source: calamares/trunk/fuentes/src/modules/luksbootkeyfile/main.py @ 7538

Last change on this file since 7538 was 7538, checked in by kbut, 17 months ago

sync with github

1#!/usr/bin/env python3
2# -*- coding: utf-8 -*-
3#
4# === This file is part of Calamares - <https://github.com/calamares> ===
5#
6#   Copyright 2016, Teo Mrnjavac <teo@kde.org>
7#   Copyright 2017, Alf Gaida <agaida@siduction.org>
8#   Copyright 2017, Adriaan de Groot <groot@kde.org>
9#
10#   Calamares is free software: you can redistribute it and/or modify
11#   it under the terms of the GNU General Public License as published by
12#   the Free Software Foundation, either version 3 of the License, or
13#   (at your option) any later version.
14#
15#   Calamares is distributed in the hope that it will be useful,
16#   but WITHOUT ANY WARRANTY; without even the implied warranty of
17#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18#   GNU General Public License for more details.
19#
20#   You should have received a copy of the GNU General Public License
21#   along with Calamares. If not, see <http://www.gnu.org/licenses/>.
22
23import libcalamares
24
25from libcalamares.utils import check_target_env_call
26
27
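def run():
    """
    Create /crypto_keyfile.bin on the target rootfs and enrol it as an
    additional LUKS key, assuming the rootfs is LUKS encrypted and a
    passphrase is provided. The file is then included in the initramfs and
    used for unlocking the rootfs from a previously unlocked GRUB2 session.

    The key file is enrolled on the root device and on every other LUKS
    partition that has a mount point or is swap, so it is equivalent to the
    passphrases of all those volumes. Its permissions are therefore tightened
    immediately after it is generated, before any luksAddKey call.

    NOTE(review): this module only protects the file on the rootfs. Whatever
    builds the initramfs must keep the resulting image unreadable to
    unprivileged users as well -- not handled here, confirm in that module.

    :return: None when there is no LUKS root device or when setup succeeded;
             a (title, message) tuple when the root device is LUKS but no
             passphrase was found for it.
    """

    partitions = libcalamares.globalstorage.value("partitions")

    luks_root_device = ""
    luks_root_passphrase = ""

    # (device, passphrase) pairs for non-root LUKS partitions to enrol too.
    additional_luks_devices = []

    for partition in partitions:
        if partition["mountPoint"] == "/" and "luksMapperName" in partition:
            luks_root_device = partition["device"]
            luks_root_passphrase = partition["luksPassphrase"]
        elif "luksMapperName" in partition and\
             (partition["mountPoint"] or partition["fs"] == "linuxswap"):
            additional_luks_devices.append((partition["device"],
                                            partition["luksPassphrase"]))

    # Nothing to do when the root filesystem is not LUKS encrypted.
    if not luks_root_device:
        return None

    if not luks_root_passphrase:
        return (
            "Encrypted rootfs setup error",
            "Rootfs partition {!s} is LUKS but no passphrase found."
            .format(luks_root_device))

    # Generate random keyfile (4 blocks of 512 bytes from /dev/urandom).
    check_target_env_call(["dd",
                           "bs=512",
                           "count=4",
                           "if=/dev/urandom",
                           "of=/crypto_keyfile.bin"])

    # Drop group/other access *before* the file becomes a valid key.
    # check_target_env_call raises on a non-zero exit, so with the chmod at
    # the end a failing luksAddKey (e.g. on an additional device, after the
    # root key was already enrolled) would leave enrolled key material with
    # whatever permissions dd created it with.
    check_target_env_call(["chmod",
                           "g-rwx,o-rwx",
                           "/crypto_keyfile.bin"])

    # The existing passphrase is handed over as the second argument (stdin
    # of the command in libcalamares), not on the command line.
    check_target_env_call(["cryptsetup",
                           "luksAddKey",
                           luks_root_device,
                           "/crypto_keyfile.bin"],
                          luks_root_passphrase,
                          15)  # timeout 15s

    for device, passphrase in additional_luks_devices:
        check_target_env_call(["cryptsetup",
                               "luksAddKey",
                               device,
                               "/crypto_keyfile.bin"],
                              passphrase,
                              15)  # timeout 15s

    return None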