commit: 9ae0c9752add3ff79c0eeedbe8f2d6c8aae6b6fe |
Author: Georgy Yakovlev <gyakovlev <AT> gentoo <DOT> org> |
AuthorDate: Tue Feb 26 00:22:32 2019 +0000 |
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org> |
CommitDate: Tue Feb 26 00:22:32 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=9ae0c975 |
|
Add basic zfs encryption support |
|
This very simple implementation only supports passphrase. |
|
It does not affect booting encryption-unaware zfs, since |
'zpool list -H -o feature@encryption ...' will return 0 |
on systems where zfs userland utils do not support encryption. |
|
Closes: https://bugs.gentoo.org/show_bug.cgi?id=657374 |
Signed-off-by: Georgy Yakovlev <gyakovlev <AT> gentoo.org> |
|
defaults/linuxrc | 27 ++++++++++++++++++++++++--- |
1 file changed, 24 insertions(+), 3 deletions(-) |
|
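diff --git a/defaults/linuxrc b/defaults/linuxrc
index 0776423..880d668 100644
--- a/defaults/linuxrc
+++ b/defaults/linuxrc
@@ -639,11 +639,32 @@ do
 prompt_user "REAL_ROOT" "root block device"
 got_good_root=0
 
- # Check for a block device or /dev/nfs
+ # Check for a block device or /dev/nfs or zfs encryption
 elif [ -b "${REAL_ROOT}" ] || [ "${REAL_ROOT}" = "/dev/nfs" ] || [ "${ROOTFSTYPE}" = "zfs" ]
 then
- got_good_root=1
-
+ if [ "${ROOTFSTYPE}" = "zfs" ]; then
+ # at this point we determined dataset and are ready to mount
+ # let's check if this dataset is encrypted and ask for passphrase
+ if [ "$(zpool list -H -o feature@encryption "${REAL_ROOT%%/*}")" = 'active' ]; then
+ ZFS_KEYSTATUS="$(zfs get -H -o value keystatus "${REAL_ROOT}")"
+ ZFS_ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${REAL_ROOT}")"
+ if ! [ "${ZFS_ENCRYPTIONROOT}" = '-' ] || [ "${ZFS_KEYSTATUS}" = 'available' ]; then
+ good_msg "Detected ZFS encryption, asking for key"
+ zfs load-key "${ZFS_ENCRYPTIONROOT}"
+ retval=$?
+ # if the key loaded fine, confirm got_good_root to exit second while loop
+ if [ ${retval} -eq 0 ]; then
+ got_good_root=1
+ else
+ bad_msg "${ROOT_DEV} is encrypted and not mountable without key"
+ prompt_user "REAL_ROOT" "root block device"
+ got_good_root=0
+ fi
+ fi
+ fi
+ else
+ got_good_root=1
+ fi
 else
 bad_msg "Block device ${REAL_ROOT} is not a valid root device..."
 REAL_ROOT=""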
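Review bot: In the new `zfs` branch `got_good_root=1` is reached only after a successful `zfs load-key`, so from the visible lines a ZFS root on a pool whose `feature@encryption` is not `active`, or an unencrypted dataset on a pool where it is, never gets a good root through this branch, which contradicts the commit message's claim about encryption-unaware systems. The guard `! [ "${ZFS_ENCRYPTIONROOT}" = '-' ] || [ "${ZFS_KEYSTATUS}" = 'available' ]` also looks inverted: it asks for the key when the key is already available, where `zfs load-key` would presumably fail and re-prompt, while the intent reads as "encryption root set and key not yet available". The failure message prints `${ROOT_DEV}`, which is not set anywhere in the hunk, whereas every other line uses `${REAL_ROOT}`. The enclosing loop starts and ends outside the hunk, so whether `got_good_root` is set elsewhere should be confirmed.

```shell
if [ "${ROOTFSTYPE}" = "zfs" ]; then
	# a zfs root is usable unless a required key fails to load
	got_good_root=1
	if [ "$(zpool list -H -o feature@encryption "${REAL_ROOT%%/*}")" = 'active' ]; then
		# … unchanged: ZFS_KEYSTATUS and ZFS_ENCRYPTIONROOT lookups …
		if [ "${ZFS_ENCRYPTIONROOT}" != '-' ] && [ "${ZFS_KEYSTATUS}" != 'available' ]; then
			good_msg "Detected ZFS encryption, asking for key"
			if ! zfs load-key "${ZFS_ENCRYPTIONROOT}"; then
				bad_msg "${REAL_ROOT} is encrypted and not mountable without key"
				prompt_user "REAL_ROOT" "root block device"
				got_good_root=0
			fi
		fi
	fi
else
	got_good_root=1
fi
```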