Merge pull request #2792 from OSInside/fix_use_disk_password_for_random_keys

Fix setup of use_disk_password for random secret

Author: Conan-Kudo

kiwi/builder/disk.py

@@ -1805,8 +1805,10 @@ def _install_bootloader(
                 bootloader.install()
             bootloader.secure_boot_install()
 
-            if self.use_disk_password and self.luks:
-                bootloader.set_disk_password(self.luks)
+            if self.use_disk_password and self.storage_map['luks_root']:
+                bootloader.set_disk_password(
+                    self.storage_map['luks_root'].passphrase
+                )
         else:
             log.warning(
                 'No install of bootcode on read-only root possible'

kiwi/storage/luks_device.py

@@ -17,6 +17,7 @@
 #
 import os
 import logging
+import binascii
 from typing import Optional
 
 # project
@@ -47,6 +48,7 @@ def __init__(self, storage_provider: DeviceProvider) -> None:
 
         self.luks_device: Optional[str] = None
         self.luks_keyfile: str = ''
+        self.passphrase: str = ''
         self.luks_name = 'luksRoot'
 
         self.option_map = {
@@ -95,6 +97,7 @@ def create_crypto_luks(
         :param string root_dir: root dir path
         """
         keyslot = '0'
+        self.passphrase = passphrase
         if not options:
             options = []
         if osname:
@@ -116,7 +119,7 @@ def create_crypto_luks(
             keyfile_path = os.path.normpath(
                 os.sep.join([root_dir, self.luks_keyfile])
             )
-            LuksDevice.create_random_keyfile(keyfile_path)
+            random_passphrase = LuksDevice.create_random_keyfile(keyfile_path)
 
         if randomize:
             log.info('--> Randomizing...')
@@ -139,6 +142,7 @@ def create_crypto_luks(
             # initrd also gets protected, e.g through encryption
             # like it is done with the secure linux execution on
             # zSystems
+            self.passphrase = random_passphrase
             passphrase_file = keyfile_path
             # Do not add an additional keyfile
             keyfile = ''
@@ -242,15 +246,19 @@ def is_loop(self) -> bool:
         return self.storage_provider.is_loop()
 
     @staticmethod
-    def create_random_keyfile(filename: str) -> None:
+    def create_random_keyfile(filename: str) -> str:
         """
         Create keyfile with random data
 
         :param string filename: file path name
         """
-        with open(filename, 'wb') as keyfile:
-            keyfile.write(os.urandom(Defaults.get_luks_key_length()))
+        random_data = binascii.hexlify(
+            os.urandom(Defaults.get_luks_key_length())
+        ).decode()
+        with open(filename, 'w') as keyfile:
+            keyfile.write(random_data)
         os.chmod(filename, 0o600)
+        return random_data
 
     def __exit__(self, exc_type, exc_value, traceback):
         if self.luks_device:

test/unit/builder/disk_test.py

@@ -167,6 +167,7 @@ def side_effect(filename):
             return_value=self.integrity_root
         )
         self.luks_root = Mock()
+        self.luks_root.passphrase = 'passphrase'
         kiwi.builder.disk.LuksDevice = Mock(
             return_value=self.luks_root
         )

test/unit/storage/luks_device_test.py

@@ -247,7 +247,7 @@ def test_create_random_keyfile(self, mock_os_chmod, mock_os_urandom):
             mock_open.return_value = MagicMock(spec=io.IOBase)
             file_handle = mock_open.return_value.__enter__.return_value
             LuksDevice.create_random_keyfile('some-file')
-            file_handle.write.assert_called_once_with(secret)
+            file_handle.write.assert_called_once_with('736563726574')
             mock_os_chmod.assert_called_once_with('some-file', 0o600)
 
     def test_is_loop(self):