Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package yast2-storage-ng for
openSUSE:Factory checked in at 2022-11-22 16:09:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-storage-ng (Old)
and /work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-storage-ng"
Tue Nov 22 16:09:52 2022 rev:133 rq:1037139 version:4.5.14
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-storage-ng/yast2-storage-ng.changes
2022-11-18 15:43:13.226479665 +0100
+++
/work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1597/yast2-storage-ng.changes
2022-11-22 16:09:55.821953097 +0100
@@ -1,0 +2,7 @@
+Mon Nov 21 11:33:52 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com>
+
+- GuidedProposal: support for LUKS2 encryption with a configurable
+ PBKDF to be used by D-Installer (related to jsc#PED-2182).
+- 4.5.14
+
+-------------------------------------------------------------------
Old:
----
yast2-storage-ng-4.5.13.tar.bz2
New:
----
yast2-storage-ng-4.5.14.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-storage-ng.spec ++++++
--- /var/tmp/diff_new_pack.VIdGic/_old 2022-11-22 16:09:56.297955513 +0100
+++ /var/tmp/diff_new_pack.VIdGic/_new 2022-11-22 16:09:56.305955553 +0100
@@ -17,7 +17,7 @@
Name: yast2-storage-ng
-Version: 4.5.13
+Version: 4.5.14
Release: 0
Summary: YaST2 - Storage Configuration
License: GPL-2.0-only OR GPL-3.0-only
++++++ yast2-storage-ng-4.5.13.tar.bz2 -> yast2-storage-ng-4.5.14.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.changes
new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.changes
--- old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.changes
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.changes
2022-11-21 16:25:40.000000000 +0100
@@ -1,4 +1,11 @@
-------------------------------------------------------------------
+Mon Nov 21 11:33:52 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com>
+
+- GuidedProposal: support for LUKS2 encryption with a configurable
+ PBKDF to be used by D-Installer (related to jsc#PED-2182).
+- 4.5.14
+
+-------------------------------------------------------------------
Tue Nov 15 11:40:40 UTC 2022 - José Iván López González <jlo...@suse.com>
- Validate security policies in both guided proposal and
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.spec
new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.spec
--- old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.spec 2022-11-17
06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.spec 2022-11-21
16:25:40.000000000 +0100
@@ -16,7 +16,7 @@
#
Name: yast2-storage-ng
-Version: 4.5.13
+Version: 4.5.14
Release: 0
Summary: YaST2 - Storage Configuration
License: GPL-2.0-only OR GPL-3.0-only
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/actions/controllers/encryption.rb
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/actions/controllers/encryption.rb
---
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/actions/controllers/encryption.rb
2022-11-17 06:40:00.000000000 +0100
+++
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/actions/controllers/encryption.rb
2022-11-21 16:25:40.000000000 +0100
@@ -58,7 +58,7 @@
# @return [String] Label for the encryption device if the method
supports setting one
attr_accessor :label
- # @return [String] Password-based key derivation function (PBKDF) for
the LUKS2 device
+ # @return [PbkdFunction] Password-based key derivation function
(PBKDF) for the LUKS2 device
attr_accessor :pbkdf
# Contructor
@@ -71,7 +71,7 @@
@fs_controller = fs_controller
@action = actions.first
@password = encryption&.password || ""
- @pbkdf = encryption&.pbkdf || ""
+ @pbkdf = encryption&.pbkdf
@method = initial_method
@apqns = initial_apqns
@label = initial_label
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/pbkd_function.rb
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/pbkd_function.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/pbkd_function.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/pbkd_function.rb
1970-01-01 01:00:00.000000000 +0100
@@ -1,72 +0,0 @@
-# Copyright (c) [2021] SUSE LLC
-#
-# All Rights Reserved.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of version 2 of the GNU General Public License as published
-# by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
-# more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, contact SUSE LLC.
-#
-# To contact SUSE LLC about this file by physical or electronic mail, you may
-# find current contact information at www.suse.com.
