[Pkg-zfsonlinux-devel] Bug#941019: zfs-initramfs: Mounting natively encrypted ZFS root filesystem doesn't work, when plymouth is enabled

Bartosz Kostrzewski kostrzewski.bartosz at protonmail.com
Mon Sep 23 14:16:20 BST 2019


Package: zfs-initramfs
Version: 0.8.1-4~bpo10+1
Severity: normal
Tags: patch

Dear Maintainer,

the "zfs" initramfs script tries to mount a natively encrypted ZFS
filesystem and fails if plymouth is enabled. Asking for a password and
relaying it to "zfs load-key" doesn't work. The same problem would probably
occur if it were a systemd-enabled initramfs.
Error message: cannot open ''POOLNAME'' invalid character ''' in name

There is a problem with the shell's quote removal if the command is
given as the --command parameter to plymouth. It also shouldn't be
invoked through variable expansion. Eval would be the way, I suppose.

Unfortunately --command="eval ${DECRYPT_CMD}" also doesn't work.

Here's a possible quick fix:

--- /usr/share/initramfs-tools/scripts/zfs	2019-09-23 14:37:05.131987571 +0200
+++ /etc/initramfs-tools/scripts/zfs	2019-09-23 14:46:36.461307188 +0200
@@ -415,19 +415,22 @@
 
 		# If root dataset is encrypted...
 		if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
-
+            
 			# Prompt with plymouth, if active
 			if [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
-				plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" \
-					--number-of-tries="3" \
-					--command="${DECRYPT_CMD}"
-
+				TRY_COUNT=3
+				while [ $TRY_COUNT -gt 0 ]; do
+                    plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
+                        eval "${DECRYPT_CMD}" && break
+					TRY_COUNT=$((TRY_COUNT - 1))
+                done
+                    
 			# Prompt with systemd, if active 
 			elif [ -e /run/systemd/system ]; then
 				TRY_COUNT=3
 				while [ $TRY_COUNT -gt 0 ]; do
 					systemd-ask-password "Encrypted ZFS password for ${ENCRYPTIONROOT}" --no-tty | \
-						${DECRYPT_CMD} && break
+						eval "${DECRYPT_CMD}" && break
 					TRY_COUNT=$((TRY_COUNT - 1))
 				done
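Review bot: `eval "${DECRYPT_CMD}"`, used in both the plymouth and the systemd branch, re-parses the whole string as shell source, so anything in it that looks like shell syntax is interpreted, not merely unquoted; whether that is safe depends on how DECRYPT_CMD is assembled, which this hunk does not show. If the dataset being unlocked is the ${ENCRYPTIONROOT} already used in the prompt, consider calling the load-key command directly with the dataset as a double-quoted argument instead of round-tripping through a string and eval. In the new plymouth loop the pipeline's exit status is that of eval alone, so a cancelled or failed `plymouth ask-for-password` still feeds empty input to the decrypt command and uses up a try; checking plymouth's status before piping would avoid that. The added lines also indent with spaces where the file uses tabs, and the `-`/`+` pair after the `if ! [ "${ENCRYPTIONROOT}" = "-" ]` line only introduces trailing whitespace; both are worth dropping to keep the diff minimal.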


-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages zfs-initramfs depends on:
ii  busybox-static [busybox]  1:1.30.1-4
ii  initramfs-tools           0.133+deb10u1
ii  zfs-dkms [zfs-modules]    0.8.1-4~bpo10+1
ii  zfsutils-linux            0.8.1-4~bpo10+1

zfs-initramfs recommends no packages.

zfs-initramfs suggests no packages.

-- no debconf information
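
Added example (not part of the original report or of the zfs-initramfs script): a POSIX sh sketch of the quoting behaviour the report describes, showing why a command string with embedded single quotes produces a name like 'POOLNAME' under plain variable expansion but not under eval. `fake_load_key` and `build_cmd` are hypothetical stand-ins, and the way the real DECRYPT_CMD is built is an assumption.

```shell
#!/bin/sh
# Constructed stand-in for "zfs load-key": reads the passphrase on stdin and
# reports the dataset name exactly as it arrived in its argument list.
fake_load_key() {
    read -r _pass
    printf 'dataset=<%s>' "$1"
}

# Assumption: the command string embeds the name in single quotes, which is
# what the quoted name in the reported error message suggests.
build_cmd() { printf "fake_load_key '%s'" "$1"; }

# 1. Unquoted variable expansion: the shell does field splitting only.
#    Quote characters inside the value are data, so they reach the command.
via_expansion() {
    cmd=$(build_cmd "$1")
    printf 'secret\n' | ${cmd}
}

# 2. eval: the string is parsed again as shell source, so quote removal
#    happens, but so does every other kind of shell interpretation.
via_eval() {
    cmd=$(build_cmd "$1")
    printf 'secret\n' | eval "${cmd}"
}

# 3. No command string: the name travels as one double-quoted argument and is
#    never re-parsed, whatever characters it contains.
via_direct() {
    printf 'secret\n' | fake_load_key "$1"
}

# Constructed sample names, including one with a space.
for name in 'rpool/ROOT' 'rpool/my root'; do
    printf 'expansion: %s\n' "$(via_expansion "$name")"
    printf 'eval:      %s\n' "$(via_eval "$name")"
    printf 'direct:    %s\n' "$(via_direct "$name")"
done
```

In every variant the passphrase goes to the command on stdin, as in the script's own pipelines, so it never appears in the argument list.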


