In initramfs, do not prompt if keylocation is "file" #9764
@sam-lunt your solution is in fact one of the best for preventing evil maid attacks and yes, ZFS should be able to handle this. Nice find! :)
Codecov Report
@@           Coverage Diff            @@
##           master    #9764    +/-   ##
========================================
- Coverage      80%      80%    -<1%
========================================
  Files         385      385
  Lines      121470   121470
========================================
- Hits        96756    96701     -55
- Misses      24714    24769     +55
f8ea830 to 13b249a
Thanks!
If I need to change the commit message, just let me know.
@sam-lunt
@Ornias1993 Not sure why, but I read the examples as "Signed-Off-by", so I was confused what the issue was with my message. Anyway, I took a second look and fixed the issue.
13b249a to ba92a8a
I'm marking this approved, as my comment changes fall into "nit" territory. I'd like to see them addressed, but this otherwise seems great to me.
If the encryption key is stored in a file, the initramfs should not prompt for the password. For example, this could be the case if the boot partition is stored on removable media that is only present at boot time

Signed-off-by: Sam Lunt <[email protected]>
ba92a8a to cb5b875
LGTM
@behlendorf Just a reminder:
Can you be more specific to which failures you believe are from this PR? I am not seeing anything related to encryption lock state.
@ghfields @Ornias1993 the failures here are unrelated. Sorry, we hit an unexpected snag when updating the CI environment. Once it's sorted out, I'll resubmit this PR for a new run.
@behlendorf I noticed, forgot to edit my comment, sorry.
If the encryption key is stored in a file, the initramfs should not prompt for the password. For example, this could be the case if the boot partition is stored on removable media that is only present at boot time

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Garrett Fields <[email protected]>
Reviewed-by: Richard Laager <[email protected]>
Reviewed-by: Kjeld Schouten <[email protected]>
Signed-off-by: Sam Lunt <[email protected]>
Closes openzfs#9764
If the encryption key is stored in a file, the initramfs should not
prompt for the password. This scenario is possible if the initramfs is
stored on removable media that is only inserted when booting.
Motivation and Context
I placed my /boot partition on a flash drive that is only inserted at boot time (I have a home server that normally does not have a monitor attached). The initramfs is built with the key file in the location specified by the keylocation property, so there is no need for the prompt at boot time.
Description
This is a small change to the initramfs-tools script that loads the zfs filesystem. I made the corresponding change to the dracut script as well.
How Has This Been Tested?
I edited the initramfs-tools script for my system, rebuilt the initramfs, and booted successfully. I don't have a system that builds the initramfs using dracut, so that change wasn't tested directly. It's the same logic as the initramfs, however.
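The decision this pull request describes (skip the passphrase prompt when keylocation points at a file), sketched as an added example; it is not the OpenZFS initramfs-tools or dracut script, and the function names are hypothetical. It also checks the key file's permission bits, an extra step the pull request does not mention.

```shell
#!/bin/sh
# Added illustration only; not the OpenZFS initramfs-tools or dracut code.
# All function names here are hypothetical.

# decide_key_action KEYSTATUS KEYLOCATION
# Prints: none | load-from-file | prompt | other
decide_key_action() {
    if [ "$1" = "available" ]; then
        echo none            # key already loaded, nothing to do
        return 0
    fi
    case "$2" in
        file:///*) echo load-from-file ;;  # key file shipped in the initramfs
        prompt)    echo prompt ;;          # passphrase typed at the console
        *)         echo other ;;           # anything this sketch does not handle
    esac
}

# key_file_ok PATH: regular file with no group/other permission bits.
key_file_ok() {
    [ -f "$1" ] || return 1
    kf_mode=$(stat -c '%a' "$1") || return 1
    case "$kf_mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# unlock_dataset ENCRYPTIONROOT: query the two properties, then act.
unlock_dataset() {
    ud_status=$(zfs get -H -o value keystatus "$1") || return 1
    ud_location=$(zfs get -H -o value keylocation "$1") || return 1
    case "$(decide_key_action "$ud_status" "$ud_location")" in
        none) return 0 ;;
        load-from-file)
            key_file_ok "${ud_location#file://}" ||
                echo "warning: key file is missing or group/world accessible" >&2
            zfs load-key "$1" ;;      # reads the file, no prompt
        prompt)
            zfs load-key "$1" ;;      # zfs asks for the passphrase on the terminal
        *)
            echo "unhandled keylocation: $ud_location" >&2
            return 1 ;;
    esac
}
```

With the key file built into the initramfs, whoever holds the boot media holds the key, so the removable drive has to be stored as carefully as a passphrase would be.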