Skip to content

libzfs: add keylocation=https://, backed by fetch(3) or libcurl #11956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
May 13, 2021
Merged

libzfs: add keylocation=https://, backed by fetch(3) or libcurl #11956

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e1ab4a5
libzfs: add keylocation=https://, backed by fetch(3) or libcurl
nabijaczleweli Apr 27, 2021
dfeeed7
libzfs: also allow keylocation=http://
nabijaczleweli May 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/zfs-tests-functional.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ jobs:
xfslibs-dev libattr1-dev libacl1-dev libudev-dev libdevmapper-dev \
libssl-dev libffi-dev libaio-dev libelf-dev libmount-dev \
libpam0g-dev pamtester python-dev python-setuptools python-cffi \
python3 python3-dev python3-setuptools python3-cffi
python3 python3-dev python3-setuptools python3-cffi libcurl4-openssl-dev
- name: Autogen.sh
run: |
sh autogen.sh
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/zfs-tests-sanity.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ jobs:
xfslibs-dev libattr1-dev libacl1-dev libudev-dev libdevmapper-dev \
libssl-dev libffi-dev libaio-dev libelf-dev libmount-dev \
libpam0g-dev pamtester python-dev python-setuptools python-cffi \
python3 python3-dev python3-setuptools python3-cffi
python3 python3-dev python3-setuptools python3-cffi libcurl4-openssl-dev
- name: Autogen.sh
run: |
sh autogen.sh
Expand Down
4 changes: 3 additions & 1 deletion config/Substfiles.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@ subst_sed_cmd = \
-e 's|@PYTHON[@]|$(PYTHON)|g' \
-e 's|@PYTHON_SHEBANG[@]|$(PYTHON_SHEBANG)|g' \
-e 's|@DEFAULT_INIT_NFS_SERVER[@]|$(DEFAULT_INIT_NFS_SERVER)|g' \
-e 's|@DEFAULT_INIT_SHELL[@]|$(DEFAULT_INIT_SHELL)|g'
-e 's|@DEFAULT_INIT_SHELL[@]|$(DEFAULT_INIT_SHELL)|g' \
-e 's|@LIBFETCH_DYNAMIC[@]|$(LIBFETCH_DYNAMIC)|g' \
-e 's|@LIBFETCH_SONAME[@]|$(LIBFETCH_SONAME)|g'

SUBSTFILES =
CLEANFILES = $(SUBSTFILES)
Expand Down
71 changes: 71 additions & 0 deletions config/user-libfetch.m4
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
dnl #
dnl # Check for a libfetch - either fetch(3) or libcurl.
dnl #
dnl # There are two configuration dimensions:
dnl # * fetch(3) vs libcurl
dnl # * static vs dynamic
dnl #
dnl # fetch(3) is only dynamic.
dnl # We use sover 6, which first appeared in FreeBSD 8.0-RELEASE.
dnl #
dnl # libcurl development packages include curl-config(1) – we want:
dnl # * HTTPS support
dnl # * version at least 7.16 (October 2006), for sover 4
dnl # * to decide if it's static or not
dnl #
AC_DEFUN([ZFS_AC_CONFIG_USER_LIBFETCH], [
AC_MSG_CHECKING([for libfetch])
LIBFETCH_LIBS=
LIBFETCH_IS_FETCH=0
LIBFETCH_IS_LIBCURL=0
LIBFETCH_DYNAMIC=0
LIBFETCH_SONAME=
have_libfetch=

saved_libs="$LIBS"
LIBS="$LIBS -lfetch"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/param.h>
#include <stdio.h>
#include <fetch.h>
]], [fetchGetURL("", "");])], [
have_libfetch=1
LIBFETCH_IS_FETCH=1
LIBFETCH_DYNAMIC=1
LIBFETCH_SONAME='"libfetch.so.6"'
LIBFETCH_LIBS="-ldl"
AC_MSG_RESULT([fetch(3)])
], [])
LIBS="$saved_libs"

if test -z "$have_libfetch"; then
if curl-config --protocols 2>/dev/null | grep -q HTTPS &&
test "$(printf "%u" "0x$(curl-config --vernum)")" -ge "$(printf "%u" "0x071000")"; then
have_libfetch=1
LIBFETCH_IS_LIBCURL=1
if test "$(curl-config --built-shared)" = "yes"; then
LIBFETCH_DYNAMIC=1
LIBFETCH_SONAME='"libcurl.so.4"'
LIBFETCH_LIBS="-ldl"
AC_MSG_RESULT([libcurl])
else
LIBFETCH_LIBS="$(curl-config --libs)"
AC_MSG_RESULT([libcurl (static)])
fi

