Skip to content

Commit

Permalink
Merge pull request #235 from Olf0/qcrypto
Browse files Browse the repository at this point in the history
Commits for v1.7.1
  • Loading branch information
Olf0 authored Apr 22, 2021
2 parents 1763adb + d8bf651 commit 60dca41
Show file tree
Hide file tree
Showing 6 changed files with 36 additions and 66 deletions.
2 changes: 1 addition & 1 deletion rpm/crypto-sdcard.spec
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
Name: crypto-sdcard
Summary: Configuration files for unlocking and mounting encrypted SD-cards automatically
Version: 1.7.0
Version: 1.7.1
# Since v1.3.1, the release version consists of two or three fields, separated by a dot ("."):
# - The first field must contain a natural number greater than zero.
# This number may be prefixed by one of {alpha,beta,stable}, e.g. "alpha13".
Expand Down
19 changes: 3 additions & 16 deletions systemd/system/[email protected]
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ Requisite=dev-disk-by\x2duuid-%i.device
PartOf=mount-cryptosd-luks@%i.service cryptsetup.target
Conflicts=umount.target shutdown.target actdead.target factory-test.target
Before=umount.target shutdown.target mount-cryptosd-luks@%i.service
AssertFileNotEmpty=/etc/crypto-sdcard/crypto_luks_%I.key
AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_luks_%I.key
AssertPathExists=/etc/crypto-sdcard/crypto_luks_%I.key

[Service]
Type=oneshot
Expand All @@ -17,20 +18,6 @@ RemainAfterExit=yes
ExecStartPre=/sbin/modprobe qcrypto
# For various reasons (avoid (temporal) dependency on udisks2, allow for discards etc.), do
# not use "udisksctl unlock --key-file", instead call cryptsetup directly:
ExecStart=/usr/sbin/cryptsetup --allow-discards -d /etc/crypto-sdcard/crypto_luks_%I.key luksOpen /dev/disk/by-uuid/%I %I ; /bin/sleep 1
# "udisksctl mount" (in [email protected]) sometimes fails when issued right after
# this unit (instance) and "udisksd" (per "udisks2.service") have finished starting, because
# the udisks object for this unlocked device has not been created yet.
# Hence one might give udisksd a second to recognise the fresh device, before starting units
# dependent on this unit instance and "udisks2.service" / "udisksd". Side note: Letting
# dependent units sleep for a second by an "ExecStartPre=/bin/sleep 1" in them would
# unnecessarily waste this second most of the time; that is avoided this way.
# Note that using ExecStartPost= for this is futile (as irrelevant for dependencies, see
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type= ), but (only)
# units of the Type=oneshot may use multiple ExecStart= lines (which are *started
# concurrently*, but the last one is displayed as "main process") and / or commands in an
# ExecStart= line. Side note: For non-oneshot units a solution is to move the ExecStart=
# command to ExecStartPre= (that is *functionally equivalent*, but again displays the
# ExecStart= command as "main process") and use ExecStart=/bin/sleep 1
ExecStart=/usr/sbin/cryptsetup --allow-discards -d /etc/crypto-sdcard/crypto_luks_%I.key luksOpen /dev/disk/by-uuid/%I %I
ExecStop=/usr/sbin/cryptsetup close %I

19 changes: 3 additions & 16 deletions systemd/system/[email protected]
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ Requisite=dev-%i.device
PartOf=mount-cryptosd-plain@%i.service cryptsetup.target
Conflicts=umount.target shutdown.target actdead.target factory-test.target
Before=umount.target shutdown.target mount-cryptosd-plain@%i.service
AssertFileNotEmpty=/etc/crypto-sdcard/crypto_plain_%I.key
AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_plain_%I.key
AssertPathExists=/etc/crypto-sdcard/crypto_plain_%I.key

