
[Feature request] Add mkinitcpio hook support. #334

Open
@ShapeShifter499

Description


I use Arch Linux and someone I've talked with on their IRC channel stated that the clevis package for Arch Linux doesn't have mkinitcpio support because upstream didn't. For Arch Linux mkinitcpio is the default way of generating an init ram disk, including adding any modules and features you may want to have at boot time. https://wiki.archlinux.org/title/Mkinitcpio

This is a mkinitcpio install and hook I found from the Arch Linux forums that would enable clevis at boot but I am not sure if this is totally correct. https://bbs.archlinux.org/viewtopic.php?id=230948

clevis-mkinitcpio-install:

#!/bin/bash

build() {
    add_binary "clevis-decrypt-http"
    add_binary "clevis-decrypt-tang"
    add_binary "clevis-decrypt-sss"
    add_binary "clevis-decrypt"
    add_binary "luksmeta"
    add_binary "clevis"
    add_binary "jose"
    add_binary "curl"
    add_binary "bash"
    add_runscript
}

help() {
    cat <<HELPEOF
This hook will attempt to unlock LUKS volumes using data stored in the header
by clevis and luksmeta. Use this hook in combination with any early userspace
networking hook, such as mkinitcpio-netconf or mkinitcpio-ppp. It also requires
mkinitcpio-utils for the encryptssh hook.

An example usage would be to have 'netconf clevis encryptssh' added before your
filesystems hook. You also need to configure clevis unlocking by using the
'clevis bind luks' command on your luks partition.
HELPEOF
}

clevis-mkinitcpio-hook:

#!/usr/bin/bash

run_hook ()
{
    # Run the unlock attempt in the background so the regular passphrase
    # prompt from the encrypt/encryptssh hook stays usable if clevis cannot
    # reach its Tang server; record the PID so the cleanup hook can stop it.
    clevis_loop &
    echo $! > /.clevis.pid
}

clevis_loop()
{
    # Wait until device-mapper is up and the encryptssh hook (mkinitcpio-utils)
    # has written out the device, mapper name and cryptsetup arguments.
    while ! [ -c /dev/mapper/control -a -f /.cryptdev -a -f /.cryptname -a -f /.cryptargs ];
    do
        sleep 0.1
    done

    CRYPTDEV=$(cat /.cryptdev)
    CRYPTNAME=$(cat /.cryptname)
    # UUID that clevis writes into the luksmeta slots it owns.
    UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
    luksmeta show -d "$CRYPTDEV" | while read -r slot state uuid; do
        [ "$state" != "active" ] && continue
        [ "$uuid" != "$UUID" ] && continue

        # Feed the decrypted passphrase straight into cryptsetup on stdin.
        # $(cat /.cryptargs) is deliberately unquoted: it holds cryptsetup
        # options that must be word-split.
        if ( luksmeta load -d "$CRYPTDEV" -s "$slot" -u "$UUID" | clevis decrypt \
            | cryptsetup luksOpen "$CRYPTDEV" "$CRYPTNAME" $(cat /.cryptargs) ); then
            echo > /.done
            echo -e "\n\n$CRYPTNAME successfully decrypted via clevis."
            # Stop the foreground passphrase prompt started by the encrypt hook.
            killall cryptsetup
            break
        fi
    done
    rm /.clevis.pid
}

run_cleanuphook ()
{
    if [ -f /.clevis.pid ]; then
        # Read the PID recorded by run_hook and stop the background loop.
        kill "$(cat /.clevis.pid)"
        rm /.clevis.pid
    fi
}
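The part of the hook above that is easy to get wrong without a LUKS device to test against is the slot selection: only slots that luksmeta reports as `active` and tagged with the clevis UUID may be fed to `clevis decrypt`, and the loop should stop at the first slot that unlocks. The script below is an added example, not code from the issue or from the clevis project. It re-implements that loop against a constructed `luksmeta show` listing and an injected stand-in for the decrypt pipeline, so the logic can be checked offline; the names `clevis_slots`, `first_unlocked_slot`, `fake_unlock` and `fake_unlock_none` are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the hook above or of clevis): exercises the
# luksmeta slot-selection logic against constructed output.

# UUID that clevis writes into the luksmeta slots it owns (same as the hook).
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"

# Constructed sample of `luksmeta show -d /dev/sdX` output (not from a real
# device). Columns: slot, state, uuid. Slots 1 and 3 are clevis-bound,
# slot 0 is active but foreign, slots 2 and 4 are inactive.
SAMPLE_LUKSMETA_SHOW='0   active   empty
1   active   cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive   empty
3   active   cb6e8904-81ff-40da-a84a-07ab9ab5715e
4 inactive   empty'

# clevis_slots <luksmeta-show-output>: print, one per line, every slot that is
# both active and tagged with the clevis UUID. Anything else is skipped.
clevis_slots() {
    printf '%s\n' "$1" | while read -r slot state uuid; do
        [ "$state" = "active" ] || continue
        [ "$uuid" = "$CLEVIS_UUID" ] || continue
        printf '%s\n' "$slot"
    done
    return 0
}

# first_unlocked_slot <luksmeta-show-output> <unlock-fn>: try <unlock-fn> on
# each candidate slot in order and print the first one it succeeds on.
# In the real hook <unlock-fn> is the
# `luksmeta load ... | clevis decrypt | cryptsetup luksOpen ...` pipeline;
# here it is injected so the loop runs without hardware. Returns 1 if no
# slot unlocks, which is the case the cleanup hook has to cope with.
first_unlocked_slot() {
    for slot in $(clevis_slots "$1"); do
        if "$2" "$slot"; then
            printf '%s\n' "$slot"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for the decrypt pipeline: pretend only slot 3 holds a
# token the (hypothetical) Tang server still honours.
fake_unlock() { [ "$1" = "3" ]; }

# Stand-in where every slot fails, e.g. because the network is not up yet.
fake_unlock_none() { return 1; }

# Stand-alone run: list candidate slots, then report which one unlocked.
clevis_slots "$SAMPLE_LUKSMETA_SHOW"
first_unlocked_slot "$SAMPLE_LUKSMETA_SHOW" fake_unlock \
    || echo "no clevis slot unlocked"
```

Because `cryptsetup` reads the passphrase from stdin in the hook's pipeline, a failed `clevis decrypt` on a stale slot simply makes that attempt fail and the loop moves on to the next candidate, which is the behaviour `first_unlocked_slot` mirrors with its injected unlock function.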
