From 618206c0b922a1e27a942036b893bfb98570e244 Mon Sep 17 00:00:00 2001
From: Witaut Bajaryn
Date: Fri, 8 Nov 2019 23:34:07 +0100
Subject: [PATCH] Skip loading already loaded key

Don't ask for the password / try to load the key if the key for the encryptionroot is already loaded. The user might have loaded the key manually or by other means before the scripts get called.

Reviewed-by: Brian Behlendorf
Reviewed-by: Tom Caputi
Reviewed-by: Richard Laager
Signed-off-by: Witaut Bajaryn
Closes #9495
Closes #9529
---
 contrib/dracut/90zfs/mount-zfs.sh.in | 14 +++++++++-----
 contrib/dracut/90zfs/zfs-load-key.sh.in | 3 +++
 contrib/initramfs/scripts/zfs.in | 3 +++
 .../system-generators/zfs-mount-generator.in | 2 ++
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/contrib/dracut/90zfs/mount-zfs.sh.in b/contrib/dracut/90zfs/mount-zfs.sh.in
index 23f7e3e295..73300a9b66 100755
--- a/contrib/dracut/90zfs/mount-zfs.sh.in
+++ b/contrib/dracut/90zfs/mount-zfs.sh.in
@@ -62,11 +62,15 @@ if import_pool "${ZFS_POOL}" ; then
 # if the root dataset has encryption enabled
 ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")"
 if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
- # decrypt them
- ask_for_password \
- --tries 5 \
- --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
- --cmd "zfs load-key '${ENCRYPTIONROOT}'"
+ KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
+ # if the key needs to be loaded
+ if [ "$KEYSTATUS" = "unavailable" ]; then
+ # decrypt them
+ ask_for_password \
+ --tries 5 \
+ --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
+ --cmd "zfs load-key '${ENCRYPTIONROOT}'"
+ fi
 fi
 fi
 # Let us tell the initrd to run on shutdown.
diff --git a/contrib/dracut/90zfs/zfs-load-key.sh.in b/contrib/dracut/90zfs/zfs-load-key.sh.in
index 3f466798e7..88f43b6edc 100755
--- a/contrib/dracut/90zfs/zfs-load-key.sh.in
+++ b/contrib/dracut/90zfs/zfs-load-key.sh.in
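Review bot: An empty or unexpected `KEYSTATUS` is handled the same way as an already-loaded key, because the new test in mount-zfs.sh.in prompts only on the literal value `unavailable`. If `zfs get` fails or prints nothing, the password prompt is skipped without any message and the problem only surfaces later, when the mount fails. Skipping only on the positive case, e.g. `if [ "${KEYSTATUS}" != "available" ]; then`, keeps the previous behaviour for every other outcome. The same pattern appears in the zfs-load-key.sh.in hunk (`|| exit 0`) and the initramfs zfs.in hunk (`|| return 0`), where a failed query additionally ends the step with a success status.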
@@ -38,6 +38,9 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{prin
 # if the root dataset has encryption enabled
 ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
 if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+ KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
+ # continue only if the key needs to be loaded
+ [ "$KEYSTATUS" = "unavailable" ] || exit 0
 # decrypt them
 TRY_COUNT=5
 while [ $TRY_COUNT -gt 0 ]; do
diff --git a/contrib/initramfs/scripts/zfs.in b/contrib/initramfs/scripts/zfs.in
index c82b210d7e..523694473a 100644
--- a/contrib/initramfs/scripts/zfs.in
+++ b/contrib/initramfs/scripts/zfs.in
@@ -414,6 +414,9 @@ decrypt_fs()
 # If root dataset is encrypted...
 if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+ KEYSTATUS="$(${ZFS} get -H -o value keystatus "${ENCRYPTIONROOT}")"
+ # Continue only if the key needs to be loaded
+ [ "$KEYSTATUS" = "unavailable" ] || return 0
 TRY_COUNT=3
 # Prompt with plymouth, if active
 if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
diff --git a/etc/systemd/system-generators/zfs-mount-generator.in b/etc/systemd/system-generators/zfs-mount-generator.in
index 3e529cb67b..be2c1420cd 100755
--- a/etc/systemd/system-generators/zfs-mount-generator.in
+++ b/etc/systemd/system-generators/zfs-mount-generator.in
@@ -182,6 +182,8 @@ process_line() {
 keyloadcmd="@sbindir@/zfs load-key '${dataset}'"
 elif [ "${p_keyloc}" = "prompt" ] ; then
 keyloadcmd="sh -c 'set -eu;"\
+"keystatus=\"\$\$(@sbindir@/zfs get -H -o value keystatus \"${dataset}\")\";"\
+"[ \"\$\$keystatus\" = \"unavailable\" ] || exit 0;"\
 "count=0;"\
 "while [ \$\$count -lt 3 ];do"\
 " systemd-ask-password --id=\"zfs:${dataset}\""\
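Review bot: The keystatus check in the generated `sh -c` command of zfs-mount-generator.in runs once, ahead of the `while [ \$\$count -lt 3 ]` loop, so a key loaded by another boot component between the check and the load attempt would presumably make all three attempts fail and the unit end in error although the dataset is already unlocked. The loop body lies outside the hunk, so this is inferred from the visible lines only. Repeating the status query at the top of each loop iteration, or after a failed attempt, would close that window. Because the check is buried inside a quoted string, a comment above the added lines such as `# skip the prompt when the key was already loaded (initramfs or manual load)` would also help the next reader.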