diff --git a/README.md b/README.md
index 94a386b..d619896 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# Zlevis-Dracut
+# zlevis-dracut
-A dracut module to allow zlevis to unlock an encrypted ZFS pool during boot up time.
+A dracut module that builds in automatic decryption of a `ZFS` root pool in the `initramfs` with `zlevis`.
diff --git a/meson.build b/meson.build
index 24066c0..c54f84c 100644
--- a/meson.build
+++ b/meson.build
@@ -1,14 +1,14 @@
 # Project definition
-project('zlevis-dracut', version: '0.3')
+project('zlevis-dracut', license: 'GPL3')
-# Files which need to be moved
-src_files = [
- 'module-setup.sh',
- 'zlevis.sh'
-]
-
-# Move them to an appropriate dracut module dir
+# Define dracut module dir
 modules_dir = '/usr/lib/dracut/modules.d/85zlevis/'
-# Install the files
-install_data(src_files, install_dir: modules_dir)
+# Define bins list
+bins = []
+
+# Define subdir with bins
+subdir('src')
+
+# Install bins in module dir
+install_data(bins, install_dir: modules_dir)
diff --git a/module-setup.sh b/module-setup.sh
deleted file mode 100755
index 64c5839..0000000
--- a/module-setup.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-depends() {
- echo udev-rules zfs
- return 0
-}
-
-install() {
- # Install the appropriate binaries and libraries
- inst_multiple /usr/bin /usr/bin/zlevis* /usr/bin/jose /usr/bin/tpm2* /usr/bin/mktemp
- inst_multiple /usr/lib /usr/lib/libtss2-tcti*
-
- # Run the zlevis decryption hook before the 90zfs hook
- inst_hook pre-mount 85 "${moddir}/zlevis.sh"
- inst_simple "${moddir}/zlevis.sh" "/sbin/zlevis.sh"
-}
diff --git a/src/meson.build b/src/meson.build
new file mode 100644
index 0000000..8f5b8ca
--- /dev/null
+++ b/src/meson.build
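Review bot: `install_data(bins, install_dir: modules_dir)` installs every script under its own basename, so the module directory ends up holding `zlevis-module-setup`, whereas dracut (as far as I recall) only recognises a module by a file literally named `module-setup.sh`; after this rename the 85zlevis module would not be detected at all, and the same applies to the new file `src/zlevis-module-setup`. Either keep that filename or map it on install, e.g. `install_data(bins, install_dir: modules_dir, rename: ['zlevis-module', 'module-setup.sh'])` (one entry per source file, in the order `src/meson.build` appends them). Removing `version:` from `project()` also makes `meson.project_version()` report `undefined`; keeping the version string costs nothing. Filling `bins` from `subdir('src')` is fine, since subdir shares the variable scope.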
@@ -0,0 +1,11 @@
+# Find scripts
+module = find_program('zlevis-module')
+module-setup = find_program('zlevis-module-setup')
+
+# Test the scripts
+test('zlevis-module', module, args: '--summary')
+test('zlevis-module-setup', module-setup, args: '--summary')
+
+# Add paths of scripts to bins
+bins += join_paths(meson.current_source_dir(), 'zlevis-module')
+bins += join_paths(meson.current_source_dir(), 'zlevis-module-setup')
\ No newline at end of file
diff --git a/zlevis.sh b/src/zlevis-module
similarity index 50%
rename from zlevis.sh
rename to src/zlevis-module
index 4601506..d5b917b 100755
--- a/zlevis.sh
+++ b/src/zlevis-module
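Review bot: `module-setup = find_program('zlevis-module-setup')` will not parse, because a hyphen is the subtraction operator in Meson and `module-setup` is read as `module - setup`; the same name is used again in the second `test(...)` call, so the whole subdir fails at configure time. Use an identifier without a hyphen: `module_setup = find_program('zlevis-module-setup')` and `test('zlevis-module-setup', module_setup, args: '--summary')`. Note that these "tests" only exercise the `--summary` early-exit branch of each script, so they prove the files are executable and nothing about the dracut hooks themselves; a comment saying so would save the next reader from expecting more.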
@@ -1,21 +1,35 @@
 #!/bin/sh
-# First make sure the zfs kmod is loaded
+# Exit immediately if a command exits with a non-zero status
+set -e
+
+# Summary of the script's functionality
+summary="The dracut module of zlevis"
+
+# Display summary if requested
+if [ "$1" = "--summary" ]; then
+ echo "$summary"
+ exit 0
+fi
+
+# Load the ZFS kernel module
 modprobe zfs 2>/dev/null
 udevadm settle
-# Inspired by Alpine Linux's mkinitfs script - search for encrypted pool's by means of the cmdline root atribute
+# Search for encrypted pool's by means of the cmdline root atribute
 local _root_vol="${root}"
 local _root_pool="${_root_vol%%/*}"
 # Import the root pool
 zpool import -N -d /dev $_root_pool
-# If the pool is encrypted run `zlevis decrypt` to obtain the key stored in the tpm2 and load it
+# If the pool is encrypted run `zlevis decrypt` to obtain the key stored in the TPM and load the key
 if [ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]; then
 local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)
 if [ "$_encryption_root" != "-" ]; then
- zlevis decrypt $_root_pool | zfs load-key -L prompt "$_root_pool" || echo "zlevis failed to unlock $_root_pool"
+ zlevis decrypt $_root_pool | zfs load-key -L prompt "$_root_pool" || echo "Failed to unlock $_root_pool with TPM"
 fi
 fi
+# Exit with the status of the last command
+exit $?
\ No newline at end of file
diff --git a/src/zlevis-module-setup b/src/zlevis-module-setup
new file mode 100755
index 0000000..6e9518b
--- /dev/null
+++ b/src/zlevis-module-setup
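Review bot: The new `set -e` near the top and `exit $?` at the bottom are wrong for a pre-mount hook, because dracut's `source_hook` sources hook files into the running init shell instead of executing them (which is also the only reason the top-level `local` lines work): `exit` ends the sourcing shell, skipping any pre-mount hook ordered after this one, and `set -e` stays in force for everything sourced afterwards. Drop both lines, and if an early bail-out is ever needed use `return` rather than `exit`. The same two lines in `src/zlevis-module-setup` cause the analogous problem there: dracut sources `module-setup.sh` to define `depends()`/`install()` and only then calls them, so an `exit` reached while sourcing ends that shell before `install` runs. Pre-existing but still on the new side: `$_root_pool` and the `$(zpool list …)` substitution inside `[ … ]` are unquoted, so an empty `root=` turns into a `[` syntax error rather than a clean failure message.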
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Exit immediately if a command exits with a non-zero status
+set -e
+
+# Summary of the script's functionality
+summary="The setup of the dracut module of zlevis"
+
+# Display summary if requested
+if [ "$1" = "--summary" ]; then
+ echo "$summary"
+ exit 0
+fi
+
+# Depend on udev-rules and zfs
+depends() {
+ echo udev-rules zfs
+ return 0
+}
+
+install() {
+ # Install the appropriate binaries and libraries
+ inst_multiple /usr/bin /usr/bin/zlevis /usr/bin/zlevis-decrypt /usr/bin/jose /usr/bin/tpm2*
+ inst_multiple /usr/lib /usr/lib/libtss2-tcti*
+
+ # Run the zlevis decryption hook before the 90zfs hook
+ inst_hook pre-mount 85 "${moddir}/zlevis-module"
+ inst_simple "${moddir}/zlevis-module" "/sbin/zlevis-module"
+}
+
+# Exit with the status of the last command
+exit $?
\ No newline at end of file
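Review bot: `inst_hook pre-mount 85 "${moddir}/zlevis-module"` installs the hook under the basename of its argument, i.e. `85-zlevis-module`, and as far as I recall dracut's hook runner only sources `*.sh` files from the hook directory, so the decryption hook would never run once the `.sh` suffix is gone from the filename. Keep the suffix on the hook script (e.g. `zlevis-module.sh`, adjusting the `inst_hook`/`inst_simple` lines accordingly) or install it under an explicit `.sh` name. The `--summary` check on `$1` is harmless here only because dracut happens to pass a different first argument when it sources this file; a comment such as `# "$1" is the module name when sourced by dracut, "--summary" only when run by meson test` would make that dependency visible.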