diff --git a/.gitignore b/.gitignore
index 6403a6b..04f362c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@
 !contrib/**
 !initrd
 !initrd/**
+!init.d
+!init.d/**
diff --git a/Makefile b/Makefile
index 95d957b..34a8740 100644
--- a/Makefile
+++ b/Makefile
@@ -43,14 +43,14 @@ else
 DEF_TPH_MAN ?= .
 endif
-.PHONY : all clean build shellcheck i-t dracut manpages htmlpages
+.PHONY : all clean build shellcheck i-t dracut init.d-systemd manpages htmlpages
 .SECONDARY:
-all : build manpages htmlpages shellcheck i-t dracut
+all : build manpages htmlpages shellcheck i-t init.d-systemd dracut
 shellcheck : i-t dracut
- find $(OUTDIR)initramfs-tools/ $(OUTDIR)dracut -name '*.sh' -exec echo $(SHELLCHECK) --exclude SC1091 {} + | sh -x
+ find $(OUTDIR)initramfs-tools/ $(OUTDIR)dracut/ init.d/ -name '*.sh' -exec echo $(SHELLCHECK) --exclude SC1091,SC2093 {} + | sh -x
 clean :
 rm -rf $(OUTDIR)
@@ -60,6 +60,7 @@ manpages : $(patsubst $(MANDIR)%.pp,$(OUTDIR)man/%,$(MANPAGE_SOURCES))
 htmlpages : $(patsubst $(MANDIR)%.pp,$(OUTDIR)man/%.html,$(MANPAGE_SOURCES)) $(OUTDIR)man/style.css
 i-t : $(OUTDIR)initramfs-tools/usr/share/initramfs-tools/hooks/tzpfms $(OUTDIR)initramfs-tools/usr/share/tzpfms/initramfs-tools-zfs-patch.sh
 dracut : $(patsubst $(INITRDDIR)dracut/%,$(OUTDIR)dracut/usr/lib/dracut/modules.d/91tzpfms/%,$(sort $(wildcard $(INITRDDIR)dracut/*.sh)))
+init.d-systemd : $(OUTDIR)systemd/$(SYSTEMD_SYSTEM_UNITDIR)/zfs-load-key@.service.d/tzpfms.conf $(OUTDIR)systemd/usr/libexec/tzpfms-zfs-load-key@
 $(OUTDIR)initramfs-tools/usr/share/initramfs-tools/hooks/tzpfms: $(INITRDDIR)initramfs-tools/hook $(INITRD_HEADERS) 
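Review bot: `--exclude SC1091,SC2093` in the `shellcheck` recipe switches SC2093 (an `exec` followed by further commands) off for every script under `$(OUTDIR)initramfs-tools/`, `$(OUTDIR)dracut/` and `init.d/`, while the only place that appears to need it is the `exec "$unlock"` inside the `while` loop of the new `init.d/systemd/libexec-tzpfms-zfs-load-key@.sh`. That script already carries per-line `# shellcheck disable=` directives for 2086 and 2016, so a `# shellcheck disable=2093` above the `exec "$unlock" "$DSET"` line would keep the global list at `SC1091` and leave the check active for the initrd hooks. The recipe also lints `init.d/` from the source tree but the other two from the build tree; presumably because the installed helper loses its `.sh` suffix, and a one-line comment on the recipe saying so would spare the next reader the puzzle.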
@@ -72,6 +73,14 @@ $(OUTDIR)initramfs-tools/usr/share/tzpfms/initramfs-tools-zfs-patch.sh: $(INITRD
 $(AWK) -f pp.awk $< > $@
 chmod --reference $< $@
+$(OUTDIR)systemd/$(SYSTEMD_SYSTEM_UNITDIR)/zfs-load-key@.service.d/tzpfms.conf : init.d/systemd/zfs-load-key@.service.d-tzpfms.conf
+ @mkdir -p $(dir $@)
+ ln -f $< $@ || cp $< $@
+
+$(OUTDIR)systemd/usr/libexec/tzpfms-zfs-load-key@ : init.d/systemd/libexec-tzpfms-zfs-load-key@.sh
+ @mkdir -p $(dir $@)
+ ln -f $< $@ || cp $< $@
+
 # The d-v-o-s string starts at "BSD" (hence the "BSD General Commands Manual" default); we're not BSD, so hide it
 # Can't put it at the very top, since man(1) only loads mdoc *after* the first mdoc macro (.Dd in our case)
 $(OUTDIR)man/% : $(MANDIR)%.pp $(MANPAGE_HEADERS)
diff --git a/README.md b/README.md
index 72b1afb..e5c80c4 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,9 @@ For initrd support, copy the content of either `out/dracut/` or `out/initramfs-t
 these need `zfs-tpm-list` but will work with any combination of back-end `*-load-key` binaries (local TPM1.X initrds need to be updated when the system state changes (e.g. the TPM is taken ownership of)).
+To integrate with [zfs-mount-generator(8)](//manpages.debian.org/bookworm/zfsutils-linux/zfs-mount-generator.8.html)
+[copy](//twitter.com/nabijaczleweli/status/1472986504272261124) `out/systemd/` over `/`.
+
 #### From Debian repository
 The following line in `/etc/apt/sources.list` or equivalent:
@@ -55,7 +58,7 @@ deb https://debian.nabijaczleweli.xyz sid main
 With [my PGP key](//nabijaczleweli.xyz/pgp.txt) (the two URLs are interchangeable):
 ```sh
 sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://debian.nabijaczleweli.xyz/nabijaczleweli.gpg.key
-sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://keybase.io/nabijaczleweli/pgp_keys.asc
+sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://nabijaczleweli.xyz/pgp.txt
 ```
 Then the usual 
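Review bot: Both new rules install with `ln -f $< $@ || cp $< $@`, so in the common case `$(OUTDIR)systemd/…` is a hard link to the tracked source file rather than a copy; a `chmod` or edit through either name changes the other, which is a surprise for anyone treating `out/` as disposable build output. The `cp` fallback (presumably for an `$(OUTDIR)` on another filesystem) keeps the executable bit only modulo umask, yet the unit drop-in requires `tzpfms-zfs-load-key@` to be executable, so appending `chmod --reference $< $@` as the sibling `initramfs-tools` rules above do would make the mode explicit in both branches. The prerequisites also spell `init.d/systemd/` literally where the neighbouring rules go through `$(INITRDDIR)` and `$(MANDIR)`; a variable for the init.d source directory in configMakefile, e.g. `INITDDIR`, would keep them parallel.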
diff --git a/configMakefile b/configMakefile
index 5eedb9e..7782a6e 100644
--- a/configMakefile
+++ b/configMakefile
@@ -48,6 +48,8 @@ endif
 TZPFMS_VERSION := "$(patsubst v%,%,$(shell git describe))"
 TZPFMS_DATE := $(shell date -d@$$(git log --no-show-signature -1 --pretty=%at) '+%B %e, %Y')
+SYSTEMD_SYSTEM_UNITDIR := $(shell ssud="$$(pkg-config --variable=systemd_system_unit_dir systemd 2>/dev/null)"; echo "$${ssud:-/usr/lib/systemd/system}")
+
 INCCMAKEAR := CXXFLAGS="$(INCCXXAR)"
 LNCMAKEAR := LDFLAGS="$(LNCXXAR)"
diff --git a/init.d/systemd/libexec-tzpfms-zfs-load-key@.sh b/init.d/systemd/libexec-tzpfms-zfs-load-key@.sh
new file mode 100755
index 0000000..7701b2a
--- /dev/null
+++ b/init.d/systemd/libexec-tzpfms-zfs-load-key@.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+# SPDX-License-Identifier: MIT
+
+DSET="$1"
+exec 2>>/dev/kmsg
+
+zfs-tpm-list -H "$DSET" | while read -r _ backend keystatus coherent; do
+ [ "$keystatus" = 'available' ] && exit
+
+ [ "$coherent" = 'yes' ] || {
+ printf "%s\n" "${0##*/}[$$]: $DSET: incoherent tzpfms back-end $backend." "You might need to restore from back-up!" >&2
+ exit 1
+ }
+
+ case "$backend" in
+ TPM1.X) unlock='zfs-tpm1x-load-key'; deps='trousers.service' ;;
+ TPM2) unlock='zfs-tpm2-load-key'; deps= ;;
+ *) unlock=; deps= ;;
+ esac
+
+ command -v "$unlock" >/dev/null || {
+ printf "%s\n" "${0##*/}[$$]: $DSET: unknown tzpfms back-end $backend." >&2
+ exit # fall through, maybe there's another handler
+ }
+
+ # shellcheck disable=2086
+ [ -n "$deps" ] && systemctl start $deps
+
+ # shellcheck disable=2016
+ [ -z "$TZPFMS_PASSPHRASE_HELPER" ] && export TZPFMS_PASSPHRASE_HELPER='exec systemd-ask-password --id="tzpfms:$2" "$1:"'
+ exec "$unlock" "$DSET"
+done
+
+# Dataset doesn't exist, fall through
diff --git a/init.d/systemd/zfs-load-key@.service.d-tzpfms.conf b/init.d/systemd/zfs-load-key@.service.d-tzpfms.conf
new file mode 100644
index 0000000..3e4aca5
--- /dev/null
+++ b/init.d/systemd/zfs-load-key@.service.d-tzpfms.conf
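Review bot: The `SYSTEMD_SYSTEM_UNITDIR` assignment spawns a shell just to apply a default; Make's own `$(or …)` does the same with none of the `$$` quoting, e.g. `SYSTEMD_SYSTEM_UNITDIR := $(or $(shell pkg-config --variable=systemd_system_unit_dir systemd 2>/dev/null),/usr/lib/systemd/system)`. Either form is correct with `:=` (evaluated once at parse time), and falling back to `/usr/lib/systemd/system` when `pkg-config` or `systemd.pc` is missing is reasonable. The Makefile then joins the value as `$(OUTDIR)systemd/$(SYSTEMD_SYSTEM_UNITDIR)/…`, which produces a double slash because the value is absolute; that is harmless but deserves a short comment next to the definition.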
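Review bot: The statuses the loop body produces — `exit 1` for an incoherent back-end and whatever `exec "$unlock"` ends with — reach systemd only because the `while` runs in the pipeline's subshell and that pipeline is the last statement of the file; with dash as `/bin/sh`, any command added after `done` would quietly replace that status with its own and let `zfs-load-key@` proceed past an incoherent dataset. I would say so in the trailing comment, e.g. `# Dataset doesn't exist, fall through. NB: the loop body runs in a subshell; its exit/exec status is this script's only because nothing follows the pipeline`. Without `pipefail`, a failure of `zfs-tpm-list` itself (including it not being installed) also yields status 0 and the same fall-through; if that is intended it is worth a word here too. Separately, `systemctl start $deps` is a synchronous start issued from inside an `ExecStartPre=`, which could stall this instance until systemd's timeout if `trousers.service` ever ends up ordered after it — that depends on the units present on the host, so treat it as something to verify rather than a confirmed defect.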
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: MIT
+
+[Service]
+ExecStartPre=/usr/libexec/tzpfms-zfs-load-key@ %I
diff --git a/tzpfms.sublime-project b/tzpfms.sublime-project
index 8aa8932..7cc877f 100644
--- a/tzpfms.sublime-project
+++ b/tzpfms.sublime-project
@@ -35,6 +35,11 @@
 "name": "Initrd plug-ins",
 "path": "initrd"
 },
+ {
+ "follow_symlinks": true,
+ "name": "Init system plug-ins",
+ "path": "init.d"
+ },
 {
 "follow_symlinks": true,
 "name": "Manpages",
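Review bot: `ExecStartPre=/usr/libexec/tzpfms-zfs-load-key@ %I` hard-codes the helper's installed path, while the Makefile's `init.d-systemd` target places it at `$(OUTDIR)systemd/usr/libexec/tzpfms-zfs-load-key@` and only the unit directory is discovered through pkg-config, so the two must be kept in step by hand. A comment in the drop-in would make that coupling visible, e.g. `# Must match the libexec target of the top-level Makefile (init.d-systemd)`. Because the directive carries no `-` prefix, a non-zero exit from the helper fails the `zfs-load-key@` instance outright, which appears to be the intended outcome for the incoherent-back-end case and is worth stating alongside it.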