Merge pull request #194 from Olf0/sfos401+

Last commits for v1.5.1

systemd/system/cryptosd-luks@.service

@@ -2,8 +2,8 @@
 Description=Open %I per cryptsetup
 Documentation=https://github.com/Olf0/crypto-sdcard
 DefaultDependencies=no
-After=sysinit.target dev-%i.device
-Requisite=dev-%i.device
+After=sysinit.target dev-disk-by\x2duuid-%i.device
+Requisite=dev-disk-by\x2duuid-%i.device
 Requires=sysinit.target
 Conflicts=umount.target shutdown.target actdead.target factory-test.target
 Before=umount.target shutdown.target mount-cryptosd-luks@%i.service
@@ -12,7 +12,7 @@ Before=umount.target shutdown.target mount-cryptosd-luks@%i.service
 # harmless, disable it as long as benefits and potential consequences for the SFOS updater
 # are not properly evaluated:
 # IgnoreOnIsolate=true
-AssertFileNotEmpty=/etc/crypto-sdcard/%I.key
+AssertFileNotEmpty=/etc/crypto-sdcard/crypto_luks_%I.key
 
 [Service]
 Type=oneshot
@@ -22,7 +22,7 @@ RemainAfterExit=yes
 # ExecStartPre=/sbin/modprobe qcrypto
 # For various reasons (avoid (temporal) dependency on udisks2, allow for discards etc.), do
 # not use "udisksctl unlock --key-file", instead call cryptsetup directly:
-ExecStart=/usr/sbin/cryptsetup --allow-discards -d /etc/crypto-sdcard/%I.key luksOpen /dev/%I %I
+ExecStart=/usr/sbin/cryptsetup --allow-discards -d /etc/crypto-sdcard/crypto_luks_%I.key luksOpen /dev/disk/by-uuid/%I %I
 # "udisksctl mount" (in mount-cryptosd-luks@.service) sometimes fails when issued right after
 # "udisksd" (per "udisks2.service") has finished starting, because the udisks object for this
 # unlocked device has not been created yet.

systemd/system/cryptosd-plain@.service

@@ -12,7 +12,7 @@ Before=umount.target shutdown.target mount-cryptosd-plain@%i.service
 # harmless, disable it as long as benefits and potential consequences for the SFOS updater
 # are not properly evaluated:
 # IgnoreOnIsolate=true
-AssertFileNotEmpty=/etc/crypto-sdcard/%I.key
+AssertFileNotEmpty=/etc/crypto-sdcard/crypto_plain_%I.key
 
 [Service]
 Type=oneshot
@@ -24,7 +24,7 @@ EnvironmentFile=-/etc/crypto-sdcard/cryptosd@%I.conf
 # schemes as e.g. XTS:
 # ExecStartPre=/sbin/modprobe qcrypto
 # With workaround for https://github.com/systemd/systemd/issues/14560 :
-StandardInput=file:/etc/crypto-sdcard/%I.key
+StandardInput=file:/etc/crypto-sdcard/crypto_plain_%I.key
 StandardOutput=journal
 # "udisksctl unlock --key-file" does only work with LUKS "containers", not with "plain" ones,
 # thus call cryptsetup directly:

systemd/system/cryptosd.conf

@@ -1,11 +1,11 @@
 # This configuration file is part of the crypto-sdcard utility, see https://github.com/Olf0/crypto-sdcard/
-# crypto-sdcard evaluates configration files at these location in the following order:
+# crypto-sdcard evaluates its configuration files at these locations in the following order:
 # A file listed lower (i.e., evaluated later) can override settings made by an earlier one.
 # /etc/systemd/system/cryptosd.conf
 # /etc/crypto-sdcard/cryptosd.conf
-# Plus at last either device-specific configuration file:
-# /etc/crypto-sdcard/cryptosd@crypto_luks_<UUID>.conf
-# respectively /etc/crypto-sdcard/cryptosd@crypto_plain_<device-name>.conf
+# Plus at last either device-specific configuration file
+# /etc/crypto-sdcard/cryptosd@<UUID>.conf , respectively for "Cryptsetup 'plain' containers"
+# /etc/crypto-sdcard/cryptosd@<device-name>.conf
 # Do not alter or remove /etc/systemd/system/cryptosd.conf, because it will be redeployed by the next
 # update of crypto-sdcard!  Instead alter mount-sdcard's settings by creating one of the configuration
 # files in /etc/crypto-sdcard/: I.e., set or reset (per e.g., UDISKS2_MOUNT_OPTIONS="") specific options
@@ -22,6 +22,8 @@
 # LUKS header, there is currently nothing to set for opening LUKS "containers".
 
