picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/cryptsetup/cryptsetup-generator.c

607 lines
20 KiB
C
Raw Normal View History

Add SPDX license identifiers to source files under the LGPL This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
#include <errno.h>
headers: remove unneeded includes from util.h This means we need to include many more headers in various files that simply included util.h before, but it seems cleaner to do it this way.
2019-03-27 11:32:41 +01:00
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
util-lib: split out allocation calls into alloc-util.[ch]
2015-10-27 03:01:06 +01:00
#include "alloc-util.h"
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
#include "dropin.h"
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
#include "escape.h"
util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.
2015-10-25 13:14:12 +01:00
#include "fd-util.h"
util-lib: move more file I/O related calls into fileio.[ch]
2015-10-26 18:05:03 +01:00
#include "fileio.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "fstab-util.h"
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
#include "generator.h"
#include "hashmap.h"
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
#include "id128-util.h"
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
#include "log.h"
rename basic.la to shared.la and put selinux deps in shared-selinx.la Only 34 of 74 tools need libselinux linked, and libselinux is a pain with its unconditional library constructor.
2012-04-10 21:54:31 +02:00
#include "mkdir.h"
util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]
2015-10-26 16:18:16 +01:00
#include "parse-util.h"
cryptsetup: don't add unit dependency on /dev/null devices when it is listed as password file As special magic, don't create device dependencies for /dev/null. Of course, there might be similar devices we might want to include, but given that none of them really make sense to specify as password source there's really no point in checking for anything else here. https://bugs.freedesktop.org/show_bug.cgi?id=75816
2014-06-23 19:18:44 +02:00
#include "path-util.h"
util-lib: move /proc/cmdline parsing code to proc-cmdline.[ch]
2015-10-27 00:06:29 +01:00
#include "proc-cmdline.h"
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
#include "specifier.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "string-util.h"
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
#include "strv.h"
#include "unit-name.h"
#include "util.h"
typedef struct crypto_device {
char *uuid;
cryptsetup-generator: Add support for UUID-specific key files on kernel command line
2014-12-02 18:49:29 +01:00
char *keyfile;
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
char *keydev;
cryptsetup-generator: Add support for naming luks devices on kernel cmdline
2014-12-02 18:49:30 +01:00
char *name;
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
char *options;
bool create;
} crypto_device;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
generators: define custom main func definer and use it where applicable There should be no functional difference, except that the error message is changd from "three or no arguments" to "zero or three arguments". Somehow the inverted form always seemed strange. umask() call is also dropped from run-generator. I think it wasn't dropped in 053254e3cb215df3b8c905bc39b920f8817e1c7d because the run generator was merged around the same time.
2018-12-04 11:49:42 +01:00
static const char *arg_dest = NULL;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
static bool arg_enabled = true;
static bool arg_read_crypttab = true;
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
static bool arg_whitelist = false;
static Hashmap *arg_disks = NULL;
static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
STATIC_DESTRUCTOR_REGISTER(arg_disks, hashmap_freep);
STATIC_DESTRUCTOR_REGISTER(arg_default_options, freep);
STATIC_DESTRUCTOR_REGISTER(arg_default_keyfile, freep);
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
static int generate_keydev_mount(const char *name, const char *keydev, char **unit, char **mount) {
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
_cleanup_free_ char *u = NULL, *what = NULL, *where = NULL, *name_escaped = NULL;
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
_cleanup_fclose_ FILE *f = NULL;
int r;
assert(name);
assert(keydev);
assert(unit);
assert(mount);
r = mkdir_parents("/run/systemd/cryptsetup", 0755);
if (r < 0)
return r;
r = mkdir("/run/systemd/cryptsetup", 0700);
cryptsetup-generator: don't return error if target directory already exists
2018-09-04 19:51:14 +02:00
if (r < 0 && errno != EEXIST)
return -errno;
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
name_escaped = cescape(name);
if (!name_escaped)
return -ENOMEM;
where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
if (!where)
return -ENOMEM;
r = mkdir(where, 0700);
cryptsetup-generator: don't return error if target directory already exists
2018-09-04 19:51:14 +02:00
if (r < 0 && errno != EEXIST)
return -errno;
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
r = unit_name_from_path(where, ".mount", &u);
if (r < 0)
return r;
r = generator_open_unit_file(arg_dest, NULL, u, &f);
if (r < 0)
return r;
what = fstab_node_to_udev_node(keydev);
if (!what)
return -ENOMEM;
fprintf(f,
"[Unit]\n"
"DefaultDependencies=no\n\n"
"[Mount]\n"
"What=%s\n"
"Where=%s\n"
"Options=ro\n", what, where);
r = fflush_and_check(f);
if (r < 0)
return r;
*unit = TAKE_PTR(u);
*mount = TAKE_PTR(where);
return 0;
}
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
static int create_disk(
const char *name,
const char *device,
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
const char *keydev,
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
const char *password,
const char *options) {
generator: add helper function for writing unit files It doesn't save too much, but it's a common pattern so I think it's worth to factor this out.
2017-12-09 19:23:26 +01:00
_cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
*filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *keydev_mount = NULL;
move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18 09:11:22 +02:00
_cleanup_fclose_ FILE *f = NULL;
cryptsetup-generator: add a helper utility to create symlinks It seems that there's a common pattern among the various generators. Let's add a helper function for it and make use of it in cryptsetup-generator. This fixes a bunch of theoretical memleaks in error paths, since *to wasn't generally freed properly. Not thath it matters.
2017-07-10 05:31:47 +02:00
const char *dmname;
cryptsetup-generator: use remote-cryptsetup.target when _netdev is present This allows such devices to depend on the network. Their startup will be delayed similarly to network mount units. Fixes #4642.
