try to add FDE support but it doesn't work

Signed-off-by: Casey Connolly <kcxt@postmarketos.org>
2025-07-23 12:35:12 +03:00 · 2025-05-24 14:24:28 +02:00 · 2025-05-24 14:24:28 +02:00 · b9d6a304dc
commit b9d6a304dc
parent ecf1d54e39
4 changed files with 37 additions and 22 deletions
--- a/pmb/install/_install.py
+++ b/pmb/install/_install.py
@ -688,14 +688,16 @@ def sanity_check_disk_size(args: PmbArgs) -> None:
            raise RuntimeError("Aborted.")


-def get_partition_layout(chroot: Chroot, kernel: bool, split: bool, single_partition: bool) -> PartitionLayout:
+def get_partition_layout(
+    chroot: Chroot, kernel: bool, split: bool, single_partition: bool, fde: bool
+) -> PartitionLayout:
    """
    :param kernel: create a separate kernel partition before all other
                   partitions, e.g. for the ChromeOS devices with cgpt
    :returns: the partition layout, e.g. without reserve and kernel:
              {"kernel": None, "boot": 1, "reserve": None, "root": 2}
    """
-    layout: PartitionLayout = PartitionLayout("/dev/install", split)
+    layout: PartitionLayout = PartitionLayout("/dev/install", split, fde)

    if kernel:
        layout.append(DiskPartition("kernel", pmb.parse.deviceinfo().cgpt_kpart_size))
@ -836,7 +838,8 @@ def install_system_image(
    layout = get_partition_layout(chroot,
        bool(deviceinfo.cgpt_kpart and args.install_cgpt),
        split,
-        single_partition
+        single_partition,
+        args.full_disk_encryption,
    )
    logging.info(f"split: {split}")
    logging.info("Using partition layout:")
--- a/pmb/install/format.py
+++ b/pmb/install/format.py
@ -99,54 +99,55 @@ def format_and_mount_boot(layout: PartitionLayout) -> None:
        )


-def format_luks_root(args: PmbArgs, layout: PartitionLayout, device: str) -> None:
+def format_luks_root(args: PmbArgs, layout: PartitionLayout) -> None:
    """
    :param device: root partition on install block device (e.g. /dev/installp2)
    """
-    mountpoint = "/dev/mapper/pm_crypt"
+    device = layout.path

-    logging.info(f"(native) format {device} (root, luks), mount to {mountpoint}")
+    logging.info("(native) Encrypting root filesystem!")
+    if not os.environ.get("PMB_FDE_PASSWORD", None):
        logging.info(" *** TYPE IN THE FULL DISK ENCRYPTION PASSWORD (TWICE!) ***")

    # Avoid cryptsetup warning about missing locking directory
    pmb.chroot.root(["mkdir", "-p", "/run/cryptsetup"])

+    # FIXME: this /should/ work but we get:
+    # Device /dev/install contains broken LUKS metadata. Aborting operation.
+    # sooo
    format_cmd = [
        "cryptsetup",
-        "luksFormat",
+        "reencrypt",
        "-q",
+        "--encrypt",
        "--cipher",
        args.cipher,
        "--iter-time",
        args.iter_time,
        "--use-random",
+        "--reduce-device-size",
+        "32M",
+        "--force-offline-reencrypt",
        "--offset",
-        str(layout.root.offset),
+        str(layout.root.offset_sectors(512)),
        device,
    ]
-    open_cmd = ["cryptsetup", "luksOpen"]

    path_outside = None
    fde_key = os.environ.get("PMB_FDE_PASSWORD", None)
    if fde_key:
        # Write passphrase to a temp file, to avoid printing it in any log
-        path = tempfile.mktemp(dir="/tmp")
-        path_outside = Chroot.native() / path
+        path_outside = Chroot.native() / "tmp/fde_key"
        with open(path_outside, "w", encoding="utf-8") as handle:
            handle.write(f"{fde_key}")
-        format_cmd += [str(path)]
-        open_cmd += ["--key-file", str(path)]
+        format_cmd += [str(path_outside.relative_to(Chroot.native().path))]

    try:
        pmb.chroot.root(format_cmd, output="interactive")
-        pmb.chroot.root([*open_cmd, device, "pm_crypt"], output="interactive")
    finally:
        if path_outside:
            os.unlink(path_outside)

-    if not (Chroot.native() / mountpoint).exists():
-        raise RuntimeError("Failed to open cryptdevice!")
-

 def prepare_btrfs_subvolumes(args: PmbArgs, device: str, mountpoint: str) -> None:
    """
@ -253,6 +254,10 @@ def format_and_mount_root(args: PmbArgs, layout: PartitionLayout) -> None:

        install_fsprogs(filesystem)
        logging.info(f"(native) format {layout.root.path} (root, {filesystem})")
+        rootfs_size = round(layout.root.size / 1024)
+        # Leave some empty space for LUKS
+        if layout.fde:
+            rootfs_size -= 64 * 1024
        pmb.chroot.root([*mkfs_root_args, layout.root.path, f"{round(layout.root.size / 1024)}k"])

        # Unmount the empty dir we mounted over /boot
@ -286,3 +291,6 @@ def format(
    # FIXME: better way to check if we are running with --single-partition
    if len(layout) > 1:
        format_and_mount_boot(layout)
+
+    if args.full_disk_encryption:
+        format_luks_root(args, layout)
--- a/pmb/install/partition.py
+++ b/pmb/install/partition.py
@ -20,6 +20,7 @@ def get_partition_layout(partition: str, disk: str) -> tuple[int, int]:
    """
    Get the size of a partition in a disk image in bytes
    """
+    # FIXME: use sfdisk -J to get JSON output which is nicer :)
    out = pmb.chroot.root(
        [
            "fdisk",
--- a/pmb/types.py
+++ b/pmb/types.py
@ -144,14 +144,17 @@ class PartitionLayout(list[DiskPartition]):
    fragile indexes while still allowing the partitions to be
    iterated over for simplicity. This is not a good design tbh
    """
+
    path: str  # path to disk image
    split: bool  # image per partition
+    fde: bool

-    def __init__(self, path: str, split: bool):
+    def __init__(self, path: str, split: bool, fde: bool):
        super().__init__(self)
        # Path to the disk image
        self.path = path
        self.split = split
+        self.fde = fde

    @property
    def kernel(self):