[systemd.git] / src / cryptsetup / cryptsetup-generator.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <errno.h>
#include <stdio_ext.h>

#include "alloc-util.h"
#include "dropin.h"
#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
#include "fstab-util.h"
#include "generator.h"
#include "hashmap.h"
#include "id128-util.h"
#include "log.h"
#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
#include "proc-cmdline.h"
#include "specifier.h"
#include "string-util.h"
#include "strv.h"
#include "unit-name.h"
#include "util.h"

typedef struct crypto_device {
        char *uuid;
        char *keyfile;
        char *keydev;
        char *name;
        char *options;
        bool create;
} crypto_device;

static const char *arg_dest = NULL;
static bool arg_enabled = true;
static bool arg_read_crypttab = true;
static bool arg_whitelist = false;
static Hashmap *arg_disks = NULL;
static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;

STATIC_DESTRUCTOR_REGISTER(arg_disks, hashmap_freep);
STATIC_DESTRUCTOR_REGISTER(arg_default_options, freep);
STATIC_DESTRUCTOR_REGISTER(arg_default_keyfile, freep);

static int generate_keydev_mount(const char *name, const char *keydev, char **unit, char **mount) {
        _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL, *name_escaped = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(name);
        assert(keydev);
        assert(unit);
        assert(mount);

        r = mkdir_parents("/run/systemd/cryptsetup", 0755);
        if (r < 0)
                return r;

        r = mkdir("/run/systemd/cryptsetup", 0700);
        if (r < 0 && errno != EEXIST)
                return -errno;

        name_escaped = cescape(name);
        if (!name_escaped)
                return -ENOMEM;

        where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
        if (!where)
                return -ENOMEM;

        r = mkdir(where, 0700);
        if (r < 0 && errno != EEXIST)
                return -errno;

        r = unit_name_from_path(where, ".mount", &u);
        if (r < 0)
                return r;

        r = generator_open_unit_file(arg_dest, NULL, u, &f);
        if (r < 0)
                return r;

        what = fstab_node_to_udev_node(keydev);
        if (!what)
                return -ENOMEM;

        fprintf(f,
                "[Unit]\n"
                "DefaultDependencies=no\n\n"
                "[Mount]\n"
                "What=%s\n"
                "Where=%s\n"
                "Options=ro\n", what, where);

        r = fflush_and_check(f);
        if (r < 0)
                return r;

        *unit = TAKE_PTR(u);
        *mount = TAKE_PTR(where);

        return 0;
}

static int create_disk(
                const char *name,
                const char *device,
                const char *keydev,
                const char *password,
                const char *options) {

        _cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
                *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *keydev_mount = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        const char *dmname;
        bool noauto, nofail, tmp, swap, netdev;
        int r;

        assert(name);
        assert(device);

        noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
        nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
        tmp = fstab_test_option(options, "tmp\0");
        swap = fstab_test_option(options, "swap\0");
        netdev = fstab_test_option(options, "_netdev\0");

        if (tmp && swap)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.",
                                       name);

        name_escaped = specifier_escape(name);
        if (!name_escaped)
                return log_oom();

        e = unit_name_escape(name);
        if (!e)
                return log_oom();

        u = fstab_node_to_udev_node(device);
        if (!u)
                return log_oom();

        r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        u_escaped = specifier_escape(u);
        if (!u_escaped)
                return log_oom();

        r = unit_name_from_path(u, ".device", &d);
        if (r < 0)
                return log_error_errno(r, "Failed to generate unit name: %m");

        if (password) {
                password_escaped = specifier_escape(password);
                if (!password_escaped)
                        return log_oom();
        }

        if (keydev && !password)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Key device is specified, but path to the password file is missing.");

        r = generator_open_unit_file(arg_dest, NULL, n, &f);
        if (r < 0)
                return r;

        fprintf(f,
                "[Unit]\n"
                "Description=Cryptography Setup for %%I\n"
                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
                "SourcePath=/etc/crypttab\n"
                "DefaultDependencies=no\n"
                "Conflicts=umount.target\n"
                "IgnoreOnIsolate=true\n"
                "After=%s\n",
                netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");

        if (keydev) {
                _cleanup_free_ char *unit = NULL, *p = NULL;

                r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
                if (r < 0)
                        return log_error_errno(r, "Failed to generate keydev mount unit: %m");

                p = prefix_root(keydev_mount, password_escaped);
                if (!p)
                        return log_oom();

                free_and_replace(password_escaped, p);
        }

        if (!nofail)
                fprintf(f,
                        "Before=%s\n",
                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");

        if (password) {
                if (PATH_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
                        fputs("After=systemd-random-seed.service\n", f);
                else if (!STR_IN_SET(password, "-", "none")) {
                        _cleanup_free_ char *uu;