2017-09-05 11:30:33 +02:00
bool noauto, nofail, tmp, swap, netdev;
cryptsetup: some fixes
2014-03-06 02:26:52 +01:00
int r;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
assert(name);
assert(device);
Support negated fstab options We would ignore options like "fail" and "auto", and for any option which takes a value the first assignment would win. Repeated and options equivalent to the default are rarely used, but they have been documented forever, and people might use them. Especially on the kernel command line it is easier to append a repeated or negated option at the end.
2015-01-11 06:04:00 +01:00
noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
cryptsetup-generator: remove duplicated function
2015-01-11 05:06:52 +01:00
tmp = fstab_test_option(options, "tmp\0");
swap = fstab_test_option(options, "swap\0");
cryptsetup-generator: use remote-cryptsetup.target when _netdev is present This allows such devices to depend on the network. Their startup will be delayed similarly to network mount units. Fixes #4642.
2017-09-05 11:30:33 +02:00
netdev = fstab_test_option(options, "_netdev\0");
cryptsetup-generator: don't create tmp+swap units
2013-08-15 02:47:59 +02:00
coccinelle: make use of SYNTHETIC_ERRNO Ideally, coccinelle would strip unnecessary braces too. But I do not see any option in coccinelle for this, so instead, I edited the patch text using search&replace to remove the braces. Unfortunately this is not fully automatic, in particular it didn't deal well with if-else-if-else blocks and ifdefs, so there is an increased likelikehood be some bugs in such spots. I also removed part of the patch that coccinelle generated for udev, where we returns -1 for failure. This should be fixed independently.
2018-11-20 23:40:44 +01:00
if (tmp && swap)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.",
name);
mount,crypto: rework meaning of noauto/nofail
2011-04-20 00:45:22 +02:00
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
name_escaped = specifier_escape(name);
if (!name_escaped)
return log_oom();
cryptsetup: some fixes
2014-03-06 02:26:52 +01:00
e = unit_name_escape(name);
if (!e)
return log_oom();
cryptsetup: a few simplifications
2012-05-21 17:22:36 +02:00
u = fstab_node_to_udev_node(device);
cryptsetup-generator: use _cleanup_ where possible
2013-03-08 10:50:33 +01:00
if (!u)
return log_oom();
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
generator: add helper function for writing unit files It doesn't save too much, but it's a common pattern so I think it's worth to factor this out.
2017-12-09 19:23:26 +01:00
r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
if (r < 0)
return log_error_errno(r, "Failed to generate unit name: %m");
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
u_escaped = specifier_escape(u);
if (!u_escaped)
return log_oom();
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
r = unit_name_from_path(u, ".device", &d);
if (r < 0)
return log_error_errno(r, "Failed to generate unit name: %m");
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup: small if check improvement (#7747) It's a bit weird to test these strings after the fact instead of before. Let's make sure that we don't even attempt the string escaping if the strings are NULL. Follow-up for #7688
2017-12-27 12:43:31 +01:00
if (password) {
password_escaped = specifier_escape(password);
if (!password_escaped)
return log_oom();
}
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
coccinelle: make use of SYNTHETIC_ERRNO Ideally, coccinelle would strip unnecessary braces too. But I do not see any option in coccinelle for this, so instead, I edited the patch text using search&replace to remove the braces. Unfortunately this is not fully automatic, in particular it didn't deal well with if-else-if-else blocks and ifdefs, so there is an increased likelikehood be some bugs in such spots. I also removed part of the patch that coccinelle generated for udev, where we returns -1 for failure. This should be fixed independently.
2018-11-20 23:40:44 +01:00
if (keydev && !password)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Key device is specified, but path to the password file is missing.");
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
generator: add helper function for writing unit files It doesn't save too much, but it's a common pattern so I think it's worth to factor this out.
2017-12-09 19:23:26 +01:00
r = generator_open_unit_file(arg_dest, NULL, n, &f);
if (r < 0)
return r;
tree-wide: use __fsetlocking() instead of fxyz_unlocked() Let's replace usage of fputc_unlocked() and friends by __fsetlocking(f, FSETLOCKING_BYCALLER). This turns off locking for the entire FILE*, instead of doing individual per-call decision whether to use normal calls or _unlocked() calls. This has various benefits: 1. It's easier to read and easier not to forget 2. It's more comprehensive, as fprintf() and friends are covered too (as these functions have no _unlocked() counterpart) 3. Philosophically, it's a bit more correct, because it's more a property of the file handle really whether we ever pass it on to another thread, not of the operations we then apply to it. This patch reworks all pieces of codes that so far used fxyz_unlocked() calls to use __fsetlocking() instead. It also reworks all places that use open_memstream(), i.e. use stdio FILE* for string manipulations. Note that this in some way a revert of 4b61c8751135c58be043d86b9fef4c8ec7aadf18.
2017-12-11 19:50:30 +01:00
cryptsetup-generator: use remote-cryptsetup.target when _netdev is present This allows such devices to depend on the network. Their startup will be delayed similarly to network mount units. Fixes #4642.
2017-09-05 11:30:33 +02:00
fprintf(f,
"[Unit]\n"
"Description=Cryptography Setup for %%I\n"
"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
"SourcePath=/etc/crypttab\n"
"DefaultDependencies=no\n"
"Conflicts=umount.target\n"
"IgnoreOnIsolate=true\n"
"After=%s\n",
units: replace remote-cryptsetup-pre.target with remote-fs-pre.target remote-cryptsetup-pre.target was designed as an active unit (that pulls in network-online.target), the opposite of remote-fs-pre.target (a passive unit, with individual provider services ordering itself before it and pulling it in, for example iscsi.service and nfs-client.target). To make remote-cryptsetup-pre.target really work, those services should be ordered before it too. But this would require updates to all those services, not just changes from systemd side. But the requirements for remote-fs-pre.target and remote-cryptset-pre.target are fairly similar (e.g. iscsi devices can certainly be used for both), so let's reuse remote-fs-pre.target also for remote cryptsetup units. This loses a bit of flexibility, but does away with the requirement for various provider services to know about remote-cryptsetup-pre.target.
