/*
* cryptinit 1.0.2 - setup encrypted root/swap system using LUKS
*
* Copyright (C) 2009 Waldemar Brodkorb <mail@waldemar-brodkorb.de>
* Copyright (C) 2008 Phil Sutter <phil@nwl.cc>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* strongly based on ideas and work from Phil Sutter
* http://nwl.cc/cgi-bin/git/gitweb.cgi?p=initramfs-init.git;a=summary
* - used with cryptsetup 1.0.6 (needs a small cryptsetup-patch)
* - see comment at the end of file for a useful initramfs filelist
* - compile and link with following commands to get a static init
* gcc -Wall -c -o init.o cryptinit.c
* libtool --mode=link --tag=CC gcc -all-static -o init init.o \
* /usr/lib/libcryptsetup.la
*/
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <libcryptsetup.h>
#include <sys/mount.h>
#include <sys/reboot.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#define HOSTNAME "linux"
#define DOMAINNAME "foo.bar"
#define CRYPT_SWAP_DEV "/dev/sda3"
#define CRYPT_SWAP_NAME "swap"
#define CRYPT_ROOT_DEV "/dev/sda2"
#define CRYPT_ROOT_NAME "root"
#define PROCPATH "/proc"
#define SYSPATH "/sys"
#define PROCFS "proc"
#define SYSFS "sysfs"
#define DEF_KERN_CONS "/dev/console"
#define DEF_KERN_SWAP "/dev/mapper/swap"
#define DEF_KERN_ROOT_SRC "/dev/mapper/root"
#define DEF_KERN_ROOT_TGT "/mnt"
#define DEF_KERN_ROOT_FS "xfs"
#define DEF_KERN_INIT "/init"
#ifndef MS_MOVE
#define MS_MOVE 8192
#endif
/* a structure for holding options to mount() a device */
struct mntopts {
char *source;
char *target;
char *fstype;
unsigned long flags;
};
/* a structure for holding kernel boot parameters */
struct commandline {
struct mntopts root;
char *init;
char *resume;
ushort do_resume;
ushort debug;
};
struct commandline cmdline;
void debug_printf(const char *format, ...) {
va_list params;
if(cmdline.debug) {
va_start(params, format);
vprintf(format, params);
va_end(params);
}
}
void debug_msg(const char *s) {
if(cmdline.debug)
fputs(s, stderr);
}
void log_msg(const char *s) {
fputs(s, stdout);
}
/* logging function from cryptsetup library */
static void cmdLineLog(int class, char *msg) {
switch(class) {
case CRYPT_LOG_NORMAL:
debug_msg(msg);
break;
case CRYPT_LOG_ERROR:
debug_msg(msg);
break;
default:
fprintf(stderr, "Internal error for msg: %s", msg);
break;
}
}
int switch_root(char *console, char *newroot, char *init) {
if (chdir(newroot)) {
fprintf(stderr,"bad newroot %s\n",newroot);
return 1;
}
/* Overmount / with newdir and chroot into it. The chdir is needed to
* recalculate "." and ".." links. */
if (mount(".", "/", NULL, MS_MOVE, NULL) || chroot(".") || chdir("/")) {
fprintf(stderr,"switch_root: error moving root\n");
return 2;
}
/* If a new console specified, redirect stdin/stdout/stderr to that. */
if (console) {
close(0);
if(open(console, O_RDWR) < 0) {
fprintf(stderr,"Bad console '%s'\n",console);
return 4;
}
dup2(0, 1);
dup2(0, 2);
}
log_msg("Starting Linux from encrypted root disk\n");
/* Exec real init. (This is why we must be pid 1.) */
execl(init, init, (char *)NULL);
fprintf(stderr,"Bad init '%s'\n",init);
return 3;
}
char *read_cmdline(void) {
FILE *fp;
int linelen, i;
char *str;
if((fp=fopen("/proc/cmdline","r")) == NULL) {
perror("fopen()");
return NULL;
}
linelen = 10;
str = calloc(linelen, sizeof(char));
for(i=0;(str[i]=fgetc(fp)) != EOF; i++) {
