Allow explicit setting of CRYPTPATHMAP in /etc/buildkernel.conf.

This is useful for those whose LUKS filesystem does not reside on
a GPT partition (but e.g. on an MBR partition instead).

buildkernel

@@ -31,7 +31,7 @@ shopt -s nullglob
 # ********************** variables ********************* 
 PROGNAME="$(basename "${0}")"
 CONFFILE="/etc/${PROGNAME}.conf"
-VERSION="1.0.7"
+VERSION="1.0.8"
 DEFAULTEFIBOOTFILE="bootx64.efi"
 EFIBOOTFILE="${DEFAULTEFIBOOTFILE}"
 NEWVERSION="$(basename $(realpath "/usr/src/linux"))"
@@ -130,6 +130,8 @@ declare -A ALLMOUNTS
 declare -A ISUSBPART
 # used by menu-driven config setting
 declare -i CONFIGDIRTY=0
+# set if CRYPTPATHMAP declared in config file
+declare -i CRYPTPATHMAPFORCED=0
 # archived prior versions of key config variables
 PROCVARS=("EFIPARTUUID" "CRYPTPARTUUID" "KEYFILEPARTUUID" "LUKSKEYFILE" \
     "EFIBOOTDIR" "EFIBOOTFILE" "PLYMOUTHTHEME" "KEYMAP")
@@ -260,7 +262,7 @@ umount_all_remembered_mountpoints() {
     done
 }
 check_is_luks_volume() {
-    cryptsetup isLuks "${1}" || die "Partition with UUID '${1}' is not a LUKS volume"
+    cryptsetup isLuks "${1}" || die "Path '${1}' is not a LUKS volume"
 }
 partuuid_is_on_usb_device() {
     local CANONPART="$(readlink --canonicalize "${PARTUUIDDEVDIR}/${1,,}")"
@@ -296,10 +298,18 @@ source_etc_conf_file() {
     if [[ -v KEYFILEPARTUUID ]]; then
         KEYFILEPARTUUID="${KEYFILEPARTUUID,,}"
     fi
+    # remember if CRYPTPATHMAP set
+    if [[ -v CRYPTPATHMAP ]]; then
+        CRYPTPATHMAPFORCED=1
+    fi
 }
 setup_final_variables() {
     # post-processing once buildkernel.conf loaded
     # critical that EFIPARTUUID and CRYPTPARTUUID are defined...
+    # (NB - buildkernel now also supports a LUKS filesystem that does not live
+    # in a GPT partition - you can simply override CRYPTPATHMAP directly in
+    # buildkernel.conf. If you set this, then CRYPTPARTUUID will not be checked
+    # and its contents (if any) will be ignored.)
     if [ -z ${EFIPARTUUID+xxx} ]; then
         warning "EFIPARTUUID not set in ${CONFFILE}"
         if test_yn "Would you like to run --easy-setup now to fix this"; then
@@ -309,7 +319,17 @@ setup_final_variables() {
             die "Cannot proceed; please edit ${CONFFILE} manually"
         fi
     fi
-    if [ -z ${CRYPTPARTUUID+xxx} ]; then
+    if ((CRYPTPATHMAPFORCED==1)); then
+        if [ -z "${CRYPTPATHMAP}" ]; then
+            die "CRYPTPATHMAP set to empty string in ${CONFFILE}; cannot proceed"
+        fi
+        warning "CRYPTPATHMAP defined in ${CONFFILE}"
+        warning "CRYPTPARTUUID will be ignored"
+        # check it
+        if ! cryptsetup isLuks "${CRYPTPATHMAP}"; then
+            die "CRYPTPATHMAP ('${CRYPTPATHMAP}') does not specify a LUKS filesystem"
+        fi
+    elif [ -z ${CRYPTPARTUUID+xxx} ]; then
         warning "CRYPTPARTUUID not set in ${CONFFILE}"
         if test_yn "Would you like to run --easy-setup now to fix this"; then
             interactively_set_buildkernel_config
@@ -324,7 +344,9 @@ setup_final_variables() {
         PLYMOUTHTHEME=""
     fi
     EFIPATHMAP="${PARTUUIDDEVDIR}/${EFIPARTUUID}"
-    CRYPTPATHMAP="${PARTUUIDDEVDIR}/${CRYPTPARTUUID}"
+    if ((CRYPTPATHMAPFORCED==0)); then
+        CRYPTPATHMAP="${PARTUUIDDEVDIR}/${CRYPTPARTUUID}"
+    fi # otherwise, leave it as set
     # assume keyfile is also on the EFI system partition, unless KEYFILEPARTUUID
     # has been set explicitly in buildkernel.conf
     KEYFILEPARTUUID="${KEYFILEPARTUUID:-${EFIPARTUUID}}"
@@ -526,7 +548,14 @@ warn_if_buildkernel_config_incomplete() {
         warning "EFIPARTUUID not set in ${CONFFILE}"
         WILLRUN=0
     fi
-    if [[ ! -v CRYPTPARTUUID ]]; then
+    if ((CRYPTPATHMAPFORCED==1)); then
+        if [ -z "${CRYPTPATHMAP}" ]; then
+            warning "CRYPTPATHMAP set to empty string in ${CONFFILE}"
+            WILLRUN=0
+        fi
+        warning "CRYPTPATHMAP defined in ${CONFFILE}"
+        warning "CRYPTPARTUUID will be ignored"
+    elif [[ ! -v CRYPTPARTUUID ]]; then
         warning "CRYPTPARTUUID not set in ${CONFFILE}"
         WILLRUN=0
     fi
@@ -720,7 +749,12 @@ show_current_key_config_status() {
     show "Current configuration (from ${CONFFILE}${MODFLAG}):"
     printf "\n"
     printf "  EFI system partition UUID:  %-36s\n" "${EFIPARTUUID:-NEEDS SETTING}"
-    printf "  LUKS root partition UUID:   %-36s\n" "${CRYPTPARTUUID:-NEEDS SETTING}"
+    if ((CRYPTPATHMAPFORCED==0)); then
+        printf "  LUKS root partition UUID:   %-36s\n" "${CRYPTPARTUUID:-NEEDS SETTING}"
+    else
+        printf "  LUKS root partition UUID:   %-36s\n" "IGNORED, OVERRIDDEN BY CRYPTPATHMAP"
+        printf "    (to '%s')\n" "${CRYPTPATHMAP}"
+    fi
     printf "  GPG keyfile partition UUID: %-36s\n" "${KEYFILEPARTUUID:-DEFAULT (=EFI system partition UUID)}"
     printf "  GPG keyfile (for LUKS):     %-36s\n" "${LUKSKEYFILE:-NONE (using fallback passphrase)}"
     printf "  EFI boot directory:         %-36s\n" "${EFIBOOTDIR:-NEEDS SETTING}"
@@ -1175,7 +1209,6 @@ copy_file_from_partition_to_partition() {
 }
 ask_whether_to_proceed() {
     show "Secure-bootable EFI kernel build script"
-    check_partuuid_exists "${CRYPTPARTUUID}"
     check_is_luks_volume "${CRYPTPATHMAP}"
     if ((ARG_COPYFROMSTAGING==1)); then
         show "Will copy built kernel from ${BOOTDIR} to ${FULLEFIBOOTDIR}"