2017-10-12 22:34:54 +02:00
netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
if (keydev) {
_cleanup_free_ char *unit = NULL, *p = NULL;
r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
if (r < 0)
return log_error_errno(r, "Failed to generate keydev mount unit: %m");
p = prefix_root(keydev_mount, password_escaped);
if (!p)
return log_oom();
free_and_replace(password_escaped, p);
}
mount,crypto: rework meaning of noauto/nofail
2011-04-20 00:45:22 +02:00
if (!nofail)
fprintf(f,
cryptsetup-generator: use remote-cryptsetup.target when _netdev is present This allows such devices to depend on the network. Their startup will be delayed similarly to network mount units. Fixes #4642.
2017-09-05 11:30:33 +02:00
"Before=%s\n",
netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
mount,crypto: rework meaning of noauto/nofail
2011-04-20 00:45:22 +02:00
cryptsetup: add RequiresMountsFor for keyfile This ensures that the keyfile is available during the opening of the encrypted device. Also dropped the explicit ordering Before=local-fs.target, as the containers are ordered implicitly by their content.
2013-03-29 23:01:12 +01:00
if (password) {
cryptsetup: use PATH_IN_SET() instead of STR_IN_SET() when comparing paths It's formally more correct.
2018-10-05 22:39:02 +02:00
if (PATH_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
tree-wide: use __fsetlocking() instead of fxyz_unlocked() Let's replace usage of fputc_unlocked() and friends by __fsetlocking(f, FSETLOCKING_BYCALLER). This turns off locking for the entire FILE*, instead of doing individual per-call decision whether to use normal calls or _unlocked() calls. This has various benefits: 1. It's easier to read and easier not to forget 2. It's more comprehensive, as fprintf() and friends are covered too (as these functions have no _unlocked() counterpart) 3. Philosophically, it's a bit more correct, because it's more a property of the file handle really whether we ever pass it on to another thread, not of the operations we then apply to it. This patch reworks all pieces of codes that so far used fxyz_unlocked() calls to use __fsetlocking() instead. It also reworks all places that use open_memstream(), i.e. use stdio FILE* for string manipulations. Note that this in some way a revert of 4b61c8751135c58be043d86b9fef4c8ec7aadf18.
2017-12-11 19:50:30 +01:00
fputs("After=systemd-random-seed.service\n", f);
cryptsetup-generator: add a helper utility to create symlinks It seems that there's a common pattern among the various generators. Let's add a helper function for it and make use of it in cryptsetup-generator. This fixes a bunch of theoretical memleaks in error paths, since *to wasn't generally freed properly. Not thath it matters.
2017-07-10 05:31:47 +02:00
else if (!STR_IN_SET(password, "-", "none")) {
cryptsetup: some fixes
2014-03-06 02:26:52 +01:00
_cleanup_free_ char *uu;
uu = fstab_node_to_udev_node(password);
if (!uu)
cryptsetup-generator: auto add deps for device as password If the password is a device file, we can add Requires/After dependencies on the device rather than requiring the user to do so.
2014-02-08 18:54:58 +01:00
return log_oom();
cryptsetup: don't add unit dependency on /dev/null devices when it is listed as password file As special magic, don't create device dependencies for /dev/null. Of course, there might be similar devices we might want to include, but given that none of them really make sense to specify as password source there's really no point in checking for anything else here. https://bugs.freedesktop.org/show_bug.cgi?id=75816
2014-06-23 19:18:44 +02:00
if (!path_equal(uu, "/dev/null")) {
cryptsetup: some fixes
2014-03-06 02:26:52 +01:00
6647 - use path_startswith("/dev") in cryptsetup (#6732) For both key and partition paths.
2017-09-04 15:36:52 +02:00
if (path_startswith(uu, "/dev/")) {
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
_cleanup_free_ char *dd = NULL;
cryptsetup-generator: auto add deps for device as password If the password is a device file, we can add Requires/After dependencies on the device rather than requiring the user to do so.
2014-02-08 18:54:58 +01:00
core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name
2015-04-30 20:21:00 +02:00
r = unit_name_from_path(uu, ".device", &dd);
if (r < 0)
return log_error_errno(r, "Failed to generate unit name: %m");
cryptsetup: don't add unit dependency on /dev/null devices when it is listed as password file As special magic, don't create device dependencies for /dev/null. Of course, there might be similar devices we might want to include, but given that none of them really make sense to specify as password source there's really no point in checking for anything else here. https://bugs.freedesktop.org/show_bug.cgi?id=75816
2014-06-23 19:18:44 +02:00
fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
} else
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
cryptsetup: don't add unit dependency on /dev/null devices when it is listed as password file As special magic, don't create device dependencies for /dev/null. Of course, there might be similar devices we might want to include, but given that none of them really make sense to specify as password source there's really no point in checking for anything else here. https://bugs.freedesktop.org/show_bug.cgi?id=75816
2014-06-23 19:18:44 +02:00
}
cryptsetup-generator: auto add deps for device as password If the password is a device file, we can add Requires/After dependencies on the device rather than requiring the user to do so.
2014-02-08 18:54:58 +01:00
}
cryptsetup: add RequiresMountsFor for keyfile This ensures that the keyfile is available during the opening of the encrypted device. Also dropped the explicit ordering Before=local-fs.target, as the containers are ordered implicitly by their content.
