Add Initramfs support #18
Added ports to initramfs based systems.
Moved all binaries to /bin since findexe wasn't searching /usr/bin sometimes. Fixed parsing errors with the prereqs check. Added a kill after clevis tries to decrypt to prevent lockouts if it fails to get the right password.
Imported some of the code from https://anonscm.debian.org/cgit/pkg-cryptsetup/cryptsetup.git/tree/debian/initramfs/cryptroot-unlock and implemented suggestions from the debian cryptsetup team.
* Removed the vim settings (I don't use vim so I can't even check if I'm sticking to its specifications, so why bother)
* Moved things to sane locations: makes it easier to see where things go in /usr/share/initramfs-tools/
* Included a script that does some cleanup: If clevis is still running, it kills the process (For example when the user enters the password before clevis can decrypt anything). It also cleans up by flushing configuration from all interfaces.
* Fixed locations for clevis and such in initramfs: also set up PATH specifically to include clevis and curl. I just included 'what works': this might be able to be trimmed down, but it doesn't hurt as it is now.
* Moved configure_networking to block: it was failing in the subshell.
* Removed extra whitespace.
* Reformatted lines to fit under 72 chars
* Updated so that the main loop, well, loops. This is so if you have multiple luks containers that ask for passwords at boot, it can get all of them so long as they have clevis set up.
I've used the script as a start to get clevis running on debian. Here are the changes I did:
The first two hunks use pidof to get the process id of askpass. I think it's more readable.
The last hunk fixes parsing /proc/$pid/environment. In that file the variable=value pairs
Thanks for the scripts - they are really useful for me.
I added
to determine CRYPTTAB_SOURCE from cryptroot hook generated file.
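A process's environment file under /proc (`/proc/<pid>/environ`) is a sequence of NUL-terminated variable=value records, so line-oriented parsing misreads any value that contains a newline. As an added example (not code from this pull request; the function names `env_get` and `askpass_var` and the sample data are assumptions), one way to read CRYPTTAB_SOURCE from the askpass process found with pidof:

```shell
#!/bin/sh
# Added example, not part of the pull request. Function names are
# hypothetical and the sample environment below is constructed.

# env_get FILE NAME
# Print the value of NAME from a NUL-separated environment file such as
# /proc/<pid>/environ. Returns 1 when NAME is not set.
# Assumes NAME contains only letters, digits and underscores.
env_get() {
    file=$1 name=$2
    # Swap the separators: embedded newlines become \001 and the NUL record
    # terminators become newlines, so each variable is exactly one line and
    # a newline inside a value cannot start a fake "NAME=" record.
    # (A literal \001 byte in a value would come back as a newline.)
    line=$(tr '\n\0' '\001\n' < "$file" | grep -m1 "^${name}=") || return 1
    # Drop "NAME=" and restore the newlines that were inside the value.
    printf '%s\n' "${line#*=}" | tr '\001' '\n'
}

# askpass_var NAME
# Read NAME from the environment of the running askpass process,
# located with pidof. Needs permission to read that process's environ.
askpass_var() {
    pid=$(pidof askpass) || return 1
    # pidof may print several pids; use the first one.
    env_get "/proc/${pid%% *}/environ" "$1"
}

# Demonstration on a constructed environment file. The NOTE value holds a
# newline followed by text that looks like a CRYPTTAB_SOURCE assignment.
demo_file=$(mktemp)
printf 'PATH=/bin\0NOTE=a\nCRYPTTAB_SOURCE=/dev/fake\0CRYPTTAB_SOURCE=/dev/sda2\0CRYPTTAB_NAME=root\0' > "$demo_file"

echo "naive:  $(tr '\0' '\n' < "$demo_file" | grep -m1 '^CRYPTTAB_SOURCE=')"
echo "robust: CRYPTTAB_SOURCE=$(env_get "$demo_file" CRYPTTAB_SOURCE)"
rm -f "$demo_file"
```

The naive pipeline reports the text embedded in NOTE, while `env_get` returns the real record.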
I was going to wait until I updated the build script, but I clearly haven't gotten around to it. It's fairly well tested and shouldn't have any 'gotchas': I've been using it at home for the past 2 months without issue on a few systems.
/src/initramfs/* should be copied to /usr/share/initramfs-tools/, assuming initramfs is used instead of dracut.