Hello community, here is the log from the commit of package cryptsetup for openSUSE:Factory checked in at Thu Feb 4 08:46:22 CET 2010. -------- --- cryptsetup/cryptsetup.changes 2010-01-18 13:29:18.000000000 +0100 +++ /mounts/work_src_done/STABLE/cryptsetup/cryptsetup.changes 2010-02-02 13:22:29.000000000 +0100 @@ -1,0 +2,9 @@ +Tue Feb 2 12:21:44 UTC 2010 - lnussel@suse.de + +- boot.crypto: + * document the stages of the boot process + * show status message in boot.cypto-early + * don't perform some checks if the device is skipped anyways + * seed random number generator (bnc#575139) + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- boot.crypto-0_200911271000.tar.bz2 New: ---- boot.crypto-0_201002021320.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cryptsetup.spec ++++++ --- /var/tmp/diff_new_pack.2g2cmY/_old 2010-02-04 08:45:32.000000000 +0100 +++ /var/tmp/diff_new_pack.2g2cmY/_new 2010-02-04 08:45:32.000000000 +0100 
@@ -25,12 +25,12 @@ # hashalot version %define haver 0.3 # boot.crypto version -%define bcver 0_200911271000 +%define bcver 0_201002021320 License: BSD3c(or similar) ; GPLv2 ; GPLv2+ Group: System/Base AutoReqProv: on Version: 1.1.0 -Release: 1 +Release: 2 Summary: Set Up dm-crypt Based Encrypted Block Devices Source: http://cryptsetup.googlecode.com/files/cryptsetup-%{version}.tar.bz2 Source1: http://cryptsetup.googlecode.com/files/cryptsetup-%{version}.tar.bz2.asc ++++++ boot.crypto-0_200911271000.tar.bz2 -> boot.crypto-0_201002021320.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/boot.crypto-0_200911271000/boot.crypto.functions new/boot.crypto-0_201002021320/boot.crypto.functions --- old/boot.crypto-0_200911271000/boot.crypto.functions 2009-11-27 11:00:59.000000000 +0100 +++ new/boot.crypto-0_201002021320/boot.crypto.functions 2010-02-02 13:20:40.000000000 +0100 @@ -101,6 +101,18 @@ done } +# we may need to initialize the random number generator if random +# keys are used as /etc/init.d/random runs later +init_random() +{ + # assume random is seeded in running system + test "$base" != "$link" || return 0 + + local random_seed=/var/lib/misc/random-seed + test -f $random_seed || return 1 + cat $random_seed > /dev/urandom +} + check_loop_module () { if test ! -d /sys/block/loop0; then @@ -459,23 +471,6 @@ makeabsolute physdev - # skip mapped entries - if test -e /dev/mapper/$name; then - report 5 "$name: already mapped" - continue - fi - - if ! test -e $physdev ; then - if test "$CRYPT_EARLY" = "yes"; then - report 5 "$physdev does not exist (missing noearly option in /etc/crypttab?)" - else - report 5 "$physdev does not exist" - fi - - failed=1 - continue - fi - test "$keyfile" != "none" || keyfile="" test "$options" != "none" || options="" CRYPTTAB_NAME="$name" 
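Review bot: in the new init_random() helper, `cat $random_seed > /dev/urandom` mixes the saved seed into the kernel pool but does not raise the kernel's entropy estimate, so a device whose key is read from /dev/random (the keyfile the swap example in crypttab.5 uses) can still block in boot.crypto-early after this function succeeds; if the goal is to unblock /dev/random the seed has to be credited with the RNDADDENTROPY ioctl, otherwise the comment should say that only /dev/urandom keys benefit. Two smaller points on the same hunk: the seed file is left untouched after it is consumed, so an interrupted boot (before /etc/init.d/random rewrites it) feeds the same bytes in again next time, and the `test "$base" != "$link" || return 0` early exit would be clearer with a comment stating which invocation (boot.crypto vs boot.crypto-early) $base and $link distinguish.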
@@ -584,6 +579,33 @@ esac done + if test "$skip" = "yes" -o \( "$noauto" = "yes" -a -z "$tostart" \); then + report 5 "$name" + continue + fi + + if test "$CRYPT_EARLY" = "yes" -a "$noearly" = "yes"; then + report 5 "$name... will be set up later" + continue + fi + + # skip mapped entries + if test -e /dev/mapper/$name; then + report 5 "$name: already mapped" + continue + fi + + if ! test -e $physdev ; then + if test "$CRYPT_EARLY" = "yes"; then + report 5 "$physdev does not exist (missing noearly option in /etc/crypttab?)" + else + report 5 "$physdev does not exist" + fi + + failed=1 + continue + fi + if test -n "$luks"; then if test -n "$cipher" -o -n "$halgo" -o -n "$keysize" -o -n "$pseed" -o -n "$itercountk"; then echo "${extd}Warning: cipher, hash, size, pseed and itercountk options are ignored for LUKS${norm}" @@ -608,18 +630,14 @@ continue fi if test -n "$halgo" -o -n "$pseed" -o -n "$itercountk"; then - echo "${extd}Warning: hash, pseed and itercountk options are ignored when using a key file${norm}" + report 2 "${ext}hash, pseed and itercountk options are unused when using a key file${norm}" + fi + if test "$keyfile" = /dev/random -o "$keyfile" = /dev/urandom && + ! init_random; then + report 5 "$physdev: failed to initialize random number generator. /var on separate partition?" + failed=1 + continue fi - fi - - if test "$skip" = "yes" -o \( "$noauto" = "yes" -a -z "$tostart" \); then - report 5 "$name" - continue - fi - - if test "$CRYPT_EARLY" = "yes" -a "$noearly" = "yes"; then - report 5 "skipping $name (noearly)" - continue fi # run precheck if it's set @@ -822,6 +840,7 @@ # if called from boot.crypto-early skip the rest, # since fsck and mount is done in boot.localfs if test "$CRYPT_EARLY" = "yes"; then + report 0 "$name..." continue fi 
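Review bot: in the @@ -608,18 +630,14 @@ hunk the rewritten warning opens with `${ext}` but closes with `${norm}`, while the line it replaces used `${extd}`; this looks like a typo for `${extd}`, and as written it will expand to an empty string (or an unrelated variable) rather than the highlight escape. While touching that line, the new wording "are unused when using a key file" is fine, but the combined `test "$keyfile" = /dev/random -o "$keyfile" = /dev/urandom && ! init_random` check that follows would read more safely with the two keyfile comparisons grouped explicitly, e.g. `if { test "$keyfile" = /dev/random || test "$keyfile" = /dev/urandom; } && ! init_random; then`, so the intent is not left to `-o` and `&&` precedence. The failure message "/var on separate partition?" matches the only way init_random returns non-zero (missing seed file), which is good.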
@@ -1224,4 +1243,3 @@ /etc/init.d/$srv reload done } - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/boot.crypto-0_200911271000/crypttab.5 new/boot.crypto-0_201002021320/crypttab.5 --- old/boot.crypto-0_200911271000/crypttab.5 2009-11-27 11:00:59.000000000 +0100 +++ new/boot.crypto-0_201002021320/crypttab.5 2010-02-02 13:20:40.000000000 +0100 
@@ -1,161 +1,13 @@ +'\" t .\" Title: crypttab .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.74.0 http://docbook.sf.net/ -.\" Date: 09/25/2009 +.\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/ +.\" Date: 02/02/2010 .\" Manual: Cryptsetup Manual .\" Source: cryptsetup .\" Language: English .\" -.TH "CRYPTTAB" "5" "09/25/2009" "cryptsetup" "Cryptsetup Manual" -.\" ----------------------------------------------------------------- -.\" * (re)Define some macros -.\" ----------------------------------------------------------------- -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" toupper - uppercase a string (locale-aware) -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de toupper -.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -\\$* -.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH-xref - format a cross-reference to an SH section -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de SH-xref -.ie n \{\ -.\} -.toupper \\$* -.el \{\ -\\$* -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH - level-one heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SH -.\" put an extra blank line of space above the head in non-TTY output -.if t \{\ -.sp 1 -.\} -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[an-margin]u -.ti 0 -.HTML-TAG ".NH \\n[an-level]" -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -\." 
make the size of the head bigger -.ps +3 -.ft B -.ne (2v + 1u) -.ie n \{\ -.\" if n (TTY output), use uppercase -.toupper \\$* -.\} -.el \{\ -.nr an-break-flag 0 -.\" if not n (not TTY), use normal case (not uppercase) -\\$1 -.in \\n[an-margin]u -.ti 0 -.\" if not n (not TTY), put a border/line under subheading -.sp -.6 -\l'\n(.lu' -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SS - level-two heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SS -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[IN]u -.ti \\n[SN]u -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -.ps \\n[PS-SS]u -\." make the size of the head bigger -.ps +2 -.ft B -.ne (2v + 1u) -.if \\n[.$] \&\\$* -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BB/BE - put background/screen (filled box) around block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BB -.if t \{\ -.sp -.5 -.br -.in +2n -.ll -2n -.gcolor red -.di BX -.\} -.. -.de EB -.if t \{\ -.if "\\$2"adjust-for-leading-newline" \{\ -.sp -1 -.\} -.br -.di -.in -.ll -.gcolor -.nr BW \\n(.lu-\\n(.i -.nr BH \\n(dn+.5v -.ne \\n(BHu+.5v -.ie "\\$2"adjust-for-leading-newline" \{\ -\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.el \{\ -\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.in 0 -.sp -.5v -.nf -.BX -.in -.sp .5v -.fi -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BM/EM - put colored marker in margin next to block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BM -.if t \{\ -.br -.ll -2n -.gcolor red -.di BX -.\} -.. 
-.de EM -.if t \{\ -.br -.di -.ll -.gcolor -.nr BH \\n(dn -.ne \\n(BHu -\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -.in 0 -.nf -.BX -.in -.fi -.\} -.. +.TH "CRYPTTAB" "5" "02/02/2010" "cryptsetup" "Cryptsetup Manual" .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- @@ -166,9 +18,9 @@ .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- -.SH "Name" +.SH "NAME" crypttab \- static information about crypted filesystems -.SH "Synopsis" +.SH "SYNOPSIS" .PP \fBcrypttab\fR .RS 4 @@ -366,7 +218,7 @@ .PP \fBinitrd\fR .RS 4 -tells mkinitrd to activate this device in the initrd already\&. Only LUKS and no other options are supported\&. The root partition is detected automatically by mkinitrd and doesn\'t need this option explicitly\&. +tells mkinitrd to activate this device in the initrd already\&. Only LUKS and no other options are supported\&. The root partition is detected automatically by mkinitrd and doesn\(cqt need this option explicitly\&. .RE .PP \fBpseed=<string>\fR 
@@ -383,7 +235,7 @@ .RS 4 Calls <path> and uses the output passphrase or key\&. If <path> is not absolute \fB/lib/cryptsetup/scripts\fR -is prepended\&. The only argument passed to the specified program is the value of the key column\&. keyscript also works in the initrd if the specified program is self contained\&. To use the output as raw key specify hash=plain so cryptsetup doesn\'t hash it\'s input\&. Note that use of a keyscript is not supported by YaST so distribution updates could be problematic when used on mandatory partitions\&. +is prepended\&. The only argument passed to the specified program is the value of the key column\&. keyscript also works in the initrd if the specified program is self contained\&. To use the output as raw key specify hash=plain so cryptsetup doesn\(cqt hash it\(cqs input\&. Note that use of a keyscript is not supported by YaST so distribution updates could be problematic when used on mandatory partitions\&. .RE .PP \fBloud\fR, \fBssl\fR, \fBgpg\fR 
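Review bot: the keyscript paragraph is being regenerated anyway, so this is the moment to fix the pre-existing typo `it\(cqs input` (should be `its input`); the only change this hunk makes is the apostrophe glyph, and shipping the grammatical error in the new form again is easy to avoid.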
@@ -392,55 +244,95 @@ .RE .SH "CHECKSCRIPTS" .sp -check scripts are installed in \FC/lib/cryptsetup/checks/\F[] and are called either before (\fIprecheck\fR option) or after (\fIcheck\fR option) the dm\-crypt target is set up\&. +check scripts are installed in /lib/cryptsetup/checks/ and are called either before (\fIprecheck\fR option) or after (\fIcheck\fR option) the dm\-crypt target is set up\&. .PP \fBvol_id\fR .RS 4 Checks for any known filesystem\&. Supports a filesystem type as argument via <checkargs>: -.TS -tab(:); -lt lt -lt lt -lt lt. -T{ +.RE +.PP no checkargs -T}:T{ +.RS 4 succeeds if any valid filesystem is found on the device\&. -T} -T{ +.RE +.PP "none" -T}:T{ +.RS 4 succeeds if no valid filesystem is found on the device\&. -T} -T{ +.RE +.PP "ext3", "xfs", "swap" etc -T}:T{ +.RS 4 succeeds if the given filesystem type is found on the device\&. -T} -.TE -.sp 1 .RE +.SH "UNLOCKING DEVICES AT BOOT TIME" +.sp +There are three ways to unlock encrypted partitions during boot +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +initrd: the root file system as well as any device listed in crypttab with option +\fIinitrd\fR +are unlocked by the scripts in the initrd already\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +before mounting local file systems: the init script +\fIboot\&.crypto\-early\fR +runs before the scripts that fsck and mount additional filesystems\&. This is the preferred way to unlock devices as the normal fsck and mount scripts can handle the device later in the boot process\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +after mounting local file systems: the +\fIboot\&.crypto\fR +init script is the traditional way of unlocking crypto devices\&. It runs after fsck and mount of local file systems\&. +\fIboot\&.crypto\fR +should only be used for loop mounted images nowadays\&. 
+.RE +.SH "FSCK" +.sp +fsck is run on unlocked, encrypted devices if the fs_passno value in fstab is non zero\&. .SH "EXAMPLES" .PP \fBEncrypted swap device\fR .RS 4 -cswap /dev/sda6 /dev/random swap +cr_sda6 /dev/sda6 /dev/random swap .RE .PP \fBEncrypted luks volume with interactive password\fR .RS 4 -cdisk0 /dev/hda1 none luks +cr_sda1 /dev/sda1 none luks .RE .PP \fBEncrypted luks volume with interactive password, use a custom check script, no retries\fR .RS 4 -cdisk2 /dev/hdc1 none luks,check=customscript,checkargs=foo,tries=1 +cr_sdc1 /dev/sdc1 none luks,check=customscript,checkargs=foo,tries=1 .RE .PP \fBEncrypted volume with interactive password and a cryptoloop compatible twofish256 cipher\fR .RS 4 -cdisk3 /dev/sda3 none cipher=twofish\-cbc\-plain,size=256,hash=sha512 +cr_sda3 /dev/sda3 none cipher=twofish\-cbc\-plain,size=256,hash=sha512 .RE .SH "SEE ALSO" .sp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/boot.crypto-0_200911271000/crypttab.5.txt new/boot.crypto-0_201002021320/crypttab.5.txt --- old/boot.crypto-0_200911271000/crypttab.5.txt 2009-11-27 11:00:59.000000000 +0100 +++ new/boot.crypto-0_201002021320/crypttab.5.txt 2010-02-02 13:20:40.000000000 +0100 
@@ -172,19 +172,44 @@ "ext3", "xfs", "swap" etc:: succeeds if the given filesystem type is found on the device. +UNLOCKING DEVICES AT BOOT TIME +------------------------------ + +There are three ways to unlock encrypted partitions during boot + +- initrd: the root file system as well as any device listed in + crypttab with option 'initrd' are unlocked by the scripts in the + initrd already. + +- before mounting local file systems: the init script + 'boot.crypto-early' runs before the scripts that fsck and mount + additional filesystems. This is the preferred way to unlock + devices as the normal fsck and mount scripts can handle the device + later in the boot process. + +- after mounting local file systems: the 'boot.crypto' init script + is the traditional way of unlocking crypto devices. It runs after + fsck and mount of local file systems. 'boot.crypto' should only be + used for loop mounted images nowadays. + +FSCK +---- +fsck is run on unlocked, encrypted devices if the fs_passno value in +fstab is non zero. + EXAMPLES -------- *Encrypted swap device*:: -cswap /dev/sda6 /dev/random swap +cr_sda6 /dev/sda6 /dev/random swap *Encrypted luks volume with interactive password*:: -cdisk0 /dev/hda1 none luks +cr_sda1 /dev/sda1 none luks *Encrypted luks volume with interactive password, use a custom check script, no retries*:: -cdisk2 /dev/hdc1 none luks,check=customscript,checkargs=foo,tries=1 +cr_sdc1 /dev/sdc1 none luks,check=customscript,checkargs=foo,tries=1 *Encrypted volume with interactive password and a cryptoloop compatible twofish256 cipher*:: -cdisk3 /dev/sda3 none cipher=twofish-cbc-plain,size=256,hash=sha512 +cr_sda3 /dev/sda3 none cipher=twofish-cbc-plain,size=256,hash=sha512 SEE ALSO -------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
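Review bot: the new UNLOCKING DEVICES AT BOOT TIME section (in both crypttab.5 and crypttab.5.txt) is missing the consequence of the boot.crypto.functions change in this same update: an entry keyed from /dev/random or /dev/urandom, such as the swap example `cr_sda6 /dev/sda6 /dev/random swap`, now needs /var/lib/misc/random-seed readable when boot.crypto-early runs, or it fails with "failed to initialize random number generator"; the man page should tell the reader to add noearly to such entries when /var is a separate partition. Minor wording in the same hunk: the sentence "There are three ways to unlock encrypted partitions during boot" lacks a full stop, "non zero" in the FSCK section should be "non-zero", and the statement that boot.crypto "should only be used for loop mounted images nowadays" would be more useful with its reason (the file system holding the image must be mounted first).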