Diffstat (limited to 'archinstall/lib/installer.py')
-rw-r--r--archinstall/lib/installer.py44
1 files changed, 20 insertions, 24 deletions
diff --git a/archinstall/lib/installer.py b/archinstall/lib/installer.py
index 49ce4d7f..1926f593 100644
--- a/archinstall/lib/installer.py
+++ b/archinstall/lib/installer.py
@@ -15,16 +15,16 @@ from .hardware import has_uefi, is_vm, cpu_vendor
from .locale_helpers import verify_keyboard_layout, verify_x11_keyboard_layout
from .disk.helpers import findmnt
from .mirrors import use_mirrors
+from .models.disk_encryption import DiskEncryption
from .plugins import plugins
from .storage import storage
-# from .user_interaction import *
from .output import log
from .profiles import Profile
from .disk.partition import get_mount_fs_type
from .exceptions import DiskError, ServiceException, RequirementError, HardwareIncompatibilityError, SysCallError
-from .hsm import fido2_enroll
from .models.users import User
from .models.subvolume import Subvolume
+from .hsm import Fido2
if TYPE_CHECKING:
_: Any
@@ -135,6 +135,8 @@ class Installer:
self._zram_enabled = False
+ self._disk_encryption: DiskEncryption = storage['arguments'].get('disk_encryption')
+
def log(self, *args :str, level :int = logging.DEBUG, **kwargs :str):
"""
installer.log() wraps output.log() mainly to set a default log-level for this install session.
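Review bot: `storage['arguments'].get('disk_encryption')` can return None when no encryption section is configured, yet the attribute is annotated as a plain `DiskEncryption` and is dereferenced without a guard in the later hunks (`self._disk_encryption.partitions` at -244, `.hsm_device` at -650, -694, -758 and -886), so an unencrypted install would now raise AttributeError where the old `storage['arguments'].get('HSM')` lookups tolerated a missing key. Either fail fast here with a clear message when the value is required, or mark the attribute optional and make the later checks None-safe, e.g. `if self._disk_encryption and self._disk_encryption.hsm_device:`. I cannot see from here whether the config loader guarantees a DiskEncryption instance; if it does, a comment saying so on this line would stop the next reader asking the same question. The enclosing `__init__` starts outside the hunk.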
@@ -196,7 +198,7 @@ class Installer:
def _create_keyfile(self,luks_handle , partition :dict, password :str):
""" roiutine to create keyfiles, so it can be moved elsewhere
"""
- if partition.get('generate-encryption-key-file'):
+ if self._disk_encryption.generate_encryption_file(partition):
if not (cryptkey_dir := pathlib.Path(f"{self.target}/etc/cryptsetup-keys.d")).exists():
cryptkey_dir.mkdir(parents=True)
# Once we store the key as ../xyzloop.key systemd-cryptsetup can automatically load this key
@@ -244,26 +246,20 @@ class Installer:
mount_queue = {}
# we manage the encrypted partititons
- for partition in [entry for entry in list_part if entry.get('encrypted', False)]:
+ for partition in self._disk_encryption.partitions:
# open the luks device and all associate stuff
- if not (password := partition.get('!password', None)) and storage['arguments'].get('!encryption-password'):
- password = storage['arguments'].get('!encryption-password')
- elif not password:
- raise RequirementError(f"Missing partition encryption password in layout: {partition}")
-
loopdev = f"{storage.get('ENC_IDENTIFIER', 'ai')}{pathlib.Path(partition['device_instance'].path).name}"
# note that we DON'T auto_unmount (i.e. close the encrypted device so it can be used
- with (luks_handle := luks2(partition['device_instance'], loopdev, password, auto_unmount=False)) as unlocked_device:
- if partition.get('generate-encryption-key-file', False) and not self._has_root(partition):
- list_luks_handles.append([luks_handle, partition, password])
+ with (luks_handle := luks2(partition['device_instance'], loopdev, self._disk_encryption.encryption_password, auto_unmount=False)) as unlocked_device:
+ if self._disk_encryption.generate_encryption_file(partition) and not self._has_root(partition):
+ list_luks_handles.append([luks_handle, partition, self._disk_encryption.encryption_password])
# this way all the requesrs will be to the dm_crypt device and not to the physical partition
partition['device_instance'] = unlocked_device
- if self._has_root(partition) and partition.get('generate-encryption-key-file', False) is False:
- if storage['arguments'].get('HSM'):
- hsm_device_path = storage['arguments']['HSM']
- fido2_enroll(hsm_device_path, partition['device_instance'], password)
+ if self._has_root(partition) and self._disk_encryption.generate_encryption_file(partition) is False:
+ if self._disk_encryption.hsm_device:
+ Fido2.fido2_enroll(self._disk_encryption.hsm_device, partition['device_instance'], self._disk_encryption.encryption_password)
btrfs_subvolumes = [entry for entry in list_part if entry.get('btrfs', {}).get('subvolumes', [])]
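Review bot: The removed RequirementError made a missing encryption password fail early with an explicit message, but the new loop hands `self._disk_encryption.encryption_password` straight to `luks2()` with no check, so an empty or None password would only surface (if at all) as a cryptsetup error deep in the mount path. Unless DiskEncryption validates the password at construction, which is not visible here, add a guard before the loop: `if not self._disk_encryption.encryption_password: raise RequirementError("Missing disk encryption password")`. The per-partition `!password` override is also dropped in favour of one password for every partition; if that is intentional it deserves a comment, and binding the password to a local once would avoid the three repeated attribute reads. The enclosing function starts and ends outside the hunk.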
@@ -650,7 +646,7 @@ class Installer:
mkinit.write(f"BINARIES=({' '.join(self.BINARIES)})\n")
mkinit.write(f"FILES=({' '.join(self.FILES)})\n")
- if not storage['arguments'].get('HSM'):
+ if not self._disk_encryption.hsm_device:
# For now, if we don't use HSM we revert to the old
# way of setting up encryption hooks for mkinitcpio.
# This is purely for stability reasons, we're going away from this.
@@ -694,7 +690,7 @@ class Installer:
self.HOOKS.remove('fsck')
if self.detect_encryption(partition):
- if storage['arguments'].get('HSM'):
+ if self._disk_encryption.hsm_device:
# Required bby mkinitcpio to add support for fido2-device options
self.pacstrap('libfido2')
@@ -758,7 +754,7 @@ class Installer:
# TODO: Use python functions for this
SysCommand(f'/usr/bin/arch-chroot {self.target} chmod 700 /root')
- if storage['arguments'].get('HSM'):
+ if self._disk_encryption.hsm_device:
# TODO:
# A bit of a hack, but we need to get vconsole.conf in there
# before running `mkinitcpio` because it expects it in HSM mode.
@@ -865,9 +861,9 @@ class Installer:
root_fs_type = get_mount_fs_type(root_partition.filesystem)
if root_fs_type is not None:
- options_entry = f'rw intel_pstate=no_hwp rootfstype={root_fs_type} {" ".join(self.KERNEL_PARAMS)}\n'
+ options_entry = f'rw rootfstype={root_fs_type} {" ".join(self.KERNEL_PARAMS)}\n'
else:
- options_entry = f'rw intel_pstate=no_hwp {" ".join(self.KERNEL_PARAMS)}\n'
+ options_entry = f'rw {" ".join(self.KERNEL_PARAMS)}\n'
for subvolume in root_partition.subvolumes:
if subvolume.root is True and subvolume.name != '<FS_TREE>':
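Review bot: Dropping `intel_pstate=no_hwp` from both `options_entry` branches changes the installed kernel command line, which appears unrelated to the DiskEncryption refactor the rest of this commit performs, and the same removal happens in the efibootmgr path at -984. A behavioural change to boot parameters is easier to bisect and revert on its own, so it would be better split into a separate commit or at least called out in the commit message. The enclosing function starts and ends outside the hunk.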
@@ -886,7 +882,7 @@ class Installer:
kernel_options = f"options"
- if storage['arguments'].get('HSM'):
+ if self._disk_encryption.hsm_device:
# Note: lsblk UUID must be used, not PARTUUID for sd-encrypt to work
kernel_options += f" rd.luks.name={real_device.uuid}=luksdev"
# Note: tpm2-device and fido2-device don't play along very well:
@@ -984,10 +980,10 @@ class Installer:
# TODO: We need to detect if the encrypted device is a whole disk encryption,
# or simply a partition encryption. Right now we assume it's a partition (and we always have)
log(f"Identifying root partition by PART-UUID on {real_device}: '{real_device.part_uuid}'.", level=logging.DEBUG)
- kernel_parameters.append(f'cryptdevice=PARTUUID={real_device.part_uuid}:luksdev root=/dev/mapper/luksdev rw intel_pstate=no_hwp rootfstype={root_fs_type} {" ".join(self.KERNEL_PARAMS)}')
+ kernel_parameters.append(f'cryptdevice=PARTUUID={real_device.part_uuid}:luksdev root=/dev/mapper/luksdev rw rootfstype={root_fs_type} {" ".join(self.KERNEL_PARAMS)}')
else:
log(f"Identifying root partition by PART-UUID on {root_partition}, looking for '{root_partition.part_uuid}'.", level=logging.DEBUG)
- kernel_parameters.append(f'root=PARTUUID={root_partition.part_uuid} rw intel_pstate=no_hwp rootfstype={root_fs_type} {" ".join(self.KERNEL_PARAMS)}')
+ kernel_parameters.append(f'root=PARTUUID={root_partition.part_uuid} rw rootfstype={root_fs_type} {" ".join(self.KERNEL_PARAMS)}')
SysCommand(f'efibootmgr --disk {boot_partition.path[:-1]} --part {boot_partition.path[-1]} --create --label "{label}" --loader {loader} --unicode \'{" ".join(kernel_parameters)}\' --verbose')