Archive-Team
/
zfs
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 103 Wiki Activity

Skip loading already loaded key 

Don't ask for the password / try to load the key if the key for the 
encryptionroot is already loaded.  The user might have loaded the key 
manually or by other means before the scripts get called.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tom Caputi <tcaputi@datto.com>
Reviewed-by: Richard Laager <rlaager@wiktel.com>
Signed-off-by: Witaut Bajaryn <vitaut.bayaryn@gmail.com>
Closes #9495
Closes #9529
This commit is contained in:
Witaut Bajaryn 2019-11-08 23:34:07 +01:00 committed by Brian Behlendorf
parent 734de7ced1
commit 6c7023a532
4 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
contrib/dracut/90zfs/mount-zfs.sh.in
View File

@ -62,6 +62,9 @@ if import_pool "${ZFS_POOL}" ; then
# if the root dataset has encryption enabled # if the root dataset has encryption enabled
ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")" ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")"
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
# if the key needs to be loaded
if [ "$KEYSTATUS" = "unavailable" ]; then
# decrypt them # decrypt them
ask_for_password \ ask_for_password \
--tries 5 \ --tries 5 \
@ -69,6 +72,7 @@ if import_pool "${ZFS_POOL}" ; then
--cmd "zfs load-key '${ENCRYPTIONROOT}'" --cmd "zfs load-key '${ENCRYPTIONROOT}'"
fi fi
fi fi
fi
# Let us tell the initrd to run on shutdown. # Let us tell the initrd to run on shutdown.
# We have a shutdown hook to run # We have a shutdown hook to run
# because we imported the pool. # because we imported the pool.

3
contrib/dracut/90zfs/zfs-load-key.sh.in
View File

@ -38,6 +38,9 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{prin
# if the root dataset has encryption enabled # if the root dataset has encryption enabled
ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}") ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
# continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || exit 0
# decrypt them # decrypt them
TRY_COUNT=5 TRY_COUNT=5
while [ $TRY_COUNT -gt 0 ]; do while [ $TRY_COUNT -gt 0 ]; do

3
contrib/initramfs/scripts/zfs.in
View File

@ -414,6 +414,9 @@ decrypt_fs()
# If root dataset is encrypted... # If root dataset is encrypted...
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(${ZFS} get -H -o value keystatus "${ENCRYPTIONROOT}")"
# Continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || return 0
TRY_COUNT=3 TRY_COUNT=3
# Prompt with plymouth, if active # Prompt with plymouth, if active
if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then

2
etc/systemd/system-generators/zfs-mount-generator.in
View File

@ -182,6 +182,8 @@ process_line() {
keyloadcmd="@sbindir@/zfs load-key '${dataset}'" keyloadcmd="@sbindir@/zfs load-key '${dataset}'"
elif [ "${p_keyloc}" = "prompt" ] ; then elif [ "${p_keyloc}" = "prompt" ] ; then
keyloadcmd="sh -c 'set -eu;"\ keyloadcmd="sh -c 'set -eu;"\
"keystatus=\"\$\$(@sbindir@/zfs get -H -o value keystatus \"${dataset}\")\";"\
"[ \"\$\$keystatus\" = \"unavailable\" ] || exit 0;"\
"count=0;"\ "count=0;"\
"while [ \$\$count -lt 3 ];do"\ "while [ \$\$count -lt 3 ];do"\
" systemd-ask-password --id=\"zfs:${dataset}\""\ " systemd-ask-password --id=\"zfs:${dataset}\""\