From b9d6a304dc88f66fbf7d9d7be82a13a622bcc5eb Mon Sep 17 00:00:00 2001 From: Casey Connolly Date: Sat, 24 May 2025 14:24:28 +0200 Subject: [PATCH] try to add FDE support but it doesn't work Signed-off-by: Casey Connolly --- pmb/install/_install.py | 11 +++++++---- pmb/install/format.py | 38 +++++++++++++++++++++++--------------- pmb/install/partition.py | 1 + pmb/types.py | 9 ++++++--- 4 files changed, 37 insertions(+), 22 deletions(-) diff --git a/pmb/install/_install.py b/pmb/install/_install.py index eb4c4f3d..6d647661 100644 --- a/pmb/install/_install.py +++ b/pmb/install/_install.py @@ -688,15 +688,17 @@ def sanity_check_disk_size(args: PmbArgs) -> None: raise RuntimeError("Aborted.") -def get_partition_layout(chroot: Chroot, kernel: bool, split: bool, single_partition: bool) -> PartitionLayout: +def get_partition_layout( + chroot: Chroot, kernel: bool, split: bool, single_partition: bool, fde: bool +) -> PartitionLayout: """ :param kernel: create a separate kernel partition before all other partitions, e.g. for the ChromeOS devices with cgpt :returns: the partition layout, e.g. without reserve and kernel: {"kernel": None, "boot": 1, "reserve": None, "root": 2} """ - layout: PartitionLayout = PartitionLayout("/dev/install", split) - + layout: PartitionLayout = PartitionLayout("/dev/install", split, fde) + if kernel: layout.append(DiskPartition("kernel", pmb.parse.deviceinfo().cgpt_kpart_size)) @@ -836,7 +838,8 @@ def install_system_image( layout = get_partition_layout(chroot, bool(deviceinfo.cgpt_kpart and args.install_cgpt), split, - single_partition + single_partition, + args.full_disk_encryption, ) logging.info(f"split: {split}") logging.info("Using partition layout:") diff --git a/pmb/install/format.py b/pmb/install/format.py index 3c177d47..ec1b03cb 100644 --- a/pmb/install/format.py +++ b/pmb/install/format.py @@ -99,54 +99,55 @@ def format_and_mount_boot(layout: PartitionLayout) -> None: ) -def format_luks_root(args: PmbArgs, layout: PartitionLayout, device: str) -> None: +def format_luks_root(args: PmbArgs, layout: PartitionLayout) -> None: """ :param device: root partition on install block device (e.g. /dev/installp2) """ - mountpoint = "/dev/mapper/pm_crypt" + device = layout.path - logging.info(f"(native) format {device} (root, luks), mount to {mountpoint}") - logging.info(" *** TYPE IN THE FULL DISK ENCRYPTION PASSWORD (TWICE!) ***") + logging.info("(native) Encrypting root filesystem!") + if not os.environ.get("PMB_FDE_PASSWORD", None): + logging.info(" *** TYPE IN THE FULL DISK ENCRYPTION PASSWORD (TWICE!) ***") # Avoid cryptsetup warning about missing locking directory pmb.chroot.root(["mkdir", "-p", "/run/cryptsetup"]) + # FIXME: this /should/ work but we get: + # Device /dev/install contains broken LUKS metadata. Aborting operation. + # sooo format_cmd = [ "cryptsetup", - "luksFormat", + "reencrypt", "-q", + "--encrypt", "--cipher", args.cipher, "--iter-time", args.iter_time, "--use-random", + "--reduce-device-size", + "32M", + "--force-offline-reencrypt", "--offset", - str(layout.root.offset), + str(layout.root.offset_sectors(512)), device, ] - open_cmd = ["cryptsetup", "luksOpen"] path_outside = None fde_key = os.environ.get("PMB_FDE_PASSWORD", None) if fde_key: # Write passphrase to a temp file, to avoid printing it in any log - path = tempfile.mktemp(dir="/tmp") - path_outside = Chroot.native() / path + path_outside = Chroot.native() / "tmp/fde_key" with open(path_outside, "w", encoding="utf-8") as handle: handle.write(f"{fde_key}") - format_cmd += [str(path)] - open_cmd += ["--key-file", str(path)] + format_cmd += [str(path_outside.relative_to(Chroot.native().path))] try: pmb.chroot.root(format_cmd, output="interactive") - pmb.chroot.root([*open_cmd, device, "pm_crypt"], output="interactive") finally: if path_outside: os.unlink(path_outside) - if not (Chroot.native() / mountpoint).exists(): - raise RuntimeError("Failed to open cryptdevice!") - def prepare_btrfs_subvolumes(args: PmbArgs, device: str, mountpoint: str) -> None: """ @@ -253,6 +254,10 @@ def format_and_mount_root(args: PmbArgs, layout: PartitionLayout) -> None: install_fsprogs(filesystem) logging.info(f"(native) format {layout.root.path} (root, {filesystem})") + rootfs_size = round(layout.root.size / 1024) + # Leave some empty space for LUKS + if layout.fde: + rootfs_size -= 64 * 1024 pmb.chroot.root([*mkfs_root_args, layout.root.path, f"{round(layout.root.size / 1024)}k"]) # Unmount the empty dir we mounted over /boot @@ -286,3 +291,6 @@ def format( # FIXME: better way to check if we are running with --single-partition if len(layout) > 1: format_and_mount_boot(layout) + + if args.full_disk_encryption: + format_luks_root(args, layout) diff --git a/pmb/install/partition.py b/pmb/install/partition.py index dcaadf2a..44fe9cf7 100644 --- a/pmb/install/partition.py +++ b/pmb/install/partition.py @@ -20,6 +20,7 @@ def get_partition_layout(partition: str, disk: str) -> tuple[int, int]: """ Get the size of a partition in a disk image in bytes """ + # FIXME: use sfdisk -J to get JSON output which is nicer :) out = pmb.chroot.root( [ "fdisk", diff --git a/pmb/types.py b/pmb/types.py index d8346abc..46a55667 100644 --- a/pmb/types.py +++ b/pmb/types.py @@ -144,14 +144,17 @@ class PartitionLayout(list[DiskPartition]): fragile indexes while still allowing the partitions to be iterated over for simplicity. This is not a good design tbh """ - path: str # path to disk image - split: bool # image per partition - def __init__(self, path: str, split: bool): + path: str # path to disk image + split: bool # image per partition + fde: bool + + def __init__(self, path: str, split: bool, fde: bool): super().__init__(self) # Path to the disk image self.path = path self.split = split + self.fde = fde @property def kernel(self):