Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yast2-storage-ng for openSUSE:Factory checked in at 2022-11-22 16:09:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-storage-ng (Old) and /work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-storage-ng" Tue Nov 22 16:09:52 2022 rev:133 rq:1037139 version:4.5.14 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-storage-ng/yast2-storage-ng.changes 2022-11-18 15:43:13.226479665 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-storage-ng.new.1597/yast2-storage-ng.changes 2022-11-22 16:09:55.821953097 +0100 @@ -1,0 +2,7 @@ +Mon Nov 21 11:33:52 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com> + +- GuidedProposal: support for LUKS2 encryption with a configurable + PBKDF to be used by D-Installer (related to jsc#PED-2182). +- 4.5.14 + +------------------------------------------------------------------- Old: ---- yast2-storage-ng-4.5.13.tar.bz2 New: ---- yast2-storage-ng-4.5.14.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-storage-ng.spec ++++++ --- /var/tmp/diff_new_pack.VIdGic/_old 2022-11-22 16:09:56.297955513 +0100 +++ /var/tmp/diff_new_pack.VIdGic/_new 2022-11-22 16:09:56.305955553 +0100 @@ -17,7 +17,7 @@ Name: yast2-storage-ng -Version: 4.5.13 +Version: 4.5.14 Release: 0 Summary: YaST2 - Storage Configuration License: GPL-2.0-only OR GPL-3.0-only ++++++ yast2-storage-ng-4.5.13.tar.bz2 -> yast2-storage-ng-4.5.14.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.changes new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.changes --- old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.changes 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.changes 2022-11-21 16:25:40.000000000 +0100 @@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Mon Nov 21 11:33:52 UTC 2022 - Ancor Gonzalez Sosa <an...@suse.com> + +- GuidedProposal: support for LUKS2 encryption with a configurable + PBKDF to be used by D-Installer (related to jsc#PED-2182). +- 4.5.14 + +------------------------------------------------------------------- Tue Nov 15 11:40:40 UTC 2022 - José Iván López González <jlo...@suse.com> - Validate security policies in both guided proposal and diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.spec new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.spec --- old/yast2-storage-ng-4.5.13/package/yast2-storage-ng.spec 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/package/yast2-storage-ng.spec 2022-11-21 16:25:40.000000000 +0100 @@ -16,7 +16,7 @@ # Name: yast2-storage-ng -Version: 4.5.13 +Version: 4.5.14 Release: 0 Summary: YaST2 - Storage Configuration License: GPL-2.0-only OR GPL-3.0-only diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/actions/controllers/encryption.rb new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/actions/controllers/encryption.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/actions/controllers/encryption.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/actions/controllers/encryption.rb 2022-11-21 16:25:40.000000000 +0100 @@ -58,7 +58,7 @@ # @return [String] Label for the encryption device if the method supports setting one attr_accessor :label - # @return [String] Password-based key derivation function (PBKDF) for the LUKS2 device + # @return [PbkdFunction] Password-based key derivation function (PBKDF) for the LUKS2 device attr_accessor :pbkdf # Contructor @@ -71,7 +71,7 @@ @fs_controller = fs_controller @action = actions.first @password = encryption&.password || "" - @pbkdf = encryption&.pbkdf || "" + @pbkdf = encryption&.pbkdf @method = initial_method @apqns = initial_apqns @label = initial_label diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/pbkd_function.rb new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/pbkd_function.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/pbkd_function.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/pbkd_function.rb 1970-01-01 01:00:00.000000000 +0100 @@ -1,72 +0,0 @@ -# Copyright (c) [2021] SUSE LLC -# -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of version 2 of the GNU General Public License as published -# by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, contact SUSE LLC. -# -# To contact SUSE LLC about this file by physical or electronic mail, you may -# find current contact information at www.suse.com. - -require "yast" -require "y2storage" - -module Y2Partitioner - # Class to represent each one of the possible values for {Y2Storage::Encryption#pbkdf} - class PbkdFunction - include Yast::I18n - extend Yast::I18n - - # Constructor, to be used internally by the class - # - # @param value [String] see {#value} - # @param name [String] string marked for translation, see {#name} - def initialize(value, name) - textdomain "storage" - - @value = value - @name = name - end - - # All possible instances - ALL = [ - # TRANSLATORS: name of a key derivation function used by LUKS - new("argon2id", N_("Argon2id")), - # TRANSLATORS: name of a key derivation function used by LUKS - new("argon2i", N_("Argon2i")), - # TRANSLATORS: name of a key derivation function used by LUKS - new("pbkdf2", N_("PBKDF2")) - ].freeze - private_constant :ALL - - # Sorted list of all possible roles - def self.all - ALL.dup - end - - # Finds a function by its value - # - # @param value [String, nil] - # @return [PbkdFunction, nil] nil if such value does not exist - def self.find(value) - ALL.find { |opt| opt.value == value } - end - - # @return [String] value for {Y2Storage::Encryption#pbkdf} - attr_reader :value - - # @return [String] localized name for the function to display in the UI - def name - _(@name) - end - end -end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/description_section/blk_device.rb new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/description_section/blk_device.