New logic to type LUKS passphrase in grub phase

https://progress.opensuse.org/issues/151393
os-autoinst · Dec 13, 2023 · 34f3321 · 34f3321
1 parent 59e4764
commit 34f3321
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 31 deletions.
diff --git a/lib/grub_utils.pm b/lib/grub_utils.pm
@@ -34,7 +34,7 @@ sub grub_test {
 
     reconnect_mgmt_console if is_pvm;
     handle_installer_medium_bootup();
-    workaround_type_encrypted_passphrase;
+    unlock_bootloader;
     # 60 due to rare slowness e.g. multipath poo#11908
     # 90 as a workaround due to the qemu backend fallout
     assert_screen('grub2', $timeout);

diff --git a/lib/opensusebasetest.pm b/lib/opensusebasetest.pm
@@ -458,7 +458,7 @@ sub wait_grub {
     }
     elsif (match_has_tag('encrypted-disk-password-prompt-grub')) {
         # unlock encrypted disk before grub
-        workaround_type_encrypted_passphrase;
+        unlock_bootloader;
         assert_screen("grub2", timeout => ((is_pvm) ? 300 : 90));
     }
     mutex_wait 'support_server_ready' if get_var('USE_SUPPORT_SERVER');
@@ -511,7 +511,7 @@ sub wait_grub_to_boot_on_local_disk {
         check_screen('encrypted-disk-password-prompt', 10);
     }
     if (match_has_tag('encrypted-disk-password-prompt')) {
-        workaround_type_encrypted_passphrase;
+        unlock_bootloader;
         assert_screen('grub2');
     }
 }
@@ -541,7 +541,7 @@ sub reconnect_s390 {
     else {
         my $worker_hostname = get_required_var('WORKER_HOSTNAME');
         my $virsh_guest = get_required_var('VIRSH_GUEST');
-        workaround_type_encrypted_passphrase if get_var('S390_ZKVM');
+        unlock_bootloader if get_var('S390_ZKVM');
 
         select_console('svirt');
         save_svirt_pty;
@@ -905,8 +905,10 @@ sub wait_boot {
     }
     reconnect_xen if check_var('VIRSH_VMM_FAMILY', 'xen');
 
-    # on s390x svirt encryption is unlocked with workaround_type_encrypted_passphrase before here
-    unlock_if_encrypted unless get_var('S390_ZKVM');
+    # on s390x svirt encryption is unlocked with unlock_bootloader before here
+    if (need_passphrase_again) {
+        unlock_if_encrypted unless get_var('S390_ZKVM');
+    }
 
     $self->wait_boot_past_bootloader(%args);
     $self->{in_wait_boot} = 0;

diff --git a/lib/utils.pm b/lib/utils.pm
@@ -11,7 +11,7 @@ use warnings;
 use testapi qw(is_serial_terminal :DEFAULT);
 use lockapi 'mutex_wait';
 use mm_network;
-use version_utils qw(is_sle_micro is_microos is_leap is_public_cloud is_sle is_sle12_hdd_in_upgrade is_storage_ng is_jeos package_version_cmp is_transactional);
+use version_utils qw(is_alp is_sle_micro is_microos is_leap is_leap_micro is_public_cloud is_sle is_sle12_hdd_in_upgrade is_storage_ng is_jeos package_version_cmp is_transactional);
 use Utils::Architectures;
 use Utils::Systemd qw(systemctl disable_and_stop_service);
 use Utils::Backends;
@@ -50,8 +50,9 @@ our @EXPORT = qw(
   zypper_patches
   zypper_install_available
   set_zypper_lock_timeout
-  workaround_type_encrypted_passphrase
+  unlock_bootloader
   is_boot_encrypted
+  need_passphrase_again
   is_bridged_networking
   set_bridged_networking
   assert_screen_with_soft_timeout
@@ -1005,12 +1006,11 @@ sub set_zypper_lock_timeout {
     script_run("export ZYPP_LOCK_TIMEOUT='$timeout'");
 }
 
-=head2 workaround_type_encrypted_passphrase
+=head2 unlock_bootloader
 
- workaround_type_encrypted_passphrase();
+ unlock_bootloader();
 
-Record soft-failure for unresolved feature fsc#320901 which we think is
-important and then unlock encrypted boot partitions if we expect it to be
+Unlock encrypted boot partitions if we expect it to be
 encrypted. This condition is met on 'storage-ng' which by default puts the
 boot partition within the encrypted LVM same as in test scenarios where we
 explicitly create an LVM including boot (C<FULL_LVM_ENCRYPT>). C<ppc64le> was
@@ -1019,14 +1019,8 @@ anymore for storage-ng.
 
