commit: a0a6d6313874a7567a26c405713aaf610695285d Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> AuthorDate: Sun Feb 7 18:02:29 2021 +0000 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> CommitDate: Sun Feb 7 18:02:29 2021 +0000 URL: https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=a0a6d631
linuxrc: add kernel command-line argument to allow user to pass additional options to cryptsetup Cryptsetup supports additional options like "--perf-no_read_workqueue" or "--perf-no_write_workqueue". While it is recommended to use LUKS2 format and make these activiation flags permanent, you can also make use of the new kernel command-line arguments "crypt_root_options" for root device or "crypt_swap_options" for swap device to pass additional options to cryptsetup. These arguments can be specified multiple times or separate multiple options with a comma. Bug: https://bugs.gentoo.org/755587 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> defaults/initrd.defaults | 2 ++ defaults/initrd.scripts | 16 +++++++--------- defaults/linuxrc | 13 ++++++++++++- defaults/unlock-luks.sh | 8 +++----- doc/genkernel.8.txt | 10 ++++++++++ 5 files changed, 34 insertions(+), 15 deletions(-) diff --git a/defaults/initrd.defaults b/defaults/initrd.defaults index cd485ca..ac3b072 100644 --- a/defaults/initrd.defaults +++ b/defaults/initrd.defaults @@ -104,9 +104,11 @@ CRYPT_ENV_FILE='/etc/CRYPT_ENV.conf' CRYPT_ROOT_KEYDEV_FSTYPE='auto' CRYPT_ROOT_KEYFILE='/tmp/root.key' CRYPT_ROOT_OPENED_LOCKFILE='/tmp/ROOT.opened' +CRYPT_ROOT_OPTIONS='' CRYPT_SWAP_KEYDEV_FSTYPE='auto' CRYPT_SWAP_KEYFILE='/tmp/swap.key' CRYPT_SWAP_OPENED_LOCKFILE='/tmp/SWAP.opened' +CRYPT_SWAP_OPTIONS='' ZFS_ENC_ENV_FILE='/etc/ZFS_ENC_ENV.conf' ZFS_ENC_OPENED_LOCKFILE='/tmp/ZFS.opened' diff --git a/defaults/initrd.scripts b/defaults/initrd.scripts index f6e84fc..5d744ee 100644 --- a/defaults/initrd.scripts +++ b/defaults/initrd.scripts @@ -1193,7 +1193,7 @@ write_env_file() { for varname in $* do eval varvalue=\$${varname} - echo "${varname}=${varvalue}" >> "${env_file}" + echo "${varname}='${varvalue}'" >> "${env_file}" done } 
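Review bot: In write_env_file the value is now wrapped in single quotes without escaping, so a value that itself contains a `'` ends the quoting early. If the env file is later sourced, the rest of that line is no longer treated as data; the consumer is outside this hunk, so this is inferred. The variables written now include CRYPT_ROOT_OPTIONS and CRYPT_SWAP_OPTIONS (added in the start_sshd hunk), which originate from the kernel command line. Escape embedded quotes before writing, e.g. `varvalue=$(printf '%s' "${varvalue}" | sed "s/'/'\\\\''/g")` ahead of the `echo`, or refuse values that contain `'`.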
@@ -1774,15 +1774,13 @@ openLUKS() { eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"' eval local LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"' eval local LUKS_KEYDEV_FSTYPE='"${CRYPT_'${TYPE}'_KEYDEV_FSTYPE}"' - eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"' + eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"' eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"' local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0 local mntkey="/mnt/key/" crypt_filter_ret= while true do - local cryptsetup_options='' - local gpg_cmd="" if [ -e "${OPENED_LOCKFILE}" ] then @@ -1819,10 +1817,9 @@ openLUKS() { DEV_ERROR=1 continue else - if [ "x${LUKS_TRIM}" = "xyes" ] + if [ -n "${cryptsetup_options}" ] then - good_msg "Enabling TRIM support for ${LUKS_NAME} ..." ${CRYPT_SILENT} - cryptsetup_options="${cryptsetup_options} --allow-discards" + good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT} fi # Handle keys @@ -2333,9 +2330,10 @@ start_sshd() { write_env_file \ "${CRYPT_ENV_FILE}" \ CRYPT_ROOT \ - CRYPT_ROOT_TRIM \ + CRYPT_ROOT_OPTIONS \ CRYPT_SILENT \ - CRYPT_SWAP + CRYPT_SWAP \ + CRYPT_SWAP_OPTIONS run touch /var/log/lastlog diff --git a/defaults/linuxrc b/defaults/linuxrc index df0f570..e33576d 100644 --- a/defaults/linuxrc +++ b/defaults/linuxrc @@ -244,10 +244,16 @@ do CRYPT_ROOT=${x#*=} USE_CRYPTSETUP=1 ;; + crypt_root_options=*) + CRYPT_ROOT_OPTIONS=$(echo ${CRYPT_ROOT_OPTIONS} ${x#*=} | sed -e 's/,/ /g') + ;; crypt_swap=*) CRYPT_SWAP=${x#*=} USE_CRYPTSETUP=1 ;; + crypt_swap_options=*) + CRYPT_SWAP_OPTIONS=$(echo ${CRYPT_SWAP_OPTIONS} ${x#*=} | sed -e 's/,/ /g') + ;; root_key=*) CRYPT_ROOT_KEY=${x#*=} ;; @@ -258,7 +264,12 @@ do CRYPT_ROOT_KEYDEV_FSTYPE=${x#*=} ;; root_trim=*) - CRYPT_ROOT_TRIM=${x#*=} + tmp_enabled=${x#*=} + if is_true "${tmp_enabled}" + then + CRYPT_ROOT_OPTIONS="${CRYPT_ROOT_OPTIONS} --allow-discards" + fi + unset tmp_enabled ;; swap_key=*) CRYPT_SWAP_KEY=${x#*=} 
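Review bot: `cryptsetup_options` is now filled from `CRYPT_${TYPE}_OPTIONS`, which is free-form text from the kernel command line, whereas before it could only ever hold `--allow-discards`. Nothing in the visible hunks limits it to option tokens. The cryptsetup call that consumes it is outside these hunks, so it presumably relies on unquoted word splitting. A short comment at the `eval local cryptsetup_options=...` line would record that, for example `# user-supplied via crypt_*_options; expanded unquoted on purpose, must hold option tokens only`. openLUKS begins and ends outside the hunk.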
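Review bot: The `crypt_root_options=*` and `crypt_swap_options=*` branches expand `${x#*=}` unquoted inside `echo`, so the shell applies pathname expansion to it and `echo` may take a leading `-n` or `-e` as its own option. A value containing `*` or `?` could therefore be replaced by matching file names from the initramfs before it is stored as cryptsetup options. Quoting the expansion and using printf avoids both: `CRYPT_ROOT_OPTIONS="${CRYPT_ROOT_OPTIONS} $(printf '%s' "${x#*=}" | sed -e 's/,/ /g')"`, and likewise for `CRYPT_SWAP_OPTIONS`. This also matches the append style of the `root_trim` branch in the following hunk.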
diff --git a/defaults/unlock-luks.sh b/defaults/unlock-luks.sh index a8ae990..59e086a 100644 --- a/defaults/unlock-luks.sh +++ b/defaults/unlock-luks.sh @@ -46,12 +46,11 @@ main() { local LUKS_NAME="${NAME}" eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"' eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEYFILE}"' - eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"' + eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"' eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"' while true do - local cryptsetup_options="" local gpg_cmd crypt_filter_ret if [ -e "${OPENED_LOCKFILE}" ] @@ -74,10 +73,9 @@ main() { # able to investigate the problem on its own. exit 1 else - if [ "x${LUKS_TRIM}" = "xyes" ] + if [ -n "${cryptsetup_options}" ] then - good_msg "Enabling TRIM support for ${LUKS_NAME} ..." "${CRYPT_SILENT}" - cryptsetup_options="${cryptsetup_options} --allow-discards" + good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT} fi # Handle keys diff --git a/doc/genkernel.8.txt b/doc/genkernel.8.txt index 8909fc7..ddccd9f 100644 --- a/doc/genkernel.8.txt +++ b/doc/genkernel.8.txt @@ -633,9 +633,19 @@ recognized by the kernel itself. This specifies the device encrypted by LUKS, which contains the root filesystem to mount. +*crypt_root_options*=<...>:: + This specifies additional options, which should get passed to + cryptsetup when opening root volume. Can be specified multiple + times or separate multiple options with a comma. + *crypt_swap*=<...>:: This specifies the swap device encrypted by LUKS. +*crypt_swap_options*=<...>:: + This specifies additional options, which should get passed to + cryptsetup when opening swap volume. Can be specified multiple + times or separate multiple options with a comma. + *root_key*=<...>:: In case your root is encrypted with a key, you can use a device like a usb pen to store the key. This value should be the key
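Review bot: The new `good_msg` call in unlock-luks.sh passes `${CRYPT_SILENT}` unquoted, whereas the line it replaces used `"${CRYPT_SILENT}"`. With an empty or unset value the second argument now disappears instead of being passed as an empty string; whether good_msg treats the two the same is not visible here. Keeping the quotes preserves the previous call shape: `good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" "${CRYPT_SILENT}"`. main() continues outside the hunk.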