authorSimon Rettberg2023-07-06 11:22:08 +0200
committerSimon Rettberg2023-07-06 11:22:08 +0200
commit73dc5ba6f4cadf9e500258d508c86af98a4b02cd (patch)
tree838cad78cfa036a164e103fa61373a5e96ce2920
parent[slx-network] Write own hostname and fqdn to /etc/hosts (diff)
[slx-dmsetup] Introduce SLX_ID44_CRYPT for encrypting
This will encrypt the entire writable device(s) before creating any partitions and pools inside it.
-rwxr-xr-xmodules.d/slx-dmsetup/scripts/dmsetup-slx-device28
1 files changed, 22 insertions, 6 deletions
diff --git a/modules.d/slx-dmsetup/scripts/dmsetup-slx-device b/modules.d/slx-dmsetup/scripts/dmsetup-slx-device
index e01b1f97..8bf0f097 100755
--- a/modules.d/slx-dmsetup/scripts/dmsetup-slx-device
+++ b/modules.d/slx-dmsetup/scripts/dmsetup-slx-device
@@ -476,6 +476,7 @@ dev_find_partitions &> /dev/null
dev_swap_version &> /dev/null
# This is the main variable driving this script
+declare -g id44_crypted=
declare -g writable_device=
if [ -z "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then
SLX_WRITABLE_DEVICE_IDENTIFIER=("44" "87f86132-ff94-4987-b250-444444444444")
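Review bot: The new `declare -g id44_crypted=` lands between the comment `# This is the main variable driving this script` and `declare -g writable_device=`, so the comment now reads as if it described the new flag rather than writable_device. Either put the new declaration above that comment or give it its own, e.g. `declare -g id44_crypted=   # set to 1 once the whole ID44 device has been dm-crypt'ed; per-slice crypt flags are then ignored`. The `if [ -z "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]` block that follows continues past the end of the hunk.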
@@ -485,7 +486,6 @@ if [ -z "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then
fi
# XXX The fuck? This may or may not be an array? Shit will defintely break some day...
if [ -n "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then
- # only first one for now TODO create linear devices of all ID44s
declare -a writable_devices
writable_devices=( $( dev_find_partitions "${SLX_WRITABLE_DEVICE_IDENTIFIER[@]}" ) )
if [[ "${#writable_devices[@]}" -eq 0 && "$SLX_NTFSFREE" != "never" ]] || [ "$SLX_NTFSFREE" = "always" ]; then
@@ -551,6 +551,16 @@ fi
if [ -z "$writable_device" ]; then
echo "$0: Could not find writable device with id '$SLX_WRITABLE_DEVICE_IDENTIFIER'."
ramdisk_fallback
+elif [ -n "$SLX_ID44_CRYPT" ] && [ "$SLX_ID44_CRYPT" != 0 ]; then
+ # Config option crypts the entire ID44 device(s), before any slices are taken from it.
+ if encrypt_device "$writable_device" "id44-crypt"; then
+ echo "$0: ID44 encrypted"
+ writable_device="/dev/mapper/id44-crypt"
+ # Remember the whole device is already encrypted, and ignore the crypt flag for the partition table later
+ id44_crypted=1
+ else
+ echo "$0: Error encrypting ID44 partition"
+ fi
fi
# NOTE: from here on out, every value related to size is in 512 bytes sectors!
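Review bot: When SLX_ID44_CRYPT is set but encrypt_device fails, the else branch at `echo "$0: Error encrypting ID44 partition"` only logs and execution continues with the plaintext writable device, so a full-device encryption that the operator explicitly requested degrades silently to none; the existing scratch path has the same best-effort behaviour, but there it is the default, here it overrides a config choice. If fail-open is not intended, handle it like the missing-device case just above: `echo "$0: Error encrypting ID44 partition, falling back to ramdisk"` followed by `ramdisk_fallback`, or at least word the message so the log shows the device stays unencrypted. encrypt_device is defined outside the hunk and is called here with two arguments while the scratch call later passes a size as well, so whether omitting the size selects the whole device cannot be confirmed from this hunk; a short comment on the call would settle that for the next reader.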
@@ -652,11 +662,13 @@ fi
save_partition_info "${scratch_device##*/}" "*" "1" "$scratch_device_sz"
# encrypt the scratch device, if configured
-if [ "$crypt" -ne 0 ] && encrypt_device \
- "$scratch_device" "${scratch_device##*/}-crypt" "$scratch_device_sz"; then
- scratch_device="/dev/mapper/${scratch_device##*/}-crypt"
-else
- echo "$0: Continuing with unencrypted scratch"
+if [ -z "$id44_crypted" ]; then
+ if [ "$crypt" -ne 0 ] && encrypt_device \
+ "$scratch_device" "${scratch_device##*/}-crypt" "$scratch_device_sz"; then
+ scratch_device="/dev/mapper/${scratch_device##*/}-crypt"
+ else
+ echo "$0: Continuing with unencrypted scratch"
+ fi
fi
writable_device_used_sz="$scratch_device_sz"
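Review bot: The new outer `if [ -z "$id44_crypted" ]; then` carries no comment saying why the scratch encryption is nested instead of being folded into the existing `[ "$crypt" -ne 0 ] && encrypt_device` condition, and a later cleanup that merges the two would make the script print `Continuing with unencrypted scratch` for a slice that is carved from the already-encrypted mapper device. Suggest above the outer if: `# Whole ID44 device is already dm-crypt'ed (id44_crypted): skip per-slice encryption and do not report the scratch slice as unencrypted`. The scratch-device setup this belongs to starts and continues outside the hunk.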
@@ -665,6 +677,7 @@ writable_device_used_sz="$scratch_device_sz"
for line in "${linear[@]}"; do
[ -z "$line" ] && continue
read -r name crypt min max ignore <<< "$line"
+ [ -n "$id44_crypted" ] && crypt=0
free_space="$(( writable_device_sz - writable_device_used_sz ))"
if [ "$min" -gt "$free_space" ]; then
echo "$0: Not enough space left for linear devices: '$line'"
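Review bot: The override `[ -n "$id44_crypted" ] && crypt=0` is copied verbatim after every `read -r name crypt min max ignore` — here and in the three later hunks for the thin-volume loop, the thin-snapshot and the regular snapshot — and none of the four sites says why a per-slice crypt flag is dropped, namely that it would stack a second dm-crypt mapping on top of the already-encrypted ID44 device. Add the reason once at this first occurrence, e.g. `# whole ID44 device is already encrypted; a per-slice crypt layer would only double-encrypt`, or move the read and the override into one small helper used by all four sites so the rule lives in a single place. The enclosing for loop continues past the hunk.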
@@ -710,6 +723,7 @@ if [ -n "$thin_snapshot" ] || [ -n "$thin_volume" ]; then
for line in "${thin_volume[@]}"; do
[ -z "$line" ] && continue
read -r name crypt min max ignore <<< "$line"
+ [ -n "$id44_crypted" ] && crypt=0
# thin-volume can be created with max size,
# since they are overprovisioned anyway.
if ! create_volume "$name" "$(( volume_id++ ))" "$max"; then
@@ -725,6 +739,7 @@ if [ -n "$thin_snapshot" ] || [ -n "$thin_volume" ]; then
if [ -n "$thin_snapshot" ]; then
# create thin-snapshot, use first one
read -r name crypt min max ignore <<< "$thin_snapshot"
+ [ -n "$id44_crypted" ] && crypt=0
# min/max was used for the pool data device, ignore it here!
# Calculate how much of the CoW space we reserve for changes in the base
# system. Usually all the files in the base system should be static, but
@@ -761,6 +776,7 @@ fi
###
if [ -n "$snapshot" ] && require_exact_scratch_size; then
read -r name crypt min max ignore <<< "$snapshot"
+ [ -n "$id44_crypted" ] && crypt=0
if ! create_snapshot "$name $persist"; then
echo "Failed to create regular snapshot for '$read_only_device' on '$scratch_device'."
else