                        uu = fstab_node_to_udev_node(password);
                        if (!uu)
                                return log_oom();

                        if (!path_equal(uu, "/dev/null")) {

                                if (path_startswith(uu, "/dev/")) {
                                        _cleanup_free_ char *dd = NULL;

                                        r = unit_name_from_path(uu, ".device", &dd);
                                        if (r < 0)
                                                return log_error_errno(r, "Failed to generate unit name: %m");

                                        fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
                                } else
                                        fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
                        }
                }
        }

        if (path_startswith(u, "/dev/")) {
                fprintf(f,
                        "BindsTo=%s\n"
                        "After=%s\n"
                        "Before=umount.target\n",
                        d, d);

                if (swap)
                        fputs("Before=dev-mapper-%i.swap\n",
                              f);
        } else
                /* For loopback devices, add systemd-tmpfiles-setup-dev.service
                   dependency to ensure that loopback support is available in
                   the kernel (/dev/loop-control needs to exist) */
                fprintf(f,
                        "RequiresMountsFor=%s\n"
                        "Requires=systemd-tmpfiles-setup-dev.service\n"
                        "After=systemd-tmpfiles-setup-dev.service\n",
                        u_escaped);

        r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
        if (r < 0)
                return r;

        if (filtered) {
                filtered_escaped = specifier_escape(filtered);
                if (!filtered_escaped)
                        return log_oom();
        }

        fprintf(f,
                "\n[Service]\n"
                "Type=oneshot\n"
                "RemainAfterExit=yes\n"
                "TimeoutSec=0\n" /* the binary handles timeouts anyway */
                "KeyringMode=shared\n" /* make sure we can share cached keys among instances */
                "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
                "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
                name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
                name_escaped);

        if (tmp)
                fprintf(f,
                        "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
                        name_escaped);

        if (swap)
                fprintf(f,
                        "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
                        name_escaped);

        if (keydev)
                fprintf(f,
                        "ExecStartPost=" UMOUNT_PATH " %s\n\n",
                        keydev_mount);

        r = fflush_and_check(f);
        if (r < 0)
                return log_error_errno(r, "Failed to write unit file %s: %m", n);

        if (!noauto) {
                r = generator_add_symlink(arg_dest, d, "wants", n);
                if (r < 0)
                        return r;

                r = generator_add_symlink(arg_dest,
                                          netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
                                          nofail ? "wants" : "requires", n);
                if (r < 0)
                        return r;
        }

        dmname = strjoina("dev-mapper-", e, ".device");
        r = generator_add_symlink(arg_dest, dmname, "requires", n);
        if (r < 0)
                return r;

        if (!noauto && !nofail) {
                r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
                                  "# Automatically generated by systemd-cryptsetup-generator \n\n"
                                  "[Unit]\nJobTimeoutSec=0");
                if (r < 0)
                        return log_error_errno(r, "Failed to write device drop-in: %m");
        }

        return 0;
}

static crypto_device* crypt_device_free(crypto_device *d) {
        if (!d)
                return NULL;

        free(d->uuid);
        free(d->keyfile);
        free(d->keydev);
        free(d->name);
        free(d->options);
        return mfree(d);
}

static crypto_device *get_crypto_device(const char *uuid) {
        int r;
        crypto_device *d;

        assert(uuid);

        d = hashmap_get(arg_disks, uuid);
        if (!d) {
                d = new0(struct crypto_device, 1);
                if (!d)
                        return NULL;

                d->create = false;
                d->keyfile = d->options = d->name = NULL;

                d->uuid = strdup(uuid);
                if (!d->uuid)
                        return mfree(d);

                r = hashmap_put(arg_disks, d->uuid, d);
                if (r < 0) {
                        free(d->uuid);
                        return mfree(d);
                }
        }

        return d;
}

static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
        _cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
        crypto_device *d;
        int r;

        if (streq(key, "luks")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
                else
                        arg_enabled = r;

        } else if (streq(key, "luks.crypttab")) {

                r = value ? parse_boolean(value) : 1;
                if (r < 0)
                        log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
                else
                        arg_read_crypttab = r;

        } else if (streq(key, "luks.uuid")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
                if (!d)
                        return log_oom();

                d->create = arg_whitelist = true;

        } else if (streq(key, "luks.options")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        free_and_replace(d->options, uuid_value);
                } else if (free_and_strdup(&arg_default_options, value) < 0)
                        return log_oom();

        } else if (streq(key, "luks.key")) {
                size_t n;
                _cleanup_free_ char *keyfile = NULL, *keydev = NULL;
                char *c;
                const char *keyspec;

