Support for LUKS2 in the GuidedProposal

[ancorgs]

Problem

The GuidedProposal (and its variants) is the component responsible of calculating a good storage layout to install the system. So far it's used:

• By YaST to calculate the initial storage proposal
• By YaST if the option "Guided Setup" is used in the partitioning screen
• By AutoYaST if any of the options for automatic partitioning or for guided partitioning is used
• By the current prototypes of D-Installer

For many reasons outlined in this bugzilla comment and several other places, the GuidedProposal always uses LUKS1 to encrypt the devices.

But recent versions of openSUSE Tumbleweed and the ALP prototypes include a heavily patched version of Grub2 that can handle LUKS2 reasonably well as long as PBKDF2 is used as password-based key derivation function.

When installing any ALP-based product with D-Installer we want to make it possible to use TPM-based encryption. For that, LUKS2 is the only option, it cannot work with LUKS1.

Solution

Important: this pull request also includes some previous commits to do some cleanup and refactor some parts. Review commit by commit.

Implement support for LUKS2 (with a configurable PBKDF) in the GuidedProposal so it can be used by D-Installer to implement TPM-based encryption.

There are no plans to use that capability from (Auto)YaST. Everything remains full backwards compatible using LUKS1 by default for any encryption done by the proposal.

The code assumes Grub2 can handle LUKS2 devices using PBKDF2. At the moment of writing, that is not true in the case of SLE-15-SP5 or any previous version of SLE or Leap. That implies we need to revisit that logic in the BootRequirementsChecker in the close future. On the bright side, Michael Chang commented he could make SLE-15-SP5 work just like TW in that regard. If that happens we would just need to remove the warning comments. :-)

GuidedProposal will always propose a separate unencrypted partition for /boot if LUKS2 is used with Argon2i or Argon2id, since Grub2 cannot handle those key derivation functions, not even in Tumbleweed or ALP-based systems. Due to a current bug, that's not true in the following case: LVM with the physical volumes encrypted with LUKS2 using Argon2i or Argon2id. The plan is to fix that in an upcoming pull request, to not block the current one (LVM+LUKS2 with Argon is out of the scope of both YaST and D-Installer for now).

Testing

• Tested manually. It works in a current Factory (and Grub2 indeed opens the LUKS2 device with PBKDF2)
• Created new unit tests and adapted the existing ones

Pending for the future (after merging)

• Fix the LVM+Argon2 case - BootRequirementsChecker is not proposing a separate /boot
• As explained above, we need to re-evaluate the SLE-15-SP5 case in the following months. Very likely SP5 will be adapted and we will only need to delete the comments.
• As the number of parameters to configure encryption grows, it would make sense to reconsider how those parameters are passed GuidedProposal. We could likely add some kind of new class (eg. EncryptionSettings) to encapsulate that information instead of using three fields in the already overloaded ProposalSettings.

[coveralls]

Coverage decreased (-0.002%) to 97.753% when pulling f7d23593cae7d78712c11a55a0c5d5ede8ea88c9 on ancorgs:luks2_proposal into 34339f561d2660ad15b8b2b2019ee579681877a5 on yast:master.

[yast-bot]

:heavy_check_mark: Public Jenkins job #448 successfully finished :heavy_check_mark: Created OBS submit request #1037139

[yast-bot]

:heavy_check_mark: Internal Jenkins job #1134 successfully finished :heavy_check_mark: Created IBS submit request #284782