Date: Tuesday, July 31, 2012 @ 15:25:50 Author: tomegun Revision: 164359
db-move: moved cryptsetup from [testing] to [core] (i686, x86_64) Added: cryptsetup/repos/core-i686/PKGBUILD (from rev 164358, cryptsetup/repos/testing-i686/PKGBUILD) cryptsetup/repos/core-i686/encrypt_hook (from rev 164358, cryptsetup/repos/testing-i686/encrypt_hook) cryptsetup/repos/core-i686/encrypt_install (from rev 164358, cryptsetup/repos/testing-i686/encrypt_install) cryptsetup/repos/core-x86_64/PKGBUILD (from rev 164358, cryptsetup/repos/testing-x86_64/PKGBUILD) cryptsetup/repos/core-x86_64/encrypt_hook (from rev 164358, cryptsetup/repos/testing-x86_64/encrypt_hook) cryptsetup/repos/core-x86_64/encrypt_install (from rev 164358, cryptsetup/repos/testing-x86_64/encrypt_install) Deleted: cryptsetup/repos/core-i686/PKGBUILD cryptsetup/repos/core-i686/encrypt_hook cryptsetup/repos/core-i686/encrypt_install cryptsetup/repos/core-x86_64/PKGBUILD cryptsetup/repos/core-x86_64/encrypt_hook cryptsetup/repos/core-x86_64/encrypt_install cryptsetup/repos/testing-i686/ cryptsetup/repos/testing-x86_64/ -----------------------------+ core-i686/PKGBUILD | 69 +++++----- core-i686/encrypt_hook | 276 +++++++++++++++++++++--------------------- core-i686/encrypt_install | 88 ++++++------- core-x86_64/PKGBUILD | 69 +++++----- core-x86_64/encrypt_hook | 276 +++++++++++++++++++++--------------------- core-x86_64/encrypt_install | 88 ++++++------- 6 files changed, 432 insertions(+), 434 deletions(-) Deleted: core-i686/PKGBUILD =================================================================== --- core-i686/PKGBUILD 2012-07-31 18:56:29 UTC (rev 164358) +++ core-i686/PKGBUILD 2012-07-31 19:25:50 UTC (rev 164359) @@ -1,35 +0,0 @@ -# $Id$ -# Maintainer: Thomas Bächler <tho...@archlinux.org> -pkgname=cryptsetup -pkgver=1.4.3 -pkgrel=1 -pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt" -arch=(i686 x86_64) -license=('GPL') -url="http://code.google.com/p/cryptsetup/" -groups=('base') -depends=('device-mapper>=2.02.85-2' 'libgcrypt' 'popt' 'util-linux') -conflicts=('mkinitcpio<0.7') -options=('!libtool' '!emptydirs') -source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2 - http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc - encrypt_hook - encrypt_install) -sha256sums=('d5ff2c00f6f791d77fa5636a02ae43ddbb46c6c793bdeafdec5e38fd15f99d0a' - 'ad610fe77d78bf7e91b7473f9d9c84de46ed1cc21f006fe3ae4791b0b6f42f3a' - 'e0cbcabb81233b4d465833dca0faf1e762dc3cb6611597a25fe24e5d7209f316' - 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae') - -build() { - cd "${srcdir}"/$pkgname-${pkgver} - ./configure --prefix=/usr --disable-static - make -} - -package() { - cd "${srcdir}"/$pkgname-${pkgver} - make DESTDIR="${pkgdir}" install - # install hook - install -D -m644 "${srcdir}"/encrypt_hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt - install -D -m644 "${srcdir}"/encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt -} Copied: cryptsetup/repos/core-i686/PKGBUILD (from rev 164358, cryptsetup/repos/testing-i686/PKGBUILD) =================================================================== --- core-i686/PKGBUILD (rev 0) +++ core-i686/PKGBUILD 2012-07-31 19:25:50 UTC (rev 164359) @@ -0,0 +1,34 @@ +# $Id$ +# Maintainer: Thomas Bächler <tho...@archlinux.org> +pkgname=cryptsetup +pkgver=1.5.0 +pkgrel=1 +pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt" +arch=(i686 x86_64) +license=('GPL') +url="http://code.google.com/p/cryptsetup/" +groups=('base') +depends=('device-mapper' 'libgcrypt' 'popt' 'util-linux') +options=('!libtool' '!emptydirs') +source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2 + http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc + encrypt_hook + encrypt_install) + +build() { + cd "${srcdir}"/$pkgname-${pkgver} + ./configure --prefix=/usr --disable-static + make +} + +package() { + cd "${srcdir}"/$pkgname-${pkgver} + make DESTDIR="${pkgdir}" install + # install hook + install -D -m644 "${srcdir}"/encrypt_hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt + install -D -m644 "${srcdir}"/encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt +} +md5sums=('0fa7ba8923b0ce8eed2aa65f2cb9950c' + 'efe1b74dfadf37726397fd27ad0df965' + '4dab1b0e23d81907b79b49c2d8d719b5' + '21c45f9cab3e0b5165f68358884fbd0f') Deleted: core-i686/encrypt_hook =================================================================== --- core-i686/encrypt_hook 2012-07-31 18:56:29 UTC (rev 164358) +++ core-i686/encrypt_hook 2012-07-31 19:25:50 UTC (rev 164359) @@ -1,138 +0,0 @@ -#!