-rw-r--r-- | cryptsetup/PKGBUILD | 53 | ||||
-rw-r--r-- | cryptsetup/hooks-encrypt | 144 | ||||
-rw-r--r-- | cryptsetup/install-encrypt | 48 | ||||
-rw-r--r-- | cryptsetup/install-sd-encrypt | 49 | ||||
-rw-r--r-- | cryptsetup/test.patch | 29 |
5 files changed, 0 insertions, 323 deletions
diff --git a/cryptsetup/PKGBUILD b/cryptsetup/PKGBUILD
deleted file mode 100644
index 57969c96..00000000
--- a/cryptsetup/PKGBUILD
+++ /dev/null
@@ -1,53 +0,0 @@
-# Maintainer: Erich Eckner <arch at eckner dot net>
-# Contributor: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
-# Contributor: Thomas Bächler <thomas@archlinux.org>
-
-pkgname=cryptsetup
-pkgver=2.3.0
-pkgrel=1
-pkgdesc='Userspace setup tool for transparent encryption of block devices using dm-crypt'
-arch=(x86_64)
-license=('GPL')
-url='https://gitlab.com/cryptsetup/cryptsetup/'
-depends=('device-mapper' 'openssl' 'popt' 'libutil-linux' 'json-c' 'argon2')
-makedepends=('util-linux')
-options=('!emptydirs')
-validpgpkeys=('2A2918243FDE46648D0686F9D9B0577BD93E98FC') # Milan Broz <gmazyland@gmail.com>
-source=("https://www.kernel.org/pub/linux/utils/cryptsetup/v${pkgver%.*}/${pkgname}-${pkgver}.tar."{xz,sign}
- 'hooks-encrypt'
- 'install-encrypt'
- 'install-sd-encrypt'
- 'test.patch')
-sha512sums=('d4af8edb7a50603028c6c6999ae7a1851d2232ee11d4a501270afb424f0a7dc82893a6a5d30d3a3188634aa80ec1a79f22a91b539910df10d07f8d9ae532cb08'
- 'SKIP'
- 'dab61d2559e16f4b74eb366ee5f41e82799d1bf6312fcb3b20f2750ad91c2ba9f3db43242aed00bb8ca9e34c18e48be2045e64ba68289d5720d78a03303b8161'
- 'd1839c3b352fc6469185ba01a9af47bc820a61ef4c5d54714d6848b1eec8e2eb071c1ff5855eeee797abbb9afa4883658673ee232591d99ed4ea7ca25ec7d312'
- 'aa7b621d9f3afe660c7c5c603c14fa61d026452e521039abc2f00aa771f7dfe4565a3f5697ac57e6acdfb8c8ab34fe9c4424f0c43fd4d3673e9d5a76caae74b3'
- 'a1754a37bae46d7f2e4afcd5ac562505f602e0e62dafa38c8be81b98e9cf38b99a8c27367fb063d1919787df96f012ce3b9837502294a22a4df1bce519a52232')
-
-prepare() {
- cd "${srcdir}"/$pkgname-${pkgver}
- patch -p1 -i ../test.patch
-}
-
-build() {
- cd "${srcdir}"/$pkgname-${pkgver}
-
- ./configure \
- --prefix=/usr \
- --sbindir=/usr/bin \
- --enable-libargon2 \
- --disable-static
- make
-}
-
-package() {
- cd "${srcdir}"/$pkgname-${pkgver}
-
- make DESTDIR="${pkgdir}" install
-
- # install hook
- install -D -m0644 "${srcdir}"/hooks-encrypt "${pkgdir}"/usr/lib/initcpio/hooks/encrypt
- install -D -m0644 "${srcdir}"/install-encrypt "${pkgdir}"/usr/lib/initcpio/install/encrypt
- install -D -m0644 "${srcdir}"/install-sd-encrypt "${pkgdir}"/usr/lib/initcpio/install/sd-encrypt
-}
diff --git a/cryptsetup/hooks-encrypt b/cryptsetup/hooks-encrypt
deleted file mode 100644
index 882d5fb4..00000000
--- a/cryptsetup/hooks-encrypt
+++ /dev/null
@@ -1,144 +0,0 @@
-#!/usr/bin/ash
-
-run_hook() {
- modprobe -a -q dm-crypt >/dev/null 2>&1
- [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
-
- # Get keyfile if specified
- ckeyfile="/crypto_keyfile.bin"
- if [ -n "$cryptkey" ]; then
- IFS=: read ckdev ckarg1 ckarg2 <<EOF
-$cryptkey
-EOF
-
- if [ "$ckdev" = "rootfs" ]; then
- ckeyfile=$ckarg1
- elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then
- case ${ckarg1} in
- *[!0-9]*)
- # Use a file on the device
- # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
- mkdir /ckey
- mount -r -t "$ckarg1" "$resolved" /ckey
- dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1
- umount /ckey
- ;;
- *)
- # Read raw data from the block device
- # ckarg1 is numeric: ckarg1=offset, ckarg2=length
- dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1
- ;;
- esac
- fi
- [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
- fi
-
- if [ -n "${cryptdevice}" ]; then
- DEPRECATED_CRYPT=0
- IFS=: read cryptdev cryptname cryptoptions <<EOF
-$cryptdevice
-EOF
- else
- DEPRECATED_CRYPT=1
- cryptdev="${root}"
- cryptname="root"
- fi
-
- # This may happen if third party hooks do the crypt setup
- if [ -b "/dev/mapper/${cryptname}" ]; then
- echo "Device ${cryptname} already exists, not doing any crypt setup."
