Hello community,

here is the log from the commit of package yast2-storage-ng for 
openSUSE:Factory checked in at 2022-11-22 16:09:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-storage-ng (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-storage-ng"

Tue Nov 22 16:09:52 2022 rev:133 rq:1037139 version:4.5.14

Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-storage-ng/yast2-storage-ng.changes        
2022-11-18 15:43:13.226479665 +0100
+++ 
/work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1597/yast2-storage-ng.changes  
    2022-11-22 16:09:55.821953097 +0100
@@ -1,0 +2,7 @@
+Mon Nov 21 11:33:52 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com>
+
+- GuidedProposal: support for LUKS2 encryption with a configurable
+  PBKDF to be used by D-Installer (related to jsc#PED-2182).
+- 4.5.14
+
+-------------------------------------------------------------------

Old:
----
  yast2-storage-ng-4.5.13.tar.bz2

New:
----
  yast2-storage-ng-4.5.14.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-storage-ng.spec ++++++
--- /var/tmp/diff_new_pack.VIdGic/_old  2022-11-22 16:09:56.297955513 +0100
+++ /var/tmp/diff_new_pack.VIdGic/_new  2022-11-22 16:09:56.305955553 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-storage-ng
-Version:        4.5.13
+Version:        4.5.14
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only

++++++ yast2-storage-ng-4.5.13.tar.bz2 -> yast2-storage-ng-4.5.14.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.changes 
new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.changes
--- old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.changes        
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.changes        
2022-11-21 16:25:40.000000000 +0100
@@ -1,4 +1,11 @@
 -------------------------------------------------------------------
+Mon Nov 21 11:33:52 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com>
+
+- GuidedProposal: support for LUKS2 encryption with a configurable
+  PBKDF to be used by D-Installer (related to jsc#PED-2182).
+- 4.5.14
+
+-------------------------------------------------------------------
 Tue Nov 15 11:40:40 UTC 2022 - José Iván López González <jlo...@suse.com>
 
 - Validate security policies in both guided proposal and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.spec 
new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.spec
--- old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.spec   2022-11-17 
06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.spec   2022-11-21 
16:25:40.000000000 +0100
@@ -16,7 +16,7 @@
 #
 
 Name:           yast2-storage-ng
-Version:        4.5.13
+Version:        4.5.14
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/actions/controllers/encryption.rb
 
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/actions/controllers/encryption.rb
--- 
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/actions/controllers/encryption.rb
 2022-11-17 06:40:00.000000000 +0100
+++ 
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/actions/controllers/encryption.rb
 2022-11-21 16:25:40.000000000 +0100
@@ -58,7 +58,7 @@
         # @return [String] Label for the encryption device if the method 
supports setting one
         attr_accessor :label
 
-        # @return [String] Password-based key derivation function (PBKDF) for 
the LUKS2 device
+        # @return [PbkdFunction] Password-based key derivation function 
(PBKDF) for the LUKS2 device
         attr_accessor :pbkdf
 
         # Contructor
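Review bot: The new `@return [PbkdFunction]` tag on `pbkdf` omits nil, but the constructor hunk that follows now assigns `@pbkdf = encryption&.pbkdf` without the former `|| ""` fallback. The accessor therefore yields nil when there is no encryption object or no stored PBKDF. I would write `# @return [Y2Storage::PbkdFunction, nil] PBKDF for the LUKS2 device, nil to use the cryptsetup default`. Spelling out the namespace also helps, since judging by its path this controller lives under Y2Partitioner while the class moved to Y2Storage.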
@@ -71,7 +71,7 @@
           @fs_controller = fs_controller
           @action = actions.first
           @password = encryption&.password || ""
-          @pbkdf = encryption&.pbkdf || ""
+          @pbkdf = encryption&.pbkdf
           @method = initial_method
           @apqns = initial_apqns
           @label = initial_label
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/pbkd_function.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/pbkd_function.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/pbkd_function.rb  
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/pbkd_function.rb  
1970-01-01 01:00:00.000000000 +0100
@@ -1,72 +0,0 @@
-# Copyright (c) [2021] SUSE LLC
-#
-# All Rights Reserved.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of version 2 of the GNU General Public License as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-# more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, contact SUSE LLC.
-#
-# To contact SUSE LLC about this file by physical or electronic mail, you may
-# find current contact information at www.suse.com.
-
-require "yast"
-require "y2storage"
-
-module Y2Partitioner
-  # Class to represent each one of the possible values for 
{Y2Storage::Encryption#pbkdf}
-  class PbkdFunction
-    include Yast::I18n
-    extend Yast::I18n
-
-    # Constructor, to be used internally by the class
-    #
-    # @param value [String] see {#value}
-    # @param name [String] string marked for translation, see {#name}
-    def initialize(value, name)
-      textdomain "storage"
-
-      @value = value
-      @name = name
-    end
-
-    # All possible instances
-    ALL = [
-      # TRANSLATORS: name of a key derivation function used by LUKS
-      new("argon2id", N_("Argon2id")),
-      # TRANSLATORS: name of a key derivation function used by LUKS
-      new("argon2i",  N_("Argon2i")),
-      # TRANSLATORS: name of a key derivation function used by LUKS
-      new("pbkdf2",   N_("PBKDF2"))
-    ].freeze
-    private_constant :ALL
-
-    # Sorted list of all possible roles
-    def self.all
-      ALL.dup
-    end
-
-    # Finds a function by its value
-    #
-    # @param value [String, nil]
-    # @return [PbkdFunction, nil] nil if such value does not exist
-    def self.find(value)
-      ALL.find { |opt| opt.value == value }
-    end
-
-    # @return [String] value for {Y2Storage::Encryption#pbkdf}
-    attr_reader :value
-
-    # @return [String] localized name for the function to display in the UI
-    def name
-      _(@name)
-    end
-  end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/description_section/blk_device.rb
 
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/description_section/blk_device.rb
--- 
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/description_section/blk_device.rb
 2022-11-17 06:40:00.000000000 +0100
+++ 
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/description_section/blk_device.rb
 2022-11-21 16:25:40.000000000 +0100
@@ -19,7 +19,7 @@
 
 require "y2partitioner/widgets/description_section/base"
 require "y2partitioner/widgets/blk_device_attributes"
-require "y2partitioner/pbkd_function"
+require "y2storage/pbkd_function"
 
 module Y2Partitioner
   module Widgets
@@ -102,7 +102,7 @@
         #
         # @return [String]
         def pbkdf_value
-          pbkdf = PbkdFunction.find(blk_device.encryption.pbkdf)
+          pbkdf = blk_device.encryption.pbkdf
           # TRANSLATORS: %s becomes the name of the PBKDF function used by a 
LUKS2 device (eg. Argon2i)
           format(_("Key Derivation Function (PBKDF): %s"), pbkdf.name)
         end
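Review bot: `pbkdf.name` raises NoMethodError when `blk_device.encryption.pbkdf` is nil, which `Encryption#pbkdf` returns for an empty `pbkdf_value` or one that `PbkdFunction.find` does not recognise. The previous `PbkdFunction.find(...)` call had the same exposure, and the callers that decide when this line is shown are outside the hunk, so the case may already be filtered upstream. Falling back to the raw value keeps the description usable for an unrecognised PBKDF: `name = pbkdf ? pbkdf.name : blk_device.encryption.pbkdf_value`, then pass `name` to `format`.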
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/pbkdf_selector.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/pbkdf_selector.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/pbkdf_selector.rb 
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/pbkdf_selector.rb 
2022-11-21 16:25:40.000000000 +0100
@@ -19,7 +19,7 @@
 
 require "yast"
 require "cwm"
-require "y2partitioner/pbkd_function"
+require "y2storage/pbkd_function"
 
 module Y2Partitioner
   module Widgets
@@ -45,17 +45,17 @@
       # Sets the initial value
       def init
         enable_on_init ? enable : disable
-        self.value = @controller.pbkdf
+        self.value = @controller.pbkdf&.value
       end
 
       # @macro seeItemsSelection
       def items
-        PbkdFunction.all.map { |opt| [opt.value, opt.name] }
+        Y2Storage::PbkdFunction.all.map { |opt| [opt.value, opt.name] }
       end
 
       # @macro seeAbstractWidget
       def store
-        @controller.pbkdf = value
+        @controller.pbkdf = Y2Storage::PbkdFunction.find(value)
       end
 
       private
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
--- 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
      2022-11-17 06:40:00.000000000 +0100
+++ 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
      2022-11-21 16:25:40.000000000 +0100
@@ -259,6 +259,9 @@
 
       # Encryption type of boot device
       #
+      # FIXME: this method does not work well with GuidedProposal if 
LVM+encryption is used.
+      #        It was not a problem before but it is now if LVM and LUKS2 with 
Argon2 are combined.
+      #
       # The device can be a planned one or filesystem from the devicegraph.
       #
       # @return [Y2Storage::EncryptionType] Encryption type
@@ -266,6 +269,14 @@
         encryption_type(device_for_boot)
       end
 
+      # Password-based key derivation function used to encrypt the boot 
device, if such property
+      # makes sense (ie. if LUKS2 encryption is used)
+      #
+      # @return [PbkdFunction, nil] nil if the value is not known
+      def boot_luks2_pbkdf
+        Device.new(device_for_boot).luks2_pbkdf
+      end
+
       # Whether the partition table of the disk used for booting matches the
       # given type.
       #
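Review bot: `boot_luks2_pbkdf` hands `device_for_boot` to `Device.new` without the nil guard that every other wrapper in this file keeps (`return false if device.nil?`, and the new `return Y2Storage::EncryptionType::NONE if device.nil?` in `encryption_type`). With a nil device it still returns nil today, but only because `Device#filesystem_encryption` happens to test `respond_to?(:plain_blk_devices)` first. An explicit `return nil if device_for_boot.nil?` would make the contract visible and keep it intact if `Device` changes later.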
@@ -519,7 +530,7 @@
       def filesystem_type(device)
         return nil if device.nil?
 
-        device.respond_to?(:filesystem_type) ? device.filesystem_type : 
device.type
+        Device.new(device).filesystem_type
       end
 
       # Whether the device is in a LVM logical volume
@@ -531,11 +542,7 @@
       def in_lvm?(device)
         return false if device.nil?
 
-        if device.is_a?(Planned::Device)
-          device.is_a?(Planned::LvmLv)
-        else
-          device.plain_blk_devices.any? { |dev| dev.is?(:lvm_lv) }
-        end
+        Device.new(device).in_lvm?
       end
 
       # Whether the device is in a thinly provisioned LVM logical volume
@@ -547,16 +554,7 @@
       def in_thin_lvm?(device)
         return false if device.nil?
 
-        if device.is_a?(Planned::Device)
-          device.is_a?(Planned::LvmLv) && device.lv_type == LvType::THIN
-        else
-          # If this is not a BlkFilesystem (e.g. NFS), it can't be on thin LVM
-          return false unless device.respond_to?(:plain_blk_devices)
-
-          device.plain_blk_devices.any? do |dev|
-            dev.is?(:lvm_lv) && dev.lv_type == LvType::THIN
-          end
-        end
+        Device.new(device).in_thin_lvm?
       end
 
       # Whether the device is in a BCache
@@ -568,17 +566,7 @@
       def in_bcache?(device)
         return false if device.nil?
 
-        if device.is_a?(Planned::Device)
-          device.is_a?(Planned::Bcache)
-        else
-          # If this is not a BlkFilesystem (e.g. NFS), it can't be in a BCache
-          return false unless device.respond_to?(:plain_blk_devices)
-
-          # Strictly speaking, with very advanced storage configurations it 
may be possible to
-          # access a filesystem with bcache ancestors in the devicegraph 
without actually accessing
-          # the bcache. But that would be an extreme case and is not supported 
by YaST.
-          device.ancestors.any? { |dev| dev.is?(:bcache) }
-        end
+        Device.new(device).in_bcache?
       end
 
       # Whether the device is encrypted
@@ -598,23 +586,9 @@
       # @param device [Filesystems::Base, Planned::Device, nil]
       # @return [Y2Storage::EncryptionType] Encryption type
       def encryption_type(device)
-        # FIXME: the implementation of this method (and others) would be much 
simpler if the API
-        # offered by Planned::Device and Device would be more consistent which 
each other
-        if device.is_a?(Planned::Device)
-          planned_encryption_type(device)
-        elsif device.respond_to?(:plain_blk_devices)
-          device.plain_blk_devices.map { |d| d.encryption&.type }.compact.first
-        end || Y2Storage::EncryptionType::NONE
-      end
-
-      # @see #encryption_type
-      #
-      # @param planned [Planned::Device]
-      # @return [Y2Storage::EncryptionType] Encryption type
-      def planned_encryption_type(planned)
-        return Y2Storage::EncryptionType::NONE unless 
planned.respond_to?(:encrypt?) && planned.encrypt?
+        return Y2Storage::EncryptionType::NONE if device.nil?
 
-        planned.encryption_method&.encryption_type || 
Y2Storage::EncryptionType::LUKS1
+        Device.new(device).encryption_type
       end
 
       # Whether the device is in a software RAID
@@ -626,15 +600,7 @@
       def in_software_raid?(device)
         return false if device.nil?
 
-        if device.is_a?(Planned::Device)
-          device.is_a?(Planned::Md)
-        else
-          device.ancestors.any? do |dev|
-            # Don't check boot_disk as it might validly be a RAID1 itself
-            # (full disks as RAID case) - we want to treat this as 'no RAID'.
-            dev.is?(:software_raid) && dev != boot_disk
-          end
-        end
+        Device.new(device).in_software_raid?(boot_disk)
       end
 
       # Check if device is a direct member of a RAID1 (RAID over entire disks).
@@ -658,6 +624,133 @@
 
         raid1_dev
       end
+
+      # Auxiliar class to check the properties or a given device
+      #
+      # FIXME: this class wouldn't be needed if the API offered by 
Planned::Device and Device would
+      # be more consistent which each other. Having all the affected code in a 
single class helps
+      # readability and makes easier to fix the inconsistency problem in the 
future.
+      class Device
+        # Constructor
+        #
+        # @param device [Filesystems::Base, Planned::Device] see {#device}
+        def initialize(device)
+          @device = device
+        end
+
+        # Device being analyzed, it can be a planned device or a filesystem 
from the devicegraph
+        #
+        # @return [Filesystems::Base, Planned::Device]
+        attr_reader :device
+
+        # Whether the analyzed device is a planned one
+        #
+        # @return [Boolean]
+        def planned?
+          device.is_a?(Planned::Device)
+        end
+
+        # Filesystem type used for the device
+        #
+        # @return [Filesystems::Type, nil] nil if is a planned device not 
going to be formatted
+        def filesystem_type
+          device.respond_to?(:filesystem_type) ? device.filesystem_type : 
device.type
+        end
+
+        # Whether the device is in a LVM logical volume
+        def in_lvm?
+          return device.is_a?(Planned::LvmLv) if planned?
+
+          device.plain_blk_devices.any? { |dev| dev.is?(:lvm_lv) }
+        end
+
+        # Whether the device is in a thinly provisioned LVM logical volume
+        #
+        # @return [Boolean]
+        def in_thin_lvm?
+          return planned_in_thin_lvm? if planned?
+
+          # If this is not a BlkFilesystem (e.g. NFS), it can't be on thin LVM
+          return false unless device.respond_to?(:plain_blk_devices)
+
+          device.plain_blk_devices.any? do |dev|
+            dev.is?(:lvm_lv) && dev.lv_type == LvType::THIN
+          end
+        end
+
+        # @see #in_thin_lvm?
+        def planned_in_thin_lvm?
+          device.is_a?(Planned::LvmLv) && device.lv_type == LvType::THIN
+        end
+
+        # Whether the device is in a software RAID
+        #
+        # @return [Boolean]
+        def in_software_raid?(boot_disk)
+          return device.is_a?(Planned::Md) if planned?
+
+          device.ancestors.any? do |dev|
+            # Don't check boot_disk as it might validly be a RAID1 itself
+            # (full disks as RAID case) - we want to treat this as 'no RAID'.
+            dev.is?(:software_raid) && dev != boot_disk
+          end
+        end
+
+        # Whether the device is in a BCache
+        #
+        # @return [Boolean]
+        def in_bcache?
+          return device.is_a?(Planned::Bcache) if planned?
+
+          # If this is not a BlkFilesystem (e.g. NFS), it can't be in a BCache
+          return false unless device.respond_to?(:plain_blk_devices)
+
+          # Strictly speaking, with very advanced storage configurations it 
may be possible to
+          # access a filesystem with bcache ancestors in the devicegraph 
without actually accessing
+          # the bcache. But that would be an extreme case and is not supported 
by YaST.
+          device.ancestors.any? { |dev| dev.is?(:bcache) }
+        end
+
+        # Encryption type of the device
+        #
+        # @return [Y2Storage::EncryptionType]
+        def encryption_type
+          return planned_encryption_type if planned?
+
+          filesystem_encryption&.type || Y2Storage::EncryptionType::NONE
+        end
+
+        # Encryption device associated to the filesystem
+        #
+        # To be used only when {#device} is a filesystem from the devicegraph
+        #
+        # @return [Encryption, nil]
+        def filesystem_encryption
+          return nil unless device.respond_to?(:plain_blk_devices)
+
+          device.plain_blk_devices.map(&:encryption).compact.first
+        end
+
+        # @see #encryption_type
+        #
+        # @return [Y2Storage::EncryptionType] Encryption type
+        def planned_encryption_type
+          return Y2Storage::EncryptionType::NONE unless 
device.respond_to?(:encrypt?) && device.encrypt?
+
+          device.encryption_method&.encryption_type || 
Y2Storage::EncryptionType::LUKS1
+        end
+
+        # Password-based key derivation function used to encrypt the device 
with LUKS2
+        #
+        # @return [PbkdFunction, nil] nil if the device is not formatted with 
LUKS2 or the
+        #   function is unknown
+        def luks2_pbkdf
+          return nil unless encryption_type.is?(:luks2)
+          return device.encryption_pbkdf if planned?
+
+          filesystem_encryption.pbkdf
+        end
+      end
     end
   end
 end
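Review bot: `Device#in_lvm?` calls `device.plain_blk_devices` without the `respond_to?(:plain_blk_devices)` guard that `in_thin_lvm?` and `in_bcache?` keep for non-block filesystems such as NFS, so it would raise NoMethodError for such a device. The old `Analyzer#in_lvm?` had the same gap, but with the logic now in one class it is cheap to close: add `return false unless device.respond_to?(:plain_blk_devices)` after the planned check. Whether an NFS filesystem can actually reach this method is not visible here. `in_lvm?` also lacks the `@return [Boolean]` tag its siblings carry, and `in_software_raid?` has no `@param boot_disk`.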
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/base.rb
 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/base.rb
--- 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/base.rb
  2022-11-17 06:40:00.000000000 +0100
+++ 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/base.rb
  2022-11-21 16:25:40.000000000 +0100
@@ -27,6 +27,7 @@
 require "y2storage/volume_specification"
 require "y2storage/setup_error"
 require "y2storage/volume_specification_builder"
+require "y2storage/pbkd_function"
 
 module Y2Storage
   module BootRequirementsStrategies
@@ -45,7 +46,7 @@
         :root_in_lvm?, :root_in_software_raid?, :encrypted_root?, :btrfs_root?,
         :root_fs_can_embed_grub?, :boot_in_lvm?,
         :boot_in_thin_lvm?, :boot_in_bcache?, :boot_in_software_raid?, 
:encrypted_boot?,
-        :boot_fs_can_embed_grub?, :boot_filesystem_type, :boot_encryption_type,
+        :boot_fs_can_embed_grub?, :boot_filesystem_type, 
:boot_encryption_type, :boot_luks2_pbkdf,
         :esp_in_lvm?, :esp_in_software_raid?, :esp_in_software_raid1?, 
:encrypted_esp?
 
       # Constructor
@@ -224,10 +225,15 @@
       #
       # * it is not encrypted (obviously),
       # * or it is encrypted using LUKS1.
+      # * or it is encrypted using LUKS2 with PBKDF2 as key derivation function
       #
       # @return [Boolean] true if grub can read the boot device
       def boot_readable_by_grub?
         t = boot_encryption_type
+        # FIXME: In fact, this is true only in TW and ALP. The Grub2 package 
at SLE-15-SP5 is not able
+        # to perform the autoconfiguration for LUKS2 devices, no matter what 
PBKDF is used.
+        return boot_luks2_pbkdf == PbkdFunction::PBKDF2 if t.is?(:luks2)
+
         t.is?(:none) || t.is?(:luks1)
       end
     end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption.rb 2022-11-17 
06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption.rb 2022-11-21 
16:25:40.000000000 +0100
@@ -67,15 +67,12 @@
     storage_forward :cipher
     storage_forward :cipher=
 
-    # @!attribute pbkdf
-    #   PBKDF (Password-Based Key Derivation Function), currently only 
supported for LUKS2 where
-    #   this attribute corresponds to the PBKDF of the first used keyslot.
-    #
-    #   If is set to empty, during the commit phase the default of cryptsetup 
will be used.
+    # @!attribute pbkdf_value
+    #   String representation of {#pbkdf}, an empty string is equivalent to a 
nil value on {#pbkdf}
     #
     #   @return [String]
-    storage_forward :pbkdf
-    storage_forward :pbkdf=
+    storage_forward :pbkdf_value, to: :pbkdf
+    storage_forward :pbkdf_value=, to: :pbkdf=
 
     # @!attribute crypt_options
     #   Options in the fourth field of /etc/crypttab
@@ -408,6 +405,30 @@
       self.storage_in_etc_crypttab = value
     end
 
+    # PBKDF (Password-Based Key Derivation Function), currently only supported 
for LUKS2 where
+    # this attribute corresponds to the PBKDF of the first used keyslot.
+    #
+    # If is set to nil, during the commit phase the default of cryptsetup will 
be used.
+    #
+    # @return [PbkdFunction, nil]
+    def pbkdf
+      PbkdFunction.find(pbkdf_value)
+    end
+
+    # @see #pbkdf
+    #
+    # @param function [PbkdFunction, nil]
+    def pbkdf=(function)
+      self.pbkdf_value = function&.value || ""
+    end
+
+    # Whether the attribute #pbkdf makes sense for this object
+    #
+    # @return [Boolean]
+    def supports_pbkdf?
+      type.is?(:luks2)
+    end
+
     protected
 
     # @see Device#is?
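Review bot: `Encryption#pbkdf` now calls `PbkdFunction.find`, but neither hunk in this file adds `require "y2storage/pbkd_function"`, unlike the changes to boot_requirements_strategies/base.rb and encryption_method/luks2.rb in the same commit. The file's require block is outside the hunks, so the constant may already load transitively; an explicit require would remove that load-order dependency. The `@return [PbkdFunction, nil]` text could also say that nil is returned for a stored value `find` does not recognise, not only for the empty string.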
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_method/luks2.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_method/luks2.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_method/luks2.rb    
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_method/luks2.rb    
2022-11-21 16:25:40.000000000 +0100
@@ -21,6 +21,7 @@
 require "y2storage/encryption_method/base"
 require "y2storage/encryption_method/pervasive_luks2"
 require "y2storage/encryption_processes/luks"
+require "y2storage/pbkd_function"
 
 module Y2Storage
   module EncryptionMethod
@@ -48,12 +49,12 @@
       #
       # @param blk_device [Y2Storage::BlkDevice]
       # @param dm_name [String]
-      # @param pbkdf [String] password-based key derivation function to be 
used by the created
+      # @param pbkdf [PbkdFunction, nil] password-based key derivation 
function to be used by the created
       #   LUKS2 device
       # @param label [String] optional LUKS label
       #
       # @return [Y2Storage::Encryption]
-      def create_device(blk_device, dm_name, pbkdf: "", label: "")
+      def create_device(blk_device, dm_name, pbkdf: nil, label: "")
         encryption_process.create_device(blk_device, dm_name, pbkdf: pbkdf, 
label: label)
       end
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_processes/luks.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_processes/luks.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_processes/luks.rb  
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_processes/luks.rb  
2022-11-21 16:25:40.000000000 +0100
@@ -41,7 +41,7 @@
       #
       # @param blk_device [Y2Storage::BlkDevice]
       # @param dm_name [String]
-      # @param pbkdf [String, nil] PBKDF of the LUKS device, only relevant for 
LUKS2
+      # @param pbkdf [PbkdFunction] PBKDF of the LUKS device, only relevant 
for LUKS2
       # @param label [String, nil] label of the LUKS device, only relevant for 
LUKS2
       #
       # @return [Encryption]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/pbkd_function.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/pbkd_function.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/pbkd_function.rb      
1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/pbkd_function.rb      
2022-11-21 16:25:40.000000000 +0100
@@ -0,0 +1,103 @@
+# Copyright (c) [2021-2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+
+module Y2Storage
+  # Class to represent each one of the possible values for 
{Y2Storage::Encryption#pbkdf}
+  class PbkdFunction
+    include Yast::I18n
+    extend Yast::I18n
+
+    # Constructor, to be used internally by the class
+    #
+    # @param value [String] see {#value}
+    # @param name [String] string marked for translation, see {#name}
+    def initialize(value, name)
+      textdomain "storage"
+
+      @value = value
+      @name = name
+    end
+
+    # Instance of the function to be always returned by the class
+    # TRANSLATORS: name of a key derivation function used by LUKS
+    ARGON2ID = new("argon2id", N_("Argon2id"))
+    # Instance of the function to be always returned by the class
+    # TRANSLATORS: name of a key derivation function used by LUKS
+    ARGON2I = new("argon2i", N_("Argon2i"))
+    # Instance of the function to be always returned by the class
+    # TRANSLATORS: name of a key derivation function used by LUKS
+    PBKDF2 = new("pbkdf2", N_("PBKDF2"))
+
+    # All possible instances
+    ALL = [ARGON2ID, ARGON2I, PBKDF2].freeze
+    private_constant :ALL
+
+    # Sorted list of all possible roles
+    def self.all
+      ALL.dup
+    end
+
+    # Finds a function by its value
+    #
+    # @param value [#to_s]
+    # @return [PbkdFunction, nil] nil if such value does not exist
+    def self.find(value)
+      ALL.find { |opt| opt.value == value.to_s }
+    end
+
+    # @return [String] value for {Y2Storage::Encryption#pbkdf}
+    attr_reader :value
+
+    # @return [String] localized name for the function to display in the UI
+    def name
+      _(@name)
+    end
+
+    alias_method :to_s, :value
+
+    # @return [Symbol]
+    def to_sym
+      value.to_sym
+    end
+
+    # Checks whether the object corresponds to any of the given enum values.
+    #
+    # By default, this will be the base comparison used in the case statements.
+    #
+    # @param names [#to_sym]
+    # @return [Boolean]
+    def is?(*names)
+      names.any? { |n| n.to_sym == to_sym }
+    end
+
+    # @return [Boolean]
+    def ==(other)
+      other.class == self.class && other.value == value
+    end
+
+    alias_method :eql?, :==
+
+    # @return [Boolean]
+    def ===(other)
+      other.instance_of?(self.class) && is?(other)
+    end
+  end
+end
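Review bot: `PbkdFunction` overrides `==` and aliases `eql?` to it but leaves `hash` inherited from Object, so two instances with the same value would compare equal yet land in different Hash buckets and both survive `uniq`. That is harmless while only the three constants exist, but `new` is still public. Either add a `hash` method returning `[self.class, value].hash`, or close the constructor with `private_class_method :new` after the constants are defined. Separately, the comment on `self.all` still says "roles" where it means functions.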
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/can_be_encrypted.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/can_be_encrypted.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/can_be_encrypted.rb   
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/can_be_encrypted.rb   
2022-11-21 16:25:40.000000000 +0100
@@ -46,6 +46,11 @@
       #   @return [String, nil] password used to encrypt the device.
       secret_attr :encryption_password
 
+      # PBKDF to use when encrypting the device if such property makes sense 
(eg. LUKS2)
+      #
+      # @return [PbkdFunction, nil] nil to use the default derivation function
+      attr_accessor :encryption_pbkdf
+
       # Initializations of the mixin, to be called from the class constructor.
       def initialize_can_be_encrypted; end
 
@@ -80,6 +85,7 @@
         if create_encryption?
           method = encryption_method || EncryptionMethod.find(:luks1)
           result = plain_device.encrypt(method: method, password: 
encryption_password)
+          result.pbkdf = encryption_pbkdf if encryption_pbkdf && 
result.supports_pbkdf?
           log.info "Device encrypted. Returning the new device 
#{result.inspect}"
         else
           log.info "No need to encrypt. Returning the existing device 
#{result.inspect}"
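Review bot: The added line drops a requested `encryption_pbkdf` without any trace when `result.supports_pbkdf?` is false, so a caller that asked for a specific KDF on a non-LUKS2 method gets a device with a different one and nothing in the log says so. Since this is a security-relevant setting, log the mismatch next to the existing `log.info`, e.g. `log.warn "PBKDF #{encryption_pbkdf} ignored, not supported by #{result.type}" if encryption_pbkdf && !result.supports_pbkdf?`. The enclosing method starts and ends outside the hunk.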
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/lvm_vg.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/lvm_vg.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/lvm_vg.rb     
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/lvm_vg.rb     
2022-11-21 16:25:40.000000000 +0100
@@ -68,6 +68,17 @@
       #     physical volumes. If nil, the PVs will not be encrypted.
       secret_attr :pvs_encryption_password
 
+      # Method used to encrypt the newly created physical volumes if 
{#pvs_encryption_password} is set
+      #
+      # @return [EncryptionMethod]
+      attr_accessor :pvs_encryption_method
+
+      # PBKDF used to encrypt the newly created physical volumes if 
{#pvs_encryption_password} is set
+      # and LUKS2 is used
+      #
+      # @return [PbkdFunction, nil] nil to use the default function
+      attr_accessor :pvs_encryption_pbkdf
+
       # Strategy used by the guided proposal to calculate the size of the 
resulting
       # volume group
       #
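Review bot: `pvs_encryption_method` is documented as `@return [EncryptionMethod]`, but nothing visible in this commit initialises it, so it is presumably nil unless a caller sets it. `adjust_encryption` then copies that nil to the planned PV, where the can_be_encrypted.rb code falls back to `EncryptionMethod.find(:luks1)`. I would document it as `# @return [EncryptionMethod, nil] nil to use the default method (LUKS1)`. The class constructor is outside the hunks, so confirm no default is assigned there.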
@@ -132,7 +143,7 @@
         res = Planned::Partition.new(nil)
         res.partition_id = PartitionId::LVM
         res.lvm_volume_group_name = volume_group_name
-        res.encryption_password = pvs_encryption_password
+        adjust_encryption(res)
         res.min_size = min_pv_size
         res.disk = forced_disk_name
         res
@@ -268,6 +279,15 @@
         Y2Storage::LvmVg.find_by_vg_name(devicegraph, reuse_name)
       end
 
+      # @see #minimal_pv_partition
+      def adjust_encryption(planned_pv)
+        return unless pvs_encryption_password
+
+        planned_pv.encryption_password = pvs_encryption_password
+        planned_pv.encryption_method = pvs_encryption_method
+        planned_pv.encryption_pbkdf = pvs_encryption_pbkdf
+      end
+
       # Whether the created PVs should be encrypted
       #
       # @see #pvs_encryption_password
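Review bot: `adjust_encryption` is documented only with `# @see #minimal_pv_partition`, while its counterpart `adjust_pvs_encryption` in devices_planner.rb carries a `@param` tag. The caller in the previous hunk passes a `Planned::Partition`, so `# @param planned_pv [Planned::Partition] planned PV, modified in place` would bring the two in line. A one-line summary should also state that nothing is assigned when `pvs_encryption_password` is nil.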
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/devices_planner.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/devices_planner.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/devices_planner.rb   
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/devices_planner.rb   
2022-11-21 16:25:40.000000000 +0100
@@ -160,10 +160,21 @@
         adjust_to_settings(lv, volume)
 
         planned_device = Planned::LvmVg.new(volume_group_name: 
volume.separate_vg_name, lvs: [lv])
-        planned_device.pvs_encryption_password = settings.encryption_password
+        adjust_pvs_encryption(planned_device)
         planned_device
       end
 
+      # @see #planned_separate_vg
+      #
+      # @param vg [Planned::LvmVg]
+      def adjust_pvs_encryption(vg)
+        return unless settings.encryption_password
+
+        vg.pvs_encryption_password = settings.encryption_password
+        vg.pvs_encryption_method = settings.encryption_method
+        vg.pvs_encryption_pbkdf = settings.encryption_pbkdf
+      end
+
       # Adjusts planned device values according to settings
       #
       # @note planned_device is modified
@@ -195,8 +206,11 @@
       # @param _volume [VolumeSpecification]
       def adjust_encryption(planned_device, _volume)
         return unless planned_device.is_a?(Planned::Partition)
+        return unless settings.encryption_password
 
         planned_device.encryption_password = settings.encryption_password
+        planned_device.encryption_method = settings.encryption_method
+        planned_device.encryption_pbkdf = settings.encryption_pbkdf
       end
 
       # Adjusts planned device sizes according to settings
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/lvm_helper.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/lvm_helper.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/lvm_helper.rb        
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/lvm_helper.rb        
2022-11-21 16:25:40.000000000 +0100
@@ -111,6 +111,8 @@
         @reused_volume_group.lvs = planned_lvs
         @reused_volume_group.size_strategy = vg_strategy
         @reused_volume_group.pvs_encryption_password = 
settings.encryption_password
+        @reused_volume_group.pvs_encryption_method = settings.encryption_method
+        @reused_volume_group.pvs_encryption_pbkdf = settings.encryption_pbkdf
       end
 
       # Checks whether the passed device is the volume group to be reused
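Review bot: The same three assignments (password, method, PBKDF) are written out here, again in `new_volume_group` in the next hunk, and a third time in `adjust_pvs_encryption` in devices_planner.rb. Only the last one is guarded by `return unless settings.encryption_password`. Here the method and PBKDF are copied even when no password is set. That looks harmless because `adjust_encryption` in planned/lvm_vg.rb checks the password before using them, but the three sites can drift apart when another setting is added. A private helper taking the planned VG, called as `assign_pvs_encryption(@reused_volume_group)` and `assign_pvs_encryption(vg)`, would keep them together until the `EncryptionSettings` class from the TODO in proposal_settings.rb exists. The enclosing method starts outside the hunk.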
@@ -153,6 +155,8 @@
       def new_volume_group
         vg = Planned::LvmVg.new(volume_group_name: DEFAULT_VG_NAME, lvs: 
planned_lvs)
         vg.pvs_encryption_password = settings.encryption_password
+        vg.pvs_encryption_method = settings.encryption_method
+        vg.pvs_encryption_pbkdf = settings.encryption_pbkdf
         vg.size_strategy = vg_strategy
         vg
       end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal_settings.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal_settings.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal_settings.rb  
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal_settings.rb  
2022-11-21 16:25:40.000000000 +0100
@@ -25,6 +25,7 @@
 require "y2storage/filesystems/type"
 require "y2storage/partitioning_features"
 require "y2storage/volume_specifications_set"
+require "y2storage/encryption_method"
 
 module Y2Storage
   # Class to manage settings used by the proposal (typically read from 
control.xml)
@@ -149,10 +150,23 @@
     # @return [Array<String>, nil]
     attr_reader :explicit_candidate_devices
 
+    # TODO: it makes sense to encapsulate #encryption_password, 
#encryption_method and
+    # #encryption_pbkdf in some new class (eg. EncryptionSettings), posponed 
for now
+
     # @!attribute encryption_password
     #   @return [String] password to use when creating new encryption devices
     secret_attr :encryption_password
 
+    # Encryption method to use if {#encryption_password} is set
+    #
+    # @return [EncryptionMethod::Base]
+    attr_accessor :encryption_method
+
+    # PBKDF to use if {#encryption_password} is set and {#encryption_method} 
is LUKS2
+    #
+    # @return [PbkdFunction, nil] nil to use the default
+    attr_accessor :encryption_pbkdf
+
     # @return [Boolean] whether to resize Windows systems if needed
     attr_accessor :resize_windows
 
@@ -384,6 +398,7 @@
       linux_delete_mode:          :ondemand,
       lvm:                        false,
       lvm_vg_strategy:            :use_available,
+      encryption_method:          EncryptionMethod::LUKS1,
       multidisk_first:            false,
       other_delete_mode:          :ondemand,
       resize_windows:             true,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage.rb 
new/yast2-storage-ng-4.5.14/src/lib/y2storage.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage.rb    2022-11-17 
06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage.rb    2022-11-21 
16:25:40.000000000 +0100
@@ -63,6 +63,7 @@
 require "y2storage/btrfs_qgroup"
 require "y2storage/btrfs_subvolume"
 require "y2storage/storage_features_list"
+require "y2storage/pbkd_function"
 
 require "y2storage/exceptions"
 require "y2storage/boot_requirements_checker"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/test/support/boot_requirements_context.rb 
new/yast2-storage-ng-4.5.14/test/support/boot_requirements_context.rb
--- old/yast2-storage-ng-4.5.13/test/support/boot_requirements_context.rb       
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/support/boot_requirements_context.rb       
2022-11-21 16:25:40.000000000 +0100
@@ -64,7 +64,8 @@
       esp_in_software_raid?:   false,
       esp_in_software_raid1?:  false,
       encrypted_esp?:          false,
-      boot_encryption_type:    boot_enc_type
+      boot_encryption_type:    boot_enc_type,
+      boot_luks2_pbkdf:        boot_pbkdf
     )
   end
 
@@ -80,6 +81,7 @@
   end
   let(:boot_ptable_type) { :msdos }
   let(:boot_enc_type) { Y2Storage::EncryptionType::NONE }
+  let(:boot_pbkdf) { nil }
 
   # Mocks for Raspberry Pi detection
   let(:raspi_system) { false }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/description_section/blk_device_test.rb
 
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/description_section/blk_device_test.rb
--- 
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/description_section/blk_device_test.rb
       2022-11-17 06:40:00.000000000 +0100
+++ 
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/description_section/blk_device_test.rb
       2022-11-21 16:25:40.000000000 +0100
@@ -22,6 +22,7 @@
 require_relative "help_fields_examples"
 
 require "y2partitioner/widgets/description_section/blk_device"
+require "y2storage/pbkd_function"
 
 describe Y2Partitioner::Widgets::DescriptionSection::BlkDevice do
   before { devicegraph_stub(scenario) }
@@ -73,7 +74,9 @@
       end
 
       context "if LUKS2 is used as encryption type" do
-        before { device.encrypt(method: :luks2, label: "something", pbkdf: 
"argon2i") }
+        before do
+          device.encrypt(method: :luks2, label: "something", pbkdf: 
Y2Storage::PbkdFunction::ARGON2I)
+        end
 
         it "includes an entry about the encryption including the encryption 
type" do
           expect(subject.value).to match(/Encrypted: Yes/)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/pbkdf_selector_test.rb 
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/pbkdf_selector_test.rb
--- 
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/pbkdf_selector_test.rb   
    2022-11-17 06:40:00.000000000 +0100
+++ 
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/pbkdf_selector_test.rb   
    2022-11-21 16:25:40.000000000 +0100
@@ -22,12 +22,15 @@
 
 require "cwm/rspec"
 require "y2partitioner/widgets/pbkdf_selector"
+require "y2storage/pbkd_function"
 
 describe Y2Partitioner::Widgets::PbkdfSelector do
   subject(:widget) { described_class.new(controller) }
 
-  let(:controller) { double("Controllers::Encryption", pbkdf: initial_pbkdf) }
   let(:initial_pbkdf) { "pbkdf2" }
+  let(:controller) do
+    double("Controllers::Encryption", pbkdf: 
Y2Storage::PbkdFunction.find(initial_pbkdf))
+  end
 
   include_examples "CWM::ComboBox"
 
@@ -71,7 +74,8 @@
     end
 
     it "sets the selected pbkdf" do
-      expect(controller).to receive(:pbkdf=).with(selected_pbkdf)
+      pbkdf = Y2Storage::PbkdFunction.find(selected_pbkdf)
+      expect(controller).to receive(:pbkdf=).with(pbkdf)
 
       widget.store
     end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/test/y2storage/encryption_method_test.rb 
new/yast2-storage-ng-4.5.14/test/y2storage/encryption_method_test.rb
--- old/yast2-storage-ng-4.5.13/test/y2storage/encryption_method_test.rb        
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/y2storage/encryption_method_test.rb        
2022-11-21 16:25:40.000000000 +0100
@@ -21,6 +21,7 @@
 
 require_relative "spec_helper"
 require "y2storage/encryption_method"
+require "y2storage/pbkd_function"
 
 describe Y2Storage::EncryptionMethod do
   describe ".all" do
@@ -274,10 +275,12 @@
       it "sets the given label and PBKDF for the LUKS2 device" do
         expect(device.encrypted?).to eq(false)
 
-        subject.create_device(device, "cr_dev", label: "cool_luks", pbkdf: 
"argon2i")
+        subject.create_device(
+          device, "cr_dev", label: "cool_luks", pbkdf: 
Y2Storage::PbkdFunction::ARGON2I
+        )
 
         expect(device.encryption.label).to eq "cool_luks"
-        expect(device.encryption.pbkdf).to eq "argon2i"
+        expect(device.encryption.pbkdf.value).to eq "argon2i"
       end
     end
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/test/y2storage/pbkd_function_test.rb 
new/yast2-storage-ng-4.5.14/test/y2storage/pbkd_function_test.rb
--- old/yast2-storage-ng-4.5.13/test/y2storage/pbkd_function_test.rb    
1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/y2storage/pbkd_function_test.rb    
2022-11-21 16:25:40.000000000 +0100
@@ -0,0 +1,68 @@
+#!/usr/bin/env rspec
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require_relative "spec_helper"
+require "y2storage/pbkd_function"
+
+describe Y2Storage::PbkdFunction do
+  subject { Y2Storage::PbkdFunction::ARGON2I }
+
+  describe "#is?" do
+    it "returns true for an equivalent function object" do
+      expect(subject.is?(Y2Storage::PbkdFunction.find("argon2i"))).to eq true
+    end
+
+    it "returns false for a non-equivalent function object" do
+      expect(subject.is?(Y2Storage::PbkdFunction.find("pbkdf2"))).to eq false
+    end
+
+    it "returns true for a list of symbols including the equivalent one" do
+      expect(subject.is?(:argon2i, :pbkdf)).to eq true
+    end
+
+    it "returns false for list of symbols not including the equivalent one" do
+      expect(subject.is?(:argon2id, :pbkdf)).to eq false
+    end
+  end
+
+  describe "#===" do
+    it "returns true for the equivalent object" do
+      value =
+        case subject
+        when Y2Storage::PbkdFunction.find("argon2i")
+          true
+        else
+          false
+        end
+      expect(value).to eq true
+    end
+
+    it "returns false for the equivalent symbol" do
+      value =
+        case subject
+        when :argon2i
+          true
+        else
+          false
+        end
+      expect(value).to eq false
+    end
+  end
+end
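Review bot: The symbol lists in the two multi-argument `#is?` examples contain `:pbkdf`, which matches none of the function names used elsewhere in this commit (`"pbkdf2"`, `"argon2i"`, `:argon2id`), so it looks like a typo for `:pbkdf2`. Both examples still pass because the first symbol alone decides the outcome, so the second argument tests nothing meaningful. Suggest `subject.is?(:argon2i, :pbkdf2)` and `subject.is?(:argon2id, :pbkdf2)`.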
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/yast2-storage-ng-4.5.13/test/y2storage/proposal_luks2_x86_test.rb 
new/yast2-storage-ng-4.5.14/test/y2storage/proposal_luks2_x86_test.rb
--- old/yast2-storage-ng-4.5.13/test/y2storage/proposal_luks2_x86_test.rb       
1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/y2storage/proposal_luks2_x86_test.rb       
2022-11-21 16:25:40.000000000 +0100
@@ -0,0 +1,175 @@
+#!/usr/bin/env rspec
+# Copyright (c) [2017] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require_relative "spec_helper"
+require "storage"
+require "y2storage"
+require_relative "#{TEST_PATH}/support/proposal_examples"
+require_relative "#{TEST_PATH}/support/proposal_context"
+
+describe Y2Storage::GuidedProposal do
+  using Y2Storage::Refinements::SizeCasts
+
+  describe "#propose" do
+    include_context "proposal"
+
+    subject(:proposal) { described_class.new(settings: settings) }
+    let(:scenario) { "empty_hard_disk_50GiB" }
+    let(:architecture) { :x86 }
+    let(:control_file) { "legacy_settings.xml" }
+    let(:encrypt) { true }
+
+    before do
+      allow(Yast::Kernel).to receive(:propose_hibernation?).and_return(true)
+      allow(storage_arch).to receive(:efiboot?).and_return(efi)
+
+      settings.encryption_method = Y2Storage::EncryptionMethod::LUKS2
+      settings.encryption_pbkdf = pbkdf
+    end
+
+    # Helper method to check the properties of an encrypted filesystem
+    def expect_luks2_fs(mount_path, pbkdf)
+      fs = proposal.devices.filesystems.find { |i| i.mount_path == mount_path }
+      expect(fs.encrypted?).to eq true
+
+      enc = fs.blk_devices.first
+      expect(enc.type).to eq Y2Storage::EncryptionType::LUKS2
+      expect(enc.pbkdf).to eq pbkdf
+    end
+
+    # Helper method to check the properties of a filesystem inside an 
encrypted LVM
+    def expect_luks2_lvm_fs(mount_path, pbkdf)
+      fs = proposal.devices.filesystems.find { |i| i.mount_path == mount_path }
+      expect(fs.encrypted?).to eq false
+
+      lv = fs.blk_devices.first
+      expect(lv.is?(:lvm_lv)).to eq true
+
+      pvs = lv.lvm_vg.lvm_pvs
+      encs = pvs.map(&:blk_device)
+      expect(encs.map(&:type)).to all(eq Y2Storage::EncryptionType::LUKS2)
+      expect(encs.map(&:pbkdf)).to all(eq pbkdf)
+    end
+
+    RSpec.shared_examples "/boot unless PBKDF2" do
+      context "using Argon2id as key derivation function" do
+        let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+
+        it "proposes a separate unencrypted /boot partition" do
+          proposal.propose
+          boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == 
"/boot" }
+          expect(boot_fs.encrypted?).to eq false
+        end
+      end
+
+      context "using PBKDF2 as key derivation function" do
+        let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+
+        it "does not propose a separate /boot partition" do
+          proposal.propose
+          boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == 
"/boot" }
+          expect(boot_fs).to be_nil
+        end
+      end
+    end
+
+    RSpec.shared_examples "correct PBKDF encrypted partitions" do
+      context "using Argon2id as key derivation function" do
+        let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+
+        it "proposes LUKS2 encrypted partitions with Argon2 for all system 
partitions" do
+          proposal.propose
+          expect_luks2_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
+          expect_luks2_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
+        end
+      end
+
+      context "using PBKDF2 as key derivation function" do
+        let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+
+        it "proposes LUKS2 encrypted partitions with PBKDF2 for all system 
partitions" do
+          proposal.propose
+          expect_luks2_fs("/", Y2Storage::PbkdFunction::PBKDF2)
+          expect_luks2_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
+        end
+      end
+    end
+
+    RSpec.shared_examples "correct PBKDF encrypted LVM" do
+      context "using Argon2id as key derivation function" do
+        let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+
+        it "proposes LUKS2 encrypted LVM with Argon2 for all system volumes" do
+          proposal.propose
+          expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
+          expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
+        end
+      end
+
+      context "using PBKDF2 as key derivation function" do
+        let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+
+        it "proposes LUKS2 encrypted LVM with PBKDF2 for all system volumes" do
+          proposal.propose
+          expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::PBKDF2)
+          expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
+        end
+      end
+    end
+
+    context "In a UEFI system" do
+      let(:efi) { true }
+
+      context "proposing LVM" do
+        let(:lvm) { true }
+
+        # FIXME: commented out because the combination of LVM + LUKS2 with 
Argon2 doesn't work yet
+        # include_examples "/boot unless PBKDF2"
+        include_examples "correct PBKDF encrypted LVM"
+      end
+
+      context "proposing partitions (no LVM)" do
+        let(:lvm) { false }
+
+        include_examples "/boot unless PBKDF2"
+        include_examples "correct PBKDF encrypted partitions"
+      end
+    end
+
+    context "In a legacy BIOS boot system" do
+      let(:efi) { false }
+
+      context "proposing LVM" do
+        let(:lvm) { true }
+
+        # FIXME: commented out because the combination of LVM + LUKS2 with 
Argon2 doesn't work yet
+        # include_examples "/boot unless PBKDF2"
+        include_examples "correct PBKDF encrypted LVM"
+      end
+
+      context "proposing partitions (no LVM)" do
+        let(:lvm) { false }
+
+        include_examples "/boot unless PBKDF2"
+        include_examples "correct PBKDF encrypted partitions"
+      end
+    end
+  end
+end
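Review bot: The two `# include_examples "/boot unless PBKDF2"` lines under "proposing LVM" are commented out with a FIXME saying LVM + LUKS2 with Argon2 does not work yet, while `"correct PBKDF encrypted LVM"` in the same contexts still asserts that the proposal produces Argon2id-encrypted PVs. The suite therefore confirms that the combination can be proposed but says nothing about the /boot layout that goes with it, and a commented-out line never shows up in the test report. A skipped context keeps the gap visible: `context "with a separate /boot", skip: "LVM + LUKS2 with Argon2 not supported yet" do`, `include_examples "/boot unless PBKDF2"`, `end`. Whether the proposal code should refuse or warn about that combination in the meantime cannot be judged from this hunk.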
