Merge pull request #1383 from ancorgs/luks2_configurable

LUKS2 enablement: alternative take

package/yast2-storage-ng.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue May  7 14:38:42 UTC 2024 - Ancor Gonzalez Sosa <ancor@suse.com>
+
+- Proposal: Make the encryption method and the key derivation
+  function configurable by product.
+- Partitioner: LUKS2 is always available and used by default, with
+  PBKDF2 as default derivation function (related to bsc#1185291).
+- 5.0.14
+
 -------------------------------------------------------------------
 Wed Apr 24 07:48:08 UTC 2024 - Ancor Gonzalez Sosa <ancor@suse.com>
 

package/yast2-storage-ng.spec

@@ -16,7 +16,7 @@
 #
 
 Name:           yast2-storage-ng
-Version:        5.0.13
+Version:        5.0.14
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only

src/lib/y2partitioner/actions/controllers/encryption.rb

@@ -71,8 +71,8 @@ def initialize(fs_controller)
           @fs_controller = fs_controller
           @action = actions.first
           @password = encryption&.password || ""
-          @pbkdf = encryption&.pbkdf
           @method = initial_method
+          @pbkdf = initial_pbkdf
           @apqns = initial_apqns
           @label = initial_label
         end
@@ -215,10 +215,22 @@ def initial_method
           if methods.include?(encryption&.method)
             encryption.method
           else
-            Y2Storage::EncryptionMethod::LUKS1
+            Y2Storage::EncryptionMethod::LUKS2
           end
         end
 
+        # Initial password-based key derivation function, if relevant
+        #
+        # @return [Y2Storage::PbkdFunction, nil]
+        def initial_pbkdf
+          function = encryption&.pbkdf
+          return function unless function.nil? && method.is?(:luks2)
+
+          # Hardcoded conservative default, we can either change it or make it configurable
+          # (see Y2Storage::Configuration) in the future if needed.
+          Y2Storage::PbkdFunction::PBKDF2
+        end
+
         # Currently used APQNs when the device is encrypted with pervasive encryption
         #
         # @return [Array<Y2Storage::EncryptionProcesses::Apqn>]

src/lib/y2storage/encryption_method/luks2.rb

@@ -60,12 +60,6 @@ def create_device(blk_device, dm_name, pbkdf: nil, label: "")
         encryption_process.create_device(blk_device, dm_name, pbkdf: pbkdf, label: label)
       end
 
-      # @see Base#available?
-      def available?
-        # jsc#PED-3878 and jsc#GEHC-6
-        Yast::Mode.auto || StorageEnv.instance.luks2_available?
-      end
-
       private
 
       # @see Base#encryption_process

src/lib/y2storage/proposal_settings.rb

@@ -448,9 +448,18 @@ def load_features
 
     # Loads the default encryption settings
     #
-    # The encryption settings are not part of control.xml, but can be injected by a previous step of
+    # The default encryption settings can be read from control.xml.
+    #
+    # Additionally, the encryption password can be injected by a previous step of
     # the installation, eg. the dialog of the Common Criteria system role
     def load_encryption
+      enc_method = EncryptionMethod.find(feature(:proposal, :encryption_method).to_s)
+      self.encryption_method = enc_method if enc_method
+
+      enc_pbkdf = PbkdFunction.find(feature(:proposal, :encryption_pbkdf))
+      self.encryption_pbkdf = enc_pbkdf if enc_pbkdf
+
+      # Password potentially injected by a previous step
       enc = feature(:proposal, :encryption)
 
       return unless enc

src/lib/y2storage/storage_env.rb

@@ -32,13 +32,11 @@ class StorageEnv
 
     ENV_ACTIVATE_LUKS = "YAST_ACTIVATE_LUKS".freeze
 
-    ENV_LUKS2_AVAILABLE = "YAST_LUKS2_AVAILABLE".freeze
-
     ENV_LIBSTORAGE_IGNORE_PROBE_ERRORS = "LIBSTORAGE_IGNORE_PROBE_ERRORS".freeze
 
     ENV_REUSE_LVM = "YAST_REUSE_LVM".freeze
 
-    private_constant :ENV_MULTIPATH, :ENV_BIOS_RAID, :ENV_ACTIVATE_LUKS, :ENV_LUKS2_AVAILABLE
+    private_constant :ENV_MULTIPATH, :ENV_BIOS_RAID, :ENV_ACTIVATE_LUKS
     private_constant :ENV_LIBSTORAGE_IGNORE_PROBE_ERRORS
     private_constant :ENV_REUSE_LVM
 
@@ -82,16 +80,6 @@ def activate_luks?
       active?(ENV_ACTIVATE_LUKS, default: true)
     end
 
-    # Whether YaST should offer the encryption method for regular LUKS2
-    #
-    # See jsc#SLE-21309 where is stated that YaST support to setup LUKS2 devices should be
-    # "available only via a special Linuxrc option and communicated as a tech preview".
-    #
-    # @return [Boolean]
-    def luks2_available?
-      active?(ENV_LUKS2_AVAILABLE, default: false)
-    end
-
     # Whether YaST should reuse existing LVM
     #
     # see jsc#PED-6407 or jsc#IBM-1315

test/y2partitioner/actions/controllers/encryption_test.rb

@@ -54,7 +54,7 @@
       let(:dev_name) { "/dev/vda2" }
 
       it "assigns the default encryption method" do
-        expect(subject.method.is?(:luks1)).to eq(true)
+        expect(subject.method.is?(:luks2)).to eq(true)
       end
     end
 
@@ -78,7 +78,7 @@
         end
 
         it "assigns the default encryption method" do
-          expect(subject.method.is?(:luks1)).to eq(true)
+          expect(subject.method.is?(:luks2)).to eq(true)
         end
       end
     end