search for: key_stor

On Wed, Jan 22, 2020 at 10:14:38AM +0100, Jan Synacek wrote: > -val inspect_decrypt : Guestfs.guestfs -> key_store -> unit > +val inspect_decrypt : Guestfs.guestfs -> ?allow_discards:bool -> key_store -> unit > > (** Simple implementation of decryption: look for any [crypto_LUKS] > partitions and decrypt them, then rescan for VGs. This only works > for Fedora whole-disk e...

...keys.c | 4 ++-- options/options.h | 6 +++--- 4 files changed, 14 insertions(+), 8 deletions(-) diff --git a/options/decrypt.c b/options/decrypt.c index 3511d9f..683cf5e 100644 --- a/options/decrypt.c +++ b/options/decrypt.c @@ -86,7 +86,13 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) char mapname[32]; make_mapname (partitions[i], mapname, sizeof mapname); - CLEANUP_FREE_STRING_LIST char **keys = get_keys (ks, partitions[i]); +#ifdef GUESTFS_HAVE_LUKS_UUID + CLEANUP_FREE char *uuid = guestfs_luks_uuid (g, partitions[i]); +#else + const char *...

...44 --- a/options/decrypt.c +++ b/options/decrypt.c @@ -26,6 +26,8 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <libintl.h> +#include <error.h> #include "c-ctype.h" @@ -74,21 +76,42 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) if (partitions == NULL) exit (EXIT_FAILURE); - int need_rescan = 0; - size_t i; + int need_rescan = 0, r; + size_t i, j; + for (i = 0; partitions[i] != NULL; ++i) { CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); if (type && STREQ (type, &quot...

...44 --- a/options/decrypt.c +++ b/options/decrypt.c @@ -26,6 +26,8 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <libintl.h> +#include <error.h> #include "c-ctype.h" @@ -74,21 +76,42 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) if (partitions == NULL) exit (EXIT_FAILURE); - int need_rescan = 0; - size_t i; + int need_rescan = 0, r; + size_t i, j; + for (i = 0; partitions[i] != NULL; ++i) { CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); if (type && STREQ (type, &quot...

...ue gv, value gpv, value keysv) +guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv, value allowdiscards) { - CAMLparam3 (gv, gpv, keysv); + CAMLparam4 (gv, gpv, keysv, allowdiscards); CAMLlocal2 (elemv, v); guestfs_h *g = (guestfs_h *) (intptr_t) Int64_val (gpv); struct key_store *ks = NULL; @@ -86,7 +86,7 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv) keysv = Field (keysv, 1); } - inspect_do_decrypt (g, ks); + inspect_do_decrypt (g, ks, Int_val (allowdiscards)); CAMLreturn (Val_unit); } diff --git a/mltools/tools_utils.ml b/mltoo...

The first patch fixes a rather serious bug, the second patch allows multiple --key parameters and default parameters. There is a third patch to libguestfs which adds a test, coming up. I did not yet review and fix the documentation. I think we need to centralize it in one place because at the moment the same documentation for --key is copy/pasted all over the tools. Rich.

v1: https://www.redhat.com/archives/libguestfs/2019-November/msg00036.html

This combined patch series enables to decrypt LUKS devices on inspection by allowing the UUID of the LUKS device with the --key syntax. I opted for reusing the option instead of adding another one, as I think that device names and UUIDs are different enough that can be properly distinguished. A test for this (patch #4) can be applied only when the patches for common are applied, and the

...filename/with/key * --key /dev/device:string:the-actual-key this way it is possible to pass all the credentials needed for the specific devices to open, with no risk of conflict with stdin, and also in a secure way (when using the "file" way). On the technical side: this adds a new "key_store" API for the C tools, making sure it is used only when needed. Partially mirror it also for the OCaml tools, although there will be a conversion to the C API because the decryption helpers used are in the common C parts. --- cat/cat.c | 6 ++ cat/log.c...

