diff --git a/src/modules/luksbootkeyfile/main.py b/src/modules/luksbootkeyfile/main.py new file mode 100644 index 000000000..92ba00118 --- /dev/null +++ b/src/modules/luksbootkeyfile/main.py @@ -0,0 +1,67 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# === This file is part of Calamares - === +# +# Copyright 2016, Teo Mrnjavac +# +# Calamares is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Calamares is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Calamares. If not, see . + +import libcalamares + +from libcalamares.utils import check_target_env_call + + +def run(): + """ + This module sets up a file crypto_keyfile.bin on the rootfs, assuming the rootfs + is LUKS encrypted and a passphrase is provided. This file is then included in the + initramfs and used for unlocking the rootfs from a previously unlocked GRUB2 + session. + :return: + """ + + partitions = libcalamares.globalstorage.value("partitions") + + luks_device = "" + luks_passphrase = "" + + for partition in partitions: + if partition["mountPoint"] == "/" and "luksMapperName" in partition: + luks_device = partition["device"] + luks_passphrase = partition["luksPassphrase"] + + if not luks_device: + return None + + if not luks_passphrase: + return ("Encrypted rootfs setup error", + "Rootfs partition {!s} is LUKS but no passphrase found.".format(luks_device)) + + # Generate random keyfile + check_target_env_call(["dd", + "bs=512", + "count=4", + "if=/dev/urandom", + "of=/crypto_keyfile.bin"]) + check_target_env_call(["cryptsetup", + "luksAddKey", + luks_device, + "/crypto_keyfile.bin"], + luks_passphrase) + check_target_env_call(["chmod", + "g-rwx,o-rwx", + "/crypto_keyfile.bin"]) + + return None diff --git a/src/modules/luksbootkeyfile/module.desc b/src/modules/luksbootkeyfile/module.desc new file mode 100644 index 000000000..11a0173d5 --- /dev/null +++ b/src/modules/luksbootkeyfile/module.desc @@ -0,0 +1,5 @@ +--- +type: "job" +name: "luksbootkeyfile" +interface: "python" +script: "main.py"