From 08d8a003e65fb136c4c7d1a93d76f95fbb0ba495 Mon Sep 17 00:00:00 2001 From: Itxaka Date: Thu, 13 Mar 2025 10:34:23 +0100 Subject: [PATCH] Add label to luks partition and dont gate on label (#471) * Add label to luks partition and dont gate on label Instead of gating on labels, lets just add the label to the luks partition, the same way we do to the underlying unlocked partition, so they share the fs label. That way, the locking and unlocking refer to the same label always --------- Signed-off-by: Itxaka (cherry picked from commit b0b2518e6ad9b30e906056f45b654209ebfe2ace) --- pkg/config/config.go | 23 ----------------------- pkg/lib/lock.go | 9 +++++++-- pkg/lib/unlock.go | 31 +++++-------------------------- 3 files changed, 12 insertions(+), 51 deletions(-) diff --git a/pkg/config/config.go b/pkg/config/config.go index c0520df..a344588 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -7,7 +7,6 @@ import ( "os" "strings" - "github.com/gofrs/uuid" "github.com/jaypipes/ghw/pkg/block" "github.com/kairos-io/kairos-sdk/collector" "github.com/pkg/errors" @@ -121,25 +120,3 @@ func (c Config) LookupLabelForUUID(uuid string) string { return "" } - -// GetLabelForUUID returns the partition label for a known UUID -// UUIDS are generated on luksify method -// They are generated by setting the namespace to DNS and the name to the fs label, so they are always the same -func (c Config) GetLabelForUUID(uuidCheck string) (string, error) { - persistent := uuid.NewV5(uuid.NamespaceURL, "COS_PERSISTENT") - oem := uuid.NewV5(uuid.NamespaceURL, "COS_OEM") - fmt.Printf("Checking uuid: %s\n", uuidCheck) - parsedUUID, err := uuid.FromString(uuidCheck) - if err != nil { - return "", err - } - switch parsedUUID { - case persistent: - return "COS_PERSISTENT", nil - case oem: - return "COS_OEM", nil - default: - return "", errors.New("no partition found with that uuid") - - } -} diff --git a/pkg/lib/lock.go b/pkg/lib/lock.go index 6bdf298..ecd4f34 100644 --- a/pkg/lib/lock.go +++ b/pkg/lib/lock.go @@ -76,6 +76,7 @@ func Luksify(label string, logger zerolog.Logger, argsCreate ...string) (string, device := fmt.Sprintf("/dev/%s", part) extraArgs := []string{"--uuid", uuid.NewV5(uuid.NamespaceURL, label).String()} + extraArgs = append(extraArgs, "--label", label) extraArgs = append(extraArgs, argsCreate...) if err := CreateLuks(device, pass, extraArgs...); err != nil { @@ -207,10 +208,14 @@ func formatLuks(device, name, mapper, label, pass string, logger zerolog.Logger) return fmt.Errorf("mkfs err: %w, out: %s", err, out) } + // Refresh needs the password as its doing actions on the device directly l.Debug().Msg("discards") - out, err = SH(fmt.Sprintf("cryptsetup refresh --persistent --allow-discards %s", mapper)) + cmd := exec.Command("cryptsetup", "refresh", "--persistent", "--allow-discards", mapper) + cmd.Stdin = strings.NewReader(pass) + output, err := cmd.CombinedOutput() + if err != nil { - return fmt.Errorf("refresh err: %w, out: %s", err, out) + return fmt.Errorf("refresh err: %w, out: %s", err, string(output)) } l.Debug().Msg("close") diff --git a/pkg/lib/unlock.go b/pkg/lib/unlock.go index b9b7c21..3653b68 100644 --- a/pkg/lib/unlock.go +++ b/pkg/lib/unlock.go @@ -3,14 +3,12 @@ package lib import ( "fmt" "path/filepath" - "strings" "github.com/anatol/luks.go" "github.com/jaypipes/ghw" "github.com/jaypipes/ghw/pkg/block" "github.com/kairos-io/kairos-sdk/utils" "github.com/kairos-io/kcrypt/pkg/bus" - configpkg "github.com/kairos-io/kcrypt/pkg/config" "github.com/mudler/go-pluggable" "github.com/rs/zerolog" "github.com/rs/zerolog/log" @@ -26,11 +24,6 @@ func UnlockAll(tpm bool) error { func UnlockAllWithLogger(tpm bool, logger zerolog.Logger) error { bus.Manager.Initialize() - config, err := configpkg.GetConfiguration(configpkg.ConfigScanDirs) - if err != nil { - logger.Info().Msgf("Warning: Could not read kcrypt configuration '%s'\n", err.Error()) - } - blk, err := ghw.Block() if err != nil { logger.Warn().Msgf("Warning: Error reading partitions '%s \n", err.Error()) @@ -49,36 +42,22 @@ func UnlockAllWithLogger(tpm bool, logger zerolog.Logger) error { for _, disk := range blk.Disks { for _, p := range disk.Partitions { if p.Type == "crypto_LUKS" { - // Get the luks UUID directly from cryptsetup - volumeUUID, err := utils.SH(fmt.Sprintf("cryptsetup luksUUID %s", filepath.Join("/dev", p.Name))) - logger.Info().Msgf("Got luks UUID %s for partition %s\n", volumeUUID, p.Name) - if err != nil { - return err - } - volumeUUID = strings.TrimSpace(volumeUUID) - if volumeUUID == "" { - logger.Warn().Msgf("No uuid for %s, skipping\n", p.Name) - continue - } // Check if device is already mounted // We mount it under /dev/mapper/DEVICE, so It's pretty easy to check if !utils.Exists(filepath.Join("/dev", "mapper", p.Name)) { - logger.Info().Msgf("Unmounted Luks found at '%s' \n", filepath.Join("/dev", p.Name)) + logger.Info().Msgf("Unmounted Luks found at '%s'", filepath.Join("/dev", p.Name)) if tpm { out, err := utils.SH(fmt.Sprintf("/usr/lib/systemd/systemd-cryptsetup attach %s %s - tpm2-device=auto", p.Name, filepath.Join("/dev", p.Name))) if err != nil { - logger.Warn().Msgf("Unlocking failed: '%s'\n", err.Error()) - logger.Warn().Msgf("Unlocking failed, command output: '%s'\n", out) + logger.Warn().Msgf("Unlocking failed: '%s'", err.Error()) + logger.Warn().Msgf("Unlocking failed, command output: '%s'", out) } } else { - p.FilesystemLabel, err = config.GetLabelForUUID(volumeUUID) - if err != nil { - return err - } err = UnlockDisk(p) if err != nil { - logger.Warn().Msgf("Unlocking failed: '%s'\n", err.Error()) + logger.Warn().Msgf("Unlocking failed: '%s'", err.Error()) } + logger.Info().Msg("Unlocking succeeded") } } else { logger.Info().Msgf("Device %s seems to be mounted at %s, skipping\n", filepath.Join("/dev", p.Name), filepath.Join("/dev", "mapper", p.Name))