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/description_section/blk_device.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/description_section/blk_device.rb 2022-11-21 16:25:40.000000000 +0100 @@ -19,7 +19,7 @@ require "y2partitioner/widgets/description_section/base" require "y2partitioner/widgets/blk_device_attributes" -require "y2partitioner/pbkd_function" +require "y2storage/pbkd_function" module Y2Partitioner module Widgets @@ -102,7 +102,7 @@ # # @return [String] def pbkdf_value - pbkdf = PbkdFunction.find(blk_device.encryption.pbkdf) + pbkdf = blk_device.encryption.pbkdf # TRANSLATORS: %s becomes the name of the PBKDF function used by a LUKS2 device (eg. Argon2i) format(_("Key Derivation Function (PBKDF): %s"), pbkdf.name) end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/pbkdf_selector.rb new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/pbkdf_selector.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2partitioner/widgets/pbkdf_selector.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2partitioner/widgets/pbkdf_selector.rb 2022-11-21 16:25:40.000000000 +0100 @@ -19,7 +19,7 @@ require "yast" require "cwm" -require "y2partitioner/pbkd_function" +require "y2storage/pbkd_function" module Y2Partitioner module Widgets @@ -45,17 +45,17 @@ # Sets the initial value def init enable_on_init ? enable : disable - self.value = @controller.pbkdf + self.value = @controller.pbkdf&.value end # @macro seeItemsSelection def items - PbkdFunction.all.map { |opt| [opt.value, opt.name] } + Y2Storage::PbkdFunction.all.map { |opt| [opt.value, opt.name] } end # @macro seeAbstractWidget def store - @controller.pbkdf = value + @controller.pbkdf = Y2Storage::PbkdFunction.find(value) end private diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/analyzer.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/analyzer.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/analyzer.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/analyzer.rb 2022-11-21 16:25:40.000000000 +0100 @@ -259,6 +259,9 @@ # Encryption type of boot device # + # FIXME: this method does not work well with GuidedProposal if LVM+encryption is used. + # It was not a problem before but it is now if LVM and LUKS2 with Argon2 are combined. + # # The device can be a planned one or filesystem from the devicegraph. # # @return [Y2Storage::EncryptionType] Encryption type @@ -266,6 +269,14 @@ encryption_type(device_for_boot) end + # Password-based key derivation function used to encrypt the boot device, if such property + # makes sense (ie. if LUKS2 encryption is used) + # + # @return [PbkdFunction, nil] nil if the value is not known + def boot_luks2_pbkdf + Device.new(device_for_boot).luks2_pbkdf + end + # Whether the partition table of the disk used for booting matches the # given type. # @@ -519,7 +530,7 @@ def filesystem_type(device) return nil if device.nil? - device.respond_to?(:filesystem_type) ? device.filesystem_type : device.type + Device.new(device).filesystem_type end # Whether the device is in a LVM logical volume @@ -531,11 +542,7 @@ def in_lvm?(device) return false if device.nil? - if device.is_a?(Planned::Device) - device.is_a?(Planned::LvmLv) - else - device.plain_blk_devices.any? { |dev| dev.is?(:lvm_lv) } - end + Device.new(device).in_lvm? end # Whether the device is in a thinly provisioned LVM logical volume @@ -547,16 +554,7 @@ def in_thin_lvm?(device) return false if device.nil? - if device.is_a?(Planned::Device) - device.is_a?(Planned::LvmLv) && device.lv_type == LvType::THIN - else - # If this is not a BlkFilesystem (e.g. NFS), it can't be on thin LVM - return false unless device.respond_to?(:plain_blk_devices) - - device.plain_blk_devices.any? do |dev| - dev.is?(:lvm_lv) && dev.lv_type == LvType::THIN - end - end + Device.new(device).in_thin_lvm? end # Whether the device is in a BCache @@ -568,17 +566,7 @@ def in_bcache?(device) return false if device.nil? - if device.is_a?(Planned::Device) - device.is_a?(Planned::Bcache) - else - # If this is not a BlkFilesystem (e.g. NFS), it can't be in a BCache - return false unless device.respond_to?(:plain_blk_devices) - - # Strictly speaking, with very advanced storage configurations it may be possible to - # access a filesystem with bcache ancestors in the devicegraph without actually accessing - # the bcache. But that would be an extreme case and is not supported by YaST. - device.ancestors.any? { |dev| dev.is?(:bcache) } - end + Device.new(device).in_bcache? end # Whether the device is encrypted @@ -598,23 +586,9 @@ # @param device [Filesystems::Base, Planned::Device, nil] # @return [Y2Storage::EncryptionType] Encryption type def encryption_type(device) - # FIXME: the implementation of this method (and others) would be much simpler if the API - # offered by Planned::Device and Device would be more consistent which each other - if device.is_a?