1 #!/bin/sh
2 #
3 # Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
4 # All rights reserved.
5 #
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
8 # are met:
9 # 1. Redistributions of source code must retain the above copyright
10 #    notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 #    notice, this list of conditions and the following disclaimer in the
13 #    documentation and/or other materials provided with the distribution.
14 #
15 # THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
16 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
19 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 # SUCH DAMAGE.
26 #
27 # $FreeBSD$
28 #
29
30 # PROVIDE: disks
31 # KEYWORD: nojail
32
33 . /etc/rc.subr
34
name="geli"
desc="GELI disk encryption"
# Only bother starting when rc.conf lists at least one provider or group.
start_precmd='[ -n "$(geli_make_list)" ] || [ -n "${geli_groups}" ]'
start_cmd="geli_start"
stop_cmd="geli_stop"
# The geom_eli kernel module is loaded before start (kld name geom_eli,
# identified as g_eli once loaded).
required_modules="geom_eli:g_eli"
41
42 # Takes provider
43 # Reads key from EFIvar
44 # Returns tempfile pathname containing key
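# Takes provider
# Reads key from EFIvar
# Returns tempfile pathname containing key
#
# The lookup is only performed when geli_<provider>_efi is YES in rc.conf
# (the default is NO, a value checkyesno accepts without complaint).  The
# EFI variable name is the fixed GUID below followed by the sha256 of the
# provider name.  On success the pathname of a mktemp-created (mode 0600)
# file holding the raw key is printed; nothing is printed when the lookup is
# disabled, the variable is empty, or the temporary file could not be
# created.  Returns non-zero only on a mktemp or efivar failure.
geli_efi()
{
	local provider="${1}"
	local provider_ guid efi efivar tmpkey

	provider_=$(ltr "${provider}" '/-' '_')
	guid="65537263-7465-654b-4f79-44666f6f216d"

	eval "efi=\${geli_${provider_}_efi:-NO}"

	if ! checkyesno efi; then
		return 0
	fi

	efivar="$(printf "%s-%s" "${guid}" "$(echo -n "${provider}" | sha256)")"
	# Key material must not reach persistent storage: geli_start mounts a
	# throwaway tmpfs on /tmp around this call.  The trailing Xs keep the
	# name unpredictable, and mktemp never reuses an existing file.
	tmpkey="$(mktemp "/tmp/efikey_${provider_}.XXXXXX")" || return 1
	if ! efivar --binary --no-name "${efivar}" > "${tmpkey}"; then
		rm -f -- "${tmpkey}"
		return 1
	fi
	if [ -s "${tmpkey}" ]; then
		echo "${tmpkey}"
	else
		# An empty variable yields no key; do not leave the empty file.
		rm -f -- "${tmpkey}"
	fi
}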
64
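# Mounts a throwaway tmpfs on /tmp so that key files written by geli_efi
# are memory-backed only and are discarded by geli_efi_fini.  A failed
# mount is reported, because any key file written afterwards would land on
# whatever filesystem currently backs /tmp.
# Returns the mount status.
geli_efi_init()
{
	if ! mount -t tmpfs tmpfs /tmp; then
		warn "Unable to mount tmpfs on /tmp; EFI key files would not be memory-backed."
		return 1
	fi
}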
69
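# Removes any key files left behind by geli_efi and unmounts the tmpfs that
# geli_efi_init placed on /tmp.  The files are removed first so that key
# material does not linger if the unmount fails or the tmpfs was never
# mounted.
# Returns the umount status.
geli_efi_fini()
{
	# rm -f tolerates an unmatched glob (the literal pattern does not exist).
	rm -f -- /tmp/efikey_*
	if ! umount -t tmpfs /tmp; then
		warn "Unable to unmount tmpfs from /tmp."
		return 1
	fi
}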
74
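# Runs "geli attach" for ${2} (one provider, or a group's space-separated
# providers) with the geli(8) flags in ${1}, up to ${geli_tries} times.
# Success is detected by the appearance of /dev/<first provider>.eli rather
# than by the attach command's own status.
# Returns 0 once the .eli node exists, 1 after the attempts are exhausted.
geli_attach_retry()
{
	local flags="${1}"
	local providers="${2}"
	local first="${providers%% *}"
	local count=1

	while [ "${count}" -le "${geli_tries}" ]; do
		# Deliberately unquoted: flags is a list of geli(8) options and
		# providers a list of device names.
		geli attach ${flags} ${providers}
		if [ -e "/dev/${first}.eli" ]; then
			return 0
		fi
		echo "Attach failed; attempt ${count} of ${geli_tries}."
		count=$((count+1))
	done
	return 1
}

# Attaches every GELI provider from rc.conf (geli_make_list) and every geli
# group (geli_groups with geli_<group>_devices), using the flags from
# geli_<name>_flags or geli_default_flags.  Where geli_<name>_efi is YES the
# key is taken from an EFI variable via geli_efi and "-p -k <file>" is
# appended to the flags; key files only ever live on the tmpfs mounted by
# geli_efi_init for the duration of this function.
# Globals: geli_tries is left global on purpose (an rc.conf setting; set
#   here from geli_attach_attempts or the kern.geom.eli.tries sysctl when
#   unset).
geli_start()
{
	local devices provider provider_ group group_ providers flags efikey

	devices=$(geli_make_list)

	if [ -z "${geli_tries}" ]; then
		if [ -n "${geli_attach_attempts}" ]; then
			# Compatibility with rc.d/gbde.
			geli_tries=${geli_attach_attempts}
		else
			geli_tries=$(${SYSCTL_N} kern.geom.eli.tries)
		fi
	fi

	geli_efi_init

	for provider in ${devices}; do
		provider_=$(ltr "${provider}" '/-' '_')

		eval "flags=\${geli_${provider_}_flags}"
		if [ -z "${flags}" ]; then
			flags=${geli_default_flags}
		fi

		efikey="$(geli_efi "${provider}")"
		if [ -s "${efikey}" ]; then
			echo "Acquired key for ${provider} from EFI."
			# -p: no passphrase component; -k: key file extracted from EFI.
			flags="${flags} -p -k ${efikey}"
		fi

		# Skip providers that are absent or already attached.
		if [ -e "/dev/${provider}" ] && [ ! -e "/dev/${provider}.eli" ]; then
			echo "Configuring Disk Encryption for ${provider}."
			geli_attach_retry "${flags}" "${provider}"
		fi
	done

	for group in ${geli_groups}; do
		group_=$(ltr "${group}" '/-' '_')

		eval "flags=\${geli_${group_}_flags}"
		if [ -z "${flags}" ]; then
			flags=${geli_default_flags}
		fi

		eval "providers=\${geli_${group_}_devices}"
		if [ -z "${providers}" ]; then
			echo "No devices listed in geli group ${group}."
			continue
		fi

		efikey="$(geli_efi "${group}")"
		if [ -s "${efikey}" ]; then
			echo "Acquired key for ${group} from EFI."
			flags="${flags} -p -k ${efikey}"
		fi

		# A group attaches as a unit; its first provider's .eli node tells
		# whether that already happened.
		if [ -e "/dev/${providers%% *}" ] && [ ! -e "/dev/${providers%% *}.eli" ]; then
			echo "Configuring Disk Encryption for geli group ${group}, containing ${providers}."
			geli_attach_retry "${flags}" "${providers}"
		fi
	done

	geli_efi_fini
}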
156
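# Detaches every provider geli_start may have attached: the rc.conf device
# list plus the members of every geli group.  Each .eli node is unmounted
# first (best effort, as it need not carry a mounted filesystem) and then
# detached; providers without a .eli node are skipped.
geli_stop()
{
	local devices provider group group_ providers

	devices=$(geli_make_list)

	for group in ${geli_groups}; do
		group_=$(ltr "${group}" '/-' '_')
		eval "providers=\${geli_${group_}_devices}"
		devices="${devices} ${providers}"
	done

	for provider in ${devices}; do
		if [ -e "/dev/${provider}.eli" ]; then
			# Best effort: the .eli device may not be mounted at all, so
			# umount's complaint is intentionally discarded.
			umount "/dev/${provider}.eli" 2>/dev/null
			geli detach "${provider}"
		fi
	done
}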
176
# Pull geli_* settings from rc.conf, then dispatch the requested action.
load_rc_config "${name}"
run_rc_command "$1"