JFIF   ( %!1!%)+...383,7(-.+  ++-+++++-++-++--+--+-+-------+-++-+--+---+++--+7+-+"F!1AQaq"2BRb#3Sr$CDsT&!Q1Aa"2Rbq ?򉄘ǷLR HR,nNb .&W)fJbMOYxj-\bT2(4CQ"qiC/ " %0Jl"e2V  0SDd2@TV^{cW&F͉x9#l,.XɳvRZ C8S 6ml!@!E! `FS!M #(d)Q lml1ml Ų&x(ʨ2NFmj@D<dN5UN˄uTB emLAy#` ` ` I!I 6āHBxL & J#7BQ.$hv h q+tC"EJ) 8R e2U2Y@j%6PF^4LnNBp"8)4JI-ֲvK ^؊)hz[T5˗",Rҥf8ڤS4ʘ!`D ` X+ L,(hl)*S##`6[`0*L T H*HA@I&&r1kr*r*)N$#L  1#ZFSl `[( ("((he`4 Ch [="A R / 0I`twCDcWh"i) cLad\BcLKHZ"ZEW$Ƚ@A~i^`S *A&h:+c Y6vϕGClRPs.`H`(@<$qDe pL@DpLX, E2MP A  `II m& AQ "AT rbg# g2!SiLj*3L \ G;TFL`K BMy 2S`YLh1 d >-"ZfD^Q DH" RAbEV#Lfq,(rETp64-IJ!*p4F$q;G8DQ/TKP2$jp3KW]FtLtƉ1ol]VBgػJH6 )h61GJR7Nj.Z4piJRDd]t]0dP]:N.b'⹙SvDSz]L,_#ugT&[~?cS^"{Bh{/=ۑxOk̳O59o dar793`)SeYM@\ "$E(Tm&)N2Ih)F5EDed(FS,Pa @!@#@lea HCD$11jCLJqcod S3yd*,lL+QEfsgW1nw)cT#dS HXkFJB"6(ʝH)H"#EZh:Y`khݳh%Sc<mlAko2]gDqQtro=3OƸU9_-t8UvW3sGəg*#:c)><"wc\ASmT|6Ę>9~#1Ƈ~ڒE1vVi# I MM#u$8W 5ǍfƬΜg*Qpi1ȩFOf۔S,/⎯(Lrմ`(Z LsbA \6 6dm[I=!r:REI.wgzG)ԇSbӑxuׇTyyL^e'x^ty4Z&eB]I|v59Jjhm;Ng񷫳n<ϞҼѝjk;׹DlY^ҍ\+x9V!j([cmS.NO6jxNζrm&oײizT$N>?~ Sl-:iڥk\at#E!CL`.O0a*w/WV7/r)DŽt7'Nĵ#7O1 ]{[/-2bA<$&Gm_4t)_>)mjG;V^'k59o>ɌM,ؾf9z6 4v_3T.5V/RD-5 %T5XTޫ4TaZ`U *ƱUƲ UG"5+sJJ2E9#܎kr2G3Bb,XM6H: ?@p!'\4V02aԙ) hbZ]:` ev3ʘ'}!ohȒ*TJjr[RFyQ*#{h{R]J]Lr-.D-.җfo$D ?X0%~1P.Og{cWϫ22&Ϭ_V.W3nmiOl}+!˫#`kR33aUb0-g:qmsέ+0HO|&nhOn+}n5QF_"gvLm/z'+r'n_oC语i|1}Gi|}_D~9JZ_%DVQp\koۅjAs~/c0ksUJi^W9W5!>?O:q|ˣSIB/&K<(lg(%Wg$|LW7vߤW߇q|jef3D H\S6(eJb*@&sTKTW/*@v:.N- @ITʓ1Zg&-eꓝM r]EMס{q$b]'7Z7N:O~lNlP7iͲk)$O^퉢<YSD*hr'Z#5e6t[Fdh AJǔP9P 1\R).Il+jI*,(ܢ22N*OwKFX gc?\mB7iA+εe8 "ġ/p5pW-$މ-[a 5ViAW/V{/&UsF./՞ҕ*)rZg.^_+gt_z-oAbqQn*WlHyZ*\TaEewlLR3ԹȭN}MM}aih"5ܕRT$:~'TcT|*)xGC>n+r{XU xuF"<~67у'fxlf`r3D*#Z1ђfH`2dIWo/qB| 63xxW6^m%Kvg>\>x>!H5Nr8J/FJ9Wx(Hou" S'kWاC\9ְ#^OaҮ+~gnkuЉ,aWU*1 읍jnb|e= :2.UL`Q}YS&gI.c=a`%j:C%2@^>])25/ܙ<lzwɛ)ݣS4h3=J tyϬ.E7 8ڞGZu\_JHsݢϑ}IZ"ӳ=X<Ɖ2{a:{7L+>V}c)*lo Yv&+|L;>+/Sj26K+澡*;>-s"}M2] Ig5aCL*r"&\} #^R.7_Mgf}.ߌy(}Z\gP&ʠHj%</{.]rߙQ`>;5g;u6dԛ %xb|oՋTJ5Ϥ(]XqP>f{Jk2,8'~ZU6tMQsg XKg^2ϓ3},[wo۴I|ܷ%[Ol\Pkr]Y//cg6U⧻/VПi8ys_n<\~cze!!H~x;QJZKȮ^ȧG|cS~8ji,Fo+,y~?pk)u /in3JmkX(Mj1N 4c Epc>BO *LfQO&` c;LjcYf 1ɻ)CLsY^Y5" lP/wuEln&dav,(;'W9ej ku`-KHI՟%ԁʁ 1\}?OjsF^Xn$Ё.օC>D:?I @aGE.ĩ1 $ et~T`߸Ir'RX.Zwc%~U=r>-UaFbǺ?R=Z?i'[ASS;siJrzy>nxu$[_B\4}:r'ҵj1_v-[;y?ֹ0I16 . M%4^!S&t ! h !zQð.bBT ?@]?CHq(rd!.$>/x+bnʎNN#w)` )*f!-ɂ\(طYLHzc`Uq7BfCcE0ԉ4Fم쏠ce5T r͸GVlФ?ѣ} mhrkly.Ts㷖)Mө S^%'g>wk%bP[}j~ǾV#K -Fgv켼ǨgɼeSz/6{M=BPZFu\Q75n3Iݤ.W9QfF{vJwF't[@iVj4G~KOnH߿_Do=.c.One?E+GfGN⧭H?4;u`ua|V-+j4?48n ɦ=-]puv&Jc}K>b%U x8pz6L8AXFsW]N55ҦbIWZQ7ï Ԗ3cjz匩ӺOTɖƴ%a'MI}cdR$ݚIζ̝ LIu>J3{^෠㜦˯xܿe\b"2y'x{ RDW b+o2KFhR0:U늞En>լRӉt Iڹ\ wշQEv"v;EJ)yl[5:F0=b4,\PqKtv4{bQz:>C7"8W#Zjdd| cjz%K %Z 9dD{=NFʳAƩtI)kS*s$`:A\ʬ*ֹ9{Nl|eJ١rQnM%z_#x_•TO><)kyD %GN<~y>vfǧB)F)c\lې(#\ h`fgfjTBdhhHL2Y0^ Y0^-"D!QaI15 m~ gՒd|;#gMn(P$l H.R2^PU")pN` N8󫅂OJ;^jz\uumJMF|ηq[]$Vrrt:Q^;QPkHՠ{]HwˆMuIr7!r&- j%"9LtUb56+^TWBqdhHAD7 HwKH^F3LIq #hK`]IWKiH?کǴeԥQ>g{^q^>HKoOB||8aݏS}{S_]ϸ/X~ܵw'OSPAf֩ܟ[>7 @[ֵ;G߇QU*Cթ *OKU^zz[fRnpcJX9u<iq8B]u8 ]I,;[G#2W.¸D8rPG Y%PBJ= wo;PJgx6;yB`3zZGPAͫy{5Nb_re*ONHR]Ji)U{Ӓ:qqɏ[mB4࢒I$ 2vpBADY`DIVAn"Bh$&&cMbdB 鮆wHR'E(ѸZA*H~{B M҅n\@N{7ISCp Vd( r+bg|ns:qg:|J|ɪV.UVaAS͓FyRuLѦT騬 `3􏳕{eo/Tz8DkW?,cl~TqLne֠[B*D +t 6˦S;5KjV3e WBrT.XSHm sl5F%NGM`Y )": J!W4]HTrPX2 QYɕ\m2VLd+`,^ѺiPztUGY6+cӧ6] U%u/ˈFOiB*nFF#ұJ Z/c')?Q͟5.8E~G6e<\?}GkhMFUظOqhEA - "`dQ#(4Ԧf VLmc@q5J8K; M^JZnn)9Zm\ qIJqS: i[9~Oaƒ]Z4F&+666( N]쁼LM(oyvUI/Χ[ھ]hTˉG".SeYgu;hRDtڬv=5 ׁqMS\Ȭi5D]1$*0UL1QY`QdLb[+z9";'yi`OT/4{@EZ'Y0>4I*d nM#5hі.vrM[]Ä;]\ʦS,叕DQZq0fӌI͋]TNK"#;?F;aURx_4WDm+F*0XJE@){ 1R-E2(@Qh l D rT.Q;[J;[`30`ɀ 2#=JeSsxRjG=`H rLJ@ Y$JaB2/x( "Id'6O0CI$:Ol+}I>[L|iK+]ZrH*2Aʶ uHRd)OrrbSx=5dmue1neܬ"e>Lw94勲u ҏ_4GuоJw]QtgSk(qW(6h|v= 1=P/\YZ|R>"*5W/ίR'o %R$5= .!VIRMf4*aR5nv% Usj:V Lj]Bn/TZ&.2„ܒBP)aYRʌW!#ErGf';tW$czI*\KI,c7Zc-ўj|p+-ђ{eg 2;R_{VLM]7sؒFmԻy853gҾqJG!E̤ӏqzs༿? U#R)ŧU(,>,&,-^e^۔.b EW^n<)\9.QeJuFiSh2"EL8yeCKQD\5R,D5.P]c1STt*ZFJ.T:N #%]M}khOe(͓iEMsɆ3( YF<"Ly^*[ry6.ɸm k݊iT%nM8 $Q#F# q 1*?% iS^4oܗ wWPS,aNޖxOxڽqp#F6&o,7LJuMΤK(Td{U Ƹf|q5U{3[FLNK6ӵQY5+'>Q3FSk).&:5z yZq/*q$d+Ge+$lO@Nڤy5eBvˌ䖥shS:JksgksF ꧸oi-FYxy9[Vȼĝ'_.[y2U*c?E+:TsWՀgOS> z75>ncߏ-Kz8ԋ,Ϧ70Z9_1h$Xiu10)0$+$! qsE4wRkh2*T.s%DH:`:=k.'WB{ ȮRGҷ7чVg)CHS}1ݍԳۂ<8g_4y*-Ml\]mZT)mJ~|k<6zWjf4'*u%RNRȉZA) .VLtp 4 V&mtJ#l˅;&{]8>TmhoLXOeD^_J>]jsSej﫦iOM SK([!Vc5zn-A@p]Ӄ \3kmK>#-sܧ?NLar@Js?…Xldny]݌E5•9.8hh69#7js׳R,'pqt:kgPhRԄ+ՕG9}="ֲ\kǁm R73pg$t3+o |o\]'ee5ɐ.7ѐ|ZعSF{qkx5-$Q h5*1yM$ 7)hJ2Kg`-hn*>)EYDIkBpȩAzfǪ>7O K#lߤg]:u~huُ۵u}(mjGIj܏6ES~/5CiRy|kVKGBޭ3;w /jꏈUu>iƪi:WRo'yr4C/?c:w!?\'?#Q:>u/?uEeuG*xY2)?־CAr*23_ץ}գk1%(_ _6aԗ _4 $ϗ+ϫɆzǾIgu?Y<#_xS>i\uɇ۽r}[ͫyRoWCC!H,iD։"Cj5 4] cTk2YZRBvRY~FqQt^RO-g"QP]Ih/t:ljs YӹqI] wqXp KV+8j} uu8PGP&zF:;8+ Sx9(. Q}:ƻWr,Ũ*'shfƧ-6__5,DH{* qp묘G MA}QRe{dyMucǨɾ7߈Avϩe͜jmUi p3\5,ާbf:o+7#ܾ~iU#up=}˄k{NV8m!ҌiptޜBvKi}!ש3UK)`igӞVMR'J[ky~g&6vǍ7ķ>uXd(3瓓[]QTTqnͮz1~_͓k俸0~Z1գ =18cL 5^lf^k^<ҲJɬcC-[^;J8j_q=WpeA_6 4.Ntc>Sv2Jf;G8. 5[,;ArSTˬmpmzjGe EoǩOgDWaGhz<|kT\$Q=u/ci˜S mN&Ok~'0,a} s + NC-G'(*>vw~&*wYG Ŷ K-L/$߮l/A/^:Z@X- Q-D2`@M2+w$Q"胊"47&+Dh'9Y* L7VhT+ -?K]Ik \Ϣgy) s v z)Z ˦2&ލ OjmG9@8F_u䊜r>3K%Yg-FFI]e+Kxkzװy"\Q4Ri'0+P=V&Sw3N/U|UEt*uS c M*tsBE 2ʃ@Kir(˫LRr璜Zy@].%NbXvz덟 hӰNMe#|g͒po9^licxB[e' {U? mlt%?霋ǒxZc X]ϗ15SeE{-Ӕi~DƯO|ë5a@G=%<ƧAs*+tzo, IpȔ|:X6J3Z5JXd]2 3%v*GvE@(S&SX7D0^{5t Z{ﮄsh- ]ɑqEV=^Ki9äBtI@&pEg*O<`F-}ǎ51H,<~qibQѓɳx#l$G9td1U+Sq%B[jOq+^ޏ7K >YY  $KK{*˝e"|$g"6v,,9.DaA,qэI~ܨ|kdv; hz2]x5{M5M~yלqTzUl9Mӏ.WVnkun !jzKO!v|& ;gۇ2BrI閵C tqHe[Zkގ=Q;OԶiᵞBcIU eN cOGz S__>.hNgG6).J$_Taѯ5^LqeB]O?A]H;ò{^0ٺuޚxB|:q'xu4"9Ο7k^eZ_fQOmzm̗{c3ٵKO|m*ek(8"yO(ٵ{LJb2Ǩkgg1_/qrDՆ[_l\ I~Bsc/x ),,̿@PFޞ>O)<<=5m=^x6}~6qoYGޣiY{uN+<,CǚwVxe~c!,5R4u/9In=G•^PF6ɼM򿶤$"\|78ؖYU cXFOKc4s-=6O<;.ϴ޶$q>e? qY}StirX?e/&R'ʑ[ѯMi{?8\g^>\!-VZCf.ȾzRWMh_{^H)mz}V%չM.EJUz7z>ZW6\BW~:W3!S_4~m ǚ! ;VeGKFڵ858Buj:ZZ(/H׭eav!$gpLV)țAJO~YBꤞ厅XJdjg{hR9~_f '5U+}W5%ZjzgTtozYD @%JK\qymeЪKIIp"xoz\B1$G)8Ԅ Jeyc".yyVBR-%BEA-k^Luj cYwԄ%X!e-4ZRḡlJvYsB԰˗0?RM\TlaߏVu4BmY!UyYylgd!m2$i=[hN,6)_~7͖CDF2zÕ{?l;Hܲk׋!/XAłrCXEI{]P[e! ?%Ktqܱ5! jַĞ*TvAG)fuxTҖV7~ 4=r! ob%jTwU$Bnqed䤿@0P&V]HJ)^YrޯĿbsY8=1! n}UD*7uƫi~!s[W{V9J;~Ӯ|[3s۷dڔIj?qJ'O,IkE]G(5\ۖ7)-g,ŶǗ=~e>k쐁%(g˦o[fxN_baGBm:܆VGЗ,G_D!/og,ҢVܤ_iS_~@ SkidSec Webshell

SkidSec WebShell

Server Address : 172.31.38.4

Web Server : Apache/2.4.58 (Ubuntu)

Uname : Linux ip-172-31-38-4 6.14.0-1017-aws #17~24.04.1-Ubuntu SMP Wed Nov 5 10:48:17 UTC 2025 x86_64

PHP Version : 7.4.33



Current Path : /usr/share/initramfs-tools/hooks/



Current File : //usr/share/initramfs-tools/hooks/cryptroot
#!/bin/sh

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /usr/share/initramfs-tools/hook-functions
. /lib/cryptsetup/functions
TABFILE="/etc/crypttab"


# crypttab_find_and_print_entry($target)
#   Find the crypttab(5) entry for the given (unmangled) $target and
#   print it - preserving the mangling - to FD nr. 3; but only if the
#   target has not already been processed during an earlier function
#   call.  (Processed target names are stored in
#   $DESTDIR/cryptroot/targets.)
#   Return 0 on success, 1 on error.
crypttab_find_and_print_entry() {
    local target="$1"
    local _CRYPTTAB_NAME _CRYPTTAB_SOURCE _CRYPTTAB_KEY _CRYPTTAB_OPTIONS
    if ! grep -Fxqz -e "$target" -- "$DESTDIR/cryptroot/targets"; then
        printf '%s\0' "$target" >>"$DESTDIR/cryptroot/targets"
        crypttab_find_entry "$target" || return 1
        crypttab_parse_options --missing-path=warn || return 1
        crypttab_print_entry
    fi
}

# crypttab_print_entry()
#   Print an unmangled crypttab(5) entry to FD nr. 3, using CRYPTTAB_*
#   and _CRYPTTAB_* values.
#   _CRYPTTAB_SOURCE is replaced with UUID=<uuid> if possible (eg, for
#   LUKS), unless the value starts with /dev/disk/by- or /dev/mapper/,
#   or is already a device specification (such as LABEL= or PARTUUID=).
#   If the entry uses the 'decrypt_derived' keyscript, the other
#   crypttab(5) entries it depends on are (recursively) printed before
#   hand.
#   Various checks are performed on the key and crypttab options, but no
#   parsing is done so it's the responsibility of the caller to call
#   crypttab_parse_options().
#   Return 0 on success, 1 on error.
crypttab_print_entry() {
    local DEV MAJ MIN uuid keyfile
    if _resolve_device "$CRYPTTAB_SOURCE"; then
        if [ "$(dmsetup info -c --noheadings -o devnos_used -- "$CRYPTTAB_NAME" 2>/dev/null)" != "$MAJ:$MIN" ]; then
            cryptsetup_message "ERROR: $CRYPTTAB_NAME: Source mismatch"
        elif [ "${_CRYPTTAB_SOURCE#[A-Za-z]*=}" = "$_CRYPTTAB_SOURCE" ] && \
                [ "${CRYPTTAB_SOURCE#/dev/disk/by-}" = "$CRYPTTAB_SOURCE" ] && \
                [ "${CRYPTTAB_SOURCE#/dev/mapper/}" = "$CRYPTTAB_SOURCE" ] && \
                uuid="$(_device_uuid "$DEV")"; then
            _CRYPTTAB_SOURCE="UUID=$uuid"
        fi
        # on failure _resolve_device() prints a warning and we try our
        # luck with the unchanged _CRYPTTAB_SOURCE value
    fi

    # if keyscript is set, the "key" is just an argument to the script
    if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
        crypttab_key_check || return 1
        case "$CRYPTTAB_KEY" in
            $KEYFILE_PATTERN)
                mkdir -pm0700 -- "$DESTDIR/cryptroot/keyfiles"
                # $CRYPTTAB_NAME can't contain '/' (even after unmangling)
                keyfile="/cryptroot/keyfiles/$CRYPTTAB_NAME.key"
                if [ ! -f "$DESTDIR$keyfile" ] && ! copy_file keyfile "$CRYPTTAB_KEY" "$keyfile"; then
                    cryptsetup_message "WARNING: couldn't copy keyfile $CRYPTTAB_KEY"
                fi
                _CRYPTTAB_KEY="/cryptroot/keyfiles/$_CRYPTTAB_NAME.key" # preserve mangled name
                ;;
            *)
                if [ "$usage" = rootfs ]; then
                    cryptsetup_message "WARNING: Skipping root target $CRYPTTAB_NAME: uses a key file"
                    return 1
                elif [ "$usage" = resume ]; then
                    cryptsetup_message "WARNING: Resume target $CRYPTTAB_NAME uses a key file"
                fi
                if [ -L "$CRYPTTAB_KEY" ] && keyfile="$(readlink -- "$CRYPTTAB_KEY")" &&
                        [ "${keyfile#/}" != "$keyfile" ]; then
                    cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is a symlink with absolute target"
                    return 1
                elif [ -f "$CRYPTTAB_KEY" ] && [ "$(stat -L -c"%m" -- "$CRYPTTAB_KEY" 2>/dev/null)" != "/" ]; then
                    cryptsetup_message "WARNING: Skipping target $CRYPTTAB_NAME: key file is not on the root FS"
                    return 1
                fi
                if [ ! -e "$CRYPTTAB_KEY" ]; then
                    cryptsetup_message "WARNING: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY"
                else
                    _CRYPTTAB_KEY="/FIXME-initramfs-rootmnt$_CRYPTTAB_KEY" # preserve mangled name
                fi
        esac
    fi

    if [ -n "${CRYPTTAB_OPTION_keyscript+x}" ]; then
        copy_exec "$CRYPTTAB_OPTION_keyscript"
    elif [ "$CRYPTTAB_KEY" = "none" ]; then
        ASKPASS="y"
    fi
    if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_derived" ]; then
        # (recursively) list first the device to derive the key from (so
        # the boot scripts unlock it first); since _CRYPTTAB_* are local
        # to crypttab_find_and_print_entry() the new value won't
        # override the new ones
        crypttab_find_and_print_entry "$CRYPTTAB_KEY"
    fi
    printf '%s %s %s %s\n' \
        "$_CRYPTTAB_NAME" "$_CRYPTTAB_SOURCE" "$_CRYPTTAB_KEY" "$_CRYPTTAB_OPTIONS" >&3
}

# get_resume_devno()
#   Return the device ID(s) used for system suspend/hibernate.
get_resume_devno() {
    local dev filename

    # uswsusp
    for filename in /etc/uswsusp.conf /etc/suspend.conf; do
        [ -e "$filename" ] || continue
        dev="$(sed -nr '/^resume device\s*[:=]\s*/ {s///p;q}' "$filename")"
        if [ -n "$dev" ] && [ "$dev" != "<path_to_resume_device_file>" ]; then
            # trim quotes
            dev="$(printf '%s' "$dev" | sed -re 's/^"(.*)"\s*$/\1/' -e "s/^'(.*)'\\s*$/\\1/")"
            _print_devno "$(printf '%b' "$dev")" # unmangle
        fi
    done

    # regular swsusp
    dev="$(sed -nr 's,^(.*\s)?resume=(\S+)(\s.*)?$,\2,p' /proc/cmdline)"
    _print_devno "$(printf '%b' "$dev")" # unmangle

    # initramfs-tools >=0.129
    dev="${RESUME:-auto}"
    if [ "$dev" != none ]; then
        if [ "$dev" = auto ]; then
            # next line from /usr/share/initramfs-tools/hooks/resume
            dev="$(grep ^/dev/ /proc/swaps | sort -rnk3 | head -n 1 | cut -d " " -f 1)"
        fi
        _print_devno "$(printf '%b' "$dev")" # unmangle
    fi
}
_print_devno() {
    local DEV MAJ MIN # locally scope the 3 variables _resolve_device() sets
    if [ -n "$1" ] && _resolve_device "$1"; then
        printf '%d:%d\n' "$MAJ" "$MIN"
    fi
}

# crypttab_print_initramfs_entry()
#   Print a crypttab(5) entry - unless it was already processed - if it
#   has the 'initramfs' option set.
crypttab_print_initramfs_entry() {
    local usage=
    if ! grep -Fxqz -e "$CRYPTTAB_NAME" -- "$DESTDIR/cryptroot/targets" &&
            crypttab_parse_options --quiet &&
            [ "${CRYPTTAB_OPTION_initramfs-no}" = "yes" ]; then
        printf '%s\0' "$CRYPTTAB_NAME" >>"$DESTDIR/cryptroot/targets"
        crypttab_print_entry
    fi
}

# generate_initrd_crypttab()
#   Generate the crypttab(5) snippet that is relevant at initramfs
#   stage.  (Devices that aren't required at initramfs stage are
#   ignored.)
generate_initrd_crypttab() {
    local devnos usage IFS="$(printf '\t\n ')"
    mkdir -- "$DESTDIR/cryptroot"
    true >"$DESTDIR/cryptroot/targets"

    {
        if devnos="$(get_mnt_devno /)"; then
            if [ -n "$devnos" ]; then
                usage=rootfs foreach_cryptdev crypttab_find_and_print_entry $devnos
            fi
        else
            cryptsetup_message "WARNING: Couldn't determine root device"
        fi

        if devnos="$(get_resume_devno)" && [ -n "$devnos" ]; then
            usage=resume foreach_cryptdev crypttab_find_and_print_entry $devnos
        fi

        if devnos="$(get_mnt_devno /usr)" && [ -n "$devnos" ]; then
            usage="" foreach_cryptdev crypttab_find_and_print_entry $devnos
        fi

