initram: support for encrypted apkovls

initramfs-init

@@ -64,6 +64,34 @@ retry_mount() {
 	return 1
 }
 
+unpack_apkovl() {
+	local ovl="$1"
+	local dest="$2"
+	local suffix=${ovl##*.}
+	local i
+	if [ "$suffix" = "gz" ]; then
+		tar -C "$dest" -zxf "$ovl"
+		return $?
+	fi
+
+	for i in $ALPINE_MNT/*/*/openssl-[0-9]*.apk $ALPINE_MNT/*/openssl-[0-9]*.apk; do
+		[ -f "$i" ] && tar -C / -zxf $i && break
+	done
+
+	if ! openssl list-cipher-commands | grep "^$suffix$" > /dev/null; then
+		errstr="Cipher $suffix is not supported"
+		return 1
+	fi
+	local count=0
+	echo ""
+	while [ $count -lt 3 ]; do
+		openssl enc -d -$suffix -in "$ovl" | tar -C "$dest" -zx \
+			2>/dev/null && return 0
+		count=$(( $count + 1 ))
+	done
+	return 1
+}
+
 # gotta start from somewhere :)
 echo "Alpine Init $VERSION"
 
@@ -222,8 +250,8 @@ fi
 
 if [ -f "$ovl" ]; then
 	ebegin "Loading user settings from $ovl"
-	tar -C $NEWROOT -zxf "$ovl"
-	eend $?
+	unpack_apkovl "$ovl" $NEWROOT
+	eend $? $errstr
 	umount /media/$i 2>/dev/null &
 	pkgs=$(sed 's/\#.*//' $NEWROOT/etc/lbu/packages.list 2>/dev/null)
 fi