Skip loading already loaded key

Don't ask for the password / try to load the key if the key for the encryptionroot is already loaded. The user might have loaded the key manually or by other means before the scripts get called. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Tom Caputi <tcaputi@datto.com> Reviewed-by: Richard Laager <rlaager@wiktel.com> Signed-off-by: Witaut Bajaryn <vitaut.bayaryn@gmail.com> Closes #9495 Closes #9529
2019-11-08 23:34:07 +01:00 · 2019-11-08 23:34:07 +01:00 · 6c7023a532
parent 734de7ced1
commit 6c7023a532
4 changed files with 17 additions and 5 deletions
--- a/contrib/dracut/90zfs/mount-zfs.sh.in
+++ b/contrib/dracut/90zfs/mount-zfs.sh.in
@ -62,11 +62,15 @@ if import_pool "${ZFS_POOL}" ; then
 		# if the root dataset has encryption enabled
 		ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${ZFS_DATASET}")"
 		if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
-			# decrypt them
-			ask_for_password \
-				--tries 5 \
-				--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
-				--cmd "zfs load-key '${ENCRYPTIONROOT}'"
+			KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
+			# if the key needs to be loaded
+			if [ "$KEYSTATUS" = "unavailable" ]; then
+				# decrypt them
+				ask_for_password \
+					--tries 5 \
+					--prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}: " \
+					--cmd "zfs load-key '${ENCRYPTIONROOT}'"
+			fi
 		fi
 	fi
 	# Let us tell the initrd to run on shutdown.
--- a/contrib/dracut/90zfs/zfs-load-key.sh.in
+++ b/contrib/dracut/90zfs/zfs-load-key.sh.in
@ -38,6 +38,9 @@ if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{prin
    # if the root dataset has encryption enabled
    ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
    if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+        KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
+        # continue only if the key needs to be loaded
+        [ "$KEYSTATUS" = "unavailable" ] || exit 0
        # decrypt them
        TRY_COUNT=5
        while [ $TRY_COUNT -gt 0 ]; do
--- a/contrib/initramfs/scripts/zfs.in
+++ b/contrib/initramfs/scripts/zfs.in
@ -414,6 +414,9 @@ decrypt_fs()

 		# If root dataset is encrypted...
 		if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+			KEYSTATUS="$(${ZFS} get -H -o value keystatus "${ENCRYPTIONROOT}")"
+			# Continue only if the key needs to be loaded
+			[ "$KEYSTATUS" = "unavailable" ] || return 0
 			TRY_COUNT=3
 			# Prompt with plymouth, if active
 			if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
--- a/etc/systemd/system-generators/zfs-mount-generator.in
+++ b/etc/systemd/system-generators/zfs-mount-generator.in
@ -182,6 +182,8 @@ process_line() {
        keyloadcmd="@sbindir@/zfs load-key '${dataset}'"
      elif [ "${p_keyloc}" = "prompt" ] ; then
        keyloadcmd="sh -c 'set -eu;"\
+"keystatus=\"\$\$(@sbindir@/zfs get -H -o value keystatus \"${dataset}\")\";"\
+"[ \"\$\$keystatus\" = \"unavailable\" ] || exit 0;"\
 "count=0;"\
 "while [ \$\$count -lt 3 ];do"\
 "  systemd-ask-password --id=\"zfs:${dataset}\""\