commit:     9ae0c9752add3ff79c0eeedbe8f2d6c8aae6b6fe
Author:     Georgy Yakovlev <gyakovlev <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 26 00:22:32 2019 +0000
Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Tue Feb 26 00:22:32 2019 +0000
URL:        https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=9ae0c975

Add basic zfs encryption support

This very simple implementation only supports passphrase.

It does not affect booting encryption-unaware zfs, since
'zpool list -H -o feature <AT> encryption ...' will return 0
on systems where zfs userland utils do not support encryption.

Closes: https://bugs.gentoo.org/show_bug.cgi?id=657374
Signed-off-by: Georgy Yakovlev <gyakovlev <AT> gentoo.org>

 defaults/linuxrc | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/defaults/linuxrc b/defaults/linuxrc
index 0776423..880d668 100644
--- a/defaults/linuxrc
+++ b/defaults/linuxrc
@@ -639,11 +639,32 @@ do
                        prompt_user "REAL_ROOT" "root block device"
                        got_good_root=0
 
-               # Check for a block device or /dev/nfs
+               # Check for a block device or /dev/nfs or zfs encryption
                elif [ -b "${REAL_ROOT}" ] || [ "${REAL_ROOT}" = "/dev/nfs" ] 
|| [ "${ROOTFSTYPE}" = "zfs" ]
                then
-                       got_good_root=1
-
+                       if [ "${ROOTFSTYPE}" = "zfs" ]; then
+                               # at this point we determined dataset and are 
ready to mount
+                               # let's check if this dataset is encrypted and 
ask for passphrase
+                               if [ "$(zpool list -H -o feature@encryption 
"${REAL_ROOT%%/*}")" = 'active' ]; then
+                                       ZFS_KEYSTATUS="$(zfs get -H -o value 
keystatus "${REAL_ROOT}")"
+                                       ZFS_ENCRYPTIONROOT="$(zfs get -H -o 
value encryptionroot "${REAL_ROOT}")"
+                                       if ! [ "${ZFS_ENCRYPTIONROOT}" = '-' ] 
|| [ "${ZFS_KEYSTATUS}" = 'available' ]; then
+                                               good_msg "Detected ZFS 
encryption, asking for key"
+                                               zfs load-key 
"${ZFS_ENCRYPTIONROOT}"
+                                               retval=$?
+                                               # if the key loaded fine, 
confirm got_good_root to exit second while loop
+                                               if [ ${retval} -eq 0 ]; then
+                                                       got_good_root=1
+                                               else
+                                                       bad_msg "${ROOT_DEV} is 
encrypted and not mountable without key"
+                                                       prompt_user "REAL_ROOT" 
"root block device"
+                                                       got_good_root=0
+                                               fi
+                                       fi
+                               fi
+                       else
+                               got_good_root=1
+                       fi
                else
                        bad_msg "Block device ${REAL_ROOT} is not a valid root 
device..."
                        REAL_ROOT=""
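Review bot: The key check `if ! [ "${ZFS_ENCRYPTIONROOT}" = '-' ] || [ "${ZFS_KEYSTATUS}" = 'available' ]` has the wrong connective: a dataset whose key is already loaded (keystatus 'available') satisfies the right-hand side, so `zfs load-key` runs again, fails, and the root is rejected with a re-prompt; the intended test is `if [ "${ZFS_ENCRYPTIONROOT}" != '-' ] && [ "${ZFS_KEYSTATUS}" != 'available' ]; then`. A second gap is that nothing in the zfs branch sets `got_good_root=1` when the pool's encryption feature is not 'active' or the dataset is unencrypted, so an unencrypted ZFS root appears to stay in the loop unless an earlier path already marked it good — setting `got_good_root=1` right after `if [ "${ROOTFSTYPE}" = "zfs" ]; then` and letting only the failed load-key path reset it to 0 would cover both cases. The failure message also reads `${ROOT_DEV}`, which is not used anywhere else in this hunk; `${REAL_ROOT}` is presumably what was meant. The enclosing while loop and the if/elif chain begin and end outside the hunk.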