 # 2. Cryptsetup options for opening "plain containers"
+# These three options must exactly match the options a "Cryptsetup 'plain' containers" was created with.
+# The default options (below) are merely reasonable cryptography parameters for doing that today.
 CRYPTO_PLAIN_CIPHER="aes-xts-plain"
 # "aes-xts" is the only reasonable choice, the sole alternative (but much older, slower etc.) is
 # "aes-cbc-essiv:sha256".  "-plain64" is unnecessary on devices guaranteed to be smaller than 2 TB, 

udev/rules.d/96-cryptosd.rules

@@ -1,14 +1,14 @@
 # For DM-Crypt LUKS, match sda0 to mmcblk1 to both SUBSYSTEM=="block" and ENV{ID_FS_TYPE}=="crypto_LUKS"
-KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add", SYMLINK+="crypto_luks_%E{ID_FS_UUID}", TAG+="systemd", ENV{SYSTEMD_WANTS}="", PROGRAM=="/usr/bin/systemd-escape crypto_luks_%E{ID_FS_UUID}", RUN{program}+="/usr/bin/systemctl start cryptosd-luks@%c.service"
+KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-luks@.service %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="", RUN{program}+="/usr/bin/systemctl start %c"
 
 # For DM-Crypt "plain", also match sda0 to mmcblk1 to SUBSYSTEM=="block", but ensure (by ENV{ID_*}!= statements) that it appears to be unused space
 # Two rules, one for partitions and a tighter one for whole disks:
-KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add", SYMLINK+="crypto_plain_%k", TAG+="systemd", ENV{SYSTEMD_WANTS}="", PROGRAM=="/usr/bin/systemd-escape crypto_plain_%k", RUN{program}+="/usr/bin/systemctl start cryptosd-plain@%c.service"
-KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add", SYMLINK+="crypto_plain_%k", TAG+="systemd", ENV{SYSTEMD_WANTS}="", PROGRAM=="/usr/bin/systemd-escape crypto_plain_%k", RUN{program}+="/usr/bin/systemctl start cryptosd-plain@%c.service"
+KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}=="", ENV{ID_FS_TYPE}=="", ENV{ID_PART_TABLE_TYPE}=="", ACTION=="add", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'"
+KERNEL=="mmcblk1*|sd[a-z]*", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}=="", ENV{ID_FS_TYPE}=="", ACTION=="add", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'"
 
 # Carefully match resulting virtual node dm-* to trigger mounting it; see /lib/udev/rules.d/10-dm.rules for details
-KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_luks_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", TAG+="systemd", ENV{SYSTEMD_WANTS}="", PROGRAM=="/usr/bin/systemd-escape %E{DM_NAME}", RUN{program}+="/usr/bin/systemctl start mount-cryptosd-luks@%c.service"
+KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="????????-????-????-????-????????????|????-????", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_SYSTEM}="0", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="", RUN{program}+="/usr/bin/systemctl start %c"
 
 # Ditto for DM-Crypt "plain":
-KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", SYMLINK=="mapper/crypto_plain_*", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[1-9]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", TAG+="systemd", ENV{SYSTEMD_WANTS}="", PROGRAM=="/usr/bin/systemd-escape %E{DM_NAME}", RUN{program}+="/usr/bin/systemctl start mount-cryptosd-plain@%c.service"
+KERNEL=="dm-[0-9]*", SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk1*|sd[a-z]*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_SYSTEM}="0", TAG+="systemd", ENV{SYSTEMD_WANTS}="'mount-cryptosd-plain@%E{DM_NAME}.service'"