
Add Initramfs support #18

Closed
wants to merge 9 commits into from

Conversation

ShaRose

@ShaRose ShaRose commented Aug 11, 2017

I was going to wait until I updated the build script, but I clearly haven't gotten around to it. It's fairly well tested and shouldn't have any 'gotchas': I've been using it at home for the past 2 months without issue on a few systems.

/src/initramfs/* should be copied to /usr/share/initramfs-tools/, assuming initramfs is used instead of dracut.

ShaRose added 9 commits June 20, 2017 16:29
Added ports to initramfs based systems.

Moved all binaries to /bin since findexe wasn't searching /usr/bin sometimes.

Fixed parsing errors with the prereqs check.

Added a kill after clevis tries to decrypt to prevent lockouts if it fails to get the right password.

Imported some of the code from https://anonscm.debian.org/cgit/pkg-cryptsetup/cryptsetup.git/tree/debian/initramfs/cryptroot-unlock and implemented suggestions from the debian cryptsetup team.

 * Removed the vim settings (I don't use vim so I can't even check if I'm sticking to its specifications, so why bother)

 * Moved things to sane locations: makes it easier to see where things go in /usr/share/initramfs-tools/

 * Included a script that does some cleanup: If clevis is still running, it kills the process (For example when the user enters the password before clevis can decrypt anything). It also cleans up by flushing configuration from all interfaces.

 * Fixed locations for clevis and such in initramfs: also set up PATH specifically to include clevis and curl. I just included 'what works': this might be able to be trimmed down, but it doesn't hurt as it is now.

* Moved configure_networking to block: it was failing in the subshell.

* Removed extra whitespace.

* Reformatted lines to fit under 72 chars

* Updated so that the main loop, well, loops. This is so if you have multiple luks containers that ask for passwords at boot, it can get all of them so long as they have clevis set up.
@ShaRose ShaRose closed this Oct 20, 2017
@jh23453

jh23453 commented Feb 10, 2018

I've used the script as a start to get clevis running on debian. Here are the changes I did:

--- clevis      2018-02-10 18:26:28.517508839 +0100
+++ /etc/initramfs-tools/scripts/local-top/clevis       2018-02-10 20:24:31.191136875 +0100
@@ -39,9 +39,8 @@
 # Print the PID of the askpass process with a file descriptor opened to
 # /lib/cryptsetup/passfifo if there is one.
 get_askpass_pid() {
-    psinfo=$(ps) # Doing this so I don't end up matching myself
-    echo "$psinfo" | awk "/$cryptkeyscript/ { print \$1 }" | \
-        while read pid; do
+    local pid
+    for pid in $(pidof "askpass" "plymouth"); do
         if in_fds "$pid" "$PASSFIFO"; then
             echo "$pid"
             break
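Review bot: get_askpass_pid now prints nothing at all when neither `askpass` nor `plymouth` is running, and `break` fires only on the first descriptor match, so every caller has to treat empty output as "no prompt yet" instead of building a `/proc/$pid/...` path from it. Note also that `pidof` matches on process name only; the dropped `cryptkeyscript` pattern matched the full `plymouth ask-for-password` command line in the `ps` output, so the plymouth case now depends on the prompting client actually being named `plymouth`. `local pid` is not POSIX, but the dash and busybox shells used in initramfs accept it.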
@@ -59,13 +58,6 @@
     # Set the path how we want it (Probably not all needed)
     PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"
 
-    if [ -x /bin/plymouth ] && plymouth --ping; then
-        cryptkeyscript='plymouth ask-for-password'
-    else
-        # This has to be escaped for awk
-        cryptkeyscript='\/lib\/cryptsetup\/askpass'
-    fi
-
     PASSFIFO='/lib/cryptsetup/passfifo'
 
     OLD_CRYPTTAB_SOURCE=""
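Review bot: this removes the only definition of `cryptkeyscript`, and the first hunk removes the only use visible here; any remaining `$cryptkeyscript` reference elsewhere in the script now expands to an empty string and silently matches nothing, so grep the rest of the file for it before merging. The `plymouth --ping` probe goes with it, meaning plymouth is now detected purely by name through `pidof` in get_askpass_pid.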
@@ -80,7 +72,7 @@
         done
 
         # Import CRYPTTAB_SOURCE from the askpass process.
-        local $(grep '^CRYPTTAB_SOURCE=' /proc/$pid/environ)
+        local $(tr '\0' '\n' </proc/$pid/environ | grep '^CRYPTTAB_SOURCE=' )
 
         # Make sure that CRYPTTAB_SOURCE is actually a block device
         [ ! -b "$CRYPTTAB_SOURCE" ] && continue
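Review bot: `local $(...)` leaves the substitution unquoted, so the `CRYPTTAB_SOURCE=value` word is subject to field splitting and pathname expansion, and when grep finds no `CRYPTTAB_SOURCE=` entry `local` receives no argument at all, leaving `CRYPTTAB_SOURCE` at whatever the previous loop iteration set; the following `[ ! -b "$CRYPTTAB_SOURCE" ] && continue` cannot tell that stale value from a fresh one. An explicit assignment avoids both, e.g. `CRYPTTAB_SOURCE=$(tr '\0' '\n' </proc/"$pid"/environ | sed -n 's/^CRYPTTAB_SOURCE=//p')`, with `$pid` quoted as well.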

The first two hunks use pidof to get the process id of askpass. I think it's more readable
and reliable.

The last hunk fixes parsing /proc/$pid/environment. In that file the variable=value pairs
are delimited with \0, so "^CRYPTTAB_SOURCE=" won't match most of the time - only
if it's the first entry in the environment. So let's fix it: translate \0 to \n and now we can match
"^CRYPTTAB_SOURCE=".

Thanks for the scripts - they are really useful for me.
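
As an added example (not code from this PR or from clevis), the environ parsing described in the comment above as a POSIX sh function, placed next to the pre-patch grep so the "only matches the first entry" failure shows up on a constructed file rather than a live initramfs; the sample entries and the by-uuid value are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from this PR or from clevis: read one variable out
# of a NUL-delimited environ file laid out like /proc/<pid>/environ, next to
# the pre-patch grep, so the "only matches when it is the first entry" bug is
# visible on a constructed file instead of a live initramfs.

# read_env_var FILE NAME: print NAME's value, return 1 when NAME is absent.
read_env_var() {
    # tr turns the NUL separators into newlines so ^ anchors every entry;
    # sed strips "NAME=" and prints only matching lines, so a value that
    # contains spaces reaches the caller intact (unlike an unquoted local $(...)).
    val=$(tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# naive_env_var FILE NAME: the pre-patch approach. With no newline in the
# file, grep sees one long line, so ^NAME= can only match the first entry.
# -a keeps GNU grep from reporting the NUL-containing file as binary.
naive_env_var() {
    grep -a "^$2=" "$1" | tr '\0' '\n' | head -n 1 | sed "s/^$2=//"
}

# make_sample FILE: write a constructed environ image with three entries,
# each NUL-terminated as the kernel does; CRYPTTAB_SOURCE is deliberately
# not the first entry, and NOTE carries spaces to exercise word splitting.
make_sample() {
    printf '%s\0' 'PATH=/sbin:/bin' \
        'CRYPTTAB_SOURCE=/dev/disk/by-uuid/0000-constructed' \
        'NOTE=has spaces in it' > "$1"
}

# Demo on the constructed file: runs anywhere, no /proc needed.
sample=$(mktemp)
make_sample "$sample"
echo "fixed:     $(read_env_var "$sample" CRYPTTAB_SOURCE)"
echo "pre-patch: '$(naive_env_var "$sample" CRYPTTAB_SOURCE)'"
rm -f "$sample"
```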

@dguglielmi

I added

    # Read CRYPTTAB_SOURCE from cryptroot
    [ -z "$CRYPTTAB_SOURCE" ] && \
        CRYPTTAB_SOURCE=$(awk -F',' '($3 == "rootdev"){print substr($2,8)}' /conf/conf.d/cryptroot)

to determine CRYPTTAB_SOURCE from the file generated by the cryptroot hook.
