
From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/genkernel:master commit in: defaults/
Date: Thu, 28 Feb 2019 06:40:34
Message-Id: 1551140552.9ae0c9752add3ff79c0eeedbe8f2d6c8aae6b6fe.robbat2@gentoo
1 commit: 9ae0c9752add3ff79c0eeedbe8f2d6c8aae6b6fe
2 Author: Georgy Yakovlev <gyakovlev <AT> gentoo <DOT> org>
3 AuthorDate: Tue Feb 26 00:22:32 2019 +0000
4 Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
5 CommitDate: Tue Feb 26 00:22:32 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=9ae0c975
7
8 Add basic zfs encryption support
9
10 This very simple implementation only supports passphrase.
11
12 It does not affect booting encryption-unaware zfs, since
13 'zpool list -H -o feature <AT> encryption ...' will return 0
14 on systems where zfs userland utils do not support encryption.
15
16 Closes: https://bugs.gentoo.org/show_bug.cgi?id=657374
17 Signed-off-by: Georgy Yakovlev <gyakovlev <AT> gentoo.org>
18
19 defaults/linuxrc | 27 ++++++++++++++++++++++++---
20 1 file changed, 24 insertions(+), 3 deletions(-)
21
22 diff --git a/defaults/linuxrc b/defaults/linuxrc
23 index 0776423..880d668 100644
24 --- a/defaults/linuxrc
25 +++ b/defaults/linuxrc
26 @@ -639,11 +639,32 @@ do
27 prompt_user "REAL_ROOT" "root block device"
28 got_good_root=0
29
30 - # Check for a block device or /dev/nfs
31 + # Check for a block device or /dev/nfs or zfs encryption
32 elif [ -b "${REAL_ROOT}" ] || [ "${REAL_ROOT}" = "/dev/nfs" ] || [ "${ROOTFSTYPE}" = "zfs" ]
33 then
34 - got_good_root=1
35 -
36 + if [ "${ROOTFSTYPE}" = "zfs" ]; then
37 + # at this point we determined dataset and are ready to mount
38 + # let's check if this dataset is encrypted and ask for passphrase
39 + if [ "$(zpool list -H -o feature@encryption "${REAL_ROOT%%/*}")" = 'active' ]; then
40 + ZFS_KEYSTATUS="$(zfs get -H -o value keystatus "${REAL_ROOT}")"
41 + ZFS_ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${REAL_ROOT}")"
42 + if ! [ "${ZFS_ENCRYPTIONROOT}" = '-' ] || [ "${ZFS_KEYSTATUS}" = 'available' ]; then
43 + good_msg "Detected ZFS encryption, asking for key"
44 + zfs load-key "${ZFS_ENCRYPTIONROOT}"
45 + retval=$?
46 + # if the key loaded fine, confirm got_good_root to exit second while loop
47 + if [ ${retval} -eq 0 ]; then
48 + got_good_root=1
49 + else
50 + bad_msg "${ROOT_DEV} is encrypted and not mountable without key"
51 + prompt_user "REAL_ROOT" "root block device"
52 + got_good_root=0
53 + fi
54 + fi
55 + fi
56 + else
57 + got_good_root=1
58 + fi
59 else
60 bad_msg "Block device ${REAL_ROOT} is not a valid root device..."
61 REAL_ROOT=""