authorlemmarathon <lemmarathon@protonmail.com>2018-04-30 20:51:50 -0400
committerNatanael Copa <ncopa@alpinelinux.org>2018-06-12 17:34:46 +0000
commitfdc28f072ae269ab9c3f876ed452c6c3d5a769aa (patch)
tree15961c7ab86722293264aa6a149bd13145e4c277 /nlplug-findfs.c
parent7e7fed4fee4c2e0bafd4a9714649b185b8696921 (diff)
Add support for keyfiles
The "cryptkey" boot parameter enables keyfile decryption. By default, init will look for a keyfile named "/crypto_keyfile.bin". Another file may be specified like so: "cryptkey=/path/to/keyfile.bin". If keyfile decryption fails, init will fall back to passphrase mode.
Diffstat (limited to 'nlplug-findfs.c')
-rw-r--r--nlplug-findfs.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/nlplug-findfs.c b/nlplug-findfs.c
index 6614991..e037a93 100644
--- a/nlplug-findfs.c
+++ b/nlplug-findfs.c
@@ -309,6 +309,7 @@ static int spawn_active(struct spawn_manager *mgr)
struct cryptdev {
char *device;
char *name;
+ char *key;
char devnode[256];
};
@@ -594,6 +595,18 @@ static void *cryptsetup_thread(void *data)
goto free_out;
}
+ struct stat st;
+ if (!stat(c->crypt.data.key, &st)) {
+ pthread_mutex_lock(&c->crypt.mutex);
+ r = crypt_activate_by_keyfile(cd, c->crypt.data.name,
+ CRYPT_ANY_SLOT,
+ c->crypt.data.key, st.st_size,
+ c->crypt.flags);
+ pthread_mutex_unlock(&c->crypt.mutex);
+ if (r >= 0)
+ goto free_out;
+ }
+
while (passwd_tries > 0) {
char pass[1024];
@@ -1173,6 +1186,7 @@ static void usage(int rc)
" -c CRYPTDEVICE run cryptsetup luksOpen when CRYPTDEVICE is found\n"
" -h show this help\n"
" -H HEADERDEVICE use HEADERDEVICE as the LUKS header\n"
+ " -k CRYPTKEY path to keyfile\n"
" -m CRYPTNAME use CRYPTNAME name for crypto device mapping\n"
" -o OFFSET cryptsetup payload offset\n"
" -D allow discards on crypto device\n"
@@ -1238,6 +1252,9 @@ int main(int argc, char *argv[])
case 'h':
usage(0);
break;
+ case 'k':
+ conf.crypt.data.key = EARGF(usage(1));
+ break;
case 'm':
conf.crypt.data.name = EARGF(usage(1));
break;
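Review bot: In the cryptsetup_thread hunk, `stat(c->crypt.data.key, &st)` is reached unconditionally, but nothing in this diff assigns `key` when `-k` is not given (the `/crypto_keyfile.bin` default from the description is not visible here), so unless the field is initialised elsewhere the call is made with a NULL path; guarding it as `if (c->crypt.data.key && !stat(c->crypt.data.key, &st)) {` makes the keyfile path opt-in regardless of how the struct was filled. A failed `crypt_activate_by_keyfile` falls through to the passphrase loop without any record of why, which will make a mis-specified or unreadable keyfile hard to diagnose; a short comment such as `/* keyfile missing or rejected: fall back to interactive passphrase */` above the `while (passwd_tries > 0)` line, plus a diagnostic message in whatever logging style the file already uses, would help. Note also that `st.st_size` is only meaningful for a regular file; for a device or pipe it is 0, which cryptsetup treats as "read to end", so that is fine, but the size is not re-checked between `stat()` and the library's own read of the file. cryptsetup_thread begins and ends outside the hunk, as does the definition of the `stat` include this code relies on, so please confirm `<sys/stat.h>` is already included.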