2013-03-29 23:01:12 +01:00
}
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
6647 - use path_startswith("/dev") in cryptsetup (#6732) For both key and partition paths.
2017-09-04 15:36:52 +02:00
if (path_startswith(u, "/dev/")) {
cryptsetup: RequiresMountsFor if source is a file Fixes: https://bugzilla.novell.com/show_bug.cgi?id=730496 https://bugs.freedesktop.org/show_bug.cgi?id=60821
2013-03-29 23:01:11 +01:00
fprintf(f,
"BindsTo=%s\n"
"After=%s\n"
"Before=umount.target\n",
d, d);
cryptsetup-generator: run cryptsetup service before swap unit (#5480) If the cryptsetup service unit and swap unit for a swap device are not strictly ordered, it might happen that the swap unit activates/mounts the swap device before its cryptsetup service unit has a chance to run the 'mkswap' command (that it is programmed to). This leads to the following error: Starting Cryptography Setup for sda3_crypt... [ OK ] Found device /dev/mapper/sda3_crypt. Activating swap /dev/mapper/sda3_crypt... [ OK ] Activated swap /dev/mapper/sda3_crypt. [ OK ] Reached target Swap. [FAILED] Failed to start Cryptography Setup for sda3_crypt. See 'systemctl status systemd-cryptsetup@sda3_crypt.service' for details. [DEPEND] Dependency failed for Encrypted Volumes. Which happens because the swap device is already mounted: # systemctl status systemd-cryptsetup@sda3_crypt.service <...> Active: failed (Result: exit-code) since Mon 2017-02-27 14:21:43 CST; 54s ago <...> <...> systemd[1]: Starting Cryptography Setup for sda3_crypt... <...> mkswap[2420]: mkswap: error: /dev/mapper/sda3_crypt is mounted; will not make swapspace <...> So, modify cryptsetup-generator to include a 'Before=' option for the respective 'dev-mapper-%i.swap' device in the cryptsetup service unit. Now, correct ordering is ensured, and the error no longer occurs: Starting Cryptography Setup for sda3_crypt... [ OK ] Found device /dev/mapper/sda3_crypt. [ OK ] Started Cryptography Setup for sda3_crypt. Activating swap /dev/mapper/sda3_crypt... [ OK ] Reached target Encrypted Volumes. [ OK ] Activated swap /dev/mapper/sda3_crypt. [ OK ] Reached target Swap.
2017-02-28 21:30:22 +01:00
if (swap)
tree-wide: use __fsetlocking() instead of fxyz_unlocked() Let's replace usage of fputc_unlocked() and friends by __fsetlocking(f, FSETLOCKING_BYCALLER). This turns off locking for the entire FILE*, instead of doing individual per-call decision whether to use normal calls or _unlocked() calls. This has various benefits: 1. It's easier to read and easier not to forget 2. It's more comprehensive, as fprintf() and friends are covered too (as these functions have no _unlocked() counterpart) 3. Philosophically, it's a bit more correct, because it's more a property of the file handle really whether we ever pass it on to another thread, not of the operations we then apply to it. This patch reworks all pieces of codes that so far used fxyz_unlocked() calls to use __fsetlocking() instead. It also reworks all places that use open_memstream(), i.e. use stdio FILE* for string manipulations. Note that this in some way a revert of 4b61c8751135c58be043d86b9fef4c8ec7aadf18.
2017-12-11 19:50:30 +01:00
fputs("Before=dev-mapper-%i.swap\n",
f);
cryptsetup-generator: run cryptsetup service before swap unit (#5480) If the cryptsetup service unit and swap unit for a swap device are not strictly ordered, it might happen that the swap unit activates/mounts the swap device before its cryptsetup service unit has a chance to run the 'mkswap' command (that it is programmed to). This leads to the following error: Starting Cryptography Setup for sda3_crypt... [ OK ] Found device /dev/mapper/sda3_crypt. Activating swap /dev/mapper/sda3_crypt... [ OK ] Activated swap /dev/mapper/sda3_crypt. [ OK ] Reached target Swap. [FAILED] Failed to start Cryptography Setup for sda3_crypt. See 'systemctl status systemd-cryptsetup@sda3_crypt.service' for details. [DEPEND] Dependency failed for Encrypted Volumes. Which happens because the swap device is already mounted: # systemctl status systemd-cryptsetup@sda3_crypt.service <...> Active: failed (Result: exit-code) since Mon 2017-02-27 14:21:43 CST; 54s ago <...> <...> systemd[1]: Starting Cryptography Setup for sda3_crypt... <...> mkswap[2420]: mkswap: error: /dev/mapper/sda3_crypt is mounted; will not make swapspace <...> So, modify cryptsetup-generator to include a 'Before=' option for the respective 'dev-mapper-%i.swap' device in the cryptsetup service unit. Now, correct ordering is ensured, and the error no longer occurs: Starting Cryptography Setup for sda3_crypt... [ OK ] Found device /dev/mapper/sda3_crypt. [ OK ] Started Cryptography Setup for sda3_crypt. Activating swap /dev/mapper/sda3_crypt... [ OK ] Reached target Encrypted Volumes. [ OK ] Activated swap /dev/mapper/sda3_crypt. [ OK ] Reached target Swap.
