Administration/pmbootstrap-meow
2
0
Fork 0
forked from Mirror/pmbootstrap
Code Pull requests Activity Actions

pmb.install.format: add support for setting FDE passphrase

Browse source 
This adds support for using an environment variable to set the FDE
passphrase, allowing us to automate image creation when using FDE.
The method used here was borrowed from how we set the password with when
using the --password arg: write to a temp file, call something in the
chroot to read/use it, then remove it.

Part-of: https://gitlab.postmarketos.org/postmarketOS/pmbootstrap/-/merge_requests/2538
This commit is contained in:
Clayton Craft 2025-01-27 16:17:58 -08:00
parent 6465a6aa87
commit 561ff0dc4c
No known key found for this signature in database
GPG key ID: 5AE7F5513E0885CB
1 changed files with 32 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

47
pmb/install/format.py
View file

@ -4,6 +4,8 @@ from pmb.helpers import logging
import pmb.chroot import pmb.chroot
from pmb.core import Chroot from pmb.core import Chroot
from pmb.types import PartitionLayout, PmbArgs, PathString from pmb.types import PartitionLayout, PmbArgs, PathString
import os
import tempfile
def install_fsprogs(filesystem: str) -> None: def install_fsprogs(filesystem: str) -> None:
@ -52,21 +54,36 @@ def format_luks_root(args: PmbArgs, device: str) -> None:
# Avoid cryptsetup warning about missing locking directory # Avoid cryptsetup warning about missing locking directory
pmb.chroot.root(["mkdir", "-p", "/run/cryptsetup"]) pmb.chroot.root(["mkdir", "-p", "/run/cryptsetup"])
pmb.chroot.root( format_cmd = [
[ "cryptsetup",
"cryptsetup", "luksFormat",
"luksFormat", "-q",
"-q", "--cipher",
"--cipher", args.cipher,
args.cipher, "--iter-time",
"--iter-time", args.iter_time,
args.iter_time, "--use-random",
"--use-random", device,
device, ]
], open_cmd = ["cryptsetup", "luksOpen"]
output="interactive",
) path_outside = None
pmb.chroot.root(["cryptsetup", "luksOpen", device, "pm_crypt"], output="interactive") fde_key = os.environ.get("PMB_FDE_PASSWORD", None)
if fde_key:
# Write passphrase to a temp file, to avoid printing it in any log
path = tempfile.mktemp(dir="/tmp")
path_outside = Chroot.native() / path
with open(path_outside, "w", encoding="utf-8") as handle:
handle.write(f"{fde_key}")
format_cmd += [str(path)]
open_cmd += ["--key-file", str(path)]
try:
pmb.chroot.root(format_cmd, output="interactive")
pmb.chroot.root([*open_cmd, device, "pm_crypt"], output="interactive")
finally:
if path_outside:
os.unlink(path_outside)
if not (Chroot.native() / mountpoint).exists(): if not (Chroot.native() / mountpoint).exists():
raise RuntimeError("Failed to open cryptdevice!") raise RuntimeError("Failed to open cryptdevice!")