From 4929c281d2cf9a04042d17188ac05cbc5c28e7cb Mon Sep 17 00:00:00 2001
From: ItsDrike <itsdrike@protonmail.com>
Date: Wed, 24 Nov 2021 00:04:32 +0100
Subject: [PATCH] Add initcpio script to autodetect external luks root key

---
 root/etc/initcpio/hooks/lukskeyfile   | 27 +++++++++++++++++++++++++++
 root/etc/initcpio/install/lukskeyfile | 27 +++++++++++++++++++++++++++
 root/etc/mkinitcpio.conf              |  2 +-
 3 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 root/etc/initcpio/hooks/lukskeyfile
 create mode 100644 root/etc/initcpio/install/lukskeyfile

diff --git a/root/etc/initcpio/hooks/lukskeyfile b/root/etc/initcpio/hooks/lukskeyfile
new file mode 100644
index 0000000..fce69a5
--- /dev/null
+++ b/root/etc/initcpio/hooks/lukskeyfile
@@ -0,0 +1,27 @@
+#!/bin/ash
+
+run_hook() {
+    if [ -n "$lukskeyfile" ]; then
+        # This is a needed kernel parameter for this hook
+        modprobe -a -q loop dm-crypt >/dev/null 2>&1
+        # Refer to help from `mkinitcpio -H lukskeyfile`.
+        IFS=: read rootKeyDev rootKey cryptkeyLoc <<EOF
+$lukskeyfile
+EOF
+
+        if [ -z "${cryptkeyLoc}" ]; then
+            cryptkeyLoc=/crypto_keyfile.bin
+        fi
+
+        if resoleved=$(resolve_device "${rootKeyDev}" $rootdelay); then
+            if mount -o noatime "${rootKeyDev}" /mnt>/dev/null 2>&1; then
+                cat "/mnt/${rootKey}" > "${cryptkeyLoc}"
+            else
+                echo "Failed to mount ${rootKeyDev} on /mnt"
+                /bin/sh
+            fi
+        else
+            echo "Failed to find ${rootKeyDev} containing LUKS root key."
+        fi
+    fi
+}
diff --git a/root/etc/initcpio/install/lukskeyfile b/root/etc/initcpio/install/lukskeyfile
new file mode 100644
index 0000000..5e78430
--- /dev/null
+++ b/root/etc/initcpio/install/lukskeyfile
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+build() {
+    add_dir "/mnt"
+    add_module loop
+    add_module dm-crypt
+    add_runscript
+}
+
+help() {
+    cat <<EOF
+Open root partition with LUKS root key present on internal
+or external accessible non-encrypted partition.
+To use this hook, specify lukskeyfile in kernel parameters.
+This hook is designed to copy over the specified key file into
+initramfs internal path designated as cryptkey by encrypt hook.
+
+lukskeyfile=rootKeyDev:rootKey[:cryptkeyLoc]
+
+rootKeyDev = /path/to/rootKeyDev, UUID=uuid-of-rootKeyDev
+rootKey = /path/to/rootKey in rootKeyDev
+cryptkeyLoc = /path/to/cryptkey in initramfs.
+
+Default values
+cryptkeyLoc=/crypto_keyfile.bin
+EOF
+}
diff --git a/root/etc/mkinitcpio.conf b/root/etc/mkinitcpio.conf
index 6f0e262..c5ecfec 100644
--- a/root/etc/mkinitcpio.conf
+++ b/root/etc/mkinitcpio.conf
@@ -51,7 +51,7 @@ FILES=()
 #    usr, fsck and shutdown hooks.
 #
 ##  Edits applied: numlock (requires mkinitcpio-numlock (AUR)), encrypt
-HOOKS=(base udev autodetect keyboard numlock modconf block encrypt filesystems fsck)
+HOOKS=(base udev autodetect keyboard numlock modconf block lukskeyfile encrypt filesystems fsck)
 
 # COMPRESSION
 # Use this to compress the initramfs image. By default, zstd compression