From 0d250492b5ce1f01040898da7eba7db5df4f07be Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Fri, 26 Feb 2016 23:31:31 +0100
Subject: drop shell script and implement with systemd units

---
 mkinitcpio/ykfde | 12 ++++--------
 systemd/ykfde-2f | 18 ------------------
 systemd/ykfde-2f.service | 2 +-
 systemd/ykfde-notify.service | 18 ++++++++++++++++++
 4 files changed, 23 insertions(+), 27 deletions(-)
 delete mode 100644 systemd/ykfde-2f
 create mode 100644 systemd/ykfde-notify.service
diff --git a/mkinitcpio/ykfde b/mkinitcpio/ykfde
index 5a407f5..4932dfd 100644
--- a/mkinitcpio/ykfde
+++ b/mkinitcpio/ykfde
@@ -11,15 +11,11 @@ build() {
 add_systemd_unit cryptsetup-pre.target
 add_systemd_unit ykfde-2f.service
 add_symlink /usr/lib/systemd/system/sysinit.target.wants/ykfde-2f.service ../ykfde-2f.service
- add_file /usr/lib/systemd/scripts/ykfde-2f
+ add_systemd_unit ykfde-notify.service
+ add_symlink /usr/lib/systemd/system/sysinit.target.wants/ykfde-notify.service ../ykfde-notify.service
 add_binary systemd-ask-password
-
- # shell and commands
- local applet
- add_binary /usr/lib/initcpio/busybox /usr/bin/busybox
- for applet in cat kill sh sleep; do
- add_symlink "/usr/bin/${applet}" busybox
- done
+ add_binary pkill
+ add_binary sleep
 fi
 }
diff --git a/systemd/ykfde-2f b/systemd/ykfde-2f
deleted file mode 100644
index c34bde8..0000000
--- a/systemd/ykfde-2f
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-# (C) 2016 by Christian Hesse
-#
-# This software may be used and distributed according to the terms
-# of the GNU General Public License, incorporated herein by reference.
-
-systemd-ask-password --no-tty --keyname='ykfde-2f' 'Please enter second factor for Yubikey full disk encryption!' >/dev/null
-
-if [ -s '/run/ykfde.pid' ]; then
- kill -USR1 $(cat '/run/ykfde.pid')
- # ykfde started from udev needs a moment to set up the key
- # in store. It is out of systemd control, so wait a moment
- # here.
- sleep 0.2
-fi
-
-true
diff --git a/systemd/ykfde-2f.service b/systemd/ykfde-2f.service
index cfdab43..f514c7d 100644
--- a/systemd/ykfde-2f.service
+++ b/systemd/ykfde-2f.service
@@ -14,4 +14,4 @@ ConditionPathExists=/etc/ykfde.d/
 Type=oneshot
 RemainAfterExit=yes
 TimeoutSec=0
-ExecStart=/usr/lib/systemd/scripts/ykfde-2f
+ExecStart=/usr/bin/systemd-ask-password --no-tty --keyname='ykfde-2f' 'Please enter second factor for Yubikey full disk encryption!'
diff --git a/systemd/ykfde-notify.service b/systemd/ykfde-notify.service
new file mode 100644
index 0000000..e77f634
--- /dev/null
+++ b/systemd/ykfde-notify.service
@@ -0,0 +1,18 @@
+# (C) 2016 by Christian Hesse
+#
+# This software may be used and distributed according to the terms
+# of the GNU General Public License, incorporated herein by reference.
+
+[Unit]
+Description=Notify ykfde about key
+DefaultDependencies=no
+Before=cryptsetup-pre.target
+Wants=cryptsetup-pre.target
+Requires=ykfde-2f.service
+ConditionPathExists=/run/ykfde.pid
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/pkill -USR1 --pidfile /run/ykfde.pid
+ExecStart=/usr/bin/sleep 0.2
-- 
cgit v1.2.3-54-g00ecf
From 4ee8fd45b82298b5de86e617c449fe53fd45ff84 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Fri, 26 Feb 2016 23:34:47 +0100
Subject: fix start order of units

---
 systemd/ykfde-notify.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/systemd/ykfde-notify.service b/systemd/ykfde-notify.service
index e77f634..b2ddc72 100644
--- a/systemd/ykfde-notify.service
+++ b/systemd/ykfde-notify.service
@@ -9,6 +9,7 @@ DefaultDependencies=no
 Before=cryptsetup-pre.target
 Wants=cryptsetup-pre.target
 Requires=ykfde-2f.service
+After=ykfde-2f.service
 ConditionPathExists=/run/ykfde.pid
 
 [Service]
-- 
cgit v1.2.3-54-g00ecf
From 9bed4cc764820595c6a8f713a80b10f71a0dc3cc Mon Sep 17 00:00:00 2001
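Review bot: The `pkill -USR1 --pidfile /run/ykfde.pid` line in the new systemd/ykfde-notify.service signals whatever PID the file holds, with no check that the process is still ykfde. If the udev-started helper has exited and left the file behind, the signal could reach an unrelated process, and SIGUSR1 terminates a process that installs no handler for it. pkill combines its selection criteria, so adding a name pattern narrows the match, e.g. `ExecStart=/usr/bin/pkill -USR1 --pidfile /run/ykfde.pid ykfde` (this assumes the helper's process name is ykfde, which the hunk does not show). A short comment above that line stating what ykfde is expected to do on SIGUSR1 would make the unit readable on its own.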
From: Christian Hesse
Date: Tue, 1 Mar 2016 22:06:22 +0100
Subject: do not write password to log

This requires systemd-ask-password with option --no-output, so it depends on systemd v230 (or commit a5a4e365).
---
 systemd/ykfde-2f.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/ykfde-2f.service b/systemd/ykfde-2f.service
index f514c7d..33f034f 100644
--- a/systemd/ykfde-2f.service
+++ b/systemd/ykfde-2f.service
@@ -14,4 +14,4 @@ ConditionPathExists=/etc/ykfde.d/
 Type=oneshot
 RemainAfterExit=yes
 TimeoutSec=0
-ExecStart=/usr/bin/systemd-ask-password --no-tty --keyname='ykfde-2f' 'Please enter second factor for Yubikey full disk encryption!'
+ExecStart=/usr/bin/systemd-ask-password --no-tty --no-output --keyname='ykfde-2f' 'Please enter second factor for Yubikey full disk encryption!'
-- 
cgit v1.2.3-54-g00ecf
From a264487008bbf0f3a47f2e57e1c1ec4472d18653 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 2 Mar 2016 22:06:24 +0100
Subject: add comment about sleep

Is there any better way than sleeping?
---
 systemd/ykfde-notify.service | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/systemd/ykfde-notify.service b/systemd/ykfde-notify.service
index b2ddc72..04a4d46 100644
--- a/systemd/ykfde-notify.service
+++ b/systemd/ykfde-notify.service
@@ -16,4 +16,7 @@ ConditionPathExists=/run/ykfde.pid
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/bin/pkill -USR1 --pidfile /run/ykfde.pid
+# ykfde started from udev needs a moment to set up the key
+# in store. It is out of systemd control, so wait a moment
+# here.
 ExecStart=/usr/bin/sleep 0.2
-- 
cgit v1.2.3-54-g00ecf
From 41702194d1609d377fd882682b1856b4ba40ca28 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Wed, 2 Mar 2016 22:14:36 +0100
Subject: update dependencies

---
 README-mkinitcpio.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README-mkinitcpio.md b/README-mkinitcpio.md
index 9f2ee4a..1d1833a 100644
--- a/README-mkinitcpio.md
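Review bot: The `--no-output` added to the ExecStart line of systemd/ykfde-2f.service ties the unit to systemd v230, as the commit message says, but neither the unit nor the README dependency list updated later in this series records that minimum version. On an older systemd-ask-password the unknown option would presumably make ExecStart fail, and because ykfde-notify.service has `Requires=ykfde-2f.service` and `After=ykfde-2f.service`, the notify step would then not run. `StandardOutput=null` in the `[Service]` section keeps the entered second factor out of the journal without relying on the newer option, and could be set in addition to it. The `[Service]` header lies above the hunk, so the placement is inferred from the context lines.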
+++ b/README-mkinitcpio.md
@@ -13,8 +13,10 @@ To compile and use yubikey full disk encryption you need:
 * [iniparser](http://ndevilla.free.fr/iniparser/)
 * [systemd](http://www.freedesktop.org/wiki/Software/systemd/)
 * [cryptsetup](http://code.google.com/p/cryptsetup/)
-* keyutils and linux with `CONFIG_KEYS`
+* keyutils and linux with `CONFIG_KEYS` enabled
 * [mkinitcpio](https://projects.archlinux.org/mkinitcpio.git/)
+* sleep (from [coreutils](http://www.gnu.org/software/coreutils)) and
+ pkill (from [procps-ng](https://gitlab.com/procps-ng/procps))
 * [markdown](http://daringfireball.net/projects/markdown/) (HTML documentation)
 * [libarchive](http://www.libarchive.org/) (Update challenge on boot)
-- 
cgit v1.2.3-54-g00ecf
From 12437c4719cc110f27cf01403d2d34422b7dee87 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Sun, 22 May 2016 20:43:06 +0200
Subject: do not install ykfde-2f but ykfde-notify.service

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 9dae5cd..8d116c7 100644
--- a/Makefile
+++ b/Makefile
@@ -42,7 +42,7 @@ install-bin: bin/ykfde udev/ykfde
 $(INSTALL) -D -m0755 grub/09_linux $(DESTDIR)/etc/grub.d/09_linux
 $(INSTALL) -D -m0644 systemd/ykfde.service $(DESTDIR)/usr/lib/systemd/system/ykfde.service
 $(INSTALL) -D -m0644 systemd/ykfde-2f.service $(DESTDIR)/usr/lib/systemd/system/ykfde-2f.service
- $(INSTALL) -D -m0755 systemd/ykfde-2f $(DESTDIR)/usr/lib/systemd/scripts/ykfde-2f
+ $(INSTALL) -D -m0755 systemd/ykfde-notify.service $(DESTDIR)/usr/lib/systemd/system/ykfde-notify.service
 $(INSTALL) -d -m0700 $(DESTDIR)/etc/ykfde.d/
 install-doc: README.html README-mkinitcpio.html README-dracut.html
-- 
cgit v1.2.3-54-g00ecf
From 21075238bba7c633fc84657322391664f1770368 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Sat, 28 May 2016 23:23:48 +0200
Subject: install systemd unit file without execute permission

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 8d116c7..e0b85a0 100644
--- a/Makefile
+++ b/Makefile
@@ -42,7 +42,7 @@ install-bin: bin/ykfde udev/ykfde
 $(INSTALL) -D -m0755 grub/09_linux $(DESTDIR)/etc/grub.d/09_linux
 $(INSTALL) -D -m0644 systemd/ykfde.service $(DESTDIR)/usr/lib/systemd/system/ykfde.service
 $(INSTALL) -D -m0644 systemd/ykfde-2f.service $(DESTDIR)/usr/lib/systemd/system/ykfde-2f.service
- $(INSTALL) -D -m0755 systemd/ykfde-notify.service $(DESTDIR)/usr/lib/systemd/system/ykfde-notify.service
+ $(INSTALL) -D -m0644 systemd/ykfde-notify.service $(DESTDIR)/usr/lib/systemd/system/ykfde-notify.service
 $(INSTALL) -d -m0700 $(DESTDIR)/etc/ykfde.d/
 install-doc: README.html README-mkinitcpio.html README-dracut.html
-- 
cgit v1.2.3-54-g00ecf