This patch applies to the current mkinitrd SRPM set (except the mkinitrd.spec file); the patched mkinitrd package is available via yum at <http://www.cygnetech.com/linux/repos/>.
I incorporated the feedback I have received and have changed the patches to use options stored in /etc/sysconfig/mkinitrd.
I have one option in development that will let you boot and reference the root filesystem by UUID, but it's not finished yet. The current developmental UUID hack relies on bash and find included in the initrd image, but I want a static binary or cryptsetup patch.
I'm also exploring creating some screens for anaconda, but that's a steep learning curve.
Should encryption be offered as an option on the disk-partitioning screen, or as a choice of installation type right after the greeting?
diff -ru ../mkinitrd-6.0.9.old/mkinitrd ./mkinitrd
--- ../mkinitrd-6.0.9.old/mkinitrd 2007-06-18 00:31:45.000000000 -0500
+++ ./mkinitrd 2007-06-18 00:32:53.000000000 -0500
@@ -23,6 +23,7 @@
 # Bill Nottingham <notting@xxxxxxxxxx>
 # Guillaume Cottenceau <gc@xxxxxxxxxxxxxxxx>
 # Peter Jones <pjones@xxxxxxxxxx>
+# Thomas Swan <thomas.swan@xxxxxxxxx>
 if [ $UID != 0 ]; then
 error "mkinitrd must be run as root."
@@ -40,7 +41,7 @@
 # password (chap secret), so only allow read by owner.
 umask 077
-VERSION=6.0.9
+VERSION=6.0.8
 PROBE="yes"
 MODULES=""
@@ -50,8 +51,13 @@
 LD_SO_CONF=/etc/ld.so.conf
 LD_SO_CONF_D=/etc/ld.so.conf.d/
+CRYPTODEVICES=""
+CRYPTOMODS="DEFAULT"
+
 [ -e /etc/sysconfig/mkinitrd ] && . /etc/sysconfig/mkinitrd
+crypto_reps=0
+crypto_omit=0
 CONFMODS="$MODULES"
 MODULES=""
@@ -106,7 +112,9 @@
 $cmd " [--force-ide-probe] [--force-scsi-probe | --omit-scsi-modules]"
 $cmd " [--image-version] [--force-raid-probe | --omit-raid-modules]"
 $cmd " [--with=<module>] [--force-lvm-probe | --omit-lvm-modules]"
- $cmd " [--builtin=<module>] [--omit-dmraid] [--net-dev=<interface>]"
+ $cmd " [--builtin=<module>] [--net-dev=<interface>] [--config=<config>]"
+ $cmd " [--nocrypto] [--crypto-module=<module>|DEFAULT|ALL] [--omit-dmraid] "
+ $cmd " [--crypto-dev=<device>[@<key-device>,<key-device-fstype>][:<key-file>]"
 $cmd " [--fstab=<fstab>] [--nocompress] <initrd-image> <kernel-version>"
 $cmd ""
 $cmd " (ex: `basename $0` /boot/initrd-2.2.5-15.img 2.2.5-15)"
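Review bot: `-VERSION=6.0.9` / `+VERSION=6.0.8` moves the version backwards, which reads as a diff generated against a stale tree rather than a deliberate change; the later hunks that delete locatemodule, the nosegneg library handling, scsi_wait_scan, fw-sbp2 support and the mdadm/mdadm.conf install look like the same artefact. Anyone applying the patch as-is would silently revert those unrelated upstream fixes along with gaining the crypto support. I'd regenerate the diff from the 6.0.9 tree so only the crypto additions remain and leave `VERSION=6.0.9` untouched.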
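Review bot: The usage text advertises `--nocrypto`, but the option parser further down matches `--omit-crypt*` and the manual page documents `--omit-crypto`, so two of the three spellings will be rejected by the script. Pick one name (`--omit-crypto` fits the existing `--omit-scsi-modules` / `--omit-lvm-modules` family) and use it in usage, the case label and mkinitrd.8. The new `--crypto-dev=` usage line also never closes its outer bracket: `$cmd " [--crypto-dev=<device>[@<key-device>,<key-device-fstype>][:<key-file>]]"`.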
@@ -120,29 +128,10 @@ moduledep() { vecho -n "Looking for deps of module $1" - deps="" deps=$(modprobe --set-version $kernel --show-depends $1 2>/dev/null| awk '/^insmod / { print gensub(".*/","","g",$2) }' | while read foo ; do [ "${foo%%.ko}" != "$1" ] && echo -n "${foo%%.ko} " ; done) [ -n "$deps" ] && vecho ": $deps" || vecho } -locatemodule() { - fmPath=$(modprobe --set-version $kernel --show-depends $1 2>/dev/null | awk '/^insmod / { print $2; }' | tail -1) - if [ -n "$fmPath" -a -f "$fmPath" ]; then - return 0 - fi - for modExt in o.gz o ko ; do - for modDir in /lib/modules/$kernel/updates /lib/modules/$kernel ; do - if [ -d $modDir ]; then - fmPath=$(findone $modDir -name $1.$modExt) - if [ -n "$fmPath" -a -f "$fmPath" ]; then - return 0 - fi - fi - done - done - return 1 -} - findone() { echo nash-find "$@" | /sbin/nash --force --quiet \ | /bin/awk '{ print $1; exit; }' @@ -206,20 +195,6 @@ EOF exit 1 fi - case "$FILE" in - /lib*) - LIBDIR=`echo "$FILE" | sed 's,\(/lib[^/]*\)/.*$,\1,'` - BASE=`basename "$FILE"` - # Prefer nosegneg libs over direct segment accesses on i686. - if [ -f "$LIBDIR/i686/nosegneg/$BASE" ]; then - FILE="$LIBDIR/i686/nosegneg/$BASE" - # Otherwise, prefer base libraries rather than their optimized - # variants. - elif [ -f "$LIBDIR/$BASE" ]; then - FILE="$LIBDIR/$BASE" - fi - ;; - esac dynamic="yes" let n++ done @@ -227,7 +202,6 @@ DSO_DEPS="${FILES[@]}" } -scsi_wait_scan="no" findmodule() { skiperrors="" @@ -269,10 +243,6 @@ findmodule ieee1394 findmodule ohci1394 modName="sbp2" - elif [ "$modName" = "fw-sbp2" ]; then - findmodule fw-core - findmodule fw-ohci - modName="fw-sbp2" elif [ "$modName" = "gfs2" ]; then findmodule lock_nolock modName="gfs2" 
@@ -295,14 +265,21 @@ usbModName="" fi - - deps="" moduledep $modName for i in $deps; do findmodule $i done - locatemodule $modName + for modExt in o.gz o ko ; do + for modDir in /lib/modules/$kernel/updates /lib/modules/$kernel ; do + if [ -d $modDir ]; then + fmPath=$(findone $modDir -name $modName.$modExt) + if [ -f "$fmPath" ]; then + break 2 + fi + fi + done + done if [ ! -f $fmPath ]; then if [ -n "$skiperrors" ]; then @@ -333,16 +310,6 @@ for n in $PRESCSIMODS ; do findmodule $n done - locatemodule scsi_wait_scan - if [ -n "$fmPath" -a -f "$fmPath" ]; then - scsi_wait_scan="yes" - fi - if [ "$scsi_wait_scan" == "yes" ]; then - moduledep scsi_wait_scan - for i in $deps ; do - findmodule $i - done - fi fi } @@ -440,12 +407,7 @@ get_dso_deps "$file" local DEPS="$DSO_DEPS" for x in $DEPS ; do - l=`echo "$x" | sed -n 's,\(/lib[^/]*\)/.*$,\1,p'` - if [ -n "$l" ]; then - inst "$x" "$root" "$l"/`basename "$x"` - else - inst "$x" "$root" - fi + inst "$x" "$root" done RET=$? fi 
@@ -614,6 +576,93 @@
 addnetdev $netdev
 }
+findallcryptomods() {
+ local cryptomods=""
+ cryptomods="$cryptomods dm-crypt"
+ cryptomods="$cryptomods blkcipher"
+ for modName in `find /lib/modules/$1/kernel/crypto/ -type f | sed 's/.*\/\(.*\)\..*/\1/'` ; do
+ cryptomods="$cryptomods $modName"
+ done
+ echo $cryptomods
+}
+
+execconfig() {
+ if [ -e ${CONFIG} ] ; then
+ local OPTIONS
+ while read config ; do
+ config=${config/##*/}
+ config=${config/#\{ , \}*//}
+ config=${config/%*\{ , \}//}
+ if [ -n ${config} ] ; then
+ OPTIONS="${OPTIONS} ${config}"
+ fi
+ done < /etc/mkinitrd.conf
+ if [ -n "${OPTIONS}" ] ; then
+ OPTIONS="--noconfig ${OPTIONS} $*"
+ exec $progname ${OPTIONS}
+ fi
+ fi
+}
+
+emit_crypto() {
+ let crypto_reps=${crypto_reps}+1
+ for i in $CRYPTODEVICES ; do
+ # We want a complete predictable name for the encrypted device
+ # to use with device-mapper. ... Assume nothing!
+ crypto_device=${i%%@*}
+ crypto_device=${crypto_device%%:*}
+ crypto_mapper_name=${crypto_device##/dev/}
+ crypto_mapper_name=`echo ${crypto_mapper_name} | sed 's!/!_!g'`
+ crypto_key_file=""
+ crypto_key_device=""
+ crypto_key_tmp=""
+ if [ ${i##*:} != ${i} ] ; then
+ crypto_key_file=${i##*:}
+ crypto_key_tmp=${i%%:*}
+ crypto_key_tmp=${crypto_key_tmp##*@}
+ fi
+ if [ -n "$crypto_key_tmp" -a "${crypto_key_tmp}" != "${crypto_device}" ] ; then
+ crypto_key_device=${crypto_key_tmp%%,*}
+ crypto_key_device_fs=${crypto_key_tmp##*,}
+ crypto_key_file=${crypto_key_file##/}
+ if [ ${crypto_key_device} == ${crypto_key_tmp} ] ; then
+ echo "Crypto: No fstype specified for external crypto key:"
+ echo " ${i}"
+ exit 211
+ fi
+ fi
+ emit "echo Decrypting ${crypto_device} (Round ${crypto_reps})"
+ if [ -n "${crypto_key_device}" ] ; then
+ # Mount the filesystem with the key, and decrypt using the key
+ # on the mounted media.
+ emit "mount -t ${crypto_key_device_fs} -o ro ${crypto_key_device} /crypto/mount"
+ emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name} -d /crypto/mount/${crypto_key_file}"
+ emit "umount /crypto/mount"
+ if [ $crypto_reps == 1 ] ; then
+ vecho -n "Crypto: Decrypt ${crypto_device} using external keyfile ${crypto_key_file} "
+ vecho "located on ${crypto_key_device} mounted as an ${crypto_key_device_fs} filesystem "
+ fi
+ elif [ -n "${crypto_key_file}" ] ; then
+ # Embed the key in the initrd image. * Useful if /boot is a removable drive *
+ emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name} -d /crypto/"`basename ${crypto_key_file}`
+ if [ ! -f "$MNTIMAGE/crypto/$(basename ${crypto_key_file})" ] ; then
+ if ! inst ${crypto_key_file} "$MNTIMAGE/crypto/$(basename ${crypto_key_file})" ; then
+ echo "Unable to import key file ${crypto_key_file}"
+ exit 1
+ fi
+ fi
+ if [ $crypto_reps == 1 ] ; then
+ vecho "Crypto: Decrypt ${crypto_device} using embedded keyfile imported from ${crypto_key_file}"
+ fi
+ else
+ emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name}"
+ if [ $crypto_reps == 1 ] ; then
+ vecho "Crypto: Decrypt ${crypto_device} using passphrase decryption"
+ fi
+ fi
+ done
+}
+
 handleraid() {
 local start=0
@@ -734,6 +783,22 @@
 addnetdev $netdev
 }
+option_next=1
+for option in $@ ; do
+ let option_next=$option_next+1
+ case $option in
+ --noconfig*)
+ config=0
+ ;;
+ esac
+done
+unset option_next
+
+if [ "$config" == "1" ] ; then
+ progname=$0
+ execconfig $@
+fi
+
 while [ $# -gt 0 ]; do
 case $1 in
 --fstab*)
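Review bot: The `elif [ -n "${crypto_key_file}" ]` branch of emit_crypto copies the raw LUKS key into the image under `/crypto/<basename>`, so the cleartext key ends up inside the initrd on /boot, which is normally unencrypted and readable by anyone holding the disk; the `umask 077` set earlier only limits online reads, and nothing tells the user at build time that the volume is now only as protected as /boot. It should at least print a warning next to the `inst` call, e.g. `echo "Warning: the key for ${crypto_device} is being embedded unencrypted in the initrd image" >&2`, and the man page should say the same. The `[ ! -f "$MNTIMAGE/crypto/$(basename ...)" ]` dedup is keyed on the basename alone, so two devices whose key files share a basename in different directories silently open the second device with the first key; naming the embedded copy after the mapper instead avoids that: `emit "cryptsetup luksOpen ${crypto_device} ${crypto_mapper_name} -d /crypto/${crypto_mapper_name}.key"` with the matching `inst ${crypto_key_file} "$MNTIMAGE/crypto/${crypto_mapper_name}.key"`. Note also that none of the emitted mount/cryptsetup lines are checked, so a wrong passphrase or missing key file presumably proceeds to switchroot and fails there.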
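Review bot: `if [ "$config" == "1" ]` guards the re-exec through execconfig, but no visible hunk ever assigns `config=1` (the new defaults near the top only add `crypto_reps` and `crypto_omit`), so the config-file path is dead unless a `config` variable leaks in from the environment or from the sourced /etc/sysconfig/mkinitrd, which is a fragile way to enable a feature. Initialise it explicitly beside the other defaults, `config=1`, and pass the arguments through intact with `execconfig "$@"` rather than `execconfig $@`, which re-splits any argument containing whitespace. execconfig itself (earlier hunk) tests `[ -e ${CONFIG} ]` but then reads `/etc/mkinitrd.conf` unconditionally, and with CONFIG empty `[ -e ]` is true, so the two should agree on one file. The `option_next` counter is incremented and unset without ever being read and can be dropped.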
@@ -907,6 +972,31 @@
 shift
 fi
 ;;
+ --omit-crypt*)
+ crypto_omit=1
+ ;;
+ --crypto-module*)
+ crypto=1
+ if [ "$1" != "${1##--crypto-module=}" ]; then
+ modname="${1##--crypto-module=}"
+ else
+ modname="$2"
+ if [ -z "$2" ] ; then
+ modname="DEFAULT"
+ fi
+ fi
+ CRYPTOMODS="$CRYPTOMODS $modname"
+ ;;
+ --crypto-dev*)
+ crypto=1
+ cryptodevice=""
+ if [ "$1" != "${1##--crypto-dev=}" ]; then
+ cryptodevice="${1##--crypto-dev=}"
+ else
+ cryptodevice="$2"
+ fi
+ CRYPTODEVICES="$CRYPTODEVICES $cryptodevice"
+ ;;
 --help)
 usage -n
 ;;
@@ -957,6 +1047,27 @@
 exit 1
 fi
+if [ $crypto_omit == 1 ] ; then
+ unset $CRYPTODEVICES
+ unset $CRYPTOMODS
+fi
+
+if [ -n "$CRYPTOMODS" ] ; then
+ for modname in $CRYPTOMODS ; do
+ case $modname in
+ ALL)
+ PREMODS="$PREMODS "`findallcryptomods $kernel`
+ ;;
+ DEFAULT)
+ PREMODS="$PREMODS dm-crypt blkcipher aes cbc sha256 crypto_null"
+ ;;
+ *)
+ PREMODS="$PREMODS $modname"
+ ;;
+ esac
+ done
+fi
+
 vecho "Creating initramfs"
 modulefile=/etc/modprobe.conf
@@ -1110,6 +1221,9 @@
 findmodule -dm-mirror
 findmodule -dm-zero
 findmodule -dm-snapshot
+ if [ -n "$CRYPTODEVICES" -o -n "$CRYPTOMODS" ] ; then
+ findmodule -dm-crypt
+ fi
 RAIDS=$(/sbin/dmraid -s -craidname 2>/dev/null | grep -vi "no raid disks")
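Review bot: The two-argument forms of `--crypto-module <mod>` and `--crypto-dev <dev>` read `$2` but never `shift` it, whereas the context lines directly above this hunk (`shift` / `fi` / `;;`) show the existing options consuming their separate argument; as written, `--crypto-dev /dev/sda2 initrd.img 2.6.x` leaves `/dev/sda2` to be re-parsed on the next iteration, presumably as the image name. Add `shift` after `cryptodevice="$2"` and after the `modname="$2"` block. `crypto=1` is set in both cases but not read anywhere visible, and the `--omit-crypt*` label disagrees with `--nocrypto` in usage and `--omit-crypto` in the man page. The enclosing `while`/`case` begins and ends outside this hunk.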
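Review bot: `unset $CRYPTODEVICES` / `unset $CRYPTOMODS` expand the variables first, so with the default they run `unset DEFAULT` and with a device list they run `unset /dev/sda2`, which bash rejects as an invalid identifier; the variables keep their values and the omit option never actually omits anything. Write `unset CRYPTODEVICES CRYPTOMODS` (or `CRYPTODEVICES=""; CRYPTOMODS=""`). Because CRYPTOMODS starts as `DEFAULT`, the DEFAULT branch also pulls dm-crypt, aes, cbc and sha256 into every initrd built with this patch, while a LUKS volume created with another cipher or mode (xts, serpent, a different hash) will not open unless the user passes `--crypto-module` explicitly; the man page entry for DEFAULT should state that limit.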
@@ -1241,28 +1355,31 @@ ln -s /sbin/nash $MNTIMAGE/sbin/modprobe inst /sbin/insmod "$MNTIMAGE" /bin/insmod -inst /sbin/rmmod "$MNTIMAGE" /bin/rmmod + +if [ -n "$CRYPTODEVICEES" -o -n "$CRYPTOMODS" ] ; then + mkdir -p $MNTIMAGE/crypto + mkdir -p $MNTIMAGE/crypto/mount +fi if [ -e /etc/fstab.sys ]; then inst /etc/fstab.sys "$MNTIMAGE" fi -installmodule() -{ +if [ -n "$CRYPTODEVICEES" -o -n "$CRYPTOMODS" ] ; then + inst /sbin/cryptsetup "$MNTIMAGE/" +fi + +for MODULE in $MODULES; do if [ -x /usr/bin/strip ]; then - /usr/bin/strip -g $verbose $1 -o $MNTIMAGE/lib/$(basename $1) + /usr/bin/strip -g $verbose $MODULE -o $MNTIMAGE/lib/$(basename $MODULE) else - cp $verbose -a $1 $MNTIMAGE/lib + cp $verbose -a $MODULE $MNTIMAGE/lib fi - for fw in $(/sbin/modinfo -F firmware $1 2>/dev/null); do + for fw in $(/sbin/modinfo -F firmware $MODULE 2>/dev/null); do if [ -f /lib/firmware/$fw ]; then cp $verbose -a /lib/firmware/$fw $MNTIMAGE/lib/firmware/ fi done -} - -for MODULE in $MODULES; do - installmodule $MODULE done # mknod'ing the devices instead of copying them works both with and @@ -1292,13 +1409,6 @@ mknod $MNTIMAGE/dev/efirtc c 10 136 fi -if [ -n "$raiddevices" ]; then - inst /sbin/mdadm "$MNTIMAGE" - if [ -f /etc/mdadm.conf ]; then - inst /etc/mdadm.conf "$MNTIMAGE" - fi -fi - # FIXME -- this can really go poorly with clvm or duplicate vg names. # nash should do lvm probing for us and write its own configs. if [ -n "$vg_list" ]; then @@ -1355,14 +1465,6 @@ emit "echo Creating block device nodes." emit "mkblkdevs" -if [ "$scsi_wait_scan" == "yes" ]; then - locatemodule scsi_wait_scan - if [ -n "$fmPath" -a -f "$fmPath" ]; then - vecho "Adding module scsi_wait_scan" - installmodule $fmPath - fi -fi - usb_mounted="prep" for MODULE in $MODULES; do text="" 
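Review bot: Both new conditions test `$CRYPTODEVICEES` (extra E), a variable that is never assigned, so the `/crypto` directories and `/sbin/cryptsetup` land in the image only because `$CRYPTOMODS` is non-empty by default; clear CRYPTOMODS in /etc/sysconfig/mkinitrd while still listing devices and emit_crypto will emit `cryptsetup luksOpen` lines into an image that lacks the binary. Fix the spelling in both places: `if [ -n "$CRYPTODEVICES" -o -n "$CRYPTOMODS" ] ; then`. The removal of `inst /sbin/rmmod` here and of the mdadm/mdadm.conf install in the following hunk is unrelated to the crypto feature and looks like a stale-base artefact.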
@@ -1420,7 +1522,7 @@ EOF done fi - if [ "${module::5}" == "pata_" -o "$module" == "ata_piix" -o "$module" == "ahci" -o "${module::5}" == "sata_" -o "$module" == "ibmvscsic" ]; then + if [ "${module::5}" == "pata_" -o "$module" == "ata_piix" -o "$module" == "ahci" -o "${module::5}" == "sata_" ]; then emit "echo Waiting for driver initialization." emit "stabilized --hash --interval 250 /proc/scsi/scsi" fi @@ -1442,21 +1544,22 @@ emit_iscsi -if [ "$scsi_wait_scan" == "yes" ]; then - emit "insmod /lib/scsi_wait_scan.ko" - emit "rmmod scsi_wait_scan" -fi - # HACK: module loading + device creation isn't necessarily synchronous... # this will make sure that we have all of our devices before trying # things like RAID or LVM emit "mkblkdevs" +# Chickens and eggs. Because you can encrypt both LV's and the devices +# containing containing LV's, we need try to try to decrypt twice or we +# need to be far more clever. +emit_crypto + emitdms if [ -n "$raiddevices" ]; then for dev in $raiddevices; do - emit "mdadm -As --auto=yes --run /dev/${dev}" + cp -a /dev/${dev} $MNTIMAGE/dev + emit "raidautorun /dev/${dev}" done fi @@ -1467,6 +1570,14 @@ emit "lvm vgchange -ay --ignorelockingfailure $vg_list" fi +# Eggs and chickens. Try decrypting just in case any LV's are encrypted. +# We need to do to this before resuming on the off chance that swap has been +# encrypted with a permanent key. +# +# If the volume has already been decrypted, no harm has been done doing it +# twice. +emit_crypto + if [ -z "$noresume" -a -n "$swsuspdev" ]; then emit "resume $swsuspdev" fi @@ -1502,8 +1613,6 @@ emit "echo Switching to new root and running init." emit "switchroot" -emit "echo Booting has failed." -emit "sleep -1" chmod +x $RCFILE diff -ru ../mkinitrd-6.0.9.old/mkinitrd.8 ./mkinitrd.8 --- ../mkinitrd-6.0.9.old/mkinitrd.8 2005-12-07 21:00:09.000000000 -0600 +++ ./mkinitrd.8 2007-06-18 00:32:42.000000000 -0500 
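Review bot: `emit_crypto` is now emitted twice (here before emitdms, and again after the LVM activation in the next hunk), so every device in CRYPTODEVICES gets a second `cryptsetup luksOpen` with the same mapper name; for passphrase devices that likely means a second prompt, and for all of them the second call errors because the mapping already exists, so the "no harm has been done" comment in the following hunk should be verified against the cryptsetup shipped in the initrd. Since the nash script cannot branch on the result, the practical fix is to decide at build time which devices sit on LVM (e.g. paths under /dev/mapper or /dev/<vg>/) and emit each luksOpen once, either before or after `lvm vgchange`. Replacing `mdadm -As --auto=yes --run /dev/${dev}` with `raidautorun` also drops mdadm.conf-driven assembly, which looks unrelated to this feature and is presumably another stale-base artefact.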
@@ -3,12 +3,14 @@ mkinitrd \- creates initial ramdisk images for preloading modules .SH SYNOPSIS \fBmkinitrd\fR [--version] [-v] [-f] - [--preload=\fImodule\fR] [--omit-scsi-modules] + [--preload=\fImodule\fR] + [--crypto-module=(ALL|DEFAULT|\fImodule\fR)] + [--crypto-dev=\fIdevice\fR[@\fIkey-device\fR,\fIkey-device-fstype\fR][:\fIkey\fR]] + [--omit-crypto] [--omit-scsi-modules] [--omit-raid-modules] [--omit-lvm-modules] [--with=\fImodule\fR] [--image-version] - [--fstab=\fIfstab\fR] [--nocompress] - [--builtin=\fImodule\fR] [--nopivot] - \fIimage\fR \fIkernel-version\fR + [--fstab=\fIfstab\fR] [--nocompress] [--nopivot] + [--builtin=\fImodule\fR] \fIimage\fR \fIkernel-version\fR .SH DESCRIPTION \fBmkinitrd\fR creates an initial image used by the kernel for 
@@ -36,6 +38,63 @@ exist. This option may be used multiple times. .TP +\fB-\-crypto-module=\fR\fI(module|ALL|DEFAULT)\fR +Specify a crypto \fImodule\fR to preload. + +\fB--crypto-module=DEFAULT\fR will load aes cbc and sha256 crypto modules +\fB--crypto-module=ALL\fR will load all available crypto modules. + +This option may be used multiple times. + +This option can be persistently kept as CRYPTOMODS= +in \fI/etc/sysconfig/mkinitrd\fR + +.TP +\fB-\-crypto-dev=\fR\fIdevice\fR[@\fIkey-device\fR,\fIkey-device-fstype\fR][:\fIkey\fR]] +Specify the encrypted device to decrypt prior to mounting. Password +decryption is supported by default. <key-device> may use any mount identifier +such as LABEL= or UUID= in addition to the physical device identifier. When +using <key-device>, <key-device-fstype> \fImust\fR be specified. +<device> must not be listed in \fB/etc/crypttab\fR because it will +decrypted before init begins. This option may be used multiple times. + +-\-crypto-dev=\fIdevice\fR +<dev> is the device to decrypt. + +-\-crypto-dev=\fIdevice\fR:\fI/path/to/key\fR +\fIdevice\fR is the device to decrypt. The file located at \fI/path/to/key\fR will +be embedded in the initrd.img file and used to decrypt \fIdevice\fR. + +-\-crypto-dev=\fIdevice\fR@\fIkey-device\fR,\fIkey-device-fstype\fR:\fI/path/to/key\fR +\fIdevice\fR is the device to decrypt. \fIkey-device\fR is the device containing the key +file used to decrypt \fIdevice\fR. \fIkey-device-fstype\fR is the filesystem type for \fIkey-device\fR: +eg. ext2. \fI/path/to/key\fR is the key file \fIrelative\fR to the root of +<dev2>. + +This option can be persistently kept as CRYPTODEVICES= +in \fI/etc/sysconfig/mkinitrd\fR + +Examples + +-\-crypto-dev=/dev/hdb1 would try to decrypt /dev/hdb1 using a password +entered by the user during the boot process. + +-\-crypto-dev=/dev/hdb1:/media/flash/my.key would embed /media/flash/my.key +in the initrd image file to and use that key to decrypt /dev/hdb1. 
+ +-\-crypto-dev=/dev/hdb1@LABEL=flash,ext2:/my.key would try to decrypt +/dev/hdb1 using the key, "/my.key", located on an unencrypted ext2 +filesystem with the label, "flash". During boot, it will mount +the the LABEL=flash device read-only, and use the key on the disk to decrypt +the specified device, /dev/hdb1. Then the LABEL=flash device would be +unmounted before continuing. \fIThe key device must be present during +system boot.\fR + +.TP +\fB-\-version\fR +Prints the version of \fBmkinitrd\fR that's being used and then exits. + +.TP \fB-f\fR Allows \fBmkinitrd\fR to overwrite an existing image file. @@ -63,6 +122,11 @@ option is not recommended, and will be removed in future versions. .TP +\fB-\-omit-crypto +Do not load any cryptographic modules, even if specified on \fBmkinitrd\fR's +command line. + +.TP \fB-\-omit-lvm-modules Do not load any lvm modules, even if /etc/fstab expects them. @@ -114,7 +178,12 @@ Specifies SCSI modules to be loaded and module options to be used. \fI(only used on kernels < 2.6)\fR +.TP 20 +\fI/etc/sysconfig/mkinitrd\fR +Specifies persistent options to be used with mkinitrd. + .PD .SH "SEE ALSO" +.BR cryptsetup (8), .BR fstab (5), .BR insmod (1)