From 3eae98eac30cef125dfb65683a5a479527f8a61a Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Tue, 3 Nov 2020 23:15:35 +0200 Subject: [PATCH 01/15] Don't enable grub password query if /boot is on unencrypted partition --- src/modules/grubcfg/main.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/modules/grubcfg/main.py b/src/modules/grubcfg/main.py index 22ef18130..4fd0f7b6b 100644 --- a/src/modules/grubcfg/main.py +++ b/src/modules/grubcfg/main.py @@ -90,6 +90,12 @@ def modify_grub_default(partitions, root_mount_point, distributor): swap_outer_uuid = "" swap_outer_mappername = None no_save_default = False + unencrypted_separate_boot = False + + for partition in partitions: + if (partition["mountPoint"] == "/boot" + and "luksMapperName" not in partition): + unencrypted_separate_boot = True for partition in partitions: if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"): @@ -239,7 +245,7 @@ def modify_grub_default(partitions, root_mount_point, distributor): if not have_distributor_line: lines.append(distributor_line) - if cryptdevice_params: + if cryptdevice_params and not unencrypted_separate_boot: lines.append("GRUB_ENABLE_CRYPTODISK=y") with open(default_grub, 'w') as grub_file: From 9f52282e4c234c0865f3fbf2ddbe501948b7f55b Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Tue, 3 Nov 2020 23:23:56 +0200 Subject: [PATCH 02/15] Don't use keyfile if there /boot is unencrypted --- src/modules/openrcdmcryptcfg/main.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py index 8eb169867..37c6098fd 100644 --- a/src/modules/openrcdmcryptcfg/main.py +++ b/src/modules/openrcdmcryptcfg/main.py @@ -20,6 +20,12 @@ _ = gettext.translation("calamares-python", languages=libcalamares.utils.gettext_languages(), fallback=True).gettext +unencrypted_separate_boot = False + +for partition in partitions: + if (partition["mountPoint"] == "/boot" + and "luksMapperName" not in partition): + unencrypted_separate_boot = True def pretty_name(): return _("Configuring OpenRC dmcrypt service.") @@ -36,8 +42,8 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): if not has_luks and not skip_partitions: libcalamares.utils.debug( "Skip writing OpenRC LUKS configuration for partition {!s}".format(partition["mountPoint"])) - - if has_luks and not skip_partitions: + # Don't use keyfile if boot is unecrypted, keys must not be stored on unencrypted partitions + if has_luks and not skip_partitions and not unencrypted_separate_boot: crypto_target = partition["luksMapperName"] crypto_source = "/dev/disk/by-uuid/{!s}".format(partition["uuid"]) libcalamares.utils.debug( From fe291bc51a280816d4202a0e5dcc51fc0838bdde Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Tue, 3 Nov 2020 23:33:24 +0200 Subject: [PATCH 03/15] Write the crypttab entry still --- src/modules/openrcdmcryptcfg/main.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py index 37c6098fd..efcf3eaed 100644 --- a/src/modules/openrcdmcryptcfg/main.py +++ b/src/modules/openrcdmcryptcfg/main.py @@ -42,8 +42,7 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): if not has_luks and not skip_partitions: libcalamares.utils.debug( "Skip writing OpenRC LUKS configuration for partition {!s}".format(partition["mountPoint"])) - # Don't use keyfile if boot is unecrypted, keys must not be stored on unencrypted partitions - if has_luks and not skip_partitions and not unencrypted_separate_boot: + if has_luks and not skip_partitions: crypto_target = partition["luksMapperName"] crypto_source = "/dev/disk/by-uuid/{!s}".format(partition["uuid"]) libcalamares.utils.debug( @@ -52,7 +51,9 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): with open(os.path.join(root_mount_point, dmcrypt_conf_path), 'a+') as dmcrypt_file: dmcrypt_file.write("\ntarget=" + crypto_target) dmcrypt_file.write("\nsource=" + crypto_source) - dmcrypt_file.write("\nkey=/crypto_keyfile.bin") + # Don't use keyfile if boot is unecrypted, keys must not be stored on unencrypted partitions + if not unencrypted_separate_boot: + dmcrypt_file.write("\nkey=/crypto_keyfile.bin") dmcrypt_file.write("\n") if has_luks and skip_partitions: From 26b1c349d3e1d6daf3f1ee55596fd170be5962cc Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Wed, 4 Nov 2020 19:27:59 +0200 Subject: [PATCH 04/15] Set default value inside the relevant function --- src/modules/openrcdmcryptcfg/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py index efcf3eaed..2aa61b1c7 100644 --- a/src/modules/openrcdmcryptcfg/main.py +++ b/src/modules/openrcdmcryptcfg/main.py @@ -20,7 +20,6 @@ _ = gettext.translation("calamares-python", languages=libcalamares.utils.gettext_languages(), fallback=True).gettext -unencrypted_separate_boot = False for partition in partitions: if (partition["mountPoint"] == "/boot" @@ -34,6 +33,7 @@ def pretty_name(): def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): crypto_target = "" crypto_source = "" + unencrypted_separate_boot = False for partition in partitions: has_luks = "luksMapperName" in partition From 741c1c5d1e00ecb30b1d17ec4dff7d6c027d7957 Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Thu, 5 Nov 2020 01:01:26 +0200 Subject: [PATCH 05/15] Use constructor instead of a loop --- src/modules/grubcfg/main.py | 7 ++----- src/modules/openrcdmcryptcfg/main.py | 6 ++---- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/src/modules/grubcfg/main.py b/src/modules/grubcfg/main.py index 4fd0f7b6b..642e18df2 100644 --- a/src/modules/grubcfg/main.py +++ b/src/modules/grubcfg/main.py @@ -91,11 +91,8 @@ def modify_grub_default(partitions, root_mount_point, distributor): swap_outer_mappername = None no_save_default = False unencrypted_separate_boot = False - - for partition in partitions: - if (partition["mountPoint"] == "/boot" - and "luksMapperName" not in partition): - unencrypted_separate_boot = True + if any(partition["mountPoint"] == "/boot" and "luksMapperName" not in partition for partition in partitions): + unencrypted_separate_boot = True for partition in partitions: if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"): diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py index 2aa61b1c7..097c1bfd5 100644 --- a/src/modules/openrcdmcryptcfg/main.py +++ b/src/modules/openrcdmcryptcfg/main.py @@ -21,10 +21,6 @@ _ = gettext.translation("calamares-python", fallback=True).gettext -for partition in partitions: - if (partition["mountPoint"] == "/boot" - and "luksMapperName" not in partition): - unencrypted_separate_boot = True def pretty_name(): return _("Configuring OpenRC dmcrypt service.") @@ -34,6 +30,8 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): crypto_target = "" crypto_source = "" unencrypted_separate_boot = False + if any(partition["mountPoint"] == "/boot" and "luksMapperName" not in partition for partition in partitions): + unencrypted_separate_boot = True for partition in partitions: has_luks = "luksMapperName" in partition From 73b5c62ab8f1b78fab1c3300d64cbd3e26e96e4e Mon Sep 17 00:00:00 2001 From: Matti Hyttinen Date: Fri, 6 Nov 2020 08:49:22 +0200 Subject: [PATCH 06/15] Update main.py typo in a comment --- src/modules/openrcdmcryptcfg/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py index 097c1bfd5..818ca4963 100644 --- a/src/modules/openrcdmcryptcfg/main.py +++ b/src/modules/openrcdmcryptcfg/main.py @@ -49,7 +49,7 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): with open(os.path.join(root_mount_point, dmcrypt_conf_path), 'a+') as dmcrypt_file: dmcrypt_file.write("\ntarget=" + crypto_target) dmcrypt_file.write("\nsource=" + crypto_source) - # Don't use keyfile if boot is unecrypted, keys must not be stored on unencrypted partitions + # Don't use keyfile if boot is unencrypted, keys must not be stored on unencrypted partitions if not unencrypted_separate_boot: dmcrypt_file.write("\nkey=/crypto_keyfile.bin") dmcrypt_file.write("\n") From 3731dfb1462dc2d28f46e907e5b80c45268ca43b Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Fri, 6 Nov 2020 21:31:28 +0200 Subject: [PATCH 07/15] Try not to create the keyfile if not necessary --- .../luksbootkeyfile/LuksBootKeyFileJob.cpp | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp index 9bd2f66da..940d75be6 100644 --- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp +++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp @@ -129,6 +129,30 @@ setupLuks( const LuksDevice& d ) return true; } +// static +QVariantList +LuksBootKeyFileJob::partitions() +{ + Calamares::GlobalStorage* globalStorage = Calamares::JobQueue::instance()->globalStorage(); + return globalStorage->value( QStringLiteral( "partitions" ) ).toList(); +} + +static bool +LuksBootKeyFileJob::hasUnencryptedSeparateBoot() +{ + const QVariantList partitions = LuksBootKeyFileJob::partitions(); + for ( const QVariant& partition : partitions ) + { + QVariantMap partitionMap = partition.toMap(); + QString mountPoint = partitionMap.value( QStringLiteral( "mountPoint" ) ).toString(); + if ( mountPoint == QStringLiteral( "/boot" ) ) + { + return !partitionMap.contains( QStringLiteral( "luksMapperName" ) ); + } + } + return false; +} + Calamares::JobResult LuksBootKeyFileJob::exec() { @@ -174,6 +198,13 @@ LuksBootKeyFileJob::exec() return Calamares::JobResult::ok(); } + // /boot partition is not encrypted, keyfile must not be used + if ( hasUnencryptedSeparateBoot() ) + { + cDebug() << Logger::SubEntry << "/boot partition is not encryptepted, skipping keyfile creation."; + return Calamares::JobResult::ok(); + } + if ( s.devices.first().passphrase.isEmpty() ) { cDebug() << Logger::SubEntry << "No root passphrase."; From b7cc4860e0ae7f02f2de1be0cef5aab9e5e8bfc7 Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Fri, 6 Nov 2020 21:45:01 +0200 Subject: [PATCH 08/15] Put the condition on a single line for prettiness sake --- src/modules/initcpiocfg/main.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/modules/initcpiocfg/main.py b/src/modules/initcpiocfg/main.py index 6e3de6931..0ccffbf56 100644 --- a/src/modules/initcpiocfg/main.py +++ b/src/modules/initcpiocfg/main.py @@ -146,8 +146,7 @@ def modify_mkinitcpio_conf(partitions, root_mount_point): if partition["mountPoint"] == "/" and "luksMapperName" in partition: encrypt_hook = True - if (partition["mountPoint"] == "/boot" - and "luksMapperName" not in partition): + if (partition["mountPoint"] == "/boot" and "luksMapperName" not in partition): unencrypted_separate_boot = True if partition["mountPoint"] == "/usr": From adc8d7e6247f3da642dc9ef906a8f55455e01ec8 Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Sat, 7 Nov 2020 12:55:54 +0200 Subject: [PATCH 09/15] Fix typo --- src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp index 940d75be6..c68afd65c 100644 --- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp +++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp @@ -201,7 +201,7 @@ LuksBootKeyFileJob::exec() // /boot partition is not encrypted, keyfile must not be used if ( hasUnencryptedSeparateBoot() ) { - cDebug() << Logger::SubEntry << "/boot partition is not encryptepted, skipping keyfile creation."; + cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation."; return Calamares::JobResult::ok(); } From e3ee3c623d21af90969d48e60b57cb37f0928460 Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Mon, 9 Nov 2020 23:24:09 +0200 Subject: [PATCH 10/15] Add some relevant looking stuff to header file --- src/modules/luksbootkeyfile/LuksBootKeyFileJob.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h index 9681228bd..fbfb14b27 100644 --- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h +++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h @@ -30,6 +30,9 @@ public: QString prettyName() const override; Calamares::JobResult exec() override; +private: + static QVariantList partitions(); + static bool hasUnencryptedSeparateBoot(); }; CALAMARES_PLUGIN_FACTORY_DECLARATION( LuksBootKeyFileJobFactory ) From 543a9e1afc43e379641ac9d1f7bc7de6fd537bcc Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Tue, 10 Nov 2020 22:11:49 +0200 Subject: [PATCH 11/15] Remove extra static keyword --- src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp index c68afd65c..89323b36a 100644 --- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp +++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp @@ -137,7 +137,8 @@ LuksBootKeyFileJob::partitions() return globalStorage->value( QStringLiteral( "partitions" ) ).toList(); } -static bool +// static +bool LuksBootKeyFileJob::hasUnencryptedSeparateBoot() { const QVariantList partitions = LuksBootKeyFileJob::partitions(); From 8676ce9a205d3528afa6e1b425216d228c54bbe5 Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Thu, 12 Nov 2020 23:57:02 +0200 Subject: [PATCH 12/15] Simplify the generators --- src/modules/grubcfg/main.py | 4 +--- src/modules/openrcdmcryptcfg/main.py | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/src/modules/grubcfg/main.py b/src/modules/grubcfg/main.py index 642e18df2..f13d6552e 100644 --- a/src/modules/grubcfg/main.py +++ b/src/modules/grubcfg/main.py @@ -90,9 +90,7 @@ def modify_grub_default(partitions, root_mount_point, distributor): swap_outer_uuid = "" swap_outer_mappername = None no_save_default = False - unencrypted_separate_boot = False - if any(partition["mountPoint"] == "/boot" and "luksMapperName" not in partition for partition in partitions): - unencrypted_separate_boot = True + unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions): for