Red Hat Bugzilla – Attachment 157728 Details for
Bug 238079
Support encrypted root filesystems
Patch again mkinitrd 6.0.9, man and bin
mkinitrd-6.0.9-rootencryption.patch (text/plain), 18.91 KB, created by
tswan
on 2007-06-25 00:06:34 UTC
Description:
Patch against mkinitrd 6.0.9, man and bin
Filename:
MIME Type:
Creator:
tswan
Created:
2007-06-25 00:06:34 UTC
Size:
18.91 KB
patch
obsolete
>diff -ru ../mkinitrd-6.0.9.old/mkinitrd ./mkinitrd
>--- ../mkinitrd-6.0.9.old/mkinitrd 2007-06-18 00:31:45.000000000 -0500
>+++ ./mkinitrd 2007-06-18 00:32:53.000000000 -0500
>@@ -23,6 +23,7 @@
> # Bill Nottingham <notting@redhat.com>
> # Guillaume Cottenceau <gc@mandrakesoft.com>
> # Peter Jones <pjones@redhat.com>
>+# Thomas Swan <thomas.swan@gmail.com>
> 
> if [ $UID != 0 ]; then
> error "mkinitrd must be run as root."
>@@ -40,7 +41,7 @@
> # password (chap secret), so only allow read by owner.
> umask 077
> 
>-VERSION=6.0.9
>+VERSION=6.0.8
> 
> PROBE="yes"
> MODULES=""
>@@ -50,8 +51,13 @@
> LD_SO_CONF=/etc/ld.so.conf
> LD_SO_CONF_D=/etc/ld.so.conf.d/
> 
>+CRYPTODEVICES=""
>+CRYPTOMODS="DEFAULT"
>+
> [ -e /etc/sysconfig/mkinitrd ] && . /etc/sysconfig/mkinitrd
> 
>+crypto_reps=0
>+crypto_omit=0
> CONFMODS="$MODULES"
> MODULES=""
> 
>@@ -106,7 +112,9 @@
> $cmd " [--force-ide-probe] [--force-scsi-probe | --omit-scsi-modules]"
> $cmd " [--image-version] [--force-raid-probe | --omit-raid-modules]"
> $cmd " [--with=<module>] [--force-lvm-probe | --omit-lvm-modules]"
>- $cmd " [--builtin=<module>] [--omit-dmraid] [--net-dev=<interface>]"
>+ $cmd " [--builtin=<module>] [--net-dev=<interface>] [--config=<config>]"
>+ $cmd " [--nocrypto] [--crypto-module=<module>|DEFAULT|ALL] [--omit-dmraid] "
>+ $cmd " [--crypto-dev=<device>[@<key-device>,<key-device-fstype>][:<key-file>]"
> $cmd " [--fstab=<fstab>] [--nocompress] <initrd-image> <kernel-version>"
> $cmd ""
> $cmd " (ex: `basename $0` /boot/initrd-2.2.5-15.img 2.2.5-15)"
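Review bot: `VERSION=6.0.9` becomes `VERSION=6.0.8` in the `@@ -40,7 +41,7 @@` hunk, which lowers the version string of a file the diff header itself names as mkinitrd-6.0.9, and nothing in the attachment description motivates it. Read together with the removal of `locatemodule`, `scsi_wait_scan`, the `fw-sbp2` branch and the nosegneg library preference in the next hunks, of `inst /sbin/rmmod`, `installmodule` and the `mdadm` handling further down, and of the `echo Booting has failed.` / `sleep -1` lines at the end of the rc script, this looks like a diff taken against an older tree rather than a set of deliberate changes. I would regenerate the patch against a clean 6.0.9 checkout so that only the crypto, config-file and usage changes remain, and drop the version line from it entirely.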
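Review bot: The usage text added here advertises `--nocrypto`, but the parser arm added later in this patch matches `--omit-crypt*` and the man page documents `--omit-crypto`, so the spelling shown to the user is the one that is not recognised; pick one name (the man page's `--omit-crypto` is the natural choice) and use it in all three places. The `--crypto-dev=` line is also missing its closing bracket: `$cmd " [--crypto-dev=<device>[@<key-device>,<key-device-fstype>][:<key-file>]]"`. `--config=<config>` is advertised as well, but no parser arm for it appears anywhere in this patch; if it lives in an unshown part of the file that is fine, otherwise it should be added or taken out of the usage line.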
>@@ -120,29 +128,10 @@
> 
> moduledep() {
> vecho -n "Looking for deps of module $1"
>- deps=""
> deps=$(modprobe --set-version $kernel --show-depends $1 2>/dev/null| awk '/^insmod / { print gensub(".*/","","g",$2) }' | while read foo ; do [ "${foo%%.ko}" != "$1" ] && echo -n "${foo%%.ko} " ; done)
> [ -n "$deps" ] && vecho ": $deps" || vecho
> }
> 
>-locatemodule() {
>- fmPath=$(modprobe --set-version $kernel --show-depends $1 2>/dev/null | awk '/^insmod / { print $2; }' | tail -1)
>- if [ -n "$fmPath" -a -f "$fmPath" ]; then
>- return 0
>- fi
>- for modExt in o.gz o ko ; do
>- for modDir in /lib/modules/$kernel/updates /lib/modules/$kernel ; do
>- if [ -d $modDir ]; then
>- fmPath=$(findone $modDir -name $1.$modExt)
>- if [ -n "$fmPath" -a -f "$fmPath" ]; then
>- return 0
>- fi
>- fi
>- done
>- done
>- return 1
>-}
>-
> findone() {
> echo nash-find "$@" | /sbin/nash --force --quiet \
> | /bin/awk '{ print $1; exit; }'
>@@ -206,20 +195,6 @@
> EOF
> exit 1
> fi
>- case "$FILE" in
>- /lib*)
>- LIBDIR=`echo "$FILE" | sed 's,\(/lib[^/]*\)/.*$,\1,'`
>- BASE=`basename "$FILE"`
>- # Prefer nosegneg libs over direct segment accesses on i686.
>- if [ -f "$LIBDIR/i686/nosegneg/$BASE" ]; then
>- FILE="$LIBDIR/i686/nosegneg/$BASE"
>- # Otherwise, prefer base libraries rather than their optimized
>- # variants.
>- elif [ -f "$LIBDIR/$BASE" ]; then
>- FILE="$LIBDIR/$BASE"
>- fi
>- ;;
>- esac
> dynamic="yes"
> let n++
> done
>@@ -227,7 +202,6 @@
> DSO_DEPS="${FILES[@]}"
> }
> 
>-scsi_wait_scan="no"
> findmodule() {
> skiperrors=""
> 
>@@ -269,10 +243,6 @@
> findmodule ieee1394
> findmodule ohci1394
> modName="sbp2"
>- elif [ "$modName" = "fw-sbp2" ]; then
>- findmodule fw-core
>- findmodule fw-ohci
>- modName="fw-sbp2"
> elif [ "$modName" = "gfs2" ]; then
> findmodule lock_nolock
> modName="gfs2"
>@@ -295,14 +265,21 @@
> usbModName=""
> fi
> 
>-
>- deps=""
> moduledep $modName
> for i in $deps; do
> findmodule $i
> done
> 
>- locatemodule $modName
>+ for modExt in o.gz o ko ; do
>+ for modDir in /lib/modules/$kernel/updates /lib/modules/$kernel ; do
>+ if [ -d $modDir ]; then
>+ fmPath=$(findone $modDir -name $modName.$modExt)
>+ if [ -f "$fmPath" ]; then
>+ break 2
>+ fi
>+ fi
>+ done
>+ done
> 
> if [ ! -f $fmPath ]; then
> if [ -n "$skiperrors" ]; then
>@@ -333,16 +310,6 @@
> for n in $PRESCSIMODS ; do
> findmodule $n
> done
>- locatemodule scsi_wait_scan
>- if [ -n "$fmPath" -a -f "$fmPath" ]; then
>- scsi_wait_scan="yes"
>- fi
>- if [ "$scsi_wait_scan" == "yes" ]; then
>- moduledep scsi_wait_scan
>- for i in $deps ; do
>- findmodule $i
>- done
>- fi
> fi
> }
> 
>@@ -440,12 +407,7 @@
> get_dso_deps "$file"
> local DEPS="$DSO_DEPS"
> for x in $DEPS ; do
>- l=`echo "$x" | sed -n 's,\(/lib[^/]*\)/.*$,\1,p'`
>- if [ -n "$l" ]; then
>- inst "$x" "$root" "$l"/`basename "$x"`
>- else
>- inst "$x" "$root"
>- fi
>+ inst "$x" "$root"
> done
> RET=$?
> fi
>@@ -614,6 +576,93 @@
> addnetdev $netdev
> }
> 
>+findallcryptomods() {
>+ local cryptomods=""
>+ cryptomods="$cryptomods dm-crypt"
>+ cryptomods="$cryptomods blkcipher"
>+ for modName in `find /lib/modules/$1/kernel/crypto/ -type f | sed 's/.*\/\(.*\)\..*/\1/'` ; do
>+ cryptomods="$cryptomods $modName"
>+ done
>+ echo $cryptomods
>+}
>+
>+execconfig() {
>+ if [ -e ${CONFIG} ] ; then
>+ local OPTIONS
>+ while read config ; do
>+ config=${config/##*/}
>+ config=${config/#\{ , \}*//}
>+ config=${config/%*\{ , \}//}
>+ if [ -n ${config} ] ; then
>+ OPTIONS="${OPTIONS} ${config}"
>+ fi
>+ done < /etc/mkinitrd.conf
>+ if [ -n "${OPTIONS}" ] ; then
>+ OPTIONS="--noconfig ${OPTIONS} $*"
>+ exec $progname ${OPTIONS}
>+ fi
>+ fi
>+}
>+
>+emit_crypto() {
>+ let crypto_reps=${crypto_reps}+1
>+ for i in $CRYPTODEVICES ; do
>+ # We want a complete predictable name for the encrypted device
>+ # to use with device-mapper. ... Assume nothing!
>+ crypto_device=${i%%@*}
>+ crypto_device=${crypto_device%%:*}
>+ crypto_mapper_name=${crypto_device##/dev/}
>+ crypto_mapper_name=`echo ${crypto_mapper_name} | sed 's!/!_!g'`
>+ crypto_key_file=""
>+ crypto_key_device=""
>+ crypto_key_tmp=""
>+ if [ ${i##*:} != ${i} ] ; then
>+ crypto_key_file=${i##*:}
>+ crypto_key_tmp=${i%%:*}
>+ crypto_key_tmp=${crypto_key_tmp##*@}
>+ fi
>+ if [ -n "$crypto_key_tmp" -a "${crypto_key_tmp}" != "${crypto_device}" ] ; then
>+ crypto_key_device=${crypto_key_tmp%%,*}
>+ crypto_key_device_fs=${crypto_key_tmp##*,}
>+ crypto_key_file=${crypto_key_file##/}
>+ if [ ${crypto_key_device} == ${crypto_key_tmp} ] ; then
>+ echo "Crypto: No fstype specified for external crypto key:"
>+ echo " ${i}"
>+ exit 211
>+ fi
>+ fi
>+ emit "echo Decrypting ${crypto_device} (Round ${crypto_reps})"
>+ if [ -n "${crypto_key_device}" ] ; then
>+ # Mount the filesystem with the key, and decrypt using the key
>+ # on the mounted media.
>+ emit "mount -t ${crypto_key_device_fs} -o ro ${crypto_key_device} /crypto/mount"
>+ emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name} -d /crypto/mount/${crypto_key_file}"
>+ emit "umount /crypto/mount"
>+ if [ $crypto_reps == 1 ] ; then
>+ vecho -n "Crypto: Decrypt ${crypto_device} using external keyfile ${crypto_key_file} "
>+ vecho "located on ${crypto_key_device} mounted as an ${crypto_key_device_fs} filesystem "
>+ fi
>+ elif [ -n "${crypto_key_file}" ] ; then
>+ # Embed the key in the initrd image. * Useful if /boot is a removable drive *
>+ emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name} -d /crypto/"`basename ${crypto_key_file}`
>+ if [ ! -f "$MNTIMAGE/crypto/$(basename ${crypto_key_file})" ] ; then
>+ if ! inst ${crypto_key_file} "$MNTIMAGE/crypto/$(basename ${crypto_key_file})" ; then
>+ echo "Unable to import key file ${crypto_key_file}"
>+ exit 1
>+ fi
>+ fi
>+ if [ $crypto_reps == 1 ] ; then
>+ vecho "Crypto: Decrypt ${crypto_device} using embedded keyfile imported from ${crypto_key_file}"
>+ fi
>+ else
>+ emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name}"
>+ if [ $crypto_reps == 1 ] ; then
>+ vecho "Crypto: Decrypt ${crypto_device} using passphrase decryption"
>+ fi
>+ fi
>+ done
>+}
>+
> handleraid() {
> local start=0
> 
>@@ -734,6 +783,22 @@
> addnetdev $netdev
> }
> 
>+option_next=1
>+for option in $@ ; do
>+ let option_next=$option_next+1
>+ case $option in
>+ --noconfig*)
>+ config=0
>+ ;;
>+ esac
>+done
>+unset option_next
>+
>+if [ "$config" == "1" ] ; then
>+ progname=$0
>+ execconfig $@
>+fi
>+
> while [ $# -gt 0 ]; do
> case $1 in
> --fstab*)
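Review bot: `execconfig` guards on `[ -e ${CONFIG} ]` but then reads the fixed path `/etc/mkinitrd.conf`; `CONFIG` is never assigned in this patch, and with it unset the unquoted test collapses to `[ -e ]`, which is true, so the redirect fails loudly whenever that file is absent. The function then runs `exec $progname ${OPTIONS}` with `$*` folded into `OPTIONS`, so every word from the config file and from the caller's own arguments is re-split and glob-expanded before being handed to a root process. Rewritten below with one quoted path, `read -r`, an array for the collected words and `"$@"` for the original arguments; the two `\{ , \}` expansions match the literal text `{ , }` rather than whitespace and are dropped because the array assignment already trims it, `[ -n "${config}" ]` is quoted so blank lines are skipped, and `config` is made local so it no longer clobbers the flag of the same name used by the caller. In the same hunk, `emit_crypto` copies the key file into `$MNTIMAGE/crypto/` in the embedded-key branch, so the key sits in cleartext inside the generated image; a comment there such as `# The key is stored unencrypted in the image: its secrecy relies on the umask 077 set above and on the image file's permissions` would make that trade-off explicit. Whether the main option loop accepts `--noconfig` is not visible in this hunk.
```shell
execconfig() {
  local conf=${CONFIG:-/etc/mkinitrd.conf}
  local -a options=()
  local config
  if [ -e "$conf" ] ; then
    while read -r config ; do
      config=${config/##*/}
      if [ -n "${config}" ] ; then
        # unquoted on purpose: one config line may carry several options
        options+=( ${config} )
      fi
    done < "$conf"
    if [ ${#options[@]} -gt 0 ] ; then
      exec $progname --noconfig "${options[@]}" "$@"
    fi
  fi
}
```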
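Review bot: The pre-scan loop iterates `for option in $@` and later calls `execconfig $@`, both unquoted, so any argument containing whitespace or glob characters is split before the real parser sees it; `"$@"` in both places keeps arguments intact. `option_next` is incremented on every iteration and then `unset`, but nothing reads it, so the `option_next=1`, `let` and `unset option_next` lines are dead code. The `[ "$config" == "1" ]` test only fires if `config` was initialised to 1 somewhere; no such assignment is visible in this patch, and if it is missing `execconfig` never runs. Note too that `--noconfig` is recognised only by this pre-scan; whether the main `while` loop's `case` accepts it without an unknown-option error is outside this hunk.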
>@@ -907,6 +972,31 @@
> shift
> fi
> ;;
>+ --omit-crypt*)
>+ crypto_omit=1
>+ ;;
>+ --crypto-module*)
>+ crypto=1
>+ if [ "$1" != "${1##--crypto-module=}" ]; then
>+ modname="${1##--crypto-module=}"
>+ else
>+ modname="$2"
>+ if [ -z "$2" ] ; then
>+ modname="DEFAULT"
>+ fi
>+ fi
>+ CRYPTOMODS="$CRYPTOMODS $modname"
>+ ;;
>+ --crypto-dev*)
>+ crypto=1
>+ cryptodevice=""
>+ if [ "$1" != "${1##--crypto-dev=}" ]; then
>+ cryptodevice="${1##--crypto-dev=}"
>+ else
>+ cryptodevice="$2"
>+ fi
>+ CRYPTODEVICES="$CRYPTODEVICES $cryptodevice"
>+ ;;
> --help)
> usage -n
> ;;
>@@ -957,6 +1047,27 @@
> exit 1
> fi
> 
>+if [ $crypto_omit == 1 ] ; then
>+ unset $CRYPTODEVICES
>+ unset $CRYPTOMODS
>+fi
>+
>+if [ -n "$CRYPTOMODS" ] ; then
>+ for modname in $CRYPTOMODS ; do
>+ case $modname in
>+ ALL)
>+ PREMODS="$PREMODS "`findallcryptomods $kernel`
>+ ;;
>+ DEFAULT)
>+ PREMODS="$PREMODS dm-crypt blkcipher aes cbc sha256 crypto_null"
>+ ;;
>+ *)
>+ PREMODS="$PREMODS $modname"
>+ ;;
>+ esac
>+ done
>+fi
>+
> vecho "Creating initramfs"
> modulefile=/etc/modprobe.conf
> 
>@@ -1110,6 +1221,9 @@
> findmodule -dm-mirror
> findmodule -dm-zero
> findmodule -dm-snapshot
>+ if [ -n "$CRYPTODEVICES" -o -n "$CRYPTOMODS" ] ; then
>+ findmodule -dm-crypt
>+ fi
> 
> RAIDS=$(/sbin/dmraid -s -craidname 2>/dev/null | grep -vi "no raid disks")
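Review bot: In the new `--crypto-module*` and `--crypto-dev*` arms, when the value comes from `$2` (the `--crypto-dev /dev/sda2` form) the consumed argument is never shifted, whereas the arm visible just above ends its `$2` branch with `shift`; the value is therefore re-read on the next iteration as an ordinary argument, most likely being taken as the image name. Add `shift` once the `$2` value has been consumed in each arm, guarded by `[ -n "$2" ]` in the module arm, e.g. `cryptodevice="$2"` followed by `shift`. A `--crypto-module` with no value also silently appends `DEFAULT` to a `CRYPTOMODS` that already starts as `DEFAULT`, so the default module set is listed twice; reporting the missing value through the usual usage error would be clearer.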
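Review bot: `unset $CRYPTODEVICES` and `unset $CRYPTOMODS` expand the variables before `unset` sees them, so with the defaults set at the top of the script this executes `unset DEFAULT` (and a bare `unset` for the empty device list) and leaves both variables untouched; `--omit-crypto` therefore omits nothing, and the `if [ -n "$CRYPTOMODS" ]` block right below still adds the DEFAULT module set. The fix is to name the variables: `unset CRYPTODEVICES CRYPTOMODS`. Because both values may also come from `/etc/sysconfig/mkinitrd`, the man page entry for `--omit-crypto` should say that it overrides the sysconfig settings too. The `DEFAULT` arm also pulls in `crypto_null`, which the man page's description of DEFAULT (`aes cbc and sha256`) does not mention; either drop it or document why it is needed.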
> 
>@@ -1241,28 +1355,31 @@
> ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
> 
> inst /sbin/insmod "$MNTIMAGE" /bin/insmod
>-inst /sbin/rmmod "$MNTIMAGE" /bin/rmmod
>+
>+if [ -n "$CRYPTODEVICEES" -o -n "$CRYPTOMODS" ] ; then
>+ mkdir -p $MNTIMAGE/crypto
>+ mkdir -p $MNTIMAGE/crypto/mount
>+fi
> 
> if [ -e /etc/fstab.sys ]; then
> inst /etc/fstab.sys "$MNTIMAGE"
> fi
> 
>-installmodule()
>-{
>+if [ -n "$CRYPTODEVICEES" -o -n "$CRYPTOMODS" ] ; then
>+ inst /sbin/cryptsetup "$MNTIMAGE/"
>+fi
>+
>+for MODULE in $MODULES; do
> if [ -x /usr/bin/strip ]; then
>- /usr/bin/strip -g $verbose $1 -o $MNTIMAGE/lib/$(basename $1)
>+ /usr/bin/strip -g $verbose $MODULE -o $MNTIMAGE/lib/$(basename $MODULE)
> else
>- cp $verbose -a $1 $MNTIMAGE/lib
>+ cp $verbose -a $MODULE $MNTIMAGE/lib
> fi
>- for fw in $(/sbin/modinfo -F firmware $1 2>/dev/null); do
>+ for fw in $(/sbin/modinfo -F firmware $MODULE 2>/dev/null); do
> if [ -f /lib/firmware/$fw ]; then
> cp $verbose -a /lib/firmware/$fw $MNTIMAGE/lib/firmware/
> fi
> done
>-}
>-
>-for MODULE in $MODULES; do
>- installmodule $MODULE
> done
> 
> # mknod'ing the devices instead of copying them works both with and
>@@ -1292,13 +1409,6 @@
> mknod $MNTIMAGE/dev/efirtc c 10 136
> fi
> 
>-if [ -n "$raiddevices" ]; then
>- inst /sbin/mdadm "$MNTIMAGE"
>- if [ -f /etc/mdadm.conf ]; then
>- inst /etc/mdadm.conf "$MNTIMAGE"
>- fi
>-fi
>-
> # FIXME -- this can really go poorly with clvm or duplicate vg names.
> # nash should do lvm probing for us and write its own configs.
> if [ -n "$vg_list" ]; then
>@@ -1355,14 +1465,6 @@
> emit "echo Creating block device nodes."
> emit "mkblkdevs"
> 
>-if [ "$scsi_wait_scan" == "yes" ]; then
>- locatemodule scsi_wait_scan
>- if [ -n "$fmPath" -a -f "$fmPath" ]; then
>- vecho "Adding module scsi_wait_scan"
>- installmodule $fmPath
>- fi
>-fi
>-
> usb_mounted="prep"
> for MODULE in $MODULES; do
> text=""
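Review bot: Both new conditions in this hunk test `"$CRYPTODEVICEES"`, a misspelling of `CRYPTODEVICES`, so the `-n` check on the device list is always false; the `/crypto` directories and `/sbin/cryptsetup` are currently installed only because `CRYPTOMODS` defaults to `DEFAULT`. Once `--omit-crypto` is fixed to actually clear the variables, or if a sysconfig file sets `CRYPTOMODS` empty while still listing devices, `emit_crypto` would keep emitting `cryptsetup luksOpen` lines into an image that contains neither the binary nor the `/crypto/mount` mount point. Change both lines to `if [ -n "$CRYPTODEVICES" -o -n "$CRYPTOMODS" ] ; then`, and consider folding the two blocks into one since they test the same condition.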
>@@ -1420,7 +1522,7 @@
> EOF
> done
> fi
>- if [ "${module::5}" == "pata_" -o "$module" == "ata_piix" -o "$module" == "ahci" -o "${module::5}" == "sata_" -o "$module" == "ibmvscsic" ]; then
>+ if [ "${module::5}" == "pata_" -o "$module" == "ata_piix" -o "$module" == "ahci" -o "${module::5}" == "sata_" ]; then
> emit "echo Waiting for driver initialization."
> emit "stabilized --hash --interval 250 /proc/scsi/scsi"
> fi
>@@ -1442,21 +1544,22 @@
> 
> emit_iscsi
> 
>-if [ "$scsi_wait_scan" == "yes" ]; then
>- emit "insmod /lib/scsi_wait_scan.ko"
>- emit "rmmod scsi_wait_scan"
>-fi
>-
> # HACK: module loading + device creation isn't necessarily synchronous...
> # this will make sure that we have all of our devices before trying
> # things like RAID or LVM
> emit "mkblkdevs"
> 
>+# Chickens and eggs. Because you can encrypt both LV's and the devices
>+# containing containing LV's, we need try to try to decrypt twice or we
>+# need to be far more clever.
>+emit_crypto
>+
> emitdms
> 
> if [ -n "$raiddevices" ]; then
> for dev in $raiddevices; do
>- emit "mdadm -As --auto=yes --run /dev/${dev}"
>+ cp -a /dev/${dev} $MNTIMAGE/dev
>+ emit "raidautorun /dev/${dev}"
> done
> fi
> 
>@@ -1467,6 +1570,14 @@
> emit "lvm vgchange -ay --ignorelockingfailure $vg_list"
> fi
> 
>+# Eggs and chickens. Try decrypting just in case any LV's are encrypted.
>+# We need to do to this before resuming on the off chance that swap has been
>+# encrypted with a permanent key.
>+#
>+# If the volume has already been decrypted, no harm has been done doing it
>+# twice.
>+emit_crypto
>+
> if [ -z "$noresume" -a -n "$swsuspdev" ]; then
> emit "resume $swsuspdev"
> fi
>@@ -1502,8 +1613,6 @@
> 
> emit "echo Switching to new root and running init."
> emit "switchroot"
>-emit "echo Booting has failed."
>-emit "sleep -1"
> 
> chmod +x $RCFILE
> 
>diff -ru ../mkinitrd-6.0.9.old/mkinitrd.8 ./mkinitrd.8
>--- ../mkinitrd-6.0.9.old/mkinitrd.8 2005-12-07 21:00:09.000000000 -0600
>+++ ./mkinitrd.8 2007-06-18 00:32:42.000000000 -0500
>@@ -3,12 +3,14 @@
> mkinitrd \- creates initial ramdisk images for preloading modules
> .SH SYNOPSIS
> \fBmkinitrd\fR [--version] [-v] [-f]
>- [--preload=\fImodule\fR] [--omit-scsi-modules]
>+ [--preload=\fImodule\fR]
>+ [--crypto-module=(ALL|DEFAULT|\fImodule\fR)]
>+ [--crypto-dev=\fIdevice\fR[@\fIkey-device\fR,\fIkey-device-fstype\fR][:\fIkey\fR]]
>+ [--omit-crypto] [--omit-scsi-modules]
> [--omit-raid-modules] [--omit-lvm-modules]
> [--with=\fImodule\fR] [--image-version]
>- [--fstab=\fIfstab\fR] [--nocompress]
>- [--builtin=\fImodule\fR] [--nopivot]
>- \fIimage\fR \fIkernel-version\fR
>+ [--fstab=\fIfstab\fR] [--nocompress] [--nopivot]
>+ [--builtin=\fImodule\fR] \fIimage\fR \fIkernel-version\fR
> 
> .SH DESCRIPTION
> \fBmkinitrd\fR creates an initial image used by the kernel for
>@@ -36,6 +38,63 @@
> exist. This option may be used multiple times.
> 
> .TP
>+\fB-\-crypto-module=\fR\fI(module|ALL|DEFAULT)\fR
>+Specify a crypto \fImodule\fR to preload.
>+
>+\fB--crypto-module=DEFAULT\fR will load aes cbc and sha256 crypto modules
>+\fB--crypto-module=ALL\fR will load all available crypto modules.
>+
>+This option may be used multiple times.
>+
>+This option can be persistently kept as CRYPTOMODS=
>+in \fI/etc/sysconfig/mkinitrd\fR
>+
>+.TP
>+\fB-\-crypto-dev=\fR\fIdevice\fR[@\fIkey-device\fR,\fIkey-device-fstype\fR][:\fIkey\fR]]
>+Specify the encrypted device to decrypt prior to mounting. Password
>+decryption is supported by default. <key-device> may use any mount identifier
>+such as LABEL= or UUID= in addition to the physical device identifier. When
>+using <key-device>, <key-device-fstype> \fImust\fR be specified.
>+<device> must not be listed in \fB/etc/crypttab\fR because it will
>+decrypted before init begins. This option may be used multiple times.
>+
>+-\-crypto-dev=\fIdevice\fR
>+<dev> is the device to decrypt.
>+
>+-\-crypto-dev=\fIdevice\fR:\fI/path/to/key\fR
>+\fIdevice\fR is the device to decrypt. The file located at \fI/path/to/key\fR will
>+be embedded in the initrd.img file and used to decrypt \fIdevice\fR.
>+
>+-\-crypto-dev=\fIdevice\fR@\fIkey-device\fR,\fIkey-device-fstype\fR:\fI/path/to/key\fR
>+\fIdevice\fR is the device to decrypt. \fIkey-device\fR is the device containing the key
>+file used to decrypt \fIdevice\fR. \fIkey-device-fstype\fR is the filesystem type for \fIkey-device\fR:
>+eg. ext2. \fI/path/to/key\fR is the key file \fIrelative\fR to the root of
>+<dev2>.
>+
>+This option can be persistently kept as CRYPTODEVICES=
>+in \fI/etc/sysconfig/mkinitrd\fR
>+
>+Examples
>+
>+-\-crypto-dev=/dev/hdb1 would try to decrypt /dev/hdb1 using a password
>+entered by the user during the boot process.
>+
>-\-crypto-dev=/dev/hdb1:/media/flash/my.key would embed /media/flash/my.key
>+in the initrd image file to and use that key to decrypt /dev/hdb1.
>+
>+-\-crypto-dev=/dev/hdb1@LABEL=flash,ext2:/my.key would try to decrypt
>+/dev/hdb1 using the key, "/my.key", located on an unencrypted ext2
>+filesystem with the label, "flash". During boot, it will mount
>+the the LABEL=flash device read-only, and use the key on the disk to decrypt
>+the specified device, /dev/hdb1. Then the LABEL=flash device would be
>+unmounted before continuing. \fIThe key device must be present during
>+system boot.\fR
>+
>+.TP
>+\fB-\-version\fR
>+Prints the version of \fBmkinitrd\fR that's being used and then exits.
>+
>+.TP
> \fB-f\fR
> Allows \fBmkinitrd\fR to overwrite an existing image file.
> 
>@@ -63,6 +122,11 @@
> option is not recommended, and will be removed in future versions.
> 
> .TP
>+\fB-\-omit-crypto
>+Do not load any cryptographic modules, even if specified on \fBmkinitrd\fR's
>+command line.
>+
>+.TP
> \fB-\-omit-lvm-modules
> Do not load any lvm modules, even if /etc/fstab expects them.
> 
>@@ -114,7 +178,12 @@
> Specifies SCSI modules to be loaded and module options to be used.
> \fI(only used on kernels < 2.6)\fR
> 
>+.TP 20
>+\fI/etc/sysconfig/mkinitrd\fR
>+Specifies persistent options to be used with mkinitrd.
>+
> .PD
> .SH "SEE ALSO"
>+.BR cryptsetup (8),
> .BR fstab (5),
> .BR insmod (1)