2017-02-28 21:30:22 +01:00
} else
cryptsetup: Add dependency on loopback setup to generated units For loopback volumes, the generated unit needs to depend on systemd-tmpfiles-setup-dev.service to ensure that loopback support is loaded. Fixes #9308
2018-06-26 19:41:30 +02:00
/* For loopback devices, add systemd-tmpfiles-setup-dev.service
dependency to ensure that loopback support is available in
the kernel (/dev/loop-control needs to exist) */
cryptsetup: RequiresMountsFor if source is a file Fixes: https://bugzilla.novell.com/show_bug.cgi?id=730496 https://bugs.freedesktop.org/show_bug.cgi?id=60821
2013-03-29 23:01:11 +01:00
fprintf(f,
cryptsetup: Add dependency on loopback setup to generated units For loopback volumes, the generated unit needs to depend on systemd-tmpfiles-setup-dev.service to ensure that loopback support is loaded. Fixes #9308
2018-06-26 19:41:30 +02:00
"RequiresMountsFor=%s\n"
"Requires=systemd-tmpfiles-setup-dev.service\n"
"After=systemd-tmpfiles-setup-dev.service\n",
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
u_escaped);
cryptsetup: allow x-systemd.device-timeout https://bugs.freedesktop.org/show_bug.cgi?id=54210
2014-07-01 00:41:17 +02:00
r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
if (r < 0)
return r;
cryptsetup: small if check improvement (#7747) It's a bit weird to test these strings after the fact instead of before. Let's make sure that we don't even attempt the string escaping if the strings are NULL. Follow-up for #7688
2017-12-27 12:43:31 +01:00
if (filtered) {
filtered_escaped = specifier_escape(filtered);
if (!filtered_escaped)
return log_oom();
}
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
fprintf(f,
"\n[Service]\n"
"Type=oneshot\n"
"RemainAfterExit=yes\n"
crypto: let the cryptsetup binary handles its own configurable timeouts
2011-04-14 02:36:02 +02:00
"TimeoutSec=0\n" /* the binary handles timeouts anyway */
cryptsetup: make sure we invoke the cryptsetup tools with a shared keyring We want that cryptsetup can cache keys between multiple invocations, and it does so via the root user's user keyring, hence let's share it among services. Replaces: #6286
2017-09-14 21:23:56 +02:00
"KeyringMode=shared\n" /* make sure we can share cached keys among instances */
cryptsetup-generator: set high OOM score for systemd-cryptsetup instances With new LUKS2 header format it is possible to use Argon2 key derivation function. This function is "memory-hard" hence keyslot unlocking can potentially use a lot of RAM as this increases resistance to massively parallel GPU based password cracking. However, when multiple systemd-cryptsetup binaries run at the same time it is very likely that system using Argon2 (e.g. Fedora 30) will encounter memory-pressure during early boot, following OOM killing spree. This patch aims to lower the damage done by OOM killer and sets OOMScore for systemd-cryptsetup units to 500. Hopefully OOM killer will then shoot us down and leave rest of the system services alone.
2019-03-27 09:27:21 +01:00
"OOMScoreAdjust=500\n" /* unlocking can allocate a lot of memory if Argon2 is used */
cryptsetup: support non-LUKS crypto partitions
2010-11-14 01:53:46 +01:00
"ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
cryptsetup: hook up tool with ask-password
2010-11-12 00:39:17 +01:00
"ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
name_escaped);
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: don't create tmp+swap units
2013-08-15 02:47:59 +02:00
if (tmp)
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
fprintf(f,
cryptsetup: add trailing \n
2011-04-13 22:22:10 +02:00
"ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
name_escaped);
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: don't create tmp+swap units
2013-08-15 02:47:59 +02:00
if (swap)
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
fprintf(f,
cryptsetup: add trailing \n
2011-04-13 22:22:10 +02:00
"ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
generators: be more careful when writing unit settings that support specifier expansion Let's always escape strings we receive from the user before writing them out to unit file settings that suppor specifier expansion, so that user strings are transported as-is.
2017-11-21 20:09:31 +01:00
name_escaped);
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
if (keydev)
fprintf(f,
"ExecStartPost=" UMOUNT_PATH " %s\n\n",
keydev_mount);
Use fflush_and_check() in more places
2015-05-17 00:11:12 +02:00
r = fflush_and_check(f);
if (r < 0)
generator: add helper function for writing unit files It doesn't save too much, but it's a common pattern so I think it's worth to factor this out.
2017-12-09 19:23:26 +01:00
return log_error_errno(r, "Failed to write unit file %s: %m", n);
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
mount,crypto: rework meaning of noauto/nofail
2011-04-20 00:45:22 +02:00
if (!noauto) {
cryptsetup-generator: use remote-cryptsetup.target when _netdev is present This allows such devices to depend on the network. Their startup will be delayed similarly to network mount units. Fixes #4642.
2017-09-05 11:30:33 +02:00
r = generator_add_symlink(arg_dest,
netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
cryptsetup-generator: add a helper utility to create symlinks It seems that there's a common pattern among the various generators. Let's add a helper function for it and make use of it in cryptsetup-generator. This fixes a bunch of theoretical memleaks in error paths, since *to wasn't generally freed properly. Not thath it matters.
2017-07-10 05:31:47 +02:00
nofail ? "wants" : "requires", n);
if (r < 0)
return r;
cryptsetup: a few simplifications
2012-05-21 17:22:36 +02:00
}
cryptsetup: automatically start cryptsetup when looking for mount source
2010-11-12 03:04:10 +01:00
cryptsetup-generator: add a helper utility to create symlinks It seems that there's a common pattern among the various generators. Let's add a helper function for it and make use of it in cryptsetup-generator. This fixes a bunch of theoretical memleaks in error paths, since *to wasn't generally freed properly. Not thath it matters.