(Planned::Device) - planned_encryption_type(device) - elsif device.respond_to?(:plain_blk_devices) - device.plain_blk_devices.map { |d| d.encryption&.type }.compact.first - end || Y2Storage::EncryptionType::NONE - end - - # @see #encryption_type - # - # @param planned [Planned::Device] - # @return [Y2Storage::EncryptionType] Encryption type - def planned_encryption_type(planned) - return Y2Storage::EncryptionType::NONE unless planned.respond_to?(:encrypt?) && planned.encrypt? + return Y2Storage::EncryptionType::NONE if device.nil? - planned.encryption_method&.encryption_type || Y2Storage::EncryptionType::LUKS1 + Device.new(device).encryption_type end # Whether the device is in a software RAID @@ -626,15 +600,7 @@ def in_software_raid?(device) return false if device.nil? - if device.is_a?(Planned::Device) - device.is_a?(Planned::Md) - else - device.ancestors.any? do |dev| - # Don't check boot_disk as it might validly be a RAID1 itself - # (full disks as RAID case) - we want to treat this as 'no RAID'. - dev.is?(:software_raid) && dev != boot_disk - end - end + Device.new(device).in_software_raid?(boot_disk) end # Check if device is a direct member of a RAID1 (RAID over entire disks). @@ -658,6 +624,133 @@ raid1_dev end + + # Auxiliar class to check the properties or a given device + # + # FIXME: this class wouldn't be needed if the API offered by Planned::Device and Device would + # be more consistent which each other. Having all the affected code in a single class helps + # readability and makes easier to fix the inconsistency problem in the future. + class Device + # Constructor + # + # @param device [Filesystems::Base, Planned::Device] see {#device} + def initialize(device) + @device = device + end + + # Device being analyzed, it can be a planned device or a filesystem from the devicegraph + # + # @return [Filesystems::Base, Planned::Device] + attr_reader :device + + # Whether the analyzed device is a planned one + # + # @return [Boolean] + def planned? + device.is_a?(Planned::Device) + end + + # Filesystem type used for the device + # + # @return [Filesystems::Type, nil] nil if is a planned device not going to be formatted + def filesystem_type + device.respond_to?(:filesystem_type) ? device.filesystem_type : device.type + end + + # Whether the device is in a LVM logical volume + def in_lvm? + return device.is_a?(Planned::LvmLv) if planned? + + device.plain_blk_devices.any? { |dev| dev.is?(:lvm_lv) } + end + + # Whether the device is in a thinly provisioned LVM logical volume + # + # @return [Boolean] + def in_thin_lvm? + return planned_in_thin_lvm? if planned? + + # If this is not a BlkFilesystem (e.g. NFS), it can't be on thin LVM + return false unless device.respond_to?(:plain_blk_devices) + + device.plain_blk_devices.any? do |dev| + dev.is?(:lvm_lv) && dev.lv_type == LvType::THIN + end + end + + # @see #in_thin_lvm? + def planned_in_thin_lvm? + device.is_a?(Planned::LvmLv) && device.lv_type == LvType::THIN + end + + # Whether the device is in a software RAID + # + # @return [Boolean] + def in_software_raid?(boot_disk) + return device.is_a?(Planned::Md) if planned? + + device.ancestors.any? do |dev| + # Don't check boot_disk as it might validly be a RAID1 itself + # (full disks as RAID case) - we want to treat this as 'no RAID'. + dev.is?(:software_raid) && dev != boot_disk + end + end + + # Whether the device is in a BCache + # + # @return [Boolean] + def in_bcache? + return device.is_a?(Planned::Bcache) if planned? + + # If this is not a BlkFilesystem (e.g. NFS), it can't be in a BCache + return false unless device.respond_to?(:plain_blk_devices) + + # Strictly speaking, with very advanced storage configurations it may be possible to + # access a filesystem with bcache ancestors in the devicegraph without actually accessing + # the bcache. But that would be an extreme case and is not supported by YaST. + device.ancestors.any? { |dev| dev.is?(:bcache) } + end + + # Encryption type of the device + # + # @return [Y2Storage::EncryptionType] + def encryption_type + return planned_encryption_type if planned? + + filesystem_encryption&.type || Y2Storage::EncryptionType::NONE + end + + # Encryption device associated to the filesystem + # + # To be used only when {#device} is a filesystem from the devicegraph + # + # @return [Encryption, nil] + def filesystem_encryption + return nil unless device.respond_to?(:plain_blk_devices) + + device.plain_blk_devices.map(&:encryption).compact.first + end + + # @see #encryption_type + # + # @return [Y2Storage::EncryptionType] Encryption type + def planned_encryption_type + return Y2Storage::EncryptionType::NONE unless device.respond_to?(:encrypt?) && device.encrypt? + + device.encryption_method&.encryption_type || Y2Storage::EncryptionType::LUKS1 + end + + # Password-based key derivation function used to encrypt the device with LUKS2 + # + # @return [PbkdFunction, nil] nil if the device is not formatted with LUKS2 or the + # function is unknown + def luks2_pbkdf + return nil unless encryption_type.is?(:luks2) + return device.encryption_pbkdf if planned? + + filesystem_encryption.pbkdf + end + end end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/base.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/base.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/boot_requirements_strategies/base.