/usr/bin/ash - -run_hook() { - modprobe -a -q dm-crypt >/dev/null 2>&1 - [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" - - # Get keyfile if specified - ckeyfile="/crypto_keyfile.bin" - if [ -n "$cryptkey" ]; then - IFS=: read ckdev ckarg1 ckarg2 <<EOF -$cryptkey -EOF - - if resolved=$(resolve_device "${ckdev}" ${rootdelay}); then - case ${ckarg1} in - *[!0-9]*) - # Use a file on the device - # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path - mkdir /ckey - mount -r -t "$ckarg1" "$resolved" /ckey - dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 - umount /ckey - ;; - *) - # Read raw data from the block device - # ckarg1 is numeric: ckarg1=offset, ckarg2=length - dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 - ;; - esac - fi - [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." - fi - - if [ -n "${cryptdevice}" ]; then - DEPRECATED_CRYPT=0 - IFS=: read cryptdev cryptname cryptoptions <<EOF -$cryptdevice -EOF - else - DEPRECATED_CRYPT=1 - cryptdev="${root}" - cryptname="root" - fi - - warn_deprecated() { - echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" - echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." - } - - for cryptopt in ${cryptoptions//,/ }; do - case ${cryptopt} in - allow-discards) - echo "Enabling TRIM/discard support." - cryptargs="${cryptargs} --allow-discards" - ;; - *) - echo "Encryption option '${cryptopt}' not known, ignoring." >&2 - ;; - esac - done - - if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then - if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - dopassphrase=1 - # If keyfile exists, try to use that - if [ -f ${ckeyfile} ]; then - if eval cryptsetup --key-file ${ckeyfile} luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then - dopassphrase=0 - else - echo "Invalid keyfile. Reverting to passphrase." - fi - fi - # Ask for a passphrase - if [ ${dopassphrase} -gt 0 ]; then - echo "" - echo "A password is required to access the ${cryptname} volume:" - - #loop until we get a real password - while ! eval cryptsetup luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do - sleep 2; - done - fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 - fi - elif [ -n "${crypto}" ]; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - msg "Non-LUKS encrypted device found..." - if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then - err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" - err "Non-LUKS decryption not attempted..." - return 1 - fi - exe="cryptsetup create $cryptname $resolved $cryptargs" - IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF -$crypto -EOF - [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" - [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" - [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" - [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" - [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" - if [ -f "$ckeyfile" ]; then - exe="$exe --key-file $ckeyfile" - else - exe="$exe --verify-passphrase" - echo "" - echo "A password is required to access the ${cryptname} volume:" - fi - eval "$exe $CSQUIET" - - if [ $? -ne 0 ]; then - err "Non-LUKS device decryption failed. verify format: " - err " crypto=hash:cipher:keysize:offset:skip" - exit 1 - fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 - fi - else - err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." - fi - fi - rm -f ${ckeyfile} -} - -# vim: set ft=sh ts=4 sw=4 et: Copied: cryptsetup/repos/core-i686/encrypt_hook (from rev 164358, cryptsetup/repos/testing-i686/encrypt_hook) =================================================================== --- core-i686/encrypt_hook (rev 0) +++ core-i686/encrypt_hook 2012-07-31 19:25:50 UTC (rev 164359) @@ -0,0 +1,138 @@ +#!/usr/bin/ash + +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 <<EOF +$cryptkey +EOF + + if resolved=$(resolve_device "${ckdev}" ${rootdelay}); then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t "$ckarg1" "$resolved" /ckey + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions <<EOF +$cryptdevice +EOF + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi + + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + for cryptopt in ${cryptoptions//,/ }; do + case ${cryptopt} in + allow-discards) + echo "Enabling TRIM/discard support." + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval cryptsetup --key-file ${ckeyfile} luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval cryptsetup luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup create $cryptname $resolved $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF +$crypto +EOF + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" + if [ -f "$ckeyfile" ]; then + exe="$exe --key-file $ckeyfile" + else + exe="$exe --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "$exe $CSQUIET" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + fi + fi + rm -f ${ckeyfile} +} + +# vim: set ft=sh ts=4 sw=4 et: Deleted: core-i686/encrypt_install =================================================================== --- core-i686/encrypt_install 2012-07-31 18:56:29 UTC (rev 164358) +++ core-i686/encrypt_install 2012-07-31 19:25:50 UTC (rev 164359) @@ -1,44 +0,0 @@ -#!