try to add FDE support but it doesn't work

Signed-off-by: Casey Connolly <kcxt@postmarketos.org>

pmb/install/_install.py

@@ -688,15 +688,17 @@ def sanity_check_disk_size(args: PmbArgs) -> None:
             raise RuntimeError("Aborted.")
 
 
-def get_partition_layout(chroot: Chroot, kernel: bool, split: bool, single_partition: bool) -> PartitionLayout:
+def get_partition_layout(
+    chroot: Chroot, kernel: bool, split: bool, single_partition: bool, fde: bool
+) -> PartitionLayout:
     """
     :param kernel: create a separate kernel partition before all other
                    partitions, e.g. for the ChromeOS devices with cgpt
     :returns: the partition layout, e.g. without reserve and kernel:
               {"kernel": None, "boot": 1, "reserve": None, "root": 2}
     """
-    layout: PartitionLayout = PartitionLayout("/dev/install", split)
-    
+    layout: PartitionLayout = PartitionLayout("/dev/install", split, fde)
+
     if kernel:
         layout.append(DiskPartition("kernel", pmb.parse.deviceinfo().cgpt_kpart_size))
 
@@ -836,7 +838,8 @@ def install_system_image(
     layout = get_partition_layout(chroot,
         bool(deviceinfo.cgpt_kpart and args.install_cgpt),
         split,
-        single_partition
+        single_partition,
+        args.full_disk_encryption,
     )
     logging.info(f"split: {split}")
     logging.info("Using partition layout:")

pmb/install/format.py

@@ -99,54 +99,55 @@ def format_and_mount_boot(layout: PartitionLayout) -> None:
         )
 
 
-def format_luks_root(args: PmbArgs, layout: PartitionLayout, device: str) -> None:
+def format_luks_root(args: PmbArgs, layout: PartitionLayout) -> None:
     """
     :param device: root partition on install block device (e.g. /dev/installp2)
     """
-    mountpoint = "/dev/mapper/pm_crypt"
+    device = layout.path
 
-    logging.info(f"(native) format {device} (root, luks), mount to {mountpoint}")
-    logging.info(" *** TYPE IN THE FULL DISK ENCRYPTION PASSWORD (TWICE!) ***")
+    logging.info("(native) Encrypting root filesystem!")
+    if not os.environ.get("PMB_FDE_PASSWORD", None):
+        logging.info(" *** TYPE IN THE FULL DISK ENCRYPTION PASSWORD (TWICE!) ***")
 
     # Avoid cryptsetup warning about missing locking directory
     pmb.chroot.root(["mkdir", "-p", "/run/cryptsetup"])
 
+    # FIXME: this /should/ work but we get:
+    # Device /dev/install contains broken LUKS metadata. Aborting operation.
+    # sooo
     format_cmd = [
         "cryptsetup",
-        "luksFormat",
+        "reencrypt",
         "-q",
+        "--encrypt",
         "--cipher",
         args.cipher,
         "--iter-time",
         args.iter_time,
         "--use-random",
+        "--reduce-device-size",
+        "32M",
+        "--force-offline-reencrypt",
         "--offset",
-        str(layout.root.offset),
+        str(layout.root.offset_sectors(512)),
         device,
     ]
-    open_cmd = ["cryptsetup", "luksOpen"]
 
     path_outside = None
     fde_key = os.environ.get("PMB_FDE_PASSWORD", None)
     if fde_key:
         # Write passphrase to a temp file, to avoid printing it in any log
-        path = tempfile.mktemp(dir="/tmp")
-        path_outside = Chroot.native() / path
+        path_outside = Chroot.native() / "tmp/fde_key"
         with open(path_outside, "w", encoding="utf-8") as handle:
             handle.write(f"{fde_key}")
-        format_cmd += [str(path)]
-        open_cmd += ["--key-file", str(path)]
+        format_cmd += [str(path_outside.relative_to(Chroot.native().path))]
 
     try:
         pmb.chroot.root(format_cmd, output="interactive")
-        pmb.chroot.root([*open_cmd, device, "pm_crypt"], output="interactive")
     finally:
         if path_outside:
             os.unlink(path_outside)
 
-    if not (Chroot.native() / mountpoint).exists():
-        raise RuntimeError("Failed to open cryptdevice!")
-
 
 def prepare_btrfs_subvolumes(args: PmbArgs, device: str, mountpoint: str) -> None:
     """
@@ -253,6 +254,10 @@ def format_and_mount_root(args: PmbArgs, layout: PartitionLayout) -> None:
 
         install_fsprogs(filesystem)
         logging.info(f"(native) format {layout.root.path} (root, {filesystem})")
+        rootfs_size = round(layout.root.size / 1024)
+        # Leave some empty space for LUKS
+        if layout.fde:
+            rootfs_size -= 64 * 1024
         pmb.chroot.root([*mkfs_root_args, layout.root.path, f"{round(layout.root.size / 1024)}k"])
 
         # Unmount the empty dir we mounted over /boot
@@ -286,3 +291,6 @@ def format(
     # FIXME: better way to check if we are running with --single-partition
     if len(layout) > 1:
         format_and_mount_boot(layout)
+
+    if args.full_disk_encryption:
+        format_luks_root(args, layout)

pmb/install/partition.py

@@ -20,6 +20,7 @@ def get_partition_layout(partition: str, disk: str) -> tuple[int, int]:
     """
     Get the size of a partition in a disk image in bytes
     """
+    # FIXME: use sfdisk -J to get JSON output which is nicer :)
     out = pmb.chroot.root(
         [
             "fdisk",

pmb/types.py

@@ -144,14 +144,17 @@ class PartitionLayout(list[DiskPartition]):
     fragile indexes while still allowing the partitions to be
     iterated over for simplicity. This is not a good design tbh
     """
-    path: str # path to disk image
-    split: bool # image per partition
 
-    def __init__(self, path: str, split: bool):
+    path: str  # path to disk image
+    split: bool  # image per partition
+    fde: bool
+
+    def __init__(self, path: str, split: bool, fde: bool):
         super().__init__(self)
         # Path to the disk image
         self.path = path
         self.split = split
+        self.fde = fde
 
     @property
     def kernel(self):