From patchwork Fri Mar 14 20:27:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?S=C3=B6ren_Tempel?= X-Patchwork-Id: 40189 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 56F9527BBEA; Fri, 14 Mar 2025 20:34:28 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 74EE027BBE2 for ; Fri, 14 Mar 2025 20:34:27 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ttBjU-0002QA-DD; Fri, 14 Mar 2025 16:34:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ttBjG-0002M8-Va for guix-patches@gnu.org; Fri, 14 Mar 2025 16:34:06 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1ttBjG-0005Ap-JK for guix-patches@gnu.org; Fri, 14 Mar 2025 16:34:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:In-Reply-To:References:Subject; bh=GCqDOZNI7AB8i4MjLQ+AJWVjGd/mzmCWhQe3Nw0gSQc=; b=Oi3+P+ss95uyHWIIrV/VefljvG2jVv3I/vojuN/wsUwH9l7C/olrH5JbMBnizGjdthvR3c5KeuJtyCD9OcqQg6jzJDuv3O/yQi5lCghhgv/qEyRizqNnLZOVDwt9zuj3+W2aCAz5EYNI9WXpUMPpHRtiu1zuIoNnO3kP8MPHMQ4cpTauPy3a5rbTu/H5w4tEhQ0D7WWx9eiDbDk38eMlxrSloMzl1B747N742ek9hkWIQeEzIKwuj0DPFN2jYRNd8mg88AmtZuDnDZP/k12stlWa8xm4XLheKYKCdoNkjShfb0Cmh6lnD/I2XWwQWeZgXMLcsZ9hmfHNELROLVKRDQ==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1ttBjG-0004Tr-2i for guix-patches@gnu.org; Fri, 14 Mar 2025 16:34:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#73654] [PATCH v3] mapped-devices: luks: Support passing --allow-discards during open References: <20241006094239.7157-1-sisiutl@egregore.fun> In-Reply-To: <20241006094239.7157-1-sisiutl@egregore.fun> Resent-From: soeren@soeren-tempel.net Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 14 Mar 2025 20:34:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 73654 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 73654@debbugs.gnu.org Cc: sisiutl@egregore.fun, hako@ultrarare.space, ludo@gnu.org, maxim.cournoyer@gmail.com Received: via spool by 73654-submit@debbugs.gnu.org id=B73654.174198438617126 (code B ref 73654); Fri, 14 Mar 2025 20:34:02 +0000 Received: (at 73654) by debbugs.gnu.org; 14 Mar 2025 20:33:06 +0000 Received: from localhost ([127.0.0.1]:36425 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1ttBiM-0004S9-7a for submit@debbugs.gnu.org; Fri, 14 Mar 2025 16:33:06 -0400 Received: from magnesium.8pit.net ([45.76.88.171]:32506) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1ttBiF-0004RQ-6C; Fri, 14 Mar 2025 16:33:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=opensmtpd; bh=GCqDOZNI 7AB8i4MjLQ+AJWVjGd/mzmCWhQe3Nw0gSQc=; h=date:subject:cc:to:from; d=soeren-tempel.net; b=Md/JuQ/ok/ZSAzROUvSbV/A57Z8QSX4i6HOnHyYY99c21g+ ZRWdTkvrYQfPoyenGRC1ipWJnZDmZfw1A4JxDjqEGb4N7emRblu5ScjBOqK/utvOa/2RaR PH5uP3jt+MFsHBgDllLRMEOEDTKT3+TG1ra+d+S6zr7cw/Ti3XgIUM= Received: from localhost ( [2003:a:a33:8400:3ce:3f8f:e5d6:2e4d]) by magnesium.8pit.net (OpenSMTPD) with ESMTPSA id eb4d8b04 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:YES); Fri, 14 Mar 2025 21:32:55 +0100 (CET) From: soeren@soeren-tempel.net Date: Fri, 14 Mar 2025 21:27:06 +0100 Message-ID: <20250314203029.13613-2-soeren@soeren-tempel.net> X-Mailer: git-send-email 2.48.1 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches From: Sören Tempel * gnu/system/mapped-devices.scm (open-luks-device): Support opening LUKS devices with the --allow-discards option. * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): Pass through the allow-discards? keyword argument. * doc/guix.texi (Mapped Devices): Update documentation for the luks-device-mapping-with-options procedure. Co-authored-by: Sisiutl --- Change since v2: * Revert doc change in luks-device-mapping-with-options procedure * Reformat zero? expression to make it fit into the 80 characters * Do not use let* expression * Reword "filesystem" to "file system" * Reword "Solid State Drives" to "solid state drives" * Streamline description of new feature in documentation * Use co-authored-by and