-
-require "yast"
-require "y2storage"
-
-module Y2Partitioner
- # Class to represent each one of the possible values for
{Y2Storage::Encryption#pbkdf}
- class PbkdFunction
- include Yast::I18n
- extend Yast::I18n
-
- # Constructor, to be used internally by the class
- #
- # @param value [String] see {#value}
- # @param name [String] string marked for translation, see {#name}
- def initialize(value, name)
- textdomain "storage"
-
- @value = value
- @name = name
- end
-
- # All possible instances
- ALL = [
- # TRANSLATORS: name of a key derivation function used by LUKS
- new("argon2id", N_("Argon2id")),
- # TRANSLATORS: name of a key derivation function used by LUKS
- new("argon2i", N_("Argon2i")),
- # TRANSLATORS: name of a key derivation function used by LUKS
- new("pbkdf2", N_("PBKDF2"))
- ].freeze
- private_constant :ALL
-
- # Sorted list of all possible roles
- def self.all
- ALL.dup
- end
-
- # Finds a function by its value
- #
- # @param value [String, nil]
- # @return [PbkdFunction, nil] nil if such value does not exist
- def self.find(value)
- ALL.find { |opt| opt.value == value }
- end
-
- # @return [String] value for {Y2Storage::Encryption#pbkdf}
- attr_reader :value
-
- # @return [String] localized name for the function to display in the UI
- def name
- _(@name)
- end
- end
-end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/description_section/blk_device.rb
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/description_section/blk_device.rb
---
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/description_section/blk_device.rb
2022-11-17 06:40:00.000000000 +0100
+++
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/description_section/blk_device.rb
2022-11-21 16:25:40.000000000 +0100
@@ -19,7 +19,7 @@
require "y2partitioner/widgets/description_section/base"
require "y2partitioner/widgets/blk_device_attributes"
-require "y2partitioner/pbkd_function"
+require "y2storage/pbkd_function"
module Y2Partitioner
module Widgets
@@ -102,7 +102,7 @@
#
# @return [String]
def pbkdf_value
- pbkdf = PbkdFunction.find(blk_device.encryption.pbkdf)
+ pbkdf = blk_device.encryption.pbkdf
# TRANSLATORS: %s becomes the name of the PBKDF function used by a
LUKS2 device (eg. Argon2i)
format(_("Key Derivation Function (PBKDF): %s"), pbkdf.name)
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/pbkdf_selector.rb
new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/pbkdf_selector.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/pbkdf_selector.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/pbkdf_selector.rb
2022-11-21 16:25:40.000000000 +0100
@@ -19,7 +19,7 @@
require "yast"
require "cwm"
-require "y2partitioner/pbkd_function"
+require "y2storage/pbkd_function"
module Y2Partitioner
module Widgets
@@ -45,17 +45,17 @@
# Sets the initial value
def init
enable_on_init ? enable : disable
- self.value = @controller.pbkdf
+ self.value = @controller.pbkdf&.value
end
# @macro seeItemsSelection
def items
- PbkdFunction.all.map { |opt| [opt.value, opt.name] }
+ Y2Storage::PbkdFunction.all.map { |opt| [opt.value, opt.name] }
end
# @macro seeAbstractWidget
def store
- @controller.pbkdf = value
+ @controller.pbkdf = Y2Storage::PbkdFunction.find(value)
end
private
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
---
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
2022-11-17 06:40:00.000000000 +0100
+++
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/analyzer.rb
2022-11-21 16:25:40.000000000 +0100
@@ -259,6 +259,9 @@
# Encryption type of boot device
#
+ # FIXME: this method does not work well with GuidedProposal if
LVM+encryption is used.
+ # It was not a problem before but it is now if LVM and LUKS2 with
Argon2 are combined.
+ #
# The device can be a planned one or filesystem from the devicegraph.
#
# @return [Y2Storage::EncryptionType] Encryption type
@@ -266,6 +269,14 @@
encryption_type(device_for_boot)
end
+ # Password-based key derivation function used to encrypt the boot
device, if such property
+ # makes sense (ie. if LUKS2 encryption is used)
+ #
+ # @return [PbkdFunction, nil] nil if the value is not known
+ def boot_luks2_pbkdf
+ Device.new(device_for_boot).luks2_pbkdf
+ end
+
# Whether the partition table of the disk used for booting matches the
# given type.
#
@@ -519,7 +530,7 @@
def filesystem_type(device)
return nil if device.nil?
- device.respond_to?(:filesystem_type) ? device.filesystem_type :
device.type
+ Device.new(device).filesystem_type
end
# Whether the device is in a LVM logical volume
@@ -531,11 +542,7 @@
def in_lvm?(device)
return false if device.nil?
- if device.is_a?(Planned::Device)
- device.is_a?(Planned::LvmLv)
- else
- device.plain_blk_devices.any? { |dev| dev.is?(:lvm_lv) }
- end
+ Device.new(device).in_lvm?
end
# Whether the device is in a thinly provisioned LVM logical volume
@@ -547,16 +554,7 @@
def in_thin_lvm?(device)
return false if device.nil?
- if device.is_a?(Planned::Device)
- device.is_a?(Planned::LvmLv) && device.lv_type == LvType::THIN
- else
- # If this is not a BlkFilesystem (e.g. NFS), it can't be on thin LVM
- return false unless device.respond_to?(:plain_blk_devices)
-
- device.plain_blk_devices.any? do |dev|
- dev.is?(:lvm_lv) && dev.lv_type == LvType::THIN
- end
- end
+ Device.new(device).in_thin_lvm?
end
# Whether the device is in a BCache
@@ -568,17 +566,7 @@
def in_bcache?(device)
return false if device.nil?
- if device.is_a?(Planned::Device)
- device.is_a?(Planned::Bcache)
- else
- # If this is not a BlkFilesystem (e.g. NFS), it can't be in a BCache
- return false unless device.respond_to?(:plain_blk_devices)
-
- # Strictly speaking, with very advanced storage configurations it
may be possible to
- # access a filesystem with bcache ancestors in the devicegraph
without actually accessing
- # the bcache. But that would be an extreme case and is not supported
by YaST.
- device.ancestors.any? { |dev| dev.is?(:bcache) }
- end
+ Device.new(device).in_bcache?
end
# Whether the device is encrypted
@@ -598,23 +586,9 @@
# @param device [Filesystems::Base, Planned::Device, nil]
# @return [Y2Storage::EncryptionType] Encryption type
def encryption_type(device)
- # FIXME: the implementation of this method (and others) would be much
simpler if the API
- # offered by Planned::Device and Device would be more consistent which
each other
- if device.is_a?(Planned::Device)
- planned_encryption_type(device)
- elsif device.respond_to?(:plain_blk_devices)
- device.plain_blk_devices.map { |d| d.encryption&.type }.compact.first
- end || Y2Storage::EncryptionType::NONE
- end
-
- # @see #encryption_type
- #
- # @param planned [Planned::Device]
- # @return [Y2Storage::EncryptionType] Encryption type
- def planned_encryption_type(planned)
- return Y2Storage::EncryptionType::NONE unless
planned.respond_to?(:encrypt?) && planned.encrypt?
