
curtin-dev team mailing list archive

[Merge] ~dbungert/curtin:cryptoswap-dmc-type into curtin:master

 

Dan Bungert has proposed merging ~dbungert/curtin:cryptoswap-dmc-type into curtin:master.

Commit message:
cryptoswap: fix changing type

At create time, it was LUKS2, but it would change to PLAIN on first
boot, causing problems when attempting to actually use the device



Requested reviews:
  curtin developers (curtin-dev)

For more details, see:
https://code.launchpad.net/~dbungert/curtin/+git/curtin/+merge/460874
-- 
Your team curtin developers is requested to review the proposed merge of ~dbungert/curtin:cryptoswap-dmc-type into curtin:master.
diff --git a/curtin/commands/block_meta.py b/curtin/commands/block_meta.py
index 9fde9c6..e2e99e3 100644
--- a/curtin/commands/block_meta.py
+++ b/curtin/commands/block_meta.py
@@ -1633,16 +1633,18 @@ def dm_crypt_handler(info, storage_config, context):
     volume_path = get_path_to_storage_volume(volume, storage_config)
     volume_byid_path = block.disk_to_byid_path(volume_path)
 
+    create_dmcrypt = True
+    open_dmcrypt = False
     if 'keyfile' in info:
         if 'key' in info:
             raise ValueError("cannot specify both key and keyfile")
         keyfile = info['keyfile']
         if keyfile in ("/dev/random", "/dev/urandom"):
             crypttab_keyfile = keyfile
-            keyfile = tempfile.mkstemp()[1]
-            keyfile_is_tmp = True
-        else:
-            keyfile_is_tmp = False
+            luks_type = "plain"
+            open_dmcrypt = True
+            create_dmcrypt = False
+        keyfile_is_tmp = False
     elif 'key' in info:
         # TODO: this is insecure, find better way to do this
         key = info.get('key')
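Review bot: `open_dmcrypt = True` is set in the `/dev/random`/`/dev/urandom` branch before the `preserve` check, and nothing visible in these hunks clears it. A preserved cryptoswap volume therefore appears to still reach the `if open_dmcrypt:` block in the last hunk of this file and run `cryptsetup open` on a device that the preserve branch has just logged as already present. If the preserve branch, which is only partly visible, does not reset the flag, consider `open_dmcrypt = False` next to the 'skipping create' log line. A short comment on this branch would also help, for example `# random keyfile: crypttab rebuilds a plain mapping on every boot, so skip luksFormat and open as plain`. dm_crypt_handler starts and ends outside the hunk.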
@@ -1654,7 +1656,6 @@ def dm_crypt_handler(info, storage_config, context):
 
     recovery_keyfile = info.get('recovery_keyfile')
 
-    create_dmcrypt = True
     if preserve:
         dm_crypt_verify(dmcrypt_dev, volume_path)
         LOG.debug('dm_crypt %s already present, skipping create', dmcrypt_dev)
@@ -1664,6 +1665,7 @@ def dm_crypt_handler(info, storage_config, context):
         # if zkey is available, attempt to generate and use it; if it's not
         # available or fails to setup properly, fallback to normal cryptsetup
         # passing strict=False downgrades log messages to warnings
+        open_dmcrypt = True
         zkey_used = None
         if block.zkey_supported(strict=False):
             volume_name = "%s:%s" % (volume_byid_path, dm_name)
@@ -1710,6 +1712,7 @@ def dm_crypt_handler(info, storage_config, context):
 
             util.subp(cmd)
 
+    if open_dmcrypt:
         cmd = ["cryptsetup", "open", "--type", luks_type, volume_path, dm_name,
                "--key-file", keyfile]
 
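Review bot: The `cryptsetup open --type` call under the new `if open_dmcrypt:` guard is now also the path for random keyfiles with `luks_type = "plain"`, and it passes no `--cipher` or `--key-size`. The cipher and key length of that mapping therefore come from the defaults of whichever cryptsetup build is installed. If the project wants a known cipher for swap, the parameters could be appended when `luks_type == "plain"`, and the same values would need to go into the crypttab options so the boot-time mapping matches. The rest of this block, including the call that runs `cmd`, lies outside the hunk, so this is inferred from the visible lines only.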
diff --git a/tests/integration/test_block_meta.py b/tests/integration/test_block_meta.py
index ec9b33c..f7bec5d 100644
--- a/tests/integration/test_block_meta.py
+++ b/tests/integration/test_block_meta.py
@@ -1328,6 +1328,13 @@ table-length: 256'''.encode()
         self.assertEqual("/dev/urandom", tokens[2])
         self.assertEqual("swap,initramfs", tokens[3])
 
+        cmd = ["cryptsetup", "status", cryptoswap]
+        status = util.subp(cmd, capture=True)[0]
+        for line in status.splitlines():
+            key, _, value = line.strip().partition(':')
+            if key == "type":
+                self.assertEqual("PLAIN", value.strip())
+
     @parameterized.expand(((1,), (2,)))
     def test_msftres(self, sv):
         self.img = self.tmp_path('image.img')
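Review bot: The new loop only asserts when it finds a line whose key is `type`, so the check passes vacuously if `cryptsetup status` prints no such line or labels it differently. Collecting the values first and asserting on the collection makes a missing field a failure: `types = [l.partition(':')[2].strip() for l in status.splitlines() if l.strip().startswith("type:")]` followed by `self.assertEqual(["PLAIN"], types)`. The test method these lines belong to starts outside the hunk, so `cryptoswap` is assumed to be the mapping name it defined earlier.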