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/boot_requirements_strategies/base.rb 2022-11-21 16:25:40.000000000 +0100 @@ -27,6 +27,7 @@ require "y2storage/volume_specification" require "y2storage/setup_error" require "y2storage/volume_specification_builder" +require "y2storage/pbkd_function" module Y2Storage module BootRequirementsStrategies @@ -45,7 +46,7 @@ :root_in_lvm?, :root_in_software_raid?, :encrypted_root?, :btrfs_root?, :root_fs_can_embed_grub?, :boot_in_lvm?, :boot_in_thin_lvm?, :boot_in_bcache?, :boot_in_software_raid?, :encrypted_boot?, - :boot_fs_can_embed_grub?, :boot_filesystem_type, :boot_encryption_type, + :boot_fs_can_embed_grub?, :boot_filesystem_type, :boot_encryption_type, :boot_luks2_pbkdf, :esp_in_lvm?, :esp_in_software_raid?, :esp_in_software_raid1?, :encrypted_esp? # Constructor @@ -224,10 +225,15 @@ # # * it is not encrypted (obviously), # * or it is encrypted using LUKS1. + # * or it is encrypted using LUKS2 with PBKDF2 as key derivation function # # @return [Boolean] true if grub can read the boot device def boot_readable_by_grub? t = boot_encryption_type + # FIXME: In fact, this is true only in TW and ALP. The Grub2 package at SLE-15-SP5 is not able + # to perform the autoconfiguration for LUKS2 devices, no matter what PBKDF is used. + return boot_luks2_pbkdf == PbkdFunction::PBKDF2 if t.is?(:luks2) + t.is?(:none) || t.is?(:luks1) end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption.rb 2022-11-21 16:25:40.000000000 +0100 @@ -67,15 +67,12 @@ storage_forward :cipher storage_forward :cipher= - # @!attribute pbkdf - # PBKDF (Password-Based Key Derivation Function), currently only supported for LUKS2 where - # this attribute corresponds to the PBKDF of the first used keyslot. - # - # If is set to empty, during the commit phase the default of cryptsetup will be used. + # @!attribute pbkdf_value + # String representation of {#pbkdf}, an empty string is equivalent to a nil value on {#pbkdf} # # @return [String] - storage_forward :pbkdf - storage_forward :pbkdf= + storage_forward :pbkdf_value, to: :pbkdf + storage_forward :pbkdf_value=, to: :pbkdf= # @!attribute crypt_options # Options in the fourth field of /etc/crypttab @@ -408,6 +405,30 @@ self.storage_in_etc_crypttab = value end + # PBKDF (Password-Based Key Derivation Function), currently only supported for LUKS2 where + # this attribute corresponds to the PBKDF of the first used keyslot. + # + # If is set to nil, during the commit phase the default of cryptsetup will be used. + # + # @return [PbkdFunction, nil] + def pbkdf + PbkdFunction.find(pbkdf_value) + end + + # @see #pbkdf + # + # @param function [PbkdFunction, nil] + def pbkdf=(function) + self.pbkdf_value = function&.value || "" + end + + # Whether the attribute #pbkdf makes sense for this object + # + # @return [Boolean] + def supports_pbkdf? + type.is?(:luks2) + end + protected # @see Device#is? diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_method/luks2.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_method/luks2.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_method/luks2.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_method/luks2.rb 2022-11-21 16:25:40.000000000 +0100 @@ -21,6 +21,7 @@ require "y2storage/encryption_method/base" require "y2storage/encryption_method/pervasive_luks2" require "y2storage/encryption_processes/luks" +require "y2storage/pbkd_function" module Y2Storage module EncryptionMethod @@ -48,12 +49,12 @@ # # @param blk_device [Y2Storage::BlkDevice] # @param dm_name [String] - # @param pbkdf [String] password-based key derivation function to be used by the created + # @param pbkdf [PbkdFunction, nil] password-based key derivation function to be used by the created # LUKS2 device # @param label [String] optional LUKS label # # @return [Y2Storage::Encryption] - def create_device(blk_device, dm_name, pbkdf: "", label: "") + def create_device(blk_device, dm_name, pbkdf: nil, label: "") encryption_process.create_device(blk_device, dm_name, pbkdf: pbkdf, label: label) end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_processes/luks.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_processes/luks.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/encryption_processes/luks.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/encryption_processes/luks.rb 2022-11-21 16:25:40.000000000 +0100 @@ -41,7 +41,7 @@ # # @param blk_device [Y2Storage::BlkDevice] # @param dm_name [String] - # @param pbkdf [String, nil] PBKDF of the LUKS device, only relevant for LUKS2 + # @param pbkdf [PbkdFunction] PBKDF of the LUKS device, only relevant for LUKS2 # @param label [String, nil] label of the LUKS device, only relevant for LUKS2 # # @return [Encryption] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/pbkd_function.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/pbkd_function.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/pbkd_function.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/pbkd_function.rb 2022-11-21 16:25:40.000000000 +0100 @@ -0,0 +1,103 @@ +# Copyright (c) [2021-2022] SUSE LLC +# +# All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of version 2 of the GNU General Public License as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +# more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, contact SUSE LLC. +# +# To contact SUSE LLC about this file by physical or electronic mail, you may +# find current contact information at www.suse.com. + +require "yast" + +module Y2Storage + # Class to represent each one of the possible values for {Y2Storage::Encryption#pbkdf} + class PbkdFunction + include Yast::I18n + extend Yast::I18n + + # Constructor, to be used internally by the class + # + # @param value [String] see {#value} + # @param name [String] string marked for translation, see {#name} + def initialize(value, name) + textdomain "storage" + + @value = value + @name = name + end + + # Instance of the function to be always returned by the class + # TRANSLATORS: name of a key derivation function used by LUKS + ARGON2ID = new("argon2id", N_("Argon2id")) + # Instance of the function to be always returned by the class + # TRANSLATORS: name of a key derivation function used by LUKS + ARGON2I = new("argon2i", N_("Argon2i")) + # Instance of the function to be always returned by the class + # TRANSLATORS: name of a key derivation function used by LUKS + PBKDF2 = new("pbkdf2", N_("PBKDF2")) + + # All possible instances + ALL = [ARGON2ID, ARGON2I, PBKDF2].freeze + private_constant :ALL + + # Sorted list of all possible roles + def self.all + ALL.dup + end + + # Finds a function by its value + # + # @param value [#to_s] + # @return [PbkdFunction, nil] nil if such value does not exist + def self.find(value) + ALL.find { |opt| opt.value == value.to_s } + end + + # @return [String] value for {Y2Storage::Encryption#pbkdf} + attr_reader :value + + # @return [String] localized name for the function to display in the UI + def name + _(@name) + end + + alias_method :to_s, :value + + # @return [Symbol] + def to_sym + value.to_sym + end + + # Checks whether the object corresponds to any of the given enum values. + # + # By default, this will be the base comparison used in the case statements. + # + # @param names [#to_sym] + # @return [Boolean] + def is?(*names) + names.any? { |n| n.to_sym == to_sym } + end + + # @return [Boolean] + def ==(other) + other.class == self.class && other.value == value + end + + alias_method :eql?, :== + + # @return [Boolean] + def ===(other) + other.instance_of?(self.class) && is?(other) + end + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/can_be_encrypted.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/can_be_encrypted.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/can_be_encrypted.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/can_be_encrypted.rb 2022-11-21 16:25:40.000000000 +0100 @@ -46,6 +46,11 @@ # @return [String, nil] password used to encrypt the device. secret_attr :encryption_password + # PBKDF to use when encrypting the device if such property makes sense (eg. LUKS2) + # + # @return [PbkdFunction, nil] nil to use the default derivation function + attr_accessor :encryption_pbkdf + # Initializations of the mixin, to be called from the class constructor. def initialize_can_be_encrypted; end @@ -80,6 +85,7 @@ if create_encryption? method = encryption_method || EncryptionMethod.find(:luks1) result = plain_device.encrypt(method: method, password: encryption_password) + result.pbkdf = encryption_pbkdf if encryption_pbkdf && result.supports_pbkdf? log.info "Device encrypted. Returning the new device #{result.inspect}" else log.info "No need to encrypt. Returning the existing device #{result.inspect}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/lvm_vg.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/lvm_vg.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/planned/lvm_vg.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/planned/lvm_vg.rb 2022-11-21 16:25:40.000000000 +0100 @@ -68,6 +68,17 @@ # physical volumes. If nil, the PVs will not be encrypted. secret_attr :pvs_encryption_password + # Method used to encrypt the newly created physical volumes if {#pvs_encryption_password} is set + # + # @return [EncryptionMethod] + attr_accessor :pvs_encryption_method + + # PBKDF used to encrypt the newly created physical volumes if {#pvs_encryption_password} is set + # and LUKS2 is used + # + # @return [PbkdFunction, nil] nil to use the default function + attr_accessor :pvs_encryption_pbkdf + # Strategy used by the guided proposal to calculate the size of the resulting # volume group # @@ -132,7 +143,7 @@ res = Planned::Partition.new(nil) res.partition_id = PartitionId::LVM res.lvm_volume_group_name = volume_group_name - res.encryption_password = pvs_encryption_password + adjust_encryption(res) res.min_size = min_pv_size res.disk = forced_disk_name res @@ -268,6 +279,15 @@ Y2Storage::LvmVg.find_by_vg_name(devicegraph, reuse_name) end + # @see #minimal_pv_partition + def adjust_encryption(planned_pv) + return unless pvs_encryption_password + + planned_pv.encryption_password = pvs_encryption_password + planned_pv.encryption_method = pvs_encryption_method + planned_pv.encryption_pbkdf = pvs_encryption_pbkdf + end + # Whether the created PVs should be encrypted # # @see #pvs_encryption_password diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/devices_planner.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/devices_planner.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/devices_planner.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/devices_planner.rb 2022-11-21 16:25:40.000000000 +0100 @@ -160,10 +160,21 @@ adjust_to_settings(lv, volume) planned_device = Planned::LvmVg.new(volume_group_name: volume.separate_vg_name, lvs: [lv]) - planned_device.pvs_encryption_password = settings.encryption_password + adjust_pvs_encryption(planned_device) planned_device end + # @see #planned_separate_vg + # + # @param vg [Planned::LvmVg] + def adjust_pvs_encryption(vg) + return unless settings.encryption_password + + vg.pvs_encryption_password = settings.encryption_password + vg.pvs_encryption_method = settings.encryption_method + vg.pvs_encryption_pbkdf = settings.encryption_pbkdf + end + # Adjusts planned device values according to settings # # @note planned_device is modified @@ -195,8 +206,11 @@ # @param _volume [VolumeSpecification] def adjust_encryption(planned_device, _volume) return unless planned_device.is_a?(Planned::Partition) + return unless settings.encryption_password planned_device.encryption_password = settings.encryption_password + planned_device.encryption_method = settings.encryption_method + planned_device.encryption_pbkdf = settings.encryption_pbkdf end # Adjusts planned device sizes according to settings diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/lvm_helper.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/lvm_helper.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal/lvm_helper.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal/lvm_helper.rb 2022-11-21 16:25:40.000000000 +0100 @@ -111,6 +111,8 @@ @reused_volume_group.lvs = planned_lvs @reused_volume_group.size_strategy = vg_strategy @reused_volume_group.pvs_encryption_password = settings.encryption_password + @reused_volume_group.pvs_encryption_method = settings.encryption_method + @reused_volume_group.pvs_encryption_pbkdf = settings.encryption_pbkdf end # Checks whether the passed device is the volume group to be reused @@ -153,6 +155,8 @@ def new_volume_group vg = Planned::LvmVg.new(volume_group_name: DEFAULT_VG_NAME, lvs: planned_lvs) vg.pvs_encryption_password = settings.encryption_password + vg.pvs_encryption_method = settings.encryption_method + vg.pvs_encryption_pbkdf = settings.encryption_pbkdf vg.size_strategy = vg_strategy vg end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal_settings.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal_settings.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage/proposal_settings.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage/proposal_settings.rb 2022-11-21 16:25:40.000000000 +0100 @@ -25,6 +25,7 @@ require "y2storage/filesystems/type" require "y2storage/partitioning_features" require "y2storage/volume_specifications_set" +require "y2storage/encryption_method" module Y2Storage # Class to manage settings used by the proposal (typically read from control.xml) @@ -149,10 +150,23 @@ # @return [Array<String>, nil] attr_reader :explicit_candidate_devices + # TODO: it makes sense to encapsulate #encryption_password, #encryption_method and + # #encryption_pbkdf in some new class (eg. EncryptionSettings), posponed for now + # @!attribute encryption_password # @return [String] password to use when creating new encryption devices secret_attr :encryption_password + # Encryption method to use if {#encryption_password} is set + # + # @return [EncryptionMethod::Base] + attr_accessor :encryption_method + + # PBKDF to use if {#encryption_password} is set and {#encryption_method} is LUKS2 + # + # @return [PbkdFunction, nil] nil to use the default + attr_accessor :encryption_pbkdf + # @return [Boolean] whether to resize Windows systems if needed attr_accessor :resize_windows @@ -384,6 +398,7 @@ linux_delete_mode: :ondemand, lvm: false, lvm_vg_strategy: :use_available, + encryption_method: EncryptionMethod::LUKS1, multidisk_first: false, other_delete_mode: :ondemand, resize_windows: true, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/src/lib/y2storage.rb new/yast2-storage-ng-4.5.14/src/lib/y2storage.rb --- old/yast2-storage-ng-4.5.13/src/lib/y2storage.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/src/lib/y2storage.rb 2022-11-21 16:25:40.000000000 +0100 @@ -63,6 +63,7 @@ require "y2storage/btrfs_qgroup" require "y2storage/btrfs_subvolume" require "y2storage/storage_features_list" +require "y2storage/pbkd_function" require "y2storage/exceptions" require "y2storage/boot_requirements_checker" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/test/support/boot_requirements_context.rb new/yast2-storage-ng-4.5.14/test/support/boot_requirements_context.rb --- old/yast2-storage-ng-4.5.13/test/support/boot_requirements_context.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/test/support/boot_requirements_context.rb 2022-11-21 16:25:40.000000000 +0100 @@ -64,7 +64,8 @@ esp_in_software_raid?: false, esp_in_software_raid1?: false, encrypted_esp?: false, - boot_encryption_type: boot_enc_type + boot_encryption_type: boot_enc_type, + boot_luks2_pbkdf: boot_pbkdf ) end @@ -80,6 +81,7 @@ end let(:boot_ptable_type) { :msdos } let(:boot_enc_type) { Y2Storage::EncryptionType::NONE } + let(:boot_pbkdf) { nil } # Mocks for Raspberry Pi detection let(:raspi_system) { false } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/description_section/blk_device_test.rb new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/description_section/blk_device_test.rb --- old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/description_section/blk_device_test.