-
Notifications
You must be signed in to change notification settings - Fork 19
/
tpm_fde_tools.rb
125 lines (105 loc) · 3.88 KB
/
tpm_fde_tools.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# Copyright (c) [2023] SUSE LLC
#
# All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of version 2 of the GNU General Public License as published
# by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, contact SUSE LLC.
#
# To contact SUSE LLC about this file by physical or electronic mail, you may
# find current contact information at www.suse.com.
require "yast2/execute"
require "yast"
require "y2storage/encryption_type"
require "y2storage/encryption_processes/fde_tools"
require "y2storage/encryption_processes/fde_tools_config"
Yast.import "Mode"
module Y2Storage
module EncryptionProcesses
# Encryption process that ...
class TpmFdeTools < Base
CRYPT_OPTIONS = ["x-initrd.attach"]
private_constant :CRYPT_OPTIONS
KEY_FILE_NAME = "/.fde-virtual.key".freeze
private_constant :KEY_FILE_NAME
def self.key_file_name
KEY_FILE_NAME.dup
end
class << self
attr_accessor :devices
end
# Creates an encryption layer over the given block device
#
# @param blk_device [Y2Storage::BlkDevice]
# @param dm_name [String]
# @param label [String] optional LUKS2 label
#
# @return [Encryption]
def create_device(blk_device, dm_name, label: nil)
enc = super(blk_device, dm_name)
enc.label = label if label
# TODO: Check if this is really relevant or this configuration value affects only
# the slots added by fde-tools
enc.pbkdf = FdeToolsConfig.instance.pbkd_function
enc.crypt_options |= CRYPT_OPTIONS
enc.key_file = self.class.key_file_name
enc.use_key_file_in_commit = false
enc
end
# @see Base#encryption_type
def encryption_type
EncryptionType::LUKS2
end
# @see Base#post_commit
#
# TODO: this implemented only for the installation case. In an installed system the procedure
# would be completely different and will likely include steps like configuring the fde-tools,
# calling "fdectl regenerate-key" and regenerating initrd and the bootloader configuration.
#
# @param device [Encryption] encryption that has just been created in the system
def post_commit(device)
return unless Yast::Mode.installation
self.class.devices ||= []
self.class.devices << device
end
# @see Base#finish_installation
def finish_installation
# This process is only needed once
return if self.class.devices.empty?
return unless configure_fde_tools(self.class.devices)
fde = FdeTools.new(recovery_password)
fde.add_secondary_password && fde.add_secondary_key && fde.enroll_service&.enable
# Mark as done
self.class.devices = []
end
# @see Base#commit_features
def commit_features
# In installation mode is needed to ensure the enroll service is present in the new system.
# In an installed system is needed in order to be able to execute the fdectl commands.
[YastFeature::ENCRYPTION_TPM_FDE]
end
private
def configure_fde_tools(devices)
plain_devices = plain_names(devices)
config = FdeToolsConfig.instance
config.devices = plain_devices
# Check if everything went well
config.devices == plain_devices
end
def plain_names(devices)
devices.map { |d| d.plain_device.preferred_name }.sort
end
def recovery_password
self.class.devices.first.password
end
end
end
end