oamg / leapp-repository

Leapp repositories containing actors for the Leapp framework (https://github.com/oamg/leapp). Currently provides leapp repositories for in-place upgrades of RHEL systems.
Apache License 2.0

Add LUKS support via Clevis TPM 2 token #1200

Open danzatt opened 5 months ago

danzatt commented 5 months ago

tldr; Add a LuksScanner actor which scans all crypt devices using cryptsetup luksDump. Don't inhibit when all devices are LUKS2 with a Clevis TPM2 token.

So far, upgrades with encrypted drives were not supported. Encrypted
drives require interactively typing unlock passphrases, which is not
suitable for automatic upgrades using Leapp. We add a feature where
systems with all drives configured with an automatic unlock method can be
upgraded.

Currently, we only support drives configured with a Clevis/TPM2 token,
because networking is not configured during the Leapp upgrade (excluding
NBDE).

We consume the LuksDumps message to decide whether the upgrade process
should be inhibited. If there is at least one LUKS2 device without a
Clevis TPM2 binding, we inhibit the upgrade because we cannot tell whether
the device is part of a more complex storage stack and the failure
to unlock the device might cause boot problems.

Note that IPU 7 -> 8 with encrypted devices stays unsupported / inhibited.
The new solution is applied only for upgrades from RHEL 8+.

jira: RHEL-3294

This PR introduces new shortened URLs:

/cc @pirat89
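The inhibit rule described above, as an added example that is not the PR's LuksScanner code: parse a constructed `cryptsetup luksDump` excerpt for the header version and token types, read the Clevis pin from an exported token (the `cryptsetup token export` JSON layout, with the pin in the JWE protected header, is an assumption here), and inhibit unless every device is LUKS2 with a tpm2 pin.

```python
import base64
import json
import re
# Constructed excerpt of `cryptsetup luksDump` for a LUKS2 device with one clevis token.
LUKS2_DUMP = """\
Version:        2
Keyslots:
  1: luks2
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2
"""

def parse_luks_dump(dump):
    """Return (header version, {token_id: token_type}) parsed from luksDump text."""
    version, tokens, section = None, {}, None
    for line in dump.splitlines():
        if line.startswith('Version:'):
            version = int(line.split(':', 1)[1])
        elif re.match(r'^\w[\w ]*:$', line):                      # section header, e.g. "Tokens:"
            section = line[:-1]
        elif section == 'Tokens' and re.match(r'^\s+\d+:', line):  # token line, e.g. "  0: clevis"
            tid, ttype = line.split(':', 1)
            tokens[int(tid)] = ttype.strip()
    return version, tokens

def clevis_pin(token_json):
    """Pin name ('tpm2', 'tang', 'sss') from a clevis token (assumed `cryptsetup token export` layout)."""
    protected = json.loads(token_json)['jwe']['protected']
    protected += '=' * (-len(protected) % 4)                       # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(protected)).get('clevis', {}).get('pin')

def make_clevis_token(pin):  # constructed token JSON in the assumed layout (no real ciphertext)
    header = {"alg": "dir", "clevis": {"pin": pin, pin: {}}, "enc": "A256GCM"}
    protected = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip('=')
    return json.dumps({"type": "clevis", "keyslots": ["1"], "jwe": {"protected": protected}})

def should_inhibit(devices):
    """PR rule: inhibit unless every device is LUKS2 with a tpm2-pinned clevis token.
    devices is [(name, luksDump_text, {token_id: token_json})]; returns (inhibit, offending name)."""
    for name, dump, exports in devices:
        version, tokens = parse_luks_dump(dump)
        if version != 2:
            return True, name   # LUKS1 has no tokens, so no automatic unlock is possible
        pins = {clevis_pin(exports[tid]) for tid, ttype in tokens.items() if ttype == 'clevis'}
        if 'tpm2' not in pins:
            return True, name   # passphrase-only or network-bound (e.g. tang) device
    return False, None
```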

github-actions[bot] commented 5 months ago

Thank you for contributing to the Leapp project!

Please note that every PR needs to comply with the Leapp Guidelines and must pass all tests in order to be mergeable. If you want to request a review or rebuild a package in copr, you can use the following commands as a comment:

Packit will automatically schedule regression tests for this PR's build and the latest upstream leapp build. If you need a different version of leapp, e.g. from PR#42, use /packit test oamg/leapp#42. Note that first-time contributors cannot run tests automatically; they will be started by a reviewer.

It is possible to schedule specific on-demand tests as well. Currently 2 test sets are supported, beaker-minimal and kernel-rt; both can be run on all upgrade paths or just a couple of specific ones. To launch on-demand tests with packit:

See other labels for particular jobs defined in the .packit.yaml file.

Please open a ticket in case you experience a technical problem with the CI. (RH internal only)

Note: In case there are problems with tests not being triggered automatically on new PR/commit or pending for a long time, please contact leapp-infra.

pirat89 commented 4 months ago

@danzatt Hi Dan \o most likely I will get to the review during early May or later June. We are dealing now with additional stuff.

pirat89 commented 4 months ago

/packit test

pirat89 commented 3 months ago

@danzatt I haven't gone through the whole code yet, but covered most of it. I found some things that could be changed, and some that need to be changed. I do not expect I will find anything else in the rest of the code (and not sure when I will get to it), but I am letting you know about that in advance, in case you would like to wait for the full review.

danzatt commented 2 months ago

Hello @pirat89 thanks for the review! I've hopefully addressed all your remarks now.

pirat89 commented 1 month ago

/packit copr-build

pirat89 commented 1 month ago

/packit copr-build

pirat89 commented 1 month ago

/packit copr-build