Add support for ZFS encryption

dracut/60clevis-zfs/clevis-zfs-hook.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+
+# import the libs now that we know the pool imported
+[ -f /lib/dracut-lib.sh ] && dracutlib=/lib/dracut-lib.sh
+[ -f /usr/lib/dracut/modules.d/99base/dracut-lib.sh ] && dracutlib=/usr/lib/dracut/modules.d/99base/dracut-lib.sh
+# shellcheck source=./lib-zfs.sh.in
+. "$dracutlib"
+
+# load the kernel command line vars
+[ -z "$root" ] && root="$(getarg root=)"
+# If root is not ZFS= or zfs: or rootfstype is not zfs then we are not supposed to handle it.
+[ "${root##zfs:}" = "${root}" ] && [ "${root##ZFS=}" = "${root}" ] && [ "$rootfstype" != "zfs" ] && exit 0
+
+# There is a race between the zpool import and the pre-mount hooks, so we wait for a pool to be imported
+while true; do
+    zpool list -H | grep -q -v '^$' && break
+    [ "$(systemctl is-failed zfs-import-cache.service)" = 'failed' ] && exit 1
+    [ "$(systemctl is-failed zfs-import-scan.service)" = 'failed' ] && exit 1
+    sleep 0.1s
+done
+
+# run this after import as zfs-import-cache/scan service is confirmed good
+# we do not overwrite the ${root} variable, but create a new one, BOOTFS, to hold the dataset
+if [ "${root}" = "zfs:AUTO" ] ; then
+    BOOTFS="$(zpool list -H -o bootfs | awk '$1 != "-" {print; exit}')"
+else
+    BOOTFS="${root##zfs:}"
+    BOOTFS="${BOOTFS##ZFS=}"
+fi
+
+# if pool encryption is active and the zfs command understands '-o encryption'
+if [ "$(zpool list -H -o feature@encryption $(echo "${BOOTFS}" | awk -F\/ '{print $1}'))" = 'active' ]; then
+    # if the root dataset has encryption enabled
+    ENCRYPTIONROOT=$(zfs get -H -o value encryptionroot "${BOOTFS}")
+    # where the key is stored (in a file or loaded via prompt)
+    KEYLOCATION=$(zfs get -H -o value keylocation "${ENCRYPTIONROOT}")
+    if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+        KEYSTATUS="$(zfs get -H -o value keystatus "${ENCRYPTIONROOT}")"
+        # continue only if the key needs to be loaded
+        [ "$KEYSTATUS" = "unavailable" ] || exit 0
+        # decrypt them
+        TRY_COUNT=5
+        while [ $TRY_COUNT -gt 0 ]; do
+	    echo >&2 "Attempting to unlock with clevis-zfs-unlock; ${TRY_COUNT} attempts left..."
+	    clevis-zfs-unlock -d "${ENCRYPTIONROOT}" && break
+            TRY_COUNT=$((TRY_COUNT - 1))
+        done
+    fi
+fi
+
+
+

dracut/60clevis-zfs/module-setup.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Nathaniel McCallum <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+depends() {
+    # do we have a hard dependency on systemd?
+    echo zfs systemd
+    return 255
+}
+
+install() {
+    inst_multiple \
+        /etc/services \
+        grep sed cut \
+        clevis-decrypt \
+        clevis-zfs-common \
+        clevis-zfs-unlock \
+        clevis-zfs-list \
+        clevis \
+        mktemp \
+        jose
+
+    inst_hook pre-mount 90 "${moddir}/clevis-zfs-hook.sh"
+
+    dracut_need_initqueue
+}

