Red Hat Bugzilla – Attachment 161910 Details for
Bug 124789
[PATCH] Add encrypted root filesystem support to mkinitrd
[patch]
Diff between previous patch and current patch with encrypted PV
old_to_new_patch.diff (text/plain), 7.35 KB, created by
Kevin R. Page
on 2007-08-20 17:56:29 UTC
Description:
Diff between previous patch and current patch with encrypted PV
Filename:
MIME Type:
Creator:
Kevin R. Page
Created:
2007-08-20 17:56:29 UTC
Size:
7.35 KB
>--- old_patched 2007-08-20 14:38:46.000000000 +0100
>+++ new_patched 2007-08-20 15:28:45.000000000 +0100
>@@ -167,6 +167,15 @@
> | sed -e 's,.*/\([^/]\+\)/dev,\1,'
> }
>
>+get_mapper_dev() {
>+ majmin=$(get_numeric_dev dec "$1")
>+
>+ for device in /dev/mapper/*; do
>+ [ "$majmin" = "$(get_numeric_dev dec $device)" ] && mapperdev=$device
>+ done
>+ echo $mapperdev
>+}
>+
> # Given /dev/dm-?:
> # 1. Find the devnod in /dev/mapper that has the same major and minor number.
> # 2. Find the link in /dev/VolGroup?? that points to this /dev/mapper device.
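Review bot: `get_mapper_dev` never checks that `majmin` is non-empty, so if `get_numeric_dev` prints nothing for both the argument and some `/dev/mapper/*` entry (its behaviour on a non-block node is not visible here), the empty-to-empty comparison succeeds and an unrelated mapper device is handed back to the callers that go on to run `cryptsetup status` on it. A guard such as `[ -n "$majmin" ] || return 1` before the loop, together with `local majmin device mapperdev=` and quoting `"$device"` in the inner call, would make the lookup fail closed. The hunk opens inside the preceding function, whose start is outside the hunk.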
>@@ -1054,9 +1063,52 @@
> rootopts=$(echo $rootopts | sed -e 's/^r[ow],//' -e 's/,_netdev//' -e 's/_netdev//' -e 's/,r[ow],$//' -e 's/,r[ow],/,/' -e 's/^r[ow]$/defaults/' -e 's/$/,ro/')
> fi
>
>- # Check if root is encrypted
>+
>+ # Check if root is encrypted, first if as an encrypted Physical Volume,
>+ # then if encrypted upon a Logical Volume or normal block device
> root_enc=""
>- if [ ${rootdev%/*} = /dev/mapper ] \
>+ root_enc_pv=""
>+
>+ # Get the underlying PVs for $rootdev - if it has any
>+ root_pvs=$(lvdisplay -m $rootdev 2>/dev/null | awk '/Physical volume/ {print $3}')
>+ # If any PVs were found, check iff one is encrypted
>+ if [[ -n "${root_pvs}" ]] ; then
>+ for test_pv in $root_pvs; do
>+ # vgdisplay will return the first matching device (e.g. /dev/dm-X)
>+ # whilst cryptsetup needs a /dev/mapper/* device. Any valid crypt
>+ # device will have an entry in /dev/mapper/ anyway, of course.
>+ mapper_test_pv=$(get_mapper_dev $test_pv)
>+ if [ -n "${mapper_test_pv}" ] \
>+ && cryptsetup status $mapper_test_pv |grep cipher >/dev/null; then
>+ if [ -n "${crypt_pv}" ] ; then
>+ echo "$rootdev has multiple encrypted Physical Volumes; only one is supported. Aborting."
>+ exit 1
>+ else
>+ crypt_pv=$mapper_test_pv
>+ fi
>+ fi
>+ done
>+ fi
>+
>+ if [ -n "${crypt_pv}" ] ; then
>+ # Find the backingdev of the encrypted PV
>+ backingdev=$(cryptsetup status $crypt_pv | awk '/device/ { print $2 }')
>+ vecho "Found encrypted PV $backingdev for $rootdev"
>+
>+ if ! cryptsetup isLuks ${backingdev}; then
>+ echo "Encryption on $rootdev (backing PV device ${backingdev} does not use LUKS, aborting."
>&2
>+ exit 1
>+ fi
>+ root_enc_pv="yes"
>+ findmodule -dm-crypt
>+ findmodule -blkcipher
>+ findmodule -cbc
>+ findmodule -aes
>+ findmodule -sha256
>+ handlelvordev $backingdev
>+ handlelvordev $rootdev
>+
>+ elif [ ${rootdev%/*} = /dev/mapper ] \
> && cryptsetup status $rootdev | grep cipher >/dev/null; then
> # cryptsetup prints the first device node it finds that matches the device type,
> # major number and minor number; this may be /dev/root and not, e.x., /dev/hda1.
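Review bot: `crypt_pv` is tested with `[ -n "${crypt_pv}" ]` but, unlike `root_enc` and `root_enc_pv`, it is never cleared before the loop, so a value inherited from the environment would either trigger the "multiple encrypted Physical Volumes" abort or be passed to `cryptsetup status` as though it had been detected. Adding `crypt_pv=""` next to `root_enc_pv=""` closes that, and `scrypt_pv` in the `-1101` hunk needs the same treatment. The first abort message is also written to stdout while the LUKS one uses `>&2`, and the LUKS message lacks the closing parenthesis after `${backingdev}`. The enclosing block starts and ends outside the hunk.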
>@@ -1101,8 +1153,69 @@
>
> # find the first swap dev which would get used for swsusp
> swsuspdev=$(awk '/^[ \t]*[^#]/ { if ($3 == "swap") { print $1; exit }}' $fstab)
>+
>+ # Check if swsuspend is encrypted, first as an encrupted PV, then if
>+ # encrypted upon a Logical Volume or normal block device
> swsusp_enc=""
>- if [ ${swsuspdev%/*} = /dev/mapper ] \
>+ swsusp_env_pv=""
>+
>+ # Get the underlying PVs reported for $swsuspdev
>+ swsusp_pvs=$(lvdisplay -m $swsuspdev 2>/dev/null | awk '/Physical volume/ {print $3}')
>+ # If any PVs were found, check iff one is encrypted and if matched that for rootdev
>+ if [[ -n "${swsusp_pvs}" ]] ; then
>+ for test_pv in $swsusp_pvs; do
>+ # vgdisplay will return the first matching device (e.g. /dev/dm-X)
>+ # whilst cryptsetup needs a /dev/mapper/* device. Any valid crypt
>+ # device will have an entry in /dev/mapper/ anyway, of course.
>+ mapper_test_pv=$(get_mapper_dev $test_pv)
>+ if [ -n "${mapper_test_pv}" ] \
>+ && cryptsetup status $mapper_test_pv |grep cipher >/dev/null; then
>+ if [ -n "${scrypt_pv}" ] ; then
>+ echo "$swsuspdev has multiple encrypted Physical Volumes; only one is supported. Aborting."
>+ exit 1
>+ else
>+ scrypt_pv=$mapper_test_pv
>+ if [ -n "$root_enc_pv" ] && [ "$scrypt_pv" != "$crypt_pv" ] ; then
>+ echo "$rootdev and $swsuspdev are split across different encrypted PVs. Aborting."
>+ exit 1
>+ fi
>+ fi
>+ fi
>+ done
>+ fi
>+
>+ if [ -n "${scrypt_pv}" ] ; then
>+ if [ -n "${root_enc_pv}" ]; then
>+ # If root is also encrypted, the backing device must be the same
>+ sbackingdev=$backingdev
>+ vecho "Matching encrypted PV $sbackingdev for $swsuspdev"
>+ else
>+ # Find the backingdev of the encrypted PV
>+ sbackingdev=$(cryptsetup status $scrypt_pv | awk '/device/ { print $2 }')
>+ vecho "Found encrypted PV $sbackingdev for $swsuspdev"
>+
>+ if ! cryptsetup isLuks ${sbackingdev}; then
>+ echo "Encryption on $swsuspdev (backing PV device ${sbackingdev}) does not use LUKS, aborting."
>&2
>+ exit 1
>+ fi
>+
>+ findmodule -dm-crypt
>+ findmodule -blkcipher
>+ findmodule -cbc
>+ findmodule -aes
>+ findmodule -sha256
>+
>+ fi
>+
>+ handlelvordev $sbackingdev
>+ swsusp_env_pv="yes"
>+
>+ if [ "$swsuspdev" == "${swsuspdev##LABEL=}" -o \
>+ "$swsuspdev" == "${swsuspdev##UUID=}" ]; then
>+ handlelvordev $swsuspdev
>+ fi
>+
>+ elif [ ${swsuspdev%/*} = /dev/mapper ] \
> && cryptsetup status $swsuspdev | grep cipher >/dev/null; then
> # cryptsetup prints the first device node it finds that matches the
> # device type, major number and minor number .
>@@ -1543,7 +1656,7 @@
> done
> unset usb_mounted
>
>-if [ -n "$vg_list" -o -n "$root_enc" -o -n "$swsusp_enc" ]; then
>+if [ -n "$vg_list" -o -n "$root_enc" -o -n "$swsusp_enc" -o -n "$root_env_pv" -o -n "$swsusp_env_pv" ]; then
> emit "echo Making device-mapper control node"
> emit "mkdmnod"
> fi
>@@ -1576,6 +1689,22 @@
> done
> fi
>
>+if [ -n "$root_enc_pv" -o -n "$swsusp_enc_pv" ]; then
>+ inst /sbin/cryptsetup "$MNTIMAGE" "/bin/cryptsetup"
>+ emit "echo Unlocking encrypted PV"
>+
>+ # unlock device, and make accesible at /dev/mapper/cryptpv
>+ if [ -f /etc/pv-key ]; then
>+ vecho "Found swsusp key at /etc/pv-key, installing at $MNTIMAGE/pv-key"
>+ vecho "Initrd's volume MUST BE REMOVABLE AND PROTECTED"
>+ cp /etc/pv-key $MNTIMAGE/pv-key
>+ emit "cryptsetup -d /pv-key luksOpen ${backingdev} cryptpv"
>+ else
>+ vecho "Assuming manual passphrase entry for encrypted PV"
>+ emit "cryptsetup luksOpen ${backingdev} cryptpv < /dev/console > /dev/console"
>+ fi
>+fi
>+
> if [ -n "$vg_list" ]; then
> emit "echo Scanning logical volumes"
> emit "lvm vgscan --ignorelockingfailure"
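Review bot: The flag set in the `-1101` hunk is spelled `swsusp_env_pv`, but the `-1576` hunk tests `$swsusp_enc_pv`, which nothing visible assigns, so with swap on an encrypted PV and root elsewhere the block that installs `cryptsetup` and emits `luksOpen` is skipped. The `-1543` hunk has the mirror problem: it tests `$root_env_pv`, while the root branch sets `root_enc_pv`. Settling on the `_enc_pv` spelling at every site, i.e. `swsusp_enc_pv=""` and `swsusp_enc_pv="yes"` in the swap branch and `-o -n "$root_enc_pv" -o -n "$swsusp_enc_pv"` in the `mkdmnod` condition, makes the three places agree. The enclosing block of the `-1101` hunk extends beyond the hunk.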
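Review bot: In the `-1576` hunk, `cp /etc/pv-key $MNTIMAGE/pv-key` places the LUKS key inside the initrd image, and the only caution is a `vecho`, which presumably prints only in verbose mode; anyone able to read the finished image can then open the PV. I would print the warning unconditionally, for example `echo "WARNING: /etc/pv-key is being copied into the initrd; keep the image on removable, protected media" >&2`, and document that the image must not be left world-readable (where the image file's mode is set is outside this hunk). Separately, both `emit` lines use `${backingdev}`, which the visible hunks assign only in the root branch; when only the swap PV is encrypted the device is in `sbackingdev`, so the emitted `luksOpen` would carry no device argument. The first `vecho` also calls it a "swsusp key" although it unlocks the PV.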
>@@ -1609,7 +1738,12 @@
> emit "losetup /dev/loop0 /tmpmount/$looppath"
> fi
>
>-if [ -n "$root_enc" ]; then
>+if [ -n "$root_enc_pv" ]; then
>+ emit "echo Creating root device"
>+ # unlocking $backingdev and making accesible was completed above
>+ emit "mkrootdev -n $rootdev -t $rootfs -o $rootopts $backingdev"
>+
>+elif [ -n "$root_enc" ]; then
> inst /sbin/cryptsetup "$MNTIMAGE" "/bin/cryptsetup"
> emit "echo Creating root device"
>
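Review bot: The comment above the new `mkrootdev` line does not explain why `$backingdev` is its final argument, and in the `-1054` hunk that variable holds the raw device underneath the LUKS mapping, not the logical volume that becomes reachable after `luksOpen ... cryptpv` and the volume-group scan. What `-n` and the last argument mean to `mkrootdev` is not visible in this diff, so this may be intended; the comment should then state which device root is actually mounted from and why the raw LUKS device is passed. If the last argument is the device that gets mounted, it would need to be `$rootdev` instead. The `elif` branch continues past the end of the hunk.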