#!/bin/sh

#
# Standard initramfs preamble
#
prereqs()
{
	echo ""
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

#
# Helper functions
#

# Print the cipher name used to build the loop_<cipher> module name for
# encryption type $1. Prints nothing when no extra module is requested.
decode_cipher() {
	local cipher

	case "$1" in
	twofish*)
		echo twofish
		;;
	blowfish*)
		echo blowfish
		;;
	serpent*)
		echo serpent
		;;
	mars*|rc6*|tripleDES)
		echo "WARNING| (loop-aes) Don't know how to handle encryption type $1" 1>&2
		;;
	NONE|XOR|AES*)
		;;
	*)
		echo "WARNING| (loop-aes) Unknown encryption type $1" 1>&2
		;;
	esac
}
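
# Run command $1 once per cipher in the colon-separated list $2,
# passing the matching loop_<cipher> module name.
iterate_cipher_module() {
	local cipher cmd="$1"
	local IFS=":"
	# Split the list on ":" first, then restore a space IFS so that
	# $cmd (e.g. "modprobe -q") is split into command and arguments.
	set -- $2
	IFS=" "
	for cipher in "$@"; do
		$cmd "loop_${cipher}"
	done
}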

get_options()
{
	# Do we have any settings from the /conf/conf.d/loopaes file?
	[ -r /conf/conf.d/loopaes ] && . /conf/conf.d/loopaes
	loopaes_opts="${LOOPAESOPTS}"

	# Does the kernel boot command line override them?
	for x in $(cat /proc/cmdline); do
		case $x in
		loopaesopts=*)
			loopaes_opts=${x#loopaesopts=}
			;;
		esac
	done

	# Sanity check
	if [ -z "${loopaes_opts}" ]; then
		# Apparently the root partition isn't encrypted
		echo "No root-on-loop configured, skipping"
		exit 0
	fi

	# Options are separated by commas and/or spaces
	local opt cipher
	local IFS=", "
	for opt in $loopaes_opts; do
		case $opt in
		encryption=*)
			# Plain quotes here: escaped quotes would be passed to
			# decode_cipher literally and no cipher would ever match.
			cipher="$(decode_cipher "${opt#encryption=}")"
			if [ -n "$cipher" ]; then
				rootencryption="${rootencryption}${rootencryption:+:}${cipher}"
			fi
			losetup_opts="${losetup_opts} -e ${opt#encryption=}"
			;;
		offset=*)
			losetup_opts="${losetup_opts} -o ${opt#offset=}"
			;;
		sizelimit=*)
			losetup_opts="${losetup_opts} -s ${opt#sizelimit=}"
			;;
		pseed=*)
			losetup_opts="${losetup_opts} -S ${opt#pseed=}"
			;;
		phash=*)
			losetup_opts="${losetup_opts} -H ${opt#phash=}"
			;;
		loinit=*)
			losetup_opts="${losetup_opts} -I ${opt#loinit=}"
			;;
		itercountk=*)
			losetup_opts="${losetup_opts} -C ${opt#itercountk=}"
			;;
		gpgkey=*)
			losetup_opts="${losetup_opts} -K ${opt#gpgkey=}"
			;;
		gpghome=*)
			rootgpghome=${opt#gpghome=}
			;;
		loop=*)
			rootloop=${opt#loop=}
			;;
		*)
			# Presumably a non-supported or filesystem option
			;;
		esac
	done
}

load_keymap()
{
	if [ -x /bin/loadkeys ] && [ -r /etc/boottime.kmap.gz ]; then
		loadkeys -q /etc/boottime.kmap.gz
	fi
}

#
# Begin real processing
#

# define crypto variables
get_options

# Default GnuPG home directory when gpghome= was not given
if [ -z "${rootgpghome}" ]; then
	rootgpghome=/.gnupg
fi
losetup_opts="${losetup_opts} -G ${rootgpghome}"

if [ -z "${rootloop}" ]; then
	echo "root on loop enabled, but no loop device given"
	exit 1
fi

# Load the loop driver and any additional cipher modules
modprobe -q loop
iterate_cipher_module "modprobe -q" "$rootencryption"

# Wait until the loop device node exists
while ! [ -b "${rootloop}" ]; do
	sleep 1
done

# If possible, load the keymap so that the user can input non-en characters
load_keymap

# Use /sbin/losetup to make sure that we get the loopaes modified one,
# not the busybox one.
/sbin/losetup ${losetup_opts} "${rootloop}" "$ROOT"

# init can now pick up new FSTYPE, FSSIZE and ROOT
echo "ROOT=\"${rootloop}\"" >> /conf/param.conf

exit 0