Investigate possible issue with BitLocker being detected as encrypted #1197

Closed
Torxed opened this issue May 16, 2022 · 2 comments · Fixed by #1201
Labels
bug Something isn't working Security Issue Security related issues
Torxed commented May 16, 2022

There appears to be an issue with mainly "encrypted": True encrypting the drive despite the filesystem format being invalid.
In the below scenario, the filesystem BitLocker will bail because it's an alien filesystem type. But it will happily encrypt the drive wiping anything inside.

There also appears to be an issue with `"encrypted": true` being set despite never setting it in the manual tool. Which is another issue we need to investigate.

A user_disk_layout.json example

```json
{
  "/dev/nvme0n1": {
    "partitions": [
      {
        "ESP": true,
        "PARTUUID": "c3ddf24b-e29a-48eb-bdf2-5471d6c63982",
        "boot": true,
        "encrypted": false,
        "filesystem": { "format": "vfat" },
        "mountpoint": "/boot",
        "size": 307200,
        "start": 2048,
        "type": "primary",
        "wipe": false
      },
      {
        "ESP": false,
        "PARTUUID": "20676392-a478-444b-a4ef-ccf481554d4d",
        "boot": false,
        "encrypted": true,
        "filesystem": { "format": "" },
        "generate-encryption-key-file": true,
        "mountpoint": null,
        "size": 262144,
        "start": 309248,
        "type": "primary",
        "wipe": false
      },
      {
        "ESP": false,
        "PARTUUID": "7f40c607-ff78-406d-8208-011c0767637e",
        "boot": false,
        "encrypted": true,
        "filesystem": { "format": "BitLocker" },
        "generate-encryption-key-file": true,
        "mountpoint": null,
        "size": 299753472,
        "start": 571392,
        "type": "primary",
        "wipe": false
      },
      {
        "ESP": false,
        "PARTUUID": "91cf08a2-a41a-4cdc-84fb-8cf9d1a8a1c5",
        "boot": false,
        "encrypted": true,
        "filesystem": { "format": "ext4" },
        "mountpoint": "/",
        "size": 147671040,
        "start": 300324864,
        "type": "primary",
        "wipe": true
      },
      {
        "ESP": false,
        "PARTUUID": "94972435-f8c1-42f3-bb55-09cd221202ff",
        "boot": false,
        "encrypted": true,
        "filesystem": { "format": "" },
        "generate-encryption-key-file": true,
        "mountpoint": null,
        "size": 16777216,
        "start": 447995904,
        "type": "primary",
        "wipe": false
      },
      {
        "ESP": false,
        "PARTUUID": "b582d97e-d680-4e0f-89e1-fecc113a4043",
        "boot": false,
        "encrypted": true,
        "filesystem": { "format": "ntfs" },
        "generate-encryption-key-file": true,
        "mountpoint": null,
        "size": 2027520,
        "start": 464775168,
        "type": "primary",
        "wipe": false
      },
      {
        "ESP": false,
        "PARTUUID": "c86e4277-7708-4f8d-886a-b61925ef8046",
        "boot": false,
        "encrypted": true,
        "filesystem": { "format": "ntfs" },
        "generate-encryption-key-file": true,
        "mountpoint": null,
        "size": 30468096,
        "start": 466802688,
        "type": "primary",
        "wipe": false
      },
      {
        "ESP": false,
        "PARTUUID": "01914a4a-566a-4d1d-8e6d-4b42ced48dda",
        "boot": false,
        "encrypted": true,
        "filesystem": { "format": "ntfs" },
        "generate-encryption-key-file": true,
        "mountpoint": null,
        "size": 2844672,
        "start": 497272832,
        "type": "primary",
        "wipe": false
      }
    ]
  }
}
```


@Torxed Torxed added bug Something isn't working Security Issue Security related issues labels May 16, 2022
@Torxed Torxed added this to the v2.4.3 milestone May 16, 2022
Torxed commented May 17, 2022

After some investigation and debugging by a patient discord user, it's the mark as encrypted that marks all partitions as encrypted.

So this is where the menu system exits and initiates a check:

```python
if self._data_store.get('harddrives', None) and self._data_store.get('!encryption-password', None):
    # If no partitions was marked as encrypted, but a password was supplied and we have some disks to format..
    # Then we need to identify which partitions to encrypt. This will default to / (root).
    if len(list(encrypted_partitions(storage['arguments'].get('disk_layouts', [])))) == 0:
        storage['arguments']['disk_layouts'] = select_encrypted_partitions(
            storage['arguments']['disk_layouts'], storage['arguments']['!encryption-password'])
```

And that calls this buggy function:

```python
def select_encrypted_partitions(block_devices: dict, password: str) -> dict:
    for device in block_devices:
        for partition in block_devices[device]['partitions']:
            if partition.get('mountpoint', None) != '/boot':
                partition['encrypted'] = True
                partition['!password'] = password
                if not has_mountpoint(partition,'/'):
                    # Tell the upcoming steps to generate a key-file for non root mounts.
                    partition['generate-encryption-key-file'] = True
    return block_devices
```

I thought we corrected this way way way back..
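An added example, not archinstall's code and not the change made in #1201: it runs the selection logic quoted above on a constructed layout shaped like the one in the issue, next to a hypothetical root-only selector, and uses an audit helper to list partitions that end up flagged for encryption although `wipe` is false. The names `select_all_non_boot`, `select_root_only`, `at_risk` and `SAMPLE_LAYOUT` are assumptions made for this illustration.

```python
# Constructed sample modelled on the issue's layout (UUIDs, sizes and offsets omitted).
SAMPLE_LAYOUT = {
    "/dev/nvme0n1": {"partitions": [
        {"mountpoint": "/boot", "filesystem": {"format": "vfat"}, "wipe": False},
        {"mountpoint": None, "filesystem": {"format": "BitLocker"}, "wipe": False},
        {"mountpoint": "/", "filesystem": {"format": "ext4"}, "wipe": True},
        {"mountpoint": None, "filesystem": {"format": "ntfs"}, "wipe": False},
    ]}
}


def select_all_non_boot(layout: dict, password: str) -> dict:
    """Same behaviour as the quoted function: every non-/boot partition is flagged.

    has_mountpoint() is replaced by a direct comparison to stay self-contained.
    """
    for device in layout.values():
        for part in device["partitions"]:
            if part.get("mountpoint") != "/boot":
                part["encrypted"] = True
                part["!password"] = password
                if part.get("mountpoint") != "/":
                    part["generate-encryption-key-file"] = True
    return layout


def select_root_only(layout: dict, password: str) -> dict:
    """Hypothetical narrower default: flag only the partition mounted at /."""
    for device in layout.values():
        for part in device["partitions"]:
            if part.get("mountpoint") == "/":
                part["encrypted"] = True
                part["!password"] = password
    return layout


def at_risk(layout: dict) -> list:
    """Partitions flagged for encryption even though they are not meant to be wiped."""
    return [
        (path, index, part["filesystem"]["format"])
        for path, device in layout.items()
        for index, part in enumerate(device["partitions"])
        if part.get("encrypted") and not part.get("wipe")
    ]


if __name__ == "__main__":
    import copy
    print(at_risk(select_all_non_boot(copy.deepcopy(SAMPLE_LAYOUT), "pw")))
    print(at_risk(select_root_only(copy.deepcopy(SAMPLE_LAYOUT), "pw")))
```
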

Torxed commented May 17, 2022

Verified that only 1 and 2 got encrypted as selected:

screenshot