[Service]
Type=oneshot
Expand All @@ -23,20 +24,6 @@ StandardInput=file:/etc/crypto-sdcard/crypto_plain_%I.key
StandardOutput=journal
# "udisksctl unlock --key-file" does only work with LUKS "containers", not with "plain" ones,
# thus call cryptsetup directly:
ExecStart=/usr/sbin/cryptsetup -d - -o ${CRYPTO_PLAIN_OFFSET} -h ${CRYPTO_PLAIN_PASSPHRASE_HASH} -s ${CRYPTO_PLAIN_KEYLENGTH} -c ${CRYPTO_PLAIN_CIPHER} --allow-discards --type plain open /dev/%I %I ; /bin/sleep 1
# "udisksctl mount" (in [email protected]) sometimes fails when issued right after
# this unit (instance) and "udisksd" (per "udisks2.service") have finished starting, because
# the udisks object for this unlocked device has not been created yet.
# Hence one might give udisksd a second to recognise the fresh device, before starting units
# dependent on this unit instance and "udisks2.service" / "udisksd". Side note: Letting
# dependent units sleep for a second by an "ExecStartPre=/bin/sleep 1" in them would
# unnecessarily waste this second most of the time; that is avoided this way.
# Note that using ExecStartPost= for this is futile (as irrelevant for dependencies, see
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type= ), but (only)
# units of the Type=oneshot may use multiple ExecStart= lines (which are *started
# concurrently*, but the last one is displayed as "main process") and / or commands in an
# ExecStart= line. Side note: For non-oneshot units a solution is to move the ExecStart=
# command to ExecStartPre= (that is *functionally equivalent*, but again displays the
# ExecStart= command as "main process") and use ExecStart=/bin/sleep 1
ExecStart=/usr/sbin/cryptsetup -d - -o ${CRYPTO_PLAIN_OFFSET} -h ${CRYPTO_PLAIN_PASSPHRASE_HASH} -s ${CRYPTO_PLAIN_KEYLENGTH} -c ${CRYPTO_PLAIN_CIPHER} --allow-discards --type plain open /dev/%I %I
ExecStop=/usr/sbin/cryptsetup close %I

2 changes: 1 addition & 1 deletion systemd/system/[email protected]
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,5 @@ EnvironmentFile=-/etc/crypto-sdcard/cryptosd.conf
EnvironmentFile=-/etc/crypto-sdcard/cryptosd@%I.conf
ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I
ExecStopPost=/bin/umount -vrq /dev/mapper/%I
ExecStopPost=-/bin/umount -vrq /dev/mapper/%I

2 changes: 1 addition & 1 deletion systemd/system/[email protected]
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,5 @@ EnvironmentFile=-/etc/crypto-sdcard/cryptosd.conf
EnvironmentFile=-/etc/crypto-sdcard/cryptosd@%I.conf
ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I
ExecStopPost=/bin/umount -vrq /dev/mapper/%I
ExecStopPost=-/bin/umount -vrq /dev/mapper/%I

58 changes: 27 additions & 31 deletions udev/rules.d/96-cryptosd.rules
Original file line number Diff line number Diff line change
@@ -1,65 +1,61 @@
# Since crypto-sdcard 1.6.1, it adheres to the nomenclature used in other udev rules:
# - KERNEL=="sd*[!0-9]|sr*", ENV{DEVTYPE}=="disk" for all USB-attached (OTG) storage *devices*
# - KERNEL=="sd*[0-9]|sr*", ENV{DEVTYPE}=="partition" for all partitions on USB-attached storage devices
# - KERNEL=="sd*|sr*" for both
# - SUBSYSTEMS=="usb", KERNEL=="sd*[!0-9]|sr*", ENV{DEVTYPE}=="disk" for all USB-attached (OTG) storage *devices*
# - SUBSYSTEMS=="usb", KERNEL=="sd*[0-9]|sr*", ENV{DEVTYPE}=="partition" for all partitions on USB-attached storage devices
# - SUBSYSTEMS=="usb", KERNEL=="sd*|sr*" for both
# - KERNEL=="mmcblk[1-9]" (the test ENV{DEVTYPE}=="disk" can be omitted) for the card in the internal slot and all external (USB-attached) SD-cards and MMCs (e.g., in readers).
# - KERNEL=="mmcblk[1-9]p[0-9]" (the test ENV{DEVTYPE}=="partition" can be omitted) for all partitions on the card in the internal slot and on all external SD-cards and MMCs. Side note: mmcblk[0-9]boot[0-9] are (e)MMC's special devices ("RPMB").
# - KERNEL=="mmcblk[1-9]*" for both
# - KERNEL=="mmcblk[1-9]*|sd*|sr*", SUBSYSTEMS=="usb" to filter for anything attached via (presumably "external") USB. Mind that on devices without an SD-card slot mmcblk1 will be an externally attached card.
# - SUBSYSTEMS=="usb", KERNEL=="mmcblk[0-9]*|sd*|sr*" to filter for anything attached via (presumably "external") USB. Mind that on devices without an SD-card slot mmcblk1 will be an externally attached card.
# Reference: /usr/lib/udev/rules.d/60-persistent-storage.rules
#
# Is something like KERNEL=="mmcblk[1-9]*|sd*|sr*", SUBSYSTEMS=="usb", ATTR{removable}="1" possible and reasonable (means only "removable *media*"?) ? Or without restricting it to USB-attached devices / partitions?
# Q: Is something like SUBSYSTEMS=="usb", KERNEL=="mmcblk[0-9]*|sd*|sr*", ATTRS{removable}=="1" possible and reasonable (means only "removable *media*"?) ? Or without restricting it to USB-attached devices / partitions?
# A: Yes, but potential side effects are still evaluated.

