yast / yast-storage-ng

Rewrite of https://github.com/yast/yast-storage
http://yast.github.io/
GNU General Public License v2.0

AutoYaST (SLE-15-SP6): support for advanced LUKS(2) settings #1355

Closed ancorgs closed 1 year ago

ancorgs commented 1 year ago

Problem

AutoYaST does not officially support LUKS2 or setting any of its advanced options.

In fact, preliminary support for LUKS2 was added to YaST at SLE-15-SP4 targeting only the interactive installation. That's explained at the description of #1245. Since there was no feedback about it, the feature was not developed any further.

As a consequence, LUKS2 works partially in AutoYaST if the boot argument YAST_LUKS2_AVAILABLE is used during installation. But there is no way to configure via AutoYaST some of the parameters that can be tweaked in the UI (like the PBKDF or the LUKS2 label). LUKS2 support for AutoYaST is not even officially documented.

But some SUSE customers want to configure LUKS2 devices during installation using AutoYaST, tweaking some of the luksFormat parameters. Even on already released versions of SLE.

Solution

This pull request removes the need to use YAST_LUKS2_AVAILABLE for using LUKS2 with AutoYaST. It's still needed in interactive installation or the UI corresponding to LUKS2 will be hidden.

This also adds support for four new attributes in a <partition> section of AutoYaST: <crypt_pbkdf>, <crypt_label>, <crypt_cipher> and <crypt_key_size>.

Those new attributes are honored when present in an AutoYaST profile (in those cases that make sense) and are also exported to the generated AutoYaST profile when cloning the system.

This pull request targets SLE-15-SP6.

Extra

This pull request also includes a relatively big commit to refactor a bit the class Y2Storage::AutoinstProfile::PartitionSection, encapsulating the logic for exporting (i.e. cloning the system) into a new inner class PartitionExporter.

That was triggered by Rubocop complaining about PartitionSection being too long and complex.

The refactoring is far from being a final solution, but it's likely a step in the right direction without introducing much disruption (despite its size, the commit actually just relocates and reorganizes existing code well covered by unit tests).

Code review

As mentioned, most of the changes correspond to the code reorganization that actually should change nothing. To distinguish the trees from the forest it's highly advised to review commit by commit.

Automated Testing

This pull request includes automated unit tests to verify the following aspects:

Manual Testing

Apart from the mentioned unit tests, this pull request has been successfully tested in a patched SLE-15-SP5 with the following AutoYaST definition. The result looks as expected.

Input AutoYaST profile:

```xml
true xfs true / 12G true xfs /home/crypt1 3G luks2 linuxlinux aesPBKDF2 pbkdf2 true xfs /home/crypt2 3G luks2 linuxlinux capi:xts(aes)-plain64 true xfs /home/crypt3 3G luks2 linuxlinux 256 true xfs /home/crypt4 3G luks2 linuxlinux argon2i twoFish512 twofish-xts-plain64 512 true xfs /home/crypt5 3G luks1 linuxlinux
```

To complete the manual testing, the system resulting from the previously mentioned autoinstallation was cloned. It resulted in the expected profile (obviously more verbose than the input profile).

Cloned AutoYaST profile:

```xml
true xfs false root false false 16106127360 1 0 4194304 CT_LVM /dev/sda gpt false vfat true 259 1 false 104857600 false ntfs true 18 4 false 655360000 CT_DISK 1,4 /dev/sdb gpt false true false 263 1 false 4194304 true xfs true / uuid 131 2 false 12884901888 true aes-xts-plain64 ENTER KEY HERE 512 aesPBKDF2 luks2 pbkdf2 xfs true true /home/crypt1 device 131 3 false 3221225472 true capi:xts(aes)-plain64 ENTER KEY HERE 256 luks2 argon2id xfs true true /home/crypt2 device 131 4 false 3221225472 true aes-xts-plain64 ENTER KEY HERE 256 luks2 argon2id xfs true true /home/crypt3 device 131 5 false 3221225472 true twofish-xts-plain64 ENTER KEY HERE 512 twoFish512 luks2 argon2i xfs true true /home/crypt4 device 131 6 false 3221225472 true aes-xts-plain64 ENTER KEY HERE 512 luks1 xfs true true /home/crypt5 device 131 7 false 3221225472
```

Dependencies

This depends on the corresponding updates on two other repositories:

coveralls commented 1 year ago

Coverage Status

coverage: 97.76% (+0.004%) from 97.756% when pulling 4c4cf2ca665835fd2d0cf5b3f01c9066697b3f87 on ancorgs:luks_advanced_sp6 into e8fe69fa8d973a4369d4887951a03fa390d5368d on yast:SLE-15-SP6.

yast-bot commented 1 year ago

✔️ Internal Jenkins job #3 successfully finished

✔️ Created IBS submit request #308067
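
The pull request description above adds `<crypt_pbkdf>`, `<crypt_label>`, `<crypt_cipher>` and `<crypt_key_size>` to `<partition>` sections. As an added example (not code from this pull request or from YaST), here is a pre-deployment check that reads those attributes from a profile and reports settings worth a second look. It assumes the standard AutoYaST element names `<mount>`, `<crypt_method>` and `<crypt_key>` and a key size given in bits; the sample profile is constructed and trimmed to the fields the check reads.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.suse.com/1.0/yast2ns}"  # default namespace of AutoYaST profiles
PBKDFS = {"pbkdf2", "argon2i", "argon2id"}  # values that appear on this page

# Constructed, trimmed profile: only the fields the audit reads.
SAMPLE = """<profile xmlns="http://www.suse.com/1.0/yast2ns"><partitioning><drive><partitions>
<partition><mount>/home/a</mount><crypt_method>luks2</crypt_method>
  <crypt_key>linuxlinux</crypt_key><crypt_pbkdf>pbkdf2</crypt_pbkdf></partition>
<partition><mount>/home/b</mount><crypt_method>luks2</crypt_method>
  <crypt_pbkdf>argon2id</crypt_pbkdf><crypt_cipher>aes-xts-plain64</crypt_cipher>
  <crypt_key_size>256</crypt_key_size></partition>
<partition><mount>/home/c</mount><crypt_method>luks1</crypt_method>
  <crypt_label>data</crypt_label></partition>
<partition><mount>/</mount></partition>
</partitions></drive></partitioning></profile>"""


def audit(profile_xml):
    """Return {mount: [findings]} for each partition that sets crypt_method."""
    report = {}
    for part in ET.fromstring(profile_xml).iter(NS + "partition"):
        def get(name):
            return (part.findtext(NS + name) or "").strip()
        method = get("crypt_method")
        if not method:
            continue  # unencrypted partition, nothing to check
        found = []
        if get("crypt_key"):
            found.append("cleartext passphrase in profile")
        pbkdf, cipher, size = get("crypt_pbkdf"), get("crypt_cipher"), get("crypt_key_size")
        if method == "luks1" and (pbkdf or get("crypt_label")):
            found.append("LUKS2-only attribute on luks1")
        elif pbkdf and pbkdf not in PBKDFS:
            found.append("unknown pbkdf " + pbkdf)
        elif pbkdf == "pbkdf2":
            found.append("pbkdf2 is not memory-hard")
        if "xts" in cipher and size.isdigit() and int(size) < 512:
            # XTS splits the key in two halves, so 256 bits means AES-128.
            found.append("xts key of %s bits gives %d-bit cipher strength" % (size, int(size) // 2))
        report[get("mount")] = found
    return report


if __name__ == "__main__":
    for mount, found in audit(SAMPLE).items():
        print(mount, "->", "; ".join(found) or "ok")
```
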