Merge pull request #90 from simoncampion/root-unlock-generator

Add service for root disk unlocking

dracut/31decrypt-root/decrypt-root

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -euo pipefail
+
+# Check if there is a partition labeled ROOT and, if so, determine its UUID.
+match=$(lsblk --noheadings -o UUID,PARTLABEL | { grep -m1 -w ROOT || true ; })
+if [[ "${match}" = "" ]]; then
+    exit 0
+fi
+uuid="${match%% *}"
+
+# Check if the partition labeled ROOT is a LUKS device.
+IFS= read -r -n "4" header < /dev/disk/by-uuid/$uuid
+if [[ "$header" != "LUKS" ]]; then
+    exit 0
+fi
+
+# Generate a systemd-cryptsetup unit to decrypt the root partition.
+# We call the LUKS device `rootencrypted`, no matter what it was called in the Ignition configuration.
+echo "rootencrypted UUID=$uuid none luks,tpm2-device=auto" > /tmp/crypttab
+SYSTEMD_CRYPTTAB=/tmp/crypttab /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /etc/systemd/system/
+
+# Start the generated systemd service to decrypt the root partition.
+systemctl start systemd-cryptsetup@rootencrypted

dracut/31decrypt-root/decrypt-root.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Generate and execute a systemd-cryptsetup service to decrypt the ROOT partition
+
+DefaultDependencies=no
+# If systemd-networkd.service is used in the initramfs, then we should run after it, since the ROOT partition
+# might use network-bound encryption.
+After=systemd-networkd.service dev-disk-by\x2dpartlabel-ROOT.device
+Wants=dev-disk-by\x2dpartlabel-ROOT.device
+Before=dracut-initqueue.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/decrypt-root
+
+[Install]
+WantedBy=ignition-subsequent.target

dracut/31decrypt-root/module-setup.sh

@@ -0,0 +1,9 @@
+install() {
+    inst_script "$moddir/decrypt-root" \
+        "/usr/sbin/decrypt-root"
+
+    inst_simple "$moddir/decrypt-root.service" \
+        "$systemdsystemunitdir/decrypt-root.service"
+
+    systemctl --root "$initdir" enable decrypt-root.service
+}