Add scripts for GELI device configuration on boot.

rc.d/geli - configures encryption (ask for passphrases, etc.); rc.d/geli2 - is called after file systems are mounted and mark devices for detach on last close. Sponsored by: Wheel Sp. z o.o. http://www.wheel.pl MFC after: 3 days
svn path=/head/; revision=149050
2005-08-14 18:02:22 +00:00 · 2005-08-14 18:02:22 +00:00 · b12cfed25c · 2020-12-20 02:59:44 +00:00
commit b12cfed25c
parent b3d1f1fce9
5 changed files with 236 additions and 1 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -59,7 +59,23 @@ gbde_devices="NO" 	# Devices to automatically attach (list, or AUTO)
 gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
 gbde_lockdir="/etc"	# Where to look for gbde lockfiles

-geli_swap_flags="-a aes -l 256 -s 4096 -d"	# Options for GELI-encrypted swap partitions.
+# GELI disk encryption configuration.
+geli_devices=""		# List of devices to automatically attach in addition to
+			# GELI devices listed in /etc/fstab.
+geli_tries=""		# Number of times to attempt attaching geli device.
+			# If empty, kern.geom.eli.tries will be used.
+geli_default_flags=""	# Default flags for geli(8).
+geli_autodetach="YES"	# Automatically detach on last close.
+			# Providers are marked as such when all file systems are
+			# mounted.
+# Example use.
+#geli_devices="da1 mirror/home"
+#geli_da1_flags="-p -k /etc/geli/da1.keys"
+#geli_da1_autodetach="NO"
+#geli_mirror_home_flags="-k /etc/geli/home.keys"
+
+geli_swap_flags="-a aes -l 256 -s 4096 -d"	# Options for GELI-encrypted
+						# swap partitions.

 root_rw_mount="YES"	# Set to NO to inhibit remounting root read-write.
 fsck_y_enable="NO"	# Set to YES to do fsck -y if the initial preen fails.
--- a/etc/rc.d/geli
+++ b/etc/rc.d/geli
@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: disks
+# REQUIRE: initrandom
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli"
+start_cmd="geli_start"
+stop_cmd="geli_stop"
+
+geli_start()
+{
+	devices=`geli_make_list`
+
+	# If there are no devices return before loading geom_eli.ko.
+	if [ -z "${devices}" ]; then
+		return
+	fi
+
+	geli load >/dev/null 2>&1
+	if ! kldstat -v | grep -q g_eli\$; then
+		err 1 'geom_eli module failed to load.'
+	fi
+
+	if [ -z "${geli_tries}" ]; then
+		if [ -n "${geli_attach_attempts}" ]; then
+			# Compatibility with rc.d/gbde.
+			geli_tries=${geli_attach_attempts}
+		else
+			geli_tries=`${SYSCTL_N} kern.geom.eli.tries`
+		fi
+	fi
+
+	for provider in ${devices}; do
+		provider_=`ltr ${provider} '/' '_'`
+
+		eval "flags=\${geli_${provider_}_flags}"
+		if [ -z "${flags}" ]; then
+			flags=${geli_default_flags}
+		fi
+		if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
+			echo "Configuring Disk Encryption for ${provider}."
+			count=1
+			while [ ${count} -le ${geli_tries} ]; do
+				geli attach ${flags} ${provider}
+				if [ -e "/dev/${provider}.eli" ]; then
+					break
+				fi
+				echo "Attach failed; attempt ${count} of ${geli_tries}."
+				count=$((count+1))
+			done
+		fi
+	done
+}
+
+geli_stop()
+{
+	devices=`geli_make_list`
+
+	for provider in ${devices}; do
+		if [ -e "/dev/${provider}.eli" ]; then
+			umount "/dev/${provider}.eli" 2>/dev/null
+			geli detach "${provider}"
+		fi
+	done
+}
+
+load_rc_config $name
+run_rc_command "$1"
--- a/etc/rc.d/geli2
+++ b/etc/rc.d/geli2
@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: geli2
+# REQUIRE: mountcritlocal
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli2"
+start_cmd="geli2_start"
+stop_cmd=":"
+
+geli2_start()
+{
+	devices=`geli_make_list`
+
+	for provider in ${devices}; do
+		provider_=`ltr ${provider} '/' '_'`
+
+		eval "autodetach=\${geli_${provider_}_autodetach}"
+		if [ -z "${autodetach}" ]; then
+			autodetach=${geli_autodetach}
+		fi
+		if checkyesno autodetach && [ -e "/dev/${provider}.eli" ]; then
+			geli detach -l ${provider}
+		fi
+	done
+}
+
+load_rc_config $name
+run_rc_command "$1"
--- a/etc/rc.subr
+++ b/etc/rc.subr
@ -1320,4 +1320,38 @@ ltr()
 	echo "${_out}"
 }

+# Creates a list of providers for GELI encryption.
+geli_make_list()
+{
+	local devices devices2
+	local provider mountpoint type options rest
+
+	# Create list of GELI providers from fstab.
+	while read provider mountpoint type options rest ; do
+		case ":${provider}" in
+		:#*)
+			continue
+			;;
+		*.eli)
+			# Skip swap devices.
+			if [ "${type}" = "swap" -o "${options}" = "sw" ]; then
+				continue
+			fi
+			devices="${devices} ${provider}"
+			;;
+		esac
+	done < /etc/fstab
+
+	# Append providers from geli_devices.
+	devices="${devices} ${geli_devices}"
+
+	for provider in ${devices}; do
+		provider=${provider%.eli}
+		provider=${provider#/dev/}
+		devices2="${devices2} ${provider}"
+	done
+
+	echo ${devices2}
+}
+
 fi
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -1156,6 +1156,35 @@ Number of times to attempt attaching to a
 .Xr gbde 4
 device, i.e., how many times the user is asked for the pass-phrase.
 Default is 3.
+.It Va geli_devices
+.Pq Vt str
+List of devices to automatically attach on boot.
+Note that .eli devices from
+.Pa /etc/fstab
+are automatically appended to this list.
+.It Va geli_tries
+.Pq Vt int
+Number of times user is asked for the pass-phrase.
+If empty, it will be taken from
+.Va kern.geom.eli.tries
+sysctl variable.
+.It Va geli_default_flags
+.Pq Vt str
+Default flags to use by
+.Xr geli 8
+when configuring disk encryption.
+Flags can be configured for every device separately by defining
+.Va geli_<device>_flags
+variable.
+.It Va geli_autodetach
+.Pq Vt str
+Specifies if GELI devices should be marked for detach on last close after
+file systems are mounted.
+Default is
+.Dq Li YES .
+This can be changed for every device separately by defining
+.Va geli_<device>_autodetach
+variable.
 .It Va geli_swap_flags
 Options passed to the
 .Xr geli 8