CCFLAGS="$CCFLAGS $(curl-config --cflags)"
fi
fi

if test -z "$have_libfetch"; then
AC_MSG_RESULT([none])
fi

AC_SUBST([LIBFETCH_LIBS])
AC_SUBST([LIBFETCH_DYNAMIC])
AC_SUBST([LIBFETCH_SONAME])
AC_DEFINE_UNQUOTED([LIBFETCH_IS_FETCH], [$LIBFETCH_IS_FETCH], [libfetch is fetch(3)])
AC_DEFINE_UNQUOTED([LIBFETCH_IS_LIBCURL], [$LIBFETCH_IS_LIBCURL], [libfetch is libcurl])
AC_DEFINE_UNQUOTED([LIBFETCH_DYNAMIC], [$LIBFETCH_DYNAMIC], [whether the chosen libfetch is to be loaded at run-time])
AC_DEFINE_UNQUOTED([LIBFETCH_SONAME], [$LIBFETCH_SONAME], [soname of chosen libfetch])
])
1 change: 1 addition & 0 deletions config/user.m4
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ AC_DEFUN([ZFS_AC_CONFIG_USER], [
ZFS_AC_CONFIG_USER_LIBCRYPTO
ZFS_AC_CONFIG_USER_LIBAIO
ZFS_AC_CONFIG_USER_LIBATOMIC
ZFS_AC_CONFIG_USER_LIBFETCH
ZFS_AC_CONFIG_USER_CLOCK_GETTIME
ZFS_AC_CONFIG_USER_PAM
ZFS_AC_CONFIG_USER_RUNSTATEDIR
Expand Down
5 changes: 5 additions & 0 deletions contrib/dracut/90zfs/module-setup.sh.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,11 @@ install() {
# Fallback: Guess the path and include all matches
dracut_install /usr/lib/gcc/*/*/libgcc_s.so*
fi
if [ @LIBFETCH_DYNAMIC@ != 0 ]; then
for d in $libdirs; do
[ -e "$d"/@LIBFETCH_SONAME@ ] && dracut_install "$d"/@LIBFETCH_SONAME@
done
fi
dracut_install @mounthelperdir@/mount.zfs
dracut_install @udevdir@/vdev_id
dracut_install awk
Expand Down
2 changes: 1 addition & 1 deletion contrib/dracut/90zfs/zfs-env-bootfs.service.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ Before=zfs-import.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c "systemctl set-environment BOOTFS=$(@sbindir@/zpool list -H -o bootfs | grep -m1 -v '^-$')"
ExecStart=/bin/sh -c "exec systemctl set-environment BOOTFS=$(@sbindir@/zpool list -H -o bootfs | grep -m1 -v '^-$')"

