Case: ZFS root with native encryption. initramfs built using:

genkernel initramfs --zfs --ssh

The current linuxrc only allows key entry in the local console. If I reboot the machine remotely, unlock the data set remotely, and kill the zfs load-key process, boot will fail despite the fact that the ZFS key has been loaded via SSH:

zfs load-key -a
pkill zfs
resume-boot
... initramfs fails.

This is caused by the following condition check:

if [ ${retval} -ne 0 ]
...
got_good_root=0

Instead of checking the exit code of the local zfs load-key command, we can check that the key has been loaded; this allows us to log in via SSH, run the above commands, and have the machine boot successfully. The suggested condition change is in the attached patch.

Reproducible: Always
Created attachment 602820
replace the zfs load-key exit status with an actual zfs key status
Well, I hope that we will get something like unlock-luks for ZFS, too. But this looks like an interesting workaround in the meantime. Thanks. Waiting for feedback from ZFS maintainer(s).
Created attachment 602832
Check ZFS keystatus instead of return value

Please test the attached patch. Based on your idea but slightly adjusted code. Please also confirm that local unlock still works, and also test with an invalid passphrase.
Indeed, zfs returns 255 if the key is already loaded.

# zfs load-key zreaper
Key load error: Key already loaded for 'zreaper'.
# echo $?
255

Looking at how the dracut module (shipped by zfs) implements it, the approach looks sane to me, but I haven't tested.
https://github.com/zfsonlinux/zfs/commit/6c7023a5326cc999cfaced931ee2498642d5e63f
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=9e7b41cda3df648b509a0f8a2af29a683100a46f

commit 9e7b41cda3df648b509a0f8a2af29a683100a46f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-01-10 16:07:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-01-11 19:54:40 +0000

    Rework ZFS unlock

    - Prompt for key when key is unavailable, not when key is available.
    - Check ZFS' keystatus property instead of return value to allow remote unlock.
    - Add unlock-zfs command to remote rescue shell.

    Closes: https://bugs.gentoo.org/705032
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 defaults/initrd.defaults |  3 ++
 defaults/initrd.scripts  | 38 +++++++++++++++-----
 defaults/linuxrc         | 42 +++++++++++++++-------
 defaults/login-remote.sh |  5 +++
 defaults/unlock-zfs.sh   | 91 ++++++++++++++++++++++++++++++++++++++++++++++++
 gen_initramfs.sh         |  6 ++++
 6 files changed, 165 insertions(+), 20 deletions(-)
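The keystatus-based unlock logic described in the report and adopted by the commit above, as an added POSIX sh example (this is not genkernel's linuxrc or unlock-zfs.sh): the keystatus property decides both whether to prompt and whether the unlock succeeded, so a key loaded over SSH is honoured even though a second zfs load-key exits with 255. The ZFS_CMD and ZFS_UNLOCK_TRIES variables and the fake_zfs_remote_unlocked stand-in are constructed for this example; the dataset name zreaper is taken from the comment above.

```shell
#!/bin/sh
# Added example, not genkernel's linuxrc. Prompt only while ZFS reports the key
# unavailable, and judge success from the keystatus property, not from the exit
# status of "zfs load-key" (255 when an SSH session already loaded the key).
ZFS_CMD=${ZFS_CMD:-zfs}                   # swappable so the logic runs without a pool
ZFS_UNLOCK_TRIES=${ZFS_UNLOCK_TRIES:-3}   # passphrase attempts before giving up

# Print the keystatus property of a dataset: available, unavailable or none.
zfs_keystatus() {
    "$ZFS_CMD" get -H -o value keystatus "$1" 2>/dev/null
}

# Succeed when the dataset is unencrypted (none) or its key is loaded.
zfs_key_is_loaded() {
    case "$(zfs_keystatus "$1")" in
        available|none) return 0 ;;
        *)              return 1 ;;
    esac
}

# Old linuxrc behaviour: trust the exit status of load-key.
zfs_unlock_by_retval() {
    "$ZFS_CMD" load-key "$1"
}

# Fixed behaviour: prompt while the key is unavailable, then re-check the property.
zfs_unlock_by_keystatus() {
    tries=0
    while ! zfs_key_is_loaded "$1"; do
        tries=$((tries + 1))
        [ "$tries" -le "$ZFS_UNLOCK_TRIES" ] || return 1
        "$ZFS_CMD" load-key "$1" || :   # status ignored; keystatus decides
    done
    return 0
}

# Constructed stand-in for zfs: the key was loaded over SSH, so load-key fails
# with 255 ("Key already loaded") while keystatus already says "available".
fake_zfs_remote_unlocked() {
    case "$1" in
        get)      echo available ;;
        load-key) echo "Key load error: Key already loaded for '$2'." >&2; return 255 ;;
    esac
}

# Demo of the scenario from the report (uses the stand-in, not a real pool).
ZFS_CMD=fake_zfs_remote_unlocked
zfs_unlock_by_retval zreaper 2>/dev/null || echo "return-value check: rc=$? -> boot would fail"
zfs_unlock_by_keystatus zreaper && echo "keystatus check: key present -> boot continues"
```

With a real pool, leave ZFS_CMD unset and the same functions drive the actual zfs binary.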