- return 0
- fi
-
- warn_deprecated() {
- echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
- echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
- }
-
- for cryptopt in ${cryptoptions//,/ }; do
- case ${cryptopt} in
- allow-discards)
- cryptargs="${cryptargs} --allow-discards"
- ;;
- *)
- echo "Encryption option '${cryptopt}' not known, ignoring." >&2
- ;;
- esac
- done
-
- if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
- if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
- [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
- dopassphrase=1
- # If keyfile exists, try to use that
- if [ -f ${ckeyfile} ]; then
- if eval cryptsetup --key-file ${ckeyfile} open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then
- dopassphrase=0
- else
- echo "Invalid keyfile. Reverting to passphrase."
- fi
- fi
- # Ask for a passphrase
- if [ ${dopassphrase} -gt 0 ]; then
- echo ""
- echo "A password is required to access the ${cryptname} volume:"
-
- #loop until we get a real password
- while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do
- sleep 2;
- done
- fi
- if [ -e "/dev/mapper/${cryptname}" ]; then
- if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
- export root="/dev/mapper/root"
- fi
- else
- err "Password succeeded, but ${cryptname} creation failed, aborting..."
- return 1
- fi
- elif [ -n "${crypto}" ]; then
- [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
- msg "Non-LUKS encrypted device found..."
- if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then
- err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
- err "Non-LUKS decryption not attempted..."
- return 1
- fi
- exe="cryptsetup open --type plain $resolved $cryptname $cryptargs"
- IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF
-$crypto
-EOF
- [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'"
- [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'"
- [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'"
- [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'"
- [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'"
- if [ -f "$ckeyfile" ]; then
- exe="$exe --key-file $ckeyfile"
- else
- echo ""
- echo "A password is required to access the ${cryptname} volume:"
- fi
- eval "$exe $CSQUIET"
-
- if [ $? -ne 0 ]; then
- err "Non-LUKS device decryption failed. verify format: "
- err " crypto=hash:cipher:keysize:offset:skip"
- return 1
- fi
- if [ -e "/dev/mapper/${cryptname}" ]; then
- if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
- export root="/dev/mapper/root"
- fi
- else
- err "Password succeeded, but ${cryptname} creation failed, aborting..."
- return 1
- fi
- else
- err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
- fi
- fi
- rm -f ${ckeyfile}
-}
-
-# vim: set ft=sh ts=4 sw=4 et:
diff --git a/cryptsetup/install-encrypt b/cryptsetup/install-encrypt
deleted file mode 100644
index 4cffb4ff..00000000
--- a/cryptsetup/install-encrypt
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-
-build() {
- local mod
-
- add_module "dm-crypt"
- add_module "dm-integrity"
- if [[ $CRYPTO_MODULES ]]; then
- for mod in $CRYPTO_MODULES; do
- add_module "$mod"
- done
- else
- add_all_modules "/crypto/"
- fi
-
- add_binary "cryptsetup"
- add_binary "dmsetup"
- add_file "/usr/lib/udev/rules.d/10-dm.rules"
- add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
- add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
- add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
-
- # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
- add_binary "/usr/lib/libgcc_s.so.1"
-
- add_runscript
-}
-
-help() {
- cat <<HELPEOF
-This hook allows for an encrypted root device. Users should specify the device
-to be unlocked using 'cryptdevice=device:dmname' on the kernel command line,
-where 'device' is the path to the raw device, and 'dmname' is the name given to
-the device after unlocking, and will be available as /dev/mapper/dmname.