src/initramfs-tools/hooks/clevis-zfs.in

@@ -0,0 +1,96 @@
+#!/bin/bash
+#
+# Copyright (c) 2017 Shawn Rose
+# Copyright (c) 2024 Joel Low
+# Author: Shawn Rose <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+PREREQ=""
+prereqs()
+{
+     echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+     prereqs
+     exit 0
+     ;;
+esac
+
+. @initramfstoolsdir@/hook-functions
+
+die() {
+    code="$1"
+    msg="$2"
+    echo "    (ERROR): $msg" >&2
+    exit $1
+}
+
+find_binary() {
+    bin_name="$1"
+    resolved=$(command -v ${bin_name})
+    [ -z "$resolved" ] && die 1 "Unable to find ${bin_name}"
+    echo "$resolved"
+}
+
+
+copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
+copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
+copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
+copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
+copy_exec @libexecdir@/clevis-zfs-common || die 1 "@libexecdir@/clevis-zfs-common not found"
+copy_exec @bindir@/clevis-zfs-unlock || die 1 "@bindir@/clevis-zfs-unlock not found"
+if [ -x @bindir@/clevis-decrypt-tpm2 ]; then
+    copy_exec @bindir@/clevis-decrypt-tpm2 || die 1 "@bindir@/clevis-decrypt-tpm2 not found"
+    tpm2_creatprimary_bin=$(find_binary "tpm2_createprimary")
+    tpm2_unseal_bin=$(find_binary "tpm2_unseal")
+    tpm2_load_bin=$(find_binary "tpm2_load")
+    tpm2_flushcontext=$(find_binary "tpm2_flushcontext")
+    copy_exec "${tpm2_creatprimary_bin}" || die 1 "Unable to copy ${tpm2_creatprimary_bin}" 
+    copy_exec "${tpm2_unseal_bin}" || die 1 "Unable to copy ${tpm2_unseal_bin}"
+    copy_exec "${tpm2_load_bin}" || die 1 "Unable to copy ${tpm2_load_bin}"
+    copy_exec "${tpm2_flushcontext}" || die 1 "Unable to copy ${tpm2_flushcontext}"
+    for _LIBRARY in @libdir@/libtss2-tcti-device.so*; do
+        if [ -e "${_LIBRARY}" ]; then
+            copy_exec "${_LIBRARY}" || die 2 "Unable to copy ${_LIBRARY}"
+        fi
+    done
+    manual_add_modules tpm_crb
+    manual_add_modules tpm_tis
+fi
+
+
+jose_bin=$(find_binary "jose")
+copy_exec "${jose_bin}" || die 2 "Unable to copy ${jose_bin}"
+
+
+copy_exec @bindir@/clevis || die 1 "@bindir@/clevis not found"
+curl_bin=$(find_binary "curl")
+awk_bin=$(find_binary "awk")
+bash_bin=$(find_binary "bash")
+copy_exec "${curl_bin}" || die 2 "Unable to copy ${curl_bin} to initrd image"
+copy_exec "${awk_bin}" || die 2 "Unable to copy ${awk_bin} to initrd image"
+copy_exec "${bash_bin}" || die 2 "Unable to copy ${bash_bin} to initrd image"
+
+# Copy latest versions of shared objects needed for DNS resolution
+for so in $(ldconfig -p | sed -nr 's/^\s*libnss_files\.so\.[0-9]+\s.*=>\s*//p'); do
+  copy_exec "${so}"
+done
+for so in $(ldconfig -p | sed -nr 's/^\s*libnss_dns\.so\.[0-9]+\s.*=>\s*//p'); do
+  copy_exec "${so}"
+done

src/initramfs-tools/hooks/meson.build

@@ -1,6 +1,12 @@
 configure_file(
   input: 'clevis.in',
-  output: 'clevis',
+  output: 'clevis-luks',
+  install_dir: initramfs_hooks_dir,
+  configuration: initramfs_data,
+)
+configure_file(
+  input: 'clevis-zfs.in',
+  output: 'clevis-zfs',
   install_dir: initramfs_hooks_dir,
   configuration: initramfs_data,
 )

src/initramfs-tools/meson.build

@@ -4,6 +4,7 @@ if initramfs_tools.found()
   initramfstools_dir = '/usr/share/initramfs-tools'
   initramfs_hooks_dir =  '/usr/share/initramfs-tools/hooks'
   initramfs_scripts_dir = '/usr/share/initramfs-tools/scripts'
+  zfs_initramfs_load_key_scripts_dir = '/etc/zfs/initramfs-tools-load-key.d'
   initramfs_data = configuration_data()
   initramfs_data.merge_from(data)
   initramfs_data.set('initramfstoolsdir', initramfstools_dir)

src/initramfs-tools/scripts/meson.build

@@ -1,2 +1,3 @@
 subdir('local-top')
 subdir('local-bottom')
+subdir('zfs-load-key')

src/initramfs-tools/scripts/zfs-load-key/clevis-zfs.in

@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# Copyright (c) 2024 Joel Low
+#
+# Author: Joel Low <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+set -eu
+
+clevis zfs unlock -d "${ENCRYPTIONROOT}"

