Merge pull request #969 from joseivanlopez/encryption_swap_methods_s390

Protected and Secure swap encryption

package/yast2-storage-ng.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Sep 25 08:09:53 UTC 2019 - José Iván López González <jlopez@suse.com>
+
+- Partitioner: allow encrypting swap with protected and secure
+  keys (part of jsc#SLE-7376).
+- Partitioner: allow importing mount points from encrypted swap
+  with protected and secure keys.
+- 4.2.42
+
 -------------------------------------------------------------------
 Mon Sep 23 11:08:38 UTC 2019 - David Diaz <dgonzalez@suse.com>
 

package/yast2-storage-ng.spec

@@ -16,7 +16,7 @@
 #
 
 Name:           yast2-storage-ng
-Version:        4.2.41
+Version:        4.2.42
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only
@@ -25,8 +25,8 @@ Url:            https://github.com/yast/yast-storage-ng
 
 Source:         %{name}-%{version}.tar.bz2
 
-# PlainEncyption
-BuildRequires:	libstorage-ng-ruby >= 4.2.4
+# Encryption#open_options
+BuildRequires:	libstorage-ng-ruby >= 4.2.13
 BuildRequires:  update-desktop-files
 # CWM::Dialog#next_handler (4.1 branch) and improved CWM::Dialog
 BuildRequires:  yast2 >= 4.1.11
@@ -47,8 +47,8 @@ BuildRequires:  rubygem(%{rb_default_ruby_abi}:parallel_tests)
 
 # findutils for xargs
 Requires:       findutils
-# PlainEncyption
-Requires:       libstorage-ng-ruby >= 4.2.4
+# Encryption#open_options
+Requires:       libstorage-ng-ruby >= 4.2.13
 # CWM::Dialog#next_handler (4.1 branch) and improved CWM::Dialog
 Requires:       yast2 >= 4.1.11
 # Y2Packager::Repository

src/lib/y2partitioner/actions/controllers/encryption.rb

@@ -32,11 +32,14 @@ class Encryption < Base
 
         # Action to perform when {#finish} is called
         #
+        # Possible values:
         # * :keep preserves the encryption layer from the system devicegraph
-        # * :encrypt adds an encryption device or modifies the previously added one
+        # * :encrypt adds an encryption device or replaces the previously added one
         # * :remove ensures the block device will not be encrypted
+        # * sanitize removes current encryption layer when it cannot be preserved, see
+        #   {#sanitize_encryption}
         #
-        # @return [Symbol] :keep, :encrypt, :remove
+        # @return [Symbol] :keep, :encrypt, :remove or :sanitize
         attr_accessor :action
 
         # @return [Y2Storage::EncryptionMethod] Encryption method
@@ -55,7 +58,7 @@ def initialize(fs_controller)
           @fs_controller = fs_controller
           @action = actions.first
           @password = encryption&.password || ""
-          @method = encryption&.method || Y2Storage::EncryptionMethod::LUKS1
+          @method = initial_method
         end
 
         # Whether the dialog to select and configure the action makes sense
@@ -68,24 +71,14 @@ def show_dialog?
         # Actions that make sense for the block device
         #
         # @see #action
+        # @see #calculate_actions
         #
-        # If there is more than one possible action, the user should be able to
-        # use the UI to select which one to perform
+        # If there is more than one possible action, the user should be able to use the UI to select
+        # which one to perform.
         #
         # @return [Array<Symbol>]
         def actions
-          return @actions if @actions
-
-          @actions =
-            if fs_controller.encrypt
-              if can_keep?
-                [:keep, :encrypt]
-              else
-                [:encrypt]
-              end
-            else
-              [:remove]
-            end
+          @actions ||= calculate_actions
         end
 
         # Whether there are more than one encryption methods available
@@ -108,22 +101,16 @@ def methods
             end
         end
 
-        # Applies last changes to the block device at the end of the wizard, which
-        # mainly means
+        # Applies last changes to the block device at the end of the wizard, which mainly means: sanitize
+        # current encryption layer or perform the proper finish action to create or remove the encryption
         #
-        #   * removing unused LvmPv descendant (bsc#1129663)
-        #   * encrypting the device, modifying the encryption layer or removing it
+        # @see #sanitize_encryption
+        # @see #perform_finish_action
         def finish
-          return unless can_change_encrypt?
-
-          remove_unused_lvm_pv
-
-          return if action == :keep
-
-          if action == :encrypt
-            finish_encrypt
-          else
-            finish_remove
+          if action == :sanitize
+            sanitize_encryption
+          elsif can_change_encrypt?
+            perform_finish_action
           end
         ensure
           fs_controller.update_checkpoint
@@ -137,6 +124,7 @@ def encryption
         end
 
         # Title to display in the dialog during the process
+        #
         # @return [String]
         def wizard_title
           title =
@@ -147,6 +135,7 @@ def wizard_title
             else
               _("Encrypt %s")
             end
+
           format(title, blk_device.name)
         end
 
@@ -156,6 +145,36 @@ def wizard_title
         #   device that will be modified by this controller
         attr_reader :fs_controller
 
+        # Initial encryption method
+        #
+        # Note that the encryption method used by the current encryption device might not be available.
+        #
+        # @return [Y2Storage::EncryptionMethod]
+        def initial_method
+          if methods.include?(encryption&.method)
+            encryption.method
+          else
+            Y2Storage::EncryptionMethod::LUKS1
+          end
+        end
+
+        # Calculate actions that make sense for the block device
+        #
+        # @see #actions
+        #
+        # @return [Array<Symbol>]
+        def calculate_actions
+          return [:remove] unless fs_controller.encrypt
+
+          if sanitize_encryption? && !show_dialog?
+            [:sanitize]
+          elsif can_keep?
+            [:keep, :encrypt]
+          else
+            [:encrypt]
+          end
+        end
+
         # Whether the device will be used as swap
         #
         # @return [Boolean] true when the device will be used as swap; false otherwise
@@ -189,6 +208,51 @@ def filesystem
           blk_device.filesystem
         end
 
+        # Performs the proper action (create or delete the encryption)
+        #
+        # @note Unused LvmPv descendant are removed (bsc#1129663)
+        #
+        # @see #finish_encrypt
+        # @see #finish_remove
+        def perform_finish_action
+          remove_unused_lvm_pv
+
+          return if action == :keep
+
+          if action == :encrypt
+            finish_encrypt
+          else
+            finish_remove
+          end
+        end
+
+        # Sanitizes (removes) the encryption layer when needed
+        #
+        # Note that the filesystem is also deleted when it exists on disk (see {#can_change_encrypt?}).
+        #
+        # @see #sanitize_encryption?
+        def sanitize_encryption
+          return unless sanitize_encryption?
+
+          if can_change_encrypt?
+            blk_device.remove_encryption
+          else
+            blk_device.remove_descendants
+          end
+        end
+
+        # Whether the current encryption layer should be removed
+        #
+        # Basically, when an original swap device was encrypted with an encryption method that is only
+        # available for swap but the device is not used as swap anymore.
+        #
+        # @return [Boolean]
+        def sanitize_encryption?
+          return false unless blk_device.encrypted?
+
+          !swap? && encryption.method&.only_for_swap?
+        end
+
         # Removes from the block device or its encryption layer a LvmPv not associated to an LvmVg
         # (bsc#1129663)
         def remove_unused_lvm_pv
@@ -227,6 +291,7 @@ def new_encryption?
         def can_keep?
           return false unless blk_device.encrypted?
           return false if new?(encryption)
+          return false if sanitize_encryption?
 
           encryption.active?
         end

src/lib/y2partitioner/actions/controllers/fstabs.rb

@@ -454,7 +454,7 @@ def add_crypttab_names_to(devicegraph)
 
           return fixed_devicegraph unless crypttab
 
-          Y2Storage::Encryption.save_crypttab_names(fixed_devicegraph, crypttab)
+          crypttab.save_encryption_names(fixed_devicegraph)
           fixed_devicegraph
         end
 
@@ -465,34 +465,36 @@ def crypttab
           disk_analyzer.crypttabs.find { |c| c.filesystem == selected_fstab.filesystem }
         end
 
-        # Whether the device represents a not probed plain encryption with random password for swap
+        # Whether the given device represents a not probed encryption generated by a swap encryption
+        # method
         #
         # Note that no headers are written into the device when using plain encryption (which is the
         # underlying technology used for randomly encrypted swaps). For this reason, plain encryption
         # devices are only probed for the root filesystem by parsing its crypttab file.
         #
-        # A plain encryption device could be created when searching for a device from a fstab entry, see
-        # {Y2Storage::Encryption.save_crypttab_names}.
+        # A plain encryption device might be created when searching for a device from a fstab entry, see
+        # {Y2Storage::Crypttab.save_encryption_names}.
         #
         # @param device [Y2Storage::Device]
         # @return [Boolean]
         def missing_swap_encryption?(device)
-          missing_device?(device) && random_password_swap?(device)
+          missing_device?(device) && swap_encryption?(device)
         end
 
-        # Whether the device is missing in the probed devicegraph
+        # Whether the given device is missing in the probed devicegraph
         #
         # @param device [Y2Storage::Device]
         # @return [Boolean]
         def missing_device?(device)
           !device.exists_in_devicegraph?(system_graph)
         end
 
-        # Whether the device represents a plain encrypted swap with random password
+        # Whether the given device is an encryption generated by a swap encryption method
         #
+        # @param device [Y2Storage::Encryption]
         # @return [Boolean]
-        def random_password_swap?(device)
-          device.is?(:encryption) && device.method.is?(:random_swap)
+        def swap_encryption?(device)
+          device.is?(:encryption) && device.method.only_for_swap?
         end
       end
     end