secboot: use uuid of luks2 instead of partition #14400
Conversation
valentindavid
added
FDE Manager
valentindavid
force-pushed
the
valentindavid/use-luks2-uuid
branch
from
88e9db9
to
195df00
Compare
valentindavid
force-pushed
the
valentindavid/use-luks2-uuid
branch
from
195df00
to
fef4bf4
Compare
valentindavid
force-pushed
the
valentindavid/use-luks2-uuid
branch
5 times, most recently
from
c9cb79d
to
6491f5f
Compare
osutil/disks/disks_linux.go
Outdated
| func PartitionUUIDFromMountPoint(mountpoint string, opts *Options) (string, error) { | ||
| var dmUUIDRe = regexp.MustCompile(`^CRYPT-(?P<type>.*)-(?P<uuid1>[0-9a-f]{8})(?P<uuid2>[0-9a-f]{4})(?P<uuid3>[0-9a-f]{4})(?P<uuid4>[0-9a-f]{4})(?P<uuid5>[0-9a-f]{12})-(?P<name>.*)$`) | ||
|
|
||
| func DmCryptUUIDFromMountPoint(mountpoint string) (string, error) { |
There was a problem hiding this comment.
maybe MapperCryptUUID... or DeviceMapper.., or simply DMCrypt... ?
| @@ -963,41 +964,40 @@ func AllPhysicalDisks() ([]Disk, error) { | |||
| return disks, nil | |||
| } | |||
|
|
|||
| // PartitionUUIDFromMountPoint returns the UUID of the partition which is a | |||
| // source of a given mount point. | |||
| func PartitionUUIDFromMountPoint(mountpoint string, opts *Options) (string, error) { | |||
There was a problem hiding this comment.
This doesn't seem to have been used in non-encryption contexts, so the change should be fine
osutil/disks/disks_linux.go
Outdated
| func PartitionUUIDFromMountPoint(mountpoint string, opts *Options) (string, error) { | ||
| var dmUUIDRe = regexp.MustCompile(`^CRYPT-(?P<type>.*)-(?P<uuid1>[0-9a-f]{8})(?P<uuid2>[0-9a-f]{4})(?P<uuid3>[0-9a-f]{4})(?P<uuid4>[0-9a-f]{4})(?P<uuid5>[0-9a-f]{12})-(?P<name>.*)$`) | ||
|
|
||
| func DmCryptUUIDFromMountPoint(mountpoint string) (string, error) { |
There was a problem hiding this comment.
This would need a function description
| } | ||
|
|
||
| // PartitionUUID returns the UUID of a given partition | ||
| func PartitionUUID(node string) (string, error) { | ||
| func FilesystemUUID(node string) (string, error) { |
There was a problem hiding this comment.
This would need tests in the package, and a description
There was a problem hiding this comment.
still doesn't seem to have tests
osutil/disks/disks_darwin.go
Outdated
There was a problem hiding this comment.
Wouldn't this need a definition of the new package functions?
There was a problem hiding this comment.
I have opened #14557 to enable the tests.
There was a problem hiding this comment.
I was expecting a failure but nothing happened.
valentindavid
force-pushed
the
valentindavid/use-luks2-uuid
branch
from
825af20
to
c53f1be
Compare
| if err != nil { | ||
| return res, fmt.Errorf("error enumerating partitions for disk to find unencrypted device %q: %v", name, err) | ||
| } | ||
| } | ||
|
|
||
| partDevice := filepath.Join("/dev/disk/by-partuuid", partUUID) | ||
| partDevice := filepath.Join("/dev/disk/by-partuuid", part.PartitionUUID) |
There was a problem hiding this comment.
is it intentional to keep using by-partuuid here?
There was a problem hiding this comment.
That requires more changes in snap-bootstrap. For now it is not needed. The main point here is to simplify everywhere where we need to get keys from keyring.
We will probably have to refactor snap-bootstrap to match primary keys, and we can do that refactoring in the same time.
| } | ||
|
|
||
| // PartitionUUID returns the UUID of a given partition | ||
| func PartitionUUID(node string) (string, error) { | ||
| func FilesystemUUID(node string) (string, error) { |
There was a problem hiding this comment.
still doesn't seem to have tests
valentindavid
force-pushed
the
valentindavid/use-luks2-uuid
branch
from
c53f1be
to
1921cff
Compare
`by-partuuid` does not make much sense because it uselessly assumes that it is a partition. Conceptually we should not care about it. It also makes the resolution more complex as we need to fetch information about the device which we do not really need at this point. It is more common to resolve by filesystem UUID than part UUID. For instance cryptsetup accepts path as `UUID=deadbeef-dead-dead-dead-deaddeafbeef`. But it does not accept this kind of syntax for partitions.
valentindavid
force-pushed
the
valentindavid/use-luks2-uuid
branch
from
39026f3
to
8df73a3
Compare
|
|
pedronis
merged commit 663bc3b
into
canonical:fde-manager-features
by-partuuiddoes not make much sense because it uselessly assumes that it is a partition. Conceptually we should not care about it. It also makes the resolution more complex as we need to fetch information about the device which we do not really need at this point.It is more common to resolve by filesystem UUID than part UUID. For instance cryptsetup accepts path as
UUID=deadbeef-dead-dead-dead-deaddeafbeef. But it does not accept this kind of syntax for partitions.We will also need to register the old paths with something like canonical/secboot#331