path: root/run.sh
blob: b91d88085162696ffb0a5beb2d949b9407f8d187 (plain)
#!/usr/bin/ash
# shellcheck shell=bash
# vim: set ft=sh ts=2 sw=2 et:

#  ┬─┐┬ ┐┌┐┐┌─┐┌┐┐o┌─┐┌┐┐┐─┐
#  ├─ │ │││││   │ ││ ││││└─┐
#  ┘  ┘─┘┘└┘└─┘ ┘ ┘┘─┘┘└┘──┘

# Logging helpers. Send the argument list to plymouth(1), or fold it
# and print it to the standard error.
dm_nuke_message() {
  # Join the arguments with single spaces regardless of the caller's IFS
  # (run_hook calls this while IFS is set to a comma).
  local IFS=' '
  local text="cryptsetup: $*"

  # Use the splash screen only when the plymouth client exists and its
  # daemon answers a ping; otherwise hand the text to msg, which is expected
  # to be provided by the environment that sources this hook.
  if ! command -v plymouth 1>/dev/null 2>&1 || ! plymouth --ping 2>/dev/null; then
    msg "$text"
  else
    plymouth message --text="$text"
  fi

  # Reporting is best effort: never propagate a failure to the caller.
  return 0
}

#  ┌┌┐┬─┐o┌┐┐
#  ││││─┤││││
#  ┘ ┘┘ ┘┘┘└┘

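# Unlock the LUKS device described by the dm-nuke= kernel parameter.
#
# dm-nuke= is a comma-separated list of key=value options: device, alias,
# cryptargs, keyfile-root, keyfile-path, keyfile-offset, keyfile-size,
# keyscript-root, keyscript-path and nuke. Unlocking is attempted with the
# keyfile, then with the keyscript output, then interactively. When "nuke"
# is set, a typed passphrase whose md5/sha1/sha256/sha512 digest matches the
# configured value makes the helper run "cryptsetup erase" on the device
# instead of opening it.
#
# Relies on getarg, resolve_device, msg and err being provided by the
# environment that sources this hook.
#
# Returns: 0 when /dev/mapper/<alias> exists, 1 when the device is not LUKS
#          or the mapping is missing after unlocking. Exits 0 when dm-nuke=
#          is empty and 1 on an unknown option.
#
# NOTE(review): every value parsed here comes from the kernel command line,
# and several of them reach eval or are pasted into a generated script, so
# the bootloader configuration needs the same protection as this script.
# NOTE(review): the nuke digest is a plain, unsalted hash kept on the kernel
# command line; anyone able to read the boot configuration can see that the
# feature is enabled and test guesses against the digest offline.
# NOTE(review): the early "return" paths below leave /tmp/dm-nuke (including
# the kf/ks key copies) in place; only the success path removes it.
run_hook() {
  local quiet rootdelay
  # Switches
  local kf_enabled='false' ks_enabled='false' nuke_enabled='false'
  # Keyfile configuration
  local kf_root_dev kf_root_fs kf_path kf_offset=0 kf_size
  # Keyscript configuration
  local ks_root_dev ks_root_fs ks_path
  # Nuke configuration
  local nuke_hash
  # Cryptsetup configuration
  local device alias='cryptroot' cryptargs
  rootdelay="$(getarg rootdelay)"

  mkdir -p /tmp/dm-nuke
  cd /tmp/dm-nuke

  # Reading configuration
  local oldifs key value configuration option resolved
  oldifs="$IFS"
  IFS=,
  configuration="$(getarg dm-nuke)"
  if [ -z "$configuration" ]; then
    dm_nuke_message "dm-nuke is loaded but not configured"
    sleep 2
    exit 0
  fi
  quiet="$(getarg quiet)"
  if [ "$quiet" = "y" ]; then
    # Stored as shell text: it only becomes a redirection where the command
    # line is re-parsed (eval below, and the generated helper script).
    quiet=">/dev/null"
  fi
  for option in $configuration; do
    key="${option%%=*}"
    value="${option#*=}"
    case "$key" in
    device)
      if resolved="$(resolve_device "$value" "$rootdelay")"; then
        device="$resolved"
      else
        err "failed to resolve root device $value"
      fi
      ;;
    alias)
      alias="$value"
      ;;
    cryptargs)
      cryptargs="$value"
      ;;
    keyfile-root)
      # Require exactly two colon-separated fields. The field *count* is NF;
      # $NF is the text of the last field, which never equals 2 for a real
      # filesystem type, so the previous test let malformed values through.
      if ! echo "$value" | awk -F: '{exit(NF!=2)}'; then
        dm_nuke_message "warning: keyfile-root must be in format path:fstype"
      elif resolved="$(resolve_device "$(echo "$value" | cut -d: -f1)" "$rootdelay")"; then
        kf_root_dev="$resolved"
        kf_root_fs="$(echo "$value" | cut -d: -f2)"
      else
        dm_nuke_message "warning: failed to resolve device for the keyfile $(echo "$value" | cut -d: -f1)"
      fi
      ;;
    keyfile-path)
      kf_enabled='true'
      kf_path="$value"
      ;;
    keyfile-offset)
      kf_offset="$value"
      ;;
    keyfile-size)
      kf_size="$value"
      ;;
    keyscript-root)
      # Same two-field check as keyfile-root.
      if ! echo "$value" | awk -F: '{exit(NF!=2)}'; then
        dm_nuke_message "warning: keyscript-root must be in format path:fstype"
      elif resolved="$(resolve_device "$(echo "$value" | cut -d: -f1)" "$rootdelay")"; then
        ks_root_dev="$resolved"
        ks_root_fs="$(echo "$value" | cut -d: -f2)"
      else
        dm_nuke_message "warning: failed to resolve device for the keyscript $(echo "$value" | cut -d: -f1)"
      fi
      ;;
    keyscript-path)
      ks_enabled='true'
      ks_path="$value"
      ;;
    nuke)
      nuke_enabled='true'
      nuke_hash="$value"
      ;;
    *)
      dm_nuke_message "error: unknown option $key: $value" 1>&2
      exit 1
      ;;
    esac
  done
  IFS="$oldifs"
  unset oldifs

  # Load dm-crypt module
  modprobe -a -q dm-crypt >/dev/null 2>&1

  # If keyfile options are configured...
  if [ "$kf_enabled" = 'true' ]; then
    # ...then mount keyfile root filesystem if defined...
    if [ -n "$kf_root_dev" ]; then
      mkdir kf_mp
      # Mount the device resolved for keyfile-root. "$resolved" holds
      # whichever device was resolved last during option parsing, which is
      # the wrong one whenever another device option follows keyfile-root.
      if [ "$kf_root_fs" = "auto" ]; then
        mount -r "$kf_root_dev" kf_mp
      else
        mount -r -t "$kf_root_fs" "$kf_root_dev" kf_mp
      fi
      kf_path="kf_mp/${kf_path#/}"
    fi
    # ... and read the key to the temp file
    if [ -n "$kf_size" ]; then
      dd if="$kf_path" of=kf iflag=skip_bytes skip="$kf_offset" bs="$kf_size" count=1 2>/dev/null
    else
      dd if="$kf_path" of=kf iflag=skip_bytes skip="$kf_offset" 2>/dev/null
    fi
    # Do not forget to unmount at the end
    [ -n "$kf_root_dev" ] && umount kf_mp
  fi

  # If keyscript options are configured...
  if [ "$ks_enabled" = 'true' ]; then
    # ...then mount keyscript root filesystem if defined...
    if [ -n "$ks_root_dev" ]; then
      mkdir ks_mp
      # Use the keyscript device, not the last value left in "$resolved".
      if [ "$ks_root_fs" = "auto" ]; then
        mount -r "$ks_root_dev" ks_mp
      else
        mount -r -t "$ks_root_fs" "$ks_root_dev" ks_mp
      fi
      ks_path="$(pwd)/ks_mp/${ks_path#/}"
    fi
    # ... and execute the script; its standard output becomes the key (ks).
    # NOTE(review): eval re-parses ks_path, so the value is run as shell
    # text rather than as a single program path. Left as eval in case
    # keyscript-path is expected to carry arguments; confirm, and prefer a
    # plain "$ks_path" invocation if it is not.
    if ! (cd "$(dirname "$ks_path")" && eval "$ks_path") >ks; then
      dm_nuke_message "warning: $ks_path exited with nonzero code"
    fi
    # Do not forget to unmount at the end
    [ -n "$ks_root_dev" ] && umount ks_mp
  fi

  # To protect ourselves from early hooks
  if [ -b "/dev/mapper/$alias" ]; then
    if [ ! -f /tmp/dm-nuke.success ]; then
      dm_nuke_message "warning: /dev/mapper/$alias already exists, skipping decryption"
    fi
    return 0
  fi

  if ! cryptsetup isLuks "$device" 1>/dev/null; then
    err "$device is not a LUKS device"
    return 1
  fi

  # Try to decrypt using a keyfile
  # NOTE(review): eval is what turns $quiet into a redirection and splits
  # $cryptargs into words, but it also re-parses $device and $alias, so
  # shell metacharacters in any dm-nuke= value are interpreted here.
  local interactive='true' password
  if [ -f kf ]; then
    if ! eval cryptsetup luksOpen --key-file=kf "$device" "$alias" "$cryptargs" "$quiet"; then
      dm_nuke_message "warning: invalid keyfile key"
    else
      interactive=false
    fi
  fi
  if [ -f ks ]; then
    if ! eval cryptsetup luksOpen --key-file=ks "$device" "$alias" "$cryptargs" "$quiet"; then
      dm_nuke_message "warning: invalid keyscript key"
    else
      interactive=false
    fi
  fi

  # Ask for the password
  if [ "$interactive" = 'true' ]; then
    if [ "$nuke_enabled" = 'true' ]; then
      # Two spaces between digest and file name: the canonical "-c" input
      # format, accepted by both coreutils and busybox checksum tools.
      echo "$nuke_hash  kf" > checksum
    fi
    # The helper is generated whether or not "nuke" is configured, because
    # both prompts below run it unconditionally; previously it existed only
    # with "nuke" set, so a plain passphrase prompt could never succeed.
    # The here-document is unquoted on purpose: $device, $alias, $cryptargs,
    # $quiet and $nuke_enabled are expanded now and written into the script
    # as literal text, while \$algo is left for the helper to expand.
    cat <<EOF >nuke-or-mount.sh
#!/usr/bin/ash
set -euo pipefail
cat >kf
if [ "$nuke_enabled" = 'true' ]; then
  for algo in md5sum sha1sum sha256sum sha512sum; do
    if eval "\$algo" -c checksum "<kf" 1>/dev/null 2>&1; then
      echo YES | cryptsetup erase "$device"
      if [ "$quiet" = "" ]; then
        cat <<EOT 1>&2

...............................________________................................
..........................____/.(..(....)...)..\___............................
........................./(.(..(..)..._....))..)...)\..........................
.......................((.....(...)(....)..)...(...)..)........................
.....................((/..(._(...)...(..._).).(..().)..).......................
....................(.(..(.(_)...((....(...)...((_.)....)_.....................
...................(.(..)....(......(..)....)...)...).(...)....................
..................(..(...(..(...).(.._..(._).)...)...).).(.)...................
..................(.(..(...).(..)...(..)).....)._)(...)..)..)..................
.................(.(..(.\.).(....(_..(.).(.)..)...).)..)).(.)..................
..................(..(...(..(...(_.(.).(._....)..).(..)..)...).................
.................(.(..(.(..(..).....(_..)..).).._)...)._(.(.)..................
..................((..(...)(....(....._....)..._)._(_.(..(_.)..................
...................(_((__(_(__((.(.(.|..).).).)_))__))_)___)...................
...................((__)........\\\\||lll|l||///..........\_))...................
............................(.../(/.(..)..).)\...).............................
..........................(....(.(.(.|.|.).).)\...)............................
...........................(.../(|./.(.)).).).)).).............................
.........................(.....(.((((_(|)_))))).....)..........................
..........................(......||\(|(|)|/||.....)............................
........................(........|(||(||)||||........).........................
..........................(.....//|/l|||)|\\\\.\.....)...........................
........................(/././/../|//||||\\\\..\.\..\._).........................
-----------------------------!!!.YOU.ARE.NUKED.!!!-----------------------------
          Data is destroyed! They may try to extract information from
              you, but there's nothing more you can do. Good luck!
EOT
      fi
      exit 1
    fi
  done
fi
cryptsetup luksOpen --key-file=kf $device $alias $cryptargs $quiet && exit 0 || exit 1
EOF
    chmod 0755 nuke-or-mount.sh
    if command -v plymouth 1>/dev/null 2>&1 && plymouth --ping 2>/dev/null; then
      plymouth ask-for-password \
        --prompt="Enter passphrase for $alias ($device)" \
        --command="$(pwd)/nuke-or-mount.sh"
    else
      echo ""
      # Ask for a correct password infinitely
      while printf "Enter passphrase for %s (%s): " "$alias" "$device"; do
        read -s -r password
        # The helper reads the passphrase from its standard input
        # ("cat >kf"), so feed it through a pipe. Writing kf here and then
        # running the helper on the console let the helper truncate kf and
        # wait for a second entry from the terminal.
        if printf "%s" "$password" | ./nuke-or-mount.sh; then
          break
        fi
        dm_nuke_message "error: failed to decrypt $alias with the password provided"
        sleep 2
      done
    fi
  fi

  # Check mountpoint
  if [ ! -e "/dev/mapper/$alias" ]; then
    err "decryption has succeeded, but /dev/mapper/$alias creation has failed"
    return 1
  fi

  # Remove the working directory (key copies, checksum, helper script) and
  # leave a marker so a later run does not warn about the existing mapping.
  cd /
  rm -rf /tmp/dm-nuke
  touch /tmp/dm-nuke.success
  return 0
}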