Attachment 161910 Details for Bug 124789 – Diff between previous patch and current patch with encrypted PV

[patch] Diff between previous patch and current patch with encrypted PV

old_to_new_patch.diff (text/plain), 7.35 KB, created by Kevin R. Page on 2007-08-20 17:56:29 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Kevin R. Page

Created: 2007-08-20 17:56:29 UTC

Size: 7.35 KB

patch

obsolete

>--- old_patched	2007-08-20 14:38:46.000000000 +0100
>+++ new_patched	2007-08-20 15:28:45.000000000 +0100
>@@ -167,6 +167,15 @@
>         | sed -e 's,.*/$[^/]\+$/dev,\1,'
> }
> 
>+get_mapper_dev() {
>+    majmin=$(get_numeric_dev dec "$1")
>+
>+    for device in /dev/mapper/*; do
>+        [ "$majmin" = "$(get_numeric_dev dec $device)" ] && mapperdev=$device
>+    done
>+    echo $mapperdev
>+}
>+
> # Given /dev/dm-?:
> # 1.  Find the devnod in /dev/mapper that has the same major and minor number.
> # 2.  Find the link in /dev/VolGroup?? that points to this /dev/mapper device.
>@@ -1054,9 +1063,52 @@
>         rootopts=$(echo $rootopts | sed -e 's/^r[ow],//' -e 's/,_netdev//' -e 's/_netdev//' -e 's/,r[ow],$//' -e 's/,r[ow],/,/' -e 's/^r[ow]$/defaults/' -e 's/$/,ro/')
>     fi
> 
>-    # Check if root is encrypted
>+
>+    # Check if root is encrypted, first if as an encrypted Physical Volume,
>+    # then if encrypted upon a Logical Volume or normal block device
>     root_enc=""
>-    if [ ${rootdev%/*} = /dev/mapper ] \
>+    root_enc_pv=""
>+
>+    # Get the underlying PVs for $rootdev - if it has any
>+    root_pvs=$(lvdisplay -m $rootdev 2>/dev/null | awk '/Physical volume/ {print $3}')
>+    # If any PVs were found, check iff one is encrypted
>+    if [[ -n "${root_pvs}" ]] ; then
>+       for test_pv in $root_pvs; do
>+          # vgdisplay will return the first matching device (e.g. /dev/dm-X)
>+          # whilst cryptsetup needs a /dev/mapper/* device. Any valid crypt
>+          # device will have an entry in /dev/mapper/ anyway, of course.
>+          mapper_test_pv=$(get_mapper_dev $test_pv)
>+          if [ -n "${mapper_test_pv}" ] \
>+          && cryptsetup status $mapper_test_pv |grep cipher >/dev/null; then
>+             if [ -n "${crypt_pv}" ] ; then
>+                echo "$rootdev has multiple encrypted Physical Volumes; only one is supported. Aborting."
>+                exit 1
>+             else
>+                crypt_pv=$mapper_test_pv
>+             fi
>+          fi
>+       done 
>+    fi
>+
>+    if [ -n "${crypt_pv}" ] ; then
>+        # Find the backingdev of the encrypted PV
>+        backingdev=$(cryptsetup status $crypt_pv | awk '/device/ { print $2 }')
>+        vecho "Found encrypted PV $backingdev for $rootdev"
>+
>+        if ! cryptsetup isLuks ${backingdev}; then
>+            echo "Encryption on $rootdev (backing PV device ${backingdev} does not use LUKS, aborting." >&2
>+            exit 1
>+        fi
>+        root_enc_pv="yes"
>+        findmodule -dm-crypt
>+        findmodule -blkcipher
>+        findmodule -cbc
>+        findmodule -aes
>+        findmodule -sha256
>+        handlelvordev $backingdev
>+        handlelvordev $rootdev
>+
>+    elif [ ${rootdev%/*} = /dev/mapper ] \
>        && cryptsetup status $rootdev | grep cipher >/dev/null; then
>         # cryptsetup prints the first device node it finds that matches the device type,
>         # major number and minor number; this may be /dev/root and not, e.x., /dev/hda1.
>@@ -1101,8 +1153,69 @@
> 
>     # find the first swap dev which would get used for swsusp
>     swsuspdev=$(awk '/^[ \t]*[^#]/ { if ($3 == "swap") { print $1; exit }}' $fstab)
>+
>+    # Check if swsuspend is encrypted, first as an encrupted PV, then if
>+    # encrypted upon a Logical Volume or normal block device
>     swsusp_enc=""
>-    if [ ${swsuspdev%/*} = /dev/mapper ] \
>+    swsusp_env_pv=""
>+
>+    # Get the underlying PVs reported for $swsuspdev
>+    swsusp_pvs=$(lvdisplay -m $swsuspdev 2>/dev/null | awk '/Physical volume/ {print $3}')
>+    # If any PVs were found, check iff one is encrypted and if matched that for rootdev
>+    if [[ -n "${swsusp_pvs}" ]] ; then
>+       for test_pv in $swsusp_pvs; do
>+          # vgdisplay will return the first matching device (e.g. /dev/dm-X)
