Implement loading the ZFS key at boot

latchset · Jun 14, 2024 · 45b2d0e · 45b2d0e
1 parent 8ae3bcd
commit 45b2d0e
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 0 deletions.
diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
@@ -62,6 +62,7 @@ copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null no
 copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
 copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
 copy_exec @bindir@/clevis-zfs-common || die 1 "@bindir@/clevis-zfs-common not found"
+copy_exec @bindir@/clevis-zfs-unlock || die 1 "@bindir@/clevis-zfs-unlock not found"
 copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
 if [ -x @bindir@/clevis-decrypt-tpm2 ]; then
     copy_exec @bindir@/clevis-decrypt-tpm2 || die 1 "@bindir@/clevis-decrypt-tpm2 not found"

diff --git a/src/initramfs-tools/meson.build b/src/initramfs-tools/meson.build
@@ -4,6 +4,7 @@ if initramfs_tools.found()
   initramfstools_dir = '/usr/share/initramfs-tools'
   initramfs_hooks_dir =  '/usr/share/initramfs-tools/hooks'
   initramfs_scripts_dir = '/usr/share/initramfs-tools/scripts'
+  zfs_initramfs_load_key_scripts_dir = '/etc/zfs/initramfs-tools-load-key.d'
   initramfs_data = configuration_data()
   initramfs_data.merge_from(data)
   initramfs_data.set('initramfstoolsdir', initramfstools_dir)

diff --git a/src/initramfs-tools/scripts/meson.build b/src/initramfs-tools/scripts/meson.build
@@ -1,2 +1,3 @@
 subdir('local-top')
 subdir('local-bottom')
+subdir('zfs-load-key')
diff --git a/src/initramfs-tools/scripts/zfs-load-key/clevis-zfs.in b/src/initramfs-tools/scripts/zfs-load-key/clevis-zfs.in
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# Copyright (c) 2024 Joel Low
+#
+# Author: Joel Low <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+set -euo pipefail
+
+clevis zfs unlock -d "${ENCRYPTIONROOT}"
diff --git a/src/initramfs-tools/scripts/zfs-load-key/meson.build b/src/initramfs-tools/scripts/zfs-load-key/meson.build
@@ -0,0 +1,6 @@
+configure_file(
+  input: 'clevis-zfs.in',
+  output: 'clevis-zfs',
+  install_dir: zfs_initramfs_load_key_scripts_dir,
+  configuration: initramfs_data,
+)