+ return Y2Storage::EncryptionType::NONE if device.nil?
- planned.encryption_method&.encryption_type ||
Y2Storage::EncryptionType::LUKS1
+ Device.new(device).encryption_type
end
# Whether the device is in a software RAID
@@ -626,15 +600,7 @@
def in_software_raid?(device)
return false if device.nil?
- if device.is_a?(Planned::Device)
- device.is_a?(Planned::Md)
- else
- device.ancestors.any? do |dev|
- # Don't check boot_disk as it might validly be a RAID1 itself
- # (full disks as RAID case) - we want to treat this as 'no RAID'.
- dev.is?(:software_raid) && dev != boot_disk
- end
- end
+ Device.new(device).in_software_raid?(boot_disk)
end
# Check if device is a direct member of a RAID1 (RAID over entire disks).
@@ -658,6 +624,133 @@
raid1_dev
end
+
+ # Auxiliar class to check the properties or a given device
+ #
+ # FIXME: this class wouldn't be needed if the API offered by
Planned::Device and Device would
+ # be more consistent which each other. Having all the affected code in a
single class helps
+ # readability and makes easier to fix the inconsistency problem in the
future.
+ class Device
+ # Constructor
+ #
+ # @param device [Filesystems::Base, Planned::Device] see {#device}
+ def initialize(device)
+ @device = device
+ end
+
+ # Device being analyzed, it can be a planned device or a filesystem
from the devicegraph
+ #
+ # @return [Filesystems::Base, Planned::Device]
+ attr_reader :device
+
+ # Whether the analyzed device is a planned one
+ #
+ # @return [Boolean]
+ def planned?
+ device.is_a?(Planned::Device)
+ end
+
+ # Filesystem type used for the device
+ #
+ # @return [Filesystems::Type, nil] nil if is a planned device not
going to be formatted
+ def filesystem_type
+ device.respond_to?(:filesystem_type) ? device.filesystem_type :
device.type
+ end
+
+ # Whether the device is in a LVM logical volume
+ def in_lvm?
+ return device.is_a?(Planned::LvmLv) if planned?
+
+ device.plain_blk_devices.any? { |dev| dev.is?(:lvm_lv) }
+ end
+
+ # Whether the device is in a thinly provisioned LVM logical volume
+ #
+ # @return [Boolean]
+ def in_thin_lvm?
+ return planned_in_thin_lvm? if planned?
+
+ # If this is not a BlkFilesystem (e.g. NFS), it can't be on thin LVM
+ return false unless device.respond_to?(:plain_blk_devices)
+
+ device.plain_blk_devices.any? do |dev|
+ dev.is?(:lvm_lv) && dev.lv_type == LvType::THIN
+ end
+ end
+
+ # @see #in_thin_lvm?
+ def planned_in_thin_lvm?
+ device.is_a?(Planned::LvmLv) && device.lv_type == LvType::THIN
+ end
+
+ # Whether the device is in a software RAID
+ #
+ # @return [Boolean]
+ def in_software_raid?(boot_disk)
+ return device.is_a?(Planned::Md) if planned?
+
+ device.ancestors.any? do |dev|
+ # Don't check boot_disk as it might validly be a RAID1 itself
+ # (full disks as RAID case) - we want to treat this as 'no RAID'.
+ dev.is?(:software_raid) && dev != boot_disk
+ end
+ end
+
+ # Whether the device is in a BCache
+ #
+ # @return [Boolean]
+ def in_bcache?
+ return device.is_a?(Planned::Bcache) if planned?
+
+ # If this is not a BlkFilesystem (e.g. NFS), it can't be in a BCache
+ return false unless device.respond_to?(:plain_blk_devices)
+
+ # Strictly speaking, with very advanced storage configurations it
may be possible to
+ # access a filesystem with bcache ancestors in the devicegraph
without actually accessing
+ # the bcache. But that would be an extreme case and is not supported
by YaST.
+ device.ancestors.any? { |dev| dev.is?(:bcache) }
+ end
+
+ # Encryption type of the device
+ #
+ # @return [Y2Storage::EncryptionType]
+ def encryption_type
+ return planned_encryption_type if planned?
+
+ filesystem_encryption&.type || Y2Storage::EncryptionType::NONE
+ end
+
+ # Encryption device associated to the filesystem
+ #
+ # To be used only when {#device} is a filesystem from the devicegraph
+ #
+ # @return [Encryption, nil]
+ def filesystem_encryption
+ return nil unless device.respond_to?(:plain_blk_devices)
+
+ device.plain_blk_devices.map(&:encryption).compact.first
+ end
+
+ # @see #encryption_type
+ #
+ # @return [Y2Storage::EncryptionType] Encryption type
+ def planned_encryption_type
+ return Y2Storage::EncryptionType::NONE unless
device.respond_to?(:encrypt?) && device.encrypt?
+
+ device.encryption_method&.encryption_type ||
Y2Storage::EncryptionType::LUKS1
+ end
+
+ # Password-based key derivation function used to encrypt the device
with LUKS2
+ #
+ # @return [PbkdFunction, nil] nil if the device is not formatted with
LUKS2 or the
+ # function is unknown
+ def luks2_pbkdf
+ return nil unless encryption_type.is?(:luks2)
+ return device.encryption_pbkdf if planned?
