verify that we can decrypt rootfs before offering it as menu item

author: Andrew Cady <d@jerkface.net> 2017-03-28 18:54:59 -0400
committer: Andrew Cady <d@jerkface.net> 2017-03-28 18:54:59 -0400
commit: 66bac917e1f17fbb15ad96b4ee68037d94608ce7 (patch)
tree: 9a26d22f4e88d1aecb24c405b669d0d172f3949d /src/initrd
parent: 5160fd50cf2bf09700c20236cac992a7a85fc943 (diff)
1 files changed, 15 insertions, 3 deletions
diff --git a/src/initrd/grok-block b/src/initrd/grok-block
index f44ed19..efe46d8 100755
--- a/src/initrd/grok-block
+++ b/src/initrd/grok-block
@@ -87,11 +87,24 @@ retry_mount()
  done
 }
+Gpg2()
+{
+    gpg2 --lock-never --no-permission-warning --no-auto-check-trustdb --no-options "$@"
+}
 gpg_verify()
 {
+  [ -e "$1" ] || return
  bootwait samizdat-gpg
  export GNUPGHOME=/gpg/gnupghome
-  gpg2 --lock-never --no-permission-warning --no-auto-check-trustdb --no-options --verify "$1"
+  Gpg2 --verify "$1"
+}
+gpg_can_decrypt()
+{
+  [ -e "$1" ] || return
+  bootwait samizdat-gpg
+  Gpg2 --decrypt "$1" | Gpg2 --decrypt "$1" >/dev/null
 }
 is_lvm()
@@ -186,8 +199,7 @@ grok_block()
      # TODO: And what if we create partitions and then reboot the machine mid-install?
  elif [ "$ID_PART_ENTRY_NAME" = samizdat-plaintext ]; then
-    # TODO: First ensure we can decrypt the key
+    if gpg_verify "$mountpoint"/disk.key && gpg_can_decrypt "$mountpoint"/disk.key; then
-    if [ -e "$mountpoint"/disk.key ]; then
      addmenu_choose_native_root "$(parent_device "$DEVNAME")"
    fi
    umount "$mountpoint"
author	Andrew Cady <d@jerkface.net>	2017-03-28 18:54:59 -0400
committer	Andrew Cady <d@jerkface.net>	2017-03-28 18:54:59 -0400
commit	66bac917e1f17fbb15ad96b4ee68037d94608ce7 (patch)
tree	9a26d22f4e88d1aecb24c405b669d0d172f3949d /src/initrd
parent	5160fd50cf2bf09700c20236cac992a7a85fc943 (diff)