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/description_section/blk_device_test.rb 2022-11-21 16:25:40.000000000 +0100 @@ -22,6 +22,7 @@ require_relative "help_fields_examples" require "y2partitioner/widgets/description_section/blk_device" +require "y2storage/pbkd_function" describe Y2Partitioner::Widgets::DescriptionSection::BlkDevice do before { devicegraph_stub(scenario) } @@ -73,7 +74,9 @@ end context "if LUKS2 is used as encryption type" do - before { device.encrypt(method: :luks2, label: "something", pbkdf: "argon2i") } + before do + device.encrypt(method: :luks2, label: "something", pbkdf: Y2Storage::PbkdFunction::ARGON2I) + end it "includes an entry about the encryption including the encryption type" do expect(subject.value).to match(/Encrypted: Yes/) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/pbkdf_selector_test.rb new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/pbkdf_selector_test.rb --- old/yast2-storage-ng-4.5.13/test/y2partitioner/widgets/pbkdf_selector_test.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/test/y2partitioner/widgets/pbkdf_selector_test.rb 2022-11-21 16:25:40.000000000 +0100 @@ -22,12 +22,15 @@ require "cwm/rspec" require "y2partitioner/widgets/pbkdf_selector" +require "y2storage/pbkd_function" describe Y2Partitioner::Widgets::PbkdfSelector do subject(:widget) { described_class.new(controller) } - let(:controller) { double("Controllers::Encryption", pbkdf: initial_pbkdf) } let(:initial_pbkdf) { "pbkdf2" } + let(:controller) do + double("Controllers::Encryption", pbkdf: Y2Storage::PbkdFunction.find(initial_pbkdf)) + end include_examples "CWM::ComboBox" @@ -71,7 +74,8 @@ end it "sets the selected pbkdf" do - expect(controller).to receive(:pbkdf=).with(selected_pbkdf) + pbkdf = Y2Storage::PbkdFunction.find(selected_pbkdf) + expect(controller).to receive(:pbkdf=).with(pbkdf) widget.store end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/test/y2storage/encryption_method_test.rb new/yast2-storage-ng-4.5.14/test/y2storage/encryption_method_test.rb --- old/yast2-storage-ng-4.5.13/test/y2storage/encryption_method_test.rb 2022-11-17 06:40:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/test/y2storage/encryption_method_test.rb 2022-11-21 16:25:40.000000000 +0100 @@ -21,6 +21,7 @@ require_relative "spec_helper" require "y2storage/encryption_method" +require "y2storage/pbkd_function" describe Y2Storage::EncryptionMethod do describe ".all" do @@ -274,10 +275,12 @@ it "sets the given label and PBKDF for the LUKS2 device" do expect(device.encrypted?).to eq(false) - subject.create_device(device, "cr_dev", label: "cool_luks", pbkdf: "argon2i") + subject.create_device( + device, "cr_dev", label: "cool_luks", pbkdf: Y2Storage::PbkdFunction::ARGON2I + ) expect(device.encryption.label).to eq "cool_luks" - expect(device.encryption.pbkdf).to eq "argon2i" + expect(device.encryption.pbkdf.value).to eq "argon2i" end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/test/y2storage/pbkd_function_test.rb new/yast2-storage-ng-4.5.14/test/y2storage/pbkd_function_test.rb --- old/yast2-storage-ng-4.5.13/test/y2storage/pbkd_function_test.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/test/y2storage/pbkd_function_test.rb 2022-11-21 16:25:40.000000000 +0100 @@ -0,0 +1,68 @@ +#!/usr/bin/env rspec +# Copyright (c) [2022] SUSE LLC +# +# All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of version 2 of the GNU General Public License as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +# more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, contact SUSE LLC. +# +# To contact SUSE LLC about this file by physical or electronic mail, you may +# find current contact information at www.suse.com. + +require_relative "spec_helper" +require "y2storage/pbkd_function" + +describe Y2Storage::PbkdFunction do + subject { Y2Storage::PbkdFunction::ARGON2I } + + describe "#is?" do + it "returns true for an equivalent function object" do + expect(subject.is?(Y2Storage::PbkdFunction.find("argon2i"))).to eq true + end + + it "returns false for a non-equivalent function object" do + expect(subject.is?(Y2Storage::PbkdFunction.find("pbkdf2"))).to eq false + end + + it "returns true for a list of symbols including the equivalent one" do + expect(subject.is?(:argon2i, :pbkdf)).to eq true + end + + it "returns false for list of symbols not including the equivalent one" do + expect(subject.is?(:argon2id, :pbkdf)).to eq false + end + end + + describe "#===" do + it "returns true for the equivalent object" do + value = + case subject + when Y2Storage::PbkdFunction.find("argon2i") + true + else + false + end + expect(value).to eq true + end + + it "returns false for the equivalent symbol" do + value = + case subject + when :argon2i + true + else + false + end + expect(value).to eq false + end + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-storage-ng-4.5.13/test/y2storage/proposal_luks2_x86_test.rb new/yast2-storage-ng-4.5.14/test/y2storage/proposal_luks2_x86_test.rb --- old/yast2-storage-ng-4.5.13/test/y2storage/proposal_luks2_x86_test.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-storage-ng-4.5.14/test/y2storage/proposal_luks2_x86_test.rb 2022-11-21 16:25:40.000000000 +0100 @@ -0,0 +1,175 @@ +#!