+
+ filesystem_encryption.pbkdf
+ end
+ end
end
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/base.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/base.rb
---
old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/base.rb
2022-11-17 06:40:00.000000000 +0100
+++
new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/base.rb
2022-11-21 16:25:40.000000000 +0100
@@ -27,6 +27,7 @@
require "y2storage/volume_specification"
require "y2storage/setup_error"
require "y2storage/volume_specification_builder"
+require "y2storage/pbkd_function"
module Y2Storage
module BootRequirementsStrategies
@@ -45,7 +46,7 @@
:root_in_lvm?, :root_in_software_raid?, :encrypted_root?, :btrfs_root?,
:root_fs_can_embed_grub?, :boot_in_lvm?,
:boot_in_thin_lvm?, :boot_in_bcache?, :boot_in_software_raid?,
:encrypted_boot?,
- :boot_fs_can_embed_grub?, :boot_filesystem_type, :boot_encryption_type,
+ :boot_fs_can_embed_grub?, :boot_filesystem_type,
:boot_encryption_type, :boot_luks2_pbkdf,
:esp_in_lvm?, :esp_in_software_raid?, :esp_in_software_raid1?,
:encrypted_esp?
# Constructor
@@ -224,10 +225,15 @@
#
# * it is not encrypted (obviously),
# * or it is encrypted using LUKS1.
+ # * or it is encrypted using LUKS2 with PBKDF2 as key derivation function
#
# @return [Boolean] true if grub can read the boot device
def boot_readable_by_grub?
t = boot_encryption_type
+ # FIXME: In fact, this is true only in TW and ALP. The Grub2 package
at SLE-15-SP5 is not able
+ # to perform the autoconfiguration for LUKS2 devices, no matter what
PBKDF is used.
+ return boot_luks2_pbkdf == PbkdFunction::PBKDF2 if t.is?(:luks2)
+
t.is?(:none) || t.is?(:luks1)
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption.rb 2022-11-17
06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption.rb 2022-11-21
16:25:40.000000000 +0100
@@ -67,15 +67,12 @@
storage_forward :cipher
storage_forward :cipher=
- # @!attribute pbkdf
- # PBKDF (Password-Based Key Derivation Function), currently only
supported for LUKS2 where
- # this attribute corresponds to the PBKDF of the first used keyslot.
- #
- # If is set to empty, during the commit phase the default of cryptsetup
will be used.
+ # @!attribute pbkdf_value
+ # String representation of {#pbkdf}, an empty string is equivalent to a
nil value on {#pbkdf}
#
# @return [String]
- storage_forward :pbkdf
- storage_forward :pbkdf=
+ storage_forward :pbkdf_value, to: :pbkdf
+ storage_forward :pbkdf_value=, to: :pbkdf=
# @!attribute crypt_options
# Options in the fourth field of /etc/crypttab
@@ -408,6 +405,30 @@
self.storage_in_etc_crypttab = value
end
+ # PBKDF (Password-Based Key Derivation Function), currently only supported
for LUKS2 where
+ # this attribute corresponds to the PBKDF of the first used keyslot.
+ #
+ # If is set to nil, during the commit phase the default of cryptsetup will
be used.
+ #
+ # @return [PbkdFunction, nil]
+ def pbkdf
+ PbkdFunction.find(pbkdf_value)
+ end
+
+ # @see #pbkdf
+ #
+ # @param function [PbkdFunction, nil]
+ def pbkdf=(function)
+ self.pbkdf_value = function&.value || ""
+ end
+
+ # Whether the attribute #pbkdf makes sense for this object
+ #
+ # @return [Boolean]
+ def supports_pbkdf?
+ type.is?(:luks2)
+ end
+
protected
# @see Device#is?
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_method/luks2.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_method/luks2.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_method/luks2.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_method/luks2.rb
2022-11-21 16:25:40.000000000 +0100
@@ -21,6 +21,7 @@
require "y2storage/encryption_method/base"
require "y2storage/encryption_method/pervasive_luks2"
require "y2storage/encryption_processes/luks"
+require "y2storage/pbkd_function"
module Y2Storage
module EncryptionMethod
@@ -48,12 +49,12 @@
#
# @param blk_device [Y2Storage::BlkDevice]
# @param dm_name [String]
- # @param pbkdf [String] password-based key derivation function to be
used by the created
+ # @param pbkdf [PbkdFunction, nil] password-based key derivation
function to be used by the created
# LUKS2 device
# @param label [String] optional LUKS label
#
# @return [Y2Storage::Encryption]
- def create_device(blk_device, dm_name, pbkdf: "", label: "")
+ def create_device(blk_device, dm_name, pbkdf: nil, label: "")
encryption_process.create_device(blk_device, dm_name, pbkdf: pbkdf,
label: label)
