Browse Source

[trunk] -> [testing] 'cryptsetup-2.4.1-1' add

master
artoo 1 month ago
parent
commit
85d1358235
  1. 6
      trunk/PKGBUILD
  2. 49
      x86_64/testing/PKGBUILD
  3. 155
      x86_64/testing/hooks-encrypt
  4. 48
      x86_64/testing/install-encrypt

6
trunk/PKGBUILD

@ -2,7 +2,7 @@
# Contributor: Thomas Bächler <thomas@archlinux.org>
pkgname=cryptsetup
pkgver=2.4.0
pkgver=2.4.1
pkgrel=1
pkgdesc='Userspace setup tool for transparent encryption of block devices using dm-crypt'
arch=(x86_64)
@ -10,14 +10,14 @@ license=('GPL')
url='https://gitlab.com/cryptsetup/cryptsetup/'
depends=('device-mapper' 'libdevmapper.so' 'openssl' 'popt' 'util-linux-libs'
'libuuid.so' 'json-c' 'libjson-c.so' 'argon2' 'libargon2.so')
makedepends=('util-linux' 'eudev')
makedepends=('util-linux' 'udev')
provides=('libcryptsetup.so')
options=('!emptydirs')
validpgpkeys=('2A2918243FDE46648D0686F9D9B0577BD93E98FC') # Milan Broz <gmazyland@gmail.com>
source=("https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/${pkgname}-${pkgver}.tar."{xz,sign}
'hooks-encrypt'
'install-encrypt')
sha256sums=('c5c8bda31159a9c010ea72e708053cc4252cf5eebdca520e150abc0609287ff8'
sha256sums=('a356a727a83a464ade566e95239622a22dbe4e0f482b198fdb04ab0d3a5a9c5f'
'SKIP'
'10461d20fe3bc357864ace3b408a2e93b4b03b5cff023def3ab126ae9857720d'
'd325dc239ecc9a5324407b0782da6df2573e8491251836d6c4e65fa61339ce57')

49
x86_64/testing/PKGBUILD

@ -0,0 +1,49 @@
# Maintainer: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
# Contributor: Thomas Bächler <thomas@archlinux.org>
pkgname=cryptsetup
pkgver=2.4.1
pkgrel=1
pkgdesc='Userspace setup tool for transparent encryption of block devices using dm-crypt'
arch=(x86_64)
license=('GPL')
url='https://gitlab.com/cryptsetup/cryptsetup/'
depends=('device-mapper' 'libdevmapper.so' 'openssl' 'popt' 'util-linux-libs'
'libuuid.so' 'json-c' 'libjson-c.so' 'argon2' 'libargon2.so')
makedepends=('util-linux' 'udev')
provides=('libcryptsetup.so')
options=('!emptydirs')
validpgpkeys=('2A2918243FDE46648D0686F9D9B0577BD93E98FC') # Milan Broz <gmazyland@gmail.com>
source=("https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/${pkgname}-${pkgver}.tar."{xz,sign}
'hooks-encrypt'
'install-encrypt')
sha256sums=('a356a727a83a464ade566e95239622a22dbe4e0f482b198fdb04ab0d3a5a9c5f'
'SKIP'
'10461d20fe3bc357864ace3b408a2e93b4b03b5cff023def3ab126ae9857720d'
'd325dc239ecc9a5324407b0782da6df2573e8491251836d6c4e65fa61339ce57')
build() {
cd "${srcdir}"/$pkgname-${pkgver}
./configure \
--prefix=/usr \
--sbindir=/usr/bin \
--enable-libargon2 \
--disable-ssh-token \
--disable-static
sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
make
}
package() {
cd "${srcdir}"/$pkgname-${pkgver}
make DESTDIR="${pkgdir}" install
# install docs
install -D -m0644 -t "${pkgdir}"/usr/share/doc/cryptsetup/ FAQ docs/{Keyring,LUKS2-locking}.txt
# install hook
install -D -m0644 "${srcdir}"/hooks-encrypt "${pkgdir}"/usr/lib/initcpio/hooks/encrypt
install -D -m0644 "${srcdir}"/install-encrypt "${pkgdir}"/usr/lib/initcpio/install/encrypt
}

