authorMateusz Piotrowski <0mp@FreeBSD.org>2022-03-18 12:35:16 +0000
committerMateusz Piotrowski <0mp@FreeBSD.org>2022-03-21 14:47:20 +0000
commit2411090f69401998569f24144b08ffc050e3cebc (patch)
tree41323b40261e8c20f64c517765a6dbce407e0004
parent476b3bb0916d7ada163040b3b3f523e92d608733 (diff)
zfskeys: Support autoloading of keys stored on ZFS
The zfskeys service script starts before the zfs service script, so that dataset decryption keys are available when `zfs mount -a` is run. One edge case of this design is that a key stored on a ZFS dataset cannot be loaded until that dataset has been mounted by `zfs mount -a`. To address that, try to load the additional keys and mount the related ZFS datasets after the zfs script finishes its standard mounting procedure. PR: 262468 Reported by: Graham Perrin <grahamperrin@gmail.com> Reviewed by: allanjude Approved by: allanjude (src) Fixes: 33ff39796ffe Add zfskeys rc.d script for auto-loading encryption keys MFC after: 3 days Sponsored by: Modirum Sponsored by: Klara Inc. Differential Revision: https://reviews.freebsd.org/D34601 (cherry picked from commit 97aeda2243568b386d792514996a06daec55eece)
-rwxr-xr-xlibexec/rc/rc.d/zfs12
1 files changed, 12 insertions, 0 deletions
diff --git a/libexec/rc/rc.d/zfs b/libexec/rc/rc.d/zfs
index 2d35f9b54642..dbc82f82c65b 100755
--- a/libexec/rc/rc.d/zfs
+++ b/libexec/rc/rc.d/zfs
@@ -13,6 +13,7 @@ name="zfs"
desc="Mount and share ZFS datasets"
rcvar="zfs_enable"
start_cmd="zfs_start"
+start_postcmd="zfs_poststart"
stop_cmd="zfs_stop"
required_modules="zfs"
@@ -41,6 +42,17 @@ zfs_start()
fi
}
+zfs_poststart()
+{
+ # Some of the keys to decrypt datasets are potentially stored on ZFS
+ # datasets that just got mounted. Let's try to load those keys and
+ # mount the datasets.
+ if checkyesno zfskeys_enable; then
+ /etc/rc.d/zfskeys start
+ zfs_start
+ fi
+}
+
zfs_stop_jail()
{
if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
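Review bot: zfs_poststart discards the exit status of `/etc/rc.d/zfskeys start` and then repeats the full `zfs_start` pass unconditionally, so a failed or partial key load is silent and every boot with zfskeys_enable=YES runs the mount/share procedure twice even when no key lives on ZFS. The second pass also resolves only one level of dependency: a key stored on a dataset that itself becomes mountable only during this second pass is still not loaded, and nothing in the comment says so. I would at least record both caveats in the comment, e.g. `# Only one extra round is attempted, so keys on datasets that are themselves unlocked by this round stay unloaded; the second zfs_start repeats the whole mount/share pass.`, and consider `/etc/rc.d/zfskeys start || warn "zfskeys: loading additional keys failed"` so an operator sees the failure at the console. Whether zfskeys' second invocation tolerates keys that are already loaded is not visible here and should be confirmed in that script. zfs_start's body begins outside this hunk.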