Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ZFS: Ask for stage 2 encryption passwords using systemd-ask-password #91344

Merged
merged 4 commits into from
Jul 2, 2020
Merged

ZFS: Ask for stage 2 encryption passwords using systemd-ask-password #91344

merged 4 commits into from
Jul 2, 2020

Conversation

ElvishJerricco
Copy link
Contributor

@ElvishJerricco ElvishJerricco commented Jun 23, 2020
edited
Loading

Motivation for this change

Currently, ZFS pools that do not contain the system root file system can only have encrypted datasets that use key files. They cannot use keylocation=prompt. This PR fixes this by prompting for passphrases using systemd-ask-password.

This PR also ensures Plymouth users can take advantage of this by enabling systemd-ask-password-plymouth.service. I did have to steal one line from #84158, specifically mkdir /run/plymouth. This will have the added benefit of allowing other services to use systemd-ask-password during boot without breaking for plymouth users. Note that you need to set virtualisation.useBootLoader = true in order to test plymouth with nixos-rebuild build-vm.

Relevant: #84158, #88789

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ElvishJerricco ElvishJerricco changed the title ZFS: Ask for stage 2 encryption passwords using systemd-ask-password WIP: ZFS: Ask for stage 2 encryption passwords using systemd-ask-password Jun 23, 2020
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Jun 23, 2020
@ElvishJerricco ElvishJerricco changed the title WIP: ZFS: Ask for stage 2 encryption passwords using systemd-ask-password ZFS: Ask for stage 2 encryption passwords using systemd-ask-password Jun 23, 2020
@ElvishJerricco
Copy link
Contributor Author

Having a bit of trouble testing this with legacy mountpoints. It asks for the passphrase during boot just fine, but I'm testing with (import ./nixos { ... }).vm, which wipes out fileSystems declarations. But keystatus says available, so I can't imagine it wouldn't work.

grahamc
grahamc reviewed Jul 2, 2020
View reviewed changes
nixos/modules/system/boot/plymouth.nix Outdated
@@ -146,6 +148,7 @@ in
# We use `mkAfter` to ensure that LUKS password prompt would be shown earlier than the splash screen.
boot.initrd.preLVMCommands = mkAfter ''
mkdir -p /etc/plymouth
mkdir /run/plymouth
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any concern around this existing / should we make it -p just in case?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's definitely no harm in -p but it's definitely not necessary. /run is created extremely early in stage 1.

ElvishJerricco and others added 3 commits July 2, 2020 13:50
@ElvishJerricco
plymouth: Enable systemd-ask-password-plymouth
c128229
@ElvishJerricco
ZFS: Pipe /dev/null into the stage 2 load-key script
05f8cba 
Just in case something reads stdin, so that `while read ds kl` doesn't
miss anything
@ElvishJerricco @grahamc
ZFS: Set IFS=$'\t' for the read command in stage 2 load-key
e2f1594 
Co-authored-by: Graham Christensen <graham@grahamc.com>
@ElvishJerricco ElvishJerricco force-pushed the zfs-encryption-systemd-ask-password branch from 4828e65 to e2f1594 Compare July 2, 2020 17:51
@grahamc grahamc merged commit 105e634 into NixOS:master Jul 2, 2020
@ElvishJerricco ElvishJerricco mentioned this pull request Jul 2, 2020
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grahamc grahamc grahamc approved these changes

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ElvishJerricco @grahamc