forked from fuhry/initramfs-scencrypt
-
Notifications
You must be signed in to change notification settings - Fork 0
/
scencrypt-install
98 lines (80 loc) · 3.58 KB
/
scencrypt-install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#!/bin/bash
build() {
local mod
add_module dm-crypt
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules '/crypto/'
fi
if [ -d $BUILDROOT/etc/initcpio/gpg ]; then
echo "WARNING! /etc/initcpio/gpg exists in initramfs buildroot. Huh?"
rm -rf "$BUILDROOT/etc/initcpio/gpg"
fi
mkdir -p $BUILDROOT/etc/initcpio/gpg
chmod 0700 $BUILDROOT/etc/initcpio/gpg
echo "pinentry-program /usr/bin/pinentry" > $BUILDROOT/etc/initcpio/gpg/gpg-agent.conf
add_binary "cryptsetup"
add_binary "dmsetup"
add_binary "gpg"
add_binary "gpg-agent"
add_binary "pinentry-tty"
add_binary "gpg-connect-agent"
add_binary "/usr/lib/gnupg/scdaemon"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
# cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
add_binary "/usr/lib/libgcc_s.so.1"
# add_file "/etc/crypttab" # file is added later line by line
ln -s "pinentry-tty" "$BUILDROOT/usr/bin/pinentry"
# create a tmp dir
mkdir -p $BUILDROOT/tmp
# Iterate over entries in /etc/crypttab looking for regular keyfiles
sed -re 's;#.*$;;g' -e '/^[ \t]*$/ d' /etc/crypttab | awk '{print $3;}' | \
while read f; do
# Path must begin with a slash and must be a regular file
if [ "${f:0:1}" = "/" -a -f "$f" ]; then
# file must end in .gpg
extension="${f##*.}"
if [[ "${extension}" =~ ^(gpg|pgp|asc)$ ]] ; then
# add file line to crypttab
fgrep -w $f /etc/crypttab >> "$BUILDROOT/tmp/crypttab"
# Determine the keyid used to encrypt this keyfile
keyid=$(gpg -q --list-packets --list-only $f 2>&1 | egrep -o '(ID|keyid) [0-9A-F]{16}' | awk '{print $2;}' | tail -1)
# If we got a keyid, export that key. Recent versions of GPG will fail to
# export secret key stubs, so if we don't get any output, export just the
# public key. Note that this means decryption will fail if you add only the
# public key to root's keyring.
if [ -n "$keyid" ]; then
keyfile="$BUILDROOT/tmp/$keyid.asc"
gpg --homedir /root/.gnupg --export-options export-minimal --export-secret-keys -a 0x${keyid} 2>/dev/null > $keyfile
if ! egrep -q '.*' $keyfile; then
gpg --homedir /root/.gnupg --export-options export-minimal --export -a 0x${keyid} > $keyfile
fi
gpg --homedir "$BUILDROOT/etc/initcpio/gpg" --import $keyfile
fi
fi
add_file "$f"
fi
done
# Remove duplicate lines (first sort and then use uniq)
sort "$BUILDROOT/tmp/crypttab" | uniq > "$BUILDROOT/etc/crypttab"
# Remove tmp dir
rm -rf "$BUILDROOT/tmp"
add_runscript
}
help() {
cat <<HELPEOF
This hook adds support for the use of smartcards conforming to the OpenPGP
smartcard standard to Arch's initramfs. Encrypted objects listed in
/etc/crypttab will be decrypted with GnuPG during the initramfs stage if the
keyfile path ends in ".gpg". If GnuPG fails to decrypt the key file, the hook
will prompt for the passphrase instead.
Note that non-LUKS disks are unsupported at this time.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et: