From: Tomas Volf
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Subject: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
Date: Wed, 2 Aug 2023 15:02:44 +0200
Message-ID: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
X-Mailer: git-send-email 2.41.0

Requiring the user to input their password in order to unlock a device is
not always reasonable, so having an option to unlock the device using a key
file is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New procedure
---
untabify

 doc/guix.texi                 | 12 +++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. If it fails, password unlock is attempted as well. Key file +is not stored in the store and needs to be available at the specified +path at the time of the unlock attempt. +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..0755036763 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2023 Tomas Volf ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) @@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure 
@@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." @@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'." base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7 -- 2.41.0
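Review bot: the new @deffn text in the doc/guix.texi hunk (@@ -17622,6 +17622,18 @@) tells the reader the key file "is not stored in the store" and "needs to be available at the specified path at the time of the unlock attempt", but not where that leaves them: for a device opened from the initrd the path is resolved before the root file system is mounted, and a key file placed under /gnu/store to make it reachable would be readable by every local user. Spell out that the path must be on a file system already available when the device is opened and must not be a store item, and that because cryptsetup is invoked with --key-file the entire file content is the passphrase, trailing newline included, so a file written with echo will not match a passphrase that was typed interactively. Minor wording: "Key file is not stored" should read "The key file is not stored", and "password unlock" is better as "passphrase unlock", matching cryptsetup's own terminology used elsewhere in this section.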
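Review bot: the docstring of open-luks-device in the @@ -188,7 +190,7 @@ hunk still reads "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." and says nothing about the new KEY-FILE keyword; add a sentence such as "When KEY-FILE is a file name, try it with --key-file before prompting for a passphrase." Relatedly, the ChangeLog entry in the commit message lists the new keyword argument under (luks-device-mapping), but the hunk adds it to (open-luks-device).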
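Review bot: in the @@ -198,7 +200,8 @@ hunk the let binding is spelled keyfile while the keyword is key-file; use one spelling so the two are greppable together. More importantly, #$key-file splices whatever object the caller supplies into the gexp, so a caller who passes a local-file or plain-file instead of a string would have the key copied into the world-readable store, which is exactly what the documentation promises does not happen; have luks-device-mapping-with-options check that KEY-FILE is a string (or #f) and raise an error otherwise.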
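Review bot: in the @@ -215,29 +218,35 @@ hunk a failed --key-file attempt falls straight through to the interactive prompt with no message of its own, so a user whose key file is missing, unreadable or stale sees cryptsetup's error about the file followed by an unexplained passphrase prompt. Print a one-line notice between the two system*/tty calls (for example "key file did not unlock TARGET, falling back to passphrase"), and consider testing (file-exists? keyfile) before invoking cryptsetup so the common "file not there yet" case is reported clearly rather than as a cryptsetup failure. The key-file invocation does not need a controlling tty; plain system* would do there, though reusing system*/tty is harmless.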
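Review bot: the docstring in the @@ -276,6 +285,14 @@ hunk ("Return a luks-device-mapping object with open modified to pass the arguments into the open-luks-device procedure.") describes the implementation rather than the contract and mentions neither KEY-FILE nor the fallback behaviour; rewrite it from the caller's side, e.g. "Return a mapped-device-kind like luks-device-mapping that, when KEY-FILE is a file name, first tries to unlock the device with that key file and falls back to prompting for a passphrase." The inherited check field (check-luks-device) cannot verify the key file, since it is a runtime path, so the docstring is the only place a user will learn that a wrong path is discovered at boot time; say so.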