
#!/bin/sh
# Why not use "openct-tool rwait" instead of polling opensc-tool exit status?
# Well openct daemon has to be running which interferes with pcscd since both
# implement reader drivers, my particular CCID reader (SCM SCR331-LC1) doesn't
# work with the CCID driver in openct, however it does work with pcscd.
# Why not use "opensc-tool --wait" instead of polling opensc-tool exit status?
# Although opensc-tool --help reports that there is a --wait option, it doesn't
# seem to be implemented.
# Load the configuration file, then set default values for anything it leaves unset
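# Site configuration. The file is *sourced*, i.e. executed as shell code with
# this script's privileges (root, inside the initramfs), so it must only be
# writable by root. Skipping a missing file keeps a bare installation working
# on the defaults below instead of aborting the keyscript (a non-interactive
# POSIX shell such as dash treats a failed `.` as fatal).
if [ -r /etc/default/decrypt_pkcs ] ; then
    . /etc/default/decrypt_pkcs
fi
# Command (and args) whose exit status says whether a card is in the reader.
SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
SMARTCARD_PRESENCE_ARGS=${SMARTCARD_PRESENCE_ARGS:-'-n'}
# Command that deciphers the key blob with the card; the key path is appended
# right after DECIPHER_ARGS, so the last arg here must be the one taking it.
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'}
# Option that precedes the PIN when a UI helper collected it (empty = none).
DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'}
# 1 = let DECIPHER_MULTI_SCRIPT choose the key blob (see check_key), else use $1.
DECIPHER_MULTI=${DECIPHER_MULTI:-0}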
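# Detect a running plymouth splash so prompts and messages can go through it.
# Sets the global `plymouth` to 1 when the binary exists and answers --ping,
# 0 otherwise. The ping uses the same absolute path that was tested, so the
# existence check and the invocation cannot disagree about which binary is meant
# (the original resolved the call through PATH instead).
check_plymouth() {
    plymouth=0
    if [ -x /bin/plymouth ] && /bin/plymouth --ping >/dev/null 2>&1 ; then
        plymouth=1
    fi
}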
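# Detect the on-screen keyboard (osk-sdl) used for PIN entry on touch devices.
# Sets the global `osk_sdl` to 1 and exports the environment the tool needs
# to draw on the bare KMS framebuffer; 0 otherwise. Tests executability, not
# mere existence, since a non-executable file would later fail at run time.
check_osk_sdl() {
    osk_sdl=0
    if [ -x /usr/bin/osk-sdl ] ; then
        osk_sdl=1
        export ETNA_MESA_DEBUG=no_supertile
        export SDL_VIDEODRIVER=kmsdrm
    fi
}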
# Probe the reader once. Sets the global `cardfound` to 1 when the configured
# presence command succeeds, 0 when it fails; its output is discarded.
# Both variables are deliberately left unquoted so a configured command line
# ("tool --opt") is word-split into command and arguments.
check_card() {
    # shellcheck disable=SC2086
    if $SMARTCARD_PRESENCE_COMMAND $SMARTCARD_PRESENCE_ARGS >/dev/null 2>&1 ; then
        cardfound=1
    else
        cardfound=0
    fi
}
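# Decide which encrypted key blob to decipher.
#   $1 - key path handed to this keyscript; used when DECIPHER_MULTI is not 1.
# Sets the globals KEY and (multi mode) DECIPHER_EXTRA_ARGS. In multi mode
# DECIPHER_MULTI_SCRIPT is run and its output is split on whitespace: the first
# word becomes KEY, the rest become DECIPHER_EXTRA_ARGS (the caller passes them
# unquoted, so they are word-split again). If multi mode is on but no script is
# configured, fall back to $1 with a warning instead of handing the decipher
# command an empty key path as before.
check_key() {
    key_arg=$1
    if [ "$DECIPHER_MULTI" = 1 ] && [ -n "$DECIPHER_MULTI_SCRIPT" ] ; then
        # shellcheck disable=SC2046,SC2086 -- the script's output is a
        # whitespace-separated word list by contract
        set -- $($DECIPHER_MULTI_SCRIPT)
        KEY=$1
        [ $# -gt 0 ] && shift
        DECIPHER_EXTRA_ARGS=$*
    else
        if [ "$DECIPHER_MULTI" = 1 ] ; then
            echo 'decrypt_pkcs: DECIPHER_MULTI=1 but DECIPHER_MULTI_SCRIPT is unset; using key argument' >&2
        fi
        KEY=$key_arg
    fi
}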
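# Show a diagnostic to the user: via plymouth when it is running, else on
# stderr. It must never touch stdout, because cryptsetup reads the key from
# this script's stdout and would take the message as key material.
#   $@ - message words, joined by single spaces
# The global `plymouth` is read defensively (unset counts as 0) so the
# function is safe even when called before check_plymouth.
log_message() {
    if [ "${plymouth:-0}" = 1 ] ; then
        plymouth display-message --text="$*" 2>/dev/null
    else
        printf '%s\n' "$*" >&2
    fi
}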
# Last resort when no smart card turned up: obtain a plain LUKS passphrase
# instead and emit it on stdout as the key.
#   plymouth=1, osk_sdl=1 : hide the splash, run osk-sdl, restore the splash
#   plymouth=1, osk_sdl=0 : plymouth ask-for-password prints the passphrase
#   plymouth=0, osk_sdl=1 : run osk-sdl directly
#   plymouth=0, osk_sdl=0 : see NOTE below
# Reads the globals plymouth, osk_sdl, CRYPTTAB_SOURCE and CRYPTTAB_NAME.
# Never returns to the caller: every path ends in exit (or panic).
fallback() {
    log_message 'Asking for passphrase'
    if [ $plymouth = 1 ] ; then
        if [ $osk_sdl = 1 ] ; then
            plymouth hide-splash 2>/dev/null
            # `panic` is not defined in this file -- presumably the initramfs
            # helper from /scripts/functions; confirm it is in scope here.
            # ${CRYPTTAB_SOURCE} is unquoted, unlike in the main flow; fine as
            # long as the device path contains no whitespace.
            /usr/bin/osk-sdl -d ${CRYPTTAB_SOURCE} -n "${CRYPTTAB_NAME}" -c /etc/osk.conf -v \
            || panic "Failure running osk-sdl. Good luck."
            plymouth show-splash 2>/dev/null
        else
            plymouth ask-for-password --prompt "Try LUKS password for $CRYPTTAB_NAME: " 2>/dev/null
            exit 0
        fi
    else
        if [ $osk_sdl = 1 ] ; then
            /usr/bin/osk-sdl -d ${CRYPTTAB_SOURCE} -n "${CRYPTTAB_NAME}" -c /etc/osk.conf -v \
            || panic "Failure running osk-sdl. Good luck."
        else
            # NOTE(review): `echo` does not read its stdin, so this writes one
            # empty line to stdout -- an empty key -- and exits 0. Presumably a
            # passphrase was meant to be read from the console here; confirm.
            echo </dev/console 2>/dev/console
            exit 0
        fi
    fi
    # NOTE(review): on the osk-sdl paths $? is the status of the last command
    # run (plymouth show-splash, or osk-sdl itself), which is what cryptsetup
    # will see as this keyscript's result.
    exit $?
}
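# Wait for a smart card to appear, polling the reader once per second.
# Returns as soon as the card is present. The poll budget comes from
# SMARTCARD_WAIT_TRIES (default 15, the previous hard-coded value) so slow
# readers can be accommodated from the config file. When the budget is
# exhausted: if the mapping already exists (someone else unlocked it) exit 0,
# otherwise hand over to fallback(), which never returns.
# Reads the globals cardfound (via check_card) and CRYPTTAB_NAME.
wait_card() {
    check_card
    if [ "$cardfound" = 1 ] ; then
        return 0
    fi
    log_message "Waiting for Smart Card..."
    wait_tries=0
    while [ "$cardfound" = 0 ] && [ "$wait_tries" -lt "${SMARTCARD_WAIT_TRIES:-15}" ] ; do
        sleep 1
        check_card
        wait_tries=$((wait_tries + 1))
    done
    if [ "$cardfound" = 0 ] ; then
        log_message 'Failed to find Smart Card card!'
        if [ -b "/dev/mapper/${CRYPTTAB_NAME}" ] ; then
            log_message 'Already decrypted'
            exit 0
        else
            fallback
        fi
    fi
}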
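# ---------------------------------------------------------------------------
# Main: cryptsetup keyscript entry point.
#   $1                              - key field from crypttab (encrypted key blob)
#   CRYPTTAB_NAME / CRYPTTAB_SOURCE - exported by cryptsetup for this mapping
# Protocol: the deciphered key is whatever the decipher command writes to
# stdout; everything else must go to stderr or plymouth, since any byte on
# stdout is taken as key material. The exit status goes back to cryptsetup.
# ---------------------------------------------------------------------------

# Collect the card PIN from whichever UI helper is available and print it on
# stdout. Only called when at least one of osk-sdl / plymouth is present.
read_pin() {
    if [ "$osk_sdl" = 1 ] ; then
        # Get pin number from osk_sdl
        /usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf
    else
        # Get pin number from plymouth
        plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME ($KEY): "
    fi
}

check_plymouth
check_osk_sdl
if [ -b "/dev/mapper/${CRYPTTAB_NAME}" ] ; then
    log_message 'Already decrypted'
    exit 0
fi
wait_card
# Inside check_key, $1 is the function's own argument, so the key path this
# script received has to be forwarded explicitly (the previous bare call left
# KEY empty in non-multi mode).
check_key "$1"

if [ "$plymouth" = 1 ] || [ "$osk_sdl" = 1 ] ; then
    # osk-sdl draws on the display itself, so the splash must get out of the way.
    if [ "$plymouth" = 1 ] && [ "$osk_sdl" = 1 ] ; then
        plymouth hide-splash 2>/dev/null
    fi
    pin=$(read_pin)
    # NOTE(review): the PIN is passed as a command-line argument and is thus
    # readable from /proc/<pid>/cmdline by any other process while the decipher
    # command runs. In a single-user initramfs that exposure is small, but a
    # stdin- or environment-based PIN source would be preferable if the
    # configured tool supports one -- confirm against its documentation.
    # shellcheck disable=SC2086 -- ARGS variables are deliberately word-split
    ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS $DECIPHER_ASK_PIN "$pin"
    rc=$?
    unset pin
    if [ "$plymouth" = 1 ] && [ "$osk_sdl" = 1 ] ; then
        plymouth show-splash 2>/dev/null
    fi
else
    # No UI helper: let the decipher command prompt for the PIN on the console.
    # shellcheck disable=SC2086
    ${DECIPHER_COMMAND} $DECIPHER_ARGS "$KEY" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console
    rc=$?
fi
# Report the decipher command's status -- previously the splash restore's
# status could mask a failed decipher on the plymouth+osk-sdl path.
exit $rc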