docs/docs/zlevis/implementation.md

Mkinitfs

Mkinitfs is the initramfs generator of Alpine Linux. Besides the usual steps to set up zlevis (writing the encryption key of the ZFS root pool to the TPM after the pool has been created, enabling the zlevis-hook in mkinitfs.conf and installing zlevis on the host system), one adaptation to the initramfs-init script of mkinitfs is required.

Specifically, in the prepare_zfs_root() function we need to add the pipeline zlevis decrypt "$_root_pool" | zfs load-key -L prompt "$_root_pool":

# Do some tasks to make sure mounting the ZFS pool is A-OK
prepare_zfs_root() {
	local _root_vol=${KOPT_root#ZFS=}
	local _root_pool=${_root_vol%%/*}

	# Force import if this has been imported on a different system previously.
	# Import normally otherwise
	if [ "$KOPT_zfs_force" = 1 ]; then
		zpool import -N -d /dev -f "$_root_pool"
	else
		zpool import -N -d /dev "$_root_pool"
	fi

	# Ask for encryption password
	# (quoted so the test does not break when zpool prints nothing)
	if [ "$(zpool list -H -o feature@encryption "$_root_pool")" = "active" ]; then
		local _encryption_root=$(zfs get -H -o value encryptionroot "$_root_vol")
		if [ "$_encryption_root" != "-" ]; then
			# Unseal the key from the TPM and feed it to zfs load-key; if that
			# fails, fall back to the interactive passphrase prompt
			zlevis decrypt "$_root_pool" | zfs load-key -L prompt "$_root_pool" || eval zfs load-key $_encryption_root
		fi
	fi
}

The || operator retains the fallback to eval zfs load-key, so the interactive passphrase prompt is still reached when the TPM cannot release the key.

Furthermore, we need to configure the zlevis-hook by telling mkinitfs which binaries and libraries to include in the initramfs:

/usr/bin/zlevis
/usr/bin/zlevis-decrypt
/usr/bin/tpm2*
/usr/bin/jose
/usr/lib/libtss2-tcti*

and which kernel modules it requires:

kernel/drivers/char/tpm*

Dracut

Work in progress.