Merge pull request #117 from Olf0/qcrypto

Pull request for v1.3.3

README.md

@@ -5,7 +5,7 @@ This edition is provided specifically for devices, which need to load Qualcomm's
 Only SailfishOS on the Jolla 1 (sbj) is known to provide (per its *kernel-adaptation-sbj* RPM) and need the `qcrypto.ko`, hence currently it is the only device supported by the "qcrypto edition".  SailfishOS on the Intex Aquafish / Jolla C (l500d / JP-1601) does not provide `qcrypto.ko`, for the Inoi R7 (p4903), Jala Accione and Accione P this is unknown (but `qcrypto.ko` is likely not provided), and on Sony's Xperias `qcrypto.ko` is definitely not provided.<br />
 Thus for all other devices (i.e., on those where `find /lib/modules/ -name qcrypto.ko` yields nothing), the [regular edition](https://github.com/Olf0/crypto-sdcard) shall be used.
 
-Extensively tested with systemd 225 (which includes udev), udisks2 2.7.5 and polkit 0.104 (e.g. SailfishOS 2.2 / 3.x, which provides aforementioned environment).<br />
+Extensively tested with systemd 225 (which includes udev), udisks2 2.7.5 and polkit 0.104 (e.g. SailfishOS since version 2.2, which provides aforementioned software or newer versions).<br />
 Built RPMs are available in the [release section](https://github.com/Olf0/crypto-sdcard/releases) and for easy installation under SailfishOS at [OpenRepos](https://openrepos.net/content/olf/crypto-sdcard-sbj-edition).
 
 The necessary steps to prepare an SD-card (or any other removable storage) are described at [Together.Jolla.com](https://together.jolla.com/question/195850/guide-creating-partitions-on-sd-card-optionally-encrypted/).<br />
@@ -22,11 +22,16 @@ Thus **crypto-sdcard** solely protects "data at rest" on SD-cards and other remo
   * As Cryptsetup reads the cryptography parameters from the LUKS header and Cryptsetup **2** supports both v1 and v2 headers, **crypto-sdcard** shall work fine with any LUKS header version and parameters, which are valid for the installed Cryptsetup version.
   * For Cryptsetup "plain" (only to be used, when "plausible deniability" is a must), **crypto-sdcard** has to provide the cryptography parameters and uses "*-h sha1 -s 256 -c aes-xts-plain*" by default.
     While these parameters are optimised for speed, low power consumption, interoperability and sufficiently strong security for the next decade (including the specific use of SHA1 for hashing a pass-file down to 160 bits), other parameters may be set for unlocking Cryptsetup "plain" in */etc/systemd/system/cryptosd-plain\@.service*
-* Start mounting encrypted (partitions on) SD-card via udisks at the earliest sensible time: Right after udisks2.service has started.
-* Unmount before udisks2 begins stopping, hence achieving a clean unmount.
-* Ensure, that AlienDalvik (specifically *alien-service-manager.service*) begins starting after mounting succeeded, to allow for [android_storage on SD-card](https://together.jolla.com/question/203539/guide-externalising-android_storage-and-other-directories-files-to-sd-card/#203539-2-externalising-homenemoandroid_storage).  Even more importantly this also ensures, that unmounting occurs only after AlienDalvik is completely stopped.<br />
-Nevertheless, these configuration files are also applicable to devices without AlienDalvik installed.
-* Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting udisks2; after both succeeded, all mount operations are also started concurrently.
+* Start mounting encrypted (partitions on) SD-card via udisks at the earliest sensible time: Right after *udisks2.service* has started.
+* Unmount before *udisks2.service* begins stopping, hence achieving a clean unmount.
+* Also do not use SailfishOS' *udisksctl-user* script for unmounting (because it cannot work at the time ExecStop is executed), which is installed and used by SailfishOS since its release 3.2.1, and was also used by *crypto-sdcard* versions 1.1-1 to 1.3.1-5; see [details here](https://github.com/Olf0/crypto-sdcard/pull/28).
+* Since v1.3.3 the [Systemd EnvironmentFiles](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#EnvironmentFile=) `mount-cryptosd-luks.conf` and `mount-cryptosd-luks@crypto_luks_<UUID>.conf` (in this order), respectively `mount-cryptosd-luks.conf` and `mount-cryptosd-plain@crypto_plain_<device-name>.conf`, in `/var/lib/environment/udisks2/` are evaluated for additional mount options, if they exist (one or both).
+  Take a look at `ls /dev/mapper/crypto*` for the partition specific part (between the `@` and the `.conf` extension) of the file names for the partition specific configuration files. 
+  These configuration files can be created by a system administrator (i.e., you), so if you want to add restricting mount options, see [here for details](https://github.com/Olf0/mount-sdcard/releases/tag/1.3.2).
+* Ensure, that AlienDalvik (specifically *alien-service-manager.service*) begins starting after mounting succeeded, to allow for [android_storage on SD-card](https://together.jolla.com/question/203539/guide-externalising-android_storage-and-other-directories-files-to-sd-card/#203539-2-externalising-homenemoandroid_storage).<br />
+  Even more importantly (i.e., also relevant for devices without "android_storage on SD-card") this also ensures, that unmounting occurs only after AlienDalvik has completely stopped.<br />
+  Nevertheless, these configuration files are also applicable to devices without AlienDalvik installed.
+* Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting udisks; after both succeeded, all mount operations are also started concurrently.
 
