From 624fe6eef68a4ca94023932ca9cf1bc35a4c3648 Mon Sep 17 00:00:00 2001
From: moparisthebest <admin@moparisthebest.com>
Date: Sun, 4 Dec 2016 22:45:45 -0500
Subject: [PATCH] Add experimental cryptsetup-multidisk-ssh

---
 src/cryptsetup-multidisk-ssh/.SRCINFO        | 12 ++++
 src/cryptsetup-multidisk-ssh/PKGBUILD        | 18 +++++
 src/cryptsetup-multidisk-ssh/encrypt_install | 69 ++++++++++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 src/cryptsetup-multidisk-ssh/.SRCINFO
 create mode 100644 src/cryptsetup-multidisk-ssh/PKGBUILD
 create mode 100644 src/cryptsetup-multidisk-ssh/encrypt_install

diff --git a/src/cryptsetup-multidisk-ssh/.SRCINFO b/src/cryptsetup-multidisk-ssh/.SRCINFO
new file mode 100644
index 0000000..e58202c
--- /dev/null
+++ b/src/cryptsetup-multidisk-ssh/.SRCINFO
@@ -0,0 +1,12 @@
+pkgbase = cryptsetup-multidisk
+	pkgdesc = Handle multiple encrypted root devices
+	pkgver = 1.0
+	pkgrel = 1
+	url = https://github.com/moparisthebest/archlinux_encrypthook
+	arch = any
+	license = GPL3
+	source = https://codeload.github.com/moparisthebest/archlinux_encrypthook/tar.gz/v1.0
+	sha256sums = e38eed40eadfa7dadd697cbe6d06845edad35fcc37f910e5323d5b89fce5ef67
+
+pkgname = cryptsetup-multidisk
+
diff --git a/src/cryptsetup-multidisk-ssh/PKGBUILD b/src/cryptsetup-multidisk-ssh/PKGBUILD
new file mode 100644
index 0000000..7ac9b0b
--- /dev/null
+++ b/src/cryptsetup-multidisk-ssh/PKGBUILD
@@ -0,0 +1,18 @@
+# Contributor: moparisthebest <admin dot archlinux AT moparisthebest dot com>
+
+pkgname=cryptsetup-multidisk-ssh
+pkgver=1.0
+pkgrel=1
+pkgdesc='Handle multiple encrypted root devices with ssh shell'
+arch=('any')
+license=('GPL3')
+optional=('mkinitcpio-dropbear' 'mkinitcpio-tinyssh')
+url="https://github.com/moparisthebest/archlinux_encrypthook"
+source=("https://codeload.github.com/moparisthebest/archlinux_encrypthook/tar.gz/v$pkgver" "encrypt_install")
+sha256sums=('e38eed40eadfa7dadd697cbe6d06845edad35fcc37f910e5323d5b89fce5ef67'
+            'f97843c8ea18229361f89f13159c65bb4a0fc881589cc09a0433c66cf731052a')
+
+package() {
+	install -D -m644 "archlinux_encrypthook-$pkgver/encrypt_hook"    "${pkgdir}"/usr/lib/initcpio/hooks/encrypt-multidisk-ssh
+	install -D -m644 encrypt_install "${pkgdir}"/usr/lib/initcpio/install/encrypt-multidisk-ssh
+}
diff --git a/src/cryptsetup-multidisk-ssh/encrypt_install b/src/cryptsetup-multidisk-ssh/encrypt_install
new file mode 100644
index 0000000..265fddc
--- /dev/null
+++ b/src/cryptsetup-multidisk-ssh/encrypt_install
@@ -0,0 +1,69 @@
+#!/bin/bash
+make_etc_passwd() {
+    echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd
+    echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells
+}
+
+
+build() {
+    local mod
+
+    add_module dm-crypt
+    if [[ $CRYPTO_MODULES ]]; then
+        for mod in $CRYPTO_MODULES; do
+            add_module "$mod"
+        done
+    else
+        add_all_modules '/crypto/'
+    fi
+
+    add_binary "cryptsetup"
+    add_binary "dmsetup"
+    add_file "/usr/lib/udev/rules.d/10-dm.rules"
+    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
+    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
+    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
+
+    cp /usr/lib/initcpio/hooks/encrypt-multidisk-ssh /tmp/cryptsetup_shell
+    cat >> /tmp/cryptsetup_shell <<EOF
+
+    sed 's/ /\n/g' /proc/cmdline | grep = > /linux.cmdline
+    source /linux.cmdline
+    rm /linux.cmdline
+
+    run_hook
+EOF
+
+    add_binary "/tmp/cryptsetup_shell" "/bin/cryptsetup_shell"
+    rm /tmp/cryptsetup_shell
+
+    make_etc_passwd
+
+    add_runscript
+}
+
+help() {
+    cat <<HELPEOF
+This hook allows for multiple encrypted root devices. Users should specify the
+device to be unlocked using 'cryptdevice=device:dmname' on the kernel command
+line, where 'device' is the path to the raw device, and 'dmname' is the name 
+given to the device after unlocking, and will be available as /dev/mapper/dmname.
+
+Subsequent devices must be specified the same way, but with cryptdevice1=,
+cryptdevice2= and so on, in order. Passwords will be cached and attempted to
+re-use them on the next device, and if that fails, a new password will be asked
+for.
+
+For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
+the kernel cmdline, where 'device' represents the raw block device where the key
+exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
+the absolute path of the keyfile within the device.
+
+Without specifying a keyfile, you will be prompted for the password at runtime.
+This means you must have a keyboard available to input it, and you may need
+the keymap hook as well to ensure that the keyboard is using the layout you
+expect.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et: