From e729457b6c12a00b17207254ee72e98b78912f8d Mon Sep 17 00:00:00 2001 From: Anton Hvornum Date: Tue, 23 Nov 2021 23:09:33 +0000 Subject: Support encrypting multiple partitions (#759) * Added support for storing disk encryption keyfiles and add them to a keyslot. * Added a luks2().add_key() function in order to inject a keyfile into a keyslot on a encrypted volume. * Simplified 'missing encryption password' logic in Filesystem(). Added a call to luks2().add_key() after the root-password is set on the volume, to add the keyfile in slot 2 * Adding in password handling in luks2().add_key(). It's required to enter a previous passphrase to unlock the volume and add a new keyslot. Also simplified the handling of partition in Installer().mount_ordered_layout() * Adding in encryption on all partitions except /boot when encryption is opted in * Removed setting size on Partition() as it's a read only value. No idea how Partition().size = size hasn't caused an issue before. Removed size=X argument to Partition() * Added a uniqueness to the loopdevice name. This should ensure that multiple encrypted volumes can be opened at the same time, except for Partition().detect_inner_filesystem() operations which can only happen one at a time since they share namespace. This should never be an issue since archinstall is single threaded and no concurrent operations can/should happen. * Added partprobe() as part of disk/helpers.py, added a /dev/ -> UUID mapper function called convert_device_to_uuid(path). Added a luks2().crypttab() function that sets up a /etc/crypttab entry. * Moved the responsability for telling archinstall to generate a keyfile from Filesystem() to user_interaction.py. This should in the future be a user-input based value, and not something the Filesystem() automatically dictates. * Added a retry mechanism to luks2().encrypt() to avoid having to re-start the installation when a device simply wasn't up yet. * Swapping UUID= lookup from loopdev to physdev. --- archinstall/lib/disk/blockdevice.py | 4 ++-- archinstall/lib/disk/filesystem.py | 20 +++++++++++++------- archinstall/lib/disk/helpers.py | 22 ++++++++++++++++++++-- archinstall/lib/disk/partition.py | 3 +-- 4 files changed, 36 insertions(+), 13 deletions(-) (limited to 'archinstall/lib/disk') diff --git a/archinstall/lib/disk/blockdevice.py b/archinstall/lib/disk/blockdevice.py index d8c34893..f8575de4 100644 --- a/archinstall/lib/disk/blockdevice.py +++ b/archinstall/lib/disk/blockdevice.py @@ -128,7 +128,7 @@ class BlockDevice: if part_id not in self.part_cache: # TODO: Force over-write even if in cache? if part_id not in self.part_cache or self.part_cache[part_id].size != part['size']: - self.part_cache[part_id] = Partition(root_path + part_id, self, part_id=part_id, size=part['size']) + self.part_cache[part_id] = Partition(root_path + part_id, self, part_id=part_id) return {k: self.part_cache[k] for k in sorted(self.part_cache)} @@ -156,7 +156,7 @@ class BlockDevice: @property def size(self): from .helpers import convert_size_to_gb - + output = json.loads(SysCommand(f"lsblk --json -b -o+SIZE {self.path}").decode('UTF-8')) for device in output['blockdevices']: diff --git a/archinstall/lib/disk/filesystem.py b/archinstall/lib/disk/filesystem.py index 83d7e34f..edf54eb5 100644 --- a/archinstall/lib/disk/filesystem.py +++ b/archinstall/lib/disk/filesystem.py @@ -1,6 +1,7 @@ import time import logging import json +import pathlib from .partition import Partition from .validators import valid_fs_type from ..exceptions import DiskError @@ -80,17 +81,22 @@ class Filesystem: if partition.get('filesystem', {}).get('format', False): if partition.get('encrypted', False): - if not partition.get('!password') and not storage['arguments'].get('!encryption-password'): - if storage['arguments'] == 'silent': - raise ValueError(f"Missing encryption password for {partition['device_instance']}") - else: + if not partition.get('!password'): + if not storage['arguments'].get('!encryption-password'): + if storage['arguments'] == 'silent': + raise ValueError(f"Missing encryption password for {partition['device_instance']}") + from ..user_interaction import get_password - partition['!password'] = get_password(f"Enter a encryption password for {partition['device_instance']}") - elif not partition.get('!password') and storage['arguments'].get('!encryption-password'): + storage['arguments']['!encryption-password'] = get_password(f"Enter a encryption password for {partition['device_instance']}") + partition['!password'] = storage['arguments']['!encryption-password'] + loopdev = f"{storage.get('ENC_IDENTIFIER', 'ai')}{pathlib.Path(partition['mountpoint']).name}loop" + partition['device_instance'].encrypt(password=partition['!password']) - with luks2(partition['device_instance'], storage.get('ENC_IDENTIFIER', 'ai') + 'loop', partition['!password']) as unlocked_device: + + # Immediately unlock the encrypted device to format the inner volume + with luks2(partition['device_instance'], loopdev, partition['!password'], auto_unmount=True) as unlocked_device: if not partition.get('format'): if storage['arguments'] == 'silent': raise ValueError(f"Missing fs-type to format on newly created encrypted partition {partition['device_instance']}") diff --git a/archinstall/lib/disk/helpers.py b/archinstall/lib/disk/helpers.py index 46d86bd5..9442f1b6 100644 --- a/archinstall/lib/disk/helpers.py +++ b/archinstall/lib/disk/helpers.py @@ -1,13 +1,15 @@ -import re -import os import json import logging +import os import pathlib +import re +import time from typing import Union from .blockdevice import BlockDevice from ..exceptions import SysCallError, DiskError from ..general import SysCommand from ..output import log +from ..storage import storage ROOT_DIR_PATTERN = re.compile('^.*?/devices') GIGA = 2 ** 30 @@ -209,3 +211,19 @@ def find_partition_by_mountpoint(block_devices, relative_mountpoint :str): for partition in block_devices[device]['partitions']: if partition.get('mountpoint', None) == relative_mountpoint: return partition + +def partprobe(): + SysCommand(f'bash -c "partprobe"') + +def convert_device_to_uuid(path :str) -> str: + for i in range(storage['DISK_RETRY_ATTEMPTS']): + partprobe() + output = json.loads(SysCommand(f"lsblk --json -o+UUID {path}").decode('UTF-8')) + + for device in output['blockdevices']: + if (dev_uuid := device.get('uuid', None)): + return dev_uuid + + time.sleep(storage['DISK_TIMEOUTS']) + + raise DiskError(f"Could not retrieve the UUID of {path} within a timely manner.") \ No newline at end of file diff --git a/archinstall/lib/disk/partition.py b/archinstall/lib/disk/partition.py index b27c8459..d3efe5cf 100644 --- a/archinstall/lib/disk/partition.py +++ b/archinstall/lib/disk/partition.py @@ -15,7 +15,7 @@ from ..general import SysCommand class Partition: - def __init__(self, path: str, block_device: BlockDevice, part_id=None, size=-1, filesystem=None, mountpoint=None, encrypted=False, autodetect_filesystem=True): + def __init__(self, path: str, block_device: BlockDevice, part_id=None, filesystem=None, mountpoint=None, encrypted=False, autodetect_filesystem=True): if not part_id: part_id = os.path.basename(path) @@ -25,7 +25,6 @@ class Partition: self.mountpoint = mountpoint self.target_mountpoint = mountpoint self.filesystem = filesystem - self.size = size # TODO: Refresh? self._encrypted = None self.encrypted = encrypted self.allow_formatting = False -- cgit v1.2.3-70-g09d2