/bin/bash - -build() { - local mod - - add_module dm-crypt - if [[ $CRYPTO_MODULES ]]; then - for mod in $CRYPTO_MODULES; do - add_module "$mod" - done - else - add_all_modules '/crypto/' - fi - - add_binary "cryptsetup" - add_binary "dmsetup" - add_file "/usr/lib/udev/rules.d/10-dm.rules" - add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" - add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" - add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" - - add_runscript -} - -help() { - cat <<HELPEOF -This hook allows for an encrypted root device. Users should specify the device -to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, -where 'device' is the path to the raw device, and 'dmname' is the name given to -the device after unlocking, and will be available as /dev/mapper/dmname. - -For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on -the kernel cmdline, where 'device' represents the raw block device where the key -exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is -the absolute path of the keyfile within the device. - -Without specifying a keyfile, you will be prompted for the password at runtime. -This means you must have a keyboard available to input it, and you may need -the keymap hook as well to ensure that the keyboard is using the layout you -expect. -HELPEOF -} - -# vim: set ft=sh ts=4 sw=4 et: Copied: cryptsetup/repos/core-i686/encrypt_install (from rev 164358, cryptsetup/repos/testing-i686/encrypt_install) =================================================================== --- core-i686/encrypt_install (rev 0) +++ core-i686/encrypt_install 2012-07-31 19:25:50 UTC (rev 164359) @@ -0,0 +1,44 @@ +#!/bin/bash + +build() { + local mod + + add_module dm-crypt + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules '/crypto/' + fi + + add_binary "cryptsetup" + add_binary "dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + + add_runscript +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device. Users should specify the device +to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, +where 'device' is the path to the raw device, and 'dmname' is the name given to +the device after unlocking, and will be available as /dev/mapper/dmname. + +For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on +the kernel cmdline, where 'device' represents the raw block device where the key +exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is +the absolute path of the keyfile within the device. + +Without specifying a keyfile, you will be prompted for the password at runtime. +This means you must have a keyboard available to input it, and you may need +the keymap hook as well to ensure that the keyboard is using the layout you +expect. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: Deleted: core-x86_64/PKGBUILD =================================================================== --- core-x86_64/PKGBUILD 2012-07-31 18:56:29 UTC (rev 164358) +++ core-x86_64/PKGBUILD 2012-07-31 19:25:50 UTC (rev 164359) @@ -1,35 +0,0 @@ -# $Id$ -# Maintainer: Thomas Bächler <tho...@archlinux.org> -pkgname=cryptsetup -pkgver=1.4.3 -pkgrel=1 -pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt" -arch=(i686 x86_64) -license=('GPL') -url="http://code.google.com/p/cryptsetup/" -groups=('base') -depends=('device-mapper>=2.02.85-2' 'libgcrypt' 'popt' 'util-linux') -conflicts=('mkinitcpio<0.7') -options=('!libtool' '!emptydirs') -source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2 - http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc - encrypt_hook - encrypt_install) -sha256sums=('d5ff2c00f6f791d77fa5636a02ae43ddbb46c6c793bdeafdec5e38fd15f99d0a' - 'ad610fe77d78bf7e91b7473f9d9c84de46ed1cc21f006fe3ae4791b0b6f42f3a' - 'e0cbcabb81233b4d465833dca0faf1e762dc3cb6611597a25fe24e5d7209f316' - 'cfe465bdad3d958bb2332a05e04f2e1e884422a5714dfd1a0a3b9b74bf7dc6ae') - -build() { - cd "${srcdir}"/$pkgname-${pkgver} - ./configure --prefix=/usr --disable-static - make -} - -package() { - cd "${srcdir}"/$pkgname-${pkgver} - make DESTDIR="${pkgdir}" install - # install hook - install -D -m644 "${srcdir}"/encrypt_hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt - install -D -m644 "${srcdir}"/encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt -} Copied: cryptsetup/repos/core-x86_64/PKGBUILD (from rev 164358, cryptsetup/repos/testing-x86_64/PKGBUILD) =================================================================== --- core-x86_64/PKGBUILD (rev 0) +++ core-x86_64/PKGBUILD 2012-07-31 19:25:50 UTC (rev 164359) @@ -0,0 +1,34 @@ +# $Id$ +# Maintainer: Thomas Bächler <tho...