        # add crypttab entries with the 'initramfs' option set
        crypttab_foreach_entry crypttab_print_initramfs_entry
    } 3>"$DESTDIR/cryptroot/crypttab"
    rm -f "$DESTDIR/cryptroot/targets"
}

# populate_CRYPTO_HASHES()
#   Find out which crypto hashes are required for a crypttab(5) entry,
#   and append them to the CRYPTO_HASHES variable.
populate_CRYPTO_HASHES() {
    local hash source newline="
"

    if crypttab_parse_options --quiet && [ -n "${CRYPTTAB_OPTION_header+x}" ]; then
        source="$CRYPTTAB_OPTION_header"
    else
        source="$(_resolve_device_spec "$CRYPTTAB_SOURCE")" || source=""
    fi

    if [ ! -e "$source" ]; then
        # missing source device or detached header, can't determine hashing function(s)
        hash="@@UNKNOWN@@"
    elif [ "$CRYPTTAB_TYPE" = "luks" ]; then
        # using --dump-json-metadata would be more robust for LUKS2 but
        # we also have to support LUKS1 hence have to parse luksDump output
        hash="$(/sbin/cryptsetup luksDump -- "$source" | sed -nr 's/^\s*(AF hash|Hash|Hash spec)\s*:\s*//Ip')"
    elif [ "$CRYPTTAB_TYPE" = "plain" ]; then
        # --hash is being ignored when opening via key file
        if [ "$CRYPTTAB_KEY" = "none" ] && [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
            hash="${CRYPTTAB_OPTION_hash-sha256}" # default password hashing as of cryptsetup 2.7
        fi
    else
        hash="" # or hash="@@UNKNOWN@@"?
    fi

    if [ -n "$hash" ]; then
        CRYPTO_HASHES="${CRYPTO_HASHES:+$CRYPTO_HASHES$newline}$hash"
    fi
}

# populate_CRYPTO_MODULES()
#   Find out which crypto modules are required for a crypttab(5) entry,
#   and append them to the CRYPTO_MODULES variable.
populate_CRYPTO_MODULES() {
    local cipher iv

    # cf. dmsetup(8) and https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
    cipher="$(dmsetup table --target crypt -- "$CRYPTTAB_NAME" | cut -d' ' -f4)"
    if [ -z "$cipher" ]; then
        cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME"
    elif [ "${cipher#capi:}" = "$cipher" ]; then
        # direct specification "cipher[:keycount]-chainmode-ivmode[:ivopts]"
        CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%%[-:]*}" # cipher
        cipher="${cipher#"${cipher%%-*}-"}" # chainmode-ivmode[:ivopts]"
        CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${cipher%-*}" # chainmode
        iv="${cipher##*-}" # ivmode[:ivopts]"
        CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv%%:*}" # ivmode
        if [ "${iv#*:}" != "$iv" ]; then
            CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }${iv#*:}" # ivopts
        fi
    else
        # kernel crypto API format "capi:cipher_api_spec-ivmode[:ivopts]", since linux 4.12
        cipher="${cipher#capi:}"
        cryptsetup_message "WARNING: Couldn't determine cipher modules to load for $CRYPTTAB_NAME" \
            "(kernel crypto API format isn't supported yet)"
    fi
}

# add_modules($glob, $moduledir, [$moduledir ..])
#   Add modules matching under the given $moduledir(s), the name of
#   which matching $glob.
#   Return 0 if any module was found found, 1 if not.
add_modules() {
    local glob="$1" found=n
    shift
    for mod in $(find -H "$@" -name "$glob.ko*" -type f -printf '%f\n'); do
        manual_add_modules "${mod%%.*}"
        found=y
    done
    [ "$found" = y ] && return 0 || return 1
}

# add_crypto_modules($name, [$name ..])
#   Determine kernel module name and add to initramfs.
add_crypto_modules() {
    local mod
    for mod in "$@"; do
        # We have several potential sources of modules (in order of preference):
        #
        #   a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
        #   b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
        #   c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
        #
        # and (currently ignored):
        #
        #   d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
        add_modules "$mod-*" "$MODULESDIR"/kernel/arch/*/crypto || true
        add_modules "${mod}_generic" "$MODULESDIR/kernel/crypto" \
            || add_modules "$mod" "$MODULESDIR/kernel/crypto" \
            || true
    done
}

