/mandos/trunk

#!/bin/sh -e

# 

# This script will run in the initrd environment at boot and edit

# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript

# when no other keyscript is set, before cryptsetup.

# 

# This script should be installed as

# "/usr/share/initramfs-tools/scripts/local-top/mandos" which will

# eventually be "/scripts/local-top/mandos" in the initrd.img file.

# No initramfs pre-requirements; we must instead run BEFORE cryptroot.

# This is not a problem, since cryptroot forces itself to run LAST.

PREREQ=""

prereqs()

{

     echo "$PREREQ"

}

case $1 in

prereqs)

     prereqs

     exit 0

     ;;

esac

chmod a=rwxt /tmp

test -w /conf/conf.d/cryptroot

# Do not replace cryptroot file unless we need to.

replace_cryptroot=no

# Our keyscript

mandos=/lib/mandos/plugin-runner

# parse /conf/conf.d/cryptroot.  Format:

# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz

exec 3>/conf/conf.d/cryptroot.mandos

while read options; do

    newopts=""

    # Split option line on commas

    old_ifs="$IFS"

    IFS="$IFS,"

    for opt in $options; do

	# Find the keyscript option, if any

	case "$opt" in

	    keyscript=*)

		keyscript="${opt#keyscript=}"

		newopts="$newopts,$opt"

		;;

	    "") : ;;

	    *)

		newopts="$newopts,$opt"

		;;

	esac

    done

    IFS="$old_ifs"

    unset old_ifs

    # If there was no keyscript option, add one.

    if [ -z "$keyscript" ]; then

	replace_cryptroot=yes

	newopts="$newopts,keyscript=$mandos"

    fi

    newopts="${newopts#,}"

    echo "$newopts" >&3

done < /conf/conf.d/cryptroot

exec 3>&-

# If we need to, replace the old cryptroot file with the new file.

if [ "$replace_cryptroot" = yes ]; then

    mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old

    mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot

else

    rm /conf/conf.d/cryptroot.mandos

fi