@archlinux.org> +pkgname=cryptsetup +pkgver=1.5.0 +pkgrel=1 +pkgdesc="Userspace setup tool for transparent encryption of block devices using dm-crypt" +arch=(i686 x86_64) +license=('GPL') +url="http://code.google.com/p/cryptsetup/" +groups=('base') +depends=('device-mapper' 'libgcrypt' 'popt' 'util-linux') +options=('!libtool' '!emptydirs') +source=(http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2 + http://cryptsetup.googlecode.com/files/${pkgname}-${pkgver}.tar.bz2.asc + encrypt_hook + encrypt_install) + +build() { + cd "${srcdir}"/$pkgname-${pkgver} + ./configure --prefix=/usr --disable-static + make +} + +package() { + cd "${srcdir}"/$pkgname-${pkgver} + make DESTDIR="${pkgdir}" install + # install hook + install -D -m644 "${srcdir}"/encrypt_hook "${pkgdir}"/usr/lib/initcpio/hooks/encrypt + install -D -m644 "${srcdir}"/encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt +} +md5sums=('0fa7ba8923b0ce8eed2aa65f2cb9950c' + 'efe1b74dfadf37726397fd27ad0df965' + '4dab1b0e23d81907b79b49c2d8d719b5' + '21c45f9cab3e0b5165f68358884fbd0f') Deleted: core-x86_64/encrypt_hook =================================================================== --- core-x86_64/encrypt_hook 2012-07-31 18:56:29 UTC (rev 164358) +++ core-x86_64/encrypt_hook 2012-07-31 19:25:50 UTC (rev 164359) @@ -1,138 +0,0 @@ -#!/usr/bin/ash - -run_hook() { - modprobe -a -q dm-crypt >/dev/null 2>&1 - [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" - - # Get keyfile if specified - ckeyfile="/crypto_keyfile.bin" - if [ -n "$cryptkey" ]; then - IFS=: read ckdev ckarg1 ckarg2 <<EOF -$cryptkey -EOF - - if resolved=$(resolve_device "${ckdev}" ${rootdelay}); then - case ${ckarg1} in - *[!0-9]*) - # Use a file on the device - # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path - mkdir /ckey - mount -r -t "$ckarg1" "$resolved" /ckey - dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 - umount /ckey - ;; - *) - # Read raw data from the block device - # ckarg1 is numeric: ckarg1=offset, ckarg2=length - dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 - ;; - esac - fi - [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." - fi - - if [ -n "${cryptdevice}" ]; then - DEPRECATED_CRYPT=0 - IFS=: read cryptdev cryptname cryptoptions <<EOF -$cryptdevice -EOF - else - DEPRECATED_CRYPT=1 - cryptdev="${root}" - cryptname="root" - fi - - warn_deprecated() { - echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" - echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." - } - - for cryptopt in ${cryptoptions//,/ }; do - case ${cryptopt} in - allow-discards) - echo "Enabling TRIM/discard support." - cryptargs="${cryptargs} --allow-discards" - ;; - *) - echo "Encryption option '${cryptopt}' not known, ignoring." >&2 - ;; - esac - done - - if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then - if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - dopassphrase=1 - # If keyfile exists, try to use that - if [ -f ${ckeyfile} ]; then - if eval cryptsetup --key-file ${ckeyfile} luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then - dopassphrase=0 - else - echo "Invalid keyfile. Reverting to passphrase." - fi - fi - # Ask for a passphrase - if [ ${dopassphrase} -gt 0 ]; then - echo "" - echo "A password is required to access the ${cryptname} volume:" - - #loop until we get a real password - while ! eval cryptsetup luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do - sleep 2; - done - fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 - fi - elif [ -n "${crypto}" ]; then - [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated - msg "Non-LUKS encrypted device found..." - if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then - err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" - err "Non-LUKS decryption not attempted..." - return 1 - fi - exe="cryptsetup create $cryptname $resolved $cryptargs" - IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF -$crypto -EOF - [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" - [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" - [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" - [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" - [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" - if [ -f "$ckeyfile" ]; then - exe="$exe --key-file $ckeyfile" - else - exe="$exe --verify-passphrase" - echo "" - echo "A password is required to access the ${cryptname} volume:" - fi - eval "$exe $CSQUIET" - - if [ $? -ne 0 ]; then - err "Non-LUKS device decryption failed. verify format: " - err " crypto=hash:cipher:keysize:offset:skip" - exit 1 - fi - if [ -e "/dev/mapper/${cryptname}" ]; then - if [ ${DEPRECATED_CRYPT} -eq 1 ]; then - export root="/dev/mapper/root" - fi - else - err "Password succeeded, but ${cryptname} creation failed, aborting..." - exit 1 - fi - else - err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." - fi - fi - rm -f ${ckeyfile} -} - -# vim: set ft=sh ts=4 sw=4 et: Copied: cryptsetup/repos/core-x86_64/encrypt_hook (from rev 164358, cryptsetup/repos/testing-x86_64/encrypt_hook) =================================================================== --- core-x86_64/encrypt_hook (rev 0) +++ core-x86_64/encrypt_hook 2012-07-31 19:25:50 UTC (rev 164359) @@ -0,0 +1,138 @@ +#!