>+          # whilst cryptsetup needs a /dev/mapper/* device. Any valid crypt
>+          # device will have an entry in /dev/mapper/ anyway, of course.
>+          mapper_test_pv=$(get_mapper_dev $test_pv)
>+          if [ -n "${mapper_test_pv}" ] \
>+          && cryptsetup status $mapper_test_pv |grep cipher >/dev/null; then
>+             if [ -n "${scrypt_pv}" ] ; then
>+                echo "$swsuspdev has multiple encrypted Physical Volumes; only one is supported. Aborting."
>+                exit 1
>+             else
>+                scrypt_pv=$mapper_test_pv
>+                if [ -n "$root_enc_pv" ] && [ "$scrypt_pv" != "$crypt_pv" ] ; then
>+                   echo "$rootdev and $swsuspdev are split across different encrypted PVs. Aborting."
>+                   exit 1
>+                fi
>+             fi
>+          fi
>+       done 
>+    fi
>+
>+    if [ -n "${scrypt_pv}" ] ; then
>+       if [ -n "${root_enc_pv}" ]; then
>+          # If root is also encrypted, the backing device must be the same
>+          sbackingdev=$backingdev
>+          vecho "Matching encrypted PV $sbackingdev for $swsuspdev"
>+       else
>+          # Find the backingdev of the encrypted PV
>+          sbackingdev=$(cryptsetup status $scrypt_pv | awk '/device/ { print $2 }')
>+          vecho "Found encrypted PV $sbackingdev for $swsuspdev"
>+
>+          if ! cryptsetup isLuks ${sbackingdev}; then
>+              echo "Encryption on $swsuspdev (backing PV device ${sbackingdev}) does not use LUKS, aborting." >&2
>+              exit 1
>+          fi
>+
>+          findmodule -dm-crypt
>+          findmodule -blkcipher
>+          findmodule -cbc
>+          findmodule -aes
>+          findmodule -sha256
>+
>+       fi
>+
>+       handlelvordev $sbackingdev
>+       swsusp_env_pv="yes"
>+
>+       if [ "$swsuspdev" == "${swsuspdev##LABEL=}" -o \
>+            "$swsuspdev" == "${swsuspdev##UUID=}" ]; then
>+           handlelvordev $swsuspdev
>+       fi
>+
>+    elif [ ${swsuspdev%/*} = /dev/mapper ] \
>        && cryptsetup status $swsuspdev | grep cipher >/dev/null; then
>         # cryptsetup prints the first device node it finds that matches the
>         # device type, major number and minor number .
>@@ -1543,7 +1656,7 @@
> done
> unset usb_mounted
> 
>-if [ -n "$vg_list" -o -n "$root_enc" -o -n "$swsusp_enc" ]; then
>+if [ -n "$vg_list" -o -n "$root_enc" -o -n "$swsusp_enc" -o -n "$root_env_pv" -o -n "$swsusp_env_pv" ]; then
>     emit "echo Making device-mapper control node"
>     emit "mkdmnod"
> fi
>@@ -1576,6 +1689,22 @@
>     done
> fi
> 
>+if [ -n "$root_enc_pv" -o -n "$swsusp_enc_pv" ]; then
>+    inst /sbin/cryptsetup "$MNTIMAGE" "/bin/cryptsetup"
>+    emit "echo Unlocking encrypted PV"
>+
>+    # unlock device, and make accesible at /dev/mapper/cryptpv
>+    if [ -f /etc/pv-key ]; then
>+        vecho "Found swsusp key at /etc/pv-key, installing at $MNTIMAGE/pv-key"
>+        vecho "Initrd's volume MUST BE REMOVABLE AND PROTECTED"
>+        cp /etc/pv-key $MNTIMAGE/pv-key
>+        emit "cryptsetup -d /pv-key luksOpen ${backingdev} cryptpv"
>+    else
>+        vecho "Assuming manual passphrase entry for encrypted PV"
>+        emit "cryptsetup luksOpen ${backingdev} cryptpv < /dev/console > /dev/console"
>+    fi
>+fi
>+
> if [ -n "$vg_list" ]; then
>     emit "echo Scanning logical volumes"
>     emit "lvm vgscan --ignorelockingfailure"
>@@ -1609,7 +1738,12 @@
>     emit "losetup /dev/loop0 /tmpmount/$looppath"
> fi
> 
>-if [ -n "$root_enc" ]; then
>+if [ -n "$root_enc_pv" ]; then
>+    emit "echo Creating root device"
>+    # unlocking $backingdev and making accesible was completed above
>+    emit "mkrootdev -n $rootdev -t $rootfs -o $rootopts $backingdev"
>+
>+elif [ -n "$root_enc" ]; then
>     inst /sbin/cryptsetup "$MNTIMAGE" "/bin/cryptsetup"
>     emit "echo Creating root device"
>

Actions: View | Diff

Attachments on bug 124789: 100700 | 101270 | 101644 | 102779 | 103215 | 103216 | 103419 | 105456 | 107752 | 107778 | 108173 | 113508 | 115668 | 117763 | 133932 | 134108 | 134534 | 134535 | 134536 | 134537 | 134538 | 135006 | 135462 | 135894 | 136049 | 141591 | 143860 | 144351 | 147835 | 148297 | 154948 | 155547 | 155901 | 159957 | 161831 | 161832 | 161909 | 161910 | 161912 | 255221 | 269101 | 289833