Add zfs-mount-generator integration

Funny moment: https://twitter.com/nabijaczleweli/status/1472986504272261124
2025-04-07 09:20:00 +03:00 · 2021-12-20 19:23:43 +01:00 · 2021-12-20 19:23:43 +01:00 · af6928d525
commit af6928d525
parent ce3560b797
7 changed files with 63 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -18,3 +18,5 @@
 !contrib/**
 !initrd
 !initrd/**
 !init.d
 !init.d/**
--- a/15
+++ b/15
@ -43,14 +43,14 @@ else
 DEF_TPH_MAN ?= .
 endif
-.PHONY : all clean build shellcheck i-t dracut manpages htmlpages
+.PHONY : all clean build shellcheck i-t dracut init.d-systemd manpages htmlpages
 .SECONDARY:
-all : build manpages htmlpages shellcheck i-t dracut
+all : build manpages htmlpages shellcheck i-t init.d-systemd dracut
 shellcheck : i-t dracut
-	find $(OUTDIR)initramfs-tools/ $(OUTDIR)dracut -name '*.sh' -exec echo $(SHELLCHECK) --exclude SC1091 {} + | sh -x
+	find $(OUTDIR)initramfs-tools/ $(OUTDIR)dracut/ init.d/ -name '*.sh' -exec echo $(SHELLCHECK) --exclude SC1091,SC2093 {} + | sh -x
 clean :
 	rm -rf $(OUTDIR)
@ -60,6 +60,7 @@ manpages : $(patsubst $(MANDIR)%.pp,$(OUTDIR)man/%,$(MANPAGE_SOURCES))
 htmlpages : $(patsubst $(MANDIR)%.pp,$(OUTDIR)man/%.html,$(MANPAGE_SOURCES)) $(OUTDIR)man/style.css
 i-t : $(OUTDIR)initramfs-tools/usr/share/initramfs-tools/hooks/tzpfms $(OUTDIR)initramfs-tools/usr/share/tzpfms/initramfs-tools-zfs-patch.sh
 dracut : $(patsubst $(INITRDDIR)dracut/%,$(OUTDIR)dracut/usr/lib/dracut/modules.d/91tzpfms/%,$(sort $(wildcard $(INITRDDIR)dracut/*.sh)))
 init.d-systemd : $(OUTDIR)systemd/$(SYSTEMD_SYSTEM_UNITDIR)/zfs-load-key@.service.d/tzpfms.conf $(OUTDIR)systemd/usr/libexec/tzpfms-zfs-load-key@
 $(OUTDIR)initramfs-tools/usr/share/initramfs-tools/hooks/tzpfms: $(INITRDDIR)initramfs-tools/hook $(INITRD_HEADERS)
@ -72,6 +73,14 @@ $(OUTDIR)initramfs-tools/usr/share/tzpfms/initramfs-tools-zfs-patch.sh: $(INITRD
 	$(AWK) -f pp.awk $< > $@
 	chmod --reference $< $@
 $(OUTDIR)systemd/$(SYSTEMD_SYSTEM_UNITDIR)/zfs-load-key@.service.d/tzpfms.conf : init.d/systemd/zfs-load-key@.service.d-tzpfms.conf
 	@mkdir -p $(dir $@)
 	ln -f $< $@ || cp $< $@
 $(OUTDIR)systemd/usr/libexec/tzpfms-zfs-load-key@ : init.d/systemd/libexec-tzpfms-zfs-load-key@.sh
 	@mkdir -p $(dir $@)
 	ln -f $< $@ || cp $< $@
 # The d-v-o-s string starts at "BSD" (hence the "BSD General Commands Manual" default); we're not BSD, so hide it
 # Can't put it at the very top, since man(1) only loads mdoc *after* the first mdoc macro (.Dd in our case)
 $(OUTDIR)man/% : $(MANDIR)%.pp $(MANPAGE_HEADERS)
--- a/README.md
+++ b/README.md
@ -45,6 +45,9 @@ For initrd support, copy the content of either `out/dracut/` or `out/initramfs-t
 these need `zfs-tpm-list` but will work with any combination of back-end `*-load-key` binaries
 (local TPM1.X initrds need to be updated when the system state changes (e.g. the TPM is taken ownership of)).