 =cut
 
-sub workaround_type_encrypted_passphrase {
-    # nothing to do if the boot partition is not encrypted in FULL_LVM_ENCRYPT
-    return unless is_boot_encrypted();
-    record_info(
-        "LUKS pass", "Workaround for 'Provide kernel interface to pass LUKS password from bootloader'.\n" .
-          'For further info, please, see https://fate.suse.com/320901, https://jira.suse.com/browse/SLE-2941, ' .
-          'https://jira.suse.com/browse/SLE-3976') if is_sle('12-SP4+');
-    unlock_if_encrypted;
+sub unlock_bootloader {
+    unlock_if_encrypted if is_boot_encrypted();
 }
 
 =head2 is_boot_encrypted
@@ -1057,6 +1051,24 @@ sub is_boot_encrypted {
     return 1;
 }
 
+=head2 need_passphrase_again
+
+ need_passphrase_again();
+
+With newer grub2 (in TW and SLE15-SP6 currently), if root disk is encrypted and
+contains `/boot`, entering the passphrase in GRUB2 is enough. The key is passed
+on during boot, so it's not asked for a second time.
+We need to enter the passphrase again if there are separate partitions encrypted
+without LVM configuration (cr_swap,cr_home etc).
+
+=cut
+
+sub need_passphrase_again {
+    my $need_passphrase_again = is_leap('<15.6') || is_sle('<15-sp6') || is_leap_micro || is_sle_micro || is_alp || (!get_var('LVM', '0') && !get_var('FULL_LVM_ENCRYPT', '0'));
+    return 0 if is_boot_encrypted && !$need_passphrase_again;
+    return 1;
+}
+
 =head2 is_bridged_networking
 
  is_bridged_networking();

diff --git a/tests/boot/grub_test_snapshot.pm b/tests/boot/grub_test_snapshot.pm
@@ -12,7 +12,7 @@ use warnings;
 use base 'opensusebasetest';
 use testapi;
 use power_action_utils 'power_action';
-use utils qw(workaround_type_encrypted_passphrase reconnect_mgmt_console);
+use utils qw(unlock_bootloader reconnect_mgmt_console);
 use bootloader_setup qw(stop_grub_timeout boot_into_snapshot change_grub_config);
 use Utils::Backends 'is_pvm';
 use Utils::Architectures qw(is_aarch64);

diff --git a/tests/installation/boot_encrypt.pm b/tests/installation/boot_encrypt.pm
@@ -12,16 +12,9 @@ use strict;
 use warnings;
 use base "installbasetest";
 use utils;
-use testapi qw(check_var get_var record_info);
-use version_utils qw(is_leap is_sle is_leap_micro is_sle_micro is_alp);
 
 sub run {
-    # With newer grub2 (in TW only currently), entering the passphrase in GRUB2
-    # is enough. The key is passed on during boot, so it's not asked for
-    # a second time.
-    return if is_boot_encrypted && !is_leap && !is_sle && !is_leap_micro && !is_sle_micro && !is_alp;
-
-    unlock_if_encrypted(check_typed_password => 1);
+    unlock_if_encrypted(check_typed_password => 1) if need_passphrase_again;
 }
 
 1;
diff --git a/tests/x11/reboot_and_install.pm b/tests/x11/reboot_and_install.pm
@@ -12,7 +12,7 @@ use warnings;
 
 use testapi;
 use Utils::Architectures;
-use utils 'workaround_type_encrypted_passphrase';
+use utils 'unlock_bootloader';
 use power_action_utils 'power_action';
 use version_utils 'is_sle12_hdd_in_upgrade';
 
@@ -22,7 +22,7 @@ use registration;
 sub run {
     # reboot from previously booted hdd to do pre check or change e.g. before upgrade
     power_action('reboot');
-    workaround_type_encrypted_passphrase;
+    unlock_bootloader;
 
     # If the target has a different version, make sure the matching needles are used
     # for the bootmenu below already.