From a67696a9bda0e95320981b4e9d4e1b1de083f4aa Mon Sep 17 00:00:00 2001
From: Kevin Stolp
Date: Thu, 26 Sep 2024 03:05:51 -0700
Subject: [PATCH] Add mkinitcpio hook for decryption over SSH

Adds the zfsencryptssh hook to allow the user to decrypt a ZFS root filesystem remotely via SSH, early in the boot process. Sourced from the archzfs project.
---
 .SRCINFO | 5 +++-
 PKGBUILD | 12 ++++++---
 zfs.initcpio.zfsencryptssh.install | 39 ++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 zfs.initcpio.zfsencryptssh.install

diff --git a/.SRCINFO b/.SRCINFO
index a716d9a..f6719e0 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = zfs-utils
 pkgdesc = Userspace utilities for the Zettabyte File System.
 pkgver = 2.2.6
- pkgrel = 1
+ pkgrel = 2
 url = https://zfsonlinux.org/
 arch = i686
 arch = x86_64
@@ -15,6 +15,7 @@ pkgbase = zfs-utils
 source = zfs-node-permission.conf
 source = zfs.initcpio.install
 source = zfs.initcpio.hook
+ source = zfs.initcpio.zfsencryptssh.install
 validpgpkeys = 4F3BA9AB6D1F8D683DC2DFB56AD860EED4598027
 validpgpkeys = C33DF142657ED1F7C328A2960AB9E991C6AF658B
 sha256sums = c92e02103ac5dd77bf01d7209eabdca55c7b3356aa747bb2357ec4222652a2a7
@@ -22,10 +23,12 @@ pkgbase = zfs-utils sha256sums = 7ad45fd291aa582639725f14d88d7da5bd3d427012b25bddbe917ca6d1a07c1a sha256sums = 2f09c742287f4738c7c09a9669f8055cd63d3b9474cd1f6d9447152d11a1b913 sha256sums = 15b5acea44225b4364ec6472a08d3d48666d241fe84c142e1171cd3b78a5584f + sha256sums = ac9ed396465e26fa6896762c52a93eb7aaf8af6d7b2c69bd826d219ff821b2c9 b2sums = 0bbe36df779aaf19460a75725af9c9b13e64e77a6020974ad18d60d9fd52db2ddd6ea98b3e6c7451195bdfb347b8aab51db9b3f9a7c15c77bff47329bbd07dd2 b2sums = SKIP b2sums = 7eb3408b1354a4dd504000739101afc7ec0aed1afcdfa029552bf6989e9a8cd4a95b3d3563b3fb7902afa30a80fb01a3f5a2d5af82f9c734c48b5cc23aac25ca b2sums = cb774227f157573f960bdb345e5b014c043a573c987d37a1db027b852d77a5eda1ee699612e1d8f4a2770897624889f1a3808116a171cc4c796a95e3caa43012 b2sums = 779c864611249c3f21d1864508d60cfe5e0f5541d74fb3093c6bdfa56be2c76f386ac1690d363beaee491c5132f5f6dbc01553aa408cda579ebca74b0e0fd1d0 + b2sums = fcd871d72c62a7c99d6cf29cb40a4751bfc08238ff39e8c9440d119754e92ded4705414710db86e99d044011f3524e54c778bda94696dde2c06b3289da6628d0 pkgname = zfs-utils diff --git a/PKGBUILD b/PKGBUILD index b44b12a..06213b4 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -4,7 +4,7 @@ pkgname=zfs-utils pkgver=2.2.6 -pkgrel=1 +pkgrel=2 pkgdesc="Userspace utilities for the Zettabyte File System." arch=("i686" "x86_64" "aarch64") url="https://zfsonlinux.org/" 
@@ -13,17 +13,20 @@ optdepends=('python: for arcstat/arc_summary/dbufstat')
 source=("https://github.com/zfsonlinux/zfs/releases/download/zfs-${pkgver}/zfs-${pkgver}.tar.gz"{,.asc}
 "zfs-node-permission.conf"
 "zfs.initcpio.install"
- "zfs.initcpio.hook")
+ "zfs.initcpio.hook"
+ "zfs.initcpio.zfsencryptssh.install")
 sha256sums=('c92e02103ac5dd77bf01d7209eabdca55c7b3356aa747bb2357ec4222652a2a7'
 'SKIP'
 '7ad45fd291aa582639725f14d88d7da5bd3d427012b25bddbe917ca6d1a07c1a'
 '2f09c742287f4738c7c09a9669f8055cd63d3b9474cd1f6d9447152d11a1b913'
- '15b5acea44225b4364ec6472a08d3d48666d241fe84c142e1171cd3b78a5584f')
+ '15b5acea44225b4364ec6472a08d3d48666d241fe84c142e1171cd3b78a5584f'
+ 'ac9ed396465e26fa6896762c52a93eb7aaf8af6d7b2c69bd826d219ff821b2c9')
 b2sums=('0bbe36df779aaf19460a75725af9c9b13e64e77a6020974ad18d60d9fd52db2ddd6ea98b3e6c7451195bdfb347b8aab51db9b3f9a7c15c77bff47329bbd07dd2'
 'SKIP'
 '7eb3408b1354a4dd504000739101afc7ec0aed1afcdfa029552bf6989e9a8cd4a95b3d3563b3fb7902afa30a80fb01a3f5a2d5af82f9c734c48b5cc23aac25ca'
 'cb774227f157573f960bdb345e5b014c043a573c987d37a1db027b852d77a5eda1ee699612e1d8f4a2770897624889f1a3808116a171cc4c796a95e3caa43012'
- '779c864611249c3f21d1864508d60cfe5e0f5541d74fb3093c6bdfa56be2c76f386ac1690d363beaee491c5132f5f6dbc01553aa408cda579ebca74b0e0fd1d0')
+ '779c864611249c3f21d1864508d60cfe5e0f5541d74fb3093c6bdfa56be2c76f386ac1690d363beaee491c5132f5f6dbc01553aa408cda579ebca74b0e0fd1d0'
+ 'fcd871d72c62a7c99d6cf29cb40a4751bfc08238ff39e8c9440d119754e92ded4705414710db86e99d044011f3524e54c778bda94696dde2c06b3289da6628d0')
 validpgpkeys=('4F3BA9AB6D1F8D683DC2DFB56AD860EED4598027' # Tony Hutter (GPG key for signing ZFS releases)
 'C33DF142657ED1F7C328A2960AB9E991C6AF658B') # Brian Behlendorf
 backup=('etc/default/zfs'
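Review bot: The runtime needs of the new initcpio hook are not declared anywhere in this PKGBUILD, even though the optdepends line in this hunk's header is the natural place: the decrypt shell the hook generates runs `killall zfs` and sources `/hooks/zfs`, and the install file only writes /etc/passwd and that shell, so an SSH server for the initramfs presumably has to come from a separate hook that the package neither depends on nor names. Consider `optdepends=('python: for arcstat/arc_summary/dbufstat' 'psmisc: killall for the zfsencryptssh initcpio hook')` just above this hunk, and documenting the required SSH hook and its ordering relative to zfs in the install file's help text. The local-file checksums added here match the .SRCINFO additions, so the rest of the hunk is consistent.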
@@ -84,4 +87,5 @@ package() { install -D -m644 "${srcdir}"/zfs.initcpio.hook "${pkgdir}"/usr/lib/initcpio/hooks/zfs install -D -m644 "${srcdir}"/zfs.initcpio.install "${pkgdir}"/usr/lib/initcpio/install/zfs + install -D -m644 "${srcdir}"/zfs.initcpio.zfsencryptssh.install "${pkgdir}"/usr/lib/initcpio/install/zfsencryptssh } diff --git a/zfs.initcpio.zfsencryptssh.install b/zfs.initcpio.zfsencryptssh.install new file mode 100644 index 0000000..725a0ca --- /dev/null +++ b/zfs.initcpio.zfsencryptssh.install @@ -0,0 +1,39 @@ +#!/bin/bash + +make_etc_passwd() { + echo 'root:x:0:0:root:/root:/bin/zfsdecrypt_shell' >> "${BUILDROOT}"/etc/passwd + echo '/bin/zfsdecrypt_shell' > "${BUILDROOT}"/etc/shells +} + +make_zfsdecrypt_shell() { + decrypt_shell='#!/bin/sh +if [ -f "/.encryptionroot" ]; then + # source zfs hook functions + . /hooks/zfs + # decrypt bootfs + zfs_decrypt_fs "$(cat /.encryptionroot)" + # kill pending decryption attempt to allow the boot process to continue + killall zfs +else + echo "ZFS is not ready yet. Please wait!" +fi' + printf '%s' "$decrypt_shell" > "${BUILDROOT}"/bin/zfsdecrypt_shell + chmod a+x "${BUILDROOT}"/bin/zfsdecrypt_shell +} + +build () +{ + make_etc_passwd + make_zfsdecrypt_shell +} + +help () +{ + cat<