2017-07-10 05:31:47 +02:00
dmname = strjoina("dev-mapper-", e, ".device");
r = generator_add_symlink(arg_dest, dmname, "requires", n);
if (r < 0)
return r;
cryptsetup: automatically start cryptsetup when looking for mount source
2010-11-12 03:04:10 +01:00
cryptsetup-generator: add JobTimeoutSec=0 for the decrypted crypt devices The password query for a crypto device currently times out after 90s, which is too short to grab a cup of coffee when a machine boots up. The resulting decrypted device /dev/mapper/luks-<uuid> might not be a mountpoint (but part of a LVM PV or raid array) and therefore the timeout cannot be controlled by the settings in /etc/fstab. For this reason this device should not carry its own timeout. Also the encrypted device /dev/disk/by-*/* already has a timeout and additionally the timeout for the password query is set in /etc/crypttab. This patch disables the timeout of the resulting decrypted devices by creating <device-unit>.d/50-job-timeout-sec-0.conf files with "JobTimeoutSec=0".
2013-03-01 15:13:43 +01:00
if (!noauto && !nofail) {
cryptsetup: Fix timeout on dm device. Fix a bug in systemd-cryptsetup-generator which caused the drop-in setting the job timeout for the dm device unit to be written with a name different than the unit name. https://bugs.freedesktop.org/show_bug.cgi?id=84409
2014-09-28 03:05:41 +02:00
r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
cryptsetup: allow x-systemd.device-timeout https://bugs.freedesktop.org/show_bug.cgi?id=54210
2014-07-01 00:41:17 +02:00
"# Automatically generated by systemd-cryptsetup-generator \n\n"
"[Unit]\nJobTimeoutSec=0");
treewide: more log_*_errno + return simplifications
2014-11-28 18:23:20 +01:00
if (r < 0)
return log_error_errno(r, "Failed to write device drop-in: %m");
cryptsetup-generator: add JobTimeoutSec=0 for the decrypted crypt devices The password query for a crypto device currently times out after 90s, which is too short to grab a cup of coffee when a machine boots up. The resulting decrypted device /dev/mapper/luks-<uuid> might not be a mountpoint (but part of a LVM PV or raid array) and therefore the timeout cannot be controlled by the settings in /etc/fstab. For this reason this device should not carry its own timeout. Also the encrypted device /dev/disk/by-*/* already has a timeout and additionally the timeout for the password query is set in /etc/crypttab. This patch disables the timeout of the resulting decrypted devices by creating <device-unit>.d/50-job-timeout-sec-0.conf files with "JobTimeoutSec=0".
2013-03-01 15:13:43 +01:00
}
cryptsetup-generator: use _cleanup_ where possible
2013-03-08 10:50:33 +01:00
return 0;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
}
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
static crypto_device* crypt_device_free(crypto_device *d) {
if (!d)
return NULL;
cryptsetup-generator: add helper function and use hashmap_free_with_destructor
2017-11-28 12:37:51 +01:00
free(d->uuid);
free(d->keyfile);
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
free(d->keydev);
cryptsetup-generator: add helper function and use hashmap_free_with_destructor
2017-11-28 12:37:51 +01:00
free(d->name);
free(d->options);
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
return mfree(d);
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
}
static crypto_device *get_crypto_device(const char *uuid) {
int r;
crypto_device *d;
assert(uuid);
d = hashmap_get(arg_disks, uuid);
if (!d) {
d = new0(struct crypto_device, 1);
if (!d)
return NULL;
d->create = false;
cryptsetup-generator: Add support for naming luks devices on kernel cmdline
2014-12-02 18:49:30 +01:00
d->keyfile = d->options = d->name = NULL;
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
d->uuid = strdup(uuid);
tree-wide: use mfree more
2016-10-17 00:28:30 +02:00
if (!d->uuid)
return mfree(d);
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
r = hashmap_put(arg_disks, d->uuid, d);
if (r < 0) {
free(d->uuid);
tree-wide: use mfree more
2016-10-17 00:28:30 +02:00
return mfree(d);
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
}
}
return d;
}
tree-wide: allow state to be passed through to parse_proc_cmdline_item No functional change.
2016-10-22 20:24:52 +02:00
static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
_cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
crypto_device *d;
int r;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
if (streq(key, "luks")) {
util: move more intellegince into parse_proc_cmdline() Already split variable assignments before invoking the callback. And drop "rd." settings if we are not in an initrd.
2014-03-06 17:05:55 +01:00
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
r = value ? parse_boolean(value) : 1;
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
if (r < 0)
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
else
arg_enabled = r;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
} else if (streq(key, "luks.crypttab")) {
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
r = value ? parse_boolean(value) : 1;
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
if (r < 0)
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
else
arg_read_crypttab = r;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
} else if (streq(key, "luks.uuid")) {
if (proc_cmdline_value_missing(key, value))
return 0;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
if (!d)
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
return log_oom();
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
d->create = arg_whitelist = true;
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
} else if (streq(key, "luks.options")) {
if (proc_cmdline_value_missing(key, value))
return 0;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
if (r == 2) {
d = get_crypto_device(uuid);
if (!d)
return log_oom();
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
free_and_replace(d->options, uuid_value);
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
} else if (free_and_strdup(&arg_default_options, value) < 0)
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
return log_oom();
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
} else if (streq(key, "luks.key")) {
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
size_t n;
_cleanup_free_ char *keyfile = NULL, *keydev = NULL;
char *c;
const char *keyspec;
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
if (proc_cmdline_value_missing(key, value))
return 0;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
n = strspn(value, LETTERS DIGITS "-");
if (value[n] != '=') {
if (free_and_strdup(&arg_default_keyfile, value) < 0)
return log_oom();
return 0;
}
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
uuid = strndup(value, n);
if (!uuid)
return log_oom();
cryptsetup-generator: Add support for UUID-specific key files on kernel command line
2014-12-02 18:49:29 +01:00
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
if (!id128_is_valid(uuid)) {
log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
return 0;
}
d = get_crypto_device(uuid);
if (!d)
return log_oom();
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
keyspec = value + n + 1;
c = strrchr(keyspec, ':');
if (c) {
*c = '\0';
keyfile = strdup(keyspec);
keydev = strdup(c + 1);
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
if (!keyfile || !keydev)
return log_oom();
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
} else {
/* No keydev specified */
keyfile = strdup(keyspec);
if (!keyfile)
return log_oom();
}
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
cryptsetup-generator: allow whitespace characters in keydev specification For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't work, because we truncated label at the first whitespace character, i.e. LABEL="KEYFILE".
