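# vim: set ft=sh:
# TODO this one needs some work to work with lots of different
#      encryption schemes

# run_hook: unlock an encrypted root device and point ${root} at the mapping.
#
# Globals read:    root, crypto, quiet
# Globals written: root (exported, set to /dev/mapper/root on success),
#                  cryptokeyfile (exported when a key file is found),
#                  dev_t, OLDIFS
# Helpers used:    err, msg (not defined in this file; presumably provided by
#                  the environment that sources this hook -- confirm)
#
# Behaviour:
#   * LUKS root, crypto=device:fstype:keyfile -> mount the key device on /mnt
#     and try the key file, then fall back to an interactive passphrase.
#   * LUKS root, no crypto= value             -> interactive passphrase only.
#   * non-LUKS root, crypto=hash:cipher:keysize:offset:skip
#                                             -> plain "cryptsetup create".
#
# NOTE(review): root and crypto look like boot parameters (the error messages
# quote a "crypto=" syntax). They are treated as data throughout: always
# quoted, never passed through eval.
#
# Calls "exit 1" when the mapping cannot be created, which terminates the
# shell that invoked this function.
run_hook ()
{
    # Create /dev/mapper/control from the "major minor" pair in $1 $2.
    mkdevice ()
    {
        /bin/mkdir "/dev/mapper" 2>/dev/null
        /bin/mknod "/dev/mapper/control" c "${1}" "${2}" 2>/dev/null
    }

    /bin/modprobe -a -q dm-crypt >/dev/null 2>&1
    if [ -e "/sys/class/misc/device-mapper" ]; then
        read -r dev_t < /sys/class/misc/device-mapper/dev
        # dev_t is "major:minor"; split on ':' to obtain two arguments.
        OLDIFS=$IFS; IFS=:
        mkdevice $dev_t
        IFS=$OLDIFS

        if /bin/cryptsetup isLuks "${root}" >/dev/null 2>&1; then
            if [ "x${crypto}" != "x" ]; then
                # crypto=device:fstype:keyfile
                # On failure, carry on in the hope that another slot has a
                # "normal" password.
                #
                # get_key DEVICE FSTYPE KEYFILE
                # Mounts DEVICE on /mnt (up to 10 attempts, one second apart)
                # and exports cryptokeyfile when /mnt/KEYFILE exists.
                get_key ()
                {
                    if ! [ $# -eq 3 ]; then
                        err "Verify parameter format: crypto=device:fstype:keyfile"
                        err "Not using external key for LUKS decryption"
                        return 1
                    fi
                    local dev="${1}"
                    local fstype="${2}"
                    local keyfile="${3}"
                    msg "Attempting to mount ${dev} (type ${fstype})"
                    # NOTE(review): the key device is mounted with default
                    # options (read-write). A read-only mount would be enough
                    # to read a key file -- consider "-o ro" after testing
                    # against the filesystems in use.
                    for try in 10 9 8 7 6 5 4 3 2 1; do
                        if [ "${quiet}" != "y" ]; then
                            /bin/mount -t "${fstype}" "${dev}" /mnt && break
                        else
                            /bin/mount -t "${fstype}" "${dev}" /mnt >/dev/null 2>&1 && break
                        fi
                        if [ "${try}" -eq 1 ]; then
                            err "Could not mount ${dev} (${fstype})."
                            err "Make sure you have included any needed modules/hooks in mkinitcpio.conf"
                            err "You may need to add the ${fstype} module to MODULES"
                            err "or place filesystems before autodetect in HOOKS"
                            return 1
                        else
                            sleep 1
                        fi
                    done
                    if [ -e "/mnt/${keyfile}" ]; then
                        export cryptokeyfile="/mnt/${keyfile}"
                    else
                        err "Could not find ${keyfile} on ${dev}"
                        # Carry on in the hope that another slot has a "normal" password
                        /bin/umount /mnt 2>/dev/null
                    fi
                }
                # Split crypto on ':' into the three positional arguments.
                OLDIFS=$IFS; IFS=:
                get_key $crypto
                IFS=$OLDIFS
            fi

            if [ "x${cryptokeyfile}" != "x" ]; then
                if ! /bin/cryptsetup --key-file "${cryptokeyfile}" luksOpen "${root}" root >/dev/null; then
                    err "Failed to setup root device with the specified key file."
                    # Carry on in the hope that another slot has a "normal" password
                fi
                # The key device is no longer needed once the key was tried.
                /bin/umount /mnt 2>/dev/null
            fi

            if [ ! -e "/dev/mapper/root" ]; then
                echo ""
                echo "A password is required to access the root filesystem:"
                # loop until we get a real password
                while ! /bin/cryptsetup luksOpen "${root}" root; do sleep 2; done
            fi

            if [ -e "/dev/mapper/root" ]; then
                export root="/dev/mapper/root"
            else
                err "Password succeeded, but root creation failed, aborting..."
                exit 1
            fi
        elif [ "x${crypto}" != "x" ]; then
            # do_oldcrypto HASH CIPHER KEYSIZE OFFSET SKIP
            # Runs "cryptsetup create root ${root}" with an option for every
            # non-empty field. Returns 1 on a malformed parameter list,
            # otherwise the exit status of cryptsetup.
            do_oldcrypto ()
            {
                if [ $# -ne 5 ]; then
                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                    err "Non-LUKS decryption not attempted..."
                    return 1
                fi
                local hash="${1}"
                local cipher="${2}"
                local keysize="${3}"
                local offset="${4}"
                local skip="${5}"

                # Build the argument vector in the positional parameters
                # rather than in a string handed to eval: every field stays a
                # single literal argument, so shell metacharacters in root or
                # crypto are never interpreted as commands.
                set -- create root "${root}"
                [ "x${hash}" != "x" ]    && set -- "$@" --hash "${hash}"
                [ "x${cipher}" != "x" ]  && set -- "$@" --cipher "${cipher}"
                [ "x${keysize}" != "x" ] && set -- "$@" --key-size "${keysize}"
                [ "x${offset}" != "x" ]  && set -- "$@" --offset "${offset}"
                [ "x${skip}" != "x" ]    && set -- "$@" --skip "${skip}"

                echo ""
                echo "A password is required to access the root filesystem:"
                /bin/cryptsetup "$@"
            }
            msg "Non-LUKS encrypted device found..."
            local oldcrypto_rc=0
            OLDIFS=$IFS; IFS=:
            # Record the status here: the IFS restore below would otherwise
            # overwrite $? with 0 and hide a failure.
            do_oldcrypto ${crypto} || oldcrypto_rc=$?
            IFS=$OLDIFS
            if [ "${oldcrypto_rc}" -ne 0 ]; then
                err "Non-LUKS device decryption failed. verify format: "
                err "      crypto=hash:cipher:keysize:offset:skip"
                exit 1
            else
                if [ -e "/dev/mapper/root" ]; then
                    export root="/dev/mapper/root"
                else
                    err "Password succeeded, but root creation failed, aborting..."
                    exit 1
                fi
            fi
        fi
    fi
}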