diff options
author | Simon Rettberg | 2023-07-06 11:22:08 +0200 |
---|---|---|
committer | Simon Rettberg | 2023-07-06 11:22:08 +0200 |
commit | 73dc5ba6f4cadf9e500258d508c86af98a4b02cd (patch) | |
tree | 838cad78cfa036a164e103fa61373a5e96ce2920 | |
parent | [slx-network] Write own hostname and fqdn to /etc/hosts (diff) | |
download | systemd-init-73dc5ba6f4cadf9e500258d508c86af98a4b02cd.tar.gz systemd-init-73dc5ba6f4cadf9e500258d508c86af98a4b02cd.tar.xz systemd-init-73dc5ba6f4cadf9e500258d508c86af98a4b02cd.zip |
[slx-dmsetup] Introduce SLX_ID44_CRYPT for encrypting
This will encrypt the entire writable device(s) before creating any
partitions and pools inside it.
-rwxr-xr-x | modules.d/slx-dmsetup/scripts/dmsetup-slx-device | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/modules.d/slx-dmsetup/scripts/dmsetup-slx-device b/modules.d/slx-dmsetup/scripts/dmsetup-slx-device index e01b1f97..8bf0f097 100755 --- a/modules.d/slx-dmsetup/scripts/dmsetup-slx-device +++ b/modules.d/slx-dmsetup/scripts/dmsetup-slx-device @@ -476,6 +476,7 @@ dev_find_partitions &> /dev/null dev_swap_version &> /dev/null # This is the main variable driving this script +declare -g id44_crypted= declare -g writable_device= if [ -z "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then SLX_WRITABLE_DEVICE_IDENTIFIER=("44" "87f86132-ff94-4987-b250-444444444444") @@ -485,7 +486,6 @@ if [ -z "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then fi # XXX The fuck? This may or may not be an array? Shit will defintely break some day... if [ -n "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then - # only first one for now TODO create linear devices of all ID44s declare -a writable_devices writable_devices=( $( dev_find_partitions "${SLX_WRITABLE_DEVICE_IDENTIFIER[@]}" ) ) if [[ "${#writable_devices[@]}" -eq 0 && "$SLX_NTFSFREE" != "never" ]] || [ "$SLX_NTFSFREE" = "always" ]; then @@ -551,6 +551,16 @@ fi if [ -z "$writable_device" ]; then echo "$0: Could not find writable device with id '$SLX_WRITABLE_DEVICE_IDENTIFIER'." ramdisk_fallback +elif [ -n "$SLX_ID44_CRYPT" ] && [ "$SLX_ID44_CRYPT" != 0 ]; then + # Config option crypts the entire ID44 device(s), before any slices are taken from it. + if encrypt_device "$writable_device" "id44-crypt"; then + echo "$0: ID44 encrypted" + writable_device="/dev/mapper/id44-crypt" + # Remember the whole device is already encrypted, and ignore the crypt flag for the partition table later + id44_crypted=1 + else + echo "$0: Error encrypting ID44 partition" + fi fi # NOTE: from here on out, every value related to size is in 512 bytes sectors! @@ -652,11 +662,13 @@ fi save_partition_info "${scratch_device##*/}" "*" "1" "$scratch_device_sz" # encrypt the scratch device, if configured -if [ "$crypt" -ne 0 ] && encrypt_device \ - "$scratch_device" "${scratch_device##*/}-crypt" "$scratch_device_sz"; then - scratch_device="/dev/mapper/${scratch_device##*/}-crypt" -else - echo "$0: Continuing with unencrypted scratch" +if [ -z "$id44_crypted" ]; then + if [ "$crypt" -ne 0 ] && encrypt_device \ + "$scratch_device" "${scratch_device##*/}-crypt" "$scratch_device_sz"; then + scratch_device="/dev/mapper/${scratch_device##*/}-crypt" + else + echo "$0: Continuing with unencrypted scratch" + fi fi writable_device_used_sz="$scratch_device_sz" @@ -665,6 +677,7 @@ writable_device_used_sz="$scratch_device_sz" for line in "${linear[@]}"; do [ -z "$line" ] && continue read -r name crypt min max ignore <<< "$line" + [ -n "$id44_crypted" ] && crypt=0 free_space="$(( writable_device_sz - writable_device_used_sz ))" if [ "$min" -gt "$free_space" ]; then echo "$0: Not enough space left for linear devices: '$line'" @@ -710,6 +723,7 @@ if [ -n "$thin_snapshot" ] || [ -n "$thin_volume" ]; then for line in "${thin_volume[@]}"; do [ -z "$line" ] && continue read -r name crypt min max ignore <<< "$line" + [ -n "$id44_crypted" ] && crypt=0 # thin-volume can be created with max size, # since they are overprovisioned anyway. if ! create_volume "$name" "$(( volume_id++ ))" "$max"; then @@ -725,6 +739,7 @@ if [ -n "$thin_snapshot" ] || [ -n "$thin_volume" ]; then if [ -n "$thin_snapshot" ]; then # create thin-snapshot, use first one read -r name crypt min max ignore <<< "$thin_snapshot" + [ -n "$id44_crypted" ] && crypt=0 # min/max was used for the pool data device, ignore it here! # Calculate how much of the CoW space we reserve for changes in the base # system. Usually all the files in the base system should be static, but @@ -761,6 +776,7 @@ fi ### if [ -n "$snapshot" ] && require_exact_scratch_size; then read -r name crypt min max ignore <<< "$snapshot" + [ -n "$id44_crypted" ] && crypt=0 if ! create_snapshot "$name $persist"; then echo "Failed to create regular snapshot for '$read_only_device' on '$scratch_device'." else |