2018-09-04 20:03:34 +02:00
free_and_replace(d->keyfile, keyfile);
free_and_replace(d->keydev, keydev);
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
} else if (streq(key, "luks.name")) {
if (proc_cmdline_value_missing(key, value))
return 0;
cryptsetup-generator: Add support for naming luks devices on kernel cmdline
2014-12-02 18:49:30 +01:00
r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
if (r == 2) {
d = get_crypto_device(uuid);
if (!d)
return log_oom();
d->create = arg_whitelist = true;
Replace free and reassignment with free_and_replace
2017-11-24 11:33:41 +01:00
free_and_replace(d->name, uuid_value);
cryptsetup-generator: Add support for naming luks devices on kernel cmdline
2014-12-02 18:49:30 +01:00
} else
log_warning("Failed to parse luks name switch %s. Ignoring.", value);
stop complaining about unknown kernel cmdline options Also stop warning about unknown kernel cmdline options in the various tools, not just in PID 1
2014-06-19 16:55:20 +02:00
}
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: use _cleanup_ where possible
2013-03-08 10:50:33 +01:00
return 0;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
}
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
static int add_crypttab_devices(void) {
move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18 09:11:22 +02:00
_cleanup_fclose_ FILE *f = NULL;
cryptsetup-generator: fgets() excorcism
2018-10-18 13:34:40 +02:00
unsigned crypttab_line = 0;
struct stat st;
int r;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (!arg_read_crypttab)
return 0;
Add fopen_unlocked() wrapper
2019-04-04 10:17:16 +02:00
r = fopen_unlocked("/etc/crypttab", "re", &f);
if (r < 0) {
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (errno != ENOENT)
log_error_errno(errno, "Failed to open /etc/crypttab: %m");
return 0;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
}
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (fstat(fileno(f), &st) < 0) {
log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
return 0;
}
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
for (;;) {
cryptsetup-generator: fgets() excorcism
2018-10-18 13:34:40 +02:00
_cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
crypto_device *d = NULL;
cryptsetup-generator: fgets() excorcism
2018-10-18 13:34:40 +02:00
char *l, *uuid;
int k;
umask: change default umask to 0022 just to be sure, and set it explicitly in all binaries, in order to make sure it is set when started from the terminal
2011-08-01 20:52:18 +02:00
cryptsetup-generator: fgets() excorcism
2018-10-18 13:34:40 +02:00
r = read_line(f, LONG_LINE_MAX, &line);
if (r < 0)
return log_error_errno(r, "Failed to read /etc/crypttab: %m");
if (r == 0)
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
break;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
crypttab_line++;
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
l = strstrip(line);
cryptsetup-generator: fgets() excorcism
2018-10-18 13:34:40 +02:00
if (IN_SET(l[0], 0, '#'))
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
continue;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
if (k < 2 || k > 4) {
log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
continue;
}
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
tree-wide: port various places over to STARTSWITH_SET()
2018-11-23 16:30:23 +01:00
uuid = STARTSWITH_SET(device, "UUID=", "luks-");
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (!uuid)
uuid = path_startswith(device, "/dev/disk/by-uuid/");
if (uuid)
d = hashmap_get(arg_disks, uuid);
cryptsetup: warn if /etc/crypttab is world-readable
2013-04-30 00:48:03 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (arg_whitelist && !d) {
log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
continue;
cryptsetup: warn if /etc/crypttab is world-readable
2013-04-30 00:48:03 +02:00
}
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (r < 0)
return r;
cryptsetup: warn if /etc/crypttab is world-readable
2013-04-30 00:48:03 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (d)
d->create = false;
}
cryptsetup: warn if /etc/crypttab is world-readable
2013-04-30 00:48:03 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
return 0;
}
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
static int add_proc_cmdline_devices(void) {
int r;
Iterator i;
crypto_device *d;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
HASHMAP_FOREACH(d, arg_disks, i) {
const char *options;
cryptsetup-generator: Add support for naming luks devices on kernel cmdline
2014-12-02 18:49:30 +01:00
_cleanup_free_ char *device = NULL;
cryptsetup: allow configuration of LUKS disks via the kernel cmdline This generalizes a bit of the functionality already available in dracut.
