add dm-integrity kmods based on header info

desultory · desultory · commit a3f106bbd4dc · 2025-10-19T15:00:18.000-05:00
Signed-off-by: Zen &lt;z@pyl.onl&gt;
diff --git a/src/ugrd/crypto/cryptsetup.py b/src/ugrd/crypto/cryptsetup.py
@@ -211,7 +211,7 @@ def _detect_luks_aes_module(self, luks_cipher_name: str) -> None:
         self["_kmod_auto"] = crypto_config["module"]
 
 
-def _detect_luks_header_aes(self, luks_info: dict) -> dict:
+def _detect_luks_header_aes(self, luks_info: dict) -> None:
     """Checks the cipher type in the LUKS header, reads /proc/crypto to find the
     corresponding driver. If it's not builtin, adds the module to the kernel modules."""
     for keyslot in luks_info.get("keyslots", {}).values():
@@ -222,7 +222,7 @@ def _detect_luks_header_aes(self, luks_info: dict) -> dict:
             _detect_luks_aes_module(self, segment["encryption"])
 
 
-def _detect_luks_header_sha(self, luks_info: dict) -> dict:
+def _detect_luks_header_sha(self, luks_info: dict) -> None:
     """Reads the hash algorithm from the LUKS header,
     enables the corresponding kernel module using _crypto_ciphers"""
     for keyslot in luks_info.get("keyslots", {}).values():
@@ -233,13 +233,19 @@ def _detect_luks_header_sha(self, luks_info: dict) -> dict:
             self["kernel_modules"] = self._crypto_ciphers[digest["hash"]]["driver"]
 
 
-def _detect_luks_header_integrity(self, luks_info: dict) -> dict:
+def _detect_luks_header_integrity(self, luks_info: dict, mapped_name: str) -> None:
     """Reads the integrity algorithm from the LUKS header,
     Enables the dm-integrity module, and returns the integrity type."""
     for segment in luks_info.get("segments", {}).values():
         if integrity_type := segment.get("integrity", {}).get("type"):
-            self["_kmod_auto"] = ["dm_integrity", "authenc"]
-            return integrity_type
+            integrity_kmods = ["dm_integrity", "authenc"]
+            if integrity_type.startswith("hmac"):
+                integrity_kmods.append("hmac")
+            self.logger.info(
+                f"[{c_(mapped_name, 'blue')}]({c_(integrity_type, 'cyan')}) Enabling kernel modules for dm-integrity: {c_(', '.join(integrity_kmods), 'magenta', bright=True)}"
+            )
+            self["cryptsetup"][mapped_name]["_dm-integrity"] = integrity_type
+            return
 
 
 @contains("cryptsetup_header_validation", "Skipping cryptsetup header validation.", log_level=30)
@@ -278,9 +284,7 @@ def _validate_cryptsetup_header(self, mapped_name: str) -> None:
 
     _detect_luks_header_aes(self, luks_info)
     _detect_luks_header_sha(self, luks_info)
-    if integrity_type := _detect_luks_header_integrity(self, luks_info):
-        self.logger.info(f"[{c_(mapped_name, 'blue')}] Detected dm-integrity type: {c_(integrity_type, 'cyan')}")
-        self["cryptsetup"][mapped_name]["_dm-integrity"] = integrity_type
+    _detect_luks_header_integrity(self, luks_info, mapped_name)
 
     if not self["argon2"]:  # if argon support was not detected, check if the header wants it
         for keyslot in luks_info.get("keyslots", {}).values():