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_processes/luks.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_processes/luks.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_processes/luks.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_processes/luks.rb
2022-11-21 16:25:40.000000000 +0100
@@ -41,7 +41,7 @@
#
# @param blk_device [Y2Storage::BlkDevice]
# @param dm_name [String]
- # @param pbkdf [String, nil] PBKDF of the LUKS device, only relevant for
LUKS2
+ # @param pbkdf [PbkdFunction] PBKDF of the LUKS device, only relevant
for LUKS2
# @param label [String, nil] label of the LUKS device, only relevant for
LUKS2
#
# @return [Encryption]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/pbkd_function.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/pbkd_function.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/pbkd_function.rb
1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/pbkd_function.rb
2022-11-21 16:25:40.000000000 +0100
@@ -0,0 +1,103 @@
+# Copyright (c) [2021-2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+
+module Y2Storage
+ # Class to represent each one of the possible values for
{Y2Storage::Encryption#pbkdf}
+ class PbkdFunction
+ include Yast::I18n
+ extend Yast::I18n
+
+ # Constructor, to be used internally by the class
+ #
+ # @param value [String] see {#value}
+ # @param name [String] string marked for translation, see {#name}
+ def initialize(value, name)
+ textdomain "storage"
+
+ @value = value
+ @name = name
+ end
+
+ # Instance of the function to be always returned by the class
+ # TRANSLATORS: name of a key derivation function used by LUKS
+ ARGON2ID = new("argon2id", N_("Argon2id"))
+ # Instance of the function to be always returned by the class
+ # TRANSLATORS: name of a key derivation function used by LUKS
+ ARGON2I = new("argon2i", N_("Argon2i"))
+ # Instance of the function to be always returned by the class
+ # TRANSLATORS: name of a key derivation function used by LUKS
+ PBKDF2 = new("pbkdf2", N_("PBKDF2"))
+
+ # All possible instances
+ ALL = [ARGON2ID, ARGON2I, PBKDF2].freeze
+ private_constant :ALL
+
+ # Sorted list of all possible roles
+ def self.all
+ ALL.dup
+ end
+
+ # Finds a function by its value
+ #
+ # @param value [#to_s]
+ # @return [PbkdFunction, nil] nil if such value does not exist
+ def self.find(value)
+ ALL.find { |opt| opt.value == value.to_s }
+ end
+
+ # @return [String] value for {Y2Storage::Encryption#pbkdf}
+ attr_reader :value
+
+ # @return [String] localized name for the function to display in the UI
+ def name
+ _(@name)
+ end
+
+ alias_method :to_s, :value
+
+ # @return [Symbol]
+ def to_sym
+ value.to_sym
+ end
+
+ # Checks whether the object corresponds to any of the given enum values.
+ #
+ # By default, this will be the base comparison used in the case statements.
+ #
+ # @param names [#to_sym]
+ # @return [Boolean]
+ def is?(*names)
+ names.any? { |n| n.to_sym == to_sym }
+ end
+
+ # @return [Boolean]
+ def ==(other)
+ other.class == self.class && other.value == value
+ end
+
+ alias_method :eql?, :==
+
+ # @return [Boolean]
+ def ===(other)
+ other.instance_of?(self.class) && is?(other)
+ end
+ end
+end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/can_be_encrypted.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/can_be_encrypted.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/can_be_encrypted.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/can_be_encrypted.rb
2022-11-21 16:25:40.000000000 +0100
@@ -46,6 +46,11 @@
# @return [String, nil] password used to encrypt the device.
secret_attr :encryption_password
+ # PBKDF to use when encrypting the device if such property makes sense
(eg. LUKS2)
+ #
+ # @return [PbkdFunction, nil] nil to use the default derivation function
+ attr_accessor :encryption_pbkdf
+
# Initializations of the mixin, to be called from the class constructor.
def initialize_can_be_encrypted; end
@@ -80,6 +85,7 @@
if create_encryption?
method = encryption_method || EncryptionMethod.find(:luks1)
result = plain_device.encrypt(method: method, password:
encryption_password)
+ result.pbkdf = encryption_pbkdf if encryption_pbkdf &&
result.supports_pbkdf?
log.info "Device encrypted. Returning the new device
#{result.inspect}"
else
log.info "No need to encrypt. Returning the existing device
#{result.inspect}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/lvm_vg.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/lvm_vg.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/lvm_vg.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/lvm_vg.rb
