Arbitrary encrypted partitions should be allowed #2580

Open
Tracked by #2128 ...
jimmykarily opened this issue May 22, 2024 · 1 comment
Labels
bug (Something isn't working); question (Further information is requested); triage (Add this label to issues that should be triaged and prioritized in the next planning call); unconfirmed

Comments

@jimmykarily
Contributor

UKI and non-UKI installations have different implementations of partition encryption:

  • UKI
  • non UKI (not the actual code but the limiting one)

In the UKI case, one can specify any partition for encryption, but in the non-UKI case, only COS_OEM and COS_PERSISTENT are allowed (see the second link above).

We should be consistent and we should allow any partition to be encrypted.


The reason why we have that UUID to label mapping is because the partition label is not available while the partition is encrypted (or is it the filesystem label?). In the beginning we were storing a file with mappings from uuids to labels. Later we switched to the current implementation. It turns out, "partlabel" is available even while the partition is encrypted:

/dev/vda5: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent" PARTUUID="8a668fe9-3532-4a9f-abd6-d84d9a40c3a3"

although LABEL would only appear in the "mapper" partition:

/dev/mapper/vda5: LABEL="COS_PERSISTENT" UUID="c2b049a5-ce9e-436f-98b9-f9c7c6fb195b" BLOCK_SIZE="4096" TYPE="ext4"

Maybe we should let the user define partitions to be encrypted by their partlabel which means we don't need mapping files or specific UUID generation code.

In any case, we should be consistent between UKI and standard and allow any partition to be encrypted in both cases.
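
An added example (not part of the original issue and not Kairos code): resolving a partition by PARTLABEL from `blkid` output, which works whether or not the partition is a LUKS container, as the comment above observes. `ParseBlkid` and `FindByPartLabel` are hypothetical helper names, the input is constructed from the two lines quoted in the issue, and the parser assumes blkid's default `KEY="value"` output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample input: the two blkid lines quoted in the issue.
const sampleBlkid = `/dev/vda5: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent" PARTUUID="8a668fe9-3532-4a9f-abd6-d84d9a40c3a3"
/dev/mapper/vda5: LABEL="COS_PERSISTENT" UUID="c2b049a5-ce9e-436f-98b9-f9c7c6fb195b" BLOCK_SIZE="4096" TYPE="ext4"`

// tagRe matches one KEY="value" pair; assumes values contain no double quotes.
var tagRe = regexp.MustCompile(`([A-Z_]+)="([^"]*)"`)

// ParseBlkid maps each device path to the tags blkid printed for it.
func ParseBlkid(out string) map[string]map[string]string {
	devs := map[string]map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		path, rest, ok := strings.Cut(strings.TrimSpace(line), ": ")
		if !ok {
			continue // not a "device: tags" line
		}
		devs[path] = map[string]string{}
		for _, m := range tagRe.FindAllStringSubmatch(rest, -1) {
			devs[path][m[1]] = m[2]
		}
	}
	return devs
}

// FindByPartLabel returns the device carrying partlabel and whether it is a
// LUKS container. PARTLABEL is not guaranteed unique, so ambiguity is an error.
func FindByPartLabel(devs map[string]map[string]string, partlabel string) (string, bool, error) {
	var found []string
	for path, tags := range devs {
		if partlabel != "" && tags["PARTLABEL"] == partlabel {
			found = append(found, path)
		}
	}
	if len(found) != 1 {
		return "", false, fmt.Errorf("PARTLABEL %q matched %d devices, want 1", partlabel, len(found))
	}
	return found[0], devs[found[0]]["TYPE"] == "crypto_LUKS", nil
}

func main() {
	path, encrypted, err := FindByPartLabel(ParseBlkid(sampleBlkid), "persistent")
	fmt.Println(path, encrypted, err)
}
```

Looking up the filesystem label `COS_PERSISTENT` through the same function fails, because that tag only exists on the mapper device as `LABEL`, not as `PARTLABEL`.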

@jimmykarily added the bug, triage and unconfirmed labels May 22, 2024
@ci-robbot added the question label May 22, 2024
@ci-robbot
Collaborator

Hello, I'm an experiment by @mudler and @jimmykarily. Thank you for creating an issue in the kairos repository. I see that you've mentioned the difference in partition encryption implementation between UKI and non-UKI installations, and how you believe we should allow any partition to be encrypted.

To provide more clarity, please make sure to include a description of the issue and, if it's a bug, steps to reproduce it. Additionally, kindly mention the versions of the relevant artifacts you're using.

Your input is valuable, and once the issue meets the project's requirements, it will be triaged by assigning the 'triage' label. If you have any further questions or need assistance, feel free to reach out. Thank you.
