Date: Wednesday, September 15, 2021 @ 13:05:54 Author: eworm Revision: 424027
archrelease: copy trunk to testing-x86_64 Added: cryptsetup/repos/testing-x86_64/ cryptsetup/repos/testing-x86_64/PKGBUILD (from rev 424026, cryptsetup/trunk/PKGBUILD) cryptsetup/repos/testing-x86_64/hooks-encrypt (from rev 424026, cryptsetup/trunk/hooks-encrypt) cryptsetup/repos/testing-x86_64/install-encrypt (from rev 424026, cryptsetup/trunk/install-encrypt) cryptsetup/repos/testing-x86_64/install-sd-encrypt (from rev 424026, cryptsetup/trunk/install-sd-encrypt) --------------------+ PKGBUILD | 52 +++++++++++++++++ hooks-encrypt | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++ install-encrypt | 48 +++++++++++++++ install-sd-encrypt | 61 ++++++++++++++++++++ 4 files changed, 316 insertions(+) Copied: cryptsetup/repos/testing-x86_64/PKGBUILD (from rev 424026, cryptsetup/trunk/PKGBUILD) =================================================================== --- testing-x86_64/PKGBUILD (rev 0) +++ testing-x86_64/PKGBUILD 2021-09-15 13:05:54 UTC (rev 424027) @@ -0,0 +1,52 @@ +# Maintainer: Bartłomiej Piotrowski <bpiotrow...@archlinux.org> +# Contributor: Thomas Bächler <tho...@archlinux.org> + +pkgname=cryptsetup +pkgver=2.4.1 +pkgrel=1 +pkgdesc='Userspace setup tool for transparent encryption of block devices using dm-crypt' +arch=(x86_64) +license=('GPL') +url='https://gitlab.com/cryptsetup/cryptsetup/' +depends=('device-mapper' 'libdevmapper.so' 'openssl' 'popt' 'util-linux-libs' + 'libuuid.so' 'json-c' 'libjson-c.so' 'argon2' 'libargon2.so') +makedepends=('util-linux') +provides=('libcryptsetup.so') +options=('!emptydirs') +validpgpkeys=('2A2918243FDE46648D0686F9D9B0577BD93E98FC') # Milan Broz <gmazyl...@gmail.com> +source=("https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/${pkgname}-${pkgver}.tar."{xz,sign} + 'hooks-encrypt' + 'install-encrypt' + 'install-sd-encrypt') +sha256sums=('a356a727a83a464ade566e95239622a22dbe4e0f482b198fdb04ab0d3a5a9c5f' + 'SKIP' + '10461d20fe3bc357864ace3b408a2e93b4b03b5cff023def3ab126ae9857720d' + 'd325dc239ecc9a5324407b0782da6df2573e8491251836d6c4e65fa61339ce57' + '46af2f1353db1909fc483f20e3fa1e13f1e7c0d14f44c0d6163ce0862916c613') + +build() { + cd "${srcdir}"/$pkgname-${pkgver} + + ./configure \ + --prefix=/usr \ + --sbindir=/usr/bin \ + --enable-libargon2 \ + --disable-ssh-token \ + --disable-static + sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool + make +} + +package() { + cd "${srcdir}"/$pkgname-${pkgver} + + make DESTDIR="${pkgdir}" install + + # install docs + install -D -m0644 -t "${pkgdir}"/usr/share/doc/cryptsetup/ FAQ docs/{Keyring,LUKS2-locking}.txt + + # install hook + install -D -m0644 "${srcdir}"/hooks-encrypt "${pkgdir}"/usr/lib/initcpio/hooks/encrypt + install -D -m0644 "${srcdir}"/install-encrypt "${pkgdir}"/usr/lib/initcpio/install/encrypt + install -D -m0644 "${srcdir}"/install-sd-encrypt "${pkgdir}"/usr/lib/initcpio/install/sd-encrypt +} Copied: cryptsetup/repos/testing-x86_64/hooks-encrypt (from rev 424026, cryptsetup/trunk/hooks-encrypt) =================================================================== --- testing-x86_64/hooks-encrypt (rev 0) +++ testing-x86_64/hooks-encrypt 2021-09-15 13:05:54 UTC (rev 424027) @@ -0,0 +1,155 @@ +#!/usr/bin/ash + +run_hook() { + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 <<EOF +$cryptkey +EOF + + if [ "$ckdev" = "rootfs" ]; then + ckeyfile=$ckarg1 + elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t "$ckarg1" "$resolved" /ckey + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions <<EOF +$cryptdevice +EOF + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi + + # This may happen if third party hooks do the crypt setup + if [ -b "/dev/mapper/${cryptname}" ]; then + echo "Device ${cryptname} already exists, not doing any crypt setup." + return 0 + fi + + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + set -f + OLDIFS="$IFS"; IFS=, + for cryptopt in ${cryptoptions}; do + case ${cryptopt} in + allow-discards|discard) + cryptargs="${cryptargs} --allow-discards" + ;; + no-read-workqueue|perf-no_read_workqueue) + cryptargs="${cryptargs} --perf-no_read_workqueue" + ;; + no-write-workqueue|perf-no_read_workqueue) + cryptargs="${cryptargs} --perf-no_write_workqueue" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + set +f + IFS="$OLDIFS" + unset OLDIFS + + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + return 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup open --type plain $resolved $cryptname $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF +$crypto +EOF + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" + if [ -f "$ckeyfile" ]; then + exe="$exe --key-file $ckeyfile" + else + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "$exe $CSQUIET" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + return 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + return 1 + fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + fi + fi + rm -f ${ckeyfile} +} + +# vim: set ft=sh ts=4 sw=4 et: Copied: cryptsetup/repos/testing-x86_64/install-encrypt (from rev 424026, cryptsetup/trunk/install-encrypt) =================================================================== --- testing-x86_64/install-encrypt (rev 0) +++ testing-x86_64/install-encrypt 2021-09-15 13:05:54 UTC (rev 424027) @@ -0,0 +1,48 @@ +#!/bin/bash + +build() { + local mod + + add_module "dm-crypt" + add_module "dm-integrity" + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules "/crypto/" + fi + + add_binary "cryptsetup" + add_binary "dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + + # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1 + add_binary "/usr/lib/libgcc_s.so.1" + + add_runscript +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device. Users should specify the device +to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, +where 'device' is the path to the raw device, and 'dmname' is the name given to +the device after unlocking, and will be available as /dev/mapper/dmname. + +For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on +the kernel cmdline, where 'device' represents the raw block device where the key +exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is +the absolute path of the keyfile within the device. + +Without specifying a keyfile, you will be prompted for the password at runtime. +This means you must have a keyboard available to input it, and you may need +the keymap hook as well to ensure that the keyboard is using the layout you +expect. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: Copied: cryptsetup/repos/testing-x86_64/install-sd-encrypt (from rev 424026, cryptsetup/trunk/install-sd-encrypt) =================================================================== --- testing-x86_64/install-sd-encrypt (rev 0) +++ testing-x86_64/install-sd-encrypt 2021-09-15 13:05:54 UTC (rev 424027) @@ -0,0 +1,61 @@ +#!/bin/bash + +build() { + local mod + + add_module "dm-crypt" + add_module "dm-integrity" + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules "/crypto/" + fi + add_checked_modules "/drivers/char/tpm/" + + add_udev_rule "10-dm.rules" + add_udev_rule "13-dm-disk.rules" + add_udev_rule "60-fido-id.rules" + add_udev_rule "95-dm-notify.rules" + add_udev_rule "/usr/lib/initcpio/udev/11-dm-initramfs.rules" + + add_systemd_unit "cryptsetup.target" + add_binary "/usr/lib/systemd/system-generators/systemd-cryptsetup-generator" + add_binary "/usr/lib/systemd/systemd-cryptsetup" + + add_systemd_unit "systemd-ask-password-console.path" + add_systemd_unit "systemd-ask-password-console.service" + + # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1 + add_binary "/usr/lib/libgcc_s.so.1" + + # add libraries dlopen()ed by systemd-cryptsetup + for LIB in fido2 tss2-{{esys,rc,mu},tcti-'*'}; do + for FILE in $(find /usr/lib/ -maxdepth 1 -name "lib${LIB}.so*"); do + if [[ -L "${FILE}" ]]; then + add_symlink "${FILE}" + else + add_binary "${FILE}" + fi + done + done + + # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5)) + add_binary "mkswap" + + [[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab" +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device with systemd initramfs. + +See the manpage of systemd-cryptsetup-generator(8) for available kernel +command line options. Alternatively, if the file /etc/crypttab.initramfs +exists, it will be added to the initramfs as /etc/crypttab. See the +crypttab(5) manpage for more information on crypttab syntax. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: