AutoYaST does not officially support LUKS2 or setting any of its advanced options.
In fact, preliminary support for LUKS2 was added to YaST at SLE-15-SP4 targeting only the interactive installation. That's explained at the description of #1245. Since there was no feedback about it, the feature was not developed any further.
As a consequence, LUKS2 works partially in AutoYaST if the boot argument YAST_LUKS2_AVAILABLE is used during installation. But there is no way to configure via AutoYaST some of the parameters than can be tweaked in the UI (like the PBKDF or the LUKS2 label). LUKS2 support for AutoYaST is not even officially documented.
But some SUSE customers want to configure LUKS2 devices during installation using AutoYaST, tweaking some of the luksFormat parameters. Even on already released versions of SLE.
Solution
This pull request removes the need to use YAST_LUKS2_AVAILABLE for using LUKS2 with AutoYaST. It's still needed in interactive installation or the UI corresponding to LUKS2 will be hidden.
This also adds support for four new attributes in a <partition> section of AutoYaST: <crypt_pbkdf>, <crypt_label>, <crypt_cipher> and <crypt_key_size>.
Those new attributes are honored when present in an AutoYaST profile (in those cases that make sense) and are also exported to the generated AutoYaST profile when cloning the system.
This pull request targets SLE-15-SP6.
Extra
This pull request also includes a relatively big commit to refactor a bit the class Y2Storage::AutoinstProfile::PartitionSection, encapsulating the logic for exporting (ie. cloning the system) into an new inner class PartitionExporter.
That was triggered by Rubocop complaining about PartitionSection being too long and complex.
The refactoring is far from being a final solution, but it's likely a step into the right direction without introducing much disruption (despite its size, the commit actually just relocates and reorganizes existing code well covered by unit tests).
Code review
As mentioned, most of the changes correspond to the code reorganization that actually should change nothing. To distinguish the trees from the forest it's highly advised to review commit by commit.
Automated Testing
This pull request includes automated unit tests to verify the following aspects:
The new attributes <crypt_cipher> and <crypt_key_size> are honored for devices encrypted with the LUKS1 and LUKS2 encryption methods.
The new attributes <crypt_pbkdf> and <crypt_label> are honored for devices encrypted with the LUKS2 encryption method.
The four attributes are ignored for all other encryptions methods (like SECURE_SWAP).
AutoYaST suggests to create an extra unencrypted /boot partition if LUKS2 is used for root with a password-based key derivation function not supported by Grub2.
AutoYaST does not suggest a separate /boot if root is encrypted with LUKS2 using PBKDF2 as derivation function.
Cloning a system writes the new attributes to the AutoYaST profile if they are known and make sense.
Manual Testing
Apart from the mentioned unit tests, this pull request has been successfully tested in a patched SLE-15-SP5 with the following AutoYaST definition. The result looks as expected.
Expand to see the input AutoYaST profile
```xml
truexfstrue/12Gtruexfs/home/crypt13Gluks2linuxlinuxaesPBKDF2pbkdf2truexfs/home/crypt23Gluks2linuxlinuxcapi:xts(aes)-plain64truexfs/home/crypt33Gluks2linuxlinux256truexfs/home/crypt43Gluks2linuxlinuxargon2itwoFish512twofish-xts-plain64512truexfs/home/crypt53Gluks1linuxlinux
```
To complete the manual testing, the system resulting from the previously mentioned autoinstallation was clonned. It resulted in the expected profile (obviously more verbose than the input profile).
Expand to see the cloned AutoYaST profile
```xml
truexfsfalserootfalsefalse16106127360104194304CT_LVM/dev/sdagptfalsevfattrue2591false104857600falsentfstrue184false655360000CT_DISK/dev/sdbgptfalsetruefalse2631false4194304truexfstrue/uuid1312false12884901888trueaes-xts-plain64ENTER KEY HERE512aesPBKDF2luks2pbkdf2xfstruetrue/home/crypt1device1313false3221225472truecapi:xts(aes)-plain64ENTER KEY HERE256luks2argon2idxfstruetrue/home/crypt2device1314false3221225472trueaes-xts-plain64ENTER KEY HERE256luks2argon2idxfstruetrue/home/crypt3device1315false3221225472truetwofish-xts-plain64ENTER KEY HERE512twoFish512luks2argon2ixfstruetrue/home/crypt4device1316false3221225472trueaes-xts-plain64ENTER KEY HERE512luks1xfstruetrue/home/crypt5device1317false3221225472
```
Dependencies
This depends on the corresponding updates on two other repositories:
coverage: 97.76% (+0.004%) from 97.756% when pulling 4c4cf2ca665835fd2d0cf5b3f01c9066697b3f87 on ancorgs:luks_advanced_sp6 into e8fe69fa8d973a4369d4887951a03fa390d5368d on yast:SLE-15-SP6.
Problem
AutoYaST does not officially support LUKS2 or setting any of its advanced options.
In fact, preliminary support for LUKS2 was added to YaST at SLE-15-SP4 targeting only the interactive installation. That's explained at the description of #1245. Since there was no feedback about it, the feature was not developed any further.
As a consequence, LUKS2 works partially in AutoYaST if the boot argument
YAST_LUKS2_AVAILABLE
is used during installation. But there is no way to configure via AutoYaST some of the parameters than can be tweaked in the UI (like the PBKDF or the LUKS2 label). LUKS2 support for AutoYaST is not even officially documented.But some SUSE customers want to configure LUKS2 devices during installation using AutoYaST, tweaking some of the luksFormat parameters. Even on already released versions of SLE.
Solution
This pull request removes the need to use
YAST_LUKS2_AVAILABLE
for using LUKS2 with AutoYaST. It's still needed in interactive installation or the UI corresponding to LUKS2 will be hidden.This also adds support for four new attributes in a
<partition>
section of AutoYaST:<crypt_pbkdf>
,<crypt_label>
,<crypt_cipher>
and<crypt_key_size>
.Those new attributes are honored when present in an AutoYaST profile (in those cases that make sense) and are also exported to the generated AutoYaST profile when cloning the system.
This pull request targets SLE-15-SP6.
Extra
This pull request also includes a relatively big commit to refactor a bit the class
Y2Storage::AutoinstProfile::PartitionSection
, encapsulating the logic for exporting (ie. cloning the system) into an new inner classPartitionExporter
.That was triggered by Rubocop complaining about
PartitionSection
being too long and complex.The refactoring is far from being a final solution, but it's likely a step into the right direction without introducing much disruption (despite its size, the commit actually just relocates and reorganizes existing code well covered by unit tests).
Code review
As mentioned, most of the changes correspond to the code reorganization that actually should change nothing. To distinguish the trees from the forest it's highly advised to review commit by commit.
Automated Testing
This pull request includes automated unit tests to verify the following aspects:
<crypt_cipher>
and<crypt_key_size>
are honored for devices encrypted with the LUKS1 and LUKS2 encryption methods.<crypt_pbkdf>
and<crypt_label>
are honored for devices encrypted with the LUKS2 encryption method./boot
partition if LUKS2 is used for root with a password-based key derivation function not supported by Grub2./boot
if root is encrypted with LUKS2 using PBKDF2 as derivation function.Manual Testing
Apart from the mentioned unit tests, this pull request has been successfully tested in a patched SLE-15-SP5 with the following AutoYaST definition. The result looks as expected.
Expand to see the input AutoYaST profile
```xmlTo complete the manual testing, the system resulting from the previously mentioned autoinstallation was clonned. It resulted in the expected profile (obviously more verbose than the input profile).
Expand to see the cloned AutoYaST profile
```xmlDependencies
This depends on the corresponding updates on two other repositories: