LUKS2 enablement: alternative take #1383

Merged
merged 4 commits into from
May 8, 2024

@ancorgs ancorgs commented May 3, 2024

Problem

We have been discussing for some time how to make LUKS2 easily configurable (and the default option) when installing Tumbleweed with YaST.

This relatively old comment summarizes my proposal, which was:

  • Make LUKS2 always available in the Expert Partitioner.
  • Make the storage proposal (a.k.a. Guided Setup) more configurable via control.xml. So Tumbleweed can set the encryption method and the key derivation function to be used by the proposal (LUKS2 + PBKDF2 is the most-compatible configuration right now).
  • Always use LUKS2 + PBKDF2 as default value in the Expert Partitioner form for encryption (same rationale about compatibility).

Solution

This pull request implements exactly that. One commit per item.

There are no user-visible changes in the installation workflow or in the Guided Setup. YaST will now simply use LUKS2 and PBKDF2 if configured to do so at control.xml and the user decided to encrypt the system.

The default encryption step at the Expert Partitioner now looks like this (for all systems, it does not depend on control.xml).

[Screenshot: default_partitioner]

Testing

I just did some preliminary manual tests of the Partitioner (see screenshot above).

coveralls commented May 3, 2024

Coverage Status

coverage: 97.8% (-0.002%) from 97.802%
when pulling 57dc977 on ancorgs:luks2_configurable
into 0e39eba on yast:master.

lnussel commented May 7, 2024

Sounds good. Who can put an official review on this?

@joseivanlopez joseivanlopez left a comment

I only miss changelog and new version.

ancorgs commented May 7, 2024

> I only miss changelog and new version.

Added.

@joseivanlopez joseivanlopez left a comment

LGTM

@ancorgs ancorgs merged commit f54c8c4 into yast:master May 8, 2024
7 checks passed

yast-bot commented May 8, 2024

✔️ Internal Jenkins job #1156 successfully finished
✔️ Created OBS submit request #1172660

lnussel commented May 16, 2024

What does the control.xml snippet have to look like for that?

schubi2 commented May 16, 2024

E.g.:

<partitioning>
    <expert_partitioner_warning config:type="boolean">false</expert_partitioner_warning>

    <proposal>
        <lvm config:type="boolean">false</lvm>
        <encryption_method>luks2</encryption_method>
        <encryption_pbkdf>argon2i</encryption_pbkdf>
    </proposal>
</partitioning>
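
One way to check a product's control.xml for the two proposal settings discussed in this thread, as an added example that is not part of the conversation or of YaST's own code. The root element with its namespace declarations, the list of PBKDF names and the function names are assumptions.

```ruby
require "rexml/document"

# PBKDF names cryptsetup accepts for LUKS2; assumed to be the identifiers
# YaST takes in <encryption_pbkdf> (the thread itself shows only argon2i).
KNOWN_PBKDFS = %w[pbkdf2 argon2i argon2id].freeze

# Constructed sample: the thread's snippet, closed and wrapped in a root
# element that declares the config: prefix (assumed control.xml root).
SAMPLE = <<~XML
  <productDefines xmlns="http://www.suse.com/1.0/yast2ns"
                  xmlns:config="http://www.suse.com/1.0/configns">
    <partitioning>
      <proposal>
        <lvm config:type="boolean">false</lvm>
        <encryption_method>luks2</encryption_method>
        <encryption_pbkdf>argon2i</encryption_pbkdf>
      </proposal>
    </partitioning>
  </productDefines>
XML

# Depth-first lookup by local name, independent of the default namespace.
def find_element(node, name)
  return node if node.name == name
  node.children.grep(REXML::Element).each do |child|
    found = find_element(child, name)
    return found if found
  end
  nil
end

# Returns { method:, pbkdf: } as set under <partitioning>/<proposal>.
def proposal_encryption(xml)
  part = find_element(REXML::Document.new(xml).root, "partitioning")
  proposal = part && find_element(part, "proposal")
  read = ->(tag) { proposal && find_element(proposal, tag)&.text&.strip }
  { method: read.call("encryption_method"), pbkdf: read.call("encryption_pbkdf") }
end

# Findings for whoever reviews the product definition before it ships.
def audit_proposal(xml)
  enc, pbkdf = proposal_encryption(xml).values_at(:method, :pbkdf)
  out = []
  out << "encryption_method is not set, so LUKS2 is not requested" if enc.nil?
  out << "unknown encryption_pbkdf '#{pbkdf}'" if pbkdf && !KNOWN_PBKDFS.include?(pbkdf)
  out << "encryption_pbkdf is set without encryption_method luks2" if pbkdf && enc != "luks2"
  out << "LUKS2 with #{pbkdf || 'no explicit PBKDF'}: not the LUKS2 + PBKDF2 " \
         "pairing the PR describes as most compatible" if enc == "luks2" && pbkdf != "pbkdf2"
  out
end
```

`audit_proposal(SAMPLE)` returns a single finding for the argon2i setting, and an empty list once the PBKDF is changed to pbkdf2.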

lnussel commented May 16, 2024