swap author and co-author doc/guix.texi | 13 ++++++++++-- gnu/system/mapped-devices.scm | 39 +++++++++++++++++++++-------------- 2 files changed, 34 insertions(+), 18 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index b1b6d98e74..91588ca02f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18402,7 +18402,7 @@ command from the package with the same name. It relies on the @code{dm-crypt} Linux kernel module. @end defvar -@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?] Return a @code{luks-device-mapping} object, which defines LUKS block device encryption using the @command{cryptsetup} command from the package with the same name. It relies on the @code{dm-crypt} Linux @@ -18424,6 +18424,15 @@ given location at the time of the unlock attempt. (type (luks-device-mapping-with-options #:key-file "/crypto.key"))) @end lisp + + +@code{allow-discards?} allows the use of discard (TRIM) requests for the +underlying device. This is useful for Solid State Drives. However, +this option can have a negative security impact because it can make +file system level operations visible on the physical device. For more +information, refer to the description of the @code{--allow-discards} +option in the @code{cryptsetup-open(8)} man page. + @end deffn @defvar raid-device-mapping @@ -18591,7 +18600,7 @@ priority after prioritized spaces, and in the order that they appeared in @item @code{discard?} (default: @code{#f}) Only supported by the Linux kernel. When true, the kernel will notify the disk controller of discarded pages, for example with the TRIM -operation on Solid State Drives. +operation on solid state drives. @end table @end deftp diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 931c371425..3a8f0d66fe 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -194,9 +194,10 @@ (define missing ;;; Common device mappings. ;;; -(define* (open-luks-device source targets #:key key-file) +(define* (open-luks-device source targets #:key key-file allow-discards?) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using -'cryptsetup'." +'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) requests is +allowed for the underlying device." (with-imported-modules (source-module-closure '((gnu build file-systems) (guix build utils))) ;; For mkdir-p @@ -234,17 +235,21 @@ (define* (open-luks-device source targets #:key key-file) (loop (- tries-left 1)))))) (error "LUKS partition not found" source)) source))) - ;; We want to fallback to the password unlock if the keyfile fails. - (or (and keyfile - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - "--key-file" keyfile - partition #$target))) - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - partition #$target))))))))) + (let ((cryptsetup-flags (cons* + "open" "--type" "luks" partition #$target + (if allow-discards? + '("--allow-discards") + '())))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? + (apply system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "--key-file" keyfile + cryptsetup-flags))) + (zero? (apply system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + cryptsetup-flags)))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." @@ -286,13 +291,15 @@ (define luks-device-mapping ((gnu build file-systems) #:select (find-partition-by-luks-uuid system*/tty)))))) -(define* (luks-device-mapping-with-options #:key key-file) +(define* (luks-device-mapping-with-options #:key key-file allow-discards?) "Return a luks-device-mapping object with open modified to pass the arguments into the open-luks-device procedure." (mapped-device-kind (inherit luks-device-mapping) - (open (λ (source targets) (open-luks-device source targets - #:key-file key-file))))) + (open (λ (source targets) + (open-luks-device source targets + #:key-file key-file + #:allow-discards? allow-discards?))))) (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device