diff options
| author |   Maciej S. Szmigiero <mail@maciej.szmigiero.name> | 2020-11-22 02:06:47 +0100 |
|---|---|---|
| committer | Maciej S. Szmigiero <mail@maciej.szmigiero.name> | 2022-05-22 20:45:16 +0200 |
| commit | 72839de16243fb410d587e18d76d3b637fa3f389 (patch) | |
| tree | 895cb2bb1364702ce171dce6e032d8d8f2cffdd5 /gen_cmdline.sh | |
| parent | arch: Copy s390 config to s390x (it's 64bit anyway!) (diff) | |
| download | genkernel-72839de16243fb410d587e18d76d3b637fa3f389.tar.gz genkernel-72839de16243fb410d587e18d76d3b637fa3f389.tar.bz2 genkernel-72839de16243fb410d587e18d76d3b637fa3f389.zip | |
genkernel: add keyctl support for loading LUKS passphrase into a keyring
cryptsetup LUKS2 format comes with an ability to automatically unlock
multiple devices (root, swap, etc.) sharing the same passphrase, without
retyping it for each of them, by loading it into the user keyring.
This commit adds such (optional) genkernel support for loading LUKS
passphrase into the user keyring on boot.
In the default mode of operation the newly added key is (possibly) used
only to unlock root and swap devices and is removed soon after that.
By providing appropriate kernel command line parameter the key can be left
in the keyring instead (with an optional timeout) for unlocking other LUKS
devices post-initramfs time.
Because one of the most common use cases of this functionality will be
having an encrypted swap for doing suspend to disk (hibernation) let's also
make sure that we don't unlock the root device when doing so is unnecessary
(when we are resuming the system from hibernation).
Since the security of a FDE passphrase is of paramount importance in this
solution significant care has been taken not to leak it accidentally:
* The passphrase is read directly by keyctl to avoid storing it in the
shell,
* If the passphrase is used only to unlock root and swap devices (which is
the default mode of operation) the init script will check whether its
removal from keyring has actually succeeded and, if not, reboot the system
rather than continue while leaving it exposed,
* keyutils includes a patch (already upstreamed) to wipe the passphrase
from memory when no longer needed.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Diffstat (limited to 'gen_cmdline.sh')
| -rwxr-xr-x | gen_cmdline.sh | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/gen_cmdline.sh b/gen_cmdline.sh index e53de69..0cba7d1 100755 --- a/gen_cmdline.sh +++ b/gen_cmdline.sh @@ -181,6 +181,8 @@ longusage() { echo " --no-luks Exclude LUKS support" echo " --gpg Include GPG-armored LUKS key support" echo " --no-gpg Exclude GPG-armored LUKS key support" + echo " --keyctl Include keyctl support for loading LUKS passphrase into a keyring" + echo " --no-keyctl Exclude keyctl support for loading LUKS passphrase into a keyring" echo " --b2sum Include b2sum" echo " --no-b2sum Exclude b2sum" echo " --busybox Include busybox" @@ -837,6 +839,10 @@ parse_cmdline() { CMD_GPG=$(parse_optbool "$*") print_info 3 "CMD_GPG: ${CMD_GPG}" ;; + --keyctl|--no-keyctl) + CMD_KEYCTL=$(parse_optbool "$*") + print_info 3 "CMD_KEYCTL: ${CMD_KEYCTL}" + ;; --firmware|--no-firmware) CMD_FIRMWARE=$(parse_optbool "$*") print_info 3 "CMD_FIRMWARE: ${CMD_FIRMWARE}" |