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                n = strspn(value, LETTERS DIGITS "-");
                if (value[n] != '=') {
                        if (free_and_strdup(&arg_default_keyfile, value) < 0)
                                 return log_oom();
                        return 0;
                }

                uuid = strndup(value, n);
                if (!uuid)
                        return log_oom();

                if (!id128_is_valid(uuid)) {
                        log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
                        return 0;
                }

                d = get_crypto_device(uuid);
                if (!d)
                        return log_oom();

                keyspec = value + n + 1;
                c = strrchr(keyspec, ':');
                if (c) {
                         *c = '\0';
                        keyfile = strdup(keyspec);
                        keydev = strdup(c + 1);

                        if (!keyfile || !keydev)
                                return log_oom();
                } else {
                        /* No keydev specified */
                        keyfile = strdup(keyspec);
                        if (!keyfile)
                                return log_oom();
                }

                free_and_replace(d->keyfile, keyfile);
                free_and_replace(d->keydev, keydev);
        } else if (streq(key, "luks.name")) {

                if (proc_cmdline_value_missing(key, value))
                        return 0;

                r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
                if (r == 2) {
                        d = get_crypto_device(uuid);
                        if (!d)
                                return log_oom();

                        d->create = arg_whitelist = true;

                        free_and_replace(d->name, uuid_value);
                } else
                        log_warning("Failed to parse luks name switch %s. Ignoring.", value);
        }

        return 0;
}

static int add_crypttab_devices(void) {
        _cleanup_fclose_ FILE *f = NULL;
        unsigned crypttab_line = 0;
        struct stat st;
        int r;

        if (!arg_read_crypttab)
                return 0;

        f = fopen("/etc/crypttab", "re");
        if (!f) {
                if (errno != ENOENT)
                        log_error_errno(errno, "Failed to open /etc/crypttab: %m");
                return 0;
        }

        (void) __fsetlocking(f, FSETLOCKING_BYCALLER);

        if (fstat(fileno(f), &st) < 0) {
                log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
                return 0;
        }

        for (;;) {
                _cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;
                crypto_device *d = NULL;
                char *l, *uuid;
                int k;

                r = read_line(f, LONG_LINE_MAX, &line);
                if (r < 0)
                        return log_error_errno(r, "Failed to read /etc/crypttab: %m");
                if (r == 0)
                        break;

                crypttab_line++;

                l = strstrip(line);
                if (IN_SET(l[0], 0, '#'))
                        continue;

                k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
                if (k < 2 || k > 4) {
                        log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
                        continue;
                }

                uuid = STARTSWITH_SET(device, "UUID=", "luks-");
                if (!uuid)
                        uuid = path_startswith(device, "/dev/disk/by-uuid/");
                if (uuid)
                        d = hashmap_get(arg_disks, uuid);

                if (arg_whitelist && !d) {
                        log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
                        continue;
                }

                r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
                if (r < 0)
                        return r;

                if (d)
                        d->create = false;
        }

        return 0;
}

static int add_proc_cmdline_devices(void) {
        int r;
        Iterator i;
        crypto_device *d;

        HASHMAP_FOREACH(d, arg_disks, i) {
                const char *options;
                _cleanup_free_ char *device = NULL;

                if (!d->create)
                        continue;

                if (!d->name) {
                        d->name = strappend("luks-", d->uuid);
                        if (!d->name)
                                return log_oom();
                }

                device = strappend("UUID=", d->uuid);
                if (!device)
                        return log_oom();

                if (d->options)
                        options = d->options;
                else if (arg_default_options)
                        options = arg_default_options;
                else
                        options = "timeout=0";

                r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
                if (r < 0)
                        return r;
        }

        return 0;
}

DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(crypt_device_hash_ops, char, string_hash_func, string_compare_func,
                                              crypto_device, crypt_device_free);

static int run(const char *dest, const char *dest_early, const char *dest_late) {
        int r;

        assert_se(arg_dest = dest);

        arg_disks = hashmap_new(&crypt_device_hash_ops);
        if (!arg_disks)
                return log_oom();

        r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
        if (r < 0)
                return log_warning_errno(r, "Failed to parse kernel command line: %m");

        if (!arg_enabled)
                return 0;

        r = add_crypttab_devices();
        if (r < 0)
                return r;

        r = add_proc_cmdline_devices();
        if (r < 0)
                return r;

