Skip to content

Commit

Permalink
add luks support
Browse files Browse the repository at this point in the history
  • Loading branch information
YukariChiba committed Jan 3, 2025
1 parent 465b1fc commit 7328361
Show file tree
Hide file tree
Showing 9 changed files with 339 additions and 3 deletions.
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ Tiny initramfs written in POSIX shell for eweOS, forked from https://github.com/
- Portable, not distro specific
- Easy to use configuration
- Make time and init time hooks
- LUKS (detached header, key)
- mdev supported
- Resume from swap partition

Expand All @@ -27,6 +28,8 @@ Tiny initramfs written in POSIX shell for eweOS, forked from https://github.com/
- Optional. Required for UUID, LABEL, PARTUUID support
* `mdev` OR CONFIG_UEVENT_HELPER
- Optional. Required for modular kernel, /dev/mapper/* and /dev/disk/* creation
* `cryptsetup`
- Optional. Required for LUKS support
* `busybox loadkmap` OR `kbd loadkeys`
- Optional. Required for keymap support
* `plymouth`
Expand Down
25 changes: 25 additions & 0 deletions config.example.conf
Original file line number Diff line number Diff line change
Expand Up @@ -95,3 +95,28 @@ live_ram_opts="size=50%,mode=0755"

# define keymap file to be used
keymap_path=

###################################
## hook: luks
# activated if "luks" hook is included in hooks

# define luks root partition to be used, unset to use $root and override $root when volume is decrypted
# /dev/xdY or /dev/nvme0nXpY
# LABEL=label
# PARTUUID=partuuid
# UUID=uuid
#luks_root=

# define to allow the use of discard (TRIM) requests for your luks device
# WARNING*: This option may have a negative security impact. For more info read *cryptsetup*(8).
#luks_discard=

# define path to LUKS header
#luks_header=

# define path to LUKS keyfile
#luks_key=

# name to map LUKS device to
# default: crypt-${device##*/}
#luks_name=
37 changes: 36 additions & 1 deletion doc/tinyramfs.5
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
.nh
.ad l
.\" Begin generated content:
.TH "tinyramfs" "5" "2024-12-17" "tinyramfs" "2024-12-03"
.TH "tinyramfs" "5" "2025-01-03" "tinyramfs" "2024-12-03"
.P
.SH NAME
.P
Expand Down Expand Up @@ -108,6 +108,41 @@ keymap_path
Path to your keymap.\&
.P
.RE
.SS LUKS
.P
luks_discard
.P
.RS 4
(bool) Allow the use of discard (TRIM) requests for your luks device.\&
.P
\fBWARNING\fR: This option may have a negative security impact.\& For more info
read \fBcryptsetup\fR(8).\&
.P
.RE
luks_header
.P
.RS 4
Path to your LUKS header.\&
.P
.RE
luks_root
.P
.RS 4
The device your LUKS volume is located on.\&
.P
.RE
luks_name
.P
.RS 4
The name to map your LUKS device to.\&
.P
.RE
luks_key
.P
.RS 4
Path to your LUKS keyfile.\&
.P
.RE
.SS RESUME
.P
resume
Expand Down
25 changes: 25 additions & 0 deletions doc/tinyramfs.5.scd
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,31 @@ keymap_path

Path to your keymap.

## LUKS

luks_discard

(bool) Allow the use of discard (TRIM) requests for your luks device.

*WARNING*: This option may have a negative security impact. For more info
read *cryptsetup*(8).

luks_header

Path to your LUKS header.

luks_root

The device your LUKS volume is located on.

luks_name

The name to map your LUKS device to.

luks_key

Path to your LUKS keyfile.

