Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AutoYaST (SLE-15-SP6): support for advanced LUKS(2) settings #1355

Merged
merged 5 commits into from
Sep 22, 2023
Merged

AutoYaST (SLE-15-SP6): support for advanced LUKS(2) settings #1355

merged 5 commits into from
Sep 22, 2023

Conversation

ancorgs
Copy link
Contributor

@ancorgs ancorgs commented Sep 22, 2023
edited
Loading

Problem

AutoYaST does not officially support LUKS2 or setting any of its advanced options.

In fact, preliminary support for LUKS2 was added to YaST at SLE-15-SP4 targeting only the interactive installation. That's explained at the description of #1245. Since there was no feedback about it, the feature was not developed any further.

As a consequence, LUKS2 works partially in AutoYaST if the boot argument YAST_LUKS2_AVAILABLE is used during installation. But there is no way to configure via AutoYaST some of the parameters than can be tweaked in the UI (like the PBKDF or the LUKS2 label). LUKS2 support for AutoYaST is not even officially documented.

But some SUSE customers want to configure LUKS2 devices during installation using AutoYaST, tweaking some of the luksFormat parameters. Even on already released versions of SLE.

Solution

This pull request removes the need to use YAST_LUKS2_AVAILABLE for using LUKS2 with AutoYaST. It's still needed in interactive installation or the UI corresponding to LUKS2 will be hidden.

This also adds support for four new attributes in a <partition> section of AutoYaST: <crypt_pbkdf>, <crypt_label>, <crypt_cipher> and <crypt_key_size>.

Those new attributes are honored when present in an AutoYaST profile (in those cases that make sense) and are also exported to the generated AutoYaST profile when cloning the system.

This pull request targets SLE-15-SP6.

Extra

This pull request also includes a relatively big commit to refactor a bit the class Y2Storage::AutoinstProfile::PartitionSection, encapsulating the logic for exporting (ie. cloning the system) into an new inner class PartitionExporter.

That was triggered by Rubocop complaining about PartitionSection being too long and complex.

The refactoring is far from being a final solution, but it's likely a step into the right direction without introducing much disruption (despite its size, the commit actually just relocates and reorganizes existing code well covered by unit tests).

Code review

As mentioned, most of the changes correspond to the code reorganization that actually should change nothing. To distinguish the trees from the forest it's highly advised to review commit by commit.

Automated Testing

This pull request includes automated unit tests to verify the following aspects:

  • The new attributes <crypt_cipher> and <crypt_key_size> are honored for devices encrypted with the LUKS1 and LUKS2 encryption methods.
  • The new attributes <crypt_pbkdf> and <crypt_label> are honored for devices encrypted with the LUKS2 encryption method.
  • The four attributes are ignored for all other encryptions methods (like SECURE_SWAP).
  • AutoYaST suggests to create an extra unencrypted /boot partition if LUKS2 is used for root with a password-based key derivation function not supported by Grub2.
  • AutoYaST does not suggest a separate /boot if root is encrypted with LUKS2 using PBKDF2 as derivation function.
  • Cloning a system writes the new attributes to the AutoYaST profile if they are known and make sense.

Manual Testing

Apart from the mentioned unit tests, this pull request has been successfully tested in a patched SLE-15-SP5 with the following AutoYaST definition. The result looks as expected.

Expand to see the input AutoYaST profile 
<partitions t="list">
        <partition>
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">true</format>
          <mount>/</mount>
          <size>12G</size>
        </partition>
        <partition>
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <mount>/home/crypt1</mount>
          <size>3G</size>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_key>linuxlinux</crypt_key>
          <crypt_label>aesPBKDF2</crypt_label>
          <crypt_pbkdf t="symbol">pbkdf2</crypt_pbkdf>
        </partition>
        <partition>
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <mount>/home/crypt2</mount>
          <size>3G</size>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_key>linuxlinux</crypt_key>
          <crypt_cipher>capi:xts(aes)-plain64</crypt_cipher>
        </partition>
        <partition>
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <mount>/home/crypt3</mount>
          <size>3G</size>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_key>linuxlinux</crypt_key>
          <crypt_key_size t="integer">256</crypt_key_size>
        </partition>
        <partition>
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <mount>/home/crypt4</mount>
          <size>3G</size>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_key>linuxlinux</crypt_key>
          <crypt_pbkdf t="symbol">argon2i</crypt_pbkdf>
          <crypt_label>twoFish512</crypt_label>
          <crypt_cipher>twofish-xts-plain64</crypt_cipher>
          <crypt_key_size t="integer">512</crypt_key_size>
        </partition>
        <partition>
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <mount>/home/crypt5</mount>
          <size>3G</size>
          <crypt_method t="symbol">luks1</crypt_method>
          <crypt_key>linuxlinux</crypt_key>
        </partition>
      </partitions>

To complete the manual testing, the system resulting from the previously mentioned autoinstallation was clonned. It resulted in the expected profile (obviously more verbose than the input profile).