        return 0;
}

DEFINE_MAIN_GENERATOR_FUNCTION(run);
Commit	Line	Data
52ad194e	1	/* SPDX-License-Identifier: LGPL-2.1+ */
663996b3	2
663996b3	3	#include <errno.h>
52ad194e	4	#include <stdio_ext.h>
663996b3	5
db2df898	6	#include "alloc-util.h"
f47781d8	7	#include "dropin.h"
6e866b33	8	#include "escape.h"
db2df898 MP	9	#include "fd-util.h"
	10	#include "fileio.h"
	11	#include "fstab-util.h"
f47781d8 MP	12	#include "generator.h"
f47781d8 MP	13	#include "hashmap.h"
6e866b33	14	#include "id128-util.h"
663996b3	15	#include "log.h"
663996b3	16	#include "mkdir.h"
db2df898	17	#include "parse-util.h"
e842803a	18	#include "path-util.h"
db2df898	19	#include "proc-cmdline.h"
52ad194e	20	#include "specifier.h"
db2df898	21	#include "string-util.h"
f47781d8 MP	22	#include "strv.h"
	23	#include "unit-name.h"
	24	#include "util.h"
	25
	26	typedef struct crypto_device {
	27	char *uuid;
	28	char *keyfile;
6e866b33	29	char *keydev;
f47781d8 MP	30	char *name;
	31	char *options;
	32	bool create;
	33	} crypto_device;
663996b3	34
6e866b33	35	static const char *arg_dest = NULL;
663996b3 MS	36	static bool arg_enabled = true;
663996b3 MS	37	static bool arg_read_crypttab = true;
f47781d8 MP	38	static bool arg_whitelist = false;
	39	static Hashmap *arg_disks = NULL;
	40	static char *arg_default_options = NULL;
	41	static char *arg_default_keyfile = NULL;
663996b3	42
6e866b33 MB	43	STATIC_DESTRUCTOR_REGISTER(arg_disks, hashmap_freep);
	44	STATIC_DESTRUCTOR_REGISTER(arg_default_options, freep);
	45	STATIC_DESTRUCTOR_REGISTER(arg_default_keyfile, freep);
	46
	47	static int generate_keydev_mount(const char name, const char keydev, char unit, char mount) {
	48	_cleanup_free_ char u = NULL, what = NULL, where = NULL, name_escaped = NULL;
	49	_cleanup_fclose_ FILE *f = NULL;
	50	int r;
	51
	52	assert(name);
	53	assert(keydev);
	54	assert(unit);
	55	assert(mount);
	56
	57	r = mkdir_parents("/run/systemd/cryptsetup", 0755);
	58	if (r < 0)
	59	return r;
	60
	61	r = mkdir("/run/systemd/cryptsetup", 0700);
	62	if (r < 0 && errno != EEXIST)
	63	return -errno;
	64
	65	name_escaped = cescape(name);
	66	if (!name_escaped)
	67	return -ENOMEM;
	68
	69	where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
	70	if (!where)
	71	return -ENOMEM;
	72
	73	r = mkdir(where, 0700);
	74	if (r < 0 && errno != EEXIST)
	75	return -errno;
	76
	77	r = unit_name_from_path(where, ".mount", &u);
	78	if (r < 0)
	79	return r;
	80
	81	r = generator_open_unit_file(arg_dest, NULL, u, &f);
	82	if (r < 0)
	83	return r;
	84
	85	what = fstab_node_to_udev_node(keydev);
	86	if (!what)
	87	return -ENOMEM;
	88
	89	fprintf(f,
	90	"[Unit]\n"
	91	"DefaultDependencies=no\n\n"
	92	"[Mount]\n"
	93	"What=%s\n"
	94	"Where=%s\n"
	95	"Options=ro\n", what, where);
	96
	97	r = fflush_and_check(f);
	98	if (r < 0)
	99	return r;
	100
	101	*unit = TAKE_PTR(u);
	102	*mount = TAKE_PTR(where);
	103
	104	return 0;
	105	}
	106
663996b3 MS	107	static int create_disk(
	108	const char *name,
	109	const char *device,
6e866b33	110	const char *keydev,
663996b3 MS	111	const char *password,
	112	const char *options) {
	113
1d42b86d	114	_cleanup_free_ char n = NULL, d = NULL, u = NULL, e = NULL,
6e866b33	115	filtered = NULL, u_escaped = NULL, password_escaped = NULL, filtered_escaped = NULL, name_escaped = NULL, keydev_mount = NULL;
663996b3	116	_cleanup_fclose_ FILE *f = NULL;
f5e65279 MB	117	const char *dmname;
f5e65279 MB	118	bool noauto, nofail, tmp, swap, netdev;
60f067b4	119	int r;
663996b3 MS	120
	121	assert(name);
	122	assert(device);
	123
e735f4d4 MP	124	noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
	125	nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
	126	tmp = fstab_test_option(options, "tmp\0");
