-rw-r--r-- | Makefile | 1 | ||||
-rw-r--r-- | features.d/cryptkey.files | 1 | ||||
-rwxr-xr-x | initramfs-init.in | 11 | ||||
-rw-r--r-- | nlplug-findfs.c | 17 | ||||
-rwxr-xr-x | test.sh | 28 |
5 files changed, 55 insertions, 3 deletions
@@ -16,6 +16,7 @@ CONF_FILES := mkinitfs.conf \
 features.d/btrfs.modules \
 features.d/cdrom.modules \
 features.d/cramfs.modules \
+ features.d/cryptkey.files \
 features.d/cryptsetup.files \
 features.d/cryptsetup.modules \
 features.d/ena.modules \
diff --git a/features.d/cryptkey.files b/features.d/cryptkey.files
new file mode 100644
index 0000000..6bdda2e
--- /dev/null
+++ b/features.d/cryptkey.files
@@ -0,0 +1 @@
+/crypto_keyfile.bin
diff --git a/initramfs-init.in b/initramfs-init.in
index fd3c50c..df704d5 100755
--- a/initramfs-init.in
+++ b/initramfs-init.in
@@ -274,9 +274,9 @@ setup_nbd() {
 set -- $(cat /proc/cmdline)
 myopts="alpine_dev autodetect autoraid chart cryptroot cryptdm cryptheader cryptoffset
- cryptdiscards debug_init dma init_args keep_apk_new modules ovl_dev pkgs quiet
- root_size root usbdelay ip alpine_repo apkovl alpine_start splash blacklist
- overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
+ cryptdiscards cryptkey debug_init dma init_args keep_apk_new modules ovl_dev
+ pkgs quiet root_size root usbdelay ip alpine_repo apkovl alpine_start splash
+ blacklist overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
 for opt; do
 case "$opt" in
@@ -397,6 +397,11 @@ if [ -n "$KOPT_cryptroot" ]; then
 if [ -n "$KOPT_cryptoffset" ]; then
 cryptopts="$cryptopts -o ${KOPT_cryptoffset}"
 fi
+ if [ "$KOPT_cryptkey" = "yes" ]; then
+ cryptopts="$cryptopts -k /crypto_keyfile.bin"
+ elif [ -n "$KOPT_cryptkey" ]; then
+ cryptopts="$cryptopts -k ${KOPT_cryptkey}"
+ fi
 fi
 if [ -n "$KOPT_nbd" ]; then
diff --git a/nlplug-findfs.c b/nlplug-findfs.c
index 6614991..e037a93 100644
--- a/nlplug-findfs.c
+++ b/nlplug-findfs.c
@@ -309,6 +309,7 @@ static int spawn_active(struct spawn_manager *mgr)
 struct cryptdev {
 char *device;
 char *name;
+ char *key;
 char devnode[256];
 };
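Review bot: The `cryptkey=yes` branch in the @@ -397 hunk of initramfs-init.in hardcodes `/crypto_keyfile.bin` without saying where that file comes from; the path only works because features.d/cryptkey.files, added in the same commit, copies it into the image, and nothing documents the two accepted forms of the option. A comment above the branch would make the coupling explicit, e.g. `# cryptkey=yes uses the keyfile shipped in the initramfs by features.d/cryptkey.files; any other value is taken as a path to the keyfile`. Because the key then lives inside the initramfs image, the feature's documentation should also state that anyone able to read that image (usually the boot partition, which is commonly left unencrypted) can read the key, so the root volume is only protected against readers who cannot reach /boot. The enclosing `if [ -n "$KOPT_cryptroot" ]` block starts outside the hunk.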
@@ -594,6 +595,18 @@ static void *cryptsetup_thread(void *data)
 goto free_out;
 }
+ struct stat st;
+ if (!stat(c->crypt.data.key, &st)) {
+ pthread_mutex_lock(&c->crypt.mutex);
+ r = crypt_activate_by_keyfile(cd, c->crypt.data.name,
+ CRYPT_ANY_SLOT,
+ c->crypt.data.key, st.st_size,
+ c->crypt.flags);
+ pthread_mutex_unlock(&c->crypt.mutex);
+ if (r >= 0)
+ goto free_out;
+ }
+
 while (passwd_tries > 0) {
 char pass[1024];
@@ -1173,6 +1186,7 @@ static void usage(int rc)
 " -c CRYPTDEVICE run cryptsetup luksOpen when CRYPTDEVICE is found\n"
 " -h show this help\n"
 " -H HEADERDEVICE use HEADERDEVICE as the LUKS header\n"
+ " -k CRYPTKEY path to keyfile\n"
 " -m CRYPTNAME use CRYPTNAME name for crypto device mapping\n"
 " -o OFFSET cryptsetup payload offset\n"
 " -D allow discards on crypto device\n"
@@ -1238,6 +1252,9 @@ int main(int argc, char *argv[])
 case 'h':
 usage(0);
 break;
+ case 'k':
+ conf.crypt.data.key = EARGF(usage(1));
+ break;
 case 'm':
 conf.crypt.data.name = EARGF(usage(1));
 break;
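Review bot: `stat(c->crypt.data.key, &st)` in the @@ -594 hunk runs even when no `-k` was given, so `key` is NULL on the common path; in practice the call fails with EFAULT and the passphrase prompt is reached, but that is relying on the libc/kernel rather than on the code, and a key path naming a directory or other non-regular file is handed straight to libcryptsetup as well. Guard explicitly: `if (c->crypt.data.key && stat(c->crypt.data.key, &st) == 0 && S_ISREG(st.st_mode)) {`. When the keyfile exists but `crypt_activate_by_keyfile` fails (`r < 0`), the code drops silently into the passphrase loop, so a stale or wrong keyfile is indistinguishable from a missing one; a one-line diagnostic through whatever logging helper the file already uses (not visible here) would make that case visible at boot. `struct stat` and `S_ISREG` need `<sys/stat.h>`, which I cannot confirm is included. cryptsetup_thread begins and ends outside the hunk.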
@@ -76,6 +76,13 @@ then
 [ "$operation" = "header" ] && echo "> Formatting '$block' with header '$header' and passphrase '$passphrase'."
 [ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q $block - 2>&1 | sed 's/^/\t/g'
 [ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q --header $header $block - 2>&1 | sed 's/^/\t/g'
+
+ echo "> Creating keyfile"
+ dd if=/dev/urandom of=keyfile count=1 bs=512 2>&1 | sed 's/^/\t/g'
+ echo "> Adding keyfile to device"
+ [ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q $block keyfile - 2>&1 | sed 's/^/\t/g'
+ [ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q --header $header $block keyfile - 2>&1 | sed 's/^/\t/g'
+
 echo "> Opening the device '$block' as /dev/mapper/temp-test"
 [ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q $block temp-test - 2>&1 | sed 's/^/\t/g'
 [ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q --header $header $block temp-test - 2>&1 | sed 's/^/\t/g'
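Review bot: `dd if=/dev/urandom of=keyfile count=1 bs=512` creates the keyfile with the caller's default umask and its exit status is swallowed by the `| sed` pipeline, so a failed `dd` leaves an empty or missing `keyfile` that the `luksAddKey` lines then enroll without complaint. Create it with restricted permissions and check it before use, e.g. `( umask 077; dd if=/dev/urandom of=keyfile count=1 bs=512 ) 2>&1 | sed 's/^/\t/g'` followed by `[ -s keyfile ] || retcode=1`. I cannot see whether `keyfile` is removed with the script's other temporary artefacts; if not, it should be, since it unlocks the test volume. The enclosing `then` block starts outside the hunk.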
@@ -92,6 +99,27 @@ then
 echo "> Closing the device '/dev/mapper/temp-test'"
 sudo cryptsetup luksClose temp-test
+ echo "> Testing nlplug-findfs on $block using keyfile"
+ [ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+ [ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+
+ if [ $retcode -eq 0 ]; then
+ echo "> Mounting the device"
+ sudo mount /dev/mapper/test-device local-mount
+ echo "> Getting proof"
+ check=$(cat local-mount/proof)
+ echo "Retrieved proof is: $check"
+ if [ "$check" != "$proof" ]; then
+ retcode=1
+ fi
+ fi
+ [ $retcode -eq 0 ] && echo "Operation succeeded, proofs match" || echo "Operation failed, proofs don't match"
+
+ echo "> Unmounting the fs"
+ mountpoint local-mount && sudo umount local-mount
+ echo "> Closing the device '/dev/mapper/test-device'"
+ [ -b /dev/mapper/test-device ] && sudo cryptsetup luksClose test-device
+
 echo "> Testing nlplug-findfs on $block (passphrase was '$passphrase')"
 [ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; }
 [ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; } |
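Review bot: The keyfile run still pipes `echo "$passphrase"` into nlplug-findfs, so if `-k keyfile` is ignored or keyfile activation fails, the passphrase fallback opens the device and the test reports success anyway — it does not prove the keyfile path works. Feed it something that cannot unlock the volume, e.g. `echo "not-the-passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1` (or `</dev/null`, if nlplug-findfs handles EOF on stdin cleanly, which I cannot see from here). Separately, `retcode` is not reset between this run and the pre-existing passphrase run below, so a summary line after the passphrase run would report the combined state rather than its own result; either `retcode=0` before the passphrase run or keep the keyfile outcome in its own variable and combine the two at the end. The enclosing `then` block starts outside the hunk.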