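#!/bin/bash
# mkinitcpio-style hook for unlocking a LUKS device with fido2luks.
# build() collects what the initramfs needs, run_hook() performs the unlock.
#
# -a exports every variable assigned from here on, so the settings sourced
#    from /etc/fido2luks.conf reach the fido2luks child process
#    (presumably it reads its FIDO2LUKS_* settings from the environment;
#    confirm against the fido2luks documentation).
# -x traces every command to stderr, including each assignment sourced from
#    /etc/fido2luks.conf, so those values end up in build logs and on the
#    boot console. NOTE(review): drop -x outside of debugging sessions.
set -ax

# Print an error message to stderr and abort with status 1.
# Arguments: $1 - message to print
exit_with() {
  echo "$1" >&2
  exit 1
}

# Check that /etc/fido2luks.conf exists and defines the required settings.
# Aborts through exit_with on the first problem; returns 0 when everything
# is in place (the `[ ... ] && exit_with` form leaked status 1 on success).
#
# The configuration is sourced as shell code with the privileges of the
# caller, so it must be owned by root and writable by nobody else.
validate() {
  if [ ! -e /etc/fido2luks.conf ]; then
    exit_with "/etc/fido2luks.conf does not exist! Please configure first"
  fi

  . /etc/fido2luks.conf

  if [ ! -e "$FIDO2LUKS_DEVICE" ]; then
    exit_with "FIDO2LUKS_DEVICE='$FIDO2LUKS_DEVICE' does not exist!"
  fi
  if [ -z "$FIDO2LUKS_CREDENTIAL_ID" ]; then
    exit_with "FIDO2LUKS_CREDENTIAL_ID must be set!"
  fi
  if [ -z "$FIDO2LUKS_MAPPER_NAME" ]; then
    exit_with "FIDO2LUKS_MAPPER_NAME must be set!"
  fi
  return 0
}

# Install-time entry point: add the binaries, kernel modules, udev rules and
# configuration the unlock step needs to the image being built.
build() {
  local mod

  add_binary "cryptsetup"

  add_module "dm-crypt"
  add_module "dm-integrity"
  if [[ $CRYPTO_MODULES ]]; then
    # Deliberately unquoted: CRYPTO_MODULES is a whitespace-separated list.
    for mod in $CRYPTO_MODULES; do
      add_module "$mod"
    done
  else
    add_all_modules "/crypto/"
  fi

  add_binary "dmsetup"
  add_file "/usr/lib/udev/rules.d/10-dm.rules"
  add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
  add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
  add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

  add_systemd_unit "systemd-ask-password-console.path"
  add_systemd_unit "systemd-ask-password-console.service"

  # cryptsetup calls pthread_create(), which dlopen()s libgcc_s.so.1
  add_binary "/usr/lib/libgcc_s.so.1"

  # add mkswap for creating swap space on the fly (see 'swap' in crypttab(5))
  add_binary "mkswap"

  if [[ -f /etc/crypttab.initramfs ]]; then
    add_file "/etc/crypttab.initramfs" "/etc/crypttab"
  fi

  validate

  # The configuration is copied into the image as-is. Whatever it contains
  # is readable by anyone who can read the generated initramfs.
  add_file "/etc/fido2luks.conf" "/etc/fido2luks.conf"
  add_binary "fido2luks"

  # Was spelled `add_runscipt`, which is not a defined helper: the call
  # failed with "command not found" and the runtime hook was never added.
  add_runscript
}

# Boot-time entry point: load dm-crypt, read the configuration and let
# fido2luks open the device.
run_hook() {
  modprobe -a -q dm-crypt

  . /etc/fido2luks.conf

  if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
    # The device path is placed inside single quotes within a command
    # string; a path containing a single quote would break that quoting.
    # How fido2luks executes the helper string is not visible here.
    export FIDO2LUKS_PASSWORD_HELPER="systemd-ask-password 'FIDO2 password salt for $FIDO2LUKS_DEVICE'"
  fi

  fido2luks open
}

# NOTE: the listing is cut off inside help(); its here-document is not part
# of this page. The visible fragment is kept verbatim as a comment:
# help() { cat <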