authorpjd <pjd@FreeBSD.org>2005-08-14 18:02:22 +0000
committerpjd <pjd@FreeBSD.org>2005-08-14 18:02:22 +0000
commita2b7d697913d661fda3cdf89df1b40035f6c116a (patch)
tree85e2934f5d33797f65e52eef52a990ff180d2d5d
parent4c42e011b4355b63d51ade3c0d027dde76715566 (diff)
downloadFreeBSD-src-a2b7d697913d661fda3cdf89df1b40035f6c116a.zip
FreeBSD-src-a2b7d697913d661fda3cdf89df1b40035f6c116a.tar.gz
Add scripts for GELI device configuration on boot.
rc.d/geli - configures encryption (asks for passphrases, etc.); rc.d/geli2 - is called after file systems are mounted and marks devices for detach on last close. Sponsored by: Wheel Sp. z o.o. http://www.wheel.pl MFC after: 3 days
-rw-r--r--etc/defaults/rc.conf18
-rw-r--r--etc/rc.d/geli98
-rw-r--r--etc/rc.d/geli258
-rw-r--r--etc/rc.subr34
-rw-r--r--share/man/man5/rc.conf.529
5 files changed, 236 insertions, 1 deletions
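--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -59,7 +59,23 @@ gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
 gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
 gbde_lockdir="/etc" # Where to look for gbde lockfiles
-geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted swap partitions.
+# GELI disk encryption configuration.
+geli_devices="" # List of devices to automatically attach in addition to
+ # GELI devices listed in /etc/fstab.
+geli_tries="" # Number of times to attempt attaching geli device.
+ # If empty, kern.geom.eli.tries will be used.
+geli_default_flags="" # Default flags for geli(8).
+geli_autodetach="YES" # Automatically detach on last close.
+ # Providers are marked as such when all file systems are
+ # mounted.
+# Example use.
+#geli_devices="da1 mirror/home"
+#geli_da1_flags="-p -k /etc/geli/da1.keys"
+#geli_da1_autodetach="NO"
+#geli_mirror_home_flags="-k /etc/geli/home.keys"
+
+geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted
+ # swap partitions.
 root_rw_mount="YES" # Set to NO to inhibit remounting root read-write.
 fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.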
diff --git a/etc/rc.d/geli b/etc/rc.d/geli
new file mode 100644
index 0000000..913301a
--- /dev/null
+++ b/etc/rc.d/geli
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: disks
+# REQUIRE: initrandom
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli"
+start_cmd="geli_start"
+stop_cmd="geli_stop"
+
+geli_start()
+{
+ devices=`geli_make_list`
+
+ # If there are no devices return before loading geom_eli.ko.
+ if [ -z "${devices}" ]; then
+ return
+ fi
+
+ geli load >/dev/null 2>&1
+ if ! kldstat -v | grep -q g_eli\$; then
+ err 1 'geom_eli module failed to load.'
+ fi
+
+ if [ -z "${geli_tries}" ]; then
+ if [ -n "${geli_attach_attempts}" ]; then
+ # Compatibility with rc.d/gbde.
+ geli_tries=${geli_attach_attempts}
+ else
+ geli_tries=`${SYSCTL_N} kern.geom.eli.tries`
+ fi
+ fi
+
+ for provider in ${devices}; do
+ provider_=`ltr ${provider} '/' '_'`
+
+ eval "flags=\${geli_${provider_}_flags}"
+ if [ -z "${flags}" ]; then
+ flags=${geli_default_flags}
+ fi
+ if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
+ echo "Configuring Disk Encryption for ${provider}."
+ count=1
+ while [ ${count} -le ${geli_tries} ]; do
+ geli attach ${flags} ${provider}
+ if [ -e "/dev/${provider}.eli" ]; then
+ break
+ fi
+ echo "Attach failed; attempt ${count} of ${geli_tries}."
+ count=$((count+1))
+ done
+ fi
+ done
+}
+
+geli_stop()
+{
+ devices=`geli_make_list`
+
+ for provider in ${devices}; do
+ if [ -e "/dev/${provider}.eli" ]; then
+ umount "/dev/${provider}.eli" 2>/dev/null
+ geli detach "${provider}"
+ fi
+ done
+}
+
+load_rc_config $name
+run_rc_command "$1"
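Review bot: The attach loop in geli_start exhausts ${geli_tries} attempts and then falls through silently, so a provider that never came up is only noticed when mountcritlocal later fails on the missing /dev/${provider}.eli; after the inner `done` add `[ -e "/dev/${provider}.eli" ] || warn "Unable to attach GELI provider ${provider}."` so the boot log names the provider. The same `while [ ${count} -le ${geli_tries} ]` test errors out on every iteration if ${geli_tries} is empty, which happens when the `${SYSCTL_N} kern.geom.eli.tries` read yields nothing (I cannot see SYSCTL_N's definition here), so a fallback such as `: ${geli_tries:=3}` after that block would make the loop robust. As a point of style, `devices`, `provider`, `provider_`, `flags` and `count` are not declared `local` although the companion geli_make_list in rc.subr declares all of its variables, and the `[ -e … -a ! -e … ]` test would read more safely as two `[ ]` tests joined with `&&`.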
diff --git a/etc/rc.d/geli2 b/etc/rc.d/geli2
new file mode 100644
index 0000000..a7802b3
--- /dev/null
+++ b/etc/rc.d/geli2
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: geli2
+# REQUIRE: mountcritlocal
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli2"
+start_cmd="geli2_start"
+stop_cmd=":"
+
+geli2_start()
+{
+ devices=`geli_make_list`
+
+ for provider in ${devices}; do
+ provider_=`ltr ${provider} '/' '_'`
+
+ eval "autodetach=\${geli_${provider_}_autodetach}"
+ if [ -z "${autodetach}" ]; then
+ autodetach=${geli_autodetach}
+ fi
+ if checkyesno autodetach && [ -e "/dev/${provider}.eli" ]; then
+ geli detach -l ${provider}
+ fi
+ done
+}
+
+load_rc_config $name
+run_rc_command "$1"
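Review bot: `geli detach -l ${provider}` in geli2_start leaves the provider unquoted while geli_stop in rc.d/geli writes `geli detach "${provider}"`; the two scripts should use the same form, so change it to `geli detach -l "${provider}"`. The function also has no header comment; `# Mark every attached GELI provider for detach on last close, unless geli_<provider>_autodetach (falling back to geli_autodetach) is not a yes value.` would tell a reader why this runs as a separate script after mountcritlocal rather than inside rc.d/geli. As in geli_start, `devices`, `provider`, `provider_` and `autodetach` could be declared `local` to match geli_make_list in rc.subr.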
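--- a/etc/rc.subr
+++ b/etc/rc.subr
@@ -1320,4 +1320,38 @@ ltr()
 echo "${_out}"
 }
+# Creates a list of providers for GELI encryption.
+geli_make_list()
+{
+ local devices devices2
+ local provider mountpoint type options rest
+
+ # Create list of GELI providers from fstab.
+ while read provider mountpoint type options rest ; do
+ case ":${provider}" in
+ :#*)
+ continue
+ ;;
+ *.eli)
+ # Skip swap devices.
+ if [ "${type}" = "swap" -o "${options}" = "sw" ]; then
+ continue
+ fi
+ devices="${devices} ${provider}"
+ ;;
+ esac
+ done < /etc/fstab
+
+ # Append providers from geli_devices.
+ devices="${devices} ${geli_devices}"
+
+ for provider in ${devices}; do
+ provider=${provider%.eli}
+ provider=${provider#/dev/}
+ devices2="${devices2} ${provider}"
+ done
+
+ echo ${devices2}
+}
+
 fi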
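Review bot: The `while read provider mountpoint type options rest` loop reads /etc/fstab without `-r`, so a backslash in an fstab field is interpreted as an escape rather than taken literally; change it to `while read -r provider mountpoint type options rest; do`. The header comment says what the function is for but not what it emits; extend it to something like `# Prints, on stdout, a space-separated list of GELI provider names taken from the .eli entries in /etc/fstab (swap entries excluded) plus ${geli_devices}, with any /dev/ prefix and .eli suffix stripped.` so callers know the exact format. Duplicates are not removed, so a provider named both in fstab and in geli_devices appears twice in the output and a caller that acts once per name (rc.d/geli2 runs `geli detach -l` per entry) acts on it twice, which is probably harmless but deserves either a comment or a dedupe in the second loop.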
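--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -1156,6 +1156,35 @@ Number of times to attempt attaching to a
 .Xr gbde 4
 device, i.e., how many times the user is asked for the pass-phrase.
 Default is 3.
+.It Va geli_devices
+.Pq Vt str
+List of devices to automatically attach on boot.
+Note that .eli devices from
+.Pa /etc/fstab
+are automatically appended to this list.
+.It Va geli_tries
+.Pq Vt int
+Number of times user is asked for the pass-phrase.
+If empty, it will be taken from
+.Va kern.geom.eli.tries
+sysctl variable.
+.It Va geli_default_flags
+.Pq Vt str
+Default flags to use by
+.Xr geli 8
+when configuring disk encryption.
+Flags can be configured for every device separately by defining
+.Va geli_<device>_flags
+variable.
+.It Va geli_autodetach
+.Pq Vt str
+Specifies if GELI devices should be marked for detach on last close after
+file systems are mounted.
+Default is
+.Dq Li YES .
+This can be changed for every device separately by defining
+.Va geli_<device>_autodetach
+variable.
 .It Va geli_swap_flags
 Options passed to the
 .Xr geli 8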