buildkernel.8

@@ -1,4 +1,4 @@
-.TH BUILDKERNEL 8 "Version 1.0.7: October 2014"
+.TH BUILDKERNEL 8 "Version 1.0.8: November 2014"
 .SH NAME
 buildkernel \- build secure boot kernel, save to EFI system partition
 .SH SYNOPSIS
@@ -196,9 +196,17 @@ partition is secured with by a
 \fBgpg\fR(1) encrypted keyfile. At boot, you are prompted to enter the
 passphrase for this file. Because both the keyfile, and a passphrase to unlock
 it, are required, dual-factor security is obtained.
+
+Also, please note that it is assumed that your \fBLUKS\fR filesystem exists on the
+partition of a GPT-formatted drive; if this is \fInot\fR the case (for example, if
+you have your \fBLUKS\fR filesystem on an MBR partition, or if you have luksFormat-ed
+a top-level drive, rather than a partition within it),
+then you should instead set the \fBLUKS\fR path directly, via the
+\fBCRYPTPATHMAP\fR variable (see the \fBbuildkernel.conf\fR(5) manpage).
+(Most users will \fInot\fR need to do this, however.)
 .br
 .PP
-Please see the \fB/etc/buildkernel.conf\fR(5) manpage for additional optional,
+Please see the \fBbuildkernel.conf\fR(5) manpage for additional optional,
 but important, variables which may be set (including \fBKEYMAP\fR to specify
 the early-boot keymap).
 .SH EXIT STATUS

