authorAndrew Cady <d@jerkface.net>2016-04-27 09:23:09 -0400
committerAndrew Cady <d@jerkface.net>2016-04-27 09:23:09 -0400
commitbb35cfd21f0683d17d29a5f51b22bab8047127de (patch)
tree035abc9fcb556cd195041587cf208e0ff6ccfcb6 /old-school
parent5240fe8fb459d895ec8daf7da013298ac9786a59 (diff)
Implement encrypted cdrom ejection
This allows the cdrom to be copied onto the outer filesystem (mounted in /outerfs) without storing unencrypted gpg keys there. e.g.: samizdat-eject.sh /outerfs/samizdat.iso This was necessary because the other method probably causes btrfs deadlocks. We do end up copying data twice this way (or three times, probably -- if the ISO is saved), but not _from the cdrom_. And we get to eject immediately after the first copy. Future copies will be from the hard drive. Not too bad.
Diffstat (limited to 'old-school')
-rw-r--r--old-school/lvm-create.sh26
-rw-r--r--old-school/mdadm-dup.sh46
2 files changed, 70 insertions, 2 deletions
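diff --git a/old-school/lvm-create.sh b/old-school/lvm-create.sh
index ce0862e..916b888 100644
--- a/old-school/lvm-create.sh
+++ b/old-school/lvm-create.sh
@@ -53,12 +53,35 @@ init_samizdat()
 
  btrfs device add "$blockdev" /root || return
  mount -o rw,remount /root || return
+ samizdat_movemounts "$imgfile"
 
  initialize_root_filesystem || return
 
  bootdone root-mounted
 }
 
+samizdat_movemounts()
+{
+ local imgfile="$1" mountpoint
+
+ mountpoint=$(mountpoint_of "$imgfile") || return
+ mkdir /root/cdrom /root/outerfs
+ mount -o move /cdrom /root/cdrom
+ mount -o move "$mountpoint" /root/outerfs
+ mkdir /run/initramfs/samizdat
+ mv /var/log /run/initramfs/samizdat/log
+}
+
+mountpoint_of()
+{
+ local f="$1"
+ while ! mountpoint -q "$f"; do
+ f=$(dirname "$f")
+ [ "$f" != '.' ] || return 1
+ done
+ printf '%s\n' "$f"
+}
+
 initialize_root_filesystem()
 {
  rm -r /root/root
@@ -117,7 +140,7 @@ filesystem_incomplete()
 open_samizdat()
 {
  open_samizdat_blockdev "$@" || return
- local blockdev=/dev/mapper/samizdatcrypt fs
+ local blockdev=/dev/mapper/samizdatcrypt imgfile="$1" fs
 
  # For this part, we don't necessarily need the cdrom.
  # Unfortunately the init_gpg code is still getting the GPG key there.
@@ -127,6 +150,7 @@ open_samizdat()
  modprobe btrfs || return
  btrfs device scan || return
  mount -t btrfs -o subvol=ROOT "$blockdev" /root || return
+ samizdat_movemounts "$imgfile"
  LoSetup -D
  bootdone root-mounted
 }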
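Review bot: samizdat_movemounts checks only the `mountpoint_of` call; the two `mkdir`s, both `mount -o move` calls and the `mv /var/log` run unchecked, and both call sites (in init_samizdat and open_samizdat) ignore its status while the neighbouring steps use `|| return`. A failed move therefore still reaches `bootdone root-mounted` with /root/cdrom or /root/outerfs not holding what later steps expect. Chaining the steps with `|| return` and calling `samizdat_movemounts "$imgfile" || return` would keep the failure visible. mountpoint_of also returns `/` when the image file does not sit on a separate mount, so the second move would then target the root mount; a guard such as `[ "$mountpoint" != / ] || return` before the moves seems warranted. init_samizdat's body starts outside the hunk, so whether `imgfile` is set there cannot be confirmed from this page.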
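diff --git a/old-school/mdadm-dup.sh b/old-school/mdadm-dup.sh
index 16e3dfd..fe18e92 100644
--- a/old-school/mdadm-dup.sh
+++ b/old-school/mdadm-dup.sh
@@ -116,7 +116,51 @@ mdadm_subdevices()
  mdadm -D "$md_dev" -Y | sed -ne 's/^MD_DEVICE_.*_DEV=//p'
 }
 
-mdadm_copy_eject() # NOT INITRD; uses non-busybox "losetup"
+cryptsetup_temp()
+{
+ local sectors="$1" cryptname="$2" temp_file="$3" parms=$- secret
+ set +x
+ # Add 4096 sectors for LUKS header
+ truncate -s $(((sectors + 4096) * 512)) "$temp_file" || return
+ cleartext_dev=$(LoSetup -f --show "$temp_file") || return
+ secret="$(head -c256 /dev/urandom)" || return
+ printf %s "$secret" |
+ cryptsetup luksFormat "$cleartext_dev" - || return
+ printf %s "$secret" |
+ cryptsetup --key-file - luksOpen "$cleartext_dev" "$cryptname" || return
+ unset secret
+ set $parms
+
+ wait_for_dm_device /dev/mapper/"$cryptname"
+ echo /dev/mapper/"$cryptname"
+}
+
+mdadm_copy_eject_crypt()
+{
+ local md_dev="$1" temp_file="$2"
+
+ [ -b "$md_dev" ] || return
+ [ ! -e "$temp_file" ] || return
+
+ local output_dev sectors
+
+ old_subdev=$(mdadm_subdevices "$md_dev"|head -n1) || return
+ [ -b "$old_subdev" ] || return
+ # TODO: truncate to the ISO fs size if the device is larger
+ sectors=$(blockdev --getsz "$md_dev") || return
+
+ output_dev=$(cryptsetup_temp "$sectors" samizdatiso "$temp_file") || return
+
+ mdadm "$md_dev" --add "$output_dev" || return
+ mdadm "$md_dev" --grow -n2 || return
+
+ mdadm_wait_remove "$md_dev" "$old_subdev" || return
+
+ mdadm "$md_dev" --grow -n1 --force || return
+ dm_snapshot_teardown "$old_subdev"
+}
+
+mdadm_copy_eject()
 {
  local md_dev="$1" output_file="$2"
 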
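Review bot: `set $parms` at the end of the key-handling part of cryptsetup_temp does not restore the saved shell options: without a leading `-` it assigns the saved flag string to the positional parameters, so xtrace stays off for the rest of the function; `case $parms in *x*) set -x ;; esac` would restore only the flag that `set +x` changed. The `|| return` exits after `LoSetup -f --show` skip `unset secret` and any teardown, so a failed luksFormat or luksOpen leaves the loop device attached and the backing file on the outer filesystem, and a later failure in mdadm_copy_eject_crypt leaves the `samizdatiso` mapping open. Because `head -c256 /dev/urandom` is captured through command substitution, NUL bytes are dropped and trailing newlines stripped before the key reaches cryptsetup; the same string feeds both calls so it still opens, but hex-encoding a shorter read would make the key material well-defined. `cleartext_dev` and `old_subdev` are assigned without `local`, and the status of `wait_for_dm_device` is not checked before the mapper path is echoed to the caller.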