authorThomas Deutschmann <whissi@gentoo.org>2021-02-07 19:02:29 +0100
committerThomas Deutschmann <whissi@gentoo.org>2021-02-07 19:02:29 +0100
commita0a6d6313874a7567a26c405713aaf610695285d (patch)
treee57c7e63dff1864bd631b79b89f1854094367109
parentgenkernel: make sure GREP_OPTIONS is unset (diff)
linuxrc: add kernel command-line argument to allow user to pass additional options to cryptsetup
Cryptsetup supports additional options like "--perf-no_read_workqueue" or "--perf-no_write_workqueue". While it is recommended to use LUKS2 format and make these activation flags permanent, you can also make use of the new kernel command-line arguments "crypt_root_options" for root device or "crypt_swap_options" for swap device to pass additional options to cryptsetup. These arguments can be specified multiple times, or multiple options can be separated with a comma. Bug: https://bugs.gentoo.org/755587 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
-rw-r--r--defaults/initrd.defaults2
-rw-r--r--defaults/initrd.scripts16
-rw-r--r--defaults/linuxrc13
-rw-r--r--defaults/unlock-luks.sh8
-rw-r--r--doc/genkernel.8.txt10
5 files changed, 34 insertions, 15 deletions
diff --git a/defaults/initrd.defaults b/defaults/initrd.defaults
index cd485ca..ac3b072 100644
--- a/defaults/initrd.defaults
+++ b/defaults/initrd.defaults
@@ -104,9 +104,11 @@ CRYPT_ENV_FILE='/etc/CRYPT_ENV.conf'
CRYPT_ROOT_KEYDEV_FSTYPE='auto'
CRYPT_ROOT_KEYFILE='/tmp/root.key'
CRYPT_ROOT_OPENED_LOCKFILE='/tmp/ROOT.opened'
+CRYPT_ROOT_OPTIONS=''
CRYPT_SWAP_KEYDEV_FSTYPE='auto'
CRYPT_SWAP_KEYFILE='/tmp/swap.key'
CRYPT_SWAP_OPENED_LOCKFILE='/tmp/SWAP.opened'
+CRYPT_SWAP_OPTIONS=''
ZFS_ENC_ENV_FILE='/etc/ZFS_ENC_ENV.conf'
ZFS_ENC_OPENED_LOCKFILE='/tmp/ZFS.opened'
diff --git a/defaults/initrd.scripts b/defaults/initrd.scripts
index f6e84fc..5d744ee 100644
--- a/defaults/initrd.scripts
+++ b/defaults/initrd.scripts
@@ -1193,7 +1193,7 @@ write_env_file() {
for varname in $*
do
eval varvalue=\$${varname}
- echo "${varname}=${varvalue}" >> "${env_file}"
+ echo "${varname}='${varvalue}'" >> "${env_file}"
done
}
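Review bot: Wrapping the value in single quotes in `echo "${varname}='${varvalue}'"` does not cover a value that itself contains a single quote. CRYPT_ROOT_OPTIONS and CRYPT_SWAP_OPTIONS are now written through this function and carry free-form text from the kernel command line, so an embedded `'` would end the quoting early and the remainder would be parsed as shell when the env file is read back (presumably by sourcing it; the consumer is outside this diff). Escaping before the write closes that gap: `varvalue=$(printf '%s' "${varvalue}" | sed "s/'/'\\\\''/g")`, followed by `printf "%s='%s'\n" "${varname}" "${varvalue}" >> "${env_file}"`. The start of write_env_file is outside this hunk.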
@@ -1774,15 +1774,13 @@ openLUKS() {
eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"'
eval local LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"'
eval local LUKS_KEYDEV_FSTYPE='"${CRYPT_'${TYPE}'_KEYDEV_FSTYPE}"'
- eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"'
+ eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"'
eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"'
local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0
local mntkey="/mnt/key/" crypt_filter_ret=
while true
do
- local cryptsetup_options=''
-
local gpg_cmd=""
if [ -e "${OPENED_LOCKFILE}" ]
then
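Review bot: With `cryptsetup_options` now assigned once before `while true` and the per-iteration `local cryptsetup_options=''` removed, the variable is no longer reset when the loop retries. If the loop body outside this hunk still appends to it (the removed `--allow-discards` line shows it was built up that way), a second pass after a failed attempt would carry over whatever the previous pass added. Keeping the configured value separate would restore the reset: `eval local crypt_base_options='"${CRYPT_'${TYPE}'_OPTIONS}"'` before the loop and `local cryptsetup_options="${crypt_base_options}"` as the first line inside it. The same pattern is introduced in main() of defaults/unlock-luks.sh.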
@@ -1819,10 +1817,9 @@ openLUKS() {
DEV_ERROR=1
continue
else
- if [ "x${LUKS_TRIM}" = "xyes" ]
+ if [ -n "${cryptsetup_options}" ]
then
- good_msg "Enabling TRIM support for ${LUKS_NAME} ..." ${CRYPT_SILENT}
- cryptsetup_options="${cryptsetup_options} --allow-discards"
+ good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT}
fi
# Handle keys
@@ -2333,9 +2330,10 @@ start_sshd() {
write_env_file \
"${CRYPT_ENV_FILE}" \
CRYPT_ROOT \
- CRYPT_ROOT_TRIM \
+ CRYPT_ROOT_OPTIONS \
CRYPT_SILENT \
- CRYPT_SWAP
+ CRYPT_SWAP \
+ CRYPT_SWAP_OPTIONS
run touch /var/log/lastlog
diff --git a/defaults/linuxrc b/defaults/linuxrc
index df0f570..e33576d 100644
--- a/defaults/linuxrc
+++ b/defaults/linuxrc
@@ -244,10 +244,16 @@ do
CRYPT_ROOT=${x#*=}
USE_CRYPTSETUP=1
;;
+ crypt_root_options=*)
+ CRYPT_ROOT_OPTIONS=$(echo ${CRYPT_ROOT_OPTIONS} ${x#*=} | sed -e 's/,/ /g')
+ ;;
crypt_swap=*)
CRYPT_SWAP=${x#*=}
USE_CRYPTSETUP=1
;;
+ crypt_swap_options=*)
+ CRYPT_SWAP_OPTIONS=$(echo ${CRYPT_SWAP_OPTIONS} ${x#*=} | sed -e 's/,/ /g')
+ ;;
root_key=*)
CRYPT_ROOT_KEY=${x#*=}
;;
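Review bot: The new `echo ${CRYPT_ROOT_OPTIONS} ${x#*=}` substitution, and its twin in the crypt_swap_options arm, expands boot-parameter text unquoted. A value containing `*` or `?` is therefore glob-expanded against the initramfs working directory, and a leading `-n` or `-e` may be taken by echo as its own option. `CRYPT_ROOT_OPTIONS=$(printf '%s %s' "${CRYPT_ROOT_OPTIONS}" "${x#*=}" | sed -e 's/,/ /g')` avoids both. Because the resulting string is later handed to cryptsetup (that call is not part of this diff), it may also be worth rejecting values with characters outside what cryptsetup options need before storing them. The enclosing case statement starts and ends outside this hunk.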
@@ -258,7 +264,12 @@ do
CRYPT_ROOT_KEYDEV_FSTYPE=${x#*=}
;;
root_trim=*)
- CRYPT_ROOT_TRIM=${x#*=}
+ tmp_enabled=${x#*=}
+ if is_true "${tmp_enabled}"
+ then
+ CRYPT_ROOT_OPTIONS="${CRYPT_ROOT_OPTIONS} --allow-discards"
+ fi
+ unset tmp_enabled
;;
swap_key=*)
CRYPT_SWAP_KEY=${x#*=}
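Review bot: The root_trim arm now silently changes meaning and deserves a comment. It no longer stores a flag but appends `--allow-discards` to CRYPT_ROOT_OPTIONS, and the accepted values widen from the literal `yes` checked by the removed openLUKS code to whatever is_true accepts (is_true is defined outside this diff). Something like `# root_trim is kept for compatibility; a true value maps to cryptsetup's --allow-discards` above the `tmp_enabled` assignment would make that explicit. A reader of the man page would want the same stated for root_trim there, if it is not already.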
diff --git a/defaults/unlock-luks.sh b/defaults/unlock-luks.sh
index a8ae990..59e086a 100644
--- a/defaults/unlock-luks.sh
+++ b/defaults/unlock-luks.sh
@@ -46,12 +46,11 @@ main() {
local LUKS_NAME="${NAME}"
eval local LUKS_DEVICE='"${CRYPT_'${TYPE}'}"'
eval local LUKS_KEY='"${CRYPT_'${TYPE}'_KEYFILE}"'
- eval local LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"'
+ eval local cryptsetup_options='"${CRYPT_'${TYPE}'_OPTIONS}"'
eval local OPENED_LOCKFILE='"${CRYPT_'${TYPE}'_OPENED_LOCKFILE}"'
while true
do
- local cryptsetup_options=""
local gpg_cmd crypt_filter_ret
if [ -e "${OPENED_LOCKFILE}" ]
@@ -74,10 +73,9 @@ main() {
# able to investigate the problem on its own.
exit 1
else
- if [ "x${LUKS_TRIM}" = "xyes" ]
+ if [ -n "${cryptsetup_options}" ]
then
- good_msg "Enabling TRIM support for ${LUKS_NAME} ..." "${CRYPT_SILENT}"
- cryptsetup_options="${cryptsetup_options} --allow-discards"
+ good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" ${CRYPT_SILENT}
fi
# Handle keys
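Review bot: The replacement good_msg call passes `${CRYPT_SILENT}` unquoted, whereas the line it replaces in this file used `"${CRYPT_SILENT}"`. Keeping the quotes, `good_msg "Using the following cryptsetup options for ${LUKS_NAME}: ${cryptsetup_options}" "${CRYPT_SILENT}"`, preserves the existing style of unlock-luks.sh and keeps the second argument a single word whatever the variable holds. main()'s body continues outside the hunk.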
diff --git a/doc/genkernel.8.txt b/doc/genkernel.8.txt
index 8909fc7..ddccd9f 100644
--- a/doc/genkernel.8.txt
+++ b/doc/genkernel.8.txt
@@ -633,9 +633,19 @@ recognized by the kernel itself.
This specifies the device encrypted by LUKS, which contains the
root filesystem to mount.
+*crypt_root_options*=<...>::
+ This specifies additional options, which should get passed to
+ cryptsetup when opening root volume. Can be specified multiple
+ times or separate multiple options with a comma.
+
*crypt_swap*=<...>::
This specifies the swap device encrypted by LUKS.
+*crypt_swap_options*=<...>::
+ This specifies additional options, which should get passed to
+ cryptsetup when opening swap volume. Can be specified multiple
+ times or separate multiple options with a comma.
+
*root_key*=<...>::
In case your root is encrypted with a key, you can use a device
like a usb pen to store the key. This value should be the key