2022-11-21 16:25:40.000000000 +0100
@@ -68,6 +68,17 @@
# physical volumes. If nil, the PVs will not be encrypted.
secret_attr :pvs_encryption_password
+ # Method used to encrypt the newly created physical volumes if
{#pvs_encryption_password} is set
+ #
+ # @return [EncryptionMethod]
+ attr_accessor :pvs_encryption_method
+
+ # PBKDF used to encrypt the newly created physical volumes if
{#pvs_encryption_password} is set
+ # and LUKS2 is used
+ #
+ # @return [PbkdFunction, nil] nil to use the default function
+ attr_accessor :pvs_encryption_pbkdf
+
# Strategy used by the guided proposal to calculate the size of the
resulting
# volume group
#
@@ -132,7 +143,7 @@
res = Planned::Partition.new(nil)
res.partition_id = PartitionId::LVM
res.lvm_volume_group_name = volume_group_name
- res.encryption_password = pvs_encryption_password
+ adjust_encryption(res)
res.min_size = min_pv_size
res.disk = forced_disk_name
res
@@ -268,6 +279,15 @@
Y2Storage::LvmVg.find_by_vg_name(devicegraph, reuse_name)
end
+ # @see #minimal_pv_partition
+ def adjust_encryption(planned_pv)
+ return unless pvs_encryption_password
+
+ planned_pv.encryption_password = pvs_encryption_password
+ planned_pv.encryption_method = pvs_encryption_method
+ planned_pv.encryption_pbkdf = pvs_encryption_pbkdf
+ end
+
# Whether the created PVs should be encrypted
#
# @see #pvs_encryption_password
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/devices_planner.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/devices_planner.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/devices_planner.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/devices_planner.rb
2022-11-21 16:25:40.000000000 +0100
@@ -160,10 +160,21 @@
adjust_to_settings(lv, volume)
planned_device = Planned::LvmVg.new(volume_group_name:
volume.separate_vg_name, lvs: [lv])
- planned_device.pvs_encryption_password = settings.encryption_password
+ adjust_pvs_encryption(planned_device)
planned_device
end
+ # @see #planned_separate_vg
+ #
+ # @param vg [Planned::LvmVg]
+ def adjust_pvs_encryption(vg)
+ return unless settings.encryption_password
+
+ vg.pvs_encryption_password = settings.encryption_password
+ vg.pvs_encryption_method = settings.encryption_method
+ vg.pvs_encryption_pbkdf = settings.encryption_pbkdf
+ end
+
# Adjusts planned device values according to settings
#
# @note planned_device is modified
@@ -195,8 +206,11 @@
# @param _volume [VolumeSpecification]
def adjust_encryption(planned_device, _volume)
return unless planned_device.is_a?(Planned::Partition)
+ return unless settings.encryption_password
planned_device.encryption_password = settings.encryption_password
+ planned_device.encryption_method = settings.encryption_method
+ planned_device.encryption_pbkdf = settings.encryption_pbkdf
end
# Adjusts planned device sizes according to settings
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/lvm_helper.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/lvm_helper.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/lvm_helper.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/lvm_helper.rb
2022-11-21 16:25:40.000000000 +0100
@@ -111,6 +111,8 @@
@reused_volume_group.lvs = planned_lvs
@reused_volume_group.size_strategy = vg_strategy
@reused_volume_group.pvs_encryption_password =
settings.encryption_password
+ @reused_volume_group.pvs_encryption_method = settings.encryption_method
+ @reused_volume_group.pvs_encryption_pbkdf = settings.encryption_pbkdf
end
# Checks whether the passed device is the volume group to be reused
@@ -153,6 +155,8 @@
def new_volume_group
vg = Planned::LvmVg.new(volume_group_name: DEFAULT_VG_NAME, lvs:
planned_lvs)
vg.pvs_encryption_password = settings.encryption_password
+ vg.pvs_encryption_method = settings.encryption_method
+ vg.pvs_encryption_pbkdf = settings.encryption_pbkdf
vg.size_strategy = vg_strategy
vg
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal_settings.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal_settings.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal_settings.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal_settings.rb
2022-11-21 16:25:40.000000000 +0100
@@ -25,6 +25,7 @@
require "y2storage/filesystems/type"
require "y2storage/partitioning_features"
require "y2storage/volume_specifications_set"
+require "y2storage/encryption_method"
module Y2Storage
# Class to manage settings used by the proposal (typically read from
control.xml)
@@ -149,10 +150,23 @@
# @return [Array<String>, nil]
attr_reader :explicit_candidate_devices
+ # TODO: it makes sense to encapsulate #encryption_password,
#encryption_method and
+ # #encryption_pbkdf in some new class (eg. EncryptionSettings), posponed
for now
+
# @!attribute encryption_password
# @return [String] password to use when creating new encryption devices
secret_attr :encryption_password
+ # Encryption method to use if {#encryption_password} is set
+ #
+ # @return [EncryptionMethod::Base]
+ attr_accessor :encryption_method
+
+ # PBKDF to use if {#encryption_password} is set and {#encryption_method}
is LUKS2
+ #
+ # @return [PbkdFunction, nil] nil to use the default
+ attr_accessor :encryption_pbkdf
+
# @return [Boolean] whether to resize Windows systems if needed
attr_accessor :resize_windows
@@ -384,6 +398,7 @@
linux_delete_mode: :ondemand,
lvm: false,
lvm_vg_strategy: :use_available,
+ encryption_method: EncryptionMethod::LUKS1,
multidisk_first: false,
other_delete_mode: :ondemand,
resize_windows: true,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage.rb
new/yast2-storage-ng-4.5.14/src/lib/y2storage.rb
--- old/yast2-storage-ng-4.5.13/src/lib/y2storage.rb 2022-11-17