2012-06-22 10:11:06 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (!d->create)
continue;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: Add support for naming luks devices on kernel cmdline
2014-12-02 18:49:30 +01:00
if (!d->name) {
d->name = strappend("luks-", d->uuid);
if (!d->name)
return log_oom();
}
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
device = strappend("UUID=", d->uuid);
if (!device)
return log_oom();
cryptsetup-generator: allow specifying options in /proc/cmdline The main usecase for this is to make it possible to use cryptsetup in the initrd without it having to include a host-specific /etc/crypttab. Tested-by: Thomas Bächler <thomas@archlinux.org>
2013-08-18 08:59:00 +02:00
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (d->options)
options = d->options;
else if (arg_default_options)
options = arg_default_options;
else
options = "timeout=0";
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
cryptsetup-generator: introduce basic keydev support Dracut has a support for unlocking encrypted drives with keyfile stored on the external drive. This support is included in the generated initrd only if systemd module is not included. When systemd is used in initrd then attachment of encrypted drives is handled by systemd-cryptsetup tools. Our generator has support for keyfile, however, it didn't support keyfile on the external block device (keydev). This commit introduces basic keydev support. Keydev can be specified per luks.uuid on the kernel command line. Keydev is automatically mounted during boot and we look for keyfile in the keydev mountpoint (i.e. keyfile path is prefixed with the keydev mount point path). After crypt device is attached we automatically unmount where keyfile resides. Example: rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
2018-08-30 10:45:11 +02:00
r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
if (r < 0)
return r;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
}
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
return 0;
}
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(crypt_device_hash_ops, char, string_hash_func, string_compare_func,
crypto_device, crypt_device_free);
generators: define custom main func definer and use it where applicable There should be no functional difference, except that the error message is changd from "three or no arguments" to "zero or three arguments". Somehow the inverted form always seemed strange. umask() call is also dropped from run-generator. I think it wasn't dropped in 053254e3cb215df3b8c905bc39b920f8817e1c7d because the run generator was merged around the same time.
2018-12-04 11:49:42 +01:00
static int run(const char *dest, const char *dest_early, const char *dest_late) {
cryptsetup: various coding style improvements No functional changes.
2016-12-16 13:15:31 +01:00
int r;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
generators: define custom main func definer and use it where applicable There should be no functional difference, except that the error message is changd from "three or no arguments" to "zero or three arguments". Somehow the inverted form always seemed strange. umask() call is also dropped from run-generator. I think it wasn't dropped in 053254e3cb215df3b8c905bc39b920f8817e1c7d because the run generator was merged around the same time.
2018-12-04 11:49:42 +01:00
assert_se(arg_dest = dest);
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
arg_disks = hashmap_new(&crypt_device_hash_ops);
if (!arg_disks)
return log_oom();
cryptsetup-generator: allow specifying options in /proc/cmdline The main usecase for this is to make it possible to use cryptsetup in the initrd without it having to include a host-specific /etc/crypttab. Tested-by: Thomas Bächler <thomas@archlinux.org>
2013-08-18 08:59:00 +02:00
util-lib: various improvements to kernel command line parsing This improves kernel command line parsing in a number of ways: a) An kernel option "foo_bar=xyz" is now considered equivalent to "foo-bar-xyz", i.e. when comparing kernel command line option names "-" and "_" are now considered equivalent (this only applies to the option names though, not the option values!). Most of our kernel options used "-" as word separator in kernel command line options so far, but some used "_". With this change, which was a source of confusion for users (well, at least of one user: myself, I just couldn't remember that it's systemd.debug-shell, not systemd.debug_shell). Considering both as equivalent is inspired how modern kernel module loading normalizes all kernel module names to use underscores now too. b) All options previously using a dash for separating words in kernel command line options now use an underscore instead, in all documentation and in code. Since a) has been implemented this should not create any compatibility problems, but normalizes our documentation and our code. c) All kernel command line options which take booleans (or are boolean-like) have been reworked so that "foobar" (without argument) is now equivalent to "foobar=1" (but not "foobar=0"), thus normalizing the handling of our boolean arguments. Specifically this means systemd.debug-shell and systemd_debug_shell=1 are now entirely equivalent. d) All kernel command line options which take an argument, and where no argument is specified will now result in a log message. e.g. passing just "systemd.unit" will no result in a complain that it needs an argument. This is implemented in the proc_cmdline_missing_value() function. e) There's now a call proc_cmdline_get_bool() similar to proc_cmdline_get_key() that parses booleans (following the logic explained in c). f) The proc_cmdline_parse() call's boolean argument has been replaced by a new flags argument that takes a common set of bits with proc_cmdline_get_key(). g) All kernel command line APIs now begin with the same "proc_cmdline_" prefix. h) There are now tests for much of this. Yay!
2016-12-12 18:29:15 +01:00
r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
if (r < 0)
return log_warning_errno(r, "Failed to parse kernel command line: %m");
cryptsetup-generator: allow specifying options in /proc/cmdline The main usecase for this is to make it possible to use cryptsetup in the initrd without it having to include a host-specific /etc/crypttab. Tested-by: Thomas Bächler <thomas@archlinux.org>
2013-08-18 08:59:00 +02:00
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
if (!arg_enabled)
return 0;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
cryptsetup: various coding style improvements No functional changes.
2016-12-16 13:15:31 +01:00
r = add_crypttab_devices();
if (r < 0)
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
return r;
cryptsetup-generator: Split main() into more functions and use hasmaps
2014-12-02 18:49:28 +01:00
cryptsetup: various coding style improvements No functional changes.
2016-12-16 13:15:31 +01:00
r = add_proc_cmdline_devices();
if (r < 0)
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
return r;
Extract looping over /proc/cmdline into a shared function In cryptsetup-generator automatic cleanup had to be replaced with manual cleanup, and the code gets a bit longer. But existing code had the issue that it returned negative values from main(), which was wrong, so should be reworked anyway.
2014-02-16 00:08:59 +01:00
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
return 0;
cryptsetup: minimal cryptsetup unit generator
2010-11-08 05:02:45 +01:00
}
cryptsetup-generator: define main through macro
2018-11-25 16:19:08 +01:00
generators: define custom main func definer and use it where applicable There should be no functional difference, except that the error message is changd from "three or no arguments" to "zero or three arguments". Somehow the inverted form always seemed strange. umask() call is also dropped from run-generator. I think it wasn't dropped in 053254e3cb215df3b8c905bc39b920f8817e1c7d because the run generator was merged around the same time.
2018-12-04 11:49:42 +01:00
DEFINE_MAIN_GENERATOR_FUNCTION(run);
Reference in a new issue Copy permalink