tchx84 / Portfolio

A minimalist file manager for those who want to use Linux mobile devices.
GNU General Public License v3.0

properly handle already unlocked luks volumes #245

Closed craftyguy closed 2 years ago

craftyguy commented 2 years ago

Running portfolio on my device, there's an entry for the luks partition that has my rootfs. Tapping on it prompts me for the passphrase to unlock it... but it's already unlocked. Perhaps portfolio should hide an encrypted volume if it's already unlocked and mounted to / ?

I'm not quite sure how it should be handled to be honest. This problem is mostly cosmetic, since I don't think I'd be able to actually unlock it through portfolio (since it's already unlocked, I think cryptsetup will complain), and it's unlikely that the 'eject' button would work too (I didn't try it... for obvious reasons... heh)

tchx84 commented 2 years ago

hey @craftyguy !

First of all, thanks for testing!

Weird, I made sure these would be hidden and I can't reproduce on the laptop I have with me (with several encrypted devices)...

Can you run these from the terminal?

  1. run udisksctl dump and find your encrypted device(s), e.g. search for a /org/freedesktop/UDisks2/block_devices/<name> which has a org.freedesktop.UDisks2.Encrypted interface.
  2. for each, you will see they have a CleartextDevice property, e.g. it could point to something like /org/freedesktop/UDisks2/block_devices/<another_name> or simply / or maybe some other value (?).
  3. Can you paste these /org/freedesktop/UDisks2/block_devices/<name(s)> here and their CleartextDevice values?

Also, pretty please, run from latest master :pray:

craftyguy commented 2 years ago

retested with 785a89e7e42ea5ac7d9c35994a5ecb3909e806eb (I filed this issue while running 9842728) :

/org/freedesktop/UDisks2/block_devices/mmcblk0p2:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/mmcblk0p2
    DeviceNumber:               45826
    Drive:                      '/org/freedesktop/UDisks2/drives/032G32_0xeeeeeeee'
    HintAuto:                   false
    HintIconName:
    HintIgnore:                 false
    HintName:
    HintPartitionable:          true
    HintSymbolicIconName:
    HintSystem:                 true
    Id:                         by-id-mmc-032G32_0xeeeeeeee-part2
    IdLabel:
    IdType:                     crypto_LUKS
    IdUUID:                     
    IdUsage:                    crypto
    IdVersion:                  2
    MDRaid:                     '/'
    MDRaidMember:               '/'
    PreferredDevice:            /dev/mmcblk0p2
    ReadOnly:                   false
    Size:                       31068258304
    Symlinks:                   /dev/disk/by-id/mmc-032G32_0xeeeeeeee-part2
                                /dev/disk/by-partuuid/111111111-02
                                /dev/disk/by-path/platform-30b40000.mmc-part2
                                /dev/disk/by-uuid/<uuid>
    UserspaceMountOptions:
  org.freedesktop.UDisks2.Encrypted:
    ChildConfiguration:         []
    CleartextDevice:            '/'
    HintEncryptionType:
    MetadataSize:               16777216
  org.freedesktop.UDisks2.Partition:
    Flags:              0
    IsContained:        false
    IsContainer:        false
    Name:
    Number:             2
    Offset:             200278016
    Size:               31068258304
    Table:              '/org/freedesktop/UDisks2/block_devices/mmcblk0'
    Type:               0x83
    UUID:               111111111-11

[Screenshot attached: 20220203_02h19m23s_grim]

tchx84 commented 2 years ago

I find it strange that CleartextDevice is set to /, my understanding is that, if it's really unlocked it should specify the actual object path for the device, e.g. /org/freedesktop/UDisks2/block_devices/dm_2d0.

Let's try two more things:

  1. do you see any other /org/freedesktop/UDisks2/block_devices/* device with the org.freedesktop.UDisks2.Encrypted interface?
  2. do you see any /org/freedesktop/UDisks2/block_devices/* device with the org.freedesktop.UDisks2.Block interface, that has a CryptoBackingDevice property set to something different than / ?

craftyguy commented 2 years ago

> do you see any other /org/freedesktop/UDisks2/block_devices/* device with the org.freedesktop.UDisks2.Encrypted interface?

hmm, no, only that one I pasted earlier

> do you see any /org/freedesktop/UDisks2/block_devices/* device with the org.freedesktop.UDisks2.Block interface, that has a CryptoBackingDevice property set to something different than / ?

yeah, actually, it seems like a lot of things (zram, some loop devices) are showing up with CryptoBackingDevice: '/', for example:

/org/freedesktop/UDisks2/block_devices/loop0:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/loop0
    DeviceNumber:               1792
    Drive:                      '/'
    HintAuto:                   false
    HintIconName:
    HintIgnore:                 false
    HintName:
    HintPartitionable:          true
    HintSymbolicIconName:
    HintSystem:                 true
    Id:
    IdLabel:
    IdType:
    IdUUID:
    IdUsage:
    IdVersion:
    MDRaid:                     '/'
    MDRaidMember:               '/'
    PreferredDevice:            /dev/loop0
    ReadOnly:                   false
    Size:                       0
    Symlinks:
    UserspaceMountOptions:
  org.freedesktop.UDisks2.Loop:
    Autoclear:          false
    BackingFile:
    SetupByUID:         0

...

/org/freedesktop/UDisks2/block_devices/sda:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/sda
    DeviceNumber:               2048
    Drive:                      '/org/freedesktop/UDisks2/drives/Generic_Ultra_HS_SD_2fMMC_000008264001'
    HintAuto:                   true
    HintIconName:
    HintIgnore:                 false
    HintName:
    HintPartitionable:          true
    HintSymbolicIconName:
    HintSystem:                 false
    Id:
    IdLabel:
    IdType:
    IdUUID:
    IdUsage:
    IdVersion:
    MDRaid:                     '/'
    MDRaidMember:               '/'
    PreferredDevice:            /dev/sda
    ReadOnly:                   false
    Size:                       0
    Symlinks:                   /dev/disk/by-id/usb-Generic_Ultra_HS-SD_MMC_000008264001-0:0
                                /dev/disk/by-path/platform-xhci-hcd.4.auto-usb-0:1.1:1.0-scsi-0:0:0:0
    UserspaceMountOptions:

/org/freedesktop/UDisks2/block_devices/zram0:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/zram0
    DeviceNumber:               64768
    Drive:                      '/'
    HintAuto:                   false
    HintIconName:
    HintIgnore:                 false
    HintName:
    HintPartitionable:          true
    HintSymbolicIconName:
    HintSystem:                 true
    Id:
    IdLabel:
    IdType:
    IdUUID:
    IdUsage:
    IdVersion:
    MDRaid:                     '/'
    MDRaidMember:               '/'
    PreferredDevice:            /dev/zram0
    ReadOnly:                   false
    Size:                       783286272
    Symlinks:
    UserspaceMountOptions:
  org.freedesktop.UDisks2.Swapspace:
    Active:             true

craftyguy commented 2 years ago

> I find it strange that CleartextDevice is set to /, my understanding is that, if it's really unlocked it should specify the actual object path for the device, e.g. /org/freedesktop/UDisks2/block_devices/dm_2d0.

Ahhh! I might have the makings of a theory here...

on postmarketOS, we unlock the rootfs luks volume in the initfs, but anything created in /dev/mapper is not carried forward when we call switch_root.

librem5:~$ ls /dev/mapper/
control
librem5:~$ df /
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/root      29874052  22703688   5637852  80% /

I bet that is throwing off udisks2...

tchx84 commented 2 years ago

> > do you see any other /org/freedesktop/UDisks2/block_devices/* device with the org.freedesktop.UDisks2.Encrypted interface?
>
> hmm, no, only that one I pasted earlier

Strange... I will try to reproduce this when I am free from work.

> > do you see any /org/freedesktop/UDisks2/block_devices/* device with the org.freedesktop.UDisks2.Block interface, that has a CryptoBackingDevice property set to something different than / ?
>
> yeah, actually, it seems like a lot of things (zram, some loop devices) are showing up with CryptoBackingDevice: '/', for example:

Oh, wait, I am actually asking the opposite. Do you see a device where CryptoBackingDevice is not / ?

craftyguy commented 2 years ago

> Oh, wait, I am actually asking the opposite. Do you see a device where CryptoBackingDevice is not / ?

Ah sorry, I misread.

so I see two things that do not have CryptoBackingDevice=/:

/org/freedesktop/UDisks2/drives/032G32_0xeeeeeeee:
  org.freedesktop.UDisks2.Drive:
    CanPowerOff:                false
    Configuration:              {}
    ConnectionBus:              sdio
    Ejectable:                  false
    Id:                         032G32-0xeeeeeeee
    Media:
    MediaAvailable:             true
    MediaChangeDetected:        true
    MediaCompatibility:
    MediaRemovable:             false
    Model:                      032G32
    Optical:                    false
    OpticalBlank:               false
    OpticalNumAudioTracks:      0
    OpticalNumDataTracks:       0
    OpticalNumSessions:         0
    OpticalNumTracks:           0
    Removable:                  false
    Revision:
    RotationRate:               0
    Seat:                       seat0
    Serial:                     0xeeeeeeee
    SiblingId:
    Size:                       31268536320
    SortKey:                    00coldplug/00fixed/mmcblk0
    TimeDetected:               21127373
    TimeMediaDetected:          21127373
    Vendor:
    WWN:

/org/freedesktop/UDisks2/drives/Generic_Ultra_HS_SD_2fMMC_000008264001:
  org.freedesktop.UDisks2.Drive:
    CanPowerOff:                false
    Configuration:              {}
    ConnectionBus:              usb
    Ejectable:                  true
    Id:                         Generic-Ultra-HS-SD-MMC-000008264001
    Media:
    MediaAvailable:             false
    MediaChangeDetected:        true
    MediaCompatibility:         flash_sd
    MediaRemovable:             true
    Model:                      Ultra HS-SD/MMC
    Optical:                    false
    OpticalBlank:               false
    OpticalNumAudioTracks:      0
    OpticalNumDataTracks:       0
    OpticalNumSessions:         0
    OpticalNumTracks:           0
    Removable:                  true
    Revision:                   2.09
    RotationRate:               0
    Seat:                       seat0
    Serial:                     000008264001
    SiblingId:                  /sys/devices/platform/soc@0/38200000.usb/xhci-hcd.4.auto/usb1/1-1/1-1.1/1-1.1:1.0
    Size:                       0
    SortKey:                    00coldplug/12removable/sd____a
    TimeDetected:               22443874
    TimeMediaDetected:          0
    Vendor:                     Generic
    WWN:

tchx84 commented 2 years ago

hehe, I mean, that do have CryptoBackingDevice but the value is different from / :)

tchx84 commented 2 years ago

> Ahhh! I might have the makings of a theory here...
>
> on postmarketOS, we unlock the rootfs luks volume in the initfs, but anything created in /dev/mapper is not carried forward when we call switch_root.
>
> librem5:~$ ls /dev/mapper/
> control
> librem5:~$ df /
> Filesystem           1K-blocks      Used Available Use% Mounted on
> /dev/mapper/root      29874052  22703688   5637852  80% /
>
> I bet that is throwing off udisks2...

Interesting... I imagined something like that could be in play... but I am not entirely sure what I could do in that scenario...

craftyguy commented 2 years ago

> Interesting... I imagined something like that could be in play... but I am not entirely sure what I could do in that scenario...

Yeah if that's the problem, then I don't think it's your fault. I'll try modifying our initfs to not remove /dev prior to switch_root and see if that 'fixes' it. But I'm not sure if anyone remembers why we do that in the first place :P

tchx84 commented 2 years ago

> > Interesting... I imagined something like that could be in play... but I am not entirely sure what I could do in that scenario...
>
> Yeah if that's the problem, then I don't think it's your fault. I'll try modifying our initfs to not remove /dev prior to switch_root and see if that 'fixes' it. But I'm not sure if anyone remembers why we do that in the first place :P

haha, well, I'd rather not force anyone to break pmOS xD, so if there's something reasonable I can do on Portfolio's side I can try it.

craftyguy commented 2 years ago

yeah I want to get to the bottom of why we are doing that in pmOS before making any further requests here. it seems like we shouldn't be umounting /dev before switch_root. anyways, thanks for the help, I'll report back if there's something that could be done in Portfolio, but for now I'll try to get some more context here; https://gitlab.com/postmarketOS/pmaports/-/issues/1410

craftyguy commented 2 years ago

well I patched our initfs to preserve /dev when switch_root is called, and I still see the exact same behavior as above, the root disk still has:

/org/freedesktop/UDisks2/block_devices/mmcblk0p2:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/mmcblk0p2
...
    IdType:                     crypto_LUKS
...

and you can see here that the device that is mounted to / is present now in /dev:

foo:~$ ls -lah /dev/mapper/root
total 0
brw-------    1 root     root      254,   0 Feb 21 11:36 root
foo:~$ df /
Filesystem           1K-blocks      Used Available Use% Mounted on
devtmpfs                 10240         0     10240   0% /dev
/dev/mapper/root      29873320   1624680  26718820   6% /

tchx84 commented 2 years ago

Hmm, on the object_path with the org.freedesktop.UDisks2.Encrypted interface, I assume CleartextDevice is also set to / then...

I can't think of a reason why udisks is not setting the CryptoBackingDevice and CleartextDevice properties :confused: ... In the short term, maybe there's something else that can characterize those "already unlocked" blocks so I can at least hide these.

craftyguy commented 2 years ago

here's what I see:

/org/freedesktop/UDisks2/block_devices/mmcblk0p2:
  org.freedesktop.UDisks2.Block:
    Configuration:              []
    CryptoBackingDevice:        '/'
    Device:                     /dev/mmcblk0p2
    DeviceNumber:               45826
    Drive:                      '/org/freedesktop/UDisks2/drives/032G32_0xxxxxxxxxx'
    HintAuto:                   false
    HintIconName:
    HintIgnore:                 false
    HintName:
    HintPartitionable:          true
    HintSymbolicIconName:
    HintSystem:                 true
    Id:                         by-id-mmc-032G32_0xxxxxxxxxx-part2
    IdLabel:
    IdType:                     crypto_LUKS
    IdUUID:                     xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    IdUsage:                    crypto
    IdVersion:                  2
    MDRaid:                     '/'
    MDRaidMember:               '/'
    PreferredDevice:            /dev/mmcblk0p2
    ReadOnly:                   false
    Size:                       31012683776
    Symlinks:                   /dev/disk/by-id/mmc-032G32_0xxxxxxxxxx-part2
                                /dev/disk/by-partuuid/xxxxxxxxxx-xx
                                /dev/disk/by-path/platform-xxxxxxx.mmc-part2
                                /dev/disk/by-uuid/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    UserspaceMountOptions:
  org.freedesktop.UDisks2.Encrypted:
    ChildConfiguration:         []
    CleartextDevice:            '/'
    HintEncryptionType:
    MetadataSize:               16777216
  org.freedesktop.UDisks2.Partition:
    Flags:              0
    IsContained:        false
    IsContainer:        false
    Name:
    Number:             2
    Offset:             255852544
    Size:               31012683776
    Table:              '/org/freedesktop/UDisks2/block_devices/mmcblk0'
    Type:               0x83
    UUID:               xxxxxxxx-xx

craftyguy commented 2 years ago

tl;dr: now I suspect that it's udev, so now I'm trying to figure out how to handle that....


I dug around in the udisks2 source to try and figure out how it is detecting encrypted volumes, and I think this "TODO" says it all: https://github.com/storaged-project/udisks/blob/master/src/udiskslinuxblock.c#L988

I've confirmed (through gdb) that udisksd is not finding any dm crypt devices on the system, which is odd because /dev/dm-0 exists and is the root partition...

foo:~$ udisksctl info -b /dev/dm-0
Error looking up object for device /dev/dm-0

I noticed that there are udev rules for device-mapper, and that the dm-0 device has some env set that seemed suspicious:

E: DM_UDEV_DISABLE_DISK_RULES_FLAG=1
E: DM_UDEV_DISABLE_OTHER_RULES_FLAG=1
E: DM_UDEV_DISABLE_SUBSYSTEM_RULES_FLAG=1

Specifically, it's this rule that is setting those flags:

ENV{DM_UDEV_RULES_VSN}!="1", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}!="1", GOTO="dm_disable"

And I confirmed it by removing that rule, and Portfolio was able to see the root partition disk as already mounted/unlocked!! Unfortunately those flags are set to help with coldplugging devices from initfs and allowing add events later without retriggering previously created devices, or something. udev in rootfs seems to expect udev in initfs to pass along the device database with already-initialized devices in it. Unfortunately for pmOS, we aren't using udev in initfs, so there's nothing to pass along and udev skips over the existing dm-0.

Anyways, unless you find some quick trick to ID the volume, it looks like I have a lot more work ahead of me to clean up this mess.
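
An added example, not part of the thread and not Portfolio's code: it parses `udisksctl dump` text and flags Encrypted devices whose CleartextDevice is '/' even though the kernel's sysfs `holders` directory shows a device stacked on them. The sample dump is constructed, the function names are hypothetical, and using `holders` as the cross-check is an assumption of this example, not what Portfolio or #261 does.

```python
import os

# Constructed sample in the shape of the `udisksctl dump` output pasted in this thread.
SAMPLE_DUMP = """\
/org/freedesktop/UDisks2/block_devices/loop0:
  org.freedesktop.UDisks2.Block:
    CryptoBackingDevice:        '/'
    Device:                     /dev/loop0
/org/freedesktop/UDisks2/block_devices/mmcblk0p2:
  org.freedesktop.UDisks2.Block:
    CryptoBackingDevice:        '/'
    Device:                     /dev/mmcblk0p2
    IdType:                     crypto_LUKS
    Symlinks:                   /dev/disk/by-id/mmc-EXAMPLE-part2
                                /dev/disk/by-path/platform-example.mmc-part2
  org.freedesktop.UDisks2.Encrypted:
    CleartextDevice:            '/'
"""

def parse_dump(text):
    """Return {object_path: {interface: {property: value}}}."""
    objects, obj, iface = {}, None, None
    for line in text.splitlines():
        body = line.strip()
        indent = len(line) - len(line.lstrip())
        if indent == 0 and body.endswith(":"):
            obj, iface = objects.setdefault(body[:-1], {}), None
        elif indent == 2 and body.endswith(":") and obj is not None:
            iface = obj.setdefault(body[:-1], {})
        elif indent == 4 and iface is not None and ":" in body:
            key, _, value = body.partition(":")
            iface[key] = value.strip()
        # Deeper indentation continues a multi-line value (Symlinks); skipped here.
    return objects

def holders(device, sysfs_root="/sys"):
    """Devices the kernel has stacked on `device`, e.g. dm-0 for an open mapping."""
    path = os.path.join(sysfs_root, "class", "block", os.path.basename(device), "holders")
    return sorted(os.listdir(path)) if os.path.isdir(path) else []

def unlocked_but_unreported(objects, sysfs_root="/sys"):
    """Encrypted devices with CleartextDevice '/' that nevertheless have a holder."""
    found = []
    for ifaces in objects.values():
        enc = ifaces.get("org.freedesktop.UDisks2.Encrypted")
        device = ifaces.get("org.freedesktop.UDisks2.Block", {}).get("Device")
        if enc is None or device is None or enc.get("CleartextDevice") != "'/'":
            continue
        stacked = holders(device, sysfs_root)
        if stacked:
            found.append((device, stacked))
    return found

if __name__ == "__main__":
    print(unlocked_but_unreported(parse_dump(SAMPLE_DUMP)))
```

A non-empty `holders` directory only shows that something is stacked on the partition; it does not by itself say the holder is a dm-crypt mapping.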

tchx84 commented 2 years ago

> tl;dr: now I suspect that it's udev, so now I'm trying to figure out how to handle that....

@craftyguy impressive detective work !

> unless you find some quick trick to ID the volume, it looks like I have a lot more work ahead of me to clean up this mess.

I need to get my head around this and see what I can do.

tchx84 commented 2 years ago

@craftyguy this is me thinking out of the box... see #261 (other FMs, such as Nautilus, do this)