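--- a/defaults/initrd.scripts
+++ b/defaults/initrd.scripts
@@ -699,6 +699,7 @@ openLUKS() {
 	[ ! -e /sbin/cryptsetup ] && bad_msg "The ramdisk does not support LUKS" && exit 1
 	while [ 1 ]
 	do
+		local gpg_cmd=""
 		# if crypt_silent=1 and some error occurs, enter shell quietly
 		if [ \( ${CRYPT_SILENT} -eq 1 \) -a \( \( \( ${DEV_ERROR} -eq 1 \) -o \( ${KEY_ERROR} -eq 1 \) \) -o \( ${KEYDEV_ERROR} -eq 1 \) \) ]
 		then
@@ -783,10 +784,17 @@ openLUKS() {
 					fi
 					# At this point a candidate key exists (either mounted before or not)
 					good_msg "${LUKS_KEY} on device ${LUKS_KEYDEV} found" ${CRYPT_SILENT}
-					cryptsetup_options="-d ${mntkey}${LUKS_KEY}"
+					if [ $(echo ${LUKS_KEY} | grep -o '.gpg$') == ".gpg" ] && [ -e /sbin/gpg ] ; then
+						[ -e /dev/tty ] && mv /dev/tty /dev/tty.org
+						mknod /dev/tty c 5 1
+						cryptsetup_options="-d -"
+						gpg_cmd="/sbin/gpg --logger-file /dev/null --quiet --decrypt ${mntkey}${LUKS_KEY} |"
+					else
+						cryptsetup_options="-d ${mntkey}${LUKS_KEY}"
+					fi
 				fi
 				# At this point, keyfile or not, we're ready!
-				crypt_filter "cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
+				crypt_filter "${gpg_cmd}cryptsetup ${cryptsetup_options} luksOpen ${LUKS_DEVICE} ${LUKS_NAME}"
 				if [ $? -eq 0 ]
 				then
 					good_msg "LUKS device ${LUKS_DEVICE} opened" ${CRYPT_SILENT}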
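Review bot: The new `.gpg` suffix test at new line 787 uses an unquoted command substitution, so for a key name without that suffix `[` receives `== ".gpg"` with no left operand and, in most shells, reaches the else branch only through a test error; `if [ "${LUKS_KEY%.gpg}" != "${LUKS_KEY}" ] && [ -e /sbin/gpg ] ; then` avoids both the error and the extra grep process. The gpg pipeline is also built as a string from the unquoted `${mntkey}${LUKS_KEY}`, which can only work if crypt_filter evaluates its argument as shell (its body is not visible here), so a key path containing whitespace or shell metacharacters would be re-parsed; the path should be quoted inside that string or the key name validated before use. Nothing in the visible lines restores `/dev/tty` from `/dev/tty.org` or checks that `mknod` succeeded; openLUKS continues outside both hunks, so that may be handled elsewhere.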
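--- a/gen_cmdline.sh
+++ b/gen_cmdline.sh
@@ -94,6 +94,7 @@ longusage() {
   echo "				ramdisk"
   echo "	--luks			Include LUKS support"
   echo "				--> 'emerge cryptsetup-luks' with USE=-dynamic"
+  echo "	--gpg			Include GPG-armored LUKS key support"
   echo "	--no-busybox    Do not include busybox in the initramfs."
   echo "	--unionfs       Include support for unionfs"
   echo "	--netboot       Create a self-contained env in the initramfs"
@@ -520,6 +521,10 @@ parse_cmdline() {
 			CMD_LUKS=1
 			print_info 2 "CMD_LUKS: ${CMD_LUKS}"
 			;;
+		--gpg)
+			CMD_GPG=1
+			print_info 2 "CMD_GPG: ${CMD_GPG}"
+			;;
 		--firmware)
 			CMD_FIRMWARE=1
 			print_info 2 "CMD_FIRMWARE: ${CMD_FIRMWARE}"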
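Review bot: The help string added in longusage() describes the keys as "GPG-armored", but in GnuPG "armor" refers to the ASCII text encoding (`--armor`), while the man-page text in this same patch describes symmetrically encrypted key files. I would word it `echo "	--gpg			Include support for GPG-encrypted LUKS keys"`. parse_cmdline accepts `--gpg` independently of `--luks`; whether that combination is validated elsewhere is not visible in these hunks.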
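--- a/gen_compile.sh
+++ b/gen_compile.sh
@@ -663,3 +663,44 @@ compile_iscsi() {
 	fi
 }
 
+compile_gpg() {
+	if [ ! -f "${GPG_BINCACHE}" ]
+	then
+		[ ! -f "${GPG_SRCTAR}" ] &&
+			gen_die "Could not find gnupg source tarball: ${GPG_SRCTAR}. Please place it there, or place another version, changing /etc/genkernel.conf as necessary!"
+		cd "${TEMP}"
+		rm -rf "${GPG_DIR}"
+		tar -jxf "${GPG_SRCTAR}"
+		[ ! -d "${GPG_DIR}" ] &&
+			gen_die "gnupg directory ${GPG_DIR} invalid"
+		cd "${GPG_DIR}"
+		print_info 1 'gnupg: >> Configuring...'
+		# --enable-minimal works, but it doesn't reduce the command length much.
+		# Given its history and the precision this needs, explicit is cleaner.
+		LDFLAGS='-static' CFLAGS='-Os' ./configure --prefix=/ \
+			--enable-static-rnd=linux --disable-dev-random --disable-asm \
+			--disable-selinux-support --disable-gnupg-iconv --disable-card-support \
+			--disable-agent-support --disable-bzip2 --disable-exec \
+			--disable-photo-viewers --disable-keyserver-helpers --disable-ldap \
+			--disable-hkp --disable-finger --disable-generic --disable-mailto \
+			--disable-keyserver-path --disable-dns-srv --disable-dns-pka \
+			--disable-dns-cert --disable-nls --disable-threads --disable-regex \
+			--disable-optimization --with-included-zlib --without-capabilities \
+			--without-tar --without-ldap --without-libcurl --without-mailprog \
+			--without-libpth-prefix --without-libiconv-prefix --without-libintl-prefix\
+			--without-zlib --without-bzip2 --without-libusb --without-readline \
+				>> ${LOGFILE} 2>&1 || gen_die 'Configuring gnupg failed!'
+		print_info 1 'gnupg: >> Compiling...'
+		MAKE=${UTILS_MAKE} compile_generic "" ""
+		print_info 1 'gnupg: >> Copying to cache...'
+		[ -f "${TEMP}/${GPG_DIR}/g10/gpg" ] ||
+			gen_die 'gnupg executable does not exist!'
+		strip "${TEMP}/${GPG_DIR}/g10/gpg" ||
+			gen_die 'Could not strip gpg binary!'
+		bzip2 -z -c "${TEMP}/${GPG_DIR}/g10/gpg" > "${GPG_BINCACHE}" ||
+			gen_die 'Could not copy the gpg binary to the package directory, does the directory exist?'
+
+		cd "${TEMP}"
+		rm -rf "${GPG_DIR}" > /dev/null
+	fi
+}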
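Review bot: Both `cd "${TEMP}"` calls in compile_gpg (new lines 671 and 703) are unchecked and each is followed by `rm -rf "${GPG_DIR}"` on a relative path, so if `${TEMP}` cannot be entered the delete and the `tar -jxf` extraction act on whatever directory the caller was in. `cd "${TEMP}" || gen_die "Could not change to ${TEMP}"` closes that. The tarball is only tested for existence before it is built into the binary that will handle the disk key at boot; a checksum or signature check may live elsewhere in genkernel, but none is visible here. The bzip2 redirect writes `${GPG_BINCACHE}` in place, so an interrupted run can leave a truncated cache that the `-f` test at the top accepts on the next run; writing to a temporary name and renaming it afterwards would avoid that.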
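--- a/gen_determineargs.sh
+++ b/gen_determineargs.sh
@@ -110,6 +110,7 @@ determine_real_args() {
 	set_config_with_override 2 REAL_ROOT			CMD_REAL_ROOT
 	set_config_with_override 1 DISKLABEL            CMD_DISKLABEL
 	set_config_with_override 1 LUKS                 CMD_LUKS
+	set_config_with_override 1 GPG                  CMD_GPG
 	set_config_with_override 1 MDADM                CMD_MDADM
 	set_config_with_override 1 MULTIPATH            CMD_MULTIPATH
 	set_config_with_override 1 FIRMWARE             CMD_FIRMWARE
@@ -133,6 +134,7 @@ determine_real_args() {
 	BLKID_BINCACHE=`cache_replace "${BLKID_BINCACHE}"`
 	FUSE_BINCACHE=`cache_replace "${FUSE_BINCACHE}"`
 	UNIONFS_FUSE_BINCACHE=`cache_replace "${UNIONFS_FUSE_BINCACHE}"`
+	GPG_BINCACHE=`cache_replace "${GPG_BINCACHE}"`
   
 	DEFAULT_KERNEL_CONFIG=`arch_replace "${DEFAULT_KERNEL_CONFIG}"`
 	BUSYBOX_CONFIG=`arch_replace "${BUSYBOX_CONFIG}"`
@@ -144,6 +146,7 @@ determine_real_args() {
 	BLKID_BINCACHE=`arch_replace "${BLKID_BINCACHE}"`
 	FUSE_BINCACHE=`arch_replace "${FUSE_BINCACHE}"`
 	UNIONFS_FUSE_BINCACHE=`arch_replace "${UNIONFS_FUSE_BINCACHE}"`
+	GPG_BINCACHE=`arch_replace "${GPG_BINCACHE}"`
 
 	if [ -n "${CMD_BOOTLOADER}" ]
 	then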
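--- a/gen_funcs.sh
+++ b/gen_funcs.sh
@@ -500,7 +500,7 @@ set_config_with_override() {
 }
 
 check_distfiles() {
-	for i in $BUSYBOX_SRCTAR $DEVICE_MAPPER_SRCTAR $MULTIPATH_SRCTAR $LVM_SRCTAR $DMRAID_SRCTAR $E2FSPROGS_SRCTAR $ISCSI_SRCTAR
+	for i in $BUSYBOX_SRCTAR $DEVICE_MAPPER_SRCTAR $MULTIPATH_SRCTAR $LVM_SRCTAR $DMRAID_SRCTAR $E2FSPROGS_SRCTAR $ISCSI_SRCTAR $GPG_SRCTAR
 	do
 		if [ ! -f "${i}" ]
 		then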
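Review bot: `$GPG_SRCTAR` is appended to an unquoted word list in check_distfiles, so if the variable is empty (for instance with a genkernel.conf that lacks the new GPG_* settings, which is an assumption about deployments rather than something shown here) the entry drops out of the loop and nothing is checked for it. Quoting each entry, e.g. `"${GPG_SRCTAR}"`, makes an empty value fail the `-f` test instead of vanishing. As far as the visible lines show, the tarball is also checked whether or not `--gpg` was requested; the body of the loop after `then` lies outside the hunk.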
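--- a/gen_initramfs.sh
+++ b/gen_initramfs.sh
@@ -438,6 +438,25 @@ append_firmware() {
 	rm -r "${TEMP}/initramfs-firmware-temp/"
 }
 
+append_gpg() {
+	if [ -d "${TEMP}/initramfs-gpg-temp" ]
+	then
+		rm -r "${TEMP}/initramfs-gpg-temp"
+	fi
+	cd ${TEMP}
+	mkdir -p "${TEMP}/initramfs-gpg-temp/sbin/"
+	if [ ! -e ${GPG_BINCACHE} ] ; then
+		print_info 1 '		GPG: Adding support (compiling binaries)...'
+		compile_gpg
+	fi
+	bzip2 -dc "${GPG_BINCACHE}" > "${TEMP}/initramfs-gpg-temp/sbin/gpg" ||
+		gen_die 'Could not extract gpg binary cache!'
+	chmod a+x "${TEMP}/initramfs-gpg-temp/sbin/gpg"
+	cd "${TEMP}/initramfs-gpg-temp/"
+	find . -print | cpio ${CPIO_ARGS} --append -F "${CPIO}"
+	rm -rf "${TEMP}/initramfs-gpg-temp" > /dev/null
+}
+
 print_list()
 {
 	local x
@@ -626,6 +645,7 @@ create_initramfs() {
 	append_data 'mdadm' "${MDADM}"
 	append_data 'luks' "${LUKS}"
 	append_data 'multipath' "${MULTIPATH}"
+	append_data 'gpg' "${GPG}"
 
 	if [ "${NORAMDISKMODULES}" -eq '0' ]
 	then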
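Review bot: In append_gpg the `find . -print | cpio` pipeline at new line 456 is unchecked, as are both `cd` calls, so a failure there yields an initramfs without `/sbin/gpg` and no build error. The openLUKS change in this same patch then takes its else branch and passes the still-encrypted key file to cryptsetup, so the problem only shows up as a failed unlock at boot. Adding `|| gen_die 'Could not append gpg to the initramfs!'` to the cpio line would surface it at build time. The test `[ ! -e ${GPG_BINCACHE} ]` should also be quoted, `if [ ! -e "${GPG_BINCACHE}" ] ; then`, since with an empty value it collapses to `[ ! -e ]`, which is false and skips compile_gpg.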
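--- a/genkernel.8
+++ b/genkernel.8
@@ -192,6 +192,18 @@ Add DMRAID support.
 Add in EVMS support from static binaries if they exist on the system:
 you should run "emerge evms" first.
 .TP
+\fB\-\-gpg\fR
+.RS
+Add support for PGP-armored LUKS keys; this increases the size of the initrd
+considerably.  The key file must end in '.gpg' and is expected to be the same
+format as a LUKS key, just symmetrically encrypted (i.e. "gpg --symmetric").
+Example:
+.RS
+
+gpg --symmetric --cipher-algo=AES --output newkey.gpg old_luks_key.key
+.RE
+.RE
+.TP
 \fB\-\-lvm\fR
 .RS
 Add in LVM support from static binaries if they exist on the system,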
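--- a/genkernel.conf
+++ b/genkernel.conf
@@ -186,3 +186,8 @@ UNIONFS_FUSE_VER="VERSION_UNIONFS_FUSE"
 UNIONFS_FUSE_DIR="unionfs-fuse-${UNIONFS_FUSE_VER}"
 UNIONFS_FUSE_SRCTAR="${DISTDIR}/unionfs-fuse-${UNIONFS_FUSE_VER}.tar.bz2"
 UNIONFS_FUSE_BINCACHE="%%CACHE%%/unionfs-fuse-${UNIONFS_FUSE_VER}-%%ARCH%%.bz2"
+
+GPG_VER="VERSION_GPG"
+GPG_DIR="gnupg-${GPG_VER}"
+GPG_SRCTAR="${DISTDIR}/gnupg-${GPG_VER}.tar.bz2"
+GPG_BINCACHE="%%CACHE%%/gnupg-${GPG_VER}-%%ARCH%%.bz2"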
