From 106f3de2e1ad0858e9a542074c9916975a53d1fa Mon Sep 17 00:00:00 2001
From: Jan Houben
Date: Sat, 11 Aug 2018 17:08:53 +0200
Subject: [PATCH] zfsencryptssh: support non bootfs datasets
---
 src/zfs-utils/zfs-utils.initcpio.hook | 9 +++++-
 .../zfs-utils.initcpio.zfsencryptssh.install | 32 ++++++++++---------
 2 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/src/zfs-utils/zfs-utils.initcpio.hook b/src/zfs-utils/zfs-utils.initcpio.hook
index 2cb8002..35643a6 100644
--- a/src/zfs-utils/zfs-utils.initcpio.hook
+++ b/src/zfs-utils/zfs-utils.initcpio.hook
@@ -36,15 +36,22 @@ zfs_decrypt_fs() {
 # check if key is already loaded
 [ "$(zfs get -H -o value keystatus "${dataset}")" != "available" ] || return 0
-
+
 # get the encryption root
 encryptionroot=$(zfs get -H -o value encryptionroot "${dataset}")
+ # export encription root to be used by other hooks (SSH)
+ echo "${encryptionroot}" > /.encryptionroot
+
 # loop until we get the correct password or key is unlocked by another vector (SSH for instance)
 while [ "$(zfs get -H -o value keystatus "${encryptionroot}")" != "available" ] && ! eval zfs load-key "${encryptionroot}"; do
 sleep 2
 done
+
+ if [ -f /.encryptionroot ]; then
+ rm /.encryptionroot
+ fi
 }
 zfs_mount_handler () {
diff --git a/src/zfs-utils/zfs-utils.initcpio.zfsencryptssh.install b/src/zfs-utils/zfs-utils.initcpio.zfsencryptssh.install
index 4d64f4c..e0ef04b 100644
--- a/src/zfs-utils/zfs-utils.initcpio.zfsencryptssh.install
+++ b/src/zfs-utils/zfs-utils.initcpio.zfsencryptssh.install
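Review bot: The new `echo "${encryptionroot}" > /.encryptionroot` runs before the value is checked, so if the preceding `zfs get` fails an empty marker is published and the SSH-shell side would call `zfs_decrypt_fs` with an empty name; add `[ -n "${encryptionroot}" ] || return 1` ahead of the `echo`. The trailing `if [ -f /.encryptionroot ]; then rm ...; fi` can be the single line `rm -f -- /.encryptionroot`, which also covers the marker having already been removed by the SSH shell's own `zfs_decrypt_fs` call, presumably the reason for the guard. The comment on the echo line has a typo: `# export encryption root to be used by other hooks (SSH)`. `zfs_decrypt_fs` begins above this hunk.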
@@ -1,28 +1,30 @@
 #!/bin/bash
 make_etc_passwd() {
- echo 'root:x:0:0:root:/root:/bin/bash' > "${BUILDROOT}"/etc/passwd
- echo '/bin/bash' > "${BUILDROOT}"/etc/shells
+ echo 'root:x:0:0:root:/root:/bin/zfsdecrypt_shell' > "${BUILDROOT}"/etc/passwd
+ echo '/bin/zfsdecrypt_shell' > "${BUILDROOT}"/etc/shells
 }
-make_profile() {
- profile_file='# get bootfs (dataset must have bootfs flag set to work)
-dataset=$(zpool list -H -o bootfs)
-# source zfs hook functions
-. /hooks/zfs
-# decrypt bootfs
-zfs_decrypt_fs $dataset
-# kill pending decryption attempt to allow the boot process to continue
-killall zfs
-# exit properly
-exit'
- printf '%s' "$profile_file" > "${BUILDROOT}"/root/.profile
+make_zfsdecrypt_shell() {
+ decrypt_shell='#!/bin/sh
+if [ -f "/.encryptionroot" ]; then
+ # source zfs hook functions
+ . /hooks/zfs
+ # decrypt bootfs
+ zfs_decrypt_fs "$(cat /.encryptionroot)"
+ # kill pending decryption attempt to allow the boot process to continue
+ killall zfs
+else
+ echo "ZFS is not ready yet. Please wait!"
+fi'
+ printf '%s' "$decrypt_shell" > "${BUILDROOT}"/bin/zfsdecrypt_shell
+ chmod a+x "${BUILDROOT}"/bin/zfsdecrypt_shell
 }
 build () {
 make_etc_passwd
- make_profile
+ make_zfsdecrypt_shell
 }
 help ()
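Review bot: In the generated `zfsdecrypt_shell`, `$(cat /.encryptionroot)` is evaluated after the `-f` test, so if the console hook removes the marker in between (it does so as soon as the key becomes available) `zfs_decrypt_fs` is called with an empty argument; read the value once and check it, `encryptionroot=$(cat /.encryptionroot 2>/dev/null)` followed by `[ -n "$encryptionroot" ] || exit 0`, before sourcing `/hooks/zfs`. Because the script is now root's login shell in the initramfs, a header comment after the shebang would document the contract: `# Login shell for root in the initramfs: performs the fixed decrypt step and exits; arguments (e.g. from "ssh host cmd") are ignored, so no interactive shell is reachable.` The script references no positional parameters, which is what makes that statement hold. The `help ()` definition that follows `build` continues outside the hunk.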