	127	swap = fstab_test_option(options, "swap\0");
f5e65279	128	netdev = fstab_test_option(options, "_netdev\0");
14228c0d	129
6e866b33 MB	130	if (tmp && swap)
	131	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	132	"Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.",
	133	name);
663996b3	134
52ad194e MB	135	name_escaped = specifier_escape(name);
	136	if (!name_escaped)
	137	return log_oom();
	138
60f067b4 JS	139	e = unit_name_escape(name);
	140	if (!e)
	141	return log_oom();
	142
663996b3 MS	143	u = fstab_node_to_udev_node(device);
	144	if (!u)
	145	return log_oom();
	146
1d42b86d MB	147	r = unit_name_build("systemd-cryptsetup", e, ".service", &n);
	148	if (r < 0)
	149	return log_error_errno(r, "Failed to generate unit name: %m");
	150
52ad194e MB	151	u_escaped = specifier_escape(u);
	152	if (!u_escaped)
	153	return log_oom();
	154
e3bff60a MP	155	r = unit_name_from_path(u, ".device", &d);
	156	if (r < 0)
	157	return log_error_errno(r, "Failed to generate unit name: %m");
663996b3	158
1d42b86d MB	159	if (password) {
	160	password_escaped = specifier_escape(password);
	161	if (!password_escaped)
	162	return log_oom();
	163	}
663996b3	164
6e866b33 MB	165	if (keydev && !password)
	166	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	167	"Key device is specified, but path to the password file is missing.");
	168
1d42b86d MB	169	r = generator_open_unit_file(arg_dest, NULL, n, &f);
	170	if (r < 0)
	171	return r;
52ad194e	172
f5e65279	173	fprintf(f,
f5e65279 MB	174	"[Unit]\n"
	175	"Description=Cryptography Setup for %%I\n"
	176	"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
	177	"SourcePath=/etc/crypttab\n"
	178	"DefaultDependencies=no\n"
	179	"Conflicts=umount.target\n"
	180	"IgnoreOnIsolate=true\n"
	181	"After=%s\n",
52ad194e	182	netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
663996b3	183
6e866b33 MB	184	if (keydev) {
	185	_cleanup_free_ char unit = NULL, p = NULL;
	186
	187	r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
	188	if (r < 0)
	189	return log_error_errno(r, "Failed to generate keydev mount unit: %m");
	190
	191	p = prefix_root(keydev_mount, password_escaped);
	192	if (!p)
	193	return log_oom();
	194
	195	free_and_replace(password_escaped, p);
	196	}
	197
663996b3 MS	198	if (!nofail)
663996b3 MS	199	fprintf(f,
f5e65279 MB	200	"Before=%s\n",
f5e65279 MB	201	netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
663996b3 MS	202
663996b3 MS	203	if (password) {
6e866b33	204	if (PATH_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
52ad194e	205	fputs("After=systemd-random-seed.service\n", f);
f5e65279	206	else if (!STR_IN_SET(password, "-", "none")) {
60f067b4 JS	207	_cleanup_free_ char *uu;
	208
	209	uu = fstab_node_to_udev_node(password);
	210	if (!uu)
	211	return log_oom();
	212
e842803a	213	if (!path_equal(uu, "/dev/null")) {
60f067b4	214
f5e65279	215	if (path_startswith(uu, "/dev/")) {
e3bff60a	216	_cleanup_free_ char *dd = NULL;
60f067b4	217
e3bff60a MP	218	r = unit_name_from_path(uu, ".device", &dd);
	219	if (r < 0)
	220	return log_error_errno(r, "Failed to generate unit name: %m");
e842803a MB	221
	222	fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
	223	} else
52ad194e	224	fprintf(f, "RequiresMountsFor=%s\n", password_escaped);
e842803a	225	}
60f067b4	226	}
663996b3 MS	227	}
663996b3 MS	228
f5e65279	229	if (path_startswith(u, "/dev/")) {
663996b3 MS	230	fprintf(f,
	231	"BindsTo=%s\n"
	232	"After=%s\n"
	233	"Before=umount.target\n",
	234	d, d);
2897b343 MP	235
2897b343 MP	236	if (swap)
52ad194e MB	237	fputs("Before=dev-mapper-%i.swap\n",
52ad194e MB	238	f);
2897b343	239	} else
6e866b33 MB	240	/* For loopback devices, add systemd-tmpfiles-setup-dev.service
	241	dependency to ensure that loopback support is available in
