249 lines
14 KiB
Diff
249 lines
14 KiB
Diff
diff -up rear-2.4/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh.orig rear-2.4/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh
|
|
--- rear-2.4/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh.orig 2018-06-21 10:40:53.000000000 +0200
|
|
+++ rear-2.4/usr/share/rear/layout/prepare/GNU/Linux/160_include_luks_code.sh 2020-11-25 09:21:55.186716041 +0100
|
|
@@ -1,35 +1,74 @@
|
|
# Code to recreate LUKS volumes.
|
|
|
|
create_crypt() {
|
|
+ # See the create_device() function in lib/layout-functions.sh what "device type" means:
|
|
+ local device_type="$1"
|
|
+ if ! grep -q "^crypt $device_type " "$LAYOUT_FILE" ; then
|
|
+ LogPrintError "Skip recreating LUKS volume $device_type (no 'crypt $device_type' entry in $LAYOUT_FILE)"
|
|
+ # FIXME: The return code is ignored in the create_device() function in lib/layout-functions.sh:
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
local crypt target_device source_device options
|
|
- read crypt target_device source_device options < <(grep "^crypt $1 " "$LAYOUT_FILE")
|
|
+ local mapping_name option key value
|
|
+ local cryptsetup_options="" keyfile="" password=""
|
|
|
|
- local target_name=${target_device#/dev/mapper/}
|
|
+ read crypt target_device source_device options < <( grep "^crypt $device_type " "$LAYOUT_FILE" )
|
|
+
|
|
+ # Careful! One cannot 'test -b $source_device' here at the time when this code is run
|
|
+ # because the source device is usually a disk partition block device like /dev/sda2
|
|
+ # but disk partition block devices usually do not yet exist (in particular not on a new clean disk)
|
|
+ # because partitions are actually created later when the diskrestore.sh script is run
|
|
+ # but not here when this code is run which only generates the diskrestore.sh script:
|
|
+ if ! test $source_device ; then
|
|
+ LogPrintError "Skip recreating LUKS volume $device_type: No source device (see the 'crypt $device_type' entry in $LAYOUT_FILE)"
|
|
+ # FIXME: The return code is ignored in the create_device() function in lib/layout-functions.sh:
|
|
+ return 1
|
|
+ fi
|
|
+
|
|
+ mapping_name=${target_device#/dev/mapper/}
|
|
+ if ! test $mapping_name ; then
|
|
+ LogPrintError "Skip recreating LUKS volume $device_type on $source_device: No /dev/mapper/... mapping name (see the 'crypt $device_type' entry in $LAYOUT_FILE)"
|
|
+ # FIXME: The return code is ignored in the create_device() function in lib/layout-functions.sh:
|
|
+ return 1
|
|
+ fi
|
|
|
|
- local cryptsetup_options="" keyfile="" password=""
|
|
- local option key value
|
|
for option in $options ; do
|
|
- key=${option%=*}
|
|
+ # $option is of the form keyword=value and
|
|
+ # we assume keyword has no '=' character but value could be anything that may have a '=' character
|
|
+ # so we split keyword=value at the leftmost '=' character so that
|
|
+ # e.g. keyword=foo=bar gets split into key="keyword" and value="foo=bar":
|
|
+ key=${option%%=*}
|
|
value=${option#*=}
|
|
-
|
|
+ # The "cryptseup luksFormat" command does not require any of the type, cipher, key-size, hash, uuid option values
|
|
+ # because if omitted a cryptseup default value is used so we treat those values as optional.