if(i>linelen-1) {
linelen += 10;
if((str=realloc(str, linelen)) == NULL) {
perror("realloc()");
return NULL;
}
}
}
str[i-1] = '\0'; /* substitutes \n for \0 */
fclose(fp);
return str;
}
int parse_cmdline(char *line) {
int tmpnum;
char *tmpstr, *lstr, *rstr, *idx;
char *invchars[1];
tmpstr = strtok(line, " ");
do {
if((idx=strchr(tmpstr, '=')) != NULL) {
rstr = idx + 1;
idx = '\0';
lstr = tmpstr;
if(!strncmp(lstr, "rootfstype", 10)) {
cmdline.root.fstype = rstr;
} else if(!strncmp(lstr, "root", 4)) {
cmdline.root.source = rstr;
} else if(!strncmp(lstr, "init", 4)) {
cmdline.init = rstr;
} else if(!strncmp(lstr, "resume", 6)) {
cmdline.resume = rstr;
}
} else if(!strncmp(tmpstr, "noresume", 8)) {
cmdline.do_resume = 0;
} else if(!strncmp(tmpstr, "debug", 5)) {
cmdline.debug=1;
} else {
if(cmdline.debug)
printf("unknown bootparam flag %s\n",tmpstr);
}
} while((tmpstr = strtok(NULL, " ")) != NULL);
debug_printf("\n Bootparams scanned:\n");
debug_printf("root\t%s\nrootfstype\t%s\ninit\t%s\nresume\t%s\ndo_resume\t%i\n",
cmdline.root.source,cmdline.root.fstype,cmdline.init,cmdline.resume,cmdline.do_resume);
debug_printf("debug\t%i\n\n",
cmdline.debug);
return 0;
}
int get_cmdline() {
char *str;
/* first set some useful defaults */
cmdline.root.source = DEF_KERN_ROOT_SRC;
cmdline.root.target = DEF_KERN_ROOT_TGT;
cmdline.root.fstype = DEF_KERN_ROOT_FS;
cmdline.root.flags = MS_RDONLY;
cmdline.init = DEF_KERN_INIT;
cmdline.resume = DEF_KERN_SWAP;
cmdline.do_resume = 1;
cmdline.debug = 0;
/* read out cmdline from /proc */
str = read_cmdline();
/* parse the cmdline */
if(parse_cmdline(str))
return -1;
return 0;
}
void kmsg_log(int level) {
FILE *fd;
debug_msg("Finetune kernel log\n");
if((fd = fopen("/proc/sys/kernel/printk", "r+")) == NULL) {
perror("fopen()");
return;
}
fprintf(fd, "%d", level);
fclose(fd);
}
void do_resume(void) {
FILE *fd;
debug_msg("Trying to resume\n");
if((fd = fopen("/sys/power/resume", "a")) == NULL) {
return;
}
fprintf(fd, "254:0\n");
fclose(fd);
}
void do_halt(void) {
int pid;
/* run sync just to be sure */
sync();
/* fork to prevent a kernel panic while killing init */
if((pid=fork()) == 0) {
reboot(0x4321fedc);
_exit(0);
}
waitpid(pid, NULL, 0);
}
int do_mount(struct mntopts o) {
debug_printf("do_mount: mounting %s with fstype %s\n", o.source, o.fstype);
if(mount(o.source, o.target, o.fstype, o.flags, NULL)) {
perror("mount()");
debug_printf("do_mount: mounting %s with fstype %s\n failed", o.source, o.fstype);
return errno;
}
return 0;
}
int main(void) {
char errormsg[100];
int i;
int wrongpass;
char *pass;
struct utsname info;
int ret;
const char hostname[20] = HOSTNAME;
const char domainname[20] = DOMAINNAME;
struct crypt_options options;
struct interface_callbacks cmd_icb;
struct mntopts mopts[2] = {
{ "proc", PROCPATH, PROCFS, 0 },
{ "sysfs", SYSPATH, SYSFS, 0 }
};
/* need to set callback functions, log is required */
cmd_icb.yesDialog = NULL;
cmd_icb.log = cmdLineLog;
/* first try to mount needed virtual filesystems */
if(do_mount(mopts[0]) || do_mount(mopts[1])) {
fprintf(stderr, "Error mounting %s and %s\n",
PROCPATH, SYSPATH);
exit(errno);
}
/* get kernel command line */
if(get_cmdline() == -1) {
fprintf(stderr, "Failed to parse kernel commandline\n");
exit(errno);
