From patchwork Thu Jan 11 17:35:39 2024
X-Patchwork-Submitter: Tomas Volf <~@wolfsden.cz>
X-Patchwork-Id: 58800
Subject: [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.
From: Tomas Volf <~@wolfsden.cz>
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Date: Thu, 11 Jan 2024 18:35:39 +0100
X-Mailer: git-send-email 2.41.0
From: Tomas Volf Requiring the user to input their password in order to unlock a device is not always reasonable, so having an option to unlock the device using a key file is a nice quality of life change. * gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument. (luks-device-mapping-with-options): New procedure. * doc/guix.texi (Mapped Devices): Describe the new procedure. Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4 --- doc/guix.texi | 25 +++++++++++++ gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++------------- 2 files changed, 67 insertions(+), 25 deletions(-) base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0 diff --git a/doc/guix.texi b/doc/guix.texi index 395545bed7..b1202f2182 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -123,6 +123,7 @@ Copyright @copyright{} 2023 Thomas Ieong@* Copyright @copyright{} 2023 Saku Laesvuori@* Copyright @copyright{} 2023 Graham James Addis@* +Copyright @copyright{} 2023 Tomas Volf@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
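Review bot: the copyright line added to doc/guix.texi says 2023, while the line this same patch adds to gnu/system/mapped-devices.scm says 2024; the series is dated January 2024, so the two should agree (either both 2024, or "2023, 2024" if the work started earlier).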
@@ -17992,6 +17993,30 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. This has an advantage of not requiring a password entry, so +it can be used (for example) to unlock RAID arrays automatically on +boot. If key file unlock fails, password unlock is attempted as well. +Key file is not stored in the store and needs to be available at the +given location at the time of the unlock attempt. + +@lisp +;; Following definition would be equivalent to running: +;; cryptsetup open --key-file /crypto.key /dev/sdb1 data +(mapped-device + (source "/dev/sdb1) + (target "data) + (type (luks-device-mapping-with-options + #:key-file "/crypto.key"))) +@end lisp +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..c19a818453 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) 
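Review bot: the @lisp example in the new luks-device-mapping-with-options entry has unterminated string literals: `(source "/dev/sdb1)` and `(target "data)` are missing their closing double quotes, so the snippet is not valid Scheme as written and should read `(source "/dev/sdb1")` and `(target "data")`. The comment above it claims equivalence to `cryptsetup open --key-file /crypto.key /dev/sdb1 data`, but the gexp also passes `--type luks` and falls back to a passphrase prompt, so either quote the full command or drop the "equivalent" wording. In the prose, "This has an advantage of" should be "This has the advantage of", and since the key file is read by the static cryptsetup from the early boot environment, it would help the reader to say explicitly that the file must live on a device that is already accessible at that point (for example the already unlocked root file system) and should be readable only by root, because a key file on an unencrypted partition leaks the volume key to anyone with the disk.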
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure @@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
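Review bot: the docstring of open-luks-device still reads "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." and says nothing about the new #:key-file argument; extend it along the lines of "When KEY-FILE is a file name, try it first and fall back to an interactive passphrase prompt if it fails." Also, `(keyfile #$key-file)` splices the value into the gexp as-is, so a file-like object passed here would be lowered to a store path, which contradicts the documentation's statement that the key file is not stored in the store; either document that KEY-FILE must be a string (or #f) or check for that in luks-device-mapping-with-options.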
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." @@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
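Review bot: in the new `(or (and keyfile ...) (zero? ...))` form, a failed key-file attempt silently drops into the interactive passphrase path, so a missing, unreadable or stale key file turns an unattended boot into one that blocks on a tty prompt with no indication why. Print a line before the fallback, e.g. `(format (current-error-port) "unlocking ~a with key file ~a failed; asking for a passphrase~%" #$target keyfile)`, so the operator can tell a key-file problem from a wrong passphrase; a cheap `(file-exists? keyfile)` guard before the first system*/tty call would also avoid an obviously doomed cryptsetup run. The two cryptsetup invocations differ only in the `--key-file` pair, so a small local helper taking the extra arguments would keep them from drifting apart.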
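Review bot: the docstring of luks-device-mapping-with-options should describe KEY-FILE and name the return type correctly: the procedure returns a mapped-device-kind that inherits from luks-device-mapping, not a "luks-device-mapping object", e.g. "Return a mapped-device-kind like luks-device-mapping whose open procedure passes KEY-FILE to open-luks-device; with no KEY-FILE it behaves exactly like luks-device-mapping." On style, consider spelling `λ` as `lambda` to match the rest of the Guix tree.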