[pkg-cryptsetup-devel] Bug#994486: cryptsetup-initramfs: include askpass only when needed?
Christoph Anton Mitterer
calestyo at scientia.net
Thu Sep 16 16:41:17 BST 2021
Package: cryptsetup-initramfs
Version: 2:2.4.0-1
Severity: wishlist
Hi.
I think it would be nice if askpass was only included when actually
needed.
That seems to be the case when no keyscript is set and the KEY field is "none",
because:
- if a keyscript is set, it either reads the passphrase on its own (if one is
needed at all) or includes askpass itself (via a hook)
- if KEY is not "none", a key file is used rather than a passphrase
Does the attached patch seem reasonable? (I haven't had the time to test it.)
Cheers,
Chris.
--- /usr/share/initramfs-tools/hooks/cryptroot 2021-08-19 03:11:11.000000000 +0200
+++ cryptroot 2021-09-16 17:37:21.670792197 +0200
@@ -67,45 +67,51 @@
# luck with the unchanged _CRYPTTAB_SOURCE value
fi
- # if keyscript is set, the "key" is just an argument to the script
- if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
- crypttab_key_check || return 1
- case "$CRYPTTAB_KEY" in
- $KEYFILE_PATTERN)
- mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
- # $CRYPTTAB_NAME can't contain '/' (even after unmangling)
- keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
- if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
- cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
- fi
- _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
- ;;
- *)
- if [ "$usage" = rootfs ]; then
- cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
- return 1
- elif [ "$usage" = resume ]; then
- cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
- fi
- if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
- [ "${keyfile#/}" != "$keyfile" ]; then
- cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
- return 1
- elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
- cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
- return 1
- fi
- if [ ! -e "$CRYPTTAB_KEY" ]; then
- cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
- else
- _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name
- fi
- esac
- fi
-
+ # if a keyscript is set
if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then
+ # in this case the "key field" is just an argument to the keyscript
+
copy_exec "$CRYPTTAB_OPTION_keyscript"
+ else
+ # if a key file is set
+ if [ "$CRYPTTAB_KEY" != "none" ]; then
+ crypttab_key_check || return 1
+ case "$CRYPTTAB_KEY" in
+ $KEYFILE_PATTERN)
+ mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
+ # $CRYPTTAB_NAME can't contain '/' (even after unmangling)
+ keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
+ if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
+ cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
+ fi
+ _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
+ ;;
+ *)
+ if [ "$usage" = rootfs ]; then
+ cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
+ return 1
+ elif [ "$usage" = resume ]; then
+ cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
+ fi
+ if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
+ [ "${keyfile#/}" != "$keyfile" ]; then
+ cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
+ return 1
+ elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
+ cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
+ return 1
+ fi
+ if [ ! -e "$CRYPTTAB_KEY" ]; then
+ cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
+ else
+ _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name
+ fi
+ esac
+ else
+ copy_exec /lib/cryptsetup/askpass
+ fi
fi
+
if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then
# (recursively) list first the device to derive the key from (so
# the boot scripts unlock it first); since _CRYPTTAB_* are local
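Review bot: The new `else` branch at the end of the block copies `/lib/cryptsetup/askpass` only when no keyscript is set and KEY is "none", which stops shipping askpass for keyscripts that prompt through it themselves — the decrypt_keyctl and decrypt_gnupg scripts shipped with this package call `/lib/cryptsetup/askpass`, so together with the unconditional copy dropped in the second hunk they would lose their prompt unless this hook also copies askpass in the keyscript branch (for every keyscript not known to run without a prompt, decrypt_derived being one such case). The key-file branch also keeps a target whose key file does not exist at build time (the "non-existing key file" warning is issued without a `return 1`); if the boot-time scripts fall back to prompting in that situation, askpass is needed there too, which is worth confirming before merging. As a point of style, the nested `else` / `if` can be flattened to `elif [ "$CRYPTTAB_KEY" != "none" ]; then`, which should avoid re-indenting the large key-file block and keep the diff to the lines that actually change. The enclosing function starts before this hunk.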
@@ -295,7 +301,6 @@
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
-copy_exec /lib/cryptsetup/askpass
# We need sed. Either via busybox or as standalone binary.
if [ "$BUSYBOX" = n ] || [ ! -e "$BUSYBOXDIR/busybox" ]; then