yast / yast-storage-ng

Rewrite of https://github.com/yast/yast-storage
http://yast.github.io/
GNU General Public License v2.0

AutoYaST (SLE-15-SP5): support for advanced LUKS(2) settings #1352

Closed ancorgs closed 10 months ago

ancorgs commented 10 months ago

Problem

AutoYaST does not officially support LUKS2 or setting any of its advanced options.

In fact, preliminary support for LUKS2 was added to YaST at SLE-15-SP4 targeting only the interactive installation. That's explained at the description of #1245. Since there was no feedback about it, the feature was not developed any further.

As a consequence, LUKS2 works partially in AutoYaST if the boot argument YAST_LUKS2_AVAILABLE is used during installation. But there is no way to configure via AutoYaST some of the parameters that can be tweaked in the UI (like the PBKDF or the LUKS2 label). LUKS2 support for AutoYaST is not even officially documented.

But some SUSE customers want to configure LUKS2 devices during installation using AutoYaST, tweaking some of the luksFormat parameters. Even on already released versions of SLE.

Solution

This pull request removes the need to use YAST_LUKS2_AVAILABLE for using LUKS2 with AutoYaST. It's still needed in interactive installation or the UI corresponding to LUKS2 will be hidden.

This also adds support for four new attributes in a <partition> section of AutoYaST: <crypt_pbkdf>, <crypt_label>, <crypt_cipher> and <crypt_key_size>.

Those new attributes are honored when present in an AutoYaST profile (in those cases that make sense) and are also exported to the generated AutoYaST profile when cloning the system.

This pull request targets SLE-15-SP5, but it's still not clear in which version of SLES/Leap this will finally be released (there are security and testing implications).

Extra

This pull request also includes a relatively big commit to refactor a bit the class Y2Storage::AutoinstProfile::PartitionSection, encapsulating the logic for exporting (i.e. cloning the system) into a new inner class PartitionExporter.

That was triggered by Rubocop complaining about PartitionSection being too long and complex.

The refactoring is far from being a final solution, but it's likely a step in the right direction without introducing much disruption (despite its size, the commit actually just relocates and reorganizes existing code well covered by unit tests).

Testing

This pull request includes automated unit tests to verify the following aspects:

But apart from all those unit tests, this pull request has been successfully tested in a patched SLE-15-SP5 with the following AutoYaST definition. The result looks as expected.

<partitions t="list">
  <partition>
    <create t="boolean">true</create>
    <filesystem t="symbol">xfs</filesystem>
    <format t="boolean">true</format>
    <mount>/</mount>
    <size>12G</size>
  </partition>
  <partition>
    <create t="boolean">true</create>
    <filesystem t="symbol">xfs</filesystem>
    <mount>/home/crypt1</mount>
    <size>3G</size>
    <crypt_method t="symbol">luks2</crypt_method>
    <crypt_key>linuxlinux</crypt_key>
    <crypt_label>aesPBKDF2</crypt_label>
    <crypt_pbkdf t="symbol">pbkdf2</crypt_pbkdf>
  </partition>
  <partition>
    <create t="boolean">true</create>
    <filesystem t="symbol">xfs</filesystem>
    <mount>/home/crypt2</mount>
    <size>3G</size>
    <crypt_method t="symbol">luks2</crypt_method>
    <crypt_key>linuxlinux</crypt_key>
    <crypt_cipher>capi:xts(aes)-plain64</crypt_cipher>
  </partition>
  <partition>
    <create t="boolean">true</create>
    <filesystem t="symbol">xfs</filesystem>
    <mount>/home/crypt3</mount>
    <size>3G</size>
    <crypt_method t="symbol">luks2</crypt_method>
    <crypt_key>linuxlinux</crypt_key>
    <crypt_key_size t="integer">256</crypt_key_size>
  </partition>
  <partition>
    <create t="boolean">true</create>
    <filesystem t="symbol">xfs</filesystem>
    <mount>/home/crypt4</mount>
    <size>3G</size>
    <crypt_method t="symbol">luks2</crypt_method>
    <crypt_key>linuxlinux</crypt_key>
    <crypt_pbkdf t="symbol">argon2i</crypt_pbkdf>
    <crypt_label>twoFish512</crypt_label>
    <crypt_cipher>twofish-xts-plain64</crypt_cipher>
    <crypt_key_size t="integer">512</crypt_key_size>
  </partition>
  <partition>
    <create t="boolean">true</create>
    <filesystem t="symbol">xfs</filesystem>
    <mount>/home/crypt5</mount>
    <size>3G</size>
    <crypt_method t="symbol">luks1</crypt_method>
    <crypt_key>linuxlinux</crypt_key>
  </partition>
</partitions>

Dependencies

This depends on the corresponding updates on two other repositories: yast-autoyast and yast-schema.
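
An added example, not part of the pull request or of YaST: a small Ruby audit that reads the `<partition>` sections of a profile and reports security-relevant combinations of the attributes described above. The finding names and the sample profile are constructed for illustration, and it assumes `<crypt_key_size>` is given in bits, as the 256 and 512 values in the test profile suggest.

```ruby
require "rexml/document"

# Constructed sample profile fragment (not taken from a real system).
SAMPLE = <<~XML
  <partitions t="list">
    <partition>
      <mount>/home/a</mount>
      <crypt_method t="symbol">luks2</crypt_method>
      <crypt_key>example-passphrase</crypt_key>
      <crypt_pbkdf t="symbol">pbkdf2</crypt_pbkdf>
    </partition>
    <partition>
      <mount>/home/b</mount>
      <crypt_method t="symbol">luks1</crypt_method>
      <crypt_label>data</crypt_label>
      <crypt_cipher>aes-xts-plain64</crypt_cipher>
      <crypt_key_size t="integer">256</crypt_key_size>
    </partition>
    <partition>
      <mount>/home/c</mount>
      <crypt_method t="symbol">luks2</crypt_method>
      <crypt_pbkdf t="symbol">argon2id</crypt_pbkdf>
    </partition>
  </partitions>
XML
KNOWN_PBKDFS = %w[pbkdf2 argon2i argon2id].freeze # values cryptsetup accepts for --pbkdf

# Returns { mount point => [finding codes] } for every <partition> with findings.
def audit_luks(xml)
  report = {}
  REXML::Document.new(xml).elements.each("//partition") do |part|
    get = ->(name) { part.elements[name]&.text&.strip }
    scheme, pbkdf, cipher = get["crypt_method"], get["crypt_pbkdf"], get["crypt_cipher"]
    found = []
    found << :plaintext_key if get["crypt_key"] # passphrase readable by anyone holding the profile
    found << :unknown_pbkdf if pbkdf && !KNOWN_PBKDFS.include?(pbkdf)
    found << :pbkdf2_not_memory_hard if scheme == "luks2" && pbkdf == "pbkdf2"
    # LUKS1 has no label field and always uses PBKDF2, so these are LUKS2-only.
    %w[crypt_pbkdf crypt_label].each do |attr|
      found << :"#{attr}_needs_luks2" if get[attr] && scheme != "luks2"
    end
    # XTS splits the key into two halves: 256 bits of key means a 128-bit cipher key.
    found << :xts_key_halved if cipher.to_s.include?("xts") && get["crypt_key_size"] == "256"
    report[get["mount"]] = found unless found.empty?
  end
  report
end

p audit_luks(SAMPLE) if $PROGRAM_NAME == __FILE__
```
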

coveralls commented 10 months ago

coverage: 97.754% (+0.005%) from 97.749% when pulling d9b7be34a6f21d013309b9ed1fe052781528309a on ancorgs:luks_advanced_sp5 into 8e00070e4f6c07e4c8dc0fdf8861b76ea16231f4 on yast:SLE-15-SP5.

ancorgs commented 10 months ago

It was agreed to release this only for SLE-15-SP6 and upcoming versions (and TW, of course). So closing this in favor of #1355