06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/src/lib/y2storage.rb 2022-11-21
16:25:40.000000000 +0100
@@ -63,6 +63,7 @@
require "y2storage/btrfs_qgroup"
require "y2storage/btrfs_subvolume"
require "y2storage/storage_features_list"
+require "y2storage/pbkd_function"
require "y2storage/exceptions"
require "y2storage/boot_requirements_checker"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/test/support/boot_requirements_context.rb
new/yast2-storage-ng-4.5.14/test/support/boot_requirements_context.rb
--- old/yast2-storage-ng-4.5.13/test/support/boot_requirements_context.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/support/boot_requirements_context.rb
2022-11-21 16:25:40.000000000 +0100
@@ -64,7 +64,8 @@
esp_in_software_raid?: false,
esp_in_software_raid1?: false,
encrypted_esp?: false,
- boot_encryption_type: boot_enc_type
+ boot_encryption_type: boot_enc_type,
+ boot_luks2_pbkdf: boot_pbkdf
)
end
@@ -80,6 +81,7 @@
end
let(:boot_ptable_type) { :msdos }
let(:boot_enc_type) { Y2Storage::EncryptionType::NONE }
+ let(:boot_pbkdf) { nil }
# Mocks for Raspberry Pi detection
let(:raspi_system) { false }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/description_section/blk_device_test.rb
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/description_section/blk_device_test.rb
---
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/description_section/blk_device_test.rb
2022-11-17 06:40:00.000000000 +0100
+++
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/description_section/blk_device_test.rb
2022-11-21 16:25:40.000000000 +0100
@@ -22,6 +22,7 @@
require_relative "help_fields_examples"
require "y2partitioner/widgets/description_section/blk_device"
+require "y2storage/pbkd_function"
describe Y2Partitioner::Widgets::DescriptionSection::BlkDevice do
before { devicegraph_stub(scenario) }
@@ -73,7 +74,9 @@
end
context "if LUKS2 is used as encryption type" do
- before { device.encrypt(method: :luks2, label: "something", pbkdf:
"argon2i") }
+ before do
+ device.encrypt(method: :luks2, label: "something", pbkdf:
Y2Storage::PbkdFunction::ARGON2I)
+ end
it "includes an entry about the encryption including the encryption
type" do
expect(subject.value).to match(/Encrypted: Yes/)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/pbkdf_selector_test.rb
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/pbkdf_selector_test.rb
---
old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/pbkdf_selector_test.rb
2022-11-17 06:40:00.000000000 +0100
+++
new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/pbkdf_selector_test.rb
2022-11-21 16:25:40.000000000 +0100
@@ -22,12 +22,15 @@
require "cwm/rspec"
require "y2partitioner/widgets/pbkdf_selector"
+require "y2storage/pbkd_function"
describe Y2Partitioner::Widgets::PbkdfSelector do
subject(:widget) { described_class.new(controller) }
- let(:controller) { double("Controllers::Encryption", pbkdf: initial_pbkdf) }
let(:initial_pbkdf) { "pbkdf2" }
+ let(:controller) do
+ double("Controllers::Encryption", pbkdf:
Y2Storage::PbkdFunction.find(initial_pbkdf))
+ end
include_examples "CWM::ComboBox"
@@ -71,7 +74,8 @@
end
it "sets the selected pbkdf" do
- expect(controller).to receive(:pbkdf=).with(selected_pbkdf)
+ pbkdf = Y2Storage::PbkdFunction.find(selected_pbkdf)
+ expect(controller).to receive(:pbkdf=).with(pbkdf)
widget.store
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/test/y2storage/encryption_method_test.rb
new/yast2-storage-ng-4.5.14/test/y2storage/encryption_method_test.rb
--- old/yast2-storage-ng-4.5.13/test/y2storage/encryption_method_test.rb
2022-11-17 06:40:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/y2storage/encryption_method_test.rb
2022-11-21 16:25:40.000000000 +0100
@@ -21,6 +21,7 @@
require_relative "spec_helper"
require "y2storage/encryption_method"
+require "y2storage/pbkd_function"
describe Y2Storage::EncryptionMethod do
describe ".all" do
@@ -274,10 +275,12 @@
it "sets the given label and PBKDF for the LUKS2 device" do
expect(device.encrypted?).to eq(false)
- subject.create_device(device, "cr_dev", label: "cool_luks", pbkdf:
"argon2i")
+ subject.create_device(
+ device, "cr_dev", label: "cool_luks", pbkdf:
Y2Storage::PbkdFunction::ARGON2I
+ )
expect(device.encryption.label).to eq "cool_luks"
- expect(device.encryption.pbkdf).to eq "argon2i"
+ expect(device.encryption.pbkdf.value).to eq "argon2i"
end
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/test/y2storage/pbkd_function_test.rb
new/yast2-storage-ng-4.5.14/test/y2storage/pbkd_function_test.rb
--- old/yast2-storage-ng-4.5.13/test/y2storage/pbkd_function_test.rb
1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/y2storage/pbkd_function_test.rb
2022-11-21 16:25:40.000000000 +0100
@@ -0,0 +1,68 @@
+#!/usr/bin/env rspec
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require_relative "spec_helper"
+require "y2storage/pbkd_function"
+
+describe Y2Storage::PbkdFunction do
+ subject { Y2Storage::PbkdFunction::ARGON2I }
+
+ describe "#is?" do
+ it "returns true for an equivalent function object" do
+ expect(subject.is?(Y2Storage::PbkdFunction.find("argon2i"))).to eq true
+ end
+
+ it "returns false for a non-equivalent function object" do
+ expect(subject.is?(Y2Storage::PbkdFunction.find("pbkdf2"))).to eq false
+ end
+
+ it "returns true for a list of symbols including the equivalent one" do
+ expect(subject.is?(:argon2i, :pbkdf)).to eq true
+ end
+
+ it "returns false for list of symbols not including the equivalent one" do
+ expect(subject.is?(:argon2id, :pbkdf)).to eq false
+ end
+ end
+
+ describe "#===" do
+ it "returns true for the equivalent object" do
+ value =
+ case subject
+ when Y2Storage::PbkdFunction.find("argon2i")
