mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2025-10-24 08:55:00 +03:00
initramfs: source user scripts from /e/z/initramfs-tools-load-key{,.d/*}
By dropping in a file in a directory (for packages) or by making a file (for local administrators), custom key loading methods may be provided for the rootfs and necessities.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Nicholas Morris <security@niwamo.com>
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
Co-authored-by: Nicholas Morris <security@niwamo.com>
Supersedes: #14704
Closes: #13757
Closes #14733
This commit is contained in:
parent
574e09d8c6
commit
6e015933f8
@ -82,3 +82,26 @@ To use this feature:
|
|||||||
in that case, use RSA (2048-bit or more) instead.
|
in that case, use RSA (2048-bit or more) instead.
|
||||||
3. Rebuild the initramfs with your keys: `update-initramfs -u`
|
3. Rebuild the initramfs with your keys: `update-initramfs -u`
|
||||||
4. During the system boot, login via SSH and run: `zfsunlock`
|
4. During the system boot, login via SSH and run: `zfsunlock`
|
||||||
|
|
||||||
|
### Unlocking a ZFS encrypted root via alternate means
|
||||||
|
|
||||||
|
If present, a shell program at `/etc/zfs/initramfs-tools-load-key`
|
||||||
|
and files matching `/etc/zfs/initramfs-tools-load-key.d/*`
|
||||||
|
will be copied to the initramfs during generation
|
||||||
|
and sourced to load the key, if required.
|
||||||
|
|
||||||
|
The `$ENCRYPTIONROOT` to load the key for and `$KEYLOCATION` variables are set,
|
||||||
|
and all initramfs-tools functions are available;
|
||||||
|
use unquoted `$ZPOOL` and `$ZFS` to run `zpool` and `zfs`.
|
||||||
|
|
||||||
|
A successful return (and loaded key) stops the search.
|
||||||
|
A failure return is non-fatal,
|
||||||
|
and loading keys proceeds as normal if no hook succeeds.
|
||||||
|
|
||||||
|
A trivial example of a key-loading drop-in that uses the BLAKE2 checksum
|
||||||
|
of the file at the `keylocation` as the key follows.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
key="$(b2sum "${KEYLOCATION#file://}")" || return
|
||||||
|
printf '%s\n' "${key%% *}" | $ZFS load-key -L prompt "$ENCRYPTIONROOT"
|
||||||
|
```
|
||||||
|
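Review bot: The b2sum example at the end of the added README section relies on a binary that the text never says has to be present in the initramfs; the section states only that the load-key file and the drop-ins themselves are copied during generation. Suggest adding a sentence that any program a drop-in calls must be added to the image separately (for instance by the providing package's own initramfs-tools hook), and that these files are sourced while unlocking the root filesystem, so they should be writable only by root. It would also help to state the order in which the drop-ins are tried, since the first success stops the search.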
@ -41,6 +41,9 @@ copy_file cache "@sysconfdir@/zfs/zpool.cache"
|
|||||||
copy_file config "@initconfdir@/zfs"
|
copy_file config "@initconfdir@/zfs"
|
||||||
copy_file config "@sysconfdir@/zfs/zfs-functions"
|
copy_file config "@sysconfdir@/zfs/zfs-functions"
|
||||||
copy_file config "@sysconfdir@/zfs/vdev_id.conf"
|
copy_file config "@sysconfdir@/zfs/vdev_id.conf"
|
||||||
|
for f in "@sysconfdir@/zfs/initramfs-tools-load-key" "@sysconfdir@/zfs/initramfs-tools-load-key.d/"*; do
|
||||||
|
copy_file config "$f"
|
||||||
|
done
|
||||||
copy_file rule "@udevruledir@/60-zvol.rules"
|
copy_file rule "@udevruledir@/60-zvol.rules"
|
||||||
copy_file rule "@udevruledir@/69-vdev.rules"
|
copy_file rule "@udevruledir@/69-vdev.rules"
|
||||||
|
|
||||||
|
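Review bot: In the added `for f in ...` loop, the bare `*` glob copies every entry in initramfs-tools-load-key.d/, so editor backups or leftover package files placed there are shipped in the image and later sourced by decrypt_fs, and when neither path exists copy_file is called with the literal unexpanded pattern. Suggest a `[ -f "$f" ] || continue` guard before `copy_file config "$f"`, and either a suffix filter or a README note that everything in the directory is included.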
@ -420,6 +420,16 @@ decrypt_fs()
|
|||||||
# Continue only if the key needs to be loaded
|
# Continue only if the key needs to be loaded
|
||||||
[ "$KEYSTATUS" = "unavailable" ] || return 0
|
[ "$KEYSTATUS" = "unavailable" ] || return 0
|
||||||
|
|
||||||
|
# Try extensions first
|
||||||
|
for f in "/etc/zfs/initramfs-tools-load-key" "/etc/zfs/initramfs-tools-load-key.d/"*; do
|
||||||
|
[ -r "$f" ] || continue
|
||||||
|
(. "$f") && {
|
||||||
|
# Successful return and actually-loaded key: we're done
|
||||||
|
KEYSTATUS="$(get_fs_value "${ENCRYPTIONROOT}" keystatus)"
|
||||||
|
[ "$KEYSTATUS" = "unavailable" ] || return 0
|
||||||
|
}
|
||||||
|
done
|
||||||
|
|
||||||
# Do not prompt if key is stored noninteractively,
|
# Do not prompt if key is stored noninteractively,
|
||||||
if ! [ "${KEYLOCATION}" = "prompt" ]; then
|
if ! [ "${KEYLOCATION}" = "prompt" ]; then
|
||||||
$ZFS load-key "${ENCRYPTIONROOT}"
|
$ZFS load-key "${ENCRYPTIONROOT}"
|
||||||
|
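Review bot: The `for f in "/etc/zfs/initramfs-tools-load-key" ...` line hardcodes /etc/zfs, while the hook copies these files from `@sysconfdir@/zfs`; the two agree only when sysconfdir is /etc. Either template this path as well or state the assumption in a comment. Separately, a drop-in that fails, or that returns success without the key becoming available, is skipped silently; a short message on that path would make a misbehaving drop-in easier to diagnose at boot. Running each file in a subshell via `(. "$f")` is a good choice, since a stray exit or variable assignment in a drop-in cannot disturb decrypt_fs.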