Merge pull request #1566 from Chrysostomus/calamares

Don't use a keyfile for encrypted partitions if /boot in unecrypted
2020-11-24 16:13:32 +01:00 · 2020-11-24 16:13:32 +01:00 · ccfbd6b972
commit ccfbd6b972
parent 35f8d90591 ff9f47ec83
4 changed files with 40 additions and 5 deletions
--- a/src/modules/grubcfg/main.py
+++ b/src/modules/grubcfg/main.py
@ -90,6 +90,7 @@ def modify_grub_default(partitions, root_mount_point, distributor):
    swap_outer_uuid = ""
    swap_outer_mappername = None
    no_save_default = False
+    unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions)

    for partition in partitions:
        if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"):
@ -239,7 +240,7 @@ def modify_grub_default(partitions, root_mount_point, distributor):
    if not have_distributor_line:
        lines.append(distributor_line)

-    if cryptdevice_params:
+    if cryptdevice_params and not unencrypted_separate_boot:
        lines.append("GRUB_ENABLE_CRYPTODISK=y")

    with open(default_grub, 'w') as grub_file:
--- a/src/modules/initcpiocfg/main.py
+++ b/src/modules/initcpiocfg/main.py
@ -146,8 +146,7 @@ def modify_mkinitcpio_conf(partitions, root_mount_point):
        if partition["mountPoint"] == "/" and "luksMapperName" in partition:
            encrypt_hook = True

-        if (partition["mountPoint"] == "/boot"
-                and "luksMapperName" not in partition):
+        if (partition["mountPoint"] == "/boot" and "luksMapperName" not in partition):
            unencrypted_separate_boot = True

        if partition["mountPoint"] == "/usr":
--- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
+++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
@ -129,6 +129,31 @@ setupLuks( const LuksDevice& d )
    return true;
 }

+// static
+QVariantList
+partitions()
+{
+    Calamares::GlobalStorage* globalStorage = Calamares::JobQueue::instance()->globalStorage();
+    return globalStorage->value( QStringLiteral( "partitions" ) ).toList();
+}
+
+// static
+bool
+hasUnencryptedSeparateBoot()
+{
+    const QVariantList partitions = ::partitions();
+    for ( const QVariant& partition : partitions )
+    {
+        QVariantMap partitionMap = partition.toMap();
+        QString mountPoint = partitionMap.value( QStringLiteral( "mountPoint" ) ).toString();
+        if ( mountPoint == QStringLiteral( "/boot" ) )
+        {
+            return !partitionMap.contains( QStringLiteral( "luksMapperName" ) );
+        }
+    }
+    return false;
+}
+
 Calamares::JobResult
 LuksBootKeyFileJob::exec()
 {
@ -174,6 +199,13 @@ LuksBootKeyFileJob::exec()
        return Calamares::JobResult::ok();
    }

+    // /boot partition is not encrypted, keyfile must not be used
+    if ( hasUnencryptedSeparateBoot() )
+    {
+        cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
+        return Calamares::JobResult::ok();
+    }
+
    if ( s.devices.first().passphrase.isEmpty() )
    {
        cDebug() << Logger::SubEntry << "No root passphrase.";
--- a/src/modules/openrcdmcryptcfg/main.py
+++ b/src/modules/openrcdmcryptcfg/main.py
@ -21,6 +21,7 @@ _ = gettext.translation("calamares-python",
                        fallback=True).gettext


+
 def pretty_name():
    return _("Configuring OpenRC dmcrypt service.")

@ -28,6 +29,7 @@ def pretty_name():
 def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
    crypto_target = ""
    crypto_source = ""
+    unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions)

    for partition in partitions:
        has_luks = "luksMapperName" in partition
@ -36,7 +38,6 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
        if not has_luks and not skip_partitions:
            libcalamares.utils.debug(
                "Skip writing OpenRC LUKS configuration for partition {!s}".format(partition["mountPoint"]))
-
        if has_luks and not skip_partitions:
            crypto_target = partition["luksMapperName"]
            crypto_source = "/dev/disk/by-uuid/{!s}".format(partition["uuid"])
@ -46,7 +47,9 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
            with open(os.path.join(root_mount_point, dmcrypt_conf_path), 'a+') as dmcrypt_file:
                dmcrypt_file.write("\ntarget=" + crypto_target)
                dmcrypt_file.write("\nsource=" + crypto_source)
-                dmcrypt_file.write("\nkey=/crypto_keyfile.bin")
+                # Don't use keyfile if boot is unencrypted, keys must not be stored on unencrypted partitions
+                if not unencrypted_separate_boot:
+                    dmcrypt_file.write("\nkey=/crypto_keyfile.bin")
                dmcrypt_file.write("\n")

        if has_luks and skip_partitions: