cryptsetup: add support for ICE flag

* cryptsetup: add support for ICE flag Signed-off-by: Ondrej Kubik <[email protected]> * cryptsetup: add tests for ICE flag use Signed-off-by: Ondrej Kubik <[email protected]> * luks2: mock cryptsetup in TestFormatWithInlineCryptoEngine The `--inline-crypto-engine` commandline option is only understood by specific version of cryptsetup so the usual `testFormat()` code cannot be run (it will create an actual container). Instead just mock the command and check that the right cmdline options are passed to cryptsetup. --------- Signed-off-by: Ondrej Kubik <[email protected]> Co-authored-by: Michael Vogt <[email protected]>
canonical · Sep 28, 2023 · 0de3f4c · 0de3f4c
1 parent cae912e
commit 0de3f4c
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/crypt.go b/crypt.go
@@ -554,13 +554,17 @@ type InitializeLUKS2ContainerOptions struct {
 	// the initial keyslot. If this is empty, then the name will be
 	// set to "default".
 	InitialKeyslotName string
+
+	// InlineCryptoEngine set flag if to use Inline Crypto Engine
+	InlineCryptoEngine bool
 }
 
 func (o *InitializeLUKS2ContainerOptions) formatOpts() *luks2.FormatOptions {
 	return &luks2.FormatOptions{
 		MetadataKiBSize:     o.MetadataKiBSize,
 		KeyslotsAreaKiBSize: o.KeyslotsAreaKiBSize,
-		KDFOptions:          o.KDFOptions.luksOpts()}
+		KDFOptions:          o.KDFOptions.luksOpts(),
+		InlineCryptoEngine:  o.InlineCryptoEngine}
 }
 
 // InitializeLUKS2Container will initialize the partition at the specified devicePath

diff --git a/internal/luks2/cryptsetup.go b/internal/luks2/cryptsetup.go
@@ -205,6 +205,9 @@ type FormatOptions struct {
 	// KDFOptions describes the KDF options for the initial
 	// key slot.
 	KDFOptions KDFOptions
+
+	// InlineCryptoEngine set flag if to use Inline Crypto Engine
+	InlineCryptoEngine bool
 }
 
 func (options *FormatOptions) validate(cipher string) error {
@@ -327,6 +330,10 @@ func Format(devicePath, label string, key []byte, opts *FormatOptions) error {
 
 	// apply options
 	args = opts.appendArguments(args)
+	if opts.InlineCryptoEngine {
+		// use inline crypto engine
+		args = append(args, "--inline-crypto-engine")
+	}
 
 	args = append(args,
 		// device to format

diff --git a/internal/luks2/cryptsetup_test.go b/internal/luks2/cryptsetup_test.go
@@ -410,6 +410,23 @@ func (s *cryptsetupSuite) TestFormatWithInvalidKeyslotsAreaSize(c *C) {
 	c.Check(Format(devicePath, "", make([]byte, 32), &FormatOptions{KeyslotsAreaKiBSize: 41}), ErrorMatches, "cannot set keyslots area size to 41 KiB")
 }
 
+func (s *cryptsetupSuite) TestFormatWithInlineCryptoEngine(c *C) {
+	mockCryptsetup := snapd_testutil.MockCommand(c, "cryptsetup", "")
+	defer mockCryptsetup.Restore()
+
+	key := make([]byte, 32)
+	rand.Read(key)
+	options := &FormatOptions{
+		KDFOptions: KDFOptions{
+			MemoryKiB: 32 * 1024, ForceIterations: 4},
+		KeyslotsAreaKiBSize: 2 * 1024,
+		InlineCryptoEngine:  true}
+	err := Format("some-path", "test", key, options)
+	c.Check(err, IsNil)
+	c.Assert(mockCryptsetup.Calls(), HasLen, 1)
+	c.Check(mockCryptsetup.Calls()[0], snapd_testutil.Contains, "--inline-crypto-engine")
+}
+
 type testAddKeyData struct {
 	key     []byte
 	options *AddKeyOptions