Here is a second version:

 - Support for loop-aes in the initramfs can be forced off or on.

 - Still no documentation.

Attached is a cumulative patch (against plain loop-aes-utils) and an
incremental patch (against version 1 of the integration).

-- 
Lionel
diff -u loop-aes-utils-2.12r/debian/changelog 
loop-aes-utils-2.12r/debian/changelog
--- loop-aes-utils-2.12r/debian/changelog
+++ loop-aes-utils-2.12r/debian/changelog
@@ -1,8 +1,9 @@
 loop-aes-utils (2.12r-11.0) unstable; urgency=low
 
   * Integrate with initramfs-tools for root fs on loop/loopaes device
+    (version 2 of integration).
 
- -- Lionel Elie Mamane <[EMAIL PROTECTED]>  Sun, 16 Jul 2006 17:46:57 +0200
+ -- Lionel Elie Mamane <[EMAIL PROTECTED]>  Tue, 25 Jul 2006 19:07:49 +0200
 
 loop-aes-utils (2.12r-11) unstable; urgency=low
 
diff -u loop-aes-utils-2.12r/debian/initramfs-tools-hook 
loop-aes-utils-2.12r/debian/initramfs-tools-hook
--- loop-aes-utils-2.12r/debian/initramfs-tools-hook
+++ loop-aes-utils-2.12r/debian/initramfs-tools-hook
@@ -16,8 +16,28 @@
        ;;
 esac
 
+#Check whether loop-aes support is forced on or off
+case "${INITRAMFS_LOOPAES}" in
+    0|no|off)
+       exit 0
+       ;;
+    1|yes|on)
+       FORCE_LOOPAES=1
+       ;;
+    auto|)
+       ;;
+    *)
+       echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value 
${INITRAMFS_LOOPAES}" 1>&2
+esac
+
 . /usr/share/initramfs-tools/hook-functions
 
+exit_unless_forced() {
+    if [ -z "${FORCE_LOOPAES}" ]; then
+       exit $1
+    fi
+}
+
 get_root_device() {
     [ -r /etc/fstab ] || return
 
@@ -30,12 +50,48 @@
        done )
 }
 
+decode_cipher() {
+    local cipher
+
+    case "$1" in
+       twofish*)
+           echo twofish
+           ;;
+       blowfish*)
+           echo blowfish
+           ;;
+       serpent*)
+           echo serpent
+           ;;
+       mars*|rc6*|tripleDES)
+           echo "WARNING| (loop-aes) Don't know how to handle encryption type 
$1" 1>&2
+           ;;
+       NONE|XOR|AES*)
+           ;;
+       *)
+           echo "WARNING| (loop-aes) Unknown encryption type $1" 1>&2
+           ;;
+    esac
+}
+
+iterate_cipher_module() {
+    local cipher
+    local IFS=":"
+    for cipher in $2; do
+       $1 "loop_${cipher}"
+    done
+}
+
 get_root_opts() {
-    local opt
+    local opt cipher
     local IFS=", "
     for opt in $rootoptions; do
-       case $opt in
+       case "$opt" in
            encryption=*)
+               cipher="$(decode_cipher \"${opt#encryption=}\")"
+               if [ -n "$cipher" ]; then
+                   
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
+               fi
                loopaes_opts="${loopaes_opts},${opt}"
                ;;
            offset=*)
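Review bot: The added `cipher="$(decode_cipher \"${opt#encryption=}\")"` in get_root_opts passes the value with literal double-quote characters, because quoting starts afresh inside `$( )` and `\"` there is an escaped quote, not a delimiter. decode_cipher therefore receives the name wrapped in quote characters, falls through to its `*)` arm, prints the "Unknown encryption type" warning and outputs nothing, so `rootencryption` stays empty and no `loop_<cipher>` module is selected unless the forced path is taken. The line should read `cipher="$(decode_cipher "${opt#encryption=}")"`. The same line appears in get_options of initramfs-tools-script and in both full-file copies in the cumulative patch; get_root_opts itself continues past the end of this hunk.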
@@ -60,7 +116,7 @@
                rootgpgkey=${opt#gpgkey=}
                ;;
            gpghome=*)
-               rootgpghome=${opt#gpgkey=}
+               rootgpghome=${opt#gpghome=}
                ;;
            loop=*)
                rootloop=${opt#loop=}
@@ -74,11 +130,11 @@
 
 # Find out which device root is on
 eval $(get_root_device)
-[ -z "${rootdev}" ] && exit 0
+[ -z "${rootdev}" ] && exit_unless_forced 0
 # We now have set: rootdev rootoptions
 
 get_root_opts
-[ -z "${rootloop}" ] && exit 0
+[ -z "${rootloop}" ] && exit_unless_forced 0
 loopaes_opts="${loopaes_opts},loop=${rootloop}"
 
 # Prepare the initramfs
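Review bot: With FORCE_LOOPAES set, both `exit_unless_forced 0` calls return and execution reaches `loopaes_opts="${loopaes_opts},loop=${rootloop}"` with an empty rootloop, so the option string becomes `,loop=`. The cumulative patch shows that string being written to conf/conf.d/loopaes, and the boot script treats any non-empty LOOPAESOPTS as "root on loop configured" and then exits 1 because no loop device is given. If forcing is meant only to get the tools and cipher modules into the image (presumably for use with a `loopaesopts=` boot parameter), the option assembly and the `echo "LOOPAESOPTS=..."` write should be wrapped in `if [ -n "${rootloop}" ]; then ... fi`. Those lines lie outside this hunk.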
@@ -90,7 +146,7 @@
 fi
 
 if [ -n "${rootgpghome}" ]; then
-    cp -R "${rootgpgkey}" ${DESTDIR}/.gnupg
+    cp -R "${rootgpghome}" ${DESTDIR}/.gnupg
 else
     mkdir ${DESTDIR}/.gnupg/
 fi
@@ -104,6 +160,11 @@
        cp /etc/console/boottime.kmap.gz $DESTDIR/etc/
 fi
 manual_add_modules loop
+if [ -z "${FORCE_LOOPAES}" ]; then
+    iterate_cipher_module "manual_add_modules" "$rootencryption"
+else
+    iterate_cipher_module "manual_add_modules" "serpent:blowfish:twofish"
+fi
 
 # Done
 exit 0
diff -u loop-aes-utils-2.12r/debian/initramfs-tools-script 
loop-aes-utils-2.12r/debian/initramfs-tools-script
--- loop-aes-utils-2.12r/debian/initramfs-tools-script
+++ loop-aes-utils-2.12r/debian/initramfs-tools-script
@@ -19,6 +19,50 @@
 #
 # Helper functions
 #
+get_root_device() {
+    [ -r /etc/fstab ] || return
+
+    grep '^[^#]' /etc/fstab | ( \
+       while read dev mount type options dump pass; do
+           if [ "$mount" = "/" ]; then
+               echo "rootdev=\"${dev}\" rootoptions=\"${options}\""
+               return
+           fi
+       done )
+}
+
+decode_cipher() {
+    local cipher
+
+    case "$1" in
+       twofish*)
+           echo twofish
+           ;;
+       blowfish*)
+           echo blowfish
+           ;;
+       serpent*)
+           echo serpent
+           ;;
+       mars*|rc6*|tripleDES)
+           echo "WARNING| (loop-aes) Don't know how to handle encryption type 
$1" 1>&2
+           ;;
+       NONE|XOR|AES*)
+           ;;
+       *)
+           echo "WARNING| (loop-aes) Unknown encryption type $1" 1>&2
+           ;;
+    esac
+}
+
+iterate_cipher_module() {
+    local cipher
+    local IFS=":"
+    for cipher in $2; do
+       $1 "loop_${cipher}"
+    done
+}
+
 get_options()
 {
        # Do we have any settings from the /conf/conf.d/cryptroot file?
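Review bot: iterate_cipher_module expands `$1` unquoted while `local IFS=":"` is in effect, so a command passed as one string is split on colons only, never on spaces. The boot script calls it as `iterate_cipher_module "modprobe -q" "$rootencryption"` (later hunk, next to `modprobe -q loop`), which makes the shell look for a command literally named `modprobe -q`. The hook's call with `manual_add_modules` is a single word and is unaffected. Splitting the cipher list first and dropping the custom IFS before running the command fixes this without touching the callers. The same function body is repeated in the hook and in both full-file copies of the cumulative patch.

```shell
iterate_cipher_module() {
    local cmd cipher
    cmd="$1"
    # Split the colon-separated cipher list first, then drop the custom
    # IFS so a multi-word command such as "modprobe -q" splits on spaces.
    local IFS=":"
    set -- $2
    unset IFS
    for cipher in "$@"; do
        $cmd "loop_${cipher}"
    done
}
```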
@@ -41,11 +85,15 @@
                exit 0
        fi
 
-    local opt
+    local opt cipher
     local IFS=", "
     for opt in $loopaes_opts; do
        case $opt in
            encryption=*)
+               cipher="$(decode_cipher \"${opt#encryption=}\")"
+               if [ -n "$cipher" ]; then
+                   
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
+               fi
                losetup_opts="${losetup_opts} -e ${opt#encryption=}"
                ;;
            offset=*)
@@ -70,7 +118,7 @@
                losetup_opts="${losetup_opts} -K ${opt#gpgkey=}"
                ;;
            gpghome=*)
-               rootgpghome=${opt#gpgkey=}
+               rootgpghome=${opt#gpghome=}
                ;;
            loop=*)
                rootloop=${opt#loop=}
@@ -107,6 +155,7 @@
 fi
 
 modprobe -q loop
+iterate_cipher_module "modprobe -q" "$rootencryption"
 while ! [ -b "${rootloop}" ]; do
       sleep 1
 done
diff -u loop-aes-utils-2.12r/debian/changelog 
loop-aes-utils-2.12r/debian/changelog
--- loop-aes-utils-2.12r/debian/changelog
+++ loop-aes-utils-2.12r/debian/changelog
@@ -1,3 +1,10 @@
+loop-aes-utils (2.12r-11.0) unstable; urgency=low
+
+  * Integrate with initramfs-tools for root fs on loop/loopaes device
+    (version 2 of integration).
+
+ -- Lionel Elie Mamane <[EMAIL PROTECTED]>  Tue, 25 Jul 2006 19:07:49 +0200
+
 loop-aes-utils (2.12r-11) unstable; urgency=low
 
   * Sync with util-linux 2.12r-10
diff -u loop-aes-utils-2.12r/debian/rules loop-aes-utils-2.12r/debian/rules
--- loop-aes-utils-2.12r/debian/rules
+++ loop-aes-utils-2.12r/debian/rules
@@ -64,7 +64,9 @@
        install -m 755 mount/losetup $(DIR_UDEB)/sbin/losetup-aes
        install -m 755 mount/swapon $(DIR_UDEB)/sbin/swapon-aes
        install -m 755 debian/loop-aes-keygen $(DIR_UDEB)/bin
-
+       # initramsfs-tools integration
+       install -m 755 debian/initramfs-tools-script 
$(DIR)/usr/share/initramfs-tools/scripts/local-top/loopaes
+       install -m 755 debian/initramfs-tools-hook 
$(DIR)/usr/share/initramfs-tools/hooks/loopaes
 
 binary-indep: build install
 
diff -u loop-aes-utils-2.12r/debian/loop-aes-utils.dirs 
loop-aes-utils-2.12r/debian/loop-aes-utils.dirs
--- loop-aes-utils-2.12r/debian/loop-aes-utils.dirs
+++ loop-aes-utils-2.12r/debian/loop-aes-utils.dirs
@@ -7,0 +8,2 @@
+/usr/share/initramfs-tools/scripts/local-top
+/usr/share/initramfs-tools/hooks
only in patch2:
unchanged:
--- loop-aes-utils-2.12r.orig/debian/initramfs-tools-hook
+++ loop-aes-utils-2.12r/debian/initramfs-tools-hook
@@ -0,0 +1,170 @@
+#!/bin/sh
+
+set -e
+
+PREREQ=""
+
+prereqs()
+{
+       echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+       prereqs
+       exit 0
+       ;;
+esac
+
+#Check whether loop-aes support is forced on or off
+case "${INITRAMFS_LOOPAES}" in
+    0|no|off)
+       exit 0
+       ;;
+    1|yes|on)
+       FORCE_LOOPAES=1
+       ;;
+    auto|)
+       ;;
+    *)
+       echo "WARNING! (loop-aes) ignoring invalid INITRAMFS_LOOPAES value 
${INITRAMFS_LOOPAES}" 1>&2
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+exit_unless_forced() {
+    if [ -z "${FORCE_LOOPAES}" ]; then
+       exit $1
+    fi
+}
+
+get_root_device() {
+    [ -r /etc/fstab ] || return
+
+    grep '^[^#]' /etc/fstab | ( \
+       while read dev mount type options dump pass; do
+           if [ "$mount" = "/" ]; then
+               echo "rootdev=\"${dev}\" rootoptions=\"${options}\""
+               return
+           fi
+       done )
+}
+
+decode_cipher() {
+    local cipher
+
+    case "$1" in
+       twofish*)
+           echo twofish
+           ;;
+       blowfish*)
+           echo blowfish
+           ;;
+       serpent*)
+           echo serpent
+           ;;
+       mars*|rc6*|tripleDES)
+           echo "WARNING| (loop-aes) Don't know how to handle encryption type 
$1" 1>&2
+           ;;
+       NONE|XOR|AES*)
+           ;;
+       *)
+           echo "WARNING| (loop-aes) Unknown encryption type $1" 1>&2
+           ;;
+    esac
+}
+
+iterate_cipher_module() {
+    local cipher
+    local IFS=":"
+    for cipher in $2; do
+       $1 "loop_${cipher}"
+    done
+}
+
+get_root_opts() {
+    local opt cipher
+    local IFS=", "
+    for opt in $rootoptions; do
+       case "$opt" in
+           encryption=*)
+               cipher="$(decode_cipher \"${opt#encryption=}\")"
+               if [ -n "$cipher" ]; then
+                   
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
+               fi
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           offset=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           sizelimit=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           pseed=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           phash=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           loinit=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           itercountk=*)
+               loopaes_opts="${loopaes_opts},${opt}"
+               ;;
+           gpgkey=*)
+               rootgpgkey=${opt#gpgkey=}
+               ;;
+           gpghome=*)
+               rootgpghome=${opt#gpghome=}
+               ;;
+           loop=*)
+               rootloop=${opt#loop=}
+               ;;
+           *)
+               # Presumably a non-supported or filesystem option
+               ;;
+       esac
+    done
+}
+
+# Find out which device root is on
+eval $(get_root_device)
+[ -z "${rootdev}" ] && exit_unless_forced 0
+# We now have set: rootdev rootoptions
+
+get_root_opts
+[ -z "${rootloop}" ] && exit_unless_forced 0
+loopaes_opts="${loopaes_opts},loop=${rootloop}"
+
+# Prepare the initramfs
+if [ -n "${rootgpgkey}" ]; then
+    mkdir ${DESTDIR}/keys/
+    cp "${rootgpgkey}" ${DESTDIR}/keys/rootkeyfile.gpg
+    copy_exec /usr/bin/gpg /bin/
+    loopaes_opts="${loopaes_opts},gpgkey=/keys/rootkeyfile.gpg"
+fi
+
+if [ -n "${rootgpghome}" ]; then
+    cp -R "${rootgpghome}" ${DESTDIR}/.gnupg
+else
+    mkdir ${DESTDIR}/.gnupg/
+fi
+loopaes_opts="${loopaes_opts},gpghome=/.gnupg"
+
+echo "LOOPAESOPTS=\"$loopaes_opts\"" > ${DESTDIR}/conf/conf.d/loopaes
+copy_exec /sbin/losetup /sbin/
+# Allow the correct keymap to be loaded if possible
+if [ -e /bin/loadkeys -a -r /etc/console/boottime.kmap.gz ]; then
+       copy_exec /bin/loadkeys /bin/
+       cp /etc/console/boottime.kmap.gz $DESTDIR/etc/
+fi
+manual_add_modules loop
+if [ -z "${FORCE_LOOPAES}" ]; then
+    iterate_cipher_module "manual_add_modules" "$rootencryption"
+else
+    iterate_cipher_module "manual_add_modules" "serpent:blowfish:twofish"
+fi
+
+# Done
+exit 0
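Review bot: `cp "${rootgpgkey}" ${DESTDIR}/keys/rootkeyfile.gpg` and `cp -R "${rootgpghome}" ${DESTDIR}/.gnupg` place the root key file and an entire GnuPG home directory inside the initramfs, and nothing in the hook restricts permissions or tells the administrator that this happens. If that directory holds secret keyrings, anyone able to read the generated image can extract them, so the hook should at least carry a comment such as `# Key file and GnuPG home are copied into the image; keep the initramfs unreadable to unprivileged users`. Copying only the files actually needed to decrypt the key would be better still. `${DESTDIR}` is also unquoted in these lines and in the two `mkdir` calls; `"${DESTDIR}/keys"` and `"${DESTDIR}/.gnupg"` would survive a path containing spaces.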
only in patch2:
unchanged:
--- loop-aes-utils-2.12r.orig/debian/initramfs-tools-script
+++ loop-aes-utils-2.12r/debian/initramfs-tools-script
@@ -0,0 +1,173 @@
+#!/bin/sh
+
+#
+# Standard initramfs preamble
+#
+prereqs()
+{
+    echo ""
+}
+
+case $1 in
+prereqs)
+       prereqs
+       exit 0
+       ;;
+esac
+
+
+#
+# Helper functions
+#
+get_root_device() {
+    [ -r /etc/fstab ] || return
+
+    grep '^[^#]' /etc/fstab | ( \
+       while read dev mount type options dump pass; do
+           if [ "$mount" = "/" ]; then
+               echo "rootdev=\"${dev}\" rootoptions=\"${options}\""
+               return
+           fi
+       done )
+}
+
+decode_cipher() {
+    local cipher
+
+    case "$1" in
+       twofish*)
+           echo twofish
+           ;;
+       blowfish*)
+           echo blowfish
+           ;;
+       serpent*)
+           echo serpent
+           ;;
+       mars*|rc6*|tripleDES)
+           echo "WARNING| (loop-aes) Don't know how to handle encryption type 
$1" 1>&2
+           ;;
+       NONE|XOR|AES*)
+           ;;
+       *)
+           echo "WARNING| (loop-aes) Unknown encryption type $1" 1>&2
+           ;;
+    esac
+}
+
+iterate_cipher_module() {
+    local cipher
+    local IFS=":"
+    for cipher in $2; do
+       $1 "loop_${cipher}"
+    done
+}
+
+get_options()
+{
+       # Do we have any settings from the /conf/conf.d/cryptroot file?
+       [ -r /conf/conf.d/loopaes ] && . /conf/conf.d/loopaes
+       loopaes_opts="${LOOPAESOPTS}"
+
+       # Does the kernel boot command line override them?
+       for x in $(cat /proc/cmdline); do
+               case $x in
+               loopaesopts=*)
+                       loopaes_opts=${x#loopaesopts=}
+                       ;;
+               esac
+       done
+
+       # Sanity check
+       if [ -z "${loopaes_opts}" ]; then
+               # Apparently the root partition isn't encrypted
+               echo "No root-on-loop configured, skipping"
+               exit 0
+       fi
+
+    local opt cipher
+    local IFS=", "
+    for opt in $loopaes_opts; do
+       case $opt in
+           encryption=*)
+               cipher="$(decode_cipher \"${opt#encryption=}\")"
+               if [ -n "$cipher" ]; then
+                   
rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
+               fi
+               losetup_opts="${losetup_opts} -e ${opt#encryption=}"
+               ;;
+           offset=*)
+               losetup_opts="${losetup_opts} -o ${opt#offset=}"
+               ;;
+           sizelimit=*)
+               losetup_opts="${losetup_opts} -s ${opt#sizelimit=}"
+               ;;
+           pseed=*)
+               losetup_opts="${losetup_opts} -S ${opt#pseed=}"
+               ;;
+           phash=*)
+               losetup_opts="${losetup_opts} -H ${opt#phash=}"
+               ;;
+           loinit=*)
+               losetup_opts="${losetup_opts} -I ${opt#loinit=}"
+               ;;
+           itercountk=*)
+               losetup_opts="${losetup_opts} -C ${opt#itercountk=}"
+               ;;
+           gpgkey=*)
+               losetup_opts="${losetup_opts} -K ${opt#gpgkey=}"
+               ;;
+           gpghome=*)
+               rootgpghome=${opt#gpghome=}
+               ;;
+           loop=*)
+               rootloop=${opt#loop=}
+               ;;
+           *)
+               # Presumably a non-supported or filesystem option
+               ;;
+       esac
+    done
+}
+
+load_keymap()
+{
+       if [ -x /bin/loadkeys -a -r /etc/boottime.kmap.gz ]; then
+               loadkeys -q /etc/boottime.kmap.gz
+       fi
+}
+
+#
+# Begin real processing
+#
+
+# define crypto variables
+get_options
+
+if [ -z "${rootgpghome}" ]; then
+    rootgpghome=/.gnupg
+fi
+losetup_opts="${losetup_opts} -G ${rootgpghome}"
+
+if [ -z "${rootloop}" ]; then
+    echo "root on loop enabled, but not loop device given"
+    exit 1
+fi
+
+modprobe -q loop
+iterate_cipher_module "modprobe -q" "$rootencryption"
+while ! [ -b "${rootloop}" ]; do
+      sleep 1
+done
+
+# If possible, load the keymap so that the user can input non-en characters
+load_keymap
+
+# Use /sbin/losetup to make sure that we get the loopaes modified one,
+# not the busybox one.
+/sbin/losetup ${losetup_opts} "${rootloop}" "$ROOT"
+
+# init can now pick up new FSTYPE, FSSIZE and ROOT
+echo "ROOT=\"${rootloop}\"" >> /conf/param.conf
+exit 0
+
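Review bot: The result of `/sbin/losetup ${losetup_opts} "${rootloop}" "$ROOT"` is never checked and the script has no `set -e`, so after a wrong passphrase or any other losetup failure it still appends `ROOT="${rootloop}"` to /conf/param.conf and exits 0. The failure then surfaces only later, when the root mount is attempted on a loop device that was never set up. Suggest `/sbin/losetup ${losetup_opts} "${rootloop}" "$ROOT" || { echo "loop-aes: losetup failed for ${rootloop}" 1>&2; exit 1; }` ahead of the param.conf write. The `while ! [ -b "${rootloop}" ]` wait above it also has no upper bound, so a mistyped `loop=` value hangs the boot with no message.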
