Merge pull request #235 from Olf0/qcrypto
Commits for v1.7.1
Showing
6 changed files
with
36 additions
and
66 deletions.
@@ -7,7 +7,8 @@ Requisite=dev-disk-by\x2duuid-%i.device | |
PartOf=mount-cryptosd-luks@%i.service cryptsetup.target | ||
Conflicts=umount.target shutdown.target actdead.target factory-test.target | ||
Before=umount.target shutdown.target mount-cryptosd-luks@%i.service | ||
AssertFileNotEmpty=/etc/crypto-sdcard/crypto_luks_%I.key | ||
AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_luks_%I.key | ||
AssertPathExists=/etc/crypto-sdcard/crypto_luks_%I.key | ||
|
||
[Service] | ||
Type=oneshot | ||
|
@@ -17,20 +18,6 @@ RemainAfterExit=yes | |
ExecStartPre=/sbin/modprobe qcrypto | ||
# For various reasons (avoid (temporal) dependency on udisks2, allow for discards etc.), do | ||
# not use "udisksctl unlock --key-file", instead call cryptsetup directly: | ||
ExecStart=/usr/sbin/cryptsetup --allow-discards -d /etc/crypto-sdcard/crypto_luks_%I.key luksOpen /dev/disk/by-uuid/%I %I ; /bin/sleep 1 | ||
# "udisksctl mount" (in [email protected]) sometimes fails when issued right after | ||
# this unit (instance) and "udisksd" (per "udisks2.service") have finished starting, because | ||
# the udisks object for this unlocked device has not been created yet. | ||
# Hence one might give udisksd a second to recognise the fresh device, before starting units | ||
# dependent on this unit instance and "udisks2.service" / "udisksd". Side note: Letting | ||
# dependent units sleep for a second by an "ExecStartPre=/bin/sleep 1" in them would | ||
# unnecessarily waste this second most of the time; that is avoided this way. | ||
# Note that using ExecStartPost= for this is futile (as irrelevant for dependencies, see | ||
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type= ), but (only) | ||
# units of the Type=oneshot may use multiple ExecStart= lines (which are *started | ||
# concurrently*, but the last one is displayed as "main process") and / or commands in an | ||
# ExecStart= line. Side note: For non-oneshot units a solution is to move the ExecStart= | ||
# command to ExecStartPre= (that is *functionally equivalent*, but again displays the | ||
# ExecStart= command as "main process") and use ExecStart=/bin/sleep 1 | ||
ExecStart=/usr/sbin/cryptsetup --allow-discards -d /etc/crypto-sdcard/crypto_luks_%I.key luksOpen /dev/disk/by-uuid/%I %I | ||
ExecStop=/usr/sbin/cryptsetup close %I | ||
|
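Review bot: The key-file assertions on the new side, `AssertPathExists=/etc/crypto-sdcard/crypto_luks_%I.key` and `AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_luks_%I.key`, accept an empty regular file, which the `AssertFileNotEmpty=` line they appear to replace rejected; with an empty key file the unit now passes its assertions and only fails later inside `cryptsetup luksOpen`, with a less specific message in the journal. If the widening is deliberate (for instance to allow a non-regular path as key source), state that in a comment above the asserts; otherwise keep `AssertFileNotEmpty=/etc/crypto-sdcard/crypto_luks_%I.key` alongside the two new lines. The plain unit's asserts on `crypto_plain_%I.key` and the udev rule's `TEST==".../crypto_luks_%E{ID_FS_UUID}.key"` / `TEST==".../crypto_plain_%k.key"` matches, which replace the `PROGRAM=="/bin/grep -q .* ..."` non-empty check, have the same gap. Separately, `ExecStartPre=/sbin/modprobe qcrypto` in the second hunk carries no `-` prefix, so on a device where that module is unavailable the unit fails before cryptsetup is reached even though it might still work with software crypto; if the module is optional, write `ExecStartPre=-/sbin/modprobe qcrypto`.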
@@ -7,7 +7,8 @@ Requisite=dev-%i.device | |
PartOf=mount-cryptosd-plain@%i.service cryptsetup.target | ||
Conflicts=umount.target shutdown.target actdead.target factory-test.target | ||
Before=umount.target shutdown.target mount-cryptosd-plain@%i.service | ||
AssertFileNotEmpty=/etc/crypto-sdcard/crypto_plain_%I.key | ||
AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_plain_%I.key | ||
AssertPathExists=/etc/crypto-sdcard/crypto_plain_%I.key | ||
|
||
[Service] | ||
Type=oneshot | ||
|
@@ -23,20 +24,6 @@ StandardInput=file:/etc/crypto-sdcard/crypto_plain_%I.key | |
StandardOutput=journal | ||
# "udisksctl unlock --key-file" does only work with LUKS "containers", not with "plain" ones, | ||
# thus call cryptsetup directly: | ||
ExecStart=/usr/sbin/cryptsetup -d - -o ${CRYPTO_PLAIN_OFFSET} -h ${CRYPTO_PLAIN_PASSPHRASE_HASH} -s ${CRYPTO_PLAIN_KEYLENGTH} -c ${CRYPTO_PLAIN_CIPHER} --allow-discards --type plain open /dev/%I %I ; /bin/sleep 1 | ||
# "udisksctl mount" (in [email protected]) sometimes fails when issued right after | ||
# this unit (instance) and "udisksd" (per "udisks2.service") have finished starting, because | ||
# the udisks object for this unlocked device has not been created yet. | ||
# Hence one might give udisksd a second to recognise the fresh device, before starting units | ||
# dependent on this unit instance and "udisks2.service" / "udisksd". Side note: Letting | ||
# dependent units sleep for a second by an "ExecStartPre=/bin/sleep 1" in them would | ||
# unnecessarily waste this second most of the time; that is avoided this way. | ||
# Note that using ExecStartPost= for this is futile (as irrelevant for dependencies, see | ||
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#Type= ), but (only) | ||
# units of the Type=oneshot may use multiple ExecStart= lines (which are *started | ||
# concurrently*, but the last one is displayed as "main process") and / or commands in an | ||
# ExecStart= line. Side note: For non-oneshot units a solution is to move the ExecStart= | ||
# command to ExecStartPre= (that is *functionally equivalent*, but again displays the | ||
# ExecStart= command as "main process") and use ExecStart=/bin/sleep 1 | ||
ExecStart=/usr/sbin/cryptsetup -d - -o ${CRYPTO_PLAIN_OFFSET} -h ${CRYPTO_PLAIN_PASSPHRASE_HASH} -s ${CRYPTO_PLAIN_KEYLENGTH} -c ${CRYPTO_PLAIN_CIPHER} --allow-discards --type plain open /dev/%I %I | ||
ExecStop=/usr/sbin/cryptsetup close %I | ||
|
@@ -1,65 +1,61 @@ | ||
# Since crypto-sdcard 1.6.1, it adheres to the nomenclature used in other udev rules: | ||
# - KERNEL=="sd*[!0-9]|sr*", ENV{DEVTYPE}=="disk" for all USB-attached (OTG) storage *devices* | ||
# - KERNEL=="sd*[0-9]|sr*", ENV{DEVTYPE}=="partition" for all partitions on USB-attached storage devices | ||
# - KERNEL=="sd*|sr*" for both | ||
# - SUBSYSTEMS=="usb", KERNEL=="sd*[!0-9]|sr*", ENV{DEVTYPE}=="disk" for all USB-attached (OTG) storage *devices* | ||
# - SUBSYSTEMS=="usb", KERNEL=="sd*[0-9]|sr*", ENV{DEVTYPE}=="partition" for all partitions on USB-attached storage devices | ||
# - SUBSYSTEMS=="usb", KERNEL=="sd*|sr*" for both | ||
# - KERNEL=="mmcblk[1-9]" (the test ENV{DEVTYPE}=="disk" can be omitted) for the card in the internal slot and all external (USB-attached) SD-cards and MMCs (e.g., in readers). | ||
# - KERNEL=="mmcblk[1-9]p[0-9]" (the test ENV{DEVTYPE}=="partition" can be omitted) for all partitions on the card in the internal slot and on all external SD-cards and MMCs. Side note: mmcblk[0-9]boot[0-9] are (e)MMC's special devices ("RPMB"). | ||
# - KERNEL=="mmcblk[1-9]*" for both | ||
# - KERNEL=="mmcblk[1-9]*|sd*|sr*", SUBSYSTEMS=="usb" to filter for anything attached via (presumably "external") USB. Mind that on devices without an SD-card slot mmcblk1 will be an externally attached card. | ||
# - SUBSYSTEMS=="usb", KERNEL=="mmcblk[0-9]*|sd*|sr*" to filter for anything attached via (presumably "external") USB. Mind that on devices without an SD-card slot mmcblk1 will be an externally attached card. | ||
# Reference: /usr/lib/udev/rules.d/60-persistent-storage.rules | ||
# | ||
# Is something like KERNEL=="mmcblk[1-9]*|sd*|sr*", SUBSYSTEMS=="usb", ATTR{removable}="1" possible and reasonable (means only "removable *media*"?) ? Or without restricting it to USB-attached devices / partitions? | ||
# Q: Is something like SUBSYSTEMS=="usb", KERNEL=="mmcblk[0-9]*|sd*|sr*", ATTRS{removable}=="1" possible and reasonable (means only "removable *media*"?) ? Or without restricting it to USB-attached devices / partitions? | ||
# A: Yes, but potential side effects are still evaluated. | ||
|
||
SUBSYSTEM!="block", GOTO="cryptosd_mount_end" | ||
KERNEL!="mmcblk[1-9]*|sd*|sr*", GOTO="cryptosd_open_end" | ||
SUBSYSTEM!="block", GOTO="cryptosd_end" | ||
#SUBSYSTEMS!="usb", KERNEL!="mmcblk[0-9]*|sd*|sr*", GOTO="cryptosd_open_end" | ||
# Note that this means: If NOT (SUBSYSTEMS=="usb" OR KERNEL=="mmcblk[0-9]*|sd*|sr*"), then GOTO. | ||
|
||
# Ignore the additions / changes by Jolla per | ||
# https://git.sailfishos.org/mer-core/udisks2/blob/master/rpm/0005-Add-udev-rule-for-the-sda-drives.patch | ||
# by setting these anew / clobbering these for *all suitable* devices. | ||
KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="disk", ENV{MMC_TYPE}!="?*", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1" | ||
KERNEL=="sd*", ENV{DEVTYPE}=="disk", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1" | ||
# ToDo: Only set that for storage, which is not "rotational", but also for SATA-RAIDs; check, if ATTR{queue/rotational} works!?! | ||
#KERNEL=="sd*|sr*", ENV{DEVTYPE}=="disk", ATTR{queue/rotational}=="0", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1" | ||
|
||
# ToDo: Set UDISKS_CAN_POWER_OFF for all suitable devices dealt with, here: | ||
#ENV{DEVTYPE}=="disk", ATTR{power/control}=="on", ENV{UDISKS_CAN_POWER_OFF}="1" | ||
|
||
# ToDo: Use a test for ATA-Discard / -"Trim" to unlock appropriately: | ||
# See for details https://github.com/Olf0/crypto-sdcard/wiki/ToDo#starting-points-for-that | ||
# ATTR{discard_alignment}!="0", ... | ||
# ATTR{device/queue/discard_granularity}!="0", ... | ||
# ATTR{device/discard_alignment}!="0", ... | ||
# ATTRS{discard_alignment}!="0", ... | ||
# ATTRS{queue/discard_granularity}!="0", ... | ||
# or IMPORT{parent}="...", IMPORT{db}="...", | ||
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="disk", ATTR{queue/rotational}=="0", ENV{MMC_TYPE}!="?*", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1" | ||
|
||
# Set power control / UDISKS_CAN_POWER_OFF for all devices dealt with, here: This is also supported for partitions, not only disks!?! | ||
# KERNEL=="mmcblk[1-9]*", ATTR{power/control}=="off", ATTR{power/control}="auto" | ||
# SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ATTR{power/control}=="off", ATTR{power/control}="auto" | ||
KERNEL=="mmcblk[1-9]*", ATTR{power/control}=="on", ENV{UDISKS_CAN_POWER_OFF}="1" | ||
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ATTR{power/control}=="on", ENV{UDISKS_CAN_POWER_OFF}="1" | ||
|
||
# For DM-Crypt LUKS, match ENV{ID_FS_TYPE}=="crypto_LUKS" | ||
ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", PROGRAM=="/bin/grep -q .* /etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS" | ||
ENV{CRYPTOSD_TYPE}=="LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'" | ||
KERNEL=="mmcblk[1-9]*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS" | ||
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS" | ||
ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'" | ||
# When above detected and assigned devices are removed | ||
ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop %c" | ||
|
||
# For DM-Crypt "plain", ensure (by ENV{ID_*}!="?*" statements) that it appears to be unused space | ||
# Two rules, one for partitions and a tighter one for whole disks: | ||
ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", PROGRAM=="/bin/grep -q .* /etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN" | ||
ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", PROGRAM=="/bin/grep -q .* /etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN" | ||
ENV{CRYPTOSD_TYPE}=="PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'" | ||
KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN" | ||
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN" | ||
KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN" | ||
SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN" | ||
ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'" | ||
# When above detected and assigned devices are removed | ||
ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop cryptosd-plain@%k.service" | ||
|
||
LABEL="cryptosd_open_end" | ||
#LABEL="cryptosd_open_end" | ||
|
||
|
||
KERNEL!="dm-[0-9]*", GOTO="cryptosd_mount_end" | ||
KERNEL!="dm-[0-9]*", GOTO="cryptosd_end" | ||
|
||
# Carefully match resulting virtual node dm-[0-9]* to trigger mounting it; see /lib/udev/rules.d/10-dm.rules for details | ||
ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="????????-????-????-????-????????????|????-????", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_luks_%E{DM_NAME}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'" | ||
ENV{CRYPTOSD_TYPE}=="mount-LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape [email protected] %E{DM_NAME}", RUN{program}+="/usr/bin/systemctl stop %c" | ||
|
||
# Ditto for DM-Crypt "plain" | ||
ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[1-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'mount-cryptosd-plain@%E{DM_NAME}.service'" | ||
ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[0-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'mount-cryptosd-plain@%E{DM_NAME}.service'" | ||
ENV{CRYPTOSD_TYPE}=="mount-PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop mount-cryptosd-plain@%E{DM_NAME}.service" | ||
|
||
LABEL="cryptosd_mount_end" | ||
LABEL="cryptosd_end" | ||
|
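Review bot: The retired early-exit filter survives on the new side as two commented-out lines with no note on why they were kept, `#SUBSYSTEMS!="usb", KERNEL!="mmcblk[0-9]*|sd*|sr*", GOTO="cryptosd_open_end"` and, further down, `#LABEL="cryptosd_open_end"`; a later reader may re-enable one without the other, and as far as I know udev warns about and ignores a GOTO whose label does not exist. Either delete both lines or put `# Disabled pair: re-enable the GOTO and its LABEL together.` above the first one. The new power-control rules `KERNEL=="mmcblk[1-9]*", ATTR{power/control}=="on", ENV{UDISKS_CAN_POWER_OFF}="1"` and its `SUBSYSTEMS=="usb"` twin carry no `ENV{DEVTYPE}` match, so they also fire for partition nodes, which the comment above them leaves as an open question (`!?!`); if whole disks are meant, add `ENV{DEVTYPE}=="disk"` to both, otherwise turn the question into a statement of the intended behaviour.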