From 6e546e119086a1cee48e95840b353c2082dbf6c6 Mon Sep 17 00:00:00 2001 From: Ole Tange Date: Sat, 23 Apr 2022 18:58:06 +0200 Subject: [PATCH] ubuntu-22.04: works on laptop. --- .../scripts/local-top/cryptroot | 8 +- .../scripts/local-top/cryptroot | 294 ++++++++++++++++++ 2 files changed, 300 insertions(+), 2 deletions(-) create mode 100644 decrypt-root-with-usb/ubuntu-22.04/usr/share/initramfs-tools/scripts/local-top/cryptroot diff --git a/decrypt-root-with-usb/ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot b/decrypt-root-with-usb/ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot index 18216ef..c0053d4 100644 --- a/decrypt-root-with-usb/ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot +++ b/decrypt-root-with-usb/ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot @@ -1,5 +1,7 @@ #!/bin/sh +# Search for cryptkey.txt + PREREQ="cryptroot-prepare" # @@ -171,9 +173,11 @@ setup_mapping() { echo -n "Searching for cryptkey.txt on available disks... " local partition for partition in `cat /proc/partitions |awk '{print $4}'|tail -n +3`; do - if mount /dev/$partition /mnt 2>/dev/null; then + echo -n " $partition" + if mount -oro /dev/"$partition" /mnt 2>/dev/null; then + echo -n "(mounted)" cat /mnt/cryptkey.txt >> /tmp/cryptkeys.txt 2>/dev/null - umount /dev/$partition + umount /dev/"$partition" fi done echo "done." diff --git a/decrypt-root-with-usb/ubuntu-22.04/usr/share/initramfs-tools/scripts/local-top/cryptroot b/decrypt-root-with-usb/ubuntu-22.04/usr/share/initramfs-tools/scripts/local-top/cryptroot new file mode 100644 index 0000000..61e7ec2 --- /dev/null +++ b/decrypt-root-with-usb/ubuntu-22.04/usr/share/initramfs-tools/scripts/local-top/cryptroot @@ -0,0 +1,294 @@ +#!/bin/sh + +# Search for cryptkey.txt + +PREREQ="cryptroot-prepare" + +# +# Standard initramfs preamble +# +prereqs() +{ + # Make sure that cryptroot is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + + +# wait_for_source() +# Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE +# to its normalized device name when it shows up; +# return 1 if timeout. +wait_for_source() { + wait_for_udev 10 + + if crypttab_resolve_source; then + # the device is here already, no need to loop + return 0 + fi + + # If the source device hasn't shown up yet, give it a little while + # to allow for asynchronous device discovery (e.g. USB). + # + # We also need to take into account RAID or other devices that may + # only be available on local-block stage. So, wait 5 seconds upfront, + # in local-top; if that fails, end execution relying on local-block + # invocations. Allow $ROOTDELAY/4 invocations with 1s sleep times (with + # a minimum of 20 invocations), and if after that we still fail, then it's + # really time to give-up. Variable $initrd_cnt tracks the re-invocations. + # + # Part of the lines below has been taken from initramfs-tools + # scripts/local's local_device_setup(), as suggested per + # https://launchpad.net/bugs/164044 . + + local slumber=5 + if [ "${CRYPTROOT_STAGE-}" = "local-block" ]; then + slumber=1 + fi + + cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..." + + while [ $slumber -gt 0 ]; do + sleep 1 + + if [ -x /scripts/local-block/lvm2 ]; then + # activate any VG that might hold $CRYPTTAB_SOURCE + /scripts/local-block/lvm2 "$CRYPTTAB_SOURCE" + fi + + if crypttab_resolve_source; then + wait_for_udev 10 + return 0 + fi + + slumber=$(( $slumber - 1 )) + done + return 1 +} + +# setup_mapping() +# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, +# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. +setup_mapping() { + local dev initrd_cnt + + # We control here the number of re-invocations of this script from + # local-block - the heuristic is $ROOTDELAY/4, with a minimum of 20. + + if [ -f "$CRYPTROOT_COUNT_FILE" ]; then + initrd_cnt="$(cat <"$CRYPTROOT_COUNT_FILE")" + else + initrd_cnt="${ROOTDELAY:-180}" + initrd_cnt=$(( initrd_cnt/4 )) + if [ $initrd_cnt -lt 20 ]; then + initrd_cnt=20 + fi + echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE" + fi + + # The same target can be specified multiple times + # e.g. root and resume lvs-on-lvm-on-crypto + if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + return 0 + fi + + crypttab_parse_options --export --missing-path=fail || return 1 + + if ! wait_for_source; then + if [ $initrd_cnt -eq 0 ]; then + # we've given up + if [ -n "$panic" ]; then + panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + else + # let the user fix matters if they can + echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + echo " Check cryptopts=source= bootarg: cat /proc/cmdline" + echo " or missing modules, devices: cat /proc/modules; ls /dev" + panic "Dropping to a shell." + fi + return 1 # can't continue because environment is lost + else + initrd_cnt=$(( initrd_cnt - 1 )) + echo "$initrd_cnt" >"$CRYPTROOT_COUNT_FILE" + return 0 # allow some attempts on local-block stage + fi + fi + + # our `cryptroot-unlock` script searches for cryptsetup processes + # with a given CRYPTTAB_NAME it their environment + export CRYPTTAB_NAME + + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + # no keyscript: interactive unlocking, or key file + + if [ "${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" != "$CRYPTTAB_KEY" ]; then + # skip the mapping for now if the root FS is not mounted yet + sed -rn 's/^\s*[^#[:blank:]]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq -- "$rootmnt" || return 1 + # substitute the "/FIXME-initramfs-rootmnt/" prefix by the real root FS mountpoint otherwise + CRYPTTAB_KEY="$rootmnt/${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" + fi + + if [ "$CRYPTTAB_KEY" != "none" ]; then + if [ ! -e "$CRYPTTAB_KEY" ]; then + cryptsetup_message "ERROR: Skipping target $CRYPTTAB_NAME: non-existing key file $CRYPTTAB_KEY" + return 1 + fi + # try only once if we have a key file + CRYPTTAB_OPTION_tries=1 + fi + fi + + local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv + while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + # unlock via keyfile + unlock_mapping "$CRYPTTAB_KEY" + else + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + # Wait for USB to settle + /bin/sleep 3 + + # Test all devices + mkdir /mnt + echo -n "Searching for cryptkey.txt on available disks... " + local partition + for partition in `cat /proc/partitions |awk '{print $4}'|tail -n +3`; do + echo -n " $partition" + if mount -oro /dev/"$partition" /mnt 2>/dev/null; then + echo -n "(mounted)" + cat /mnt/cryptkey.txt >> /tmp/cryptkeys.txt 2>/dev/null + umount /dev/"$partition" + fi + done + echo "done." + fi + + if [ -s /tmp/cryptkeys.txt ]; then + local keyfound + keyfound=0 + echo Trying keys from cryptkey.txt + for key in `cat /tmp/cryptkeys.txt`; do + if echo -n "$key" | unlock_mapping; then + # Found the key + echo Key found in cryptkey.txt + keyfound=1 + key="" + fi + done + # Remove traces of the key + rm /tmp/cryptkeys.txt + unset key + if [ "$keyfound" = "0" ]; then + # Fall back to manual entry + run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping + fi + else + # unlock interactively or via keyscript + run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping + fi + fi + rv=$? + count=$(( $count + 1 )) + + if [ $rv -ne 0 ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?" + sleep 1 + continue + elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping" + return 1 + fi + + if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then + if [ "$CRYPTTAB_TYPE" != "luks" ]; then + # bad password for plain dm-crypt device? or mkfs not run yet? + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?" + wait_for_udev 10 + /sbin/cryptsetup remove -- "$CRYPTTAB_NAME" + sleep 1 + continue + fi + elif [ "$fstype" = lvm2 ]; then + if [ ! -x /sbin/lvm ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: lvm is not available" + return 1 + elif vg="$(lvm pvs --noheadings -o vg_name --config 'log{prefix=""}' -- "$dev")"; then + # activate the VG held by the PV we just unlocked + lvm lvchange -a ay --sysinit -- "$vg" + fi + fi + + cryptsetup_message "$CRYPTTAB_NAME: set up successfully" + wait_for_udev 10 + return 0 + done + + cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded" + exit 1 +} + + +####################################################################### +# Begin real processing + +mkdir -p /cryptroot # might not exist yet if the main system has no crypttab(5) + +# Do we have any kernel boot arguments? +if ! grep -qE '^(.*\s)?cryptopts=' /proc/cmdline; then + # ensure $TABFILE exists and has a mtime greater than the boot time + # (existing $TABFILE is preserved) + touch -- "$TABFILE" +else + # let the read builtin unescape the '\' as GRUB substitutes '\' by '\\' in the cmdline + tr ' ' '\n' "$TABFILE" +fi + +# Do we have any settings from the $TABFILE? +if [ -s "$TABFILE" ]; then + # Create locking directory before invoking cryptsetup(8) to avoid warnings + mkdir -pm0700 /run/cryptsetup + modprobe -q dm_crypt + + crypttab_foreach_entry setup_mapping +fi + +exit 0