From 8d5495e646b040d25def6731a97698ddbe4d28cb Mon Sep 17 00:00:00 2001
From: Simon Campion
Date: Sat, 16 Mar 2024 13:35:57 +0100
Subject: [PATCH 1/2] networkd-dependency-generator: make directory directory consistent with other generators
---
 .../module-setup.sh | 0
 .../networkd-dependency-generator | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename dracut/{40networkd-dependency => 10networkd-dependency-generator}/module-setup.sh (100%)
 rename dracut/{40networkd-dependency => 10networkd-dependency-generator}/networkd-dependency-generator (100%)
diff --git a/dracut/40networkd-dependency/module-setup.sh b/dracut/10networkd-dependency-generator/module-setup.sh
similarity index 100%
rename from dracut/40networkd-dependency/module-setup.sh
rename to dracut/10networkd-dependency-generator/module-setup.sh
diff --git a/dracut/40networkd-dependency/networkd-dependency-generator b/dracut/10networkd-dependency-generator/networkd-dependency-generator
similarity index 100%
rename from dracut/40networkd-dependency/networkd-dependency-generator
rename to dracut/10networkd-dependency-generator/networkd-dependency-generator
From 66145c330d6d0b44c2cc161e042e6f18966c2e4f Mon Sep 17 00:00:00 2001
From: Simon Campion
Date: Fri, 22 Mar 2024 16:45:27 +0100
Subject: [PATCH 2/2] decrypt-root: add service to decrypt the ROOT partition
---
 dracut/31decrypt-root/decrypt-root | 23 ++++++++++++++++++++++
 dracut/31decrypt-root/decrypt-root.service | 17 ++++++++++++++++
 dracut/31decrypt-root/module-setup.sh | 9 +++++++++
 3 files changed, 49 insertions(+)
 create mode 100755 dracut/31decrypt-root/decrypt-root
 create mode 100644 dracut/31decrypt-root/decrypt-root.service
 create mode 100755 dracut/31decrypt-root/module-setup.sh
diff --git a/dracut/31decrypt-root/decrypt-root b/dracut/31decrypt-root/decrypt-root
new file mode 100755
index 0000000..5f8d6bc
--- /dev/null
+++ b/dracut/31decrypt-root/decrypt-root
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -euo pipefail
+
+# Check if there is a partition labeled ROOT and, if so, determine its UUID.
+match=$(lsblk --noheadings -o UUID,PARTLABEL | { grep -m1 -w ROOT || true ; })
+if [[ "${match}" = "" ]]; then
+ exit 0
+fi
+uuid="${match%% *}"
+
+# Check if the partition labeled ROOT is a LUKS device.
+IFS= read -r -n "4" header < /dev/disk/by-uuid/$uuid
+if [[ "$header" != "LUKS" ]]; then
+ exit 0
+fi
+
+# Generate a systemd-cryptsetup unit to decrypt the root partition.
+# We call the LUKS device `rootencrypted`, no matter what it was called in the Ignition configuration.
+echo "rootencrypted UUID=$uuid none luks,tpm2-device=auto" > /tmp/crypttab
+SYSTEMD_CRYPTTAB=/tmp/crypttab /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /etc/systemd/system/
+
+# Start the generated systemd service to decrypt the root partition.
+systemctl start systemd-cryptsetup@rootencrypted
\ No newline at end of file
diff --git a/dracut/31decrypt-root/decrypt-root.service b/dracut/31decrypt-root/decrypt-root.service
new file mode 100644
index 0000000..8daf2ba
--- /dev/null
+++ b/dracut/31decrypt-root/decrypt-root.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Generate and execute a systemd-cryptsetup service to decrypt the ROOT partition
+
+DefaultDependencies=no
+# If systemd-networkd.service is used in the initramfs, then we should run after it, since the ROOT partition
+# might use network-bound encryption.
+After=systemd-networkd.service dev-disk-by\x2dpartlabel-ROOT.device
+Wants=dev-disk-by\x2dpartlabel-ROOT.device
+Before=dracut-initqueue.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/decrypt-root
+
+[Install]
+WantedBy=ignition-subsequent.target
\ No newline at end of file
diff --git a/dracut/31decrypt-root/module-setup.sh b/dracut/31decrypt-root/module-setup.sh
new file mode 100755
index 0000000..5fc8b3d
--- /dev/null
+++ b/dracut/31decrypt-root/module-setup.sh
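Review bot: The ROOT lookup on the `match=` line uses `grep -m1 -w ROOT`, and `-w` treats `-` as a word boundary, so a partition labelled for example `ROOT-OLD` or `OLD-ROOT` would also match and, if listed first, would be taken as the root device; matching the PARTLABEL column exactly is safer, e.g. `uuid=$(lsblk --noheadings -o UUID,PARTLABEL | awk '$2 == "ROOT" { print $1; exit }')` with the emptiness check then applied to `uuid`. The `read` line should quote the device path, `IFS= read -r -n 4 header < "/dev/disk/by-uuid/$uuid"`. The crypttab line hard-codes `luks,tpm2-device=auto`, so unlock options from the Ignition configuration are not carried over; the comment above it only mentions the device name and should state that too. Whether `systemctl start` sees the freshly generated unit without a `systemctl daemon-reload` depends on how the initramfs systemd refreshes its unit cache, which is worth confirming on the target image.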
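Review bot: `Wants=` combined with `After=` on `dev-disk-by\x2dpartlabel-ROOT.device` makes this unit wait for that device job to complete; on an image with no ROOT-labelled partition (the case in which decrypt-root simply exits 0) the device job presumably has to time out first, delaying `dracut-initqueue.service` by the device timeout. If such images are in scope, the assumption deserves a comment next to the `Wants=` line, e.g. `# Assumes every supported image carries a partition labelled ROOT; without one, this waits for the device job to time out.` Whether that case can occur is not visible from the patch.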
@@ -0,0 +1,9 @@
+install() {
+ inst_script "$moddir/decrypt-root" \
+ "/usr/sbin/decrypt-root"
+
+ inst_simple "$moddir/decrypt-root.service" \
+ "$systemdsystemunitdir/decrypt-root.service"
+
+ systemctl --root "$initdir" enable decrypt-root.service
+}
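Review bot: `install()` copies the script and the unit but declares no `depends()` and does not install the tools the script calls (`lsblk`, `systemctl`, the `systemd-cryptsetup-generator` binary and the `systemd-cryptsetup@.service` template it instantiates), so the initramfs only works if another module already provides them; declaring that explicitly, e.g. `depends() { echo systemd crypt; return 0; }`, would make the requirement visible to dracut. Whether dracut's `crypt` module is already enabled in this build cannot be seen from the patch, so this is an assumption to confirm. A one-line header comment on `install()` naming the script's runtime requirements would help the next reader either way.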