|
|
+ # Using plain test to ensure the value is a single non empty and non blank word
|
|
+ # without quoting because test " " would return zero exit code
|
|
+ # cf. "Beware of the emptiness" in https://github.com/rear/rear/wiki/Coding-Style
|
|
case "$key" in
|
|
- cipher)
|
|
- cryptsetup_options+=" --cipher $value"
|
|
+ (type)
|
|
+ test $value && cryptsetup_options+=" --type $value"
|
|
+ ;;
|
|
+ (cipher)
|
|
+ test $value && cryptsetup_options+=" --cipher $value"
|
|
;;
|
|
- key_size)
|
|
- cryptsetup_options+=" --key-size $value"
|
|
+ (key_size)
|
|
+ test $value && cryptsetup_options+=" --key-size $value"
|
|
;;
|
|
- hash)
|
|
- cryptsetup_options+=" --hash $value"
|
|
+ (hash)
|
|
+ test $value && cryptsetup_options+=" --hash $value"
|
|
;;
|
|
- uuid)
|
|
- cryptsetup_options+=" --uuid $value"
|
|
+ (uuid)
|
|
+ test $value && cryptsetup_options+=" --uuid $value"
|
|
;;
|
|
- keyfile)
|
|
- keyfile=$value
|
|
+ (keyfile)
|
|
+ test $value && keyfile=$value
|
|
;;
|
|
- password)
|
|
- password=$value
|
|
+ (password)
|
|
+ test $value && password=$value
|
|
+ ;;
|
|
+ (*)
|
|
+ LogPrintError "Skipping unsupported LUKS cryptsetup option '$key' in 'crypt $target_device $source_device' entry in $LAYOUT_FILE"
|
|
;;
|
|
esac
|
|
done
|
|
@@ -37,26 +76,25 @@ create_crypt() {
|
|
cryptsetup_options+=" $LUKS_CRYPTSETUP_OPTIONS"
|
|
|
|
(
|
|
- echo "Log \"Creating LUKS device $target_name on $source_device\""
|
|
+ echo "LogPrint \"Creating LUKS volume $mapping_name on $source_device\""
|
|
if [ -n "$keyfile" ] ; then
|
|
# Assign a temporary keyfile at this stage so that original keyfiles do not leak onto the rescue medium.
|
|
# The original keyfile will be restored from the backup and then re-assigned to the LUKS device in the
|
|
# 'finalize' stage.
|
|
# The scheme for generating a temporary keyfile path must be the same here and in the 'finalize' stage.
|
|
- keyfile="${TMPDIR:-/tmp}/LUKS-keyfile-$target_name"
|
|
+ keyfile="$TMP_DIR/LUKS-keyfile-$mapping_name"
|
|
dd bs=512 count=4 if=/dev/urandom of="$keyfile"
|
|
chmod u=rw,go=- "$keyfile"
|
|
-
|
|
echo "cryptsetup luksFormat --batch-mode $cryptsetup_options $source_device $keyfile"
|
|
- echo "cryptsetup luksOpen --key-file $keyfile $source_device $target_name"
|
|
+ echo "cryptsetup luksOpen --key-file $keyfile $source_device $mapping_name"
|
|
elif [ -n "$password" ] ; then
|
|
echo "echo \"$password\" | cryptsetup luksFormat --batch-mode $cryptsetup_options $source_device"
|
|
- echo "echo \"$password\" | cryptsetup luksOpen $source_device $target_name"
|
|
+ echo "echo \"$password\" | cryptsetup luksOpen $source_device $mapping_name"
|
|
else
|
|
- echo "LogPrint \"Please enter the password for LUKS device $target_name ($source_device):\""
|
|
+ echo "LogUserOutput \"Set the password for LUKS volume $mapping_name (for 'cryptsetup luksFormat' on $source_device):\""
|
|
echo "cryptsetup luksFormat --batch-mode $cryptsetup_options $source_device"
|
|
- echo "LogPrint \"Please re-enter the password for LUKS device $target_name ($source_device):\""
|
|
- echo "cryptsetup luksOpen $source_device $target_name"
|
|
+ echo "LogUserOutput \"Enter the password for LUKS volume $mapping_name (for 'cryptsetup luksOpen' on $source_device):\""
|
|
+ echo "cryptsetup luksOpen $source_device $mapping_name"
|
|
fi
|
|
echo ""
|
|
) >> "$LAYOUT_CODE"
|
|
diff -up rear-2.4/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh.orig rear-2.4/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh
|
|
--- rear-2.4/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh.orig 2018-06-21 10:40:53.000000000 +0200
|
|
+++ rear-2.4/usr/share/rear/layout/save/GNU/Linux/260_crypt_layout.sh 2020-11-25 09:19:31.406669210 +0100
|
|
@@ -9,6 +9,8 @@ Log "Saving Encrypted volumes."