/usr/bin/ash + +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 <<EOF +$cryptkey +EOF + + if resolved=$(resolve_device "${ckdev}" ${rootdelay}); then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t "$ckarg1" "$resolved" /ckey + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions <<EOF +$cryptdevice +EOF + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi + + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + for cryptopt in ${cryptoptions//,/ }; do + case ${cryptopt} in + allow-discards) + echo "Enabling TRIM/discard support." + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval cryptsetup --key-file ${ckeyfile} luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval cryptsetup luksOpen ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup create $cryptname $resolved $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF +$crypto +EOF + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" + if [ -f "$ckeyfile" ]; then + exe="$exe --key-file $ckeyfile" + else + exe="$exe --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "$exe $CSQUIET" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + fi + fi + rm -f ${ckeyfile} +} + +# vim: set ft=sh ts=4 sw=4 et: Deleted: core-x86_64/encrypt_install =================================================================== --- core-x86_64/encrypt_install 2012-07-31 18:56:29 UTC (rev 164358) +++ core-x86_64/encrypt_install 2012-07-31 19:25:50 UTC (rev 164359) @@ -1,44 +0,0 @@ -#!/bin/bash - -build() { - local mod - - add_module dm-crypt - if [[ $CRYPTO_MODULES ]]; then - for mod in $CRYPTO_MODULES; do - add_module "$mod" - done - else - add_all_modules '/crypto/' - fi - - add_binary "cryptsetup" - add_binary "dmsetup" - add_file "/usr/lib/udev/rules.d/10-dm.rules" - add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" - add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" - add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" - - add_runscript -} - -help() { - cat <<HELPEOF -This hook allows for an encrypted root device. Users should specify the device -to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, -where 'device' is the path to the raw device, and 'dmname' is the name given to -the device after unlocking, and will be available as /dev/mapper/dmname. - -For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on -the kernel cmdline, where 'device' represents the raw block device where the key -exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is -the absolute path of the keyfile within the device. - -Without specifying a keyfile, you will be prompted for the password at runtime. -This means you must have a keyboard available to input it, and you may need -the keymap hook as well to ensure that the keyboard is using the layout you -expect. -HELPEOF -} - -# vim: set ft=sh ts=4 sw=4 et: Copied: cryptsetup/repos/core-x86_64/encrypt_install (from rev 164358, cryptsetup/repos/testing-x86_64/encrypt_install) =================================================================== --- core-x86_64/encrypt_install (rev 0) +++ core-x86_64/encrypt_install 2012-07-31 19:25:50 UTC (rev 164359) @@ -0,0 +1,44 @@ +#!/bin/bash + +build() { + local mod + + add_module dm-crypt + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules '/crypto/' + fi + + add_binary "cryptsetup" + add_binary "dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + + add_runscript +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device. Users should specify the device +to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, +where 'device' is the path to the raw device, and 'dmname' is the name given to +the device after unlocking, and will be available as /dev/mapper/dmname. + +For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on +the kernel cmdline, where 'device' represents the raw block device where the key +exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is +the absolute path of the keyfile within the device. + +Without specifying a keyfile, you will be prompted for the password at runtime. +This means you must have a keyboard available to input it, and you may need +the keymap hook as well to ensure that the keyboard is using the layout you +expect. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: