
Viewing changes to initramfs-tools-script

  • Committer: Teddy Hogeborn
  • Date: 2018-08-15 09:26:02 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 368.
  • Revision ID: teddy@recompile.se-20180815092602-xoyb5s6gf8376i7u
mandos-client: Set system clock if necessary

* plugins.d/mandos-client.c (init_gpgme/import_key): If the system
  clock is not set, or set to January 1970, set the system clock to
  the more plausible value that is the mtime of the key file.  This is
  required by GnuPG to be able to import the keys.  (We can't pass the
  --ignore-time-conflict or the --ignore-valid-from options through
  GPGME.)

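--- a/initramfs-tools-script
+++ b/initramfs-tools-script
@@ -10,7 +10,6 @@
 # eventually be "/scripts/init-premount/mandos" in the initrd.img
 # file.
 
-# No initramfs pre-requirements.
 PREREQ="udev"
 prereqs()
 {
@@ -58,7 +57,7 @@
 # Get DEVICE from /conf/initramfs.conf and other files
 . /conf/initramfs.conf
 for conf in /conf/conf.d/*; do
-    [ -f ${conf} ] && . ${conf}
+    [ -f "${conf}" ] && . "${conf}"
 done
 if [ -e /conf/param.conf ]; then
     . /conf/param.conf
@@ -95,7 +94,9 @@
 # If we are connecting directly, run "configure_networking" (from
 # /scripts/functions); it needs IPOPTS and DEVICE
 if [ "${connect+set}" = set ]; then
+    set +e                      # Required by library functions
     configure_networking
+    set -e
     if [ -n "$connect" ]; then
         cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
         
@@ -109,12 +110,27 @@
 
 # Our keyscript
 mandos=/lib/mandos/plugin-runner
+test -x "$mandos"
 
 # parse /conf/conf.d/cryptroot.  Format:
-# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
+# target=sda2_crypt,source=/dev/sda2,rootdev,key=none,keyscript=/foo/bar/baz
+# Is the root device specially marked?
+changeall=yes
+while read -r options; do
+    case "$options" in
+        rootdev,*|*,rootdev,*|*,rootdev)
+            # If the root device is specially marked, don't change all
+            # lines in crypttab by default.
+            changeall=no
+            ;;
+    esac
+done < /conf/conf.d/cryptroot
+
 exec 3>/conf/conf.d/cryptroot.mandos
-while read options; do
+while read -r options; do
     newopts=""
+    keyscript=""
+    changethis="$changeall"
     # Split option line on commas
     old_ifs="$IFS"
     IFS="$IFS,"
@@ -126,6 +142,16 @@
                 newopts="$newopts,$opt"
                 ;;
             "") : ;;
+            # Always use Mandos on the root device, if marked
+            rootdev)
+                changethis=yes
+                newopts="$newopts,$opt"
+                ;;
+            # Don't use Mandos on resume device, if marked
+            resumedev)
+                changethis=no
+                newopts="$newopts,$opt"
+                ;;
             *)
                 newopts="$newopts,$opt"
                 ;;
@@ -134,7 +160,7 @@
     IFS="$old_ifs"
     unset old_ifs
     # If there was no keyscript option, add one.
-    if [ -z "$keyscript" ]; then
+    if [ "$changethis" = yes ] && [ -z "$keyscript" ]; then
         replace_cryptroot=yes
         newopts="$newopts,keyscript=$mandos"
     fi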
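Review bot: The comment `# If there was no keyscript option, add one.` above the guard at new line 163 is stale, because the keyscript is now added only when `changethis` is `yes`: a `rootdev` option sets it to yes, a `resumedev` option sets it to no, and unmarked lines inherit `changeall`, which the pre-pass turns off as soon as any line carries `rootdev`. Since this rule selects which volumes get the Mandos keyscript for unattended unlocking and which keep whatever the line already specified, the comment should state it, e.g. `# Add the Mandos keyscript only to lines selected via changethis that have no keyscript of their own.` Separately, the bare `test -x "$mandos"` at new line 113 and the `< /conf/conf.d/cryptroot` redirection of the pre-pass would presumably end the script without any message if `set -e` is in effect at that point; `test -x "$mandos" || { echo "mandos: $mandos is not executable" >&2; exit 1; }` would make that failure visible in the boot log. The second `while` loop starts in the fourth hunk and ends outside the visible lines, so the handling of an existing `keyscript=` option is not shown here.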