}
/* keep kernel quiet while asking for password */
kmsg_log(0);
/* first unlock swap partition for resume */
memset(&options, 0, sizeof(struct crypt_options));
options.name = CRYPT_SWAP_NAME;
options.device = CRYPT_SWAP_DEV;
options.icb = &cmd_icb;
ret = uname(&info);
if (ret < 0)
fprintf(stderr, "Error calling uname function\n");
/* security by obscurity */
printf("This is %s.%s (Linux %s %s)\n", hostname, domainname, info.machine, info.release);
printf("%s login: ", hostname);
fflush(stdout);
while(getchar() != '\n');
/* unlock swap */
debug_msg("Unlocking Swap\n");
for(i=0; i<3; i++) {
/* ask user for password */
if((pass=getpass("Password: ")) == NULL) {
perror("getpass()");
return errno;
}
options.passphrase = pass;
/* try to unlock swap */
if((wrongpass=crypt_luksOpen(&options))) {
printf("Login incorrect\n");
crypt_get_error(errormsg, 99);
debug_printf("Error: %s\n", errormsg);
} else { /* success */
if(i > 0)
fprintf(stderr, "%i incorrect attempts\n",i);
break;
}
}
if(wrongpass) {
fprintf(stderr, "Panic - you are not allowed!\n");
sleep(3);
do_halt();
}
/* try to resume here */
if(cmdline.do_resume) {
debug_msg("Trying to resume from swap\n");
do_resume();
debug_msg("Resume failed, starting normal boot\n");
}
/* resume returned, starting normal boot */
options.name = CRYPT_ROOT_NAME;
options.device = CRYPT_ROOT_DEV;
/* unlock root device */
debug_msg("Unlocking Root\n");
if(crypt_luksOpen(&options)) {
perror("crypt_luksOpen()");
crypt_get_error(errormsg, 99);
debug_printf("Error: %s\n", errormsg);
}
/* mount root filesystem */
if(do_mount(cmdline.root)) {
puts("Error mounting root");
exit(errno);
}
kmsg_log(6);
/* no need for /sys anymore */
debug_msg("Unmounting /sys\n");
if(umount("/sys"))
perror("umount()");
/* no need for /proc anymore */
debug_msg("Unmounting /proc\n");
if(umount("/proc"))
perror("umount()");
/* remove password from RAM */
memset(pass, 0, strlen(pass)*sizeof(char));
debug_msg("Switching root\n");
switch_root(DEF_KERN_CONS, cmdline.root.target, cmdline.init);
return(0);
}
/*
example initramfs file list:
dir /dev 755 0 0
dir /dev/mapper 755 0 0
dir /proc 755 0 0
dir /sys 755 0 0
dir /mnt 755 0 0
nod /dev/console 644 0 0 c 5 1
nod /dev/tty 660 0 0 c 5 0
nod /dev/tty0 600 0 0 c 4 0
nod /dev/sda 644 0 0 b 8 0
nod /dev/sda1 644 0 0 b 8 1
nod /dev/sda2 644 0 0 b 8 2
nod /dev/sda3 644 0 0 b 8 3
nod /dev/sda4 644 0 0 b 8 4
nod /dev/null 644 0 0 c 1 3
nod /dev/mapper/control 644 0 0 c 10 62
nod /dev/urandom 644 0 0 c 1 9
file /init /usr/src/init 755 0 0
cryptsetup patch:
Index: lib/setup.c
===================================================================
--- lib/setup.c (revision 40)
+++ lib/setup.c (working copy)
@@ -538,10 +538,17 @@
start:
mk=NULL;
- if(get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->key_file, options->passphrase_fd, options->timeout, options->flags))
- tries--;
- else
- tries = 0;
+ if(options->passphrase) {
+ password = NULL;
+ password = safe_alloc(512);
+ strcpy(password, options->passphrase);
+ passwordLen = strlen(password);
+ } else {
+ if(get_key("Enter LUKS passphrase: ",&password,&passwordLen, 0, options->key_file, options->passphrase_fd, options->timeout, options->flags))
+ tries--;
+ else
+ tries = 0;
+ }
if(!password) {
r = -EINVAL; goto out;
*/