|
|
REQUIRED_PROGS=( "${REQUIRED_PROGS[@]}" cryptsetup dmsetup )
|
|
COPY_AS_IS=( "${COPY_AS_IS[@]}" /usr/share/cracklib/\* /etc/security/pwquality.conf )
|
|
|
|
+local invalid_cryptsetup_option_value="no"
|
|
+
|
|
while read target_name junk ; do
|
|
# find the target device we're mapping
|
|
if ! [ -e /dev/mapper/$target_name ] ; then
|
|
@@ -30,17 +32,96 @@ while read target_name junk ; do
|
|
source_device="$(get_device_name ${slave##*/})"
|
|
done
|
|
|
|
- if ! cryptsetup isLuks $source_device >/dev/null 2>&1; then
|
|
+ if ! blkid -p -o export $source_device >$TMP_DIR/blkid.output ; then
|
|
+ LogPrintError "Error: Cannot get attributes for $target_name ('blkid -p -o export $source_device' failed)"
|
|
+ continue
|
|
+ fi
|
|
+
|
|
+ if ! grep -q "TYPE=crypto_LUKS" $TMP_DIR/blkid.output ; then
|
|
+ Log "Skipping $target_name (no 'TYPE=crypto_LUKS' in 'blkid -p -o export $source_device' output)"
|
|
+ continue
|
|
+ fi
|
|
+
|
|
+ # Detect LUKS version:
|
|
+ # Remove all non-digits in particular to avoid leading or trailing spaces in the version string
|
|
+ # cf. "Beware of the emptiness" in https://github.com/rear/rear/wiki/Coding-Style
|
|
+ # that could happen if the blkid output contains "VERSION = 2" so that 'cut -d= -f2' results " 2".
|
|
+ version=$( grep "VERSION" $TMP_DIR/blkid.output | cut -d= -f2 | tr -c -d '[:digit:]' )
|
|
+ if ! test "$version" = "1" -o "$version" = "2" ; then
|
|
+ LogPrintError "Error: Unsupported LUKS version for $target_name ('blkid -p -o export $source_device' shows 'VERSION=$version')"
|
|
+ continue
|
|
+ fi
|
|
+ luks_type=luks$version
|
|
+
|
|
+ # Gather crypt information:
|
|
+ if ! cryptsetup luksDump $source_device >$TMP_DIR/cryptsetup.luksDump ; then
|
|
+ LogPrintError "Error: Cannot get LUKS$version values for $target_name ('cryptsetup luksDump $source_device' failed)"
|
|
continue
|
|
fi
|
|
+ uuid=$( grep "UUID" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )
|
|
+ keyfile_option=$( [ -f /etc/crypttab ] && awk '$1 == "'"$target_name"'" && $3 != "none" && $3 != "-" && $3 != "" { print "keyfile=" $3; }' /etc/crypttab )
|
|
+ if test $luks_type = "luks1" ; then
|
|
+ cipher_name=$( grep "Cipher name" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )
|
|
+ cipher_mode=$( grep "Cipher mode" $TMP_DIR/cryptsetup.luksDump | cut -d: -f2- | awk '{printf("%s",$1)};' )
|
|
+ cipher=$cipher_name-$cipher_mode
|
|
+ key_size=$( grep "MK bits" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )
|
|
+ hash=$( grep "Hash spec" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )
|
|
+ elif test $luks_type = "luks2" ; then
|
|
+ cipher=$( grep "cipher:" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )
|
|
+ # More than one keyslot may be defined - use key_size from the first slot.
