Dear Maintainer,

I extended the patch for TRIM support in crypttab to include the
cryptroot initramfs script. In addition, the option “allow-discards” is
renamed to “discard”, which avoids a hyphen in the parameter name:

PARAM=allow-discards
VALUE=yes
eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
/bin/dash: 1: export: CRYPTTAB_OPTION_allow-discards: bad variable name

Besides avoiding a hyphen, this follows the style of crypttab options,
e.g. --key-size → size. e2fsprogs names the option “discard” as well.

Regards,
Peter
diff --git a/debian/cryptdisks.functions b/debian/cryptdisks.functions
index 9cb72d4..88d40b7 100644
--- a/debian/cryptdisks.functions
+++ b/debian/cryptdisks.functions
@@ -51,6 +51,9 @@ parse_opts () {
 		VALUE=$(echo "$opt" | sed '/=/!d;s/^.*=//')
 		
 		case "$PARAM" in 
+		discard)
+			PARAMS="$PARAMS --allow-discards"
+			;;
 		readonly)
 			PARAMS="$PARAMS -r"
 			;;
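Review bot: The new `discard)` arm appends `--allow-discards` without checking `$VALUE`, so an entry written as `discard=no` would presumably still enable TRIM. This is inferred: it assumes `PARAM` is the option name with any `=value` stripped, and that assignment sits above the hunk. The documentation added in this same patch flags the option as a security trade-off, so accepting only the bare form seems safer, e.g. `if [ -z "$VALUE" ]; then PARAMS="$PARAMS --allow-discards"; fi`. The `discard)` arm added to cryptroot-script appears to match the whole option string, so the two code paths may also disagree on `discard=...`. parse_opts starts and ends outside the hunk.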
diff --git a/debian/doc/crypttab.xml b/debian/doc/crypttab.xml
index 077caf6..5eb274a 100644
--- a/debian/doc/crypttab.xml
+++ b/debian/doc/crypttab.xml
@@ -143,6 +143,21 @@
    </varlistentry>
 
    <varlistentry>
+    <term><emphasis>discard</emphasis></term>
+    <listitem>
+     <simpara>Allow using of discards (TRIM) requests for device.</simpara>
+     <simpara><emphasis role="strong">WARNING</emphasis>: Assess the
+     specific security risks carefully before enabling this option.
+     For example, allowing discards on encrypted devices may lead to
+     the leak of information about the ciphertext device (filesystem
+     type, used space etc.) if the discarded blocks can be located
+     easily on the device later.</simpara>
+      <simpara>Kernel version 3.1 or more recent is required.
+      For older versions is the option ignored.</simpara>
+    </listitem>
+   </varlistentry>
+
+   <varlistentry>
     <term><emphasis>readonly</emphasis></term>
     <listitem>
      <simpara>The backing device is read-only (eg: a dvd).</simpara>
diff --git a/debian/initramfs/cryptroot-hook b/debian/initramfs/cryptroot-hook
index 6c9659d..e770eac 100644
--- a/debian/initramfs/cryptroot-hook
+++ b/debian/initramfs/cryptroot-hook
@@ -249,6 +249,9 @@ get_device_opts() {
 			rootdev)
 				OPTIONS="$OPTIONS,$opt"
 				;;
+			discard)
+				OPTIONS="$OPTIONS,$opt"
+				;;
 			luks)
 				LUKS_FOUND=1
 				;;
diff --git a/debian/initramfs/cryptroot-script b/debian/initramfs/cryptroot-script
index 86c5f39..8c40af5 100644
--- a/debian/initramfs/cryptroot-script
+++ b/debian/initramfs/cryptroot-script
@@ -70,6 +70,7 @@ parse_options()
 	cryptkey="" # This is only used as an argument to an eventual keyscript
 	crypttries=3
 	cryptrootdev=""
+	cryptdiscard=""
 	CRYPTTAB_OPTIONS=""
 
 	local IFS=" ,"
@@ -120,6 +121,9 @@ parse_options()
 		rootdev)
 			cryptrootdev="yes"
 			;;
+		discard)
+			cryptdiscard="yes"
+			;;
 		esac
 		PARAM="${x%=*}"
 		if [ "$PARAM" = "$x" ]; then
@@ -242,10 +246,14 @@ setup_mapping()
 	done
 
 	# Prepare commands
+	cryptcreate="/sbin/cryptsetup -T 1"
+	if [ "$cryptdiscard" = "yes" ]; then
+		cryptcreate="$cryptcreate --allow-discards"
+	fi
 	if /sbin/cryptsetup isLuks $cryptsource > /dev/null 2>&1; then
-		cryptcreate="/sbin/cryptsetup -T 1 luksOpen $cryptsource $crypttarget"
+		cryptcreate="$cryptcreate luksOpen $cryptsource $crypttarget"
 	else
-		cryptcreate="/sbin/cryptsetup -T 1 -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
+		cryptcreate="$cryptcreate -c $cryptcipher -s $cryptsize -h $crypthash create $crypttarget $cryptsource"
 	fi
 	cryptremove="/sbin/cryptsetup remove $crypttarget"
 	NEWROOT="/dev/mapper/$crypttarget"
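Review bot: The `if [ "$cryptdiscard" = "yes" ]` block has no comment explaining that discards are off unless requested, which is the security-relevant part of this change. A one-line comment above it would help, such as `# TRIM is opt-in: discards reveal which blocks of the encrypted device are unused (see crypttab(5))`. The off-by-default behaviour also relies on `cryptdiscard=""` being initialised in parse_options, so the comment could mention that to keep the reset from being dropped later. setup_mapping starts and ends outside the hunk.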
