Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LUKS2 enablement: alternative take #1383

Merged
merged 4 commits into from
May 8, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions package/yast2-storage-ng.changes
Original file line number Diff line number Diff line change
@@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue May 7 14:38:42 UTC 2024 - Ancor Gonzalez Sosa <ancor@suse.com>

- Proposal: Make the encryption method and the key derivation
function configurable by product.
- Partitioner: LUKS2 is always available and used by default, with
PBKDF2 as default derivation function (related to bsc#1185291).
- 5.0.14

-------------------------------------------------------------------
Wed Apr 24 07:48:08 UTC 2024 - Ancor Gonzalez Sosa <ancor@suse.com>

Expand Down
2 changes: 1 addition & 1 deletion package/yast2-storage-ng.spec
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
#

Name: yast2-storage-ng
Version: 5.0.13
Version: 5.0.14
Release: 0
Summary: YaST2 - Storage Configuration
License: GPL-2.0-only OR GPL-3.0-only
Expand Down
75 changes: 0 additions & 75 deletions src/lib/installation/console/plugins/luks2_checkbox.rb

This file was deleted.

16 changes: 14 additions & 2 deletions src/lib/y2partitioner/actions/controllers/encryption.rb
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,8 @@ def initialize(fs_controller)
@fs_controller = fs_controller
@action = actions.first
@password = encryption&.password || ""
@pbkdf = encryption&.pbkdf
@method = initial_method
@pbkdf = initial_pbkdf
@apqns = initial_apqns
@label = initial_label
end
Expand Down Expand Up @@ -215,10 +215,22 @@ def initial_method
if methods.include?(encryption&.method)
encryption.method
else
Y2Storage::EncryptionMethod::LUKS1
Y2Storage::EncryptionMethod::LUKS2
end
end

# Initial password-based key derivation function, if relevant
#
# @return [Y2Storage::PbkdFunction, nil]
def initial_pbkdf
function = encryption&.pbkdf
return function unless function.nil? && method.is?(:luks2)

# Hardcoded conservative default, we can either change it or make it configurable
# (see Y2Storage::Configuration) in the future if needed.
Y2Storage::PbkdFunction::PBKDF2
end

# Currently used APQNs when the device is encrypted with pervasive encryption
#
# @return [Array<Y2Storage::EncryptionProcesses::Apqn>]
Expand Down
6 changes: 0 additions & 6 deletions src/lib/y2storage/encryption_method/luks2.rb
Original file line number Diff line number Diff line change
Expand Up @@ -60,12 +60,6 @@ def create_device(blk_device, dm_name, pbkdf: nil, label: "")
encryption_process.create_device(blk_device, dm_name, pbkdf: pbkdf, label: label)
end

# @see Base#available?
def available?
# jsc#PED-3878 and jsc#GEHC-6
Yast::Mode.auto || StorageEnv.instance.luks2_available?
end

private

# @see Base#encryption_process
Expand Down
11 changes: 10 additions & 1 deletion src/lib/y2storage/proposal_settings.rb
Original file line number Diff line number Diff line change
Expand Up @@ -448,9 +448,18 @@ def load_features

# Loads the default encryption settings
#
# The encryption settings are not part of control.xml, but can be injected by a previous step of
# The default encryption settings can be read from control.xml.
#
# Additionally, the encryption password can be injected by a previous step of
# the installation, eg. the dialog of the Common Criteria system role
def load_encryption
enc_method = EncryptionMethod.find(feature(:proposal, :encryption_method).to_s)
self.encryption_method = enc_method if enc_method

enc_pbkdf = PbkdFunction.find(feature(:proposal, :encryption_pbkdf))
self.encryption_pbkdf = enc_pbkdf if enc_pbkdf

# Password potentially injected by a previous step
enc = feature(:proposal, :encryption)

return unless enc
Expand Down
14 changes: 1 addition & 13 deletions src/lib/y2storage/storage_env.rb
Original file line number Diff line number Diff line change
Expand Up @@ -32,13 +32,11 @@ class StorageEnv

ENV_ACTIVATE_LUKS = "YAST_ACTIVATE_LUKS".freeze

ENV_LUKS2_AVAILABLE = "YAST_LUKS2_AVAILABLE".freeze

ENV_LIBSTORAGE_IGNORE_PROBE_ERRORS = "LIBSTORAGE_IGNORE_PROBE_ERRORS".freeze

ENV_REUSE_LVM = "YAST_REUSE_LVM".freeze

private_constant :ENV_MULTIPATH, :ENV_BIOS_RAID, :ENV_ACTIVATE_LUKS, :ENV_LUKS2_AVAILABLE
private_constant :ENV_MULTIPATH, :ENV_BIOS_RAID, :ENV_ACTIVATE_LUKS
private_constant :ENV_LIBSTORAGE_IGNORE_PROBE_ERRORS
private_constant :ENV_REUSE_LVM

Expand Down Expand Up @@ -82,16 +80,6 @@ def activate_luks?
active?(ENV_ACTIVATE_LUKS, default: true)
end

# Whether YaST should offer the encryption method for regular LUKS2
#
# See jsc#SLE-21309 where is stated that YaST support to setup LUKS2 devices should be
# "available only via a special Linuxrc option and communicated as a tech preview".
#
# @return [Boolean]
def luks2_available?
active?(ENV_LUKS2_AVAILABLE, default: false)
end

# Whether YaST should reuse existing LVM
#
# see jsc#PED-6407 or jsc#IBM-1315
Expand Down
114 changes: 0 additions & 114 deletions test/installation/console/plugins/luks2_checkbox_test.rb

This file was deleted.

4 changes: 2 additions & 2 deletions test/y2partitioner/actions/controllers/encryption_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@
let(:dev_name) { "/dev/vda2" }

it "assigns the default encryption method" do
expect(subject.method.is?(:luks1)).to eq(true)
expect(subject.method.is?(:luks2)).to eq(true)
end
end

Expand All @@ -78,7 +78,7 @@
end

it "assigns the default encryption method" do
expect(subject.method.is?(:luks1)).to eq(true)
expect(subject.method.is?(:luks2)).to eq(true)
end
end
end
Expand Down
Loading
Loading