Fix reencryption master key passphrase

schaefi · schaefi · commit 43ea22c9fd51 · 2025-05-02T21:28:53.000+02:00
Make sure to use the correct passphrase for the master
key such that it can be decrypted with the same credentials
as before. The credentials reset is a subsequent task
after reencryption.
diff --git a/dracut/modules.d/99kiwi-lib/kiwi-luks-lib.sh b/dracut/modules.d/99kiwi-lib/kiwi-luks-lib.sh
@@ -47,15 +47,6 @@ function reencrypt_luks {
         cut -f1 -d" "; rm -f "${header_checksum_cur}"
     )
     if [ "${header_checksum_origin}" == "${header_checksum_cur}" ];then
-        # setup credentials
-        if [ "${kiwi_luks_empty_passphrase}" = "true" ];then
-            echo -n > "${passphrase_file}"
-        elif [ -e "${keyfile}" ];then
-            cp "${keyfile}" "${passphrase_file}"
-        else
-            ask_for_credentials "Enter Credentials for Key Slot(0)"
-            get_dialog_result > "${passphrase_file}"
-        fi
         if getargbool 0 rd.kiwi.oem.luks.reencrypt_randompass; then
             # reset insecure built time passphrase with a random
             # onetime passphrase that will be stored in memory at $new_keyfile
diff --git a/kiwi/builder/disk.py b/kiwi/builder/disk.py
@@ -118,6 +118,7 @@ def __init__(
         self.root_dir = root_dir
         self.target_dir = target_dir
         self.xml_state = xml_state
+        self.cmdline = xml_state.build_type.get_kernelcmdline() or ''
         self.spare_part_mbsize = xml_state.get_build_type_spare_part_size()
         self.spare_part_fs = xml_state.build_type.get_spare_part_fs()
         self.spare_part_is_last = xml_state.build_type.get_spare_part_is_last()
@@ -784,7 +785,8 @@ def _build_main_system(
 
         self._write_crypttab_to_system_image(luks_root)
 
-        self._write_luks_header_checksum_to_boot_image(luks_root)
+        if 'rd.kiwi.oem.luks.reencrypt' in self.cmdline:
+            self._write_luks_header_checksum_to_boot_image(luks_root)
 
         self._write_integritytab_to_system_image(integrity_root)
 
@@ -1289,7 +1291,8 @@ def _write_luks_header_checksum_to_boot_image(
             )
             filenames = [
                 ''.join([self.root_dir, '/root/.luks.header']),
-                ''.join([self.root_dir, '/root/.luks.slot'])
+                ''.join([self.root_dir, '/root/.luks.slot']),
+                ''.join([self.root_dir, '/root/.slotpass'])
             ]
             for filename in filenames:
                 self.boot_image.include_file(
diff --git a/kiwi/storage/luks_device.py b/kiwi/storage/luks_device.py
@@ -179,7 +179,6 @@ def create_crypto_luks(
                     'luksAddKey', storage_device, keyfile_path
                 ]
             )
-            keyslot = '1'
 
         # Create backup header checksum as reencryption reference
         master_checksum = f'{root_dir}/root/.luks.header'
@@ -201,6 +200,11 @@ def create_crypto_luks(
         with open(master_slot, 'w') as slot:
             slot.write(keyslot)
 
+        # Create slot passphrase as reencryption reference
+        master_slotpass = f'{root_dir}/root/.slotpass'
+        with open(master_slotpass, 'w') as slotpass:
+            slotpass.write(self.passphrase)
+
         # open the pool
         Command.run(
             [
diff --git a/test/unit/builder/disk_test.py b/test/unit/builder/disk_test.py
@@ -1182,6 +1182,7 @@ def test_create_disk_luks_root(
         self.disk_builder.boot_is_crypto = True
         disk.public_partition_id_map = self.id_map
         disk.public_partition_id_map['kiwi_ROPart'] = 1
+        self.disk_builder.cmdline = 'rd.kiwi.oem.luks.reencrypt'
 
         with patch('builtins.open'):
             self.disk_builder.create_disk()
@@ -1200,7 +1201,8 @@ def test_create_disk_luks_root(
             call('/config.partids'),
             call('/etc/crypttab'),
             call(filename='/root/.luks.header', delete_after_include=True),
-            call(filename='/root/.luks.slot', delete_after_include=True)
+            call(filename='/root/.luks.slot', delete_after_include=True),
+            call(filename='/root/.slotpass', delete_after_include=True)
         ]
         self.boot_image_task.write_system_config_file.assert_called_once_with(
             config={'install_items': ['/root/.root.keyfile']},
@@ -1238,6 +1240,7 @@ def test_create_disk_luks_root_with_disk_password(
         disk.public_partition_id_map = self.id_map
         disk.public_partition_id_map['kiwi_ROPart'] = 1
         bootloader = mock_BootLoaderInstall.return_value
+        self.disk_builder.cmdline = 'rd.kiwi.oem.luks.reencrypt'
 
         with patch('builtins.open'):
             self.disk_builder.create_disk()
@@ -1256,7 +1259,8 @@ def test_create_disk_luks_root_with_disk_password(
             call('/config.partids'),
             call('/etc/crypttab'),
             call(filename='/root/.luks.header', delete_after_include=True),
-            call(filename='/root/.luks.slot', delete_after_include=True)
+            call(filename='/root/.luks.slot', delete_after_include=True),
+            call(filename='/root/.slotpass', delete_after_include=True)
         ]
         self.boot_image_task.write_system_config_file.assert_called_once_with(
             config={'install_items': ['/root/.root.keyfile']},

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,6 @@ def create_crypto_luks(`
`179`	`179`	`'luksAddKey', storage_device, keyfile_path`
`180`	`180`	`]`
`181`	`181`	`)`
`182`		`- keyslot = '1'`
`183`	`182`
`184`	`183`	`# Create backup header checksum as reencryption reference`
`185`	`184`	`master_checksum = f'{root_dir}/root/.luks.header'`
`@@ -201,6 +200,11 @@ def create_crypto_luks(`
`201`	`200`	`with open(master_slot, 'w') as slot:`
`202`	`201`	`slot.write(keyslot)`
`203`	`202`
	`203`	`+ # Create slot passphrase as reencryption reference`
	`204`	`+ master_slotpass = f'{root_dir}/root/.slotpass'`
	`205`	`+ with open(master_slotpass, 'w') as slotpass:`
	`206`	`+ slotpass.write(self.passphrase)`
	`207`	`+`
`204`	`208`	`# open the pool`
`205`	`209`	`Command.run(`
`206`	`210`	`[`