Add initcpio script to autodetect external luks root key

2024-09-19 21:29:41 +00:00 · 2021-11-24 00:04:32 +01:00 · 2021-11-24 00:04:32 +01:00 · 4929c281d2
parent caef6a84c5
commit 4929c281d2
3 changed files with 55 additions and 1 deletions
--- a/root/etc/initcpio/hooks/lukskeyfile
+++ b/root/etc/initcpio/hooks/lukskeyfile
@ -0,0 +1,27 @@
+#!/bin/ash
+
+run_hook() {
+    if [ -n "$lukskeyfile" ]; then
+        # This is a needed kernel parameter for this hook
+        modprobe -a -q loop dm-crypt >/dev/null 2>&1
+        # Refer to help from `mkinitcpio -H lukskeyfile`.
+        IFS=: read rootKeyDev rootKey cryptkeyLoc <<EOF
+$lukskeyfile
+EOF
+
+        if [ -z "${cryptkeyLoc}" ]; then
+            cryptkeyLoc=/crypto_keyfile.bin
+        fi
+
+        if resoleved=$(resolve_device "${rootKeyDev}" $rootdelay); then
+            if mount -o noatime "${rootKeyDev}" /mnt>/dev/null 2>&1; then
+                cat "/mnt/${rootKey}" > "${cryptkeyLoc}"
+            else
+                echo "Failed to mount ${rootKeyDev} on /mnt"
+                /bin/sh
+            fi
+        else
+            echo "Failed to find ${rootKeyDev} containing LUKS root key."
+        fi
+    fi
+}
--- a/root/etc/initcpio/install/lukskeyfile
+++ b/root/etc/initcpio/install/lukskeyfile
@ -0,0 +1,27 @@
+#!/bin/bash
+
+build() {
+    add_dir "/mnt"
+    add_module loop
+    add_module dm-crypt
+    add_runscript
+}
+
+help() {
+    cat <<EOF
+Open root partition with LUKS root key present on internal
+or external accessible non-encrypted partition.
+To use this hook, specify lukskeyfile in kernel parameters.
+This hook is designed to copy over the specified key file into
+initramfs internal path designated as cryptkey by encrypt hook.
+
+lukskeyfile=rootKeyDev:rootKey[:cryptkeyLoc]
+
+rootKeyDev = /path/to/rootKeyDev, UUID=uuid-of-rootKeyDev
+rootKey = /path/to/rootKey in rootKeyDev
+cryptkeyLoc = /path/to/cryptkey in initramfs.
+
+Default values
+cryptkeyLoc=/crypto_keyfile.bin
+EOF
+}
--- a/root/etc/mkinitcpio.conf
+++ b/root/etc/mkinitcpio.conf
@ -51,7 +51,7 @@ FILES=()
 #    usr, fsck and shutdown hooks.
 #
 ##  Edits applied: numlock (requires mkinitcpio-numlock (AUR)), encrypt
-HOOKS=(base udev autodetect keyboard numlock modconf block encrypt filesystems fsck)
+HOOKS=(base udev autodetect keyboard numlock modconf block lukskeyfile encrypt filesystems fsck)

 # COMPRESSION
 # Use this to compress the initramfs image. By default, zstd compression