	242	the kernel (/dev/loop-control needs to exist) */
663996b3	243	fprintf(f,
6e866b33 MB	244	"RequiresMountsFor=%s\n"
	245	"Requires=systemd-tmpfiles-setup-dev.service\n"
	246	"After=systemd-tmpfiles-setup-dev.service\n",
52ad194e MB	247	u_escaped);
52ad194e MB	248
e842803a MB	249	r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
	250	if (r < 0)
	251	return r;
	252
1d42b86d MB	253	if (filtered) {
	254	filtered_escaped = specifier_escape(filtered);
	255	if (!filtered_escaped)
	256	return log_oom();
	257	}
52ad194e	258
663996b3 MS	259	fprintf(f,
	260	"\n[Service]\n"
	261	"Type=oneshot\n"
	262	"RemainAfterExit=yes\n"
	263	"TimeoutSec=0\n" /* the binary handles timeouts anyway */
f5e65279	264	"KeyringMode=shared\n" /* make sure we can share cached keys among instances */
663996b3 MS	265	"ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
663996b3 MS	266	"ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
52ad194e MB	267	name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped),
52ad194e MB	268	name_escaped);
663996b3	269
14228c0d	270	if (tmp)
663996b3 MS	271	fprintf(f,
663996b3 MS	272	"ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
52ad194e	273	name_escaped);
663996b3	274
14228c0d	275	if (swap)
663996b3 MS	276	fprintf(f,
663996b3 MS	277	"ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
52ad194e	278	name_escaped);
663996b3	279
6e866b33 MB	280	if (keydev)
	281	fprintf(f,
	282	"ExecStartPost=" UMOUNT_PATH " %s\n\n",
	283	keydev_mount);
	284
e3bff60a MP	285	r = fflush_and_check(f);
e3bff60a MP	286	if (r < 0)
1d42b86d	287	return log_error_errno(r, "Failed to write unit file %s: %m", n);
663996b3	288
663996b3	289	if (!noauto) {
f5e65279 MB	290	r = generator_add_symlink(arg_dest, d, "wants", n);
	291	if (r < 0)
	292	return r;
663996b3	293
f5e65279 MB	294	r = generator_add_symlink(arg_dest,
	295	netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
	296	nofail ? "wants" : "requires", n);
	297	if (r < 0)
	298	return r;
663996b3 MS	299	}
663996b3 MS	300
f5e65279 MB	301	dmname = strjoina("dev-mapper-", e, ".device");
	302	r = generator_add_symlink(arg_dest, dmname, "requires", n);
	303	if (r < 0)
	304	return r;
663996b3 MS	305
663996b3 MS	306	if (!noauto && !nofail) {
5eef597e	307	r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
e842803a MB	308	"# Automatically generated by systemd-cryptsetup-generator \n\n"
e842803a MB	309	"[Unit]\nJobTimeoutSec=0");
f47781d8 MP	310	if (r < 0)
	311	return log_error_errno(r, "Failed to write device drop-in: %m");
	312	}
	313
	314	return 0;
	315	}
	316
6e866b33 MB	317	static crypto_device* crypt_device_free(crypto_device *d) {
	318	if (!d)
	319	return NULL;
	320
52ad194e MB	321	free(d->uuid);
52ad194e MB	322	free(d->keyfile);
6e866b33	323	free(d->keydev);
52ad194e MB	324	free(d->name);
52ad194e MB	325	free(d->options);
6e866b33	326	return mfree(d);
f47781d8 MP	327	}
	328
	329	static crypto_device get_crypto_device(const char uuid) {
	330	int r;
	331	crypto_device *d;
	332
	333	assert(uuid);
	334
	335	d = hashmap_get(arg_disks, uuid);
	336	if (!d) {
	337	d = new0(struct crypto_device, 1);
	338	if (!d)
	339	return NULL;
	340
	341	d->create = false;
	342	d->keyfile = d->options = d->name = NULL;
	343
	344	d->uuid = strdup(uuid);
8a584da2 MP	345	if (!d->uuid)
8a584da2 MP	346	return mfree(d);
f47781d8 MP	347
f47781d8 MP	348	r = hashmap_put(arg_disks, d->uuid, d);
60f067b4	349	if (r < 0) {
f47781d8	350	free(d->uuid);
8a584da2	351	return mfree(d);
60f067b4	352	}
663996b3 MS	353	}
663996b3 MS	354
f47781d8	355	return d;
663996b3 MS	356	}
663996b3 MS	357
8a584da2	358	static int parse_proc_cmdline_item(const char key, const char value, void *data) {
f47781d8	359	_cleanup_free_ char uuid = NULL, uuid_value = NULL;
