Red Hat Bugzilla – Attachment 147835 Details for
Bug 124789
[PATCH] Add encrypted root filesystem support to mkinitrd
[patch]
Patch to add encrypted root fs support to mkinitrd w/modular CBC
mkinitrd-5.1.19.0.2-enc-sup.patch (text/plain), 12.95 KB, created by
Andy Walls
on 2007-02-10 14:50:18 UTC
Description:
Patch to add encrypted root fs support to mkinitrd w/modular CBC
Filename:
MIME Type:
Creator:
Andy Walls
Created:
2007-02-10 14:50:18 UTC
Size:
12.95 KB
patch
obsolete
>diff -Nur mkinitrd-5.1.19.0.2/grubby/grubby.c mkinitrd-5.1.19.0.2/grubby/grubby.c
>--- mkinitrd-5.1.19.0.2/grubby/grubby.c 2006-09-21 15:50:44.000000000 -0400
>+++ mkinitrd-5.1.19.0.2/grubby/grubby.c 2006-12-24 18:08:00.000000000 -0500
>@@ -27,6 +27,7 @@
> #include <sys/stat.h>
> #include <unistd.h>
> #include <libgen.h>
>+#include <libdevmapper.h>
>
> #include "version.h"
>
>@@ -45,6 +46,8 @@
>
> #define CODE_SEG_SIZE 128 /* code segment checked by --bootloader-probe */
>
>+#define CRYPT_TARGET "crypt"
>+
> /* comments get lumped in with indention */
> struct lineElement {
> char * item;
>@@ -1035,6 +1038,32 @@
> return i;
> }
>
>+/* returns true if dev seems to be encrypted using dmcrypt -- if this is
>+ true then dev (ie: /dev/hdaX) will not be the same as sb2's dev
>+ (ie: /dev/mapper/Y) */
>+static int isRootEnc(const dev_t statdev, const char *configdev) {
>+ void *next = NULL;
>+ struct dm_task *dmt;
>+ struct dm_info dmi;
>+ uint64_t start, length;
>+ char *target_type, *params;
>+ // Check if current root device is dm device.
>+ if (statdev >> 8 != 253)
>+ return 0;
>+ if (!(dmt = dm_task_create(DM_DEVICE_STATUS)))
>+ return 0;
>+ if (!dm_task_set_name(dmt, "root"))
>+ return 0;
>+ if (!dm_task_run(dmt))
>+ return 0;
>+ if (!dm_task_get_info(dmt, &dmi))
>+ return 0;
>+ next = dm_get_next_target(dmt, next, &start, &length, &target_type, ¶ms);
>+ if (!target_type || strcmp(target_type, CRYPT_TARGET) != 0 || start != 0 || next)
>+ return 0;
>+ return 1;
>+}
>+
> int suitableImage(struct singleEntry * entry, const char * bootPrefix,
> int skipRemoved, int flags) {
> struct singleLine * line;
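Review bot: The `struct dm_task` obtained from dm_task_create() in isRootEnc is never released — every return path, including the success path, lacks a dm_task_destroy() call, so each call leaks the task and its status buffer. The early exit `if (statdev >> 8 != 253)` hard-codes the device-mapper major, which the kernel allocates dynamically (253 is typical but not guaranteed), and splits dev_t with a legacy 8-bit shift instead of major()/minor() from <sys/sysmacros.h>; since dm_task_get_info() already fills dmi.major/dmi.minor, comparing those against statdev removes the constant entirely. The configdev parameter is accepted but never read, and `¶ms` on the dm_get_next_target line appears to be a rendering artefact of `&params`. A goto-cleanup shape that destroys the task on every path is sketched below.
```c
static int isRootEnc(const dev_t statdev, const char *configdev) {
    void *next = NULL;
    struct dm_task *dmt;
    struct dm_info dmi;
    uint64_t start, length;
    char *target_type, *params;
    int rc = 0;

    if (!(dmt = dm_task_create(DM_DEVICE_STATUS)))
        return 0;
    if (!dm_task_set_name(dmt, "root") || !dm_task_run(dmt) ||
        !dm_task_get_info(dmt, &dmi) || !dmi.exists)
        goto out;
    /* the "root" mapping must be the device "/" is actually mounted from */
    if ((unsigned)dmi.major != major(statdev) || (unsigned)dmi.minor != minor(statdev))
        goto out;
    next = dm_get_next_target(dmt, next, &start, &length, &target_type, &params);
    if (!target_type || strcmp(target_type, CRYPT_TARGET) != 0 || start != 0 || next)
        goto out;
    rc = 1;
out:
    dm_task_destroy(dmt);   /* release the task on every path */
    return rc;
}
```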
>@@ -1098,7 +1127,7 @@
>
> stat("/", &sb2);
>
>- if (sb.st_rdev != sb2.st_dev)
>+ if (! isRootEnc(sb2.st_dev, dev) && sb.st_rdev != sb2.st_dev)
> return 0;
>
> return 1;
>diff -Nur mkinitrd-5.1.19.0.2/grubby/new-kernel-pkg mkinitrd-5.1.19.0.2/grubby/new-kernel-pkg
>--- mkinitrd-5.1.19.0.2/grubby/new-kernel-pkg 2006-06-29 23:54:45.000000000 -0400
>+++ mkinitrd-5.1.19.0.2/grubby/new-kernel-pkg 2006-12-24 18:08:00.000000000 -0500
>@@ -11,6 +11,8 @@
>
> PATH=/sbin:/bin:$PATH
>
>+. /etc/rc.d/init.d/functions
>+
> lilo=/sbin/lilo
>
> # some defaults that are sane for most arches
>@@ -87,6 +89,32 @@
> exit 1
> }
>
>+get_traditional_devnod() {
>+ majmin=$(get_numeric_dev dec $1)
>+ find /sys/block -name dev | while read device ; do \
>+ echo "$majmin" | cmp -s $device && echo $device ; done \
>+ | sed -e 's,.*/\([^/]\+\)/dev,\1,'
>+}
>+
>+# Given /dev/dm-?:
>+# 1. Find the devnod in /dev/mapper that has the same major and minor number.
>+# 2. Find the link in /dev/VolGroup?? that points to this /dev/mapper device.
>+# 3. Print /dev/VolGroup??/LogVol??
>+get_logvol_devnod() {
>+ majmin=$(get_numeric_dev dec $1)
>+
>+ # 1:
>+ for device in /dev/mapper/*; do
>+ [ "$majmin" = "$(get_numeric_dev dec $device)" ] && mapperdev=$device
>+ done
>+ # 2:
>+ for device in /dev/VolGroup??/*; do
>+ [ "$mapperdev" = "$(ls -l $device | awk '{ print $11 }')" ] && logvol=$device
>+ done
>+ # 3:
>+ echo $logvol
>+}
>+
> install() {
> # XXX kernel should be able to be specified also (or work right on ia64)
> if [ ! -f $bootPrefix/$kernelName-$version ] ; then
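Review bot: The new condition `if (! isRootEnc(sb2.st_dev, dev) && sb.st_rdev != sb2.st_dev)` switches the device comparison off entirely whenever the running root is a dm-crypt mapping, so every bootloader entry whose root= resolves to any block device is then reported as suitable, not only the one whose device backs the mapping. isRootEnc is handed dev but, per the hunk above, never reads it; the check should establish that dev is the crypt target's backing device — for instance by comparing dev's major:minor with the device recorded in the target's params string — and return 0 otherwise. The rest of suitableImage lies outside the hunk.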
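Review bot: In get_logvol_devnod the symlink target is recovered with `ls -l $device | awk '{ print $11 }'`, which depends on the column layout of ls output and silently yields an empty or wrong name if that layout shifts; `readlink "$device"` (or `readlink -f`) returns the target directly. mapperdev and logvol are neither initialised nor declared local, so when nothing matches the function prints whatever an earlier call or the caller left in those names instead of nothing; put `mapperdev= logvol=` at the top. The identical function in the mkinitrd @@ -133 hunk has the same issues, and the two copies already diverge (`find` here versus `findall` there), which argues for one shared definition. The @@ -11 hunk sources all of /etc/rc.d/init.d/functions just for get_numeric_dev; pulling in the whole init-script library into new-kernel-pkg is worth a comment or a narrower helper.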
>@@ -130,6 +158,42 @@
> cfgLilo=""
> fi
>
>+ # check if root is encrypted and convert /dev/mapper/root to real
>+ # block device if it is (inverse of code in mkinitrd)
>+ if [ ${rootdevice%/*} = /dev/mapper ] \
>+ && cryptsetup status $rootdevice | grep cipher >/dev/null; then
>+ # cryptsetup prints the first device node it finds that matches the device type,
>+ # major number and minor number; this may be /dev/root and not, e.x., /dev/hda1.
>+ cryptsetupdevice=$(cryptsetup status $rootdevice | grep device | awk '{ print $2 }')
>+ traditionaldevice=$(get_traditional_devnod $cryptsetupdevice)
>+
>+ # If the backing device is not a valid block device, then check if the
>+ # cryptdevice is a valid block device and use it instead.
>+ # This helps cover the case where newer rules have disabled the
>+ # dm-# devices but the LVM mappings point to a valid block device.
>+ if [ ! -b "/dev/$traditionaldevice" ] && [ -b "$cryptsetupdevice" ] ; then
>+ traditionaldevice=$cryptsetupdevice
>+ fi
>+
>+ if [ -n "$traditionaldevice" ]; then
>+ if [ "dm-" = ${traditionaldevice%[^-]} ]; then
>+ logvoldevice=$(get_logvol_devnod /dev/$traditionaldevice)
>+ echo "Found backing device $logvoldevice ($traditionaldevice) for $rootdevice"
>+ rootdevice=$logvoldevice
>+ elif [[ "$traditionaldevice" =~ "^/dev/" ]] ; then
>+ logvoldevice=$(get_logvol_devnod $traditionaldevice)
>+ echo "Found backing device $logvoldevice ($traditionaldevice) for $rootdevice"
>+ rootdevice=$logvoldevice
>+ else
>+ echo "Found backing device $traditionaldevice for $rootdevice"
>+ rootdevice=/dev/$traditionaldevice
>+ fi
>+ else
>+ echo "Could not determine traditional device for $cryptsetupdevice"
>+ exit 1
>+ fi
>+ fi
>+
> if [ -n "$cfgGrub" ]; then
> [ -n "$verbose" ] && echo "adding $version to $grubConfig"
>
>diff -Nur mkinitrd-5.1.19.0.2/mkinitrd mkinitrd-5.1.19.0.2/mkinitrd
>--- mkinitrd-5.1.19.0.2/mkinitrd 2006-12-05 10:51:38.000000000 -0500
>+++ mkinitrd-5.1.19.0.2/mkinitrd 2006-12-24 18:08:09.000000000
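Review bot: The prefix test `[ "dm-" = ${traditionaldevice%[^-]} ]` strips exactly one trailing non-dash character, so it recognises only single-digit names such as dm-0; dm-10 and above fall through to the else branch and rootdevice becomes /dev/dm-10 instead of the logical-volume path. Likewise `[[ "$traditionaldevice" =~ "^/dev/" ]]` quotes the pattern, which bash 3.2 and later treat as a literal string, so that branch never matches. A `case "$traditionaldevice" in dm-*) ... ;; /dev/*) ... ;; *) ... ;; esac` expresses both tests without either pitfall. The mkinitrd @@ -835 hunk carries the same two tests and needs the same change; the enclosing install() function continues outside this hunk.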
-0500
>@@ -133,6 +133,32 @@
> echo nash-resolveDevice "$1" | /sbin/nash --forcequiet
> }
>
>+get_traditional_devnod() {
>+ majmin=$(get_numeric_dev dec $1)
>+ findall /sys/block -name dev | while read device ; do \
>+ echo "$majmin" | cmp -s $device && echo $device ; done \
>+ | sed -e 's,.*/\([^/]\+\)/dev,\1,'
>+}
>+
>+# Given /dev/dm-?:
>+# 1. Find the devnod in /dev/mapper that has the same major and minor number.
>+# 2. Find the link in /dev/VolGroup?? that points to this /dev/mapper device.
>+# 3. Print /dev/VolGroup??/LogVol??
>+get_logvol_devnod() {
>+ majmin=$(get_numeric_dev dec $1)
>+
>+ # 1:
>+ for device in /dev/mapper/*; do
>+ [ "$majmin" = "$(get_numeric_dev dec $device)" ] && mapperdev=$device
>+ done
>+ # 2:
>+ for device in /dev/VolGroup??/*; do
>+ [ "$mapperdev" = "$(ls -l $device | awk '{ print $11 }')" ] && logvol=$device
>+ done
>+ # 3:
>+ echo $logvol
>+}
>+
> findmodule() {
> skiperrors=""
>
>@@ -828,6 +854,7 @@
> findmodule -${rootfs}
>
> [ -z "$rootdev" ] && rootdev=$(awk '/^[ \t]*[^#]/ { if ($2 == "/") { print $1; }}' $fstab)
>+
> # check if it's nfsroot
> if [ "$rootfs" == "nfs" -a "x$net_list" == "x" ]; then
> handlenfs $rootdev
>@@ -835,20 +862,59 @@
> elif [ "$rootdev" != "${rootdev##LABEL=}" ]; then
> rootopts=$(echo $rootopts | sed -e 's/^r[ow],//' -e 's/,_netdev//' -e 's/_netdev//' -e 's/,r[ow],$//' -e 's/,r[ow],/,/' -e 's/^r[ow]$/defaults/' -e 's/$/,ro/')
> devname=$(resolve_device_name $rootdev)
>- majmin=$(get_numeric_dev dec $devname)
>- if [ -n "$majmin" ]; then
>- dev=$(findall /sys/block -name dev | while read device ; do \
>- echo "$majmin" | cmp -s $device && echo $device ; done \
>- | sed -e 's,.*/\([^/]\+\)/dev,\1,' )
>- if [ -n "$dev" ]; then
>- vecho "Found root device $dev for $rootdev"
>- rootdev=$dev
>- fi
>+ dev=$(get_traditional_devnod $devname)
>+ if [ -n "$dev" ]; then
>+ vecho "Found root device $dev for $rootdev"
>+ rootdev=/dev/$dev
> fi
> else
> rootopts=$(echo $rootopts | sed -e 's/^r[ow],//' -e 's/,_netdev//' -e 's/_netdev//' -e 's/,r[ow],$//' -e 's/,r[ow],/,/' -e 's/^r[ow]$/defaults/' -e 's/$/,ro/')
> fi
>- [ "$rootfs" != "nfs" ] && handlelvordev $rootdev
>+
>+ # Check if root is encrypted
>+ root_enc=""
>+ if [ ${rootdev%/*} = /dev/mapper ] \
>+ && cryptsetup status $rootdev | grep cipher >/dev/null; then
>+ # cryptsetup prints the first device node it finds that matches the device type,
>+ # major number and minor number; this may be /dev/root and not, e.x., /dev/hda1.
>+ cryptsetupdev=`cryptsetup status $rootdev | grep device | awk '{ print $2 }'`
>+ traditionaldev=$(get_traditional_devnod $cryptsetupdev)
>+
>+ # If the backing device is not a valid block device, then check if the
>+ # cryptdevice is a valid block device and use it instead.
>+ # This helps cover the case where newer rules have disabled the
>+ # dm-# devices but the LVM mappings point to a valid block device.
>+ if [ ! -b "/dev/$traditionaldev" ] && [ -b "$cryptsetupdev" ] ; then
>+ traditionaldev=$cryptsetupdev
>+ fi
>+
>+ if [ -n "$traditionaldev" ]; then
>+ if [ "dm-" = ${traditionaldev%[^-]} ]; then
>+ backingdev=$(get_logvol_devnod /dev/$traditionaldev)
>+ elif [[ "$traditionaldev" =~ "^/dev/" ]] ; then
>+ backingdev=$(get_logvol_devnod $traditionaldev)
>+ else
>+ backingdev=/dev/$traditionaldev
>+ fi
>+ vecho "Found backing device $backingdev for $rootdev"
>+ else
>+ echo "Could not determine backing device, aborting." >&2
>+ exit 1
>+ fi
>+ if ! cryptsetup isLuks ${backingdev}; then
>+ echo "Encryption on $rootdev (backing device ${backingdev} does not use LUKS, aborting." >&2
>+ exit 1
>+ fi
>+ root_enc="yes"
>+ findmodule -dm-crypt
>+ findmodule -blkcipher
>+ findmodule -cbc
>+ findmodule -aes
>+ findmodule -sha256
>+ handlelvordev $backingdev
>+ else
>+ [ "$rootfs" != "nfs" ] && handlelvordev $rootdev
>+ fi
>
> # find the first swap dev which would get used for swsusp
> swsuspdev=$(awk '/^[ \t]*[^#]/ { if ($3 == "swap") { print $1; exit }}' $fstab)
>@@ -1213,7 +1279,7 @@
> done
> unset usb_mounted
>
>-if [ -n "$vg_list" ]; then
>+if [ -n "$vg_list" -o -n "$root_enc" ]; then
> emit "echo Making device-mapper control node"
> emit "mkdmnod"
> fi
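Review bot: The cipher modules are hard-coded (`findmodule -cbc`, `findmodule -aes`, `findmodule -sha256`) regardless of what the volume actually uses, so a LUKS volume created with another cipher, mode or hash gets an initrd that cannot unlock it at boot; the cipher line of `cryptsetup status $rootdev`, which this block already greps for the device, carries the cipher-mode string from which the module list can be derived. The message `"Encryption on $rootdev (backing device ${backingdev} does not use LUKS, aborting."` is missing its closing parenthesis. `cryptsetup status` is also run twice and captured once with backticks and once with $(...); run it once into a variable and grep that. The dm- and =~ prefix tests here have the defects raised on the new-kernel-pkg @@ -130 hunk.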
>@@ -1261,10 +1327,37 @@
> emit "losetup /dev/loop0 /tmpmount/$looppath"
> fi
>
>-emit "echo Creating root device."
>-# mkrootdev does "echo /dev/root /sysroot ext3 defaults,ro 0 0 >/etc/fstab"
>-emit "mkrootdev -t $rootfs -o $rootopts $rootdev"
>-rootdev=/dev/root
>+if [ -n "$root_enc" ]; then
>+ inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"
>+ emit "echo Creating root device"
>+
>+ # FIXME: I need some advice here. In the case of encrypted filesystems,
>+ # the "backing" root device is something like /dev/hda6 ($backingdev) and
>+ # the "used" root device is something like /dev/mapper/root ($rootdev).
>+ # mkrootdev should create the "backing" root device but should write
>+ # the "used" root device to /etc/fstab. I modified mkrootdev to allow
>+ # this but the result is ugly:
>+ emit "mkrootdev -n $rootdev -t $rootfs -o $rootopts $backingdev"
>+
>+ # unlock /dev/root, make accesible at /dev/mapper/root
>+ if [ -f /etc/root-key ]; then
>+ vecho "Found root key at /etc/root-key, installing at $MNTIMAGE/root-key"
>+ vecho "Initrd's volume MUST BE REMOVABLE AND PROTECTED"
>+ cp /etc/root-key $MNTIMAGE/root-key
>+ emit "cryptsetup -d /root-key luksOpen /dev/root root"
>+ else
>+ vecho "Assuming manual passphrase entry"
>+ emit "cryptsetup luksOpen /dev/root root < /dev/console > /dev/console"
>+ fi
>+
>+ # /dev/root is encrypted, /dev/mapper/root is plaintext
>+ rootdev=/dev/mapper/root
>+else
>+ emit "echo Creating root device."
>+ # mkrootdev does "echo /dev/root /sysroot ext3 defaults,ro 0 0 >/etc/fstab"
>+ emit "mkrootdev -n $rootdev -t $rootfs -o $rootopts $rootdev"
>+ rootdev=/dev/root
>+fi
>
> emit "echo Mounting root filesystem."
> emit "mount /sysroot"
>diff -Nur mkinitrd-5.1.19.0.2/nash/nash.c mkinitrd-5.1.19.0.2/nash/nash.c
>--- mkinitrd-5.1.19.0.2/nash/nash.c 2006-09-14 13:47:49.000000000 -0400
>+++ mkinitrd-5.1.19.0.2/nash/nash.c 2006-12-24 18:08:00.000000000 -0500
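Review bot: `cp /etc/root-key $MNTIMAGE/root-key` places the volume key inside the initrd with nothing enforcing the "MUST BE REMOVABLE AND PROTECTED" warning that precedes it: cp without -p does not carry over the source mode, and the finished image gets whatever mode the rest of mkinitrd assigns, so a key inside a world-readable image in /boot defeats the encryption. The script should at least refuse (or demand an explicit option) when /etc/root-key is readable by anyone other than root, copy with `cp -p`, and make sure the output image is created 0600, for example by setting `umask 077` before the image is written. The passphrase-mode unlock redirects stdin and stdout to /dev/console but not stderr, so cryptsetup's error text may never reach the user; append `2>&1` to that emit line. `inst /sbin/cryptsetup` assumes the binary's shared libraries are already in the image, which is worth confirming.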
>@@ -1421,7 +1421,7 @@
> int i;
> FILE *fstab;
> struct mntent mnt = {
>- .mnt_fsname = "/dev/root",
>+ .mnt_fsname = NULL,
> .mnt_dir = "/sysroot",
> .mnt_type = NULL,
> .mnt_opts = NULL,
>@@ -1444,7 +1444,13 @@
>
> i = 0;
> while ((cmd = getArg(cmd, end, &chptr))) {
>- if (!strcmp(chptr, "-t")) {
>+ if (!strcmp(chptr, "-n")) {
>+ cmd = getArg(cmd, end, &mnt.mnt_fsname);
>+ if (!cmd) {
>+ eprintf("mkrootdev: expected real mount device name\n");
>+ return 1;
>+ }
>+ } else if (!strcmp(chptr, "-t")) {
> cmd = getArg(cmd, end, &mnt.mnt_type);
> if (!cmd) {
> eprintf("mkrootdev: expected fs type\n");
>@@ -1477,6 +1483,10 @@
> return 1;
> }
>
>+ if (!mnt.mnt_fsname) {
>+ eprintf("mkrootdev: expected real mount device name\n");
>+ return 1;
>+ }
> if (!mnt.mnt_type) {
> eprintf("mkrootdev: expected fs type\n");
> return 1;
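Review bot: Changing the initialiser to `.mnt_fsname = NULL,` and then rejecting a missing value in the @@ -1477 hunk makes `-n` a mandatory argument, so any existing initrd or script that runs mkrootdev in the old form now fails with "expected real mount device name"; keeping the previous `.mnt_fsname = "/dev/root",` default and letting `-n` override it preserves the old command syntax and makes the added check unnecessary. In the @@ -1444 hunk the message for a missing `-n` operand duplicates the string added at @@ -1477; one shared constant keeps them in step. The `&mnt.mnt_fsname` argument mirrors how `-t` fills mnt_type through getArg, so that part reads consistently. The enclosing function starts before and ends after these hunks.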