SUBSYSTEM!="block", GOTO="cryptosd_mount_end"
KERNEL!="mmcblk[1-9]*|sd*|sr*", GOTO="cryptosd_open_end"
SUBSYSTEM!="block", GOTO="cryptosd_end"
#SUBSYSTEMS!="usb", KERNEL!="mmcblk[0-9]*|sd*|sr*", GOTO="cryptosd_open_end"
# Note that this means: If NOT (SUBSYSTEMS=="usb" OR KERNEL=="mmcblk[0-9]*|sd*|sr*"), then GOTO.

# Ignore the additions / changes by Jolla per
# https://git.sailfishos.org/mer-core/udisks2/blob/master/rpm/0005-Add-udev-rule-for-the-sda-drives.patch
# by setting these anew / clobbering these for *all suitable* devices.
KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="disk", ENV{MMC_TYPE}!="?*", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1"
KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1"
# ToDo: Only set that for storage, which is not "rotational", but also for SATA-RAIDs; check, if ATTR{queue/rotational} works!?!
#KERNEL=="sd*|sr*", ENV{DEVTYPE}=="disk", ATTR{queue/rotational}=="0", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1"

# ToDo: Set UDISKS_CAN_POWER_OFF for all suitable devices dealt with, here:
#ENV{DEVTYPE}=="disk", ATTR{power/control}=="on", ENV{UDISKS_CAN_POWER_OFF}="1"

# ToDo: Use a test for ATA-Discard / -"Trim" to unlock appropriately:
# See for details https://github.com/Olf0/crypto-sdcard/wiki/ToDo#starting-points-for-that
# ATTR{discard_alignment}!="0", ...
# ATTR{device/queue/discard_granularity}!="0", ...
# ATTR{device/discard_alignment}!="0", ...
# ATTRS{discard_alignment}!="0", ...
# ATTRS{queue/discard_granularity}!="0", ...
# or IMPORT{parent}="...", IMPORT{db}="...",
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="disk", ATTR{queue/rotational}=="0", ENV{MMC_TYPE}!="?*", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1"

# Set power control / UDISKS_CAN_POWER_OFF for all devices dealt with, here: This is also supported for partitions, not only disks!?!
# KERNEL=="mmcblk[1-9]*", ATTR{power/control}=="off", ATTR{power/control}="auto"
# SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ATTR{power/control}=="off", ATTR{power/control}="auto"
KERNEL=="mmcblk[1-9]*", ATTR{power/control}=="on", ENV{UDISKS_CAN_POWER_OFF}="1"
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ATTR{power/control}=="on", ENV{UDISKS_CAN_POWER_OFF}="1"

# For DM-Crypt LUKS, match ENV{ID_FS_TYPE}=="crypto_LUKS"
ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", PROGRAM=="/bin/grep -q .* /etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS"
ENV{CRYPTOSD_TYPE}=="LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'"
KERNEL=="mmcblk[1-9]*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS"
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS"
ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'"
# When above detected and assigned devices are removed
ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop %c"

# For DM-Crypt "plain", ensure (by ENV{ID_*}!="?*" statements) that it appears to be unused space
# Two rules, one for partitions and a tighter one for whole disks:
ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", PROGRAM=="/bin/grep -q .* /etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN"
ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", PROGRAM=="/bin/grep -q .* /etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN"
ENV{CRYPTOSD_TYPE}=="PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'"
KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN"
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN"
KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN"
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN"
ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'"
# When above detected and assigned devices are removed
ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop cryptosd-plain@%k.service"

LABEL="cryptosd_open_end"
#LABEL="cryptosd_open_end"


KERNEL!="dm-[0-9]*", GOTO="cryptosd_mount_end"
KERNEL!="dm-[0-9]*", GOTO="cryptosd_end"

# Carefully match resulting virtual node dm-[0-9]* to trigger mounting it; see /lib/udev/rules.d/10-dm.rules for details
ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="????????-????-????-????-????????????|????-????", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_luks_%E{DM_NAME}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'"
ENV{CRYPTOSD_TYPE}=="mount-LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", RUN{program}+="/usr/bin/systemctl stop %c"

# Ditto for DM-Crypt "plain"
ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[1-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'mount-cryptosd-plain@%E{DM_NAME}.service'"
ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[0-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'mount-cryptosd-plain@%E{DM_NAME}.service'"
ENV{CRYPTOSD_TYPE}=="mount-PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop mount-cryptosd-plain@%E{DM_NAME}.service"

LABEL="cryptosd_mount_end"
LABEL="cryptosd_end"

0 comments on commit 60dca41

Please sign in to comment.