2897b343 MP	360	crypto_device *d;
2897b343 MP	361	int r;
663996b3	362
2897b343	363	if (streq(key, "luks")) {
663996b3	364
2897b343	365	r = value ? parse_boolean(value) : 1;
60f067b4	366	if (r < 0)
2897b343	367	log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value);
60f067b4 JS	368	else
60f067b4 JS	369	arg_enabled = r;
663996b3	370
2897b343	371	} else if (streq(key, "luks.crypttab")) {
14228c0d	372
2897b343	373	r = value ? parse_boolean(value) : 1;
60f067b4	374	if (r < 0)
2897b343	375	log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value);
60f067b4 JS	376	else
60f067b4 JS	377	arg_read_crypttab = r;
14228c0d	378
2897b343 MP	379	} else if (streq(key, "luks.uuid")) {
	380
	381	if (proc_cmdline_value_missing(key, value))
	382	return 0;
14228c0d	383
f47781d8 MP	384	d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
f47781d8 MP	385	if (!d)
60f067b4	386	return log_oom();
663996b3	387
f47781d8 MP	388	d->create = arg_whitelist = true;
f47781d8 MP	389
2897b343 MP	390	} else if (streq(key, "luks.options")) {
	391
	392	if (proc_cmdline_value_missing(key, value))
	393	return 0;
663996b3	394
f47781d8 MP	395	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	396	if (r == 2) {
	397	d = get_crypto_device(uuid);
	398	if (!d)
	399	return log_oom();
	400
2897b343	401	free_and_replace(d->options, uuid_value);
f47781d8	402	} else if (free_and_strdup(&arg_default_options, value) < 0)
60f067b4	403	return log_oom();
663996b3	404
2897b343	405	} else if (streq(key, "luks.key")) {
6e866b33 MB	406	size_t n;
	407	_cleanup_free_ char keyfile = NULL, keydev = NULL;
	408	char *c;
	409	const char *keyspec;
2897b343 MP	410
	411	if (proc_cmdline_value_missing(key, value))
	412	return 0;
663996b3	413
6e866b33 MB	414	n = strspn(value, LETTERS DIGITS "-");
	415	if (value[n] != '=') {
	416	if (free_and_strdup(&arg_default_keyfile, value) < 0)
	417	return log_oom();
	418	return 0;
	419	}
	420
	421	uuid = strndup(value, n);
	422	if (!uuid)
	423	return log_oom();
	424
	425	if (!id128_is_valid(uuid)) {
	426	log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
	427	return 0;
	428	}
f47781d8	429
6e866b33 MB	430	d = get_crypto_device(uuid);
6e866b33 MB	431	if (!d)
60f067b4	432	return log_oom();
663996b3	433
6e866b33 MB	434	keyspec = value + n + 1;
	435	c = strrchr(keyspec, ':');
	436	if (c) {
	437	*c = '\0';
	438	keyfile = strdup(keyspec);
	439	keydev = strdup(c + 1);
	440
	441	if (!keyfile \|\| !keydev)
	442	return log_oom();
	443	} else {
	444	/* No keydev specified */
	445	keyfile = strdup(keyspec);
	446	if (!keyfile)
	447	return log_oom();
	448	}
	449
	450	free_and_replace(d->keyfile, keyfile);
	451	free_and_replace(d->keydev, keydev);
2897b343 MP	452	} else if (streq(key, "luks.name")) {
	453
	454	if (proc_cmdline_value_missing(key, value))
	455	return 0;
f47781d8 MP	456
	457	r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
	458	if (r == 2) {
	459	d = get_crypto_device(uuid);
	460	if (!d)
	461	return log_oom();
	462
	463	d->create = arg_whitelist = true;
	464
52ad194e	465	free_and_replace(d->name, uuid_value);
f47781d8 MP	466	} else
f47781d8 MP	467	log_warning("Failed to parse luks name switch %s. Ignoring.", value);
e842803a	468	}
663996b3 MS	469
	470	return 0;
	471	}
	472
f47781d8	473	static int add_crypttab_devices(void) {
663996b3	474	_cleanup_fclose_ FILE *f = NULL;
6e866b33 MB	475	unsigned crypttab_line = 0;
	476	struct stat st;
	477	int r;
663996b3	478
f47781d8 MP	479	if (!arg_read_crypttab)
	480	return 0;
	481
	482	f = fopen("/etc/crypttab", "re");
	483	if (!f) {
	484	if (errno != ENOENT)
	485	log_error_errno(errno, "Failed to open /etc/crypttab: %m");
	486	return 0;
663996b3 MS	487	}
663996b3 MS	488
