From 73d09977fc9e333fc693eae4ca77e89de9b95fdd Mon Sep 17 00:00:00 2001
From: abalfoort
Date: Thu, 21 Apr 2022 16:39:07 +0200
Subject: [PATCH] Support unencrypted boot partition
---
 src/modules/fstab/main.py | 28 ++++++++++++++++---
 .../luksbootkeyfile/LuksBootKeyFileJob.cpp | 27 ++++++++++++++++--
 2 files changed, 48 insertions(+), 7 deletions(-)
 mode change 100644 => 100755 src/modules/fstab/main.py
 mode change 100644 => 100755 src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
diff --git a/src/modules/fstab/main.py b/src/modules/fstab/main.py
old mode 100644
new mode 100755
index 9bc427b13..e65e36445
--- a/src/modules/fstab/main.py
+++ b/src/modules/fstab/main.py
@@ -142,13 +142,21 @@ class FstabGenerator(object):
 with open(crypttab_path, "w") as crypttab_file:
 print(CRYPTTAB_HEADER, file=crypttab_file)
+ # Check if /boot is unencrypted
+ unencrypted_separate_boot = False
 for partition in self.partitions:
- dct = self.generate_crypttab_line_info(partition)
+ if (partition["mountPoint"] == "/boot"
+ and "luksMapperName" not in partition):
+ unencrypted_separate_boot = True
+ break
+
+ for partition in self.partitions:
+ dct = self.generate_crypttab_line_info(partition, unencrypted_separate_boot)
 if dct:
 self.print_crypttab_line(dct, file=crypttab_file)
- def generate_crypttab_line_info(self, partition):
+ def generate_crypttab_line_info(self, partition, unencrypted_separate_boot):
 """ Generates information for each crypttab entry. """
 if "luksMapperName" not in partition or "luksUuid" not in partition:
 return None
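Review bot: The /boot detection added at the top of the hunk compares `partition["mountPoint"] == "/boot"` literally and indexes the key directly, while the C++ side of this same commit normalizes the mount point with `QDir::cleanPath` before comparing; a trailing slash, or a partition dict without a mountPoint key, makes the two sides disagree (a KeyError here, or a root crypttab entry written with `/crypto_keyfile.bin` as password while the keyfile job never enrolls it on root). Mirror the normalization: `mount_point = partition.get("mountPoint", "")` and `if mount_point.rstrip("/") == "/boot" and "luksMapperName" not in partition:`. Whether mountPoint can be absent is not visible from the hunk, but the existing `"luksMapperName" not in partition` guards suggest partition keys are optional. The flag-and-break loop is also just `any(...)` over self.partitions, which reads more clearly. The enclosing method that opens crypttab_path starts before this hunk.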
@@ -158,11 +166,19 @@ class FstabGenerator(object):
 if not mapper_name or not luks_uuid:
 return None
+ # Set crypttab password for partition to none and remove crypttab options
+ # on root partition when /boot is unencrypted
+ password = "/crypto_keyfile.bin"
+ crypttab_options = self.crypttab_options
+ if partition["mountPoint"] == "/" and unencrypted_separate_boot:
+ password = 'none'
+ crypttab_options = ''
+
 return dict(
 name=mapper_name,
 device="UUID=" + luks_uuid,
- password="/crypto_keyfile.bin",
- options=self.crypttab_options,
+ password=password,
+ options=crypttab_options,
 )
 def print_crypttab_line(self, dct, file=None):
@@ -264,6 +280,10 @@ class FstabGenerator(object):
 options = "subvol={},".format(partition["subvol"]) + options
 if has_luks:
+ # Check if user mounted a previously encrypted partition
+ if not partition["luksMapperName"]:
+ return None
+
 device = "/dev/mapper/" + partition["luksMapperName"]
 elif partition["uuid"]:
 device = "UUID=" + partition["uuid"]
diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
old mode 100644
new mode 100755
index 137cb750d..38658a7a9
--- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
+++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
@@ -172,6 +172,22 @@ hasUnencryptedSeparateBoot()
 return false;
 }
+static bool
+hasEncryptedRoot()
+{
+ const QVariantList partitions = ::partitions();
+ for ( const QVariant& partition : partitions )
+ {
+ QVariantMap partitionMap = partition.toMap();
+ QString mountPoint = partitionMap.value( QStringLiteral( "mountPoint" ) ).toString();
+ if ( QDir::cleanPath( mountPoint ) == QStringLiteral( "/" ) )
+ {
+ return partitionMap.contains( QStringLiteral( "luksMapperName" ) );
+ }
+ }
+ return false;
+}
+
 Calamares::JobResult
 LuksBootKeyFileJob::exec()
 {
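Review bot: `crypttab_options = ''` on the root entry discards every configured option, not only the ones tied to the keyfile; if `self.crypttab_options` carries flags such as `discard` (its content is not visible here), root silently loses them while every other LUKS entry keeps them. Strip only the keyfile-specific part instead, e.g. `crypttab_options = ",".join(o for o in self.crypttab_options.split(",") if not o.startswith("keyscript="))`. The comment should also say why the password becomes `none`: presumably because an unencrypted /boot leaves the initramfs readable without unlocking anything, so `/crypto_keyfile.bin` must not be relied on for root and the user is prompted instead, e.g. `# /boot (and the initramfs on it) is unencrypted, so a keyfile there would expose the root key: unlock root interactively`. The `'none'` and `''` literals use single quotes where the surrounding code uses double quotes. The enclosing generate_crypttab_line_info starts before this hunk.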
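Review bot: Returning None under `if not partition["luksMapperName"]` silently drops the fstab entry for a partition the user chose to mount, with no trace in the installer log; emit a warning naming the mount point before the return (via the module's libcalamares.utils.warning, if it is imported). The test also indexes the key directly, whereas the crypttab side of this file checks `"luksMapperName" not in partition` first; if has_luks (computed before the hunk) does not guarantee the key exists, `if not partition.get("luksMapperName"):` is the safer form. The comment `# Check if user mounted a previously encrypted partition` does not say what is being checked; suggest `# Existing LUKS partition the installer did not unlock: no mapper name, so it cannot be referenced from fstab -- TODO confirm`. The enclosing function starts and ends outside this hunk.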
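Review bot: `hasEncryptedRoot()` reports root as encrypted when the `luksMapperName` key merely exists, but the Python side of this commit treats an empty mapper name as unusable (`if not mapper_name: return None` in the crypttab path and the new `if not partition["luksMapperName"]` guard in the fstab path); a root entry with an empty name would therefore keep the keyfile job active while fstab and crypttab skip it. Check the value instead: `return !partitionMap.value( QStringLiteral( "luksMapperName" ) ).toString().isEmpty();`. The new function also lacks a doc comment; add `/** @brief True if the partition mounted at / carries a LUKS mapper name, i.e. is encrypted. */` above `static bool`.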
@@ -218,9 +234,10 @@ LuksBootKeyFileJob::exec()
 }
 // /boot partition is not encrypted, keyfile must not be used
- if ( hasUnencryptedSeparateBoot() )
+ // But only if root partition is not encrypted
+ if ( hasUnencryptedSeparateBoot() && !hasEncryptedRoot() )
 {
- cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
+ cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
 return Calamares::JobResult::ok();
 }
@@ -241,7 +258,11 @@ LuksBootKeyFileJob::exec()
 for ( const auto& d : s.devices )
 {
- if ( !setupLuks( d ) )
+ // Skip setupLuks for root partition if system has an unencrypted /boot
+ if ( d.isRoot && hasUnencryptedSeparateBoot() )
+ continue;
+
+ if ( !setupLuks( d ) )
 return Calamares::JobResult::error( tr( "Encrypted rootfs setup error" ), tr( "Could not configure LUKS key file on partition %1." ).arg( d.device ) );
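Review bot: The `cDebug()` line is removed and re-added with identical visible text, a whitespace-only change that adds noise to the hunk; drop that pair and keep the original line. The new comment `// But only if root partition is not encrypted` restates the condition without its intent: when /boot is unencrypted but root is encrypted, the keyfile is still generated and enrolled on the non-root LUKS devices (root is skipped in the later per-device loop), so say so, e.g. `// Skip the keyfile only when neither /boot nor root is encrypted; with an encrypted root it is still needed for the other LUKS devices`. `hasUnencryptedSeparateBoot()` is evaluated here and again for every device in the loop below; capturing it once in a local at the top of exec() would keep both decisions on the same answer. exec() starts and ends outside this hunk.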