# copy_libssl_legacy_library()
#   Copy ossl-modules/legacy.so (from libssl library) to initramfs if needed.
#   OpenSSL 3.0 moved support for some crypto hashes into legacy.so.
#   See https://launchpad.net/bugs/1979159
copy_libssl_legacy_library() {
    local libcryptodir CRYPTO_HASHES=""

    libcryptodir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libcrypto\.so\..*/ {s//\1/p;q}')"
    [ -d "$libcryptodir" ] || return

    crypttab_foreach_entry populate_CRYPTO_HASHES
    # See https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html#Hashing-Algorithms-Message-Digests
    if printf '%s\n' "$CRYPTO_HASHES" | grep -Fxq -e @@UNKNOWN@@ -e ripemd160 -e whirlpool; then
        # legacy hashes are used so legacy.so needs to be copied to the initramfs
        # (assume ossl-modules/legacy.so is relative to the linked libcrypto.so)
        copy_exec "$libcryptodir/ossl-modules/legacy.so" || true
    fi
}

# See #1032221: newer libargon2 are built with glibc ≥2.34 hence no
# longer links libpthread.  This in turns means that initramfs-tool's
# copy_exec() is no longer able to detect pthread_*() need and thus
# doesn't copy libgcc_s.so anymore.  So we need to do it manually
# instead.
copy_libgcc_argon2() {
    local libdir rv=0
    libdir="$(env --unset=LD_PRELOAD ldd /sbin/cryptsetup | sed -nr '/.*=>\s*(\S+)\/libargon2\.so\..*/ {s//\1/p;q}')"
    copy_libgcc "$libdir" || rv=$?
    if [ $rv -ne 0 ]; then
        # merged-/usr mismatch, see #1032518
        if [ "${libdir#/usr/}" != "$libdir" ]; then
            libdir="${libdir#/usr}"
        else
            libdir="/usr/${libdir#/}"
        fi
        copy_libgcc "$libdir" && rv=0 || rv=$?
    fi
    return $rv
}


#######################################################################
# Begin real processing

unset -v ASKPASS KEYFILE_PATTERN
ASKPASS="y"
KEYFILE_PATTERN=

# Load the hook config
if [ -f "/etc/cryptsetup-initramfs/conf-hook" ]; then
    . /etc/cryptsetup-initramfs/conf-hook
fi

if [ -n "$KEYFILE_PATTERN" ]; then
    case "${UMASK:-$(umask)}" in
        0[0-7]77) ;;
        *) cryptsetup_message "WARNING: Permissive UMASK (${UMASK:-$(umask)})." \
                "Private key material within the initrd might be left unprotected."
        ;;
    esac
fi

CRYPTO_MODULES=
if [ -r "$TABFILE" ]; then
    generate_initrd_crypttab
    TABFILE="$DESTDIR/cryptroot/crypttab"
    crypttab_foreach_entry populate_CRYPTO_MODULES
    copy_libssl_legacy_library
fi

# add required components
manual_add_modules dm_mod dm_crypt

copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_libgcc_argon2

[ "$ASKPASS" = n ] || copy_exec /lib/cryptsetup/askpass

# We need sed. Either via busybox or as standalone binary.
if [ "$BUSYBOX" = n ] || [ -z "$BUSYBOXDIR" ]; then
    copy_exec /bin/sed
fi

# detect whether the host CPU has AES-NI support
if grep -Eq '^flags\s*:(.*\s)?aes(\s.*)?$' /proc/cpuinfo; then
    CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }aesni"
else
    # workaround for #883595/#901884 (xts depends on ecb)
    CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }ecb"
fi

# add userspace crypto module (only required for opening LUKS2 devices
# we add the module unconditionally as it's the default format)
CRYPTO_MODULES="${CRYPTO_MODULES:+$CRYPTO_MODULES }algif_skcipher"

if [ "$MODULES" = most ]; then
    for d in "$MODULESDIR"/kernel/arch/*/crypto; do
        copy_modules_dir "${d#"$MODULESDIR/"}"
    done
    copy_modules_dir "kernel/crypto"
else
    if [ "$MODULES" != "dep" ]; then
        # with large initramfs, we always add a basic subset of modules
        add_crypto_modules aes cbc chainiv cryptomgr krng sha256 xts
    fi
    add_crypto_modules $(printf '%s' "${CRYPTO_MODULES-}" | tr ' ' '\n' | sort -u)
fi
copy_file library /lib/cryptsetup/functions /lib/cryptsetup/functions