52ad194e MB	489	(void) __fsetlocking(f, FSETLOCKING_BYCALLER);
52ad194e MB	490
f47781d8 MP	491	if (fstat(fileno(f), &st) < 0) {
	492	log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
	493	return 0;
	494	}
663996b3	495
f47781d8	496	for (;;) {
6e866b33	497	_cleanup_free_ char line = NULL, name = NULL, device = NULL, keyfile = NULL, *options = NULL;
f47781d8	498	crypto_device *d = NULL;
6e866b33 MB	499	char l, uuid;
6e866b33 MB	500	int k;
663996b3	501
6e866b33 MB	502	r = read_line(f, LONG_LINE_MAX, &line);
	503	if (r < 0)
	504	return log_error_errno(r, "Failed to read /etc/crypttab: %m");
	505	if (r == 0)
f47781d8	506	break;
60f067b4	507
f47781d8	508	crypttab_line++;
663996b3	509
f47781d8	510	l = strstrip(line);
6e866b33	511	if (IN_SET(l[0], 0, '#'))
f47781d8	512	continue;
663996b3	513
f47781d8 MP	514	k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
	515	if (k < 2 \|\| k > 4) {
	516	log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
	517	continue;
	518	}
663996b3	519
6e866b33	520	uuid = STARTSWITH_SET(device, "UUID=", "luks-");
f47781d8 MP	521	if (!uuid)
f47781d8 MP	522	uuid = path_startswith(device, "/dev/disk/by-uuid/");
f47781d8 MP	523	if (uuid)
f47781d8 MP	524	d = hashmap_get(arg_disks, uuid);
663996b3	525
f47781d8 MP	526	if (arg_whitelist && !d) {
	527	log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
	528	continue;
663996b3 MS	529	}
663996b3 MS	530
6e866b33	531	r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
f47781d8 MP	532	if (r < 0)
f47781d8 MP	533	return r;
663996b3	534
f47781d8 MP	535	if (d)
	536	d->create = false;
	537	}
663996b3	538
f47781d8 MP	539	return 0;
f47781d8 MP	540	}
663996b3	541
f47781d8 MP	542	static int add_proc_cmdline_devices(void) {
	543	int r;
	544	Iterator i;
	545	crypto_device *d;
663996b3	546
f47781d8 MP	547	HASHMAP_FOREACH(d, arg_disks, i) {
	548	const char *options;
	549	_cleanup_free_ char *device = NULL;
663996b3	550
f47781d8 MP	551	if (!d->create)
f47781d8 MP	552	continue;
663996b3	553
f47781d8 MP	554	if (!d->name) {
	555	d->name = strappend("luks-", d->uuid);
	556	if (!d->name)
	557	return log_oom();
	558	}
663996b3	559
f47781d8 MP	560	device = strappend("UUID=", d->uuid);
	561	if (!device)
	562	return log_oom();
14228c0d	563
f47781d8 MP	564	if (d->options)
	565	options = d->options;
	566	else if (arg_default_options)
	567	options = arg_default_options;
	568	else
	569	options = "timeout=0";
60f067b4	570
6e866b33	571	r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
f47781d8 MP	572	if (r < 0)
f47781d8 MP	573	return r;
663996b3 MS	574	}
663996b3 MS	575
f47781d8 MP	576	return 0;
f47781d8 MP	577	}
663996b3	578
6e866b33 MB	579	DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(crypt_device_hash_ops, char, string_hash_func, string_compare_func,
6e866b33 MB	580	crypto_device, crypt_device_free);
663996b3	581
6e866b33 MB	582	static int run(const char dest, const char dest_early, const char *dest_late) {
6e866b33 MB	583	int r;
663996b3	584
6e866b33	585	assert_se(arg_dest = dest);
663996b3	586
6e866b33 MB	587	arg_disks = hashmap_new(&crypt_device_hash_ops);
	588	if (!arg_disks)
	589	return log_oom();
14228c0d	590
2897b343	591	r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX);
6e866b33 MB	592	if (r < 0)
6e866b33 MB	593	return log_warning_errno(r, "Failed to parse kernel command line: %m");
14228c0d	594
6e866b33 MB	595	if (!arg_enabled)
6e866b33 MB	596	return 0;
663996b3	597
2897b343 MP	598	r = add_crypttab_devices();
2897b343 MP	599	if (r < 0)
6e866b33	600	return r;
f47781d8	601
2897b343 MP	602	r = add_proc_cmdline_devices();
2897b343 MP	603	if (r < 0)
6e866b33	604	return r;
60f067b4	605
6e866b33	606	return 0;
663996b3	607	}
6e866b33 MB	608
6e866b33 MB	609	DEFINE_MAIN_GENERATOR_FUNCTION(run);