69 lines
2.5 KiB
Bash
69 lines
2.5 KiB
Bash
#!/bin/bash
|
|
make_etc_passwd() {
|
|
echo 'root:x:0:0:root:/root:/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/passwd
|
|
echo '/bin/cryptsetup_shell' > "${BUILDROOT}"/etc/shells
|
|
}
|
|
|
|
|
|
build() {
|
|
local mod
|
|
|
|
add_module dm-crypt
|
|
if [[ $CRYPTO_MODULES ]]; then
|
|
for mod in $CRYPTO_MODULES; do
|
|
add_module "$mod"
|
|
done
|
|
else
|
|
add_all_modules '/crypto/'
|
|
fi
|
|
|
|
add_binary "cryptsetup"
|
|
add_binary "dmsetup"
|
|
add_file "/usr/lib/udev/rules.d/10-dm.rules"
|
|
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
|
|
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
|
|
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
|
|
|
|
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/cryptsetup_shell" "/bin/cryptsetup_shell"
|
|
add_binary "/usr/share/cryptsetup-multidisk-ssh/bin/query_password" "/bin/query_password"
|
|
|
|
make_etc_passwd
|
|
|
|
add_runscript
|
|
}
|
|
|
|
help() {
|
|
cat <<HELPEOF
|
|
This hook is a drop in replacement for the encrypt multidisk hook and also allows for
|
|
multiple encrypted root devices to be unlocked remotely over SSH. It works with both
|
|
mkinitcpio-dropbear and mkinitcpio-tinyssh hooks. It DOES NOT perform any
|
|
network interface configuration.
|
|
|
|
Use this hook in combination with any early userspace networking hook, such as
|
|
mkinitcpio-netconf or mkinitcpio-ppp. Place this hook AFTER any network
|
|
configuration hook and BEFORE the filesystems hook.
|
|
|
|
This hook allows for multiple encrypted root devices. Users should specify the
|
|
device to be unlocked using 'cryptdevice=device:dmname' on the kernel command
|
|
line, where 'device' is the path to the raw device, and 'dmname' is the name
|
|
given to the device after unlocking, and will be available as /dev/mapper/dmname.
|
|
|
|
Subsequent devices must be specified the same way, but with cryptdevice1=,
|
|
cryptdevice2= and so on, in order. Passwords will be cached and attempted to
|
|
re-use them on the next device, and if that fails, a new password will be asked
|
|
for.
|
|
|
|
For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
|
|
the kernel cmdline, where 'device' represents the raw block device where the key
|
|
exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
|
|
the absolute path of the keyfile within the device.
|
|
|
|
Without specifying a keyfile, you will be prompted for the password at runtime.
|
|
This means you must have a keyboard available to input it, and you may need
|
|
the keymap hook as well to ensure that the keyboard is using the layout you
|
|
expect.
|
|
HELPEOF
|
|
}
|
|
|
|
# vim: set ft=sh ts=4 sw=4 et:
|