 #### Version history
 * v1.3<br />

rpm/crypto-sdcard.spec

@@ -1,6 +1,6 @@
 Name:          crypto-sdcard
 Summary:       Configuration files for unlocking and mounting encrypted SD-cards automatically
-Version:       1.3.2
+Version:       1.3.3
 # Since v1.3.1, the release version consists of two or three fields, separated by a dot ("."):
 # - The first field must contain a natural number greater than zero.
 #   This number may be prefixed by one of {alpha,beta,stable}, e.g. "alpha13".

systemd/system/cryptosd-luks@.service

@@ -4,7 +4,7 @@ Documentation=https://github.com/Olf0/crypto-sdcard
 After=systemd-udevd.service systemd-udev-settle.service dev-%i.device
 BindsTo=dev-%i.device
 PartOf=cryptsetup.target
-Conflicts=rescue.target actdead.target factory-test.target
+Conflicts=actdead.target factory-test.target
 AssertFileNotEmpty=/etc/crypto-sdcard/%I.key
 
 [Service]

systemd/system/cryptosd-plain@.service

@@ -4,7 +4,7 @@ Documentation=https://github.com/Olf0/crypto-sdcard
 After=systemd-udevd.service systemd-udev-settle.service dev-%i.device
 BindsTo=dev-%i.device
 PartOf=cryptsetup.target
-Conflicts=rescue.target actdead.target factory-test.target
+Conflicts=actdead.target factory-test.target
 AssertFileNotEmpty=/etc/crypto-sdcard/%I.key
 
 [Service]

systemd/system/mount-cryptosd-luks@.service

@@ -1,8 +1,13 @@
 [Unit]
 Description=Mount LUKS encrypted SD-card (%I) with udisks
 Documentation=https://github.com/Olf0/crypto-sdcard
-After=udisks2.service cryptosd-luks@%i.service dev-mapper-%i.device start-user-session.service
-BindsTo=udisks2.service cryptosd-luks@%i.service dev-mapper-%i.device
+After=udisks2.service cryptosd-luks@%i.service cryptsetup.target dev-mapper-%i.device start-user-session.service
+BindsTo=cryptsetup.target dev-mapper-%i.device
+Requires=udisks2.service cryptosd-luks@%i.service
+# Allow for rescue.target and conflict with umount.target (see
+# man 7 systemd.special; needed expicitly for the new ExecStopPost
+# statement as this a mounting unit, though not a mount unit):
+Conflicts=umount.target actdead.target factory-test.target
 # Ensure that this Unit is processed before alien-service-manager
 # is started (and even more importantly that it is shut down, *after*
 # alien-service-manager is shut down), to allow for android_storage
@@ -17,6 +22,9 @@ RemainAfterExit=yes
 # udisks object for an encrypted partition has not been created yet.
 # Hence giving udisksd a second to settle:
 ExecStartPre=/bin/sleep 1
-ExecStart=/usr/bin/udisksctl-user mount -b /dev/mapper/%I
+EnvironmentFile=-/var/lib/environment/udisks2/%p.conf
+EnvironmentFile=-/var/lib/environment/udisks2/%p@%I.conf
+ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
 ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I
+ExecStopPost=/bin/umount -vfrq /dev/%I
 

systemd/system/mount-cryptosd-plain@.service

@@ -1,8 +1,13 @@
 [Unit]
 Description=Mount "plain" encrypted SD-card (%I) with udisks
 Documentation=https://github.com/Olf0/crypto-sdcard
-After=udisks2.service cryptosd-plain@%i.service dev-mapper-%i.device start-user-session.service
-BindsTo=udisks2.service cryptosd-plain@%i.service dev-mapper-%i.device
+After=udisks2.service cryptosd-plain@%i.service cryptsetup.target dev-mapper-%i.device start-user-session.service
+BindsTo=cryptsetup.target dev-mapper-%i.device
+Requires=udisks2.service cryptosd-plain@%i.service
+# Allow for rescue.target and conflict with umount.target (see
+# man 7 systemd.special; needed expicitly for the new ExecStopPost
+# statement as this a mounting unit, though not a mount unit):
+Conflicts=umount.target actdead.target factory-test.target
 # Ensure that this Unit is processed before alien-service-manager
 # is started (and even more importantly that it is shut down, *after*
 # alien-service-manager is shut down), to allow for android_storage
@@ -17,6 +22,9 @@ RemainAfterExit=yes
 # udisks object for an encrypted partition has not been created yet.
 # Hence giving udisksd a second to settle:
 ExecStartPre=/bin/sleep 1
-ExecStart=/usr/bin/udisksctl-user mount -b /dev/mapper/%I
+EnvironmentFile=-/var/lib/environment/udisks2/%p.conf
+EnvironmentFile=-/var/lib/environment/udisks2/%p@%I.conf
+ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
 ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I
+ExecStopPost=/bin/umount -vfrq /dev/%I