Merge pull request #2781 from OSInside/fix_key_slot_handling_for_reencrypt

Fix key slot selection for luks reencrypt

Author: Conan-Kudo

build-tests/x86/tumbleweed/test-image-luks/appliance.kiwi

@@ -60,15 +60,15 @@
         </type>
     </preferences>
     <preferences profiles="ReEncryptFullDisk">
-        <type image="oem" filesystem="ext4" kernelcmdline="console=ttyS0 rd.kiwi.oem.luks.reencrypt" firmware="uefi" luks="linux" luks_version="luks2" luks_pbkdf="pbkdf2" bootpartition="false">
+        <type image="oem" filesystem="ext4" kernelcmdline="console=ttyS0 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet" firmware="uefi" luks="linux" luks_version="luks2" luks_pbkdf="pbkdf2" bootpartition="false" eficsm="false">
             <luksformat>
                 <option name="--cipher" value="aes-xts-plain64"/>
                 <option name="--key-size" value="256"/>
             </luksformat>
             <oemconfig>
                 <oem-resize>true</oem-resize>
             </oemconfig>
-            <bootloader name="grub2" console="serial" timeout="10"/>
+            <bootloader name="grub2" console="serial" timeout="10" use_disk_password="true"/>
         </type>
     </preferences>
     <users>

dracut/modules.d/99kiwi-lib/kiwi-luks-lib.sh

@@ -25,17 +25,19 @@ function deactivate_luks {
 function reencrypt_luks {
     declare kiwi_RootPart=${kiwi_RootPart}
     local disk=$1
+    local keyslot=/root/.luks.slot
     local header_checksum_origin=/root/.luks.header
     local header_checksum_cur=/root/.luks.header.cur
     local keyfile=/root/.root.keyfile
     local new_keyfile=/run/.kiwi_reencrypt.keyfile
-    local passphrase_file=/root/.slot0
+    local passphrase_file=/root/.slotpass
     local progress=/dev/install_progress
     local load_text="Reencrypting..."
     local title_text="LUKS"
     local device
     device=$(get_partition_node_name "${disk}" "${kiwi_RootPart}")
     read -r header_checksum_origin < "${header_checksum_origin}"
+    read -r keyslot < "${keyslot}"
 
     # Checksum test if luks header is still the image origin header
     cryptsetup luksHeaderBackup \
@@ -66,18 +68,18 @@ function reencrypt_luks {
             chmod 0400 "${new_keyfile}"
             cryptsetup \
                 --key-file "${passphrase_file}" \
-                --key-slot 0 \
+                --key-slot "${keyslot}" \
             luksChangeKey "${device}" "${new_keyfile}"
             cp "${new_keyfile}" "${passphrase_file}"
         fi
         # reencrypt
         setup_progress_fifo ${progress}
         (
-            # reencrypt slot0, this will wipe all key slots
+            # reencrypt, this will overwrite all key slots
             cryptsetup reencrypt \
                 --progress-frequency 1 \
                 --key-file "${passphrase_file}" \
-                --key-slot 0 \
+                --key-slot "${keyslot}" \
             "${device}" 2>&1 | sed -u 's/.* \([0-9]*\)[0-9.]*%.*/\1/'
         ) >"${progress}" &
         run_progress_dialog "${load_text}" "${title_text}"

kiwi/builder/disk.py

@@ -1277,15 +1277,19 @@ def _write_luks_header_checksum_to_boot_image(
         self, luks_root: Optional[LuksDevice]
     ) -> None:
         if luks_root is not None:
-            log.info('Including origin LUKS header checksum')
-            filename = ''.join(
-                [self.root_dir, '/root/.luks.header']
-            )
-            self.boot_image.include_file(
-                filename=os.sep + os.sep.join(
-                    ['root', os.path.basename(filename)]
-                ), delete_after_include=True
+            log.info(
+                'Including origin LUKS header checksum and key slot number'
             )
+            filenames = [
+                ''.join([self.root_dir, '/root/.luks.header']),
+                ''.join([self.root_dir, '/root/.luks.slot'])
+            ]
+            for filename in filenames:
+                self.boot_image.include_file(
+                    filename=os.sep + os.sep.join(
+                        ['root', os.path.basename(filename)]
+                    ), delete_after_include=True
+                )
 
     def _write_generic_fstab_to_system_image(
         self, device_map: Dict,

kiwi/storage/luks_device.py

@@ -94,6 +94,7 @@ def create_crypto_luks(
             to unlock the luks device
         :param string root_dir: root dir path
         """
+        keyslot = '0'
         if not options:
             options = []
         if osname:
@@ -174,6 +175,7 @@ def create_crypto_luks(
                     'luksAddKey', storage_device, keyfile_path
                 ]
             )
+            keyslot = '1'
 
         # Create backup header checksum as reencryption reference
         master_checksum = f'{root_dir}/root/.luks.header'
@@ -190,6 +192,11 @@ def create_crypto_luks(
         with open(master_checksum, 'w') as shasum:
             shasum.write(checksum)
 
+        # Create key slot number as reencryption reference
+        master_slot = f'{root_dir}/root/.luks.slot'
+        with open(master_slot, 'w') as slot:
+            slot.write(keyslot)
+
         # open the pool
         Command.run(
             [

test/unit/builder/disk_test.py

@@ -1196,7 +1196,8 @@ def test_create_disk_luks_root(
             call('/root/.root.keyfile'),
             call('/config.partids'),
             call('/etc/crypttab'),
-            call(filename='/root/.luks.header', delete_after_include=True)
+            call(filename='/root/.luks.header', delete_after_include=True),
+            call(filename='/root/.luks.slot', delete_after_include=True)
         ]
         self.boot_image_task.write_system_config_file.assert_called_once_with(
             config={'install_items': ['/root/.root.keyfile']},
@@ -1251,7 +1252,8 @@ def test_create_disk_luks_root_with_disk_password(
             call('/root/.root.keyfile'),
             call('/config.partids'),
             call('/etc/crypttab'),
-            call(filename='/root/.luks.header', delete_after_include=True)
+            call(filename='/root/.luks.header', delete_after_include=True),
+            call(filename='/root/.luks.slot', delete_after_include=True)
         ]
         self.boot_image_task.write_system_config_file.assert_called_once_with(
             config={'install_items': ['/root/.root.keyfile']},