From b9f3b127e2be4f96da1f9f37d9f7b9b2511b5d9a Mon Sep 17 00:00:00 2001
From: Simon Campion
Date: Fri, 22 Mar 2024 16:45:27 +0100
Subject: [PATCH] decrypt-root: add service to decrypt the ROOT partition
---
 dracut/31decrypt-root/decrypt-root | 22 ++++++++++++++++++++++
 dracut/31decrypt-root/decrypt-root.service | 16 ++++++++++++++++
 dracut/31decrypt-root/module-setup.sh | 9 +++++++++
 3 files changed, 47 insertions(+)
 create mode 100755 dracut/31decrypt-root/decrypt-root
 create mode 100644 dracut/31decrypt-root/decrypt-root.service
 create mode 100755 dracut/31decrypt-root/module-setup.sh
diff --git a/dracut/31decrypt-root/decrypt-root b/dracut/31decrypt-root/decrypt-root
new file mode 100755
index 0000000..d1199a9
--- /dev/null
+++ b/dracut/31decrypt-root/decrypt-root
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Check if there is a partition labeled ROOT and, if so, determine its UUID.
+match=$(lsblk -o UUID,PARTLABEL | grep -w ROOT)
+if [[ $? -ne 0 ]]; then
+ exit 0
+fi
+uuid="${match%% *}"
+
+# Check if the partition labeled ROOT is a LUKS device.
+IFS= read -r -n "4" header < /dev/disk/by-uuid/$uuid
+if [[ "$header" != "LUKS" ]]; then
+ exit 0
+fi
+
+# Generate a systemd-cryptsetup unit to decrypt the root partition.
+# We call the LUKS device `rootencrypted`, no matter what it was called in the Ignition configuration.
+echo "rootencrypted UUID=$uuid none luks" > /tmp/crypttab
+SYSTEMD_CRYPTTAB=/tmp/crypttab /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /etc/systemd/system/
+
+# Start the generated systemd service to decrypt the root partition.
+systemctl start systemd-cryptsetup@rootencrypted
\ No newline at end of file
diff --git a/dracut/31decrypt-root/decrypt-root.service b/dracut/31decrypt-root/decrypt-root.service
new file mode 100644
index 0000000..79460bd
--- /dev/null
+++ b/dracut/31decrypt-root/decrypt-root.service
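Review bot: The device lookup at `match=$(lsblk -o UUID,PARTLABEL | grep -w ROOT)` followed by `uuid="${match%% *}"` is fragile: `grep -w` also matches labels such as `ROOT-old`, several matching lines leave `match` multi-line with only the first one used, and a matching partition without a UUID produces a line that starts with whitespace, so `uuid` becomes empty and the later `read` is redirected from the `/dev/disk/by-uuid/` directory. The unit file in this patch already orders the service after `dev-disk-by\x2dpartlabel-ROOT.device`, so resolving `/dev/disk/by-partlabel/ROOT` directly and asking lsblk for that single device's UUID removes the ambiguity, and the unquoted `$uuid` in the redirect should be quoted. `/tmp/crypttab` is a fixed path written and consumed by the same script; inside the initramfs that is low risk, but a `mktemp` file removed by an EXIT trap would be the conventional form.
```shell
# Check if there is a partition labeled ROOT and, if so, determine its UUID.
dev=/dev/disk/by-partlabel/ROOT
[[ -b "$dev" ]] || exit 0
uuid=$(lsblk -no UUID "$dev") || exit 0
[[ -n "$uuid" ]] || exit 0

# Check if the partition labeled ROOT is a LUKS device.
IFS= read -r -n 4 header < "$dev"
# … unchanged: LUKS magic check, crypttab generation, systemctl start …
```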
@@ -0,0 +1,16 @@
+[Unit]
+Description=Generate and execute a systemd-cryptsetup service to decrypt the ROOT partition
+
+DefaultDependencies=no
+# If systemd-networkd.service is used in the initramfs, then we should run after it, since the ROOT partition
+# might use network-bound encryption.
+After=systemd-networkd.service dev-disk-by\x2dpartlabel-ROOT.device
+Wants=dev-disk-by\x2dpartlabel-ROOT.device
+Before=dracut-initqueue.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/decrypt-root
+
+[Install]
+WantedBy=ignition-subsequent.target
\ No newline at end of file
diff --git a/dracut/31decrypt-root/module-setup.sh b/dracut/31decrypt-root/module-setup.sh
new file mode 100755
index 0000000..5fc8b3d
--- /dev/null
+++ b/dracut/31decrypt-root/module-setup.sh
@@ -0,0 +1,9 @@
+install() {
+ inst_script "$moddir/decrypt-root" \
+ "/usr/sbin/decrypt-root"
+
+ inst_simple "$moddir/decrypt-root.service" \
+ "$systemdsystemunitdir/decrypt-root.service"
+
+ systemctl --root "$initdir" enable decrypt-root.service
+}
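Review bot: `After=systemd-networkd.service` only orders this unit after the networkd daemon has been started, not after any interface has been configured, so the network-bound case described in the comment directly above it can still run before the network is usable. Ordering after `systemd-networkd-wait-online.service` (if the initramfs ships it) is what expresses "network configured"; `After=` is ordering only, so that wait-online unit still has to be pulled in by something else whenever network-bound unlocking is in use. The comment on the `# If systemd-networkd.service …` line could then state the actual requirement: `# Network-bound unlocking needs the network configured, not merely networkd started.`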
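Review bot: `install()` is the only function in module-setup.sh, so the module declares no `depends()`, yet the installed script relies on `lsblk`, `systemd-cryptsetup` and `/usr/lib/systemd/system-generators/systemd-cryptsetup-generator`; nothing here ensures those land in the initramfs unless the image's dracut configuration already pulls in the modules that provide them. Adding `depends() { echo systemd crypt; }` (module names assumed from stock dracut) and an `inst_multiple lsblk` line in `install()` would make the module self-contained. There is also no `check()`; as far as I recall dracut treats a module without one as always eligible for inclusion, so `check() { return 255; }` would limit it to explicit selection if that is the intent.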