+ true
+ else
+ false
+ end
+ expect(value).to eq true
+ end
+
+ it "returns false for the equivalent symbol" do
+ value =
+ case subject
+ when :argon2i
+ true
+ else
+ false
+ end
+ expect(value).to eq false
+ end
+ end
+end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-storage-ng-4.5.13/test/y2storage/proposal_luks2_x86_test.rb
new/yast2-storage-ng-4.5.14/test/y2storage/proposal_luks2_x86_test.rb
--- old/yast2-storage-ng-4.5.13/test/y2storage/proposal_luks2_x86_test.rb
1970-01-01 01:00:00.000000000 +0100
+++ new/yast2-storage-ng-4.5.14/test/y2storage/proposal_luks2_x86_test.rb
2022-11-21 16:25:40.000000000 +0100
@@ -0,0 +1,175 @@
+#!/usr/bin/env rspec
+# Copyright (c) [2017] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require_relative "spec_helper"
+require "storage"
+require "y2storage"
+require_relative "#{TEST_PATH}/support/proposal_examples"
+require_relative "#{TEST_PATH}/support/proposal_context"
+
+describe Y2Storage::GuidedProposal do
+ using Y2Storage::Refinements::SizeCasts
+
+ describe "#propose" do
+ include_context "proposal"
+
+ subject(:proposal) { described_class.new(settings: settings) }
+ let(:scenario) { "empty_hard_disk_50GiB" }
+ let(:architecture) { :x86 }
+ let(:control_file) { "legacy_settings.xml" }
+ let(:encrypt) { true }
+
+ before do
+ allow(Yast::Kernel).to receive(:propose_hibernation?).and_return(true)
+ allow(storage_arch).to receive(:efiboot?).and_return(efi)
+
+ settings.encryption_method = Y2Storage::EncryptionMethod::LUKS2
+ settings.encryption_pbkdf = pbkdf
+ end
+
+ # Helper method to check the properties of an encrypted filesystem
+ def expect_luks2_fs(mount_path, pbkdf)
+ fs = proposal.devices.filesystems.find { |i| i.mount_path == mount_path }
+ expect(fs.encrypted?).to eq true
+
+ enc = fs.blk_devices.first
+ expect(enc.type).to eq Y2Storage::EncryptionType::LUKS2
+ expect(enc.pbkdf).to eq pbkdf
+ end
+
+ # Helper method to check the properties of a filesystem inside an
encrypted LVM
+ def expect_luks2_lvm_fs(mount_path, pbkdf)
+ fs = proposal.devices.filesystems.find { |i| i.mount_path == mount_path }
+ expect(fs.encrypted?).to eq false
+
+ lv = fs.blk_devices.first
+ expect(lv.is?(:lvm_lv)).to eq true
+
+ pvs = lv.lvm_vg.lvm_pvs
+ encs = pvs.map(&:blk_device)
+ expect(encs.map(&:type)).to all(eq Y2Storage::EncryptionType::LUKS2)
+ expect(encs.map(&:pbkdf)).to all(eq pbkdf)
+ end
+
+ RSpec.shared_examples "/boot unless PBKDF2" do
+ context "using Argon2id as key derivation function" do
+ let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+
+ it "proposes a separate unencrypted /boot partition" do
+ proposal.propose
+ boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path ==
"/boot" }
+ expect(boot_fs.encrypted?).to eq false
+ end
+ end
+
+ context "using PBKDF2 as key derivation function" do
+ let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+
+ it "does not propose a separate /boot partition" do
+ proposal.propose
+ boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path ==
"/boot" }
+ expect(boot_fs).to be_nil
+ end
+ end
+ end
+
+ RSpec.shared_examples "correct PBKDF encrypted partitions" do
+ context "using Argon2id as key derivation function" do
+ let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+
+ it "proposes LUKS2 encrypted partitions with Argon2 for all system
partitions" do
+ proposal.propose
+ expect_luks2_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
+ expect_luks2_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
+ end
+ end
+
+ context "using PBKDF2 as key derivation function" do
+ let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+
+ it "proposes LUKS2 encrypted partitions with PBKDF2 for all system
partitions" do
+ proposal.propose
+ expect_luks2_fs("/", Y2Storage::PbkdFunction::PBKDF2)
+ expect_luks2_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
+ end
+ end
+ end
+
+ RSpec.shared_examples "correct PBKDF encrypted LVM" do
+ context "using Argon2id as key derivation function" do
+ let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID }
+
+ it "proposes LUKS2 encrypted LVM with Argon2 for all system volumes" do
+ proposal.propose
+ expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::ARGON2ID)
+ expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::ARGON2ID)
+ end
+ end
+
+ context "using PBKDF2 as key derivation function" do
+ let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 }
+
+ it "proposes LUKS2 encrypted LVM with PBKDF2 for all system volumes" do
+ proposal.propose
+ expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::PBKDF2)
+ expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::PBKDF2)
+ end
+ end
+ end
+
+ context "In a UEFI system" do
+ let(:efi) { true }
+
+ context "proposing LVM" do
+ let(:lvm) { true }
+
+ # FIXME: commented out because the combination of LVM + LUKS2 with
Argon2 doesn't work yet
+ # include_examples "/boot unless PBKDF2"
+ include_examples "correct PBKDF encrypted LVM"
+ end
+
+ context "proposing partitions (no LVM)" do
+ let(:lvm) { false }
+
+ include_examples "/boot unless PBKDF2"
+ include_examples "correct PBKDF encrypted partitions"
+ end
+ end
+
+ context "In a legacy BIOS boot system" do
+ let(:efi) { false }
+
+ context "proposing LVM" do
+ let(:lvm) { true }
+
+ # FIXME: commented out because the combination of LVM + LUKS2 with
Argon2 doesn't work yet
+ # include_examples "/boot unless PBKDF2"
+ include_examples "correct PBKDF encrypted LVM"
+ end
+
+ context "proposing partitions (no LVM)" do
+ let(:lvm) { false }
+
+ include_examples "/boot unless PBKDF2"
+ include_examples "correct PBKDF encrypted partitions"
+ end
+ end
+ end
+end
