pmb.install.format: add support for setting FDE passphrase

This adds support for using an environment variable to set the FDE
passphrase, allowing us to automate image creation when using FDE.
The method used here was borrowed from how we set the password when
using the --password arg: write to a temp file, call something in the
chroot to read/use it, then remove it.

Part-of: https://gitlab.postmarketos.org/postmarketOS/pmbootstrap/-/merge_requests/2538
Clayton Craft 2025-01-27 16:17:58 -08:00
parent 6465a6aa87
commit 561ff0dc4c
No known key found for this signature in database
GPG key ID: 5AE7F5513E0885CB


@ -4,6 +4,8 @@ from pmb.helpers import logging
import pmb.chroot
from pmb.core import Chroot
from pmb.types import PartitionLayout, PmbArgs, PathString
import os
import tempfile
def install_fsprogs(filesystem: str) -> None:
@ -52,8 +54,7 @@ def format_luks_root(args: PmbArgs, device: str) -> None:
# Avoid cryptsetup warning about missing locking directory
pmb.chroot.root(["mkdir", "-p", "/run/cryptsetup"])
pmb.chroot.root(
[
format_cmd = [
"cryptsetup",
"luksFormat",
"-q",
@ -63,10 +64,26 @@ def format_luks_root(args: PmbArgs, device: str) -> None:
args.iter_time,
"--use-random",
device,
],
output="interactive",
)
pmb.chroot.root(["cryptsetup", "luksOpen", device, "pm_crypt"], output="interactive")
]
open_cmd = ["cryptsetup", "luksOpen"]
path_outside = None
fde_key = os.environ.get("PMB_FDE_PASSWORD", None)
if fde_key:
# Write passphrase to a temp file, to avoid printing it in any log
path = tempfile.mktemp(dir="/tmp")
path_outside = Chroot.native() / path
with open(path_outside, "w", encoding="utf-8") as handle:
handle.write(f"{fde_key}")
format_cmd += [str(path)]
open_cmd += ["--key-file", str(path)]
try:
pmb.chroot.root(format_cmd, output="interactive")
pmb.chroot.root([*open_cmd, device, "pm_crypt"], output="interactive")
finally:
if path_outside:
os.unlink(path_outside)
if not (Chroot.native() / mountpoint).exists():
raise RuntimeError("Failed to open cryptdevice!")
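Review bot: The key file created at `open(path_outside, "w", encoding="utf-8")` gets the process umask, so with the usual 022 the passphrase sits world-readable under the chroot's /tmp for the duration of the two cryptsetup calls, and `tempfile.mktemp` only generates a name without creating anything, so a pre-existing file at that path is silently overwritten rather than rejected. Creating the file with `os.open(..., os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` and wrapping the descriptor with `os.fdopen` closes both gaps while leaving the chroot-side `path` and the `format_cmd`/`open_cmd` arguments unchanged. While there, `handle.write(f"{fde_key}")` can be plain `handle.write(fde_key)`. The join `Chroot.native() / path` with an absolute `/tmp/...` name presumably relies on `Chroot`'s `/` operator stripping the leading slash, as the existing --password handling does; plain pathlib would return the host path, so worth confirming. format_luks_root starts before this hunk (its signature is in the hunk header) and `mountpoint` is defined outside it.
```python
    if fde_key:
        # Write passphrase to a temp file, to avoid printing it in any log
        path = tempfile.mktemp(dir="/tmp")
        path_outside = Chroot.native() / path
        # 0o600 + O_EXCL: only this user can read the passphrase, and a
        # pre-existing file at the mktemp() name is an error, not a target
        fd = os.open(path_outside, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(fde_key)
        # … unchanged: format_cmd / open_cmd key-file arguments …
```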