Expand to see the cloned AutoYaST profile 
<partitions t="list">
        <partition t="map">
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">false</format>
          <lv_name>root</lv_name>
          <pool t="boolean">false</pool>
          <resize t="boolean">false</resize>
          <size>16106127360</size>
          <stripes t="integer">1</stripes>
          <stripesize t="integer">0</stripesize>
        </partition>
      </partitions>
      <pesize>4194304</pesize>
      <type t="symbol">CT_LVM</type>
    </drive>
    <drive t="map">
      <device>/dev/sda</device>
      <disklabel>gpt</disklabel>
      <partitions t="list">
        <partition t="map">
          <create t="boolean">false</create>
          <filesystem t="symbol">vfat</filesystem>
          <format t="boolean">true</format>
          <partition_id t="integer">259</partition_id>
          <partition_nr t="integer">1</partition_nr>
          <resize t="boolean">false</resize>
          <size>104857600</size>
        </partition>
        <partition t="map">
          <create t="boolean">false</create>
          <filesystem t="symbol">ntfs</filesystem>
          <format t="boolean">true</format>
          <partition_id t="integer">18</partition_id>
          <partition_nr t="integer">4</partition_nr>
          <resize t="boolean">false</resize>
          <size>655360000</size>
        </partition>
      </partitions>
      <type t="symbol">CT_DISK</type>
      <use>1,4</use>
    </drive>
    <drive t="map">
      <device>/dev/sdb</device>
      <disklabel>gpt</disklabel>
      <enable_snapshots t="boolean">false</enable_snapshots>
      <partitions t="list">
        <partition t="map">
          <create t="boolean">true</create>
          <format t="boolean">false</format>
          <partition_id t="integer">263</partition_id>
          <partition_nr t="integer">1</partition_nr>
          <resize t="boolean">false</resize>
          <size>4194304</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">true</format>
          <mount>/</mount>
          <mountby t="symbol">uuid</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">2</partition_nr>
          <resize t="boolean">false</resize>
          <size>12884901888</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <crypt_cipher>aes-xts-plain64</crypt_cipher>
          <crypt_key>ENTER KEY HERE</crypt_key>
          <crypt_key_size t="integer">512</crypt_key_size>
          <crypt_label>aesPBKDF2</crypt_label>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_pbkdf t="symbol">pbkdf2</crypt_pbkdf>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">true</format>
          <loop_fs t="boolean">true</loop_fs>
          <mount>/home/crypt1</mount>
          <mountby t="symbol">device</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">3</partition_nr>
          <resize t="boolean">false</resize>
          <size>3221225472</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <crypt_cipher>capi:xts(aes)-plain64</crypt_cipher>
          <crypt_key>ENTER KEY HERE</crypt_key>
          <crypt_key_size t="integer">256</crypt_key_size>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_pbkdf t="symbol">argon2id</crypt_pbkdf>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">true</format>
          <loop_fs t="boolean">true</loop_fs>
          <mount>/home/crypt2</mount>
          <mountby t="symbol">device</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">4</partition_nr>
          <resize t="boolean">false</resize>
          <size>3221225472</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <crypt_cipher>aes-xts-plain64</crypt_cipher>
          <crypt_key>ENTER KEY HERE</crypt_key>
          <crypt_key_size t="integer">256</crypt_key_size>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_pbkdf t="symbol">argon2id</crypt_pbkdf>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">true</format>
          <loop_fs t="boolean">true</loop_fs>
          <mount>/home/crypt3</mount>
          <mountby t="symbol">device</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">5</partition_nr>
          <resize t="boolean">false</resize>
          <size>3221225472</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <crypt_cipher>twofish-xts-plain64</crypt_cipher>
          <crypt_key>ENTER KEY HERE</crypt_key>
          <crypt_key_size t="integer">512</crypt_key_size>
          <crypt_label>twoFish512</crypt_label>
          <crypt_method t="symbol">luks2</crypt_method>
          <crypt_pbkdf t="symbol">argon2i</crypt_pbkdf>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">true</format>
          <loop_fs t="boolean">true</loop_fs>
          <mount>/home/crypt4</mount>
          <mountby t="symbol">device</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">6</partition_nr>
          <resize t="boolean">false</resize>
          <size>3221225472</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <crypt_cipher>aes-xts-plain64</crypt_cipher>
          <crypt_key>ENTER KEY HERE</crypt_key>
          <crypt_key_size t="integer">512</crypt_key_size>
          <crypt_method t="symbol">luks1</crypt_method>
          <filesystem t="symbol">xfs</filesystem>
          <format t="boolean">true</format>
          <loop_fs t="boolean">true</loop_fs>
          <mount>/home/crypt5</mount>
          <mountby t="symbol">device</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">7</partition_nr>
          <resize t="boolean">false</resize>
          <size>3221225472</size>
        </partition>
      </partitions>

Dependencies

This depends on the corresponding updates on two other repositories:

@ancorgs ancorgs mentioned this pull request Sep 22, 2023
Closed
@coveralls
Copy link

coveralls commented Sep 22, 2023
edited
Loading

Coverage Status

coverage: 97.76% (+0.004%) from 97.756% when pulling 4c4cf2c on ancorgs:luks_advanced_sp6 into e8fe69f on yast:SLE-15-SP6.

joseivanlopez
joseivanlopez approved these changes Sep 22, 2023
View reviewed changes
Copy link
Contributor

@joseivanlopez joseivanlopez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Great work!

@ancorgs ancorgs mentioned this pull request Sep 22, 2023
Merged
@ancorgs ancorgs merged commit f3932b2 into yast:SLE-15-SP6 Sep 22, 2023
5 checks passed
@yast-bot
Copy link

✔️ Internal Jenkins job #3 successfully finished
✔️ Created IBS submit request #308067

This was referenced Sep 22, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joseivanlopez joseivanlopez joseivanlopez approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ancorgs @coveralls @yast-bot @joseivanlopez