155
x86_64/testing/hooks-encrypt

@ -0,0 +1,155 @@
#!/usr/bin/ash
run_hook() {
modprobe -a -q dm-crypt >/dev/null 2>&1
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
# Get keyfile if specified
ckeyfile="/crypto_keyfile.bin"
if [ -n "$cryptkey" ]; then
IFS=: read ckdev ckarg1 ckarg2 <<EOF
$cryptkey
EOF
if [ "$ckdev" = "rootfs" ]; then
ckeyfile=$ckarg1
elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
case ${ckarg1} in
*[!0-9]*)
# Use a file on the device
# ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
mkdir /ckey
mount -r -t "$ckarg1" "$resolved" /ckey
dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
umount /ckey
;;
*)
# Read raw data from the block device
# ckarg1 is numeric: ckarg1=offset, ckarg2=length
dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
;;
esac
fi
[ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
fi
if [ -n "${cryptdevice}" ]; then
DEPRECATED_CRYPT=0
IFS=: read cryptdev cryptname cryptoptions <<EOF
$cryptdevice
EOF
else
DEPRECATED_CRYPT=1
cryptdev="${root}"
cryptname="root"
fi
# This may happen if third party hooks do the crypt setup
if [ -b "/dev/mapper/${cryptname}" ]; then
echo "Device ${cryptname} already exists, not doing any crypt setup."
return 0
fi
warn_deprecated() {
echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
}
set -f
OLDIFS="$IFS"; IFS=,
for cryptopt in ${cryptoptions}; do
case ${cryptopt} in
allow-discards|discard)
cryptargs="${cryptargs} --allow-discards"
;;
no-read-workqueue|perf-no_read_workqueue)
cryptargs="${cryptargs} --perf-no_read_workqueue"
;;
no-write-workqueue|perf-no_read_workqueue)
cryptargs="${cryptargs} --perf-no_write_workqueue"
;;
*)
echo "Encryption option '${cryptopt}' not known, ignoring." >&2
;;
esac
done
set +f
IFS="$OLDIFS"
unset OLDIFS
if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
dopassphrase=1
# If keyfile exists, try to use that
if [ -f ${ckeyfile} ]; then
if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
dopassphrase=0
else
echo "Invalid keyfile. Reverting to passphrase."
fi
fi
# Ask for a passphrase
if [ ${dopassphrase} -gt 0 ]; then
echo ""
echo "A password is required to access the ${cryptname} volume:"
#loop until we get a real password
while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
sleep 2;
done
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
return 1
fi
elif [ -n "${crypto}" ]; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
msg "Non-LUKS encrypted device found..."
if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
err "Non-LUKS decryption not attempted..."
return 1
fi
exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
$crypto
EOF
[ -n "$c_hash" ] && exe="$exe --hash '$c_hash'"
[ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'"
[ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
[ -n "$c_offset" ] && exe="$exe --offset '$c_offset'"
[ -n "$c_skip" ] && exe="$exe --skip '$c_skip'"
if [ -f "$ckeyfile" ]; then
exe="$exe --key-file $ckeyfile"
else
echo ""
echo "A password is required to access the ${cryptname} volume:"
fi
eval "$exe $CSQUIET"
if [ $? -ne 0 ]; then
err "Non-LUKS device decryption failed. verify format: "
err " crypto=hash:cipher:keysize:offset:skip"
return 1
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
return 1
fi
else
err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
fi
fi
rm -f ${ckeyfile}
}
# vim: set ft=sh ts=4 sw=4 et:

48
x86_64/testing/install-encrypt

@ -0,0 +1,48 @@
#!/bin/bash
build() {
local mod
add_module "dm-crypt"
add_module "dm-integrity"
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules "/crypto/"
fi
add_binary "cryptsetup"
add_binary "dmsetup"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
# cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
add_binary "/usr/lib/libgcc_s.so.1"
add_runscript
}
help() {
cat <<HELPEOF
This hook allows for an encrypted root device. Users should specify the device
to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
where 'device' is the path to the raw device, and 'dmname' is the name given to
the device after unlocking, and will be available as /dev/mapper/dmname.
For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
the kernel cmdline, where 'device' represents the raw block device where the key
exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
the absolute path of the keyfile within the device.
Without specifying a keyfile, you will be prompted for the password at runtime.
This means you must have a keyboard available to input it, and you may need
the keymap hook as well to ensure that the keyboard is using the layout you
expect.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
Loading…
Cancel
Save