Take a stance on some TODOs

наб 2020-12-08 17:48:33 +01:00
parent af3e91c77d
commit 7841412225
No known key found for this signature in database
GPG Key ID: BCFD0B018D2658F1
5 changed files with 8 additions and 6 deletions


@ -18,8 +18,8 @@ Essentially BitLocker, but for ZFS
a random raw key is generated and sealed to the TPM (both 2 and 1.x supported) with an additional optional password in front of it, a random raw key is generated and sealed to the TPM (both 2 and 1.x supported) with an additional optional password in front of it,
tying the dataset to the platform and an additional optional secret (or to the posession of the back-up). tying the dataset to the platform and an additional optional secret (or to the posession of the back-up).
Both dracut (with/without Plymouth) (with/without hostonly) and initramfs-tools (with/without Plymouth) are supported for Both dracut (with/without Plymouth) (with/without hostonly) (only on systemd systems, I don't have a test-bed for the non-systemd path)
[ZFS-on-root](https://nabijaczleweli.xyz/content/blogn_t/005-low-curse-zfs-on-root.html) set-ups. and initramfs-tools (with/without Plymouth) are supported for [ZFS-on-root](https://nabijaczleweli.xyz/content/blogn_t/005-low-curse-zfs-on-root.html) set-ups.
### Building ### Building
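Review bot: The added parenthetical "(only on systemd systems, I don't have a test-bed for the non-systemd path)" follows two other parentheticals after "dracut", so it is not obvious that it qualifies dracut alone and not initramfs-tools as well. Consider moving the limitation into its own sentence, for example "dracut support currently requires systemd; the non-systemd path is untested." The unchanged line above spells "posession", which could be corrected to "possession" while this paragraph is being touched.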


@ -5,7 +5,7 @@
#include "../mount.h" #include "../mount.h"
# Only run on systemd systems, mimicking zfs-dracut's zfs-load-key.sh, TODO: "see mount-zfs.sh for non-systemd systems" # Only run on systemd systems, mimicking zfs-dracut's zfs-load-key.sh; TODO: "see mount-zfs.sh for non-systemd systems", confer README
[ -d /run/systemd ] || exit 0 [ -d /run/systemd ] || exit 0
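Review bot: The reworded comment now points at the README, but `[ -d /run/systemd ] || exit 0` still exits silently with success, so on a non-systemd dracut system the hook does nothing and leaves no trace of why. Consider writing a one-line notice to stderr before exiting, and naming the README section in the comment so that "confer README" can actually be followed.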


@ -33,7 +33,8 @@ the first one represents the RSA key protecting the blob,
and it is protected with either the password, if provided, or the SHA1 constant *CE4CF677875B5EB8993591D5A9AF1ED24A3A8736*; and it is protected with either the password, if provided, or the SHA1 constant *CE4CF677875B5EB8993591D5A9AF1ED24A3A8736*;
the second represents the sealed object containing the wrapping key, the second represents the sealed object containing the wrapping key,
and is protected with the SHA1 constant *B9EE715DBE4B243FAA81EA04306E063710383E35*. and is protected with the SHA1 constant *B9EE715DBE4B243FAA81EA04306E063710383E35*.
There exists no other user-land tool for decrypting this. (TODO: make an LD_PRELOADable for extracting the key maybe) There exists no other user-land tool for decrypting this; perhaps there should be.
#comment (TODO: make an LD_PRELOADable for extracting the key maybe)
Finally, the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset** is performed with the new key. Finally, the equivalent of **zfs(8) change-key -o keylocation=prompt -o keyformat=raw dataset** is performed with the new key.
If an error occurred, best effort is made to clean up the properties, If an error occurred, best effort is made to clean up the properties,
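Review bot: The new `#comment (TODO: make an LD_PRELOADable for extracting the key maybe)` line is kept out of the rendered manual only by the `#comment` branch added to pp.awk in this same commit, and nothing here says so. If this source is ever processed without that branch, the TODO ends up in user-facing text. Consider documenting the `#comment` directive next to the other preprocessor directives, and checking the generated page for a leaked "#comment" line as part of the build.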

2
pp.awk

@ -27,6 +27,8 @@ function input() {
while((getline < incfile) == 1) while((getline < incfile) == 1)
input() input()
incfile = "" incfile = ""
} else if(NF >= 1 && $1 == "#comment") {
// just dont
} else if(NF >= 2 && $1 == "#define") { } else if(NF >= 2 && $1 == "#define") {
split($2, nameargs, "(") split($2, nameargs, "(")
macroname = nameargs[1] macroname = nameargs[1]
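Review bot: In the new `#comment` branch, `// just dont` is not a comment: awk only recognises `#` as a comment marker, so this line is parsed as an expression (an empty regular expression followed by two unset variables) that happens to have no visible effect. That relies on the awk implementation accepting an empty regex, so it may not be portable. Suggest replacing it with a real comment such as `# drop the line` so the branch body is explicitly empty.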


@ -76,8 +76,7 @@ int do_main(int argc, char ** argv, const char * getoptions, const char * usage,
fprintf(stderr, "Dataset %s not encrypted?\n", zfs_get_name(dataset)); fprintf(stderr, "Dataset %s not encrypted?\n", zfs_get_name(dataset));
return __LINE__; return __LINE__;
} else if(!dataset_is_root) { } else if(!dataset_is_root) {
printf("Using dataset %s's encryption root %s instead.\n", zfs_get_name(dataset), encryption_root); fprintf(stderr, "Using dataset %s's encryption root %s instead.\n", zfs_get_name(dataset), encryption_root);
// TODO: disallow maybe? or require force option?
zfs_close(dataset); zfs_close(dataset);
dataset = TRY_PTR(nullptr, zfs_open(libz, encryption_root, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME)); dataset = TRY_PTR(nullptr, zfs_open(libz, encryption_root, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME));
} }
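Review bot: Removing `// TODO: disallow maybe? or require force option?` settles the question as "allow and notify", but nothing in the hunk records that decision: in the `!dataset_is_root` branch the tool still switches to `encryption_root` and carries on, now with only a notice on stderr. Consider a short comment stating that operating on the encryption root is intentional, and a sentence in the manual saying that naming a non-root dataset acts on its encryption root, since the user asked for a different dataset than the one that ends up being changed.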