## RESUME

resume
Expand Down
8 changes: 7 additions & 1 deletion doc/tinyramfs.8
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
.nh
.ad l
.\" Begin generated content:
.TH "tinyramfs" "8" "2024-12-17" "tinyramfs" "2024-12-03"
.TH "tinyramfs" "8" "2025-01-03" "tinyramfs" "2024-12-03"
.P
.SH NAME
.P
Expand Down Expand Up @@ -66,6 +66,12 @@ Use helper scripts in $PWD/lib/, instead of /lib/tinyramfs/.\&
Look for kernel modules in <path>, instead of /lib/modules/.\&
.P
.RE
\fB-v\fR
.P
.RS 4
Increase logging verbosity.\&.\&
.P
.RE
.SH FILES
.P
/lib/tinyramfs/hook.\&d/
Expand Down
32 changes: 32 additions & 0 deletions hook/luks/luks
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# vim: set ft=sh:
# shellcheck shell=sh
#
# https://shellcheck.net/wiki/SC2154
# shellcheck disable=2154

[ "$luks_key" ] && {
copy_file "${luks_key#*=}" /root/luks_key 0400

sed "s|${luks_key#*=}|/root/luks_key|" \
"${tmpdir}/etc/tinyramfs/config" > "${tmpdir}/_"

mv "${tmpdir}/_" "${tmpdir}/etc/tinyramfs/config"
}

[ "$luks_header" ] && {
copy_file "${luks_header#*=}" /root/luks_header 0400

sed "s|${luks_header#*=}|/root/luks_header|" \
"${tmpdir}/etc/tinyramfs/config" > "${tmpdir}/_"

mv "${tmpdir}/_" "${tmpdir}/etc/tinyramfs/config"
}

for _mod in \
aes ecb xts lrw wp512 sha256 \
sha512 twofish serpent dm-crypt
do
copy_kmod "$_mod"
done

copy_exec cryptsetup
77 changes: 77 additions & 0 deletions hook/luks/luks.init
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# vim: set ft=sh:
# shellcheck shell=sh
#
# https://shellcheck.net/wiki/SC2154
# shellcheck disable=2154

# https://shellcheck.net/wiki/SC2034
# shellcheck disable=2034
DM_DISABLE_UDEV=1

mkdir -p /run/cryptsetup

if [ -z "$luks_root" ]; then
luks_root=$root
fi

luks_discard=${luks_discard:+--allow-discards}
luks_header=${luks_header:+--header="$luks_header"}
luks_key=${luks_key:+--key-file="$luks_key"}
luks_name="${luks_name:-crypt-${device##*/}}"

resolve_device "$luks_root"

if [ -n "$luks_key" ] && [ ! -f "$luks_key" ]; then
print_warn "Keyfile could not be opened. Reverting to passphrase."
unset luks_key
fi

if [ -b "/dev/mapper/${luks_name}" ]; then
print_warn "Device ${luks_name} already exists, not doing any crypt setup."
else
if cryptsetup isLuks "${device}" >/dev/null 2>&1; then
luks_succeeded=0

# If keyfile exists, try to use that first
if [ -n "$luks_key" ]; then
if eval cryptsetup open ${luks_discard} ${luks_header} ${luks_key} -- "$device" "$luks_name"; then
luks_succeeded=1
else
print_warn "Invalid keyfile. Reverting to passphrase."
fi
fi

# Ask for a passphrase
if [ "$luks_succeeded" -ne "1" ]; then
if [ -f "/usr/sbin/plymouthd" ] && \
[ -f /usr/bin/plymouth ] && \
[ -z "$plymouth_nosplash" ] && \
plymouth --ping 2>/dev/null; then
plymouth ask-for-password \
--prompt="A password is required to access the ${luks_name} volume" \
--command="cryptsetup open --key-file=- ${luks_discard} ${luks_header} -- \"$device\" \"$luks_name\""
else
echo ""
echo "A password is required to access the ${luks_name} volume:"

#loop until we get a real password
while ! eval cryptsetup open ${luks_discard} ${luks_header} -- "$device" "$luks_name"; do
sleep 2;
done
fi
fi

unset luks_succeeded

if [ -e "/dev/mapper/${luks_name}" ]; then
if [ "$luks_root" = "$root" ]; then
root="/dev/mapper/${luks_name}"
fi
else
panic "Password succeeded, but ${luks_name} creation failed, aborting..."
fi

else
panic "Failed to open encryption mapping: The device ${device} is not a LUKS volume."
fi
fi
2 changes: 1 addition & 1 deletion test/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
.SUFFIXES:
.SUFFIXES: .test

all: bare
all: bare luks

.test:
./$< > $@.out 2>&1
Expand Down
Loading

0 comments on commit 7328361

Please sign in to comment.