Page MenuHomeFreeBSD
Differential D34601

zfskeys: Support autoloading of keys stored on ZFS
ClosedPublic
Actions

Authored by 0mp on Mar 18 2022, 12:51 PM.
Tags
Referenced Files
Unknown Object (File)
Sat, Nov 16, 8:54 PM
Unknown Object (File)
Thu, Nov 7, 10:15 AM
Unknown Object (File)
Sun, Oct 20, 10:56 PM
Unknown Object (File)
Oct 17 2024, 6:17 PM
Unknown Object (File)
Oct 17 2024, 4:41 PM
Unknown Object (File)
Oct 16 2024, 10:28 AM
Unknown Object (File)
Oct 16 2024, 5:02 AM
Unknown Object (File)
Oct 15 2024, 10:16 PM
View All Files
Subscribers
imp

Details

Reviewers
allanjude
ltning-freebsd_anduin.net
Group Reviewers
ZFS
Commits
rGf23b24655f7c: zfskeys: Support autoloading of keys stored on ZFS
rG2411090f6940: zfskeys: Support autoloading of keys stored on ZFS
rG97aeda224356: zfskeys: Support autoloading of keys stored on ZFS
Summary

The zfskeys service script starts before the zfs service script so that
dataset decryption keys are available when zfs mount -a is run. One of
the potential edge cases of this design is that if a key is stored on
ZFS it won't be loaded until zfs mount -a is issued.

In order to address that, let's try to load the keys and mount related
ZFS datasets after the zfs script finishes its standard mounting
procedure.

PR: 262468
Reported by: Graham Perrin <grahamperrin@gmail.com>
Fixes: 33ff39796ffe Add zfskeys rc.d script for auto-loading encryption keys
MFC after: 3 days
Sponsored by: Modirum
Sponsored by: Klara Inc.

Test Plan

Given this Makefile:

MP1=	${.CURDIR}/1
MP2=	${MP1}/2
KEY1=	${.CURDIR}/key1
KEY2=	${MP1}/key2

DS1=	zroot/zzztmp1
DS2=	zroot/zzztmp2

all:
	echo 12345678 > ${KEY1}
	zfs create -o encryption=on -o keyformat=passphrase -o keylocation=file://${KEY1} -o mountpoint=${MP1} ${DS1}

	echo 12345678 > ${KEY2}
	zfs create -o encryption=on -o keyformat=passphrase -o keylocation=file://${KEY2} -o mountpoint=${MP2} ${DS2}

	touch ${MP2}/hi

	find ${MP1}

Run:

make all
# Run zfskeys stop twice to make sure both MP1 and MP2 are unmounted:
/etc/rc.d/zfskeys stop
/etc/rc.d/zfskeys stop
# Simulate the rc boot sequence:
/etc/rc.d/zfskeys start
/etc/rc.d/zfs start

You should observe something along the lines of:

# /etc/rc.d/zfskeys start
Loading key for zroot/zzztmp1 from file:///usr/home/0mp/zfskeys/key1..
Key file /usr/home/0mp/zfskeys/1/key2 not found, empty or unreadable. Skipping zroot/zzztmp2..

# /etc/rc.d/zfs start
Key already loaded for zroot/zzztmp1.
Loading key for zroot/zzztmp2 from file:///usr/home/0mp/klara/zfskeys/1/key2..

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

0mp created this revision.Mar 18 2022, 12:51 PM
Herald added a subscriber: imp. · View Herald TranscriptMar 18 2022, 12:51 PM
0mp requested review of this revision.Mar 18 2022, 12:51 PM
Harbormaster completed remote builds in B44820: Diff 103988.Mar 18 2022, 12:51 PM
0mp added reviewers: allanjude, ZFS, ltning-freebsd_anduin.net.Mar 18 2022, 12:52 PM
0mp added a project: rc.
ltning-freebsd_anduin.net added inline comments.Mar 18 2022, 1:01 PM
libexec/rc/rc.d/zfs
50

Why do we check this? Would we even get here if it wasn't true?

0mp edited the test plan for this revision. (Show Details)Mar 18 2022, 1:04 PM
allanjude accepted this revision.Mar 18 2022, 1:05 PM

reviewed by: allanjude

This revision is now accepted and ready to land.Mar 18 2022, 1:05 PM
0mp added inline comments.Mar 18 2022, 1:05 PM
libexec/rc/rc.d/zfs
50

Yes, as this is the zfs service script, not zfskeys. So this if is going to be useful when zfs is enabled and zfskeys is not.

ltning-freebsd_anduin.net added inline comments.Mar 18 2022, 1:08 PM
libexec/rc/rc.d/zfs
50

Of course, badly phrased question. Also I just realised zfskeys would complain if it was invoked but not enabled. Excuse the noise, and thank you.

0mp marked an inline comment as done.Mar 18 2022, 1:33 PM
0mp added inline comments.
libexec/rc/rc.d/zfs
50

Ah, yes, I avoiding complains from zfskeys is another reason. :)

Closed by commit rG97aeda224356: zfskeys: Support autoloading of keys stored on ZFS (authored by 0mp). · Explain WhyMar 18 2022, 1:56 PM
This revision was automatically updated to reflect the committed changes.
0mp added a commit: rG97aeda224356: zfskeys: Support autoloading of keys stored on ZFS.
0mp added a commit: rG2411090f6940: zfskeys: Support autoloading of keys stored on ZFS.Mar 21 2022, 2:50 PM
gjb added a commit: rGf23b24655f7c: zfskeys: Support autoloading of keys stored on ZFS.Mar 23 2022, 8:28 PM

Revision Contents
Changeset List

PathSize
libexec/
rc/
rc.d/
12 lines

Diff 103993

View Options

libexec/rc/rc.d/zfs

Loading...