third-party-mirrors/tzpfms
1
0
Fork 0
mirror of https://git.sr.ht/~nabijaczleweli/tzpfms synced 2025-04-13 09:37:13 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Take a stance on some TODOs

Browse Source
This commit is contained in:
наб 2020-12-08 17:48:33 +01:00
parent af3e91c77d
commit 7841412225
No known key found for this signature in database
GPG Key ID: BCFD0B018D2658F1
5 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -18,8 +18,8 @@ Essentially BitLocker, but for ZFS
a random raw key is generated and sealed to the TPM (both 2 and 1.x supported) with an additional optional password in front of it,
tying the dataset to the platform and an additional optional secret (or to the posession of the back-up).
Both dracut (with/without Plymouth) (with/without hostonly) and initramfs-tools (with/without Plymouth) are supported for
[ZFS-on-root](https://nabijaczleweli.xyz/content/blogn_t/005-low-curse-zfs-on-root.html) set-ups.
Both dracut (with/without Plymouth) (with/without hostonly) (only on systemd systems, I don't have a test-bed for the non-systemd path)
and initramfs-tools (with/without Plymouth) are supported for [ZFS-on-root](https://nabijaczleweli.xyz/content/blogn_t/005-low-curse-zfs-on-root.html) set-ups.
### Building

2
initrd/dracut/tzpfms-load-key.sh
View File

@ -5,7 +5,7 @@
#include "../mount.h"
# Only run on systemd systems, mimicking zfs-dracut's zfs-load-key.sh, TODO: "see mount-zfs.sh for non-systemd systems"
# Only run on systemd systems, mimicking zfs-dracut's zfs-load-key.sh; TODO: "see mount-zfs.sh for non-systemd systems", confer README
[ -d /run/systemd ] || exit 0

3
man/zfs-tpm1x-change-key.md.pp
View File

@ -33,7 +33,8 @@ the first one represents the RSA key protecting the blob,
and it is protected with either the password, if provided, or the SHA1 constant *CE4CF677875B5EB8993591D5A9AF1ED24A3A8736*;
the second represents the sealed object containing the wrapping key,
and is protected with the SHA1 constant *B9EE715DBE4B243FAA81EA04306E063710383E35*.
There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe)
There exists no other user-land tool for decrypting this; perhaps there should be.
#comment (TODO: make an LD_PRELOADable for extracting the key maybe)
Finally, the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset** is performed with the new key.
If an error occurred, best effort is made to clean up the properties,

2
pp.awk
View File

@ -27,6 +27,8 @@ function input() {
while((getline < incfile) == 1)
input()
incfile = ""
} else if(NF >= 1 && $1 == "#comment") {
// just dont
} else if(NF >= 2 && $1 == "#define") {
split($2, nameargs, "(")
macroname = nameargs[1]

3
src/main.hpp
View File

@ -76,8 +76,7 @@ int do_main(int argc, char ** argv, const char * getoptions, const char * usage,
fprintf(stderr, "Dataset %s not encrypted?\n", zfs_get_name(dataset));
return __LINE__;
} else if(!dataset_is_root) {
printf("Using dataset %s's encryption root %s instead.\n", zfs_get_name(dataset), encryption_root);
// TODO: disallow maybe? or require force option?
fprintf(stderr, "Using dataset %s's encryption root %s instead.\n", zfs_get_name(dataset), encryption_root);
zfs_close(dataset);
dataset = TRY_PTR(nullptr, zfs_open(libz, encryption_root, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME));
}