/usr/bin/env rspec +# Copyright (c) [2017] SUSE LLC +# +# All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of version 2 of the GNU General Public License as published +# by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +# more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, contact SUSE LLC. +# +# To contact SUSE LLC about this file by physical or electronic mail, you may +# find current contact information at www.suse.com. + +require_relative "spec_helper" +require "storage" +require "y2storage" +require_relative "#{TEST_PATH}/support/proposal_examples" +require_relative "#{TEST_PATH}/support/proposal_context" + +describe Y2Storage::GuidedProposal do + using Y2Storage::Refinements::SizeCasts + + describe "#propose" do + include_context "proposal" + + subject(:proposal) { described_class.new(settings: settings) } + let(:scenario) { "empty_hard_disk_50GiB" } + let(:architecture) { :x86 } + let(:control_file) { "legacy_settings.xml" } + let(:encrypt) { true } + + before do + allow(Yast::Kernel).to receive(:propose_hibernation?).and_return(true) + allow(storage_arch).to receive(:efiboot?).and_return(efi) + + settings.encryption_method = Y2Storage::EncryptionMethod::LUKS2 + settings.encryption_pbkdf = pbkdf + end + + # Helper method to check the properties of an encrypted filesystem + def expect_luks2_fs(mount_path, pbkdf) + fs = proposal.devices.filesystems.find { |i| i.mount_path == mount_path } + expect(fs.encrypted?).to eq true + + enc = fs.blk_devices.first + expect(enc.type).to eq Y2Storage::EncryptionType::LUKS2 + expect(enc.pbkdf).to eq pbkdf + end + + # Helper method to check the properties of a filesystem inside an encrypted LVM + def expect_luks2_lvm_fs(mount_path, pbkdf) + fs = proposal.devices.filesystems.find { |i| i.mount_path == mount_path } + expect(fs.encrypted?).to eq false + + lv = fs.blk_devices.first + expect(lv.is?(:lvm_lv)).to eq true + + pvs = lv.lvm_vg.lvm_pvs + encs = pvs.map(&:blk_device) + expect(encs.map(&:type)).to all(eq Y2Storage::EncryptionType::LUKS2) + expect(encs.map(&:pbkdf)).to all(eq pbkdf) + end + + RSpec.shared_examples "/boot unless PBKDF2" do + context "using Argon2id as key derivation function" do + let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID } + + it "proposes a separate unencrypted /boot partition" do + proposal.propose + boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == "/boot" } + expect(boot_fs.encrypted?).to eq false + end + end + + context "using PBKDF2 as key derivation function" do + let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 } + + it "does not propose a separate /boot partition" do + proposal.propose + boot_fs = proposal.devices.filesystems.find { |fs| fs.mount_path == "/boot" } + expect(boot_fs).to be_nil + end + end + end + + RSpec.shared_examples "correct PBKDF encrypted partitions" do + context "using Argon2id as key derivation function" do + let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID } + + it "proposes LUKS2 encrypted partitions with Argon2 for all system partitions" do + proposal.propose + expect_luks2_fs("/", Y2Storage::PbkdFunction::ARGON2ID) + expect_luks2_fs("swap", Y2Storage::PbkdFunction::ARGON2ID) + end + end + + context "using PBKDF2 as key derivation function" do + let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 } + + it "proposes LUKS2 encrypted partitions with PBKDF2 for all system partitions" do + proposal.propose + expect_luks2_fs("/", Y2Storage::PbkdFunction::PBKDF2) + expect_luks2_fs("swap", Y2Storage::PbkdFunction::PBKDF2) + end + end + end + + RSpec.shared_examples "correct PBKDF encrypted LVM" do + context "using Argon2id as key derivation function" do + let(:pbkdf) { Y2Storage::PbkdFunction::ARGON2ID } + + it "proposes LUKS2 encrypted LVM with Argon2 for all system volumes" do + proposal.propose + expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::ARGON2ID) + expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::ARGON2ID) + end + end + + context "using PBKDF2 as key derivation function" do + let(:pbkdf) { Y2Storage::PbkdFunction::PBKDF2 } + + it "proposes LUKS2 encrypted LVM with PBKDF2 for all system volumes" do + proposal.propose + expect_luks2_lvm_fs("/", Y2Storage::PbkdFunction::PBKDF2) + expect_luks2_lvm_fs("swap", Y2Storage::PbkdFunction::PBKDF2) + end + end + end + + context "In a UEFI system" do + let(:efi) { true } + + context "proposing LVM" do + let(:lvm) { true } + + # FIXME: commented out because the combination of LVM + LUKS2 with Argon2 doesn't work yet + # include_examples "/boot unless PBKDF2" + include_examples "correct PBKDF encrypted LVM" + end + + context "proposing partitions (no LVM)" do + let(:lvm) { false } + + include_examples "/boot unless PBKDF2" + include_examples "correct PBKDF encrypted partitions" + end + end + + context "In a legacy BIOS boot system" do + let(:efi) { false } + + context "proposing LVM" do + let(:lvm) { true } + + # FIXME: commented out because the combination of LVM + LUKS2 with Argon2 doesn't work yet + # include_examples "/boot unless PBKDF2" + include_examples "correct PBKDF encrypted LVM" + end + + context "proposing partitions (no LVM)" do + let(:lvm) { false } + + include_examples "/boot unless PBKDF2" + include_examples "correct PBKDF encrypted partitions" + end + end + end +end