diff --git a/src/modules/fstab/main.py b/src/modules/fstab/main.py
old mode 100644
new mode 100755
index 9bc427b13..1cfb5e660
--- a/src/modules/fstab/main.py
+++ b/src/modules/fstab/main.py
@@ -158,11 +158,23 @@ class FstabGenerator(object):
         if not mapper_name or not luks_uuid:
             return None
 
+        password = "/crypto_keyfile.bin"
+        crypttab_options = self.crypttab_options
+
+        # Set crypttab password for partition to none and remove crypttab options
+        # on root partition when /boot is unencrypted
+        if partition["mountPoint"] == "/":
+            if any([p["mountPoint"] == "/boot"
+                    and "luksMapperName" not in p
+                    for p in self.partitions]):
+                password = "none"
+                crypttab_options = ""
+
         return dict(
             name=mapper_name,
             device="UUID=" + luks_uuid,
-            password="/crypto_keyfile.bin",
-            options=self.crypttab_options,
+            password=password,
+            options=crypttab_options,
         )
 
     def print_crypttab_line(self, dct, file=None):
@@ -220,7 +232,7 @@ class FstabGenerator(object):
         # Some "fs" names need special handling in /etc/fstab, so remap them.
         filesystem = partition["fs"].lower()
         filesystem = FS_MAP.get(filesystem, filesystem)
-        has_luks = "luksMapperName" in partition
+        luks_mapper_name = partition.get("luksMapperName", None)
         mount_point = partition["mountPoint"]
         disk_name = disk_name_for_partition(partition)
         is_ssd = disk_name in self.ssd_disks
@@ -263,13 +275,19 @@ class FstabGenerator(object):
         if filesystem == "btrfs" and partition.get("subvol",None):
             options = "subvol={},".format(partition["subvol"]) + options
 
-        if has_luks:
-            device = "/dev/mapper/" + partition["luksMapperName"]
+        device = None
+        if luks_mapper_name:
+            device = "/dev/mapper/" + luks_mapper_name
         elif partition["uuid"]:
             device = "UUID=" + partition["uuid"]
         else:
             device = partition["device"]
 
+        if not device:
+            # TODO: we get here when the user mounted a previously encrypted partition
+            # This should be catched early in the process
+            return None
+
         return dict(device=device,
                     mount_point=mount_point,
                     fs=filesystem,
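Review bot: Only the root entry is switched to a passphrase prompt; every other LUKS partition in the same crypttab still gets `password="/crypto_keyfile.bin"` when /boot is unencrypted, so the keyfile must be reachable at boot for those volumes and the comment above the new block should say where it is expected to come from (presumably the already-unlocked root filesystem rather than an initramfs stored on the unencrypted /boot — worth confirming against the initramfs configuration, which this diff does not show). The `any([...])` builds a throwaway list; `any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in self.partitions)` reads the same and stops at the first match. The same "unencrypted separate /boot" test exists as hasUnencryptedSeparateBoot() in LuksBootKeyFileJob.cpp, so a comment naming it would help keep the two in step. The enclosing method starts before this hunk.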
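Review bot: The new `if not device: return None` drops the partition from fstab silently; the TODO says this case should be caught earlier, so until it is, emitting a warning through the module's existing logging before the `return None` would make the missing line diagnosable at install time rather than a surprise at first boot. The comment also has a typo, `catched` should be `caught`. If `partition["device"]` is guaranteed non-empty for every partition that reaches this point, the guard can never fire and the comment should say so; otherwise it is the only place an unmountable entry is detected. The enclosing method starts before this hunk and the `return dict(...)` continues past it.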
diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
old mode 100644
new mode 100755
index 137cb750d..d4a718acf
--- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
+++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
@@ -172,6 +172,22 @@ hasUnencryptedSeparateBoot()
     return false;
 }
 
+static bool
+hasEncryptedRoot()
+{
+    const QVariantList partitions = ::partitions();
+    for ( const QVariant& partition : partitions )
+    {
+        QVariantMap partitionMap = partition.toMap();
+        QString mountPoint = partitionMap.value( QStringLiteral( "mountPoint" ) ).toString();
+        if ( QDir::cleanPath( mountPoint ) == QStringLiteral( "/" ) )
+        {
+            return partitionMap.contains( QStringLiteral( "luksMapperName" ) );
+        }
+    }
+    return false;
+}
+
 Calamares::JobResult
 LuksBootKeyFileJob::exec()
 {
@@ -218,7 +234,8 @@ LuksBootKeyFileJob::exec()
     }
 
     // /boot partition is not encrypted, keyfile must not be used
-    if ( hasUnencryptedSeparateBoot() )
+    // But only if root partition is not encrypted
+    if ( hasUnencryptedSeparateBoot() && !hasEncryptedRoot() )
     {
         cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
         return Calamares::JobResult::ok();
@@ -241,6 +258,10 @@ LuksBootKeyFileJob::exec()
     for ( const auto& d : s.devices )
     {
+        // Skip setupLuks for root partition if system has an unencrypted /boot
+        if ( d.isRoot && hasUnencryptedSeparateBoot() )
+            continue;
+
         if ( !setupLuks( d ) )
             return Calamares::JobResult::error( tr( "Encrypted rootfs setup error" ),
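Review bot: hasEncryptedRoot() decides root by `QDir::cleanPath( mountPoint ) == "/"` while the Python side in fstab/main.py compares `partition["mountPoint"] == "/"` literally, so a mount point that only cleans to `/` would be treated as encrypted root here but keep the keyfile path in crypttab there; either normalise in both places or document that mount points are already canonical when they reach this job. `const QVariantMap partitionMap = partition.toMap();` would match the `const QVariantList` above, since the map is never modified. A one-line comment on the function, e.g. `// True when the partition mounted at "/" carries a LUKS mapper name, i.e. root is encrypted.`, would make its contract explicit. hasUnencryptedSeparateBoot() starts before this hunk; only its tail is visible.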
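Review bot: `hasUnencryptedSeparateBoot()` is evaluated here and again for every device in the loop further down (the `d.isRoot && hasUnencryptedSeparateBoot()` skip in the last hunk), presumably walking the partition list each time; computing it once, `const bool unencryptedBoot = hasUnencryptedSeparateBoot();`, before this check and reusing it in the loop avoids the repeated work and keeps both decisions on the same value. With root encrypted and /boot not, the job now falls through this check and creates the keyfile for the non-root volumes, but the only log line still describes the skipped case; a second cDebug on the fall-through path stating that the keyfile is created but not enrolled on the root device would explain the resulting crypttab to anyone reading the install log. The enclosing exec() starts and ends outside this hunk.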