author | pjd <pjd@FreeBSD.org> | 2005-08-14 18:02:22 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2005-08-14 18:02:22 +0000 |
commit | a2b7d697913d661fda3cdf89df1b40035f6c116a (patch) | |
tree | 85e2934f5d33797f65e52eef52a990ff180d2d5d | |
parent | 4c42e011b4355b63d51ade3c0d027dde76715566 (diff) | |
download | FreeBSD-src-a2b7d697913d661fda3cdf89df1b40035f6c116a.zip FreeBSD-src-a2b7d697913d661fda3cdf89df1b40035f6c116a.tar.gz |
Add scripts for GELI device configuration on boot.
rc.d/geli - configures encryption (ask for passphrases, etc.);
rc.d/geli2 - is called after file systems are mounted and marks devices for
detach on last close.
Sponsored by: Wheel Sp. z o.o.
http://www.wheel.pl
MFC after: 3 days
-rw-r--r-- | etc/defaults/rc.conf | 18 | ||||
-rw-r--r-- | etc/rc.d/geli | 98 | ||||
-rw-r--r-- | etc/rc.d/geli2 | 58 | ||||
-rw-r--r-- | etc/rc.subr | 34 | ||||
-rw-r--r-- | share/man/man5/rc.conf.5 | 29 |
5 files changed, 236 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index e9d86e4..e56ac85 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -59,7 +59,23 @@ gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
 gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
 gbde_lockdir="/etc" # Where to look for gbde lockfiles
-geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted swap partitions.
+# GELI disk encryption configuration.
+geli_devices="" # List of devices to automatically attach in addition to
+ # GELI devices listed in /etc/fstab.
+geli_tries="" # Number of times to attempt attaching geli device.
+ # If empty, kern.geom.eli.tries will be used.
+geli_default_flags="" # Default flags for geli(8).
+geli_autodetach="YES" # Automatically detach on last close.
+ # Providers are marked as such when all file systems are
+ # mounted.
+# Example use.
+#geli_devices="da1 mirror/home"
+#geli_da1_flags="-p -k /etc/geli/da1.keys"
+#geli_da1_autodetach="NO"
+#geli_mirror_home_flags="-k /etc/geli/home.keys"
+
+geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted
+ # swap partitions.
 root_rw_mount="YES" # Set to NO to inhibit remounting root read-write.
 fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.
diff --git a/etc/rc.d/geli b/etc/rc.d/geli
new file mode 100644
index 0000000..913301a
--- /dev/null
+++ b/etc/rc.d/geli
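Review bot: The example `#geli_da1_flags="-p -k /etc/geli/da1.keys"` attaches da1 from a keyfile alone (`-p` drops the passphrase component in geli(8)), so the entire secret for that disk is a plain file on the root file system, and nothing in the surrounding comments warns that the root disk then becomes part of the trust boundary or that the keyfile must be kept unreadable to anyone but root. Since this block is what most people will copy, a one-line caveat next to the examples is cheap: `# NOTE: with -p the keyfile is the only secret; keep it mode 0600 and remember that anyone who can read the root disk can open the device.` The `geli_tries` comment also says "attempt attaching" while the manual page in this commit describes it as the number of passphrase prompts; `# Number of times to attempt attaching (i.e. passphrase prompts) per device.` would keep the two in step.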
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: disks
+# REQUIRE: initrandom
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli"
+start_cmd="geli_start"
+stop_cmd="geli_stop"
+
+geli_start()
+{
+ devices=`geli_make_list`
+
+ # If there are no devices return before loading geom_eli.ko.
+ if [ -z "${devices}" ]; then
+ return
+ fi
+
+ geli load >/dev/null 2>&1
+ if ! kldstat -v | grep -q g_eli\$; then
+ err 1 'geom_eli module failed to load.'
+ fi
+
+ if [ -z "${geli_tries}" ]; then
+ if [ -n "${geli_attach_attempts}" ]; then
+ # Compatibility with rc.d/gbde.
+ geli_tries=${geli_attach_attempts}
+ else
+ geli_tries=`${SYSCTL_N} kern.geom.eli.tries`
+ fi
+ fi
+
+ for provider in ${devices}; do
+ provider_=`ltr ${provider} '/' '_'`
+
+ eval "flags=\${geli_${provider_}_flags}"
+ if [ -z "${flags}" ]; then
+ flags=${geli_default_flags}
+ fi
+ if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
+ echo "Configuring Disk Encryption for ${provider}."
+ count=1
+ while [ ${count} -le ${geli_tries} ]; do
+ geli attach ${flags} ${provider}
+ if [ -e "/dev/${provider}.eli" ]; then
+ break
+ fi
+ echo "Attach failed; attempt ${count} of ${geli_tries}."
+ count=$((count+1))
+ done
+ fi
+ done
+}
+
+geli_stop()
+{
+ devices=`geli_make_list`
+
+ for provider in ${devices}; do
+ if [ -e "/dev/${provider}.eli" ]; then
+ umount "/dev/${provider}.eli" 2>/dev/null
+ geli detach "${provider}"
+ fi
+ done
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/etc/rc.d/geli2 b/etc/rc.d/geli2
new file mode 100644
index 0000000..a7802b3
--- /dev/null
+++ b/etc/rc.d/geli2
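Review bot: The per-device lookup `eval "flags=\${geli_${provider_}_flags}"` in geli_start builds a variable name from the provider name after `ltr` has mapped only `/` to `_`, so any other character that is not valid in a shell identifier lands inside the eval: a dash turns `${geli_foo-bar_flags}` into a `${var-default}` expansion that quietly yields the literal string `bar_flags` as the attach flags, and a dot or other punctuation is a "bad substitution" error. The names come from root-owned fstab and rc.conf, so this is robustness rather than injection, but labels with dashes are not exotic. If `ltr` accepts a set of characters as its second argument, `provider_=\`ltr ${provider} '/-.' '_'\`` covers the common cases (rc.d/geli2 does the same lookup and would need the same change); otherwise the name should at least be validated before it is fed to eval. Separately, `geli_tries` is used unchecked in `[ ${count} -le ${geli_tries} ]`: if the sysctl read yields an empty or non-numeric value, the test fails with an error, the loop body never runs and the device is silently left unattached — a `case ${geli_tries} in ''|*[!0-9]*) geli_tries=1 ;; esac` after the fallback block would make that visible and recoverable.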
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: geli2
+# REQUIRE: mountcritlocal
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli2"
+start_cmd="geli2_start"
+stop_cmd=":"
+
+geli2_start()
+{
+ devices=`geli_make_list`
+
+ for provider in ${devices}; do
+ provider_=`ltr ${provider} '/' '_'`
+
+ eval "autodetach=\${geli_${provider_}_autodetach}"
+ if [ -z "${autodetach}" ]; then
+ autodetach=${geli_autodetach}
+ fi
+ if checkyesno autodetach && [ -e "/dev/${provider}.eli" ]; then
+ geli detach -l ${provider}
+ fi
+ done
+}
+
+load_rc_config $name
+run_rc_command "$1"
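Review bot: Once `geli detach -l ${provider}` has run in geli2_start, the first `umount` of that file system takes the `.eli` device with it (geli(8) describes detach as removing the device node and clearing the keys from memory), so an administrator who unmounts to fsck or resize cannot simply mount again — the provider has to be re-attached, passphrase prompt and all, first. That is the intended property of autodetach, but nothing in the script says so; a comment above the call would save the next person a surprise: `# From here on, unmounting the file system detaches the provider and drops its keys; it must be re-attached before it can be mounted again.` Also, `${provider}` is left unquoted here while rc.d/geli quotes it in `geli detach "${provider}"`; `geli detach -l "${provider}"` keeps the two scripts consistent.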
diff --git a/etc/rc.subr b/etc/rc.subr
index 77f0592..e70fffb 100644
--- a/etc/rc.subr
+++ b/etc/rc.subr
@@ -1320,4 +1320,38 @@ ltr()
 echo "${_out}"
 }
+# Creates a list of providers for GELI encryption.
+geli_make_list()
+{
+ local devices devices2
+ local provider mountpoint type options rest
+
+ # Create list of GELI providers from fstab.
+ while read provider mountpoint type options rest ; do
+ case ":${provider}" in
+ :#*)
+ continue
+ ;;
+ *.eli)
+ # Skip swap devices.
+ if [ "${type}" = "swap" -o "${options}" = "sw" ]; then
+ continue
+ fi
+ devices="${devices} ${provider}"
+ ;;
+ esac
+ done < /etc/fstab
+
+ # Append providers from geli_devices.
+ devices="${devices} ${geli_devices}"
+
+ for provider in ${devices}; do
+ provider=${provider%.eli}
+ provider=${provider#/dev/}
+ devices2="${devices2} ${provider}"
+ done
+
+ echo ${devices2}
+}
+
 fi
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 69e9821..a849661 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
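Review bot: `geli_make_list` keeps every non-swap `*.eli` entry from fstab, including ones mounted `noauto`, so a data disk that is deliberately not mounted at boot will still be attached (and prompt for its passphrase) by rc.d/geli on every boot; if that is not intended, the `*.eli)` branch could skip them with `case ",${options}," in *,noauto,*) continue ;; esac` next to the existing swap check. The function also only recognises swap by `type = swap` or the options being exactly `sw`; an entry with `sw,late` or similar slips through and gets attached here as well as by the swap script, so matching `sw` as a comma-separated member (the same `case` idiom) would be safer. Finally, `local devices devices2` declares but does not initialise; unless this sh guarantees that locals start out unset, a `devices` value already in the caller's scope (rc.d/geli uses a global of that name) would be prepended to the list — `devices=""` and `devices2=""` right after the declaration make the intent explicit either way.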
@@ -1156,6 +1156,35 @@ Number of times to attempt attaching to a
 .Xr gbde 4
 device, i.e., how many times the user is asked for the pass-phrase.
 Default is 3.
+.It Va geli_devices
+.Pq Vt str
+List of devices to automatically attach on boot.
+Note that .eli devices from
+.Pa /etc/fstab
+are automatically appended to this list.
+.It Va geli_tries
+.Pq Vt int
+Number of times user is asked for the pass-phrase.
+If empty, it will be taken from
+.Va kern.geom.eli.tries
+sysctl variable.
+.It Va geli_default_flags
+.Pq Vt str
+Default flags to use by
+.Xr geli 8
+when configuring disk encryption.
+Flags can be configured for every device separately by defining
+.Va geli_<device>_flags
+variable.
+.It Va geli_autodetach
+.Pq Vt str
+Specifies if GELI devices should be marked for detach on last close after
+file systems are mounted.
+Default is
+.Dq Li YES .
+This can be changed for every device separately by defining
+.Va geli_<device>_autodetach
+variable.
 .It Va geli_swap_flags
 Options passed to the
 .Xr geli 8 |