buildkernel.conf

@@ -6,11 +6,21 @@
 # replace with an appropriate value (find with lsblk and blkid) for your system
 #EFIPARTUUID="2498f874-ad8f-484e-8aba-81ac1c9665b6"
 
-# following is the partuuid of your LUKS partition
+# following is the partuuid of your LUKS partition (if on a GPT drive)
 # (usually, this will be a partition of a fixed drive in your machine)
 # replace with an appropriate value (find with lsblk and blkid) for your system
 #CRYPTPARTUUID="8111286a-d24e-4ba2-b6af-d0650fab4130"
 
+# if your LUKS filesystem is NOT on a GPT partition (for example, if it is
+# on an MBR partition, or if you have luksFormat-ed a top-level drive, rather
+# than a partition within it), then you must uncomment and set the following
+# variable (use "ls -l /dev/disk/by-uuid" to locate the correct path)
+# NB - most users will NOT need to do this (it is a special case), and
+# should accordingly leave the variable commented out;
+# note also that if you set CRYPTPATHMAP directly in this manner, the
+# contents of CRYPTPARTUUID will be ignored
+#CRYPTPATHMAP="/dev/disk/by-uuid/01234567-89ab-cdef-0123-456789abcdef"
+
 # if your LUKS keyfile is not on your EFI system partition (for example,
 # because you use a USB key to hold the keyfile, but have created an EFI
 # system partition on the machine's main drive), then uncomment the below

buildkernel.conf.5

@@ -1,4 +1,4 @@
-.TH BUILDKERNEL 5 "Version 1.0.7: October 2014"
+.TH BUILDKERNEL 5 "Version 1.0.8: November 2014"
 .SH NAME
 buildkernel.conf \- a configuration file for \fBbuildkernel\fR(8)
 .SH SYNOPSIS
@@ -43,13 +43,30 @@ directories).
 \fBgpg\fR(1) encrypted keyfile. At boot, you are prompted to enter the
 passphrase for this file. Because both the keyfile, and a passphrase to unlock
 it, are required, dual-factor security is obtained.
+
+Also, please note that it is assumed that your \fBLUKS\fR filesystem exists on the
+partition of a GPT-formatted drive; if this is \fInot\fR the case (for example, if
+you have your \fBLUKS\fR filesystem on an MBR partition, or if you have luksFormat-ed
+a top-level drive, rather than a partition within it), then you should instead
+set the \fBLUKS\fR path directly, via the
+\fBCRYPTPATHMAP\fR variable (see below).
+(Most users will \fInot\fR need to do this, however.)
 .RE
 
 The following variables are optional, and \fImay\fR be set 
 in \fB/etc/buildkernel.conf\fR if their defaults
 are not suitable for your system:
 .RS
 .TP
+.BR CRYPTPATHMAP
+If, for some reason, your LUKS filesystem does \fInot\fR exist on a GPT
+partition, then you can uncomment this variable, and set it to
+the correct path directly (where possible, use \fI/dev/disk/by-uuid/<...>\fR
+as the value). This feature is provided as a convenience only; most users should
+not need to use it (and so should leave the \fBCRYPTPATHMAP\fR variable
+commented out).
+.br
+.TP
 .BR KEYFILEPARTUUID
 This should be set to the partition UUID of the partition containing your
 \fBgpg\fR(1)-encrypted keyfile, used to unlock the \fBLUKS\fR partition (see