|
|
+ # Depending on the version the "cryptsetup luksDump" command outputs the key_size value
|
|
+ # as a line like
|
|
+ # Key: 512 bits
|
|
+ # and/or as a line like
|
|
+ # Cipher key: 512 bits
|
|
+ # cf. https://github.com/rear/rear/pull/2504#issuecomment-718729198 and subsequent comments
|
|
+ # so we grep for both lines but use only the first match from the first slot:
|
|
+ key_size=$( egrep -m 1 "Key:|Cipher key:" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+) bits$/\1/' )
|
|
+ hash=$( grep "Hash" $TMP_DIR/cryptsetup.luksDump | sed -r 's/^.+:\s*(.+)$/\1/' )
|
|
+ fi
|
|
|
|
- # gather crypt information
|
|
- cipher=$(cryptsetup luksDump $source_device | grep "Cipher name" | sed -r 's/^.+:\s*(.+)$/\1/')
|
|
- mode=$(cryptsetup luksDump $source_device | grep "Cipher mode" | cut -d: -f2- | awk '{printf("%s",$1)};')
|
|
- key_size=$(cryptsetup luksDump $source_device | grep "MK bits" | sed -r 's/^.+:\s*(.+)$/\1/')
|
|
- hash=$(cryptsetup luksDump $source_device | grep "Hash spec" | sed -r 's/^.+:\s*(.+)$/\1/')
|
|
- uuid=$(cryptsetup luksDump $source_device | grep "UUID" | sed -r 's/^.+:\s*(.+)$/\1/')
|
|
- keyfile_option=$([ -f /etc/crypttab ] && awk '$1 == "'"$target_name"'" && $3 != "none" && $3 != "-" { print "keyfile=" $3; }' /etc/crypttab)
|
|
+ # Basic checks that the cipher key_size hash uuid values exist
|
|
+ # cf. https://github.com/rear/rear/pull/2504#issuecomment-718729198
|
|
+ # because some values are needed during "rear recover"
|
|
+ # to set cryptsetup options in layout/prepare/GNU/Linux/160_include_luks_code.sh
|
|
+ # and it seems cryptsetup fails when options with empty values are specified
|
|
+ # cf. https://github.com/rear/rear/pull/2504#issuecomment-719479724
|
|
+ # For example a LUKS1 crypt entry in disklayout.conf looks like
|
|
+ # crypt /dev/mapper/luks1test /dev/sda7 type=luks1 cipher=aes-xts-plain64 key_size=256 hash=sha256 uuid=1b4198c9-d9b0-4c57-b9a3-3433e391e706
|
|
+ # and a LUKS1 crypt entry in disklayout.conf looks like
|
|
+ # crypt /dev/mapper/luks2test /dev/sda8 type=luks2 cipher=aes-xts-plain64 key_size=256 hash=sha256 uuid=3e874a28-7415-4f8c-9757-b3f28a96c4d2
|
|
+ # Only the keyfile_option value is optional and the luks_type value is already tested above.
|
|
+ # Using plain test to ensure a value is a single non empty and non blank word
|
|
+ # without quoting because test " " would return zero exit code
|
|
+ # cf. "Beware of the emptiness" in https://github.com/rear/rear/wiki/Coding-Style
|
|
+ # Do not error out instantly here but only report errors here so the user can see all messages
|
|
+ # and actually error out at the end of this script if there was one actually invalid value:
|
|
+ if ! test $cipher ; then
|
|
+ LogPrint "No 'cipher' value for LUKS$version volume $target_name in $source_device"
|
|
+ fi
|
|
+ if test $key_size ; then
|
|
+ if ! is_positive_integer $key_size ; then
|
|
+ LogPrintError "Error: 'key_size=$key_size' is no positive integer for LUKS$version volume $target_name in $source_device"
|
|
+ invalid_cryptsetup_option_value="yes"
|
|
+ fi
|
|
+ else
|
|
+ LogPrint "No 'key_size' value for LUKS$version volume $target_name in $source_device"
|
|
+ fi
|
|
+ if ! test $hash ; then
|
|
+ LogPrint "No 'hash' value for LUKS$version volume $target_name in $source_device"
|
|
+ fi
|
|
+ if ! test $uuid ; then
|
|
+ # Report a missig uuid value as an error to have the user informed
|
|
+ # but do not error out here because things can be fixed manually during "rear recover"
|
|
+ # cf. https://github.com/rear/rear/pull/2506#issuecomment-721757810
|
|
+ # and https://github.com/rear/rear/pull/2506#issuecomment-722315498
|
|
+ # and https://github.com/rear/rear/issues/2509
|
|
+ LogPrintError "Error: No 'uuid' value for LUKS$version volume $target_name in $source_device (mounting it or booting the recreated system may fail)"
|
|
+ fi
|
|
+
|
|
+ echo "crypt /dev/mapper/$target_name $source_device type=$luks_type cipher=$cipher key_size=$key_size hash=$hash uuid=$uuid $keyfile_option" >> $DISKLAYOUT_FILE
|
|
|
|
- echo "crypt /dev/mapper/$target_name $source_device cipher=$cipher-$mode key_size=$key_size hash=$hash uuid=$uuid $keyfile_option" >> $DISKLAYOUT_FILE
|
|
done < <( dmsetup ls --target crypt )
|
|
+
|
|
+# Let this script return successfully when invalid_cryptsetup_option_value is not true:
|
|
+is_true $invalid_cryptsetup_option_value && Error "Invalid or empty LUKS cryptsetup option value(s) in $DISKLAYOUT_FILE" || true
|