src/initramfs-tools/scripts/zfs-load-key/meson.build

@@ -0,0 +1,6 @@
+configure_file(
+  input: 'clevis-zfs.in',
+  output: 'clevis-zfs',
+  install_dir: zfs_initramfs_load_key_scripts_dir,
+  configuration: initramfs_data,
+)

src/meson.build

@@ -2,6 +2,7 @@ subdir('bash')
 subdir('luks')
 subdir('pins')
 subdir('initramfs-tools')
+subdir('zfs')
 
 bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')
 mans += join_paths(meson.current_source_dir(), 'clevis-decrypt.1')

src/zfs/clevis-zfs-bind

@@ -0,0 +1,111 @@
+#!/bin/bash
+set -euo pipefail
+
+SUMMARY="Binds a ZFS dataset using the specified policy"
+
+function usage() {
+	cat >&2 <<-USAGE_END
+		Usage: clevis zfs bind [-f] [-k KEY] -d DATASET PIN CFG
+
+		$SUMMARY:
+
+		  -f          Do not prompt when overwriting configuration
+		  -d DATASET  The ZFS dataset on which to perform binding
+		  -l LABEL    The label to use for this binding. Valid characters: letters, numbers and underscores
+
+		  -k KEY      Non-interactively read ZFS password from KEY file
+		  -k -        Non-interactively read ZFS password from standard input
+
+	USAGE_END
+}
+
+function findexe() {
+	[ $# -eq 1 ] || return 1
+	while read -r -d: path; do
+		[ -f "$path/$1" ] && [ -x "$path/$1" ] && echo "$path/$1" && return 0
+	done <<< "$PATH:"
+	return 1
+}
+
+function bind_zfs_dataset() {
+	local dataset="${1}"
+	local label="${2}"
+	local pin="${3}"
+	local cfg="${4}"
+	local key="${5}"
+	local overwrite="${6:-}"
+
+	local existing_key clevis_data
+
+	if [[ -z "${overwrite}" ]] && zfs_is_bound "${dataset}" "${label}"; then
+		error "given label ${label} in dataset ${dataset} already has a Clevis binding, not overwriting."
+	fi
+
+	existing_key="$(read_passphrase "${dataset}" "${key}")"
+
+	if ! zfs_test_key "${dataset}" <<<"${existing_key}"; then
+		error "given key does not unlock ${dataset}"
+	fi
+
+	echo >&2 -n 'creating new Clevis data... '
+	clevis_data="$(clevis encrypt "${pin}" "${cfg}" <<<"${existing_key}")"
+	echo >&2 'ok'
+
+	[[ -n "${overwrite}" ]] && zfs_unbind_clevis_label "${dataset}" "${label}" && echo >&2 'unbound old clevis data'
+
+	zfs_bind_clevis_label "${dataset}" "${label}" "${clevis_data}"
+}
+
+function main() {
+	if [ $# -eq 1 ] && [ "${1:-}" == "--summary" ]; then
+		echo "$SUMMARY"
+		exit 0
+	fi
+
+	local dataset
+	local pin
+	local cfg
+	local label
+	local key=''
+	local overwrite=''
+	while getopts ":hfd:l:k:" o; do
+		case "$o" in
+		h) usage; exit 0;;
+		f) overwrite='yes';;
+		d) dataset="$OPTARG";;
+		l) label="$OPTARG";;
+		k) key="$OPTARG";;
+		*) error "unrecognized argument: -${OPTARG}";;
+		esac
+	done
+
+	if [ -z "${dataset:-""}" ]; then
+		error "did not specify a dataset!"
+	fi
+
+	check_valid_dataset "${dataset}"
+
+	if [ -z "${label:-}" ]; then
+		error "did not specify a label!"
+	fi
+
+	pin="${*:$((OPTIND++)):1}"
+	if [ -z "$pin" ]; then
+		error "did not specify a pin!"
+	elif ! eval "findexe clevis-encrypt-${pin}" &>/dev/null; then
+		error "'$pin' is not a valid pin!"
+	fi
+
+	cfg="${*:$((OPTIND++)):1}"
+	if [ -z "$cfg" ]; then
+		error "did not specify a pin config!"
+	fi
+
+	bind_zfs_dataset "${dataset}" "${label}" "${pin}" "${cfg}" "${key}" "${overwrite}"
+	echo >&2 "label ${label} on dataset ${dataset} is succesfully bound"
+}
+
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+	. @libexecdir@/clevis-zfs-common
+	main "${@}"
+fi