napcok/calamares
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1566 from Chrysostomus/calamares

Browse Source 
Don't use a keyfile for encrypted partitions if /boot in unecrypted
This commit is contained in:
Adriaan de Groot 2020-11-24 16:13:32 +01:00 committed by GitHub
commit ccfbd6b972
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 40 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/modules/grubcfg/main.py
View File

@ -90,6 +90,7 @@ def modify_grub_default(partitions, root_mount_point, distributor):
swap_outer_uuid = "" swap_outer_uuid = ""
swap_outer_mappername = None swap_outer_mappername = None
no_save_default = False no_save_default = False
unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions)
for partition in partitions: for partition in partitions:
if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"): if partition["mountPoint"] in ("/", "/boot") and partition["fs"] in ("btrfs", "f2fs"):
@ -239,7 +240,7 @@ def modify_grub_default(partitions, root_mount_point, distributor):
if not have_distributor_line: if not have_distributor_line:
lines.append(distributor_line) lines.append(distributor_line)
if cryptdevice_params: if cryptdevice_params and not unencrypted_separate_boot:
lines.append("GRUB_ENABLE_CRYPTODISK=y") lines.append("GRUB_ENABLE_CRYPTODISK=y")
with open(default_grub, 'w') as grub_file: with open(default_grub, 'w') as grub_file:

3
src/modules/initcpiocfg/main.py
View File

@ -146,8 +146,7 @@ def modify_mkinitcpio_conf(partitions, root_mount_point):
if partition["mountPoint"] == "/" and "luksMapperName" in partition: if partition["mountPoint"] == "/" and "luksMapperName" in partition:
encrypt_hook = True encrypt_hook = True
if (partition["mountPoint"] == "/boot" if (partition["mountPoint"] == "/boot" and "luksMapperName" not in partition):
and "luksMapperName" not in partition):
unencrypted_separate_boot = True unencrypted_separate_boot = True
if partition["mountPoint"] == "/usr": if partition["mountPoint"] == "/usr":

32
src/modules/luksbootkeyfile/LuksBootKeyFileJob.cpp
View File

@ -129,6 +129,31 @@ setupLuks( const LuksDevice& d )
return true; return true;
} }
// static
QVariantList
partitions()
{
Calamares::GlobalStorage* globalStorage = Calamares::JobQueue::instance()->globalStorage();
return globalStorage->value( QStringLiteral( "partitions" ) ).toList();
}
// static
bool
hasUnencryptedSeparateBoot()
{
const QVariantList partitions = ::partitions();
for ( const QVariant& partition : partitions )
{
QVariantMap partitionMap = partition.toMap();
QString mountPoint = partitionMap.value( QStringLiteral( "mountPoint" ) ).toString();
if ( mountPoint == QStringLiteral( "/boot" ) )
{
return !partitionMap.contains( QStringLiteral( "luksMapperName" ) );
}
}
return false;
}
Calamares::JobResult Calamares::JobResult
LuksBootKeyFileJob::exec() LuksBootKeyFileJob::exec()
{ {
@ -174,6 +199,13 @@ LuksBootKeyFileJob::exec()
return Calamares::JobResult::ok(); return Calamares::JobResult::ok();
} }
// /boot partition is not encrypted, keyfile must not be used
if ( hasUnencryptedSeparateBoot() )
{
cDebug() << Logger::SubEntry << "/boot partition is not encrypted, skipping keyfile creation.";
return Calamares::JobResult::ok();
}
if ( s.devices.first().passphrase.isEmpty() ) if ( s.devices.first().passphrase.isEmpty() )
{ {
cDebug() << Logger::SubEntry << "No root passphrase."; cDebug() << Logger::SubEntry << "No root passphrase.";

5
src/modules/openrcdmcryptcfg/main.py
View File

@ -21,6 +21,7 @@ _ = gettext.translation("calamares-python",
fallback=True).gettext fallback=True).gettext
def pretty_name(): def pretty_name():
return _("Configuring OpenRC dmcrypt service.") return _("Configuring OpenRC dmcrypt service.")
@ -28,6 +29,7 @@ def pretty_name():
def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path): def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
crypto_target = "" crypto_target = ""
crypto_source = "" crypto_source = ""
unencrypted_separate_boot = any(p["mountPoint"] == "/boot" and "luksMapperName" not in p for p in partitions)
for partition in partitions: for partition in partitions:
has_luks = "luksMapperName" in partition has_luks = "luksMapperName" in partition
@ -36,7 +38,6 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
if not has_luks and not skip_partitions: if not has_luks and not skip_partitions:
libcalamares.utils.debug( libcalamares.utils.debug(
"Skip writing OpenRC LUKS configuration for partition {!s}".format(partition["mountPoint"])) "Skip writing OpenRC LUKS configuration for partition {!s}".format(partition["mountPoint"]))
if has_luks and not skip_partitions: if has_luks and not skip_partitions:
crypto_target = partition["luksMapperName"] crypto_target = partition["luksMapperName"]
crypto_source = "/dev/disk/by-uuid/{!s}".format(partition["uuid"]) crypto_source = "/dev/disk/by-uuid/{!s}".format(partition["uuid"])
@ -46,6 +47,8 @@ def write_dmcrypt_conf(partitions, root_mount_point, dmcrypt_conf_path):
with open(os.path.join(root_mount_point, dmcrypt_conf_path), 'a+') as dmcrypt_file: with open(os.path.join(root_mount_point, dmcrypt_conf_path), 'a+') as dmcrypt_file:
dmcrypt_file.write("\ntarget=" + crypto_target) dmcrypt_file.write("\ntarget=" + crypto_target)
dmcrypt_file.write("\nsource=" + crypto_source) dmcrypt_file.write("\nsource=" + crypto_source)
# Don't use keyfile if boot is unencrypted, keys must not be stored on unencrypted partitions
if not unencrypted_separate_boot:
dmcrypt_file.write("\nkey=/crypto_keyfile.bin") dmcrypt_file.write("\nkey=/crypto_keyfile.bin")
dmcrypt_file.write("\n") dmcrypt_file.write("\n")