[Install]
WantedBy=zfs-import.target
7 changes: 4 additions & 3 deletions contrib/dracut/90zfs/zfs-load-key.sh.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,14 @@ if [ "$(zpool list -H -o feature@encryption "$(echo "${BOOTFS}" | awk -F/ '{prin
[ "$KEYSTATUS" = "unavailable" ] || exit 0
# if key is stored in a file, do not prompt
if ! [ "${KEYLOCATION}" = "prompt" ]; then
if ! [ "${KEYLOCATION#http}" = "${KEYLOCATION}" ]; then
systemctl start network-online.target
fi
zfs load-key "${ENCRYPTIONROOT}"
else
# decrypt them
TRY_COUNT=5
while [ $TRY_COUNT -gt 0 ]; do
for _ in 1 2 3 4 5; do
systemd-ask-password "Encrypted ZFS password for ${BOOTFS}" --no-tty | zfs load-key "${ENCRYPTIONROOT}" && break
TRY_COUNT=$((TRY_COUNT - 1))
done
fi
fi
Expand Down
2 changes: 1 addition & 1 deletion contrib/dracut/90zfs/zfs-rollback-bootfs.service.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,5 +10,5 @@ ConditionKernelCommandLine=bootfs.rollback
# ${BOOTFS} should have been set by zfs-env-bootfs.service
Type=oneshot
ExecStartPre=/bin/sh -c 'test -n "${BOOTFS}"'
ExecStart=/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.rollback)"; @sbindir@/zfs rollback -Rf "${BOOTFS}@${SNAPNAME:-%v}"'
ExecStart=/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.rollback)"; exec @sbindir@/zfs rollback -Rf "${BOOTFS}@${SNAPNAME:-%v}"'
RemainAfterExit=yes
2 changes: 1 addition & 1 deletion contrib/dracut/90zfs/zfs-snapshot-bootfs.service.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,5 +10,5 @@ ConditionKernelCommandLine=bootfs.snapshot
# ${BOOTFS} should have been set by zfs-env-bootfs.service
Type=oneshot
ExecStartPre=/bin/sh -c 'test -n "${BOOTFS}"'
ExecStart=-/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.snapshot)"; @sbindir@/zfs snapshot "${BOOTFS}@${SNAPNAME:-%v}"'
ExecStart=-/bin/sh -c '. /lib/dracut-lib.sh; SNAPNAME="$(getarg bootfs.snapshot)"; exec @sbindir@/zfs snapshot "${BOOTFS}@${SNAPNAME:-%v}"'
RemainAfterExit=yes
8 changes: 8 additions & 0 deletions contrib/initramfs/hooks/zfs.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,14 @@ mkdir -p "$DESTDIR/etc/"
# multi-arch installations.
cp --target-directory="$DESTDIR" --parents $(find /lib/ -type f -name libgcc_s.so.1)

if [ @LIBFETCH_DYNAMIC@ != 0 ]
then
for l in $(find /lib/ -name @LIBFETCH_SONAME@)
do
copy_exec "$l"
done
fi

for ii in $COPY_EXEC_LIST
do
copy_exec "$ii"
Expand Down
11 changes: 4 additions & 7 deletions contrib/initramfs/scripts/zfs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -406,28 +406,25 @@ decrypt_fs()
KEYSTATUS="$(get_fs_value "${ENCRYPTIONROOT}" keystatus)"
# Continue only if the key needs to be loaded
[ "$KEYSTATUS" = "unavailable" ] || return 0
TRY_COUNT=3

# If key is stored in a file, do not prompt
# Do not prompt if key is stored noninteractively,
if ! [ "${KEYLOCATION}" = "prompt" ]; then
$ZFS load-key "${ENCRYPTIONROOT}"

# Prompt with plymouth, if active
elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
elif /bin/plymouth --ping 2>/dev/null; then
echo "plymouth" > /run/zfs_console_askpwd_cmd
while [ $TRY_COUNT -gt 0 ]; do
for _ in 1 2 3; do
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
$ZFS load-key "${ENCRYPTIONROOT}" && break
TRY_COUNT=$((TRY_COUNT - 1))
done

# Prompt with systemd, if active
elif [ -e /run/systemd/system ]; then
echo "systemd-ask-password" > /run/zfs_console_askpwd_cmd
while [ $TRY_COUNT -gt 0 ]; do
for _ in 1 2 3; do
systemd-ask-password "Encrypted ZFS password for ${ENCRYPTIONROOT}" --no-tty | \
$ZFS load-key "${ENCRYPTIONROOT}" && break
TRY_COUNT=$((TRY_COUNT - 1))
done

# Prompt with ZFS tty, otherwise
Expand Down
2 changes: 2 additions & 0 deletions include/libzfs_impl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ struct libzfs_handle {
boolean_t libzfs_prop_debug;
regex_t libzfs_urire;
uint64_t libzfs_max_nvlist;
void *libfetch;
char *libfetch_load_error;
};

struct zfs_handle {
Expand Down
2 changes: 1 addition & 1 deletion lib/libzfs/Makefile.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ libzfs_la_LIBADD = \
$(abs_top_builddir)/lib/libnvpair/libnvpair.la \
$(abs_top_builddir)/lib/libuutil/libuutil.la

libzfs_la_LIBADD += -lm $(LIBCRYPTO_LIBS) $(ZLIB_LIBS) $(LTLIBINTL)
libzfs_la_LIBADD += -lm $(LIBCRYPTO_LIBS) $(ZLIB_LIBS) $(LIBFETCH_LIBS) $(LTLIBINTL)

libzfs_la_LDFLAGS = -pthread

Expand Down
Loading