Support unencrypted boot partition

This commit is contained in:
abalfoort 2022-04-21 16:39:07 +02:00
parent 33b4fd3a20
commit 73d09977fc
2 changed files with 48 additions and 7 deletions

28
src/modules/fstab/main.py Normal file → Executable file

@ -142,13 +142,21 @@ class FstabGenerator(object):
with open(crypttab_path, "w") as crypttab_file:
print(CRYPTTAB_HEADER, file=crypttab_file)
# Check if /boot is unencrypted
unencrypted_separate_boot = False
for partition in self.partitions:
dct = self.generate_crypttab_line_info(partition)
if (partition["mountPoint"] == "/boot"
and "luksMapperName" not in partition):
unencrypted_separate_boot = True
break
for partition in self.partitions:
dct = self.generate_crypttab_line_info(partition, unencrypted_separate_boot)
if dct:
self.print_crypttab_line(dct, file=crypttab_file)
def generate_crypttab_line_info(self, partition):
def generate_crypttab_line_info(self, partition, unencrypted_separate_boot):
""" Generates information for each crypttab entry. """
if "luksMapperName" not in partition or "luksUuid" not in partition:
return None
@ -158,11 +166,19 @@ class FstabGenerator(object):
if not mapper_name or not luks_uuid:
return None
# Set crypttab password for partition to none and remove crypttab options
# on root partition when /boot is unencrypted
password = "/crypto_keyfile.bin"
crypttab_options = self.crypttab_options
if partition["mountPoint"] == "/" and unencrypted_separate_boot:
password = 'none'
crypttab_options = ''
return dict(
name=mapper_name,
device="UUID=" + luks_uuid,
password="/crypto_keyfile.bin",
options=self.crypttab_options,
password=password,
options=crypttab_options,
)
def print_crypttab_line(self, dct, file=None):
@ -264,6 +280,10 @@ class FstabGenerator(object):
options = "subvol={},".format(partition["subvol"]) + options
if has_luks:
# Check if user mounted a previously encrypted partition
if not partition["luksMapperName"]:
return None
device = "/dev/mapper/" + partition["luksMapperName"]
elif partition["uuid"]:
device = "UUID=" + partition["uuid"]
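Review bot: The /boot detection in the first hunk treats a partition as unencrypted only when the `luksMapperName` key is absent, while the fstab path in the third hunk (`if not partition["luksMapperName"]: return None`) already handles a partition that carries the key with an empty value ("a previously encrypted partition"); such a /boot would not be detected, and the root crypttab entry would keep the `/crypto_keyfile.bin` password even though the keyfile is not supposed to be used in that layout. Writing the check as `and not partition.get("luksMapperName")` makes the two tests agree. The new `unencrypted_separate_boot` parameter of `generate_crypttab_line_info` has no default, so any other caller of that method would now fail with a TypeError; `def generate_crypttab_line_info(self, partition, unencrypted_separate_boot=False):` keeps the signature backward-compatible. Setting `crypttab_options = ''` also discards whatever was configured in `self.crypttab_options` for the root entry, which is presumably intended but deserves a comment such as `# configured crypttab options (e.g. keyfile-related) are dropped for root, which is unlocked by passphrase`, worded to match what the options actually contain.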

27
src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp Normal file → Executable file

@ -172,6 +172,22 @@ hasUnencryptedSeparateBoot()
return false;
}
static bool
hasEncryptedRoot()
{
const QVariantList partitions = ::partitions();
for ( const QVariant& partition : partitions )
{
QVariantMap partitionMap = partition.toMap();
QString mountPoint = partitionMap.value( QStringLiteral( "mountPoint" ) ).toString();
if ( QDir::cleanPath( mountPoint ) == QStringLiteral( "/" ) )
{
return partitionMap.contains( QStringLiteral( "luksMapperName" ) );
}
}
return false;
}
Calamares::JobResult
LuksBootKeyFileJob::exec()
{
@ -218,9 +234,10 @@ LuksBootKeyFileJob::exec()
}
// /boot partition is not encrypted, keyfile must not be used
if ( hasUnencryptedSeparateBoot() )
// But only if root partition is not encrypted
if ( hasUnencryptedSeparateBoot() && !hasEncryptedRoot() )
{
cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
return Calamares::JobResult::ok();
}
@ -241,7 +258,11 @@ LuksBootKeyFileJob::exec()
for ( const auto& d : s.devices )
{
if ( !setupLuks( d ) )
// Skip setupLuks for root partition if system has an unencrypted /boot
if ( d.isRoot && hasUnencryptedSeparateBoot() )
continue;
if ( !setupLuks( d ) )
return Calamares::JobResult::error(
tr( "Encrypted rootfs setup error" ),
tr( "Could not configure LUKS key file on partition %1." ).arg( d.device ) );
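Review bot: `hasEncryptedRoot()` in the first hunk reports root as encrypted whenever the `luksMapperName` key is present, but the fstab module changed in the same commit treats a present-but-empty `luksMapperName` as a previously encrypted partition that is now mounted unencrypted, so such a root would count as encrypted here and the keyfile would still be created; `return !partitionMap.value( QStringLiteral( "luksMapperName" ) ).toString().isEmpty();` keeps the two checks consistent (whether `hasUnencryptedSeparateBoot()` has the same weakness cannot be seen, as its body lies outside the hunk). In the device loop of the last hunk, `hasUnencryptedSeparateBoot()` re-reads the partition list from global storage on every iteration; hoisting it into `const bool unencryptedBoot = hasUnencryptedSeparateBoot();` before the loop and writing `if ( d.isRoot && unencryptedBoot ) { continue; }` avoids that and matches the braced style of the surrounding code. The unchanged log line "/boot partition is not encrypted, skipping keyfile creation." no longer describes the full condition, which now also requires an unencrypted root, so the message (or the comment above it) should say that the keyfile is skipped only when neither /boot nor root is encrypted. The root skip in the last hunk would benefit from a why-comment, e.g. `// With an unencrypted /boot the keyfile must not be able to open root; root is unlocked by passphrase (crypttab password 'none')`, which is the rationale the fstab change records.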