From patchwork Sun Mar 16 11:49:50 2025
X-Patchwork-Submitter: Sören Tempel
X-Patchwork-Id: 40256
Subject: [bug#73654] [PATCH v4] mapped-devices: luks: Support passing --allow-discards during open
References: <20241006094239.7157-1-sisiutl@egregore.fun>
In-Reply-To: <20241006094239.7157-1-sisiutl@egregore.fun>
From: soeren@soeren-tempel.net
Date: Sun, 16 Mar 2025 12:49:50 +0100
Message-ID: <94e28c2091f319bfdb681055b7e5bdafa0cb9120.1742125790.git.soeren@soeren-tempel.net>
To: 73654@debbugs.gnu.org
Cc: sisiutl@egregore.fun, hako@ultrarare.space, ludo@gnu.org, maxim.cournoyer@gmail.com, Ludovic Courtès, Maxim Cournoyer

From: Sören Tempel

* gnu/system/mapped-devices.scm (open-luks-device): Support opening
LUKS devices with the --allow-discards option.
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): Pass
through the allow-discards? keyword argument.
* doc/guix.texi (Mapped Devices): Update documentation for the
luks-device-mapping-with-options procedure.

Co-authored-by: Sisiutl
---
Changes since v3: Fix replacement of “Solid State Disks” with “solid state disks” in doc/guix.texi. That is, only perform this replacement locally on the added text and not the whole document.

 doc/guix.texi                 | 11 +++++++++-
 gnu/system/mapped-devices.scm | 39 +++++++++++++++++++++--------------
 2 files changed, 33 insertions(+), 17 deletions(-)

base-commit: f2b3c36bee8c232b026a66de93db38e13fbd7076

diff --git a/doc/guix.texi b/doc/guix.texi
index b1b6d98e74..6eb9fcb8ee 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi @@ -18402,7 +18402,7 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar -@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?] Return a @code{luks-device-mapping} object, which defines LUKS block device encryption using the @command{cryptsetup} command from the package with the same name. It relies on the @code{dm-crypt} Linux @@ -18424,6 +18424,15 @@ Mapped Devices (type (luks-device-mapping-with-options #:key-file "/crypto.key"))) @end lisp + + +@code{allow-discards?} allows the use of discard (TRIM) requests for the +underlying device. This is useful for solid state drives. However, +this option can have a negative security impact because it can make +file system level operations visible on the physical device. For more +information, refer to the description of the @code{--allow-discards} +option in the @code{cryptsetup-open(8)} man page. + @end deffn @defvar raid-device-mapping diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 931c371425..3a8f0d66fe 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -194,9 +194,10 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define* (open-luks-device source targets #:key key-file) +(define* (open-luks-device source targets #:key key-file allow-discards?) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using -'cryptsetup'." +'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) requests is +allowed for the underlying device." (with-imported-modules (source-module-closure '((gnu build file-systems) (guix build utils))) ;; For mkdir-p 
@@ -234,17 +235,21 @@ (define* (open-luks-device source targets #:key key-file) (loop (- tries-left 1)))))) (error "LUKS partition not found" source)) source))) - ;; We want to fallback to the password unlock if the keyfile fails. - (or (and keyfile - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - "--key-file" keyfile - partition #$target))) - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - partition #$target))))))))) + (let ((cryptsetup-flags (cons* + "open" "--type" "luks" partition #$target + (if allow-discards? + '("--allow-discards") + '())))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? + (apply system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "--key-file" keyfile + cryptsetup-flags))) + (zero? (apply system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + cryptsetup-flags)))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." @@ -286,13 +291,15 @@ (define luks-device-mapping ((gnu build file-systems) #:select (find-partition-by-luks-uuid system*/tty)))))) -(define* (luks-device-mapping-with-options #:key key-file) +(define* (luks-device-mapping-with-options #:key key-file allow-discards?) "Return a luks-device-mapping object with open modified to pass the arguments into the open-luks-device procedure." (mapped-device-kind (inherit luks-device-mapping) - (open (λ (source targets) (open-luks-device source targets - #:key-file key-file))))) + (open (λ (source targets) + (open-luks-device source targets + #:key-file key-file + #:allow-discards? allow-discards?))))) (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device
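Review bot: In the doc/guix.texi hunk at @@ -18424, the new paragraph documents what @code{allow-discards?} does but not its default; since the keyword is declared as plain `#:key ... allow-discards?` in the Scheme hunks it defaults to #f, so please say that discards stay disabled unless the option is set to #t, which is the safer default a reader should be able to confirm without reading the code. Also, the hunk adds two empty `+` lines after `@end lisp` but only one before `@end deffn`; one blank line on each side is enough.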
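Review bot: In the gnu/system/mapped-devices.scm hunk at @@ -234, `allow-discards?` is referenced bare inside the staged gexp (`(if allow-discards? '("--allow-discards") '())`), while the other host-side values in the same expression are ungexp'd (`#$target`) or bound inside the gexp (`keyfile`). As written, the initrd code would look up an unbound variable at boot; it should read `(if #$allow-discards? ...)` or be bound next to `keyfile`. Secondary style point: the flag list places `--allow-discards` after the positional `partition` and `#$target`, and the key-file branch puts `--key-file` before the `open` action; cryptsetup's option parser tolerates this, but building the list as `"open" "--type" "luks"`, then the optional flags, then the two positionals reads more clearly and matches the `cryptsetup-open(8)` synopsis the documentation points to.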