 To integrate with [zfs-mount-generator(8)](//manpages.debian.org/bookworm/zfsutils-linux/zfs-mount-generator.8.html)
 [copy](//twitter.com/nabijaczleweli/status/1472986504272261124) `out/systemd/` over `/`.
 #### From Debian repository
 The following line in `/etc/apt/sources.list` or equivalent:
@ -55,7 +58,7 @@ deb https://debian.nabijaczleweli.xyz sid main
 With [my PGP key](//nabijaczleweli.xyz/pgp.txt) (the two URLs are interchangeable):
 ```sh
 sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://debian.nabijaczleweli.xyz/nabijaczleweli.gpg.key
-sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://keybase.io/nabijaczleweli/pgp_keys.asc
+sudo wget -O/etc/apt/trusted.gpg.d/nabijaczleweli.asc https://nabijaczleweli.xyz/pgp.txt
 ```
 Then the usual
--- a/2
+++ b/2
@ -48,6 +48,8 @@ endif
 TZPFMS_VERSION := "$(patsubst v%,%,$(shell git describe))"
 TZPFMS_DATE := $(shell date -d@$$(git log --no-show-signature -1 --pretty=%at) '+%B %e, %Y')
 SYSTEMD_SYSTEM_UNITDIR := $(shell ssud="$$(pkg-config --variable=systemd_system_unit_dir systemd 2>/dev/null)"; echo "$${ssud:-/usr/lib/systemd/system}")
 INCCMAKEAR := CXXFLAGS="$(INCCXXAR)"
 LNCMAKEAR := LDFLAGS="$(LNCXXAR)"
--- a/init.d/systemd/libexec-tzpfms-zfs-load-key@.sh
+++ b/init.d/systemd/libexec-tzpfms-zfs-load-key@.sh
@ -0,0 +1,34 @@
 #!/bin/sh
 # SPDX-License-Identifier: MIT
 DSET="$1"
 exec 2>>/dev/kmsg
 zfs-tpm-list -H "$DSET" | while read -r _ backend keystatus coherent; do
 	[ "$keystatus" = 'available' ] && exit
 	[ "$coherent" = 'yes' ] || {
 		printf "%s\n" "${0##*/}[$$]: $DSET: incoherent tzpfms back-end $backend." "You might need to restore from back-up!" >&2
 		exit 1
 	}
 	case "$backend" in
 		TPM1.X) unlock='zfs-tpm1x-load-key'; deps='trousers.service' ;;
 		TPM2)   unlock='zfs-tpm2-load-key';  deps=                   ;;
 		*)      unlock=;                     deps=                   ;;
 	esac
 	command -v "$unlock" >/dev/null || {
 		printf "%s\n" "${0##*/}[$$]: $DSET: unknown tzpfms back-end $backend." >&2
 		exit # fall through, maybe there's another handler
 	}
 	# shellcheck disable=2086
 	[ -n "$deps" ] && systemctl start $deps
 	# shellcheck disable=2016
 	[ -z "$TZPFMS_PASSPHRASE_HELPER" ] && export TZPFMS_PASSPHRASE_HELPER='exec systemd-ask-password --id="tzpfms:$2" "$1:"'
 	exec "$unlock" "$DSET"
 done
 # Dataset doesn't exist, fall through
--- a/init.d/systemd/zfs-load-key@.service.d-tzpfms.conf
+++ b/init.d/systemd/zfs-load-key@.service.d-tzpfms.conf
@ -0,0 +1,4 @@
 # SPDX-License-Identifier: MIT
 [Service]
 ExecStartPre=/usr/libexec/tzpfms-zfs-load-key@ %I
--- a/tzpfms.sublime-project
+++ b/tzpfms.sublime-project
@ -35,6 +35,11 @@
 			"name": "Initrd plug-ins",
 			"path": "initrd"
 		},
 		{
 			"follow_symlinks": true,
 			"name": "Init system plug-ins",
 			"path": "init.d"
 		},
 		{
 			"follow_symlinks": true,
 			"name": "Manpages",