Make initramfs-tools script encryption aware

Changed decrypt_fs zfs command to "load-key" Plymouth case code based on "contrib/dracut/90zfs/zfs-lib.sh.in" Systemd case based on "contrib/dracut/90zfs/zfs-load-key.sh.in" Cleaned up misspelling of "available" throughout Code style fixes Single quote for ${ENCRYPTIONROOT} Changed "${DECRYPT_CMD}" to "eval ${DECRYPT_CMD}" Reviewed-by: Kash Pande <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Reviewed-by: Tom Caputi <[email protected]> Reviewed-by: Richard Laager <[email protected]> Signed-off-by: Garrett Fields <[email protected]> Closes #8093
author: Garrett Fields <[email protected]> 2018-11-09 14:30:09 -0500
committer: Brian Behlendorf <[email protected]> 2018-11-09 11:30:09 -0800
commit: 0500bfd0b9f1393af5bae274551147c5b31e7ccc (patch)
tree: 84f4afcb6474017f6f8de30dcaab46b0a55fd457 /contrib/initramfs
parent: d48091de81e5eab2aa32d7a52db4f147bd813523 (diff)
1 files changed, 34 insertions, 64 deletions
diff --git a/contrib/initramfs/scripts/zfs.in b/contrib/initramfs/scripts/zfs.in
index 1b8160a6b..602d4c306 100644
--- a/contrib/initramfs/scripts/zfs.in
+++ b/contrib/initramfs/scripts/zfs.in
@@ -39,7 +39,7 @@ pre_mountroot()
 	fi
 }
 
-# If plymouth is availible, hide the splash image.
+# If plymouth is available, hide the splash image.
 disable_plymouth()
 {
 	if [ -x /bin/plymouth ] && /bin/plymouth --ping
@@ -108,7 +108,7 @@ find_pools()
 	echo "${pools%%;}" # Return without the last ';'.
 }
 
-# Get a list of all availible pools
+# Get a list of all available pools
 get_pools()
 {
 	local available_pools npools
@@ -118,7 +118,7 @@ get_pools()
 		return 0
 	fi
 
-	# Get the base list of availible pools.
+	# Get the base list of available pools.
 	available_pools=$(find_pools "$ZPOOL" import)
 
 	# Just in case - seen it happen (that a pool isn't visable/found
@@ -181,7 +181,7 @@ get_pools()
 		available_pools="$apools"
 	fi
 
-	# Return list of availible pools.
+	# Return list of available pools.
 	echo "$available_pools"
 }
 
@@ -391,67 +391,37 @@ mount_fs()
 decrypt_fs()
 {
 	local fs="$1"
-
-	# If the 'zfs key' command isn't availible, exit right here.
-	"${ZFS}" 2>&1 | grep -q 'key -l ' || return 0
-
-	# Check if filesystem is encrypted. If not, exit right here.
-	[ "$(get_fs_value "$fs" encryption)" != "off" ] || return 0
-
-	[ "$quiet" != "y" ] && \
-	    zfs_log_begin_msg "Loading crypto wrapper key for $fs"
-
-	# Just make sure that ALL crypto modules module is loaded.
-	# Simplest just to load all...
-	for mod in sun-ccm sun-gcm sun-ctr
-	do
-		[ "$quiet" != "y" ] && zfs_log_progress_msg "${mod} "
-
-		ZFS_CMD="load_module $mod"
-		ZFS_STDERR="$(${ZFS_CMD} 2>&1)"
-		ZFS_ERROR="$?"
-
-		if [ "${ZFS_ERROR}" != 0 ]
-		then
-			[ "$quiet" != "y" ] && zfs_log_failure_msg "${ZFS_ERROR}"
-
-			disable_plymouth
-			echo ""
-			echo "Command: $ZFS_CMD"
-			echo "Message: $ZFS_STDERR"
-			echo "Error: $ZFS_ERROR"
-			echo ""
-			echo "Failed to load $mod module."
-			echo "Please verify that it is availible on the initrd image"
-			echo "(without it it won't be possible to unlock the filesystem)"
-			echo "and rerun:  $ZFS_CMD"
-			/bin/sh
-		else
-			[ "$quiet" != "y" ] && zfs_log_end_msg
+	
+	# If pool encryption is active and the zfs command understands '-o encryption'
+	if [ "$(zpool list -H -o feature@encryption $(echo "${fs}" | awk -F\/ '{print $1}'))" = 'active' ]; then
+
+		# Determine dataset that holds key for root dataset
+		ENCRYPTIONROOT=$(${ZFS} get -H -o value encryptionroot "${fs}")
+		DECRYPT_CMD="${ZFS} load-key '${ENCRYPTIONROOT}'"
+
+		# If root dataset is encrypted...
+		if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+
+			# Prompt with plymouth, if active
+			if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
+				plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" \
+					--number-of-tries="3" \
+					--command="${DECRYPT_CMD}"
+
+			# Prompt with systemd, if active 
+			elif [ -e /run/systemd/system ]; then
+				TRY_COUNT=3
+				while [ $TRY_COUNT -gt 0 ]; do
+					systemd-ask-password "Encrypted ZFS password for ${ENCRYPTIONROOT}" --no-tty | \
+						${DECRYPT_CMD} && break
+					TRY_COUNT=$((TRY_COUNT - 1))
+				done
+
+			# Prompt with ZFS tty, otherwise
+			else
+				eval "${DECRYPT_CMD}"
+			fi
 		fi
-	done
-
-	# If the key isn't availible, then this will fail!
-	ZFS_CMD="${ZFS} key -l -r $fs"
-	ZFS_STDERR="$(${ZFS_CMD} 2>&1)"
-	ZFS_ERROR="$?"
-
-	if [ "${ZFS_ERROR}" != 0 ]
-	then
-		[ "$quiet" != "y" ] && zfs_log_failure_msg "${ZFS_ERROR}"
-
-		disable_plymouth
-		echo ""
-		echo "Command: $ZFS_CMD"
-		echo "Message: $ZFS_STDERR"
-		echo "Error: $ZFS_ERROR"
-		echo ""
-		echo "Failed to load zfs encryption wrapper key (s)."
-		echo "Please verify dataset property 'keysource' for datasets"
-		echo "and rerun:  $ZFS_CMD"
-		/bin/sh
-	else
-		[ "$quiet" != "y" ] && zfs_log_end_msg
 	fi
 
 	return 0
author	Garrett Fields <[email protected]>	2018-11-09 14:30:09 -0500
committer	Brian Behlendorf <[email protected]>	2018-11-09 11:30:09 -0800
commit	0500bfd0b9f1393af5bae274551147c5b31e7ccc (patch)
tree	84f4afcb6474017f6f8de30dcaab46b0a55fd457 /contrib/initramfs
parent	d48091de81e5eab2aa32d7a52db4f147bd813523 (diff)