-
-For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on
-the kernel cmdline, where 'device' represents the raw block device where the key
-exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is
-the absolute path of the keyfile within the device.
-
-Without specifying a keyfile, you will be prompted for the password at runtime.
-This means you must have a keyboard available to input it, and you may need
-the keymap hook as well to ensure that the keyboard is using the layout you
-expect.
-HELPEOF
-}
-
-# vim: set ft=sh ts=4 sw=4 et:
diff --git a/cryptsetup/install-sd-encrypt b/cryptsetup/install-sd-encrypt
deleted file mode 100644
index 1cc16cff..00000000
--- a/cryptsetup/install-sd-encrypt
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-build() {
- local mod
-
- add_module "dm-crypt"
- add_module "dm-integrity"
- if [[ $CRYPTO_MODULES ]]; then
- for mod in $CRYPTO_MODULES; do
- add_module "$mod"
- done
- else
- add_all_modules "/crypto/"
- fi
-
- add_binary "dmsetup"
- add_file "/usr/lib/udev/rules.d/10-dm.rules"
- add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
- add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
- add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
-
- add_systemd_unit "cryptsetup.target"
- add_binary "/usr/lib/systemd/system-generators/systemd-cryptsetup-generator"
- add_binary "/usr/lib/systemd/systemd-cryptsetup"
-
- add_systemd_unit "systemd-ask-password-console.path"
- add_systemd_unit "systemd-ask-password-console.service"
-
- # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
- add_binary "/usr/lib/libgcc_s.so.1"
-
- # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
- add_binary "mkswap"
-
- [[ -f /etc/crypttab.initramfs ]] && add_file "/etc/crypttab.initramfs" "/etc/crypttab"
-}
-
-help() {
- cat <<HELPEOF
-This hook allows for an encrypted root device with systemd initramfs.
-
-See the manpage of systemd-cryptsetup-generator(8) for available kernel
-command line options. Alternatively, if the file /etc/crypttab.initramfs
-exists, it will be added to the initramfs as /etc/crypttab. See the
-crypttab(5) manpage for more information on crypttab syntax.
-HELPEOF
-}
-
-# vim: set ft=sh ts=4 sw=4 et:
diff --git a/cryptsetup/test.patch b/cryptsetup/test.patch
deleted file mode 100644
index 405f3358..00000000
--- a/cryptsetup/test.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/src/cryptsetup.c b/src/cryptsetup.c
-index df13df3..eb3f625 100644
---- a/src/cryptsetup.c
-+++ b/src/cryptsetup.c
-@@ -84,6 +84,7 @@ static int opt_disable_keyring = 0;
- static const char *opt_priority = NULL; /* normal */
- static const char *opt_integrity = NULL; /* none */
- static int opt_integrity_nojournal = 0;
-+static int opt_integrity_recovery = 0;
- static int opt_integrity_no_wipe = 0;
- static const char *opt_key_description = NULL;
- static int opt_sector_size = 0;
-@@ -182,6 +183,8 @@ static void _set_activation_flags(uint32_t *flags)
-
- if (opt_integrity_nojournal)
- *flags |= CRYPT_ACTIVATE_NO_JOURNAL;
-+ if (opt_integrity_recovery)
-+ *flags |= CRYPT_ACTIVATE_RECOVERY;
-
- /* In persistent mode, we use what is set on command line */
- if (opt_persistent)
-@@ -3409,6 +3412,7 @@ int main(int argc, const char **argv)
- { "disable-keyring", '\0', POPT_ARG_NONE, &opt_disable_keyring, 0, N_("Disable loading volume keys via kernel keyring"), NULL },
- { "integrity", 'I', POPT_ARG_STRING, &opt_integrity, 0, N_("Data integrity algorithm (LUKS2 only)"), NULL },
- { "integrity-no-journal",'\0',POPT_ARG_NONE, &opt_integrity_nojournal, 0, N_("Disable journal for integrity device"), NULL },
-+ { "integrity-recovery-mode", 'R', POPT_ARG_NONE, &opt_integrity_recovery, 0, N_("Recovery mode for integrity device (no journal, no tag checking)"), NULL },
- { "integrity-no-wipe", '\0', POPT_ARG_NONE, &opt_integrity_no_wipe, 0, N_("Do not wipe device after format"), NULL },
- { "token-only", '\0', POPT_ARG_NONE, &opt_token_only, 0, N_("Do not ask for passphrase if activation by token fails"), NULL },
- { "token-id", '\0', POPT_ARG_INT, &opt_token, 0, N_("Token number (default: any)"), NULL }, |