zfsencryptssh: support non bootfs datasets

7 years ago · 106f3de2e1
parent 7409c01a82
commit 106f3de2e1
2 changed files with 25 additions and 16 deletions
--- a/src/zfs-utils/zfs-utils.initcpio.hook
+++ b/src/zfs-utils/zfs-utils.initcpio.hook
@ -36,15 +36,22 @@ zfs_decrypt_fs() {

    # check if key is already loaded
    [ "$(zfs get -H -o value keystatus "${dataset}")" != "available" ] || return 0
-    
+
    # get the encryption root
    encryptionroot=$(zfs get -H -o value encryptionroot "${dataset}")

+    # export encription root to be used by other hooks (SSH)
+    echo "${encryptionroot}" > /.encryptionroot
+
    # loop until we get the correct password or key is unlocked by another vector (SSH for instance)
    while [ "$(zfs get -H -o value keystatus "${encryptionroot}")" != "available" ] &&
      ! eval zfs load-key "${encryptionroot}"; do
        sleep 2
    done
+
+    if [ -f /.encryptionroot ]; then
+        rm /.encryptionroot
+    fi
 }

 zfs_mount_handler () {
--- a/src/zfs-utils/zfs-utils.initcpio.zfsencryptssh.install
+++ b/src/zfs-utils/zfs-utils.initcpio.zfsencryptssh.install
@ -1,28 +1,30 @@
 #!/bin/bash

 make_etc_passwd() {
-    echo 'root:x:0:0:root:/root:/bin/bash' > "${BUILDROOT}"/etc/passwd
-    echo '/bin/bash' > "${BUILDROOT}"/etc/shells
+    echo 'root:x:0:0:root:/root:/bin/zfsdecrypt_shell' > "${BUILDROOT}"/etc/passwd
+    echo '/bin/zfsdecrypt_shell' > "${BUILDROOT}"/etc/shells
 }

-make_profile() {
-    profile_file='# get bootfs (dataset must have bootfs flag set to work)
-dataset=$(zpool list -H -o bootfs)
-# source zfs hook functions
-. /hooks/zfs
-# decrypt bootfs
-zfs_decrypt_fs $dataset
-# kill pending decryption attempt to allow the boot process to continue
-killall zfs
-# exit properly
-exit'
-    printf '%s' "$profile_file" > "${BUILDROOT}"/root/.profile
+make_zfsdecrypt_shell() {
+    decrypt_shell='#!/bin/sh
+if [ -f "/.encryptionroot" ]; then
+    # source zfs hook functions
+    . /hooks/zfs
+    # decrypt bootfs
+    zfs_decrypt_fs "$(cat /.encryptionroot)"
+    # kill pending decryption attempt to allow the boot process to continue
+    killall zfs
+else
+    echo "ZFS is not ready yet. Please wait!"
+fi'
+    printf '%s' "$decrypt_shell" > "${BUILDROOT}"/bin/zfsdecrypt_shell
+    chmod a+x "${BUILDROOT}"/bin/zfsdecrypt_shell
 }

 build ()
 {
    make_etc_passwd
-    make_profile
+    make_zfsdecrypt_shell
 }

 help ()