partition in partitions: if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"): diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py index 818ca4963..ead8a0a93 100644 --- a/src/modules/openrcdmcryptcfg/main.py +++ b/src/modules/openrcdmcryptcfg/main.py @@ -29,9 +29,7 @@ def pretty_name(): def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): crypto_target = "" crypto_source = "" - unencrypted_separate_boot = False - if any(partition["mountPoint"] == "/boot" and "luksMapperName" not in partition for partition in partitions): - unencrypted_separate_boot = True + unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions): for partition in partitions: has_luks = "luksMapperName" in partition From 09798a2a124acf42bbd13b23c69adbe0b0c508df Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Fri, 13 Nov 2020 00:02:12 +0200 Subject: [PATCH 13/15] Use free functions (I wish I had known I can do this) --- src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp | 6 +++--- src/modules/luksbootkeyfile/LuksBootKeyFileJob.h | 3 --- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp index 89323b36a..ecc42806d 100644 --- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp +++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp @@ -131,7 +131,7 @@ setupLuks( const LuksDevice& d ) // static QVariantList -LuksBootKeyFileJob::partitions() +partitions() { Calamares::GlobalStorage* globalStorage = Calamares::JobQueue::instance()->globalStorage(); return globalStorage->value( QStringLiteral( "partitions" ) ).toList(); @@ -139,9 +139,9 @@ LuksBootKeyFileJob::partitions() // static bool -LuksBootKeyFileJob::hasUnencryptedSeparateBoot() +hasUnencryptedSeparateBoot() { - const QVariantList partitions = LuksBootKeyFileJob::partitions(); + const QVariantList partitions = partitions(); for ( const QVariant& partition : partitions ) { QVariantMap partitionMap = partition.toMap(); diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h index fbfb14b27..9681228bd 100644 --- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h +++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.h @@ -30,9 +30,6 @@ public: QString prettyName() const override; Calamares::JobResult exec() override; -private: - static QVariantList partitions(); - static bool hasUnencryptedSeparateBoot(); }; CALAMARES_PLUGIN_FACTORY_DECLARATION( LuksBootKeyFileJobFactory ) From 567b01eab009395de393d4cddbc38b2c9627e70d Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Fri, 13 Nov 2020 23:39:25 +0200 Subject: [PATCH 14/15] call function at different scope to avoid name collision --- src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp index ecc42806d..3869fb3cd 100644 --- a/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp +++ b/src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp @@ -141,7 +141,7 @@ partitions() bool hasUnencryptedSeparateBoot() { - const QVariantList partitions = partitions(); + const QVariantList partitions = ::partitions(); for ( const QVariant& partition : partitions ) { QVariantMap partitionMap = partition.toMap(); From ff9f47ec83febfc168e9266a0c9a1eb6369f476e Mon Sep 17 00:00:00 2001 From: Chrysostomus Date: Sun, 15 Nov 2020 01:42:16 +0200 Subject: [PATCH 15/15] Fix syntax errors --- src/modules/grubcfg/main.py | 2 +- src/modules/openrcdmcryptcfg/main.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/grubcfg/main.py b/src/modules/grubcfg/main.py index f13d6552e..9e9615a0c 100644 --- a/src/modules/grubcfg/main.py +++ b/src/modules/grubcfg/main.py @@ -90,7 +90,7 @@ def modify_grub_default(partitions, root_mount_point, distributor): swap_outer_uuid = "" swap_outer_mappername = None no_save_default = False - unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions): + unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions) for partition in partitions: if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"): diff --git a/src/modules/openrcdmcryptcfg/main.py b/src/modules/openrcdmcryptcfg/main.py index ead8a0a93..06f21da4b 100644 --- a/src/modules/openrcdmcryptcfg/main.py +++ b/src/modules/openrcdmcryptcfg/main.py @@ -29,7 +29,7 @@ def pretty_name(): def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): crypto_target = "" crypto_source = "" - unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions): + unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions) for partition in partitions: has_luks = "luksMapperName" in partition