

libzfs: add keylocation=https://, backed by fetch(3) or libcurl
Signed-off-by: Ahelenia Ziemiańska <[email protected]>
Ref: openzfs#9543
Closes openzfs#9947
nabijaczleweli committed May 12, 2021
1 parent 4704be2 commit f190ecd
Showing 31 changed files with 6,977 additions and 4,280 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/zfs-tests-functional.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
xfslibs-dev libattr1-dev libacl1-dev libudev-dev libdevmapper-dev \
libssl-dev libffi-dev libaio-dev libelf-dev libmount-dev \
libpam0g-dev pamtester python-dev python-setuptools python-cffi \
python3 python3-dev python3-setuptools python3-cffi
python3 python3-dev python3-setuptools python3-cffi libcurl4-openssl-dev
- name: Autogen.sh
run: |
sh autogen.sh
2 changes: 1 addition & 1 deletion .github/workflows/zfs-tests-sanity.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
xfslibs-dev libattr1-dev libacl1-dev libudev-dev libdevmapper-dev \
libssl-dev libffi-dev libaio-dev libelf-dev libmount-dev \
libpam0g-dev pamtester python-dev python-setuptools python-cffi \
python3 python3-dev python3-setuptools python3-cffi
python3 python3-dev python3-setuptools python3-cffi libcurl4-openssl-dev
- name: Autogen.sh
run: |
sh autogen.sh
4 changes: 3 additions & 1 deletion config/Substfiles.am
Expand Up @@ -15,7 +15,9 @@ subst_sed_cmd = \
-e 's|@PYTHON[@]|$(PYTHON)|g' \
-e 's|@PYTHON_SHEBANG[@]|$(PYTHON_SHEBANG)|g' \
-e 's|@DEFAULT_INIT_NFS_SERVER[@]|$(DEFAULT_INIT_NFS_SERVER)|g' \
-e 's|@DEFAULT_INIT_SHELL[@]|$(DEFAULT_INIT_SHELL)|g'
-e 's|@DEFAULT_INIT_SHELL[@]|$(DEFAULT_INIT_SHELL)|g' \
-e 's|@LIBFETCH_DYNAMIC[@]|$(LIBFETCH_DYNAMIC)|g' \
-e 's|@LIBFETCH_SONAME[@]|$(LIBFETCH_SONAME)|g'

SUBSTFILES =
CLEANFILES = $(SUBSTFILES)
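--- /dev/null
+++ b/config/user-libfetch.m4
@@ -0,0 +1,71 @@
+dnl #
+dnl # Check for a libfetch - either fetch(3) or libcurl.
+dnl #
+dnl # There are two configuration dimensions:
+dnl # * fetch(3) vs libcurl
+dnl # * static vs dynamic
+dnl #
+dnl # fetch(3) is only dynamic.
+dnl # We use sover 6, which first appeared in FreeBSD 8.0-RELEASE.
+dnl #
+dnl # libcurl development packages include curl-config(1) – we want:
+dnl # * HTTPS support
+dnl # * version at least 7.16 (October 2006), for sover 4
+dnl # * to decide if it's static or not
+dnl #
+AC_DEFUN([ZFS_AC_CONFIG_USER_LIBFETCH], [
+AC_MSG_CHECKING([for libfetch])
+LIBFETCH_LIBS=
+LIBFETCH_IS_FETCH=0
+LIBFETCH_IS_LIBCURL=0
+LIBFETCH_DYNAMIC=0
+LIBFETCH_SONAME=
+have_libfetch=
+saved_libs="$LIBS"
+LIBS="$LIBS -lfetch"
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/param.h>
+#include <stdio.h>
+#include <fetch.h>
+]], [fetchGetURL("", "");])], [
+have_libfetch=1
+LIBFETCH_IS_FETCH=1
+LIBFETCH_DYNAMIC=1
+LIBFETCH_SONAME='"libfetch.so.6"'
+LIBFETCH_LIBS="-ldl"
+AC_MSG_RESULT([fetch(3)])
+], [])
+LIBS="$saved_libs"
+if test -z "$have_libfetch"; then
+if curl-config --protocols 2>/dev/null | grep -q HTTPS &&
+test "$(printf "%u" "0x$(curl-config --vernum)")" -ge "$(printf "%u" "0x071000")"; then
+have_libfetch=1
+LIBFETCH_IS_LIBCURL=1
+if test "$(curl-config --built-shared)" = "yes"; then
+LIBFETCH_DYNAMIC=1
+LIBFETCH_SONAME='"libcurl.so.4"'
+LIBFETCH_LIBS="-ldl"
+AC_MSG_RESULT([libcurl])
+else
+LIBFETCH_LIBS="$(curl-config --libs)"
+AC_MSG_RESULT([libcurl (static)])
+fi
+CCFLAGS="$CCFLAGS $(curl-config --cflags)"
+fi
+fi
+if test -z "$have_libfetch"; then
+AC_MSG_RESULT([none])
+fi
+AC_SUBST([LIBFETCH_LIBS])
+AC_SUBST([LIBFETCH_DYNAMIC])
+AC_SUBST([LIBFETCH_SONAME])
+AC_DEFINE_UNQUOTED([LIBFETCH_IS_FETCH], [$LIBFETCH_IS_FETCH], [libfetch is fetch(3)])
+AC_DEFINE_UNQUOTED([LIBFETCH_IS_LIBCURL], [$LIBFETCH_IS_LIBCURL], [libfetch is libcurl])
+AC_DEFINE_UNQUOTED([LIBFETCH_DYNAMIC], [$LIBFETCH_DYNAMIC], [whether the chosen libfetch is to be loaded at run-time])
+AC_DEFINE_UNQUOTED([LIBFETCH_SONAME], [$LIBFETCH_SONAME], [soname of chosen libfetch])
+])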
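Review bot: `CCFLAGS="$CCFLAGS $(curl-config --cflags)"` in the libcurl branch appends to a variable that neither autoconf nor automake consumes — the compiler flag variables are `CFLAGS`/`CPPFLAGS` — so a libcurl that curl-config finds outside the default include path will still fail to compile against; unless something outside this file reads CCFLAGS, this should be `CPPFLAGS="$CPPFLAGS $(curl-config --cflags)"`. LIBFETCH_SONAME deliberately carries its surrounding double quotes because it serves both as the AC_DEFINE value (a C string literal) and as the @LIBFETCH_SONAME@ substitution that the dracut and initramfs hooks splice into shell, which deserves a comment such as `dnl # Quoted on purpose: used verbatim as a C string literal and substituted into shell scripts.` In both dynamic cases only `-ldl` is linked and the library named by the soname is resolved by the runtime loader, so the HTTPS and version checks made here against curl-config say nothing about the libcurl.so.4 that will actually be loaded at run time; a note to that effect in the header comment would help packagers.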
1 change: 1 addition & 0 deletions config/user.m4
Expand Up @@ -22,6 +22,7 @@ AC_DEFUN([ZFS_AC_CONFIG_USER], [
ZFS_AC_CONFIG_USER_LIBCRYPTO
ZFS_AC_CONFIG_USER_LIBAIO
ZFS_AC_CONFIG_USER_LIBATOMIC
ZFS_AC_CONFIG_USER_LIBFETCH
ZFS_AC_CONFIG_USER_CLOCK_GETTIME
ZFS_AC_CONFIG_USER_PAM
ZFS_AC_CONFIG_USER_RUNSTATEDIR
5 changes: 5 additions & 0 deletions contrib/dracut/90zfs/module-setup.sh.in
Expand Up @@ -56,6 +56,11 @@ install() {
# Fallback: Guess the path and include all matches
dracut_install /usr/lib/gcc/*/*/libgcc_s.so*
fi
if [ @LIBFETCH_DYNAMIC@ != 0 ]; then
for d in $libdirs; do
[ -e "$d"/@LIBFETCH_SONAME@ ] && dracut_install "$d"/@LIBFETCH_SONAME@
done
fi
dracut_install @mounthelperdir@/mount.zfs
dracut_install @udevdir@/vdev_id
dracut_install awk
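Review bot: When `@LIBFETCH_DYNAMIC@` is non-zero but `@LIBFETCH_SONAME@` is not present under any directory in `$libdirs`, the new loop installs nothing and reports nothing, so an `https://` keylocation only fails later, at boot, inside the initramfs; track whether a copy was installed (`found=` before the loop, `&& found=1` after the `dracut_install`) and finish with `[ -n "$found" ] || dwarning "@LIBFETCH_SONAME@ not found in $libdirs; keylocation=https:// will not work in the initramfs"`. `$libdirs` is presumably dracut's own list set outside this hunk, so its contents cannot be confirmed from here. Nothing in this hunk copies a CA certificate bundle into the image, which an HTTPS fetch needs to verify the server; if that is handled elsewhere a comment pointing there would help, otherwise it should be installed alongside the library. The enclosing `install()` starts before the hunk and ends after it.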
2 changes: 1 addition & 1 deletion contrib/dracut/90zfs/zfs-env-bootfs.service.in
Expand Up @@ -8,7 +8,7 @@ Before=zfs-import.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c "systemctl set-environment BOOTFS=$(@sbindir@/zpool list -H -o bootfs | grep -m1 -v '^-$')"
ExecStart=/bin/sh -c "exec systemctl set-environment BOOTFS=$(@sbindir@/zpool list -H -o bootfs | grep -m1 -v '^-$')"

[Install]
WantedBy=zfs-import.target
7 changes: 4 additions & 3 deletions contrib/dracut/90zfs/zfs-load-key.sh.in
Expand Up @@ -43,13 +43,14 @@ if [ "$(zpool list -H -o feature@encryption "$(echo "${BOOTFS}" | awk -F/ '{prin
[ "$KEYSTATUS" = "unavailable" ] || exit 0
# if key is stored in a file, do not prompt
if ! [ "${KEYLOCATION}" = "prompt" ]; then
if ! [ "${KEYLOCATION#https://}" = "${KEYLOCATION}" ]; then
systemctl start network-online.target
fi
zfs load-key "${ENCRYPTIONROOT}"
else
# decrypt them
TRY_COUNT=5
while [ $TRY_COUNT -gt 0 ]; do
for _ in 1 2 3 4 5; do
systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
TRY_COUNT=$((TRY_COUNT - 1))
done
fi
fi
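Review bot: The new `systemctl start network-online.target` discards its exit status, and the `zfs load-key` that follows in this branch is not checked either, so if the network never comes up the `https://` key fetch fails with no retry and no fallback to a prompt; at minimum log it, `systemctl start network-online.target || echo "zfs-load-key: network-online.target failed; key fetch over https may fail" >&2`. The prefix test only recognises `https://`; if the new keylocation support also accepts a plain `http://` URL (not visible in this hunk), that case skips the network wait. A one-line comment above the test, `# fetching the key from a URL needs the network up first`, would make the intent clear.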
2 changes: 1 addition & 1 deletion contrib/dracut/90zfs/zfs-rollback-bootfs.service.in
Expand Up @@ -10,5 +10,5 @@ ConditionKernelCommandLine=bootfs.rollback
# ${BOOTFS} should have been set by zfs-env-bootfs.service
Type=oneshot
ExecStartPre=/bin/sh -c 'test -n "${BOOTFS}"'
ExecStart=/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.rollback)"; @sbindir@/zfs rollback -Rf "${BOOTFS}@${SNAPNAME:-%v}"'
ExecStart=/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.rollback)"; exec @sbindir@/zfs rollback -Rf "${BOOTFS}@${SNAPNAME:-%v}"'
RemainAfterExit=yes
2 changes: 1 addition & 1 deletion contrib/dracut/90zfs/zfs-snapshot-bootfs.service.in
Expand Up @@ -10,5 +10,5 @@ ConditionKernelCommandLine=bootfs.snapshot
# ${BOOTFS} should have been set by zfs-env-bootfs.service
Type=oneshot
ExecStartPre=/bin/sh -c 'test -n "${BOOTFS}"'
ExecStart=-/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.snapshot)"; @sbindir@/zfs snapshot "${BOOTFS}@${SNAPNAME:-%v}"'
ExecStart=-/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.snapshot)"; exec @sbindir@/zfs snapshot "${BOOTFS}@${SNAPNAME:-%v}"'
RemainAfterExit=yes
8 changes: 8 additions & 0 deletions contrib/initramfs/hooks/zfs.in
Expand Up @@ -63,6 +63,14 @@ mkdir -p "$DESTDIR/etc/"
# multi-arch installations.
cp --target-directory="$DESTDIR" --parents $(find /lib/ -type f -name libgcc_s.so.1)

if [ @LIBFETCH_DYNAMIC@ != 0 ]
then
for l in $(find /lib/ -name @LIBFETCH_SONAME@)
do
copy_exec "$l"
done
fi

for ii in $COPY_EXEC_LIST
do
copy_exec "$ii"
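Review bot: `find /lib/ -name @LIBFETCH_SONAME@` searches only /lib/, but on distributions without a merged /usr a shared libcurl typically lives under /usr/lib (often a multiarch triplet directory), in which case the loop copies nothing and the initramfs silently lacks the library an `https://` keylocation needs; search both, `for l in $(find /lib/ /usr/lib/ -name @LIBFETCH_SONAME@ 2>/dev/null)`, and warn when nothing matched. The libgcc_s copy just above uses the same /lib/-only search, so this may be a deliberate convention of this hook — worth a comment either way. Nothing here installs a CA certificate bundle into the image, which the HTTPS fetch will need to verify the server; if initramfs-tools handles that elsewhere a note pointing there would help, otherwise it should be copied alongside the library.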
11 changes: 4 additions & 7 deletions contrib/initramfs/scripts/zfs
Expand Up @@ -406,28 +406,25 @@ decrypt_fs()
KEYSTATUS="$(get_fs_value "${ENCRYPTIONROOT}" keystatus)"
# Continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || return 0
TRY_COUNT=3

# If key is stored in a file, do not prompt
# Do not prompt if key is stored noninteractively,
if ! [ "${KEYLOCATION}" = "prompt" ]; then
$ZFS load-key "${ENCRYPTIONROOT}"

# Prompt with plymouth, if active
elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
elif /bin/plymouth --ping 2>/dev/null; then
echo "plymouth" > /run/zfs_console_askpwd_cmd
while [ $TRY_COUNT -gt 0 ]; do
for _ in 1 2 3; do
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
$ZFS load-key "${ENCRYPTIONROOT}" && break
TRY_COUNT=$((TRY_COUNT - 1))
done

# Prompt with systemd, if active
elif [ -e /run/systemd/system ]; then
echo "systemd-ask-password" > /run/zfs_console_askpwd_cmd
while [ $TRY_COUNT -gt 0 ]; do
for _ in 1 2 3; do
systemd-ask-password "Encrypted ZFS password for ${ENCRYPTIONROOT}" --no-tty | \
$ZFS load-key "${ENCRYPTIONROOT}" && break
TRY_COUNT=$((TRY_COUNT - 1))
done

# Prompt with ZFS tty, otherwise
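Review bot: In the non-prompt branch `$ZFS load-key "${ENCRYPTIONROOT}"` now also runs for an `https://` keylocation, but unlike the dracut counterpart in this commit nothing here brings the network up first, so under initramfs-tools the fetch fails unless networking was configured earlier in the script (not visible in this hunk); if the `configure_networking` helper from initramfs-tools' `scripts/functions` is available, invoke it for that case, e.g. `case "${KEYLOCATION}" in https://*) configure_networking ;; esac` before the load. The rewritten comment `# Do not prompt if key is stored noninteractively,` ends with a stray comma. `decrypt_fs()` begins before the hunk and ends after it.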
2 changes: 2 additions & 0 deletions include/libzfs_impl.h
Expand Up @@ -69,6 +69,8 @@ struct libzfs_handle {
boolean_t libzfs_prop_debug;
regex_t libzfs_urire;
uint64_t libzfs_max_nvlist;
void *libfetch;
char *libfetch_load_error;
};

struct zfs_handle {
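Review bot: The two new members `libfetch` and `libfetch_load_error` are undocumented, and their ownership (who dlopen()s and dlclose()s the handle, who frees the error string) is not visible in this hunk; a comment on each would help the next reader, e.g. `void *libfetch; /* dlopen(3) handle for LIBFETCH_SONAME; presumably NULL until loaded */` and `char *libfetch_load_error; /* why loading failed, NULL on success -- confirm who owns/frees it */`. `struct libzfs_handle` starts before the hunk.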
2 changes: 1 addition & 1 deletion lib/libzfs/Makefile.am
Expand Up @@ -75,7 +75,7 @@ libzfs_la_LIBADD = \
$(abs_top_builddir)/lib/libnvpair/libnvpair.la \
$(abs_top_builddir)/lib/libuutil/libuutil.la

libzfs_la_LIBADD += -lm $(LIBCRYPTO_LIBS) $(ZLIB_LIBS) $(LTLIBINTL)
libzfs_la_LIBADD += -lm $(LIBCRYPTO_LIBS) $(ZLIB_LIBS) $(LIBFETCH_LIBS) $(LTLIBINTL)

libzfs_la_LDFLAGS = -pthread

