
Root filesystem encryption update



Here's another go.  

This patch applies to the current mkinitrd SRPM set (except the mkinitrd.spec file) and the patched mkinitrd package is available via yum at < http://www.cygnetech.com/linux/repos/>

I incorporated the feedback I have received and have changed the patches to use options stored in /etc/sysconfig/mkinitrd.

I have one option in development that will let you boot and reference the root filesystem by UUID, but it's not finished yet.  The current developmental UUID hack relies on bash and find included in the initrd image, but I want a static binary or cryptsetup patch.

I'm also exploring creating some screens for anaconda, but that's a steep learning curve.

Should encryption be offered as a choice on the disk-partitioning screen, or as an installation-type choice presented right after the greeting?
diff -ru ../mkinitrd-6.0.9.old/mkinitrd ./mkinitrd
--- ../mkinitrd-6.0.9.old/mkinitrd	2007-06-18 00:31:45.000000000 -0500
+++ ./mkinitrd	2007-06-18 00:32:53.000000000 -0500
@@ -23,6 +23,7 @@
 #       Bill Nottingham <notting redhat com>
 #       Guillaume Cottenceau <gc mandrakesoft com>
 #       Peter Jones <pjones redhat com>
+#       Thomas Swan <thomas swan gmail com>
 
 if [ $UID != 0 ]; then
     error "mkinitrd must be run as root."
@@ -40,7 +41,7 @@
 # password (chap secret), so only allow read by owner.
 umask 077
 
-VERSION=6.0.9
+VERSION=6.0.8
 
 PROBE="yes"
 MODULES=""
@@ -50,8 +51,13 @@
 LD_SO_CONF=/etc/ld.so.conf
 LD_SO_CONF_D=/etc/ld.so.conf.d/
 
+CRYPTODEVICES=""
+CRYPTOMODS="DEFAULT"
+
 [ -e /etc/sysconfig/mkinitrd ] && . /etc/sysconfig/mkinitrd
 
+crypto_reps=0
+crypto_omit=0
 CONFMODS="$MODULES"
 MODULES=""
 
@@ -106,7 +112,9 @@
     $cmd "       [--force-ide-probe] [--force-scsi-probe | --omit-scsi-modules]"
     $cmd "       [--image-version] [--force-raid-probe | --omit-raid-modules]"
     $cmd "       [--with=<module>] [--force-lvm-probe | --omit-lvm-modules]"
-    $cmd "       [--builtin=<module>] [--omit-dmraid] [--net-dev=<interface>]"
+    $cmd "       [--builtin=<module>] [--net-dev=<interface>] [--config=<config>]"
+    $cmd "       [--nocrypto] [--crypto-module=<module>|DEFAULT|ALL] [--omit-dmraid] "
+    $cmd "       [--crypto-dev=<device>[@<key-device>,<key-device-fstype>][:<key-file>]"
     $cmd "       [--fstab=<fstab>] [--nocompress] <initrd-image> <kernel-version>"
     $cmd ""
     $cmd "       (ex: `basename $0` /boot/initrd-2.2.5-15.img 2.2.5-15)"
@@ -120,29 +128,10 @@
 
 moduledep() {
     vecho -n "Looking for deps of module $1"
-    deps=""
     deps=$(modprobe --set-version $kernel --show-depends $1 2>/dev/null| awk '/^insmod / { print gensub(".*/","","g",$2) }' | while read foo ; do [ "${foo%%.ko}" != "$1" ] && echo -n "${foo%%.ko} " ; done)
     [ -n "$deps" ] && vecho ": $deps" || vecho
 }
 
-locatemodule() {
-    fmPath=$(modprobe --set-version $kernel --show-depends $1 2>/dev/null | awk '/^insmod / { print $2; }' | tail -1)
-    if [ -n "$fmPath" -a -f "$fmPath" ]; then
-        return 0
-    fi
-    for modExt in o.gz o ko ; do
-        for modDir in /lib/modules/$kernel/updates /lib/modules/$kernel ; do
-            if [ -d $modDir ]; then
-                fmPath=$(findone $modDir -name $1.$modExt)
-                if [ -n "$fmPath" -a -f "$fmPath" ]; then
-                    return 0
-                fi
-            fi
-        done
-    done
-    return 1
-}
-
 findone() {
     echo nash-find "$@" | /sbin/nash --force --quiet \
         | /bin/awk '{ print $1; exit; }'
@@ -206,20 +195,6 @@
 EOF
             exit 1
         fi
-       case "$FILE" in
-         /lib*)
-           LIBDIR=`echo "$FILE" | sed 's,\(/lib[^/]*\)/.*$,\1,'`
-           BASE=`basename "$FILE"`
-           # Prefer nosegneg libs over direct segment accesses on i686.
-           if [ -f "$LIBDIR/i686/nosegneg/$BASE" ]; then
-             FILE="$LIBDIR/i686/nosegneg/$BASE"
-           # Otherwise, prefer base libraries rather than their optimized
-           # variants.
-           elif [ -f "$LIBDIR/$BASE" ]; then
-             FILE="$LIBDIR/$BASE"
-           fi
-           ;;
-       esac
         dynamic="yes"
         let n++
     done
@@ -227,7 +202,6 @@
     DSO_DEPS="${FILES[ ]}"
 }
 
-scsi_wait_scan="no"
 findmodule() {
     skiperrors=""
 
@@ -269,10 +243,6 @@
         findmodule ieee1394
         findmodule ohci1394
         modName="sbp2"
-    elif [ "$modName" = "fw-sbp2" ]; then
-        findmodule fw-core
-        findmodule fw-ohci
-        modName="fw-sbp2"
     elif [ "$modName" = "gfs2" ]; then
         findmodule lock_nolock
         modName="gfs2"
@@ -295,14 +265,21 @@
         usbModName=""
     fi
 
-
-    deps=""
     moduledep $modName
     for i in $deps; do
         findmodule $i
     done
 
-    locatemodule $modName
+    for modExt in o.gz o ko ; do
+        for modDir in /lib/modules/$kernel/updates /lib/modules/$kernel ; do
+            if [ -d $modDir ]; then
+                fmPath=$(findone $modDir -name $modName.$modExt)
+                if [ -f "$fmPath" ]; then
+                    break 2
+                fi
+            fi
+        done
+    done
 
     if [ ! -f $fmPath ]; then
         if [ -n "$skiperrors" ]; then
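Review bot: The inline search that replaces `locatemodule $modName` only assigns `fmPath` inside the `[ -d $modDir ]` guard, so when neither modules directory exists the `[ ! -f $fmPath ]` check below acts on whatever the previous `findmodule` call left in it (unless `findmodule` resets it earlier, which is outside this hunk); it also drops the `modprobe --show-depends` lookup that `locatemodule` tried first. Taken together with `VERSION=6.0.8`, the removed `fw-sbp2`, `scsi_wait_scan`, nosegneg and `mdadm` handling, this looks like the diff was generated against a pre-6.0.9 tree rather than a deliberate change, and the crypto patch should be rebased so only the crypto additions remain. `findmodule` begins outside this hunk.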
@@ -333,16 +310,6 @@
         for n in $PRESCSIMODS ; do
             findmodule $n
         done
-        locatemodule scsi_wait_scan
-        if [ -n "$fmPath" -a -f "$fmPath" ]; then
-            scsi_wait_scan="yes"
-        fi
-        if [ "$scsi_wait_scan" == "yes" ]; then
-            moduledep scsi_wait_scan
-            for i in $deps ; do
-                findmodule $i
-            done
-        fi
     fi
 }
 
@@ -440,12 +407,7 @@
             get_dso_deps "$file"
             local DEPS="$DSO_DEPS"
             for x in $DEPS ; do
-               l=`echo "$x" | sed -n 's,\(/lib[^/]*\)/.*$,\1,p'`
-               if [ -n "$l" ]; then
-                 inst "$x" "$root" "$l"/`basename "$x"`
-               else
-                 inst "$x" "$root"
-               fi
+                inst "$x" "$root"
             done
             RET=$?
         fi
@@ -614,6 +576,93 @@
     addnetdev $netdev
 }
 
+findallcryptomods() {
+    local cryptomods=""
+    cryptomods="$cryptomods dm-crypt"
+    cryptomods="$cryptomods blkcipher"
+    for modName in `find /lib/modules/$1/kernel/crypto/ -type f | sed 's/.*\/\(.*\)\..*/\1/'` ; do
+        cryptomods="$cryptomods $modName"
+    done
+    echo $cryptomods
+}
+
+execconfig() {
+    if [ -e ${CONFIG} ] ; then
+        local OPTIONS
+        while read config ; do 
+            config=${config/##*/}
+            config=${config/#\{ ,    \}*//}
+            config=${config/%*\{ ,    \}//}
+            if [ -n ${config} ] ; then
+                OPTIONS="${OPTIONS} ${config}" 
+            fi
+        done < /etc/mkinitrd.conf
+        if [ -n "${OPTIONS}" ] ; then
+            OPTIONS="--noconfig ${OPTIONS} $*"
+            exec $progname ${OPTIONS}
+        fi
+    fi
+}
+
+emit_crypto() {
+    let crypto_reps=${crypto_reps}+1
+    for i in $CRYPTODEVICES ; do 
+        # We want a complete predictable name for the encrypted device
+        # to use with device-mapper. ... Assume nothing!
+        crypto_device=${i%% *}
+        crypto_device=${crypto_device%%:*}
+        crypto_mapper_name=${crypto_device##/dev/}
+        crypto_mapper_name=`echo ${crypto_mapper_name} | sed 's!/!_!g'`
+        crypto_key_file=""
+        crypto_key_device=""
+        crypto_key_tmp=""
+        if [ ${i##*:} != ${i} ] ; then
+            crypto_key_file=${i##*:}
+            crypto_key_tmp=${i%%:*}
+            crypto_key_tmp=${crypto_key_tmp##* }
+        fi
+        if [ -n "$crypto_key_tmp" -a "${crypto_key_tmp}" != "${crypto_device}" ] ; then
+            crypto_key_device=${crypto_key_tmp%%,*}
+            crypto_key_device_fs=${crypto_key_tmp##*,}
+            crypto_key_file=${crypto_key_file##/}
+            if [ ${crypto_key_device} == ${crypto_key_tmp} ] ; then
+                echo "Crypto: No fstype specified for external crypto key:"
+                echo "   ${i}"
+                exit 211
+            fi
+        fi
+        emit "echo Decrypting ${crypto_device} (Round ${crypto_reps})"
+        if [ -n "${crypto_key_device}" ] ; then
+            # Mount the filesystem with the key, and decrypt using the key
+            # on the mounted media.  
+            emit "mount -t ${crypto_key_device_fs} -o ro ${crypto_key_device} /crypto/mount"
+            emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name} -d /crypto/mount/${crypto_key_file}"
+            emit "umount /crypto/mount"
+            if [ $crypto_reps == 1 ] ; then
+                vecho -n "Crypto: Decrypt ${crypto_device} using external keyfile ${crypto_key_file} "
+                vecho  "located on ${crypto_key_device} mounted as an ${crypto_key_device_fs} filesystem "
+            fi
+        elif [ -n "${crypto_key_file}" ] ; then 
+            # Embed the key in the initrd image.  * Useful if /boot is a removable drive * 
+            emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name} -d /crypto/"`basename ${crypto_key_file}`
+            if [ ! -f "$MNTIMAGE/crypto/$(basename ${crypto_key_file})" ] ; then
+                if ! inst ${crypto_key_file} "$MNTIMAGE/crypto/$(basename ${crypto_key_file})" ; then
+                    echo "Unable to import key file ${crypto_key_file}" 
+                    exit 1
+                fi
+            fi
+            if [ $crypto_reps == 1 ] ; then
+                vecho "Crypto: Decrypt ${crypto_device} using embedded keyfile imported from ${crypto_key_file}"
+            fi
+        else
+            emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name}"
+            if [ $crypto_reps == 1 ] ; then
+                vecho "Crypto: Decrypt ${crypto_device} using passphrase decryption"
+            fi
+        fi
+    done
+}
+
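Review bot: The `<device> <key-device>,<fstype>:<key>` form can never reach the key-device branch of `emit_crypto`, because `for i in $CRYPTODEVICES` word-splits on whitespace, so by the time `crypto_device=${i%% *}` runs `$i` contains no space and `crypto_key_tmp` always equals `crypto_device`; a two-word value instead becomes two entries, the second of which is treated as a device named `LABEL=flash,ext2` with an embedded key. Using the `@` separator the usage text already shows fixes this: `crypto_device=${i%%@*}` and `crypto_key_tmp=${crypto_key_tmp##*@}`, with the man page examples changed to match. For the embedded-key form, add a comment above the `inst` that the key is copied into the image in the clear and is protected only by the image file's mode (the `umask 077` set earlier yields 0600), so anyone who can read or copy the initrd, including from the removable /boot the comment mentions, holds the key, and consider refusing a source key file that is group- or world-readable. In `execconfig`, `${config/#\{ ,    \}*//}` is not a valid glob pattern for stripping whitespace, and the function tests `${CONFIG}` but reads `/etc/mkinitrd.conf`.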
 handleraid() {
     local start=0
 
@@ -734,6 +783,22 @@
     addnetdev $netdev
 }
 
+option_next=1
+for option in $@ ; do 
+    let option_next=$option_next+1
+    case $option in 
+    --noconfig*)
+        config=0
+        ;;
+    esac
+done    
+unset option_next
+
+if [ "$config" == "1" ] ; then 
+    progname=$0
+    execconfig $@
+fi
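Review bot: `execconfig` is only entered when `$config` is `"1"`, but nothing in this patch assigns that value (the pre-scan only sets it to `0`), so unless it is initialised somewhere outside the diff the config-file path is dead; the usage text advertises `--config=<config>` yet no case for it appears in the option parser shown. `option_next` is incremented and then `unset` without ever being read. Call it as `execconfig "$@"` and pass `"$@"` through to the `exec` in `execconfig` rather than unquoted `$*`, so option values containing spaces survive the re-exec.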
+
 while [ $# -gt 0 ]; do
     case $1 in
         --fstab*)
@@ -907,6 +972,31 @@
                 shift
             fi
 	    ;;
+        --omit-crypt*)
+            crypto_omit=1
+            ;;
+        --crypto-module*)
+            crypto=1
+            if [ "$1" != "${1##--crypto-module=}" ]; then
+                modname="${1##--crypto-module=}"
+            else
+                modname="$2"
+                if [ -z "$2" ] ; then
+                    modname="DEFAULT"
+                fi
+            fi
+            CRYPTOMODS="$CRYPTOMODS $modname"
+            ;;
+        --crypto-dev*)
+            crypto=1
+            cryptodevice=""
+            if [ "$1" != "${1##--crypto-dev=}" ]; then
+                cryptodevice="${1##--crypto-dev=}"
+            else
+                cryptodevice="$2"
+            fi
+            CRYPTODEVICES="$CRYPTODEVICES $cryptodevice"
+            ;;
         --help)
             usage -n
             ;;
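Review bot: The two-argument forms `--crypto-module <mod>` and `--crypto-dev <dev>` read `$2` but never `shift` it, unlike the option immediately above this hunk, so the value is parsed again as the next option on the following loop iteration. Add `shift` after `modname="$2"` and after `cryptodevice="$2"` in the `else` branches. The case label `--omit-crypt*` also does not match the `--nocrypto` spelling that the usage text lists; the man page says `--omit-crypto`, so the usage line should read `[--omit-crypto]`.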
@@ -957,6 +1047,27 @@
     exit 1
 fi
 
+if [ $crypto_omit == 1 ] ; then 
+    unset $CRYPTODEVICES
+    unset $CRYPTOMODS
+fi
+
+if [ -n "$CRYPTOMODS" ] ; then
+    for modname in $CRYPTOMODS ; do 
+        case $modname in 
+        ALL)
+            PREMODS="$PREMODS "`findallcryptomods $kernel`
+            ;;
+        DEFAULT)
+            PREMODS="$PREMODS dm-crypt blkcipher aes cbc sha256 crypto_null"
+            ;;
+        *)
+            PREMODS="$PREMODS $modname"
+            ;;
+        esac
+    done
+fi
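Review bot: `unset $CRYPTODEVICES` and `unset $CRYPTOMODS` expand the variables first, so they try to unset variables named after their contents (for example `/dev/hdb1`, which bash rejects as an invalid identifier) and leave `CRYPTODEVICES`/`CRYPTOMODS` intact; `--omit-crypto` therefore has no effect. The fix is `unset CRYPTODEVICES CRYPTOMODS`. Because `CRYPTOMODS` defaults to `DEFAULT`, the `dm-crypt blkcipher aes cbc sha256 crypto_null` set goes into every initrd unless the user opts out, and the man page's "aes cbc and sha256" description should list the same modules.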
+
 vecho "Creating initramfs"
 modulefile=/etc/modprobe.conf
 
@@ -1110,6 +1221,9 @@
         findmodule -dm-mirror
         findmodule -dm-zero
         findmodule -dm-snapshot
+        if [ -n "$CRYPTODEVICES" -o -n "$CRYPTOMODS" ] ; then
+            findmodule -dm-crypt
+        fi
         
         RAIDS=$(/sbin/dmraid -s -craidname 2>/dev/null | grep -vi "no raid disks") 
     
@@ -1241,28 +1355,31 @@
 ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
 
 inst /sbin/insmod "$MNTIMAGE" /bin/insmod
-inst /sbin/rmmod "$MNTIMAGE" /bin/rmmod
+
+if [ -n "$CRYPTODEVICEES" -o -n "$CRYPTOMODS" ] ; then
+    mkdir -p $MNTIMAGE/crypto
+    mkdir -p $MNTIMAGE/crypto/mount
+fi
 
 if [ -e /etc/fstab.sys ]; then
     inst /etc/fstab.sys "$MNTIMAGE"
 fi
 
-installmodule()
-{
+if [ -n "$CRYPTODEVICEES" -o -n "$CRYPTOMODS" ] ; then
+    inst /sbin/cryptsetup "$MNTIMAGE/"
+fi
+
+for MODULE in $MODULES; do
     if [ -x /usr/bin/strip ]; then
-        /usr/bin/strip -g $verbose $1 -o $MNTIMAGE/lib/$(basename $1)
+        /usr/bin/strip -g $verbose $MODULE -o $MNTIMAGE/lib/$(basename $MODULE)
     else
-        cp $verbose -a $1 $MNTIMAGE/lib
+        cp $verbose -a $MODULE $MNTIMAGE/lib
     fi
-    for fw in $(/sbin/modinfo -F firmware $1 2>/dev/null); do
+    for fw in $(/sbin/modinfo -F firmware $MODULE 2>/dev/null); do
         if [ -f /lib/firmware/$fw ]; then
             cp $verbose -a /lib/firmware/$fw $MNTIMAGE/lib/firmware/
         fi
     done
-}
-
-for MODULE in $MODULES; do
-    installmodule $MODULE
 done
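Review bot: Both `if [ -n "$CRYPTODEVICEES" -o -n "$CRYPTOMODS" ]` tests misspell `CRYPTODEVICES`, so the `/crypto` directories and `/sbin/cryptsetup` are installed only because `CRYPTOMODS` happens to default to `DEFAULT`; with an explicitly empty `CRYPTOMODS` in /etc/sysconfig/mkinitrd, a configured `--crypto-dev` would yield an initrd that emits `luksOpen` commands but carries no `cryptsetup` binary. Correct the spelling in both places. This hunk also drops `inst /sbin/rmmod` and inlines `installmodule`, which reverts upstream 6.0.9 changes rather than adding crypto support.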
 
 # mknod'ing the devices instead of copying them works both with and
@@ -1292,13 +1409,6 @@
     mknod $MNTIMAGE/dev/efirtc c 10 136
 fi
 
-if [ -n "$raiddevices" ]; then
-    inst /sbin/mdadm "$MNTIMAGE"
-    if [ -f /etc/mdadm.conf ]; then
-        inst /etc/mdadm.conf "$MNTIMAGE"
-    fi
-fi
-
 # FIXME -- this can really go poorly with clvm or duplicate vg names.
 # nash should do lvm probing for us and write its own configs.
 if [ -n "$vg_list" ]; then
@@ -1355,14 +1465,6 @@
 emit "echo Creating block device nodes."
 emit "mkblkdevs"
 
-if [ "$scsi_wait_scan" == "yes" ]; then
-    locatemodule scsi_wait_scan
-    if [ -n "$fmPath" -a -f "$fmPath" ]; then
-        vecho "Adding module scsi_wait_scan"
-        installmodule $fmPath
-    fi
-fi
-
 usb_mounted="prep"
 for MODULE in $MODULES; do
     text=""
@@ -1420,7 +1522,7 @@
 EOF
         done
     fi
-    if [ "${module::5}" == "pata_" -o "$module" == "ata_piix" -o "$module" == "ahci" -o "${module::5}" == "sata_" -o "$module" == "ibmvscsic" ]; then
+    if [ "${module::5}" == "pata_" -o "$module" == "ata_piix" -o "$module" == "ahci" -o "${module::5}" == "sata_" ]; then
         emit "echo Waiting for driver initialization."
         emit "stabilized --hash --interval 250 /proc/scsi/scsi"
     fi
@@ -1442,21 +1544,22 @@
 
 emit_iscsi
 
-if [ "$scsi_wait_scan" == "yes" ]; then
-    emit "insmod /lib/scsi_wait_scan.ko"
-    emit "rmmod scsi_wait_scan"
-fi
-
 # HACK: module loading + device creation isn't necessarily synchronous...
 # this will make sure that we have all of our devices before trying
 # things like RAID or LVM
 emit "mkblkdevs"
 
+# Chickens and eggs.  Because you can encrypt both LV's and the devices
+# containing containing LV's, we need try to try to decrypt twice or we
+# need to be far more clever.
+emit_crypto
+
 emitdms
 
 if [ -n "$raiddevices" ]; then
     for dev in $raiddevices; do
-        emit "mdadm -As --auto=yes --run /dev/${dev}"
+        cp -a /dev/${dev} $MNTIMAGE/dev
+        emit "raidautorun /dev/${dev}"
     done
 fi
 
@@ -1467,6 +1570,14 @@
     emit "lvm vgchange -ay --ignorelockingfailure $vg_list"
 fi
 
+# Eggs and chickens.  Try decrypting just in case any LV's are encrypted.
+# We need to do to this before resuming on the off chance that swap has been
+# encrypted with a permanent key.  
+#
+# If the volume has already been decrypted, no harm has been done doing it 
+# twice.
+emit_crypto
+
 if [ -z "$noresume" -a -n "$swsuspdev" ]; then
     emit "resume $swsuspdev"
 fi
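Review bot: The comment above the second `emit_crypto` says decrypting twice is harmless, but `cryptsetup luksOpen` on a name that is already mapped fails on the name clash, and for the passphrase form the user may be asked for the passphrase again before that failure is reported (whether the prompt precedes the check depends on the cryptsetup version, which is not visible here); for an external key device the media is also mounted a second time. If nash allows a conditional, skip any `luksOpen` whose `/dev/mapper/<name>` already exists; failing that, change the comment to `# The second round re-runs luksOpen on already-open mappings; passphrase devices may prompt again.` so the behaviour is not misdescribed.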
@@ -1502,8 +1613,6 @@
 
 emit "echo Switching to new root and running init."
 emit "switchroot"
-emit "echo Booting has failed."
-emit "sleep -1"
 
 chmod +x $RCFILE
 
diff -ru ../mkinitrd-6.0.9.old/mkinitrd.8 ./mkinitrd.8
--- ../mkinitrd-6.0.9.old/mkinitrd.8	2005-12-07 21:00:09.000000000 -0600
+++ ./mkinitrd.8	2007-06-18 00:32:42.000000000 -0500
@@ -3,12 +3,14 @@
 mkinitrd \- creates initial ramdisk images for preloading modules
 .SH SYNOPSIS
 \fBmkinitrd\fR [--version] [-v] [-f] 
-         [--preload=\fImodule\fR] [--omit-scsi-modules] 
+         [--preload=\fImodule\fR] 
+         [--crypto-module=(ALL|DEFAULT|\fImodule\fR)]
+         [--crypto-dev=\fIdevice\fR[ \fIkey-device\fR,\fIkey-device-fstype\fR][:\fIkey\fR]]
+         [--omit-crypto] [--omit-scsi-modules] 
          [--omit-raid-modules] [--omit-lvm-modules] 
          [--with=\fImodule\fR] [--image-version]
-         [--fstab=\fIfstab\fR] [--nocompress]
-         [--builtin=\fImodule\fR] [--nopivot]
-         \fIimage\fR \fIkernel-version\fR
+         [--fstab=\fIfstab\fR] [--nocompress] [--nopivot] 
+         [--builtin=\fImodule\fR] \fIimage\fR \fIkernel-version\fR
 
 .SH DESCRIPTION
 \fBmkinitrd\fR creates an initial image used by the kernel for
@@ -36,6 +38,63 @@
 exist. This option may be used multiple times.
 
 .TP
+\fB-\-crypto-module=\fR\fI(module|ALL|DEFAULT)\fR
+Specify a crypto \fImodule\fR to preload. 
+
+\fB--crypto-module=DEFAULT\fR will load aes cbc and sha256 crypto modules
+\fB--crypto-module=ALL\fR will load all available crypto modules. 
+
+This option may be used multiple times.
+
+This option can be persistently kept as CRYPTOMODS= 
+in \fI/etc/sysconfig/mkinitrd\fR
+
+.TP
+\fB-\-crypto-dev=\fR\fIdevice\fR[ \fIkey-device\fR,\fIkey-device-fstype\fR][:\fIkey\fR]]
+Specify the encrypted device to decrypt prior to mounting. Password 
+decryption is supported by default.  <key-device> may use any mount identifier
+such as LABEL= or UUID= in addition to the physical device identifier. When
+using <key-device>, <key-device-fstype> \fImust\fR be specified.
+<device> must not be listed in \fB/etc/crypttab\fR because it will
+decrypted before init begins.  This option may be used multiple times.
+
+-\-crypto-dev=\fIdevice\fR
+<dev> is the device to decrypt.
+
+-\-crypto-dev=\fIdevice\fR:\fI/path/to/key\fR
+\fIdevice\fR is the device to decrypt.  The file located at \fI/path/to/key\fR will
+be embedded in the initrd.img file and used to decrypt \fIdevice\fR.
+
+-\-crypto-dev=\fIdevice\fR \fIkey-device\fR,\fIkey-device-fstype\fR:\fI/path/to/key\fR
+\fIdevice\fR is the device to decrypt.  \fIkey-device\fR is the device containing the key
+file used to decrypt \fIdevice\fR. \fIkey-device-fstype\fR is the filesystem type for \fIkey-device\fR: 
+eg. ext2. \fI/path/to/key\fR is the key file \fIrelative\fR to the root of
+<dev2>.
+
+This option can be persistently kept as CRYPTODEVICES= 
+in \fI/etc/sysconfig/mkinitrd\fR
+
+Examples
+
+-\-crypto-dev=/dev/hdb1 would try to decrypt /dev/hdb1 using a password
+entered by the user during the boot process.
+
+-\-crypto-dev=/dev/hdb1:/media/flash/my.key would embed /media/flash/my.key
+in the initrd image file to and use that key to decrypt /dev/hdb1.
+
+-\-crypto-dev=/dev/hdb1 LABEL=flash,ext2:/my.key would try to decrypt 
+/dev/hdb1 using the key, "/my.key", located on an unencrypted ext2 
+filesystem with the label, "flash".  During boot, it will mount
+the the LABEL=flash device read-only, and use the key on the disk to decrypt
+the specified device, /dev/hdb1.  Then the LABEL=flash device would be 
+unmounted before continuing. \fIThe key device must be present during 
+system boot.\fR
+
+.TP
+\fB-\-version\fR
+Prints the version of \fBmkinitrd\fR that's being used and then exits.
+
+.TP
 \fB-f\fR
 Allows \fBmkinitrd\fR to overwrite an existing image file.
 
@@ -63,6 +122,11 @@
 option is not recommended, and will be removed in future versions.
 
 .TP
+\fB-\-omit-crypto
+Do not load any cryptographic modules, even if specified on \fBmkinitrd\fR's
+command line.
+
+.TP
 \fB-\-omit-lvm-modules 
 Do not load any lvm modules, even if /etc/fstab expects them.
 
@@ -114,7 +178,12 @@
 Specifies SCSI modules to be loaded and module options to be used.
 \fI(only used on kernels < 2.6)\fR
 
+.TP 20
+\fI/etc/sysconfig/mkinitrd\fR
+Specifies persistent options to be used with mkinitrd.
+
 .PD
 .SH "SEE ALSO"
+.BR cryptsetup (8),
 .BR fstab (5),
 .BR insmod (1)
