Add scripts for GELI device configuration on boot.
rc.d/geli - configures encryption (asks for passphrases, etc.); rc.d/geli2 - is called after file systems are mounted and marks devices for detach on last close. Sponsored by: Wheel Sp. z o.o. http://www.wheel.pl MFC after: 3 days
parent
b3d1f1fce9
commit
b12cfed25c
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=149050
@ -59,7 +59,23 @@ gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
|
||||
gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
|
||||
gbde_lockdir="/etc" # Where to look for gbde lockfiles
|
||||
|
||||
geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted swap partitions.
|
||||
# GELI disk encryption configuration.
|
||||
geli_devices="" # List of devices to automatically attach in addition to
|
||||
# GELI devices listed in /etc/fstab.
|
||||
geli_tries="" # Number of times to attempt attaching geli device.
|
||||
# If empty, kern.geom.eli.tries will be used.
|
||||
geli_default_flags="" # Default flags for geli(8).
|
||||
geli_autodetach="YES" # Automatically detach on last close.
|
||||
# Providers are marked as such when all file systems are
|
||||
# mounted.
|
||||
# Example use.
|
||||
#geli_devices="da1 mirror/home"
|
||||
#geli_da1_flags="-p -k /etc/geli/da1.keys"
|
||||
#geli_da1_autodetach="NO"
|
||||
#geli_mirror_home_flags="-k /etc/geli/home.keys"
|
||||
|
||||
geli_swap_flags="-a aes -l 256 -s 4096 -d" # Options for GELI-encrypted
|
||||
# swap partitions.
|
||||
|
||||
root_rw_mount="YES" # Set to NO to inhibit remounting root read-write.
|
||||
fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.
|
||||
|
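--- /dev/null
+++ b/etc/rc.d/geli
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: disks
+# REQUIRE: initrandom
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli"
+start_cmd="geli_start"
+stop_cmd="geli_stop"
+
+geli_start()
+{
+devices=`geli_make_list`
+
+# If there are no devices return before loading geom_eli.ko.
+if [ -z "${devices}" ]; then
+return
+fi
+
+geli load >/dev/null 2>&1
+if ! kldstat -v | grep -q g_eli\$; then
+err 1 'geom_eli module failed to load.'
+fi
+
+if [ -z "${geli_tries}" ]; then
+if [ -n "${geli_attach_attempts}" ]; then
+# Compatibility with rc.d/gbde.
+geli_tries=${geli_attach_attempts}
+else
+geli_tries=`${SYSCTL_N} kern.geom.eli.tries`
+fi
+fi
+
+for provider in ${devices}; do
+provider_=`ltr ${provider} '/' '_'`
+
+eval "flags=\${geli_${provider_}_flags}"
+if [ -z "${flags}" ]; then
+flags=${geli_default_flags}
+fi
+if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
+echo "Configuring Disk Encryption for ${provider}."
+count=1
+while [ ${count} -le ${geli_tries} ]; do
+geli attach ${flags} ${provider}
+if [ -e "/dev/${provider}.eli" ]; then
+break
+fi
+echo "Attach failed; attempt ${count} of ${geli_tries}."
+count=$((count+1))
+done
+fi
+done
+}
+
+geli_stop()
+{
+devices=`geli_make_list`
+
+for provider in ${devices}; do
+if [ -e "/dev/${provider}.eli" ]; then
+umount "/dev/${provider}.eli" 2>/dev/null
+geli detach "${provider}"
+fi
+done
+}
+
+load_rc_config $name
+run_rc_command "$1"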
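Review bot: The `eval "flags=\${geli_${provider_}_flags}"` line in geli_start relies on the preceding ltr call, which only turns '/' into '_', so a provider name containing any other character that is not legal in a variable name (a '-' in a GEOM label, for instance) makes the eval expand a `${geli_…-…}` default-value substitution instead of the intended variable, and the text after the '-' is then handed to `geli attach` as its flags. Rejecting such names before the eval keeps the attach loop from running with a bogus option string: `case "${provider_}" in *[!A-Za-z0-9_]*) warn "Skipping ${provider}: name cannot be used as a variable suffix"; continue;; esac`. The same eval construction is used for `autodetach` in geli2_start in etc/rc.d/geli2 and would take the same guard. A short comment on the eval noting that provider_ must be a valid identifier fragment would make the ltr call's purpose clear to the next reader.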
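--- /dev/null
+++ b/etc/rc.d/geli2
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: geli2
+# REQUIRE: mountcritlocal
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="geli2"
+start_cmd="geli2_start"
+stop_cmd=":"
+
+geli2_start()
+{
+devices=`geli_make_list`
+
+for provider in ${devices}; do
+provider_=`ltr ${provider} '/' '_'`
+
+eval "autodetach=\${geli_${provider_}_autodetach}"
+if [ -z "${autodetach}" ]; then
+autodetach=${geli_autodetach}
+fi
+if checkyesno autodetach && [ -e "/dev/${provider}.eli" ]; then
+geli detach -l ${provider}
+fi
+done
+}
+
+load_rc_config $name
+run_rc_command "$1"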
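Review bot: geli2_start carries no comment explaining why marking providers for detach on last close lives in a second script instead of in rc.d/geli, and the `# REQUIRE: mountcritlocal` line is the only hint a reader gets; above geli2_start I would add `# Must run after mountcritlocal: the providers are marked for detach on last close, so the file systems on them should already be mounted (and the providers open) at this point.` The `geli detach -l ${provider}` line leaves the name unquoted while geli_stop in rc.d/geli writes `geli detach "${provider}"`; `geli detach -l "${provider}"` keeps the two scripts consistent. Whether a provider that is not open at this point is detached immediately by the `-l` form is something to confirm against geli(8) and, if so, to state in the rc.conf description of geli_autodetach.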
34
etc/rc.subr
34
etc/rc.subr
@ -1320,4 +1320,38 @@ ltr()
|
||||
echo "${_out}"
|
||||
}
|
||||
|
||||
# Creates a list of providers for GELI encryption.
|
||||
geli_make_list()
|
||||
{
|
||||
local devices devices2
|
||||
local provider mountpoint type options rest
|
||||
|
||||
# Create list of GELI providers from fstab.
|
||||
while read provider mountpoint type options rest ; do
|
||||
case ":${provider}" in
|
||||
:#*)
|
||||
continue
|
||||
;;
|
||||
*.eli)
|
||||
# Skip swap devices.
|
||||
if [ "${type}" = "swap" -o "${options}" = "sw" ]; then
|
||||
continue
|
||||
fi
|
||||
devices="${devices} ${provider}"
|
||||
;;
|
||||
esac
|
||||
done < /etc/fstab
|
||||
|
||||
# Append providers from geli_devices.
|
||||
devices="${devices} ${geli_devices}"
|
||||
|
||||
for provider in ${devices}; do
|
||||
provider=${provider%.eli}
|
||||
provider=${provider#/dev/}
|
||||
devices2="${devices2} ${provider}"
|
||||
done
|
||||
|
||||
echo ${devices2}
|
||||
}
|
||||
|
||||
fi
|
||||
|
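Review bot: The `while read provider mountpoint type options rest ; do` loop in geli_make_list reads /etc/fstab without `-r`, so a backslash in any field is interpreted by read rather than kept, and a trailing backslash joins two fstab lines into one record; `while read -r provider mountpoint type options rest; do` avoids both. The swap test a few lines below compares `${options}` with `sw` exactly, so an entry with a longer option list is skipped only because the type field is tested as well; that is presumably intended, and a comment such as `# A swap entry is recognised by its type, or by a bare "sw" option field.` would record it. The function header comment could also say that the result is a whitespace-separated list of provider names with the leading /dev/ and trailing .eli stripped, which is what the two loops below produce. The ltr function whose closing lines open this hunk starts outside it.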
@ -1156,6 +1156,35 @@ Number of times to attempt attaching to a
|
||||
.Xr gbde 4
|
||||
device, i.e., how many times the user is asked for the pass-phrase.
|
||||
Default is 3.
|
||||
.It Va geli_devices
|
||||
.Pq Vt str
|
||||
List of devices to automatically attach on boot.
|
||||
Note that .eli devices from
|
||||
.Pa /etc/fstab
|
||||
are automatically appended to this list.
|
||||
.It Va geli_tries
|
||||
.Pq Vt int
|
||||
Number of times user is asked for the pass-phrase.
|
||||
If empty, it will be taken from
|
||||
.Va kern.geom.eli.tries
|
||||
sysctl variable.
|
||||
.It Va geli_default_flags
|
||||
.Pq Vt str
|
||||
Default flags to use by
|
||||
.Xr geli 8
|
||||
when configuring disk encryption.
|
||||
Flags can be configured for every device separately by defining
|
||||
.Va geli_<device>_flags
|
||||
variable.
|
||||
.It Va geli_autodetach
|
||||
.Pq Vt str
|
||||
Specifies if GELI devices should be marked for detach on last close after
|
||||
file systems are mounted.
|
||||
Default is
|
||||
.Dq Li YES .
|
||||
This can be changed for every device separately by defining
|
||||
.Va geli_<device>_autodetach
|
||||
variable.
|
||||
.It Va geli_swap_flags
|
||||
Options passed to the
|
||||
.Xr geli 8
|
||||
|