From: "Robin H. Johnson"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Robin H. Johnson"
Message-ID: <1551140552.9ae0c9752add3ff79c0eeedbe8f2d6c8aae6b6fe.robbat2@gentoo>
Subject: [gentoo-commits] proj/genkernel:master commit in: defaults/
X-VCS-Repository: proj/genkernel
X-VCS-Files: defaults/linuxrc
X-VCS-Directories: defaults/
X-VCS-Committer: robbat2
X-VCS-Committer-Name: Robin H. Johnson
X-VCS-Revision: 9ae0c9752add3ff79c0eeedbe8f2d6c8aae6b6fe
X-VCS-Branch: master
Date: Thu, 28 Feb 2019 06:40:29 +0000 (UTC)

commit: 9ae0c9752add3ff79c0eeedbe8f2d6c8aae6b6fe
Author: Georgy Yakovlev gentoo org>
AuthorDate: Tue Feb 26 00:22:32 2019 +0000
Commit: Robin H. Johnson gentoo org>
CommitDate: Tue Feb 26 00:22:32 2019 +0000
URL: https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=9ae0c975

Add basic zfs encryption support

This very simple implementation only supports passphrase. It does not affect booting encryption-unaware zfs, since 'zpool list -H -o feature@encryption ...' will return 0 on systems where zfs userland utils do not support encryption.

Closes: https://bugs.gentoo.org/show_bug.cgi?id=657374
Signed-off-by: Georgy Yakovlev gentoo.org>

defaults/linuxrc | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/defaults/linuxrc b/defaults/linuxrc index 0776423..880d668 100644 --- a/defaults/linuxrc +++ b/defaults/linuxrc 
@@ -639,11 +639,32 @@ do prompt_user "REAL_ROOT" "root block device" got_good_root=0 - # Check for a block device or /dev/nfs + # Check for a block device or /dev/nfs or zfs encryption elif [ -b "${REAL_ROOT}" ] || [ "${REAL_ROOT}" = "/dev/nfs" ] || [ "${ROOTFSTYPE}" = "zfs" ] then - got_good_root=1 - + if [ "${ROOTFSTYPE}" = "zfs" ]; then + # at this point we determined dataset and are ready to mount + # let's check if this dataset is encrypted and ask for passphrase + if [ "$(zpool list -H -o feature@encryption "${REAL_ROOT%%/*}")" = 'active' ]; then + ZFS_KEYSTATUS="$(zfs get -H -o value keystatus "${REAL_ROOT}")" + ZFS_ENCRYPTIONROOT="$(zfs get -H -o value encryptionroot "${REAL_ROOT}")" + if ! [ "${ZFS_ENCRYPTIONROOT}" = '-' ] || [ "${ZFS_KEYSTATUS}" = 'available' ]; then + good_msg "Detected ZFS encryption, asking for key" + zfs load-key "${ZFS_ENCRYPTIONROOT}" + retval=$? + # if the key loaded fine, confirm got_good_root to exit second while loop + if [ ${retval} -eq 0 ]; then + got_good_root=1 + else + bad_msg "${ROOT_DEV} is encrypted and not mountable without key" + prompt_user "REAL_ROOT" "root block device" + got_good_root=0 + fi + fi + fi + else + got_good_root=1 + fi else bad_msg "Block device ${REAL_ROOT} is not a valid root device..." REAL_ROOT=""
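Review bot: In the new `[ "${ROOTFSTYPE}" = "zfs" ]` branch, `got_good_root=1` is only reached after a successful `zfs load-key`, so a zfs root whose pool does not report `feature@encryption` as `active`, or whose dataset fails the inner test, falls through without `got_good_root` being set, where the removed line set it unconditionally. Add `got_good_root=1` on those paths, for example with an `else` on both inner `if`s, so an unencrypted zfs root still leaves the loop. The inner test `! [ "${ZFS_ENCRYPTIONROOT}" = '-' ] || [ "${ZFS_KEYSTATUS}" = 'available' ]` also looks inverted: it asks for a key when keystatus is already `available`, and `zfs load-key` fails on a key that is already loaded, which sends the user down the `bad_msg` path. The condition probably wants encryptionroot not equal to `-` and keystatus equal to `unavailable`. The failure message prints `${ROOT_DEV}` while the rest of the hunk uses `${REAL_ROOT}`, and a mistyped passphrase drops back to the root-device prompt rather than retrying the key; both are worth fixing or documenting in a comment.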