From 7841412225ec06cc8c6862f6c19c3bd480ecedec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?=
Date: Tue, 8 Dec 2020 17:48:33 +0100
Subject: [PATCH] Take a stance on some TODOs

---
 README.md | 4 ++--
 initrd/dracut/tzpfms-load-key.sh | 2 +-
 man/zfs-tpm1x-change-key.md.pp | 3 ++-
 pp.awk | 2 ++
 src/main.hpp | 3 +--
 5 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 8aa2c65..85251b4 100644
--- a/README.md
+++ b/README.md
@@ -18,8 +18,8 @@ Essentially BitLocker, but for ZFS – a random raw key is generated and sealed to the TPM (both 2 and 1.x supported) with an additional optional password in front of it, tying the dataset to the platform and an additional optional secret (or to the posession of the back-up).
-Both dracut (with/without Plymouth) (with/without hostonly) and initramfs-tools (with/without Plymouth) are supported for
-[ZFS-on-root](https://nabijaczleweli.xyz/content/blogn_t/005-low-curse-zfs-on-root.html) set-ups.
+Both dracut (with/without Plymouth) (with/without hostonly) (only on systemd systems, I don't have a test-bed for the non-systemd path)
+and initramfs-tools (with/without Plymouth) are supported for [ZFS-on-root](https://nabijaczleweli.xyz/content/blogn_t/005-low-curse-zfs-on-root.html) set-ups.
 ### Building
diff --git a/initrd/dracut/tzpfms-load-key.sh b/initrd/dracut/tzpfms-load-key.sh
index adb27ec..2be680a 100755
--- a/initrd/dracut/tzpfms-load-key.sh
+++ b/initrd/dracut/tzpfms-load-key.sh
@@ -5,7 +5,7 @@
 #include "../mount.h"
-# Only run on systemd systems, mimicking zfs-dracut's zfs-load-key.sh, TODO: "see mount-zfs.sh for non-systemd systems"
+# Only run on systemd systems, mimicking zfs-dracut's zfs-load-key.sh; TODO: "see mount-zfs.sh for non-systemd systems", confer README
 [ -d /run/systemd ] || exit 0
diff --git a/man/zfs-tpm1x-change-key.md.pp b/man/zfs-tpm1x-change-key.md.pp
index 78afce6..3c29b3f 100644
--- a/man/zfs-tpm1x-change-key.md.pp
+++ b/man/zfs-tpm1x-change-key.md.pp
@@ -33,7 +33,8 @@ the first one represents the RSA key protecting the blob, and it is protected with either the password, if provided, or the SHA1 constant *CE4CF677875B5EB8993591D5A9AF1ED24A3A8736*; the second represents the sealed object containing the wrapping key, and is protected with the SHA1 constant *B9EE715DBE4B243FAA81EA04306E063710383E35*.
-There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe)
+There exists no other user-land tool for decrypting this; perhaps there should be.
+#comment (TODO: make an LD_PRELOADable for extracting the key maybe)
 Finally, the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset** is performed with the new key. If an error occurred, best effort is made to clean up the properties,
diff --git a/pp.awk b/pp.awk
index 28435e5..b7d3dbe 100644
--- a/pp.awk
+++ b/pp.awk
@@ -27,6 +27,8 @@ function input() {
 while((getline < incfile) == 1) input()
 incfile = ""
+ } else if(NF >= 1 && $1 == "#comment") {
+ // just dont
 } else if(NF >= 2 && $1 == "#define") {
 split($2, nameargs, "(")
 macroname = nameargs[1]
diff --git a/src/main.hpp b/src/main.hpp
index 00aa070..a773515 100644
--- a/src/main.hpp
+++ b/src/main.hpp
@@ -76,8 +76,7 @@ int do_main(int argc, char ** argv, const char * getoptions, const char * usage,
 fprintf(stderr, "Dataset %s not encrypted?\n", zfs_get_name(dataset));
 return __LINE__;
 } else if(!dataset_is_root) {
- printf("Using dataset %s's encryption root %s instead.\n", zfs_get_name(dataset), encryption_root);
- // TODO: disallow maybe? or require force option?
+ fprintf(stderr, "Using dataset %s's encryption root %s instead.\n", zfs_get_name(dataset), encryption_root);
 zfs_close(dataset);
 dataset = TRY_PTR(nullptr, zfs_open(libz, encryption_root, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME));
 }
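Review bot: `// just dont` in the new `#comment` branch is not a comment in awk — `//` is an empty regular-expression constant, so the line parses as a concatenation expression of the match result with the (undefined) variables `just` and `dont`, and the intended no-op only works by accident; gawk emits a warning that such a `//` looks like a C++ comment but is not. Use the awk comment syntax instead, `# just dont`, or put the comment on the brace line and leave the branch body empty. Note that the awk source's `#` comments and the `#comment`/`#define` directives the script matches in `$1` are different things, so this does not interfere with the directive handling. The enclosing `input()` function starts and ends outside the hunk.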
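Review bot: Dropping `// TODO: disallow maybe? or require force option?` removes the only in-code record of why operating on the encryption root is permitted, so the decision the commit title announces is no longer visible next to the redirection. Keep a one-line comment in its place, e.g. `// Deliberate: proceed on the encryption root instead of refusing; the user is told on stderr.` Moving the notice to `fprintf(stderr, ...)` keeps stdout clean, but it is now the only signal that the operation targets a different dataset than the one named on the command line, which matters for a key-changing tool. `do_main` starts before and continues after this hunk, and `TRY_PTR` is defined elsewhere, so whether it returns on a failed `zfs_open` after `zfs_close(dataset)` (leaving no dangling handle in use) could not be confirmed here.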