

ref: fdc28f072ae269ab9c3f876ed452c6c3d5a769aa
parent: 7e7fed4fee4c2e0bafd4a9714649b185b8696921
author: lemmarathon <lemmarathon@protonmail.com>
date: Mon Apr 30 15:51:50 CDT 2018

Add support for keyfiles

The "cryptkey" boot parameter enables keyfile decryption. By default,
init will look for a keyfile named "/crypto_keyfile.bin". Another file
may be specified like so: "cryptkey=/path/to/keyfile.bin". If keyfile
decryption fails, init will fall back to passphrase mode.

--- a/Makefile
+++ b/Makefile
@@ -16,6 +16,7 @@
 		features.d/btrfs.modules \
 		features.d/cdrom.modules \
 		features.d/cramfs.modules \
+		features.d/cryptkey.files \
 		features.d/cryptsetup.files \
 		features.d/cryptsetup.modules \
 		features.d/ena.modules \
--- /dev/null
+++ b/features.d/cryptkey.files
@@ -1,0 +1,1 @@
+/crypto_keyfile.bin
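Review bot: Listing `/crypto_keyfile.bin` here makes mkinitfs copy the raw LUKS keyfile into the initramfs image, so anyone who can read that image (typically it sits on an unencrypted /boot) can unlock the volume without a passphrase, and neither the commit message nor this feature file says so. A .files list cannot carry a comment, so the warning belongs in the commit description or the feature's documentation: the source keyfile and the generated image must be readable only by root, and this setup only protects against offline disk theft if /boot itself is protected (e.g. on removable media). Whether mkinitfs restricts the image's permissions is not visible in this diff and should be confirmed.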
--- a/initramfs-init.in
+++ b/initramfs-init.in
@@ -274,9 +274,9 @@
 set -- $(cat /proc/cmdline)
 
 myopts="alpine_dev autodetect autoraid chart cryptroot cryptdm cryptheader cryptoffset
-	cryptdiscards debug_init dma init_args keep_apk_new modules ovl_dev pkgs quiet
-	root_size root usbdelay ip alpine_repo apkovl alpine_start splash blacklist
-	overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
+	cryptdiscards cryptkey debug_init dma init_args keep_apk_new modules ovl_dev
+	pkgs quiet root_size root usbdelay ip alpine_repo apkovl alpine_start splash
+	blacklist overlaytmpfs rootfstype rootflags nbd resume s390x_net dasd ssh_key"
 
 for opt; do
 	case "$opt" in
@@ -396,6 +396,11 @@
 	fi
 	if [ -n "$KOPT_cryptoffset" ]; then
 		cryptopts="$cryptopts -o ${KOPT_cryptoffset}"
+	fi
+	if [ "$KOPT_cryptkey" = "yes" ]; then
+		cryptopts="$cryptopts -k /crypto_keyfile.bin"
+	elif [ -n "$KOPT_cryptkey" ]; then
+		cryptopts="$cryptopts -k ${KOPT_cryptkey}"
 	fi
 fi
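Review bot: The bare `cryptkey` convention depends on the option parser storing `yes` for a valueless parameter, which is outside this hunk, and the hard-coded default duplicates the path listed in `features.d/cryptkey.files` with no comment tying the two together. I would add `# a bare "cryptkey" (stored as yes) selects /crypto_keyfile.bin, the file shipped by the cryptkey feature` above the new `if` and fold the branches into `[ "$KOPT_cryptkey" = "yes" ] && KOPT_cryptkey=/crypto_keyfile.bin` followed by a single `-k` append, so the default and a user-supplied path take the same route. As with the existing `cryptoffset` branch the value is appended unquoted to `cryptopts`, so a keyfile path containing whitespace cannot be expressed; worth stating in the description. The enclosing `if` begins before this hunk.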
 
--- a/nlplug-findfs.c
+++ b/nlplug-findfs.c
@@ -309,6 +309,7 @@
 struct cryptdev {
 	char *device;
 	char *name;
+	char *key;
 	char devnode[256];
 };
 
@@ -594,6 +595,18 @@
 		goto free_out;
 	}
 
+	struct stat st;
+	if (!stat(c->crypt.data.key, &st)) {
+		pthread_mutex_lock(&c->crypt.mutex);
+		r = crypt_activate_by_keyfile(cd, c->crypt.data.name,
+					      CRYPT_ANY_SLOT,
+					      c->crypt.data.key, st.st_size,
+					      c->crypt.flags);
+		pthread_mutex_unlock(&c->crypt.mutex);
+		if (r >= 0)
+			goto free_out;
+	}
+
 	while (passwd_tries > 0) {
 		char pass[1024];
 
@@ -1173,6 +1186,7 @@
 	" -c CRYPTDEVICE  run cryptsetup luksOpen when CRYPTDEVICE is found\n"
 	" -h              show this help\n"
 	" -H HEADERDEVICE use HEADERDEVICE as the LUKS header\n"
+	" -k CRYPTKEY     path to keyfile\n"
 	" -m CRYPTNAME    use CRYPTNAME name for crypto device mapping\n"
 	" -o OFFSET       cryptsetup payload offset\n"
 	" -D              allow discards on crypto device\n"
@@ -1237,6 +1251,9 @@
 		break;
 	case 'h':
 		usage(0);
+		break;
+	case 'k':
+		conf.crypt.data.key = EARGF(usage(1));
 		break;
 	case 'm':
 		conf.crypt.data.name = EARGF(usage(1));
--- a/test.sh
+++ b/test.sh
@@ -76,6 +76,13 @@
 	[ "$operation" = "header" ] && echo "> Formatting '$block' with header '$header' and passphrase '$passphrase'."
 	[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q $block - 2>&1 | sed 's/^/\t/g'
 	[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksFormat -q --header $header $block - 2>&1 | sed 's/^/\t/g'
+
+	echo "> Creating keyfile"
+	dd if=/dev/urandom of=keyfile count=1 bs=512 2>&1 | sed 's/^/\t/g'
+	echo "> Adding keyfile to device"
+	[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q $block keyfile - 2>&1 | sed 's/^/\t/g'
+	[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksAddKey -q --header $header $block keyfile - 2>&1 | sed 's/^/\t/g'
+
 	echo "> Opening the device '$block' as /dev/mapper/temp-test"
 	[ "$operation" != "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q $block temp-test - 2>&1 | sed 's/^/\t/g'
 	[ "$operation" = "header" ] && printf "%s" "$passphrase" | sudo cryptsetup luksOpen -q --header $header $block temp-test - 2>&1 | sed 's/^/\t/g'
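Review bot: The keyfile is written by `dd` into the working directory under the default umask, so on most systems it is world-readable, and the `2>&1 | sed` pipeline hides dd's exit status, so a failed or empty `keyfile` only surfaces later as a luksAddKey error. I would create it as `( umask 077; dd if=/dev/urandom of=keyfile bs=512 count=1 ) 2>&1 | sed 's/^/\t/g'` and check `[ -s keyfile ] || exit 1` before the `luksAddKey` lines. Whether `keyfile` is removed at the end of the test is not visible in this hunk; if it is not, it should be.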
@@ -91,6 +98,27 @@
 	sudo umount local-mount
 	echo "> Closing the device '/dev/mapper/temp-test'"
 	sudo cryptsetup luksClose temp-test
+
+	echo "> Testing nlplug-findfs on $block using keyfile"
+	[ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+	[ "$operation" = "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -H $header -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1; }
+
+	if [ $retcode -eq 0 ]; then
+		echo "> Mounting the device"
+		sudo mount /dev/mapper/test-device local-mount
+		echo "> Getting proof"
+		check=$(cat local-mount/proof)
+		echo "Retrieved proof is: $check"
+		if [ "$check" != "$proof" ]; then
+			retcode=1
+		fi
+	fi
+	[ $retcode -eq 0 ] && echo "Operation succeeded, proofs match" || echo "Operation failed, proofs don't match"
+
+	echo "> Unmounting the fs"
+	mountpoint local-mount && sudo umount local-mount
+	echo "> Closing the device '/dev/mapper/test-device'"
+	[ -b /dev/mapper/test-device ] && sudo cryptsetup luksClose test-device
 
 	echo "> Testing nlplug-findfs on $block (passphrase was '$passphrase')"
 	[ "$operation" != "header" ] && { echo "$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -m 'test-device' /dev/mapper/test-device || retcode=1; }
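Review bot: The two keyfile invocations of nlplug-findfs still pipe `echo "$passphrase"` on stdin, so if `-k keyfile` is ignored or the keyfile is rejected, the passphrase fallback opens the device anyway and the test cannot tell keyfile success from passphrase success. Feed a deliberately wrong passphrase instead, e.g. `echo "not-$passphrase" | sudo ./nlplug-findfs -p /sbin/mdev ${flags} -c $block -k keyfile -m 'test-device' /dev/mapper/test-device || retcode=1`, so that only the keyfile path can produce a proof match. It would also be worth a `echo "> (stdin carries a wrong passphrase so only the keyfile can unlock)"` line so a reader understands why the test differs from the passphrase one below.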