On Wed, Jan 22, 2020 at 10:50 AM Richard W.M. Jones <rjones@redhat.com> wrote: > On Wed, Jan 22, 2020 at 10:14:38AM +0100, Jan Synacek wrote: > > -val inspect_decrypt : Guestfs.guestfs -> key_store -> unit > > +val inspect_decrypt : Guestfs.guestfs -> ?allow_discards:bool -> > key_store -> unit > > > > (** Simple implementation of decryption: look for any [crypto_LUKS] > > partitions and decrypt them, then rescan for VGs. This only works > &gt...

Hi, the following series adds a --key option in the majority of tools: this makes it possible to pass LUKS credentials programmatically, avoid the need to manually input them, or unsafely pass them via stdin. Thanks, Pino Toscano (2): mltools: create a cmdline_options struct Introduce a --key option in tools that accept keys builder/cmdline.ml | 2 +-

...ue gv, value gpv, value keysv) +guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv, value allowdiscards) { - CAMLparam3 (gv, gpv, keysv); + CAMLparam4 (gv, gpv, keysv, allowdiscards); CAMLlocal2 (elemv, v); guestfs_h *g = (guestfs_h *) (intptr_t) Int64_val (gpv); struct key_store *ks = NULL; @@ -86,7 +86,7 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv) keysv = Field (keysv, 1); } - inspect_do_decrypt (g, ks); + inspect_do_decrypt (g, ks, Int_val (allowdiscards)); CAMLreturn (Val_unit); } diff --git a/mltools/tools_utils.ml b/mltoo...

Support transparent decryption/inspection of Windows guests encrypted with BitLocker encryption. This won't make much sense without the associated libguestfs patches which I will post momentarily. (Submodules, ho hum) Rich.

The following patch attempts to implement sparsification of LUKS-encrypted partitions. It uses lsblk to pair the underlying LUKS block device with its mapped name. Also, --allow-discards was added by default to luks_open(). There are several potential issues that I can think of: 1) If and entire device is encrypted (not just one of more partitions), the lsblk trick might not work. 2) The

For links to the original patch series, see: https://bugzilla.redhat.com/show_bug.cgi?id=1808977#c8 The original feedback was that ignoring errors from guestfs_luks_uuid would ignore legitimate errors from non-BitLocker disks, so I have modified this series so that errors are only ignored in the BitLocker case. As noted in the 4th patch there is no actual error in the BitLocker case, cryptsetup

...t. This should have no effect. --- options/keys.c | 35 ++++++++++++++--------------------- 1 file changed, 14 insertions(+), 21 deletions(-) diff --git a/options/keys.c b/options/keys.c index f783066..74b5497 100644 --- a/options/keys.c +++ b/options/keys.c @@ -153,49 +153,42 @@ get_key (struct key_store *ks, const char *device) } struct key_store * -key_store_add_from_selector (struct key_store *ks, const char *selector_orig) +key_store_add_from_selector (struct key_store *ks, const char *selector) { - CLEANUP_FREE char *selector = strdup (selector_orig); - const char *elem; - char *savep...

...+ b/options/decrypt.c >@@ -25,6 +25,7 @@ > > #include <stdio.h> > #include <stdlib.h> >+#include <stdbool.h> > #include <string.h> > #include <libintl.h> > #include <error.h> >@@ -82,11 +83,23 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) > CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); > if (type && > (STREQ (type, "crypto_LUKS") || STREQ (type, "BitLocker"))) { >+ bool is_bitlocker = STREQ (type, "BitLocker"); > char mapname[32];...

...les changed, 15 insertions(+), 12 deletions(-) diff --git a/mltools/tools_utils-c.c b/mltools/tools_utils-c.c index 3b80091..6c43b8d 100644 --- a/mltools/tools_utils-c.c +++ b/mltools/tools_utils-c.c @@ -57,8 +57,8 @@ guestfs_int_mllib_inspect_decrypt (value gv, value gpv, value keysv) struct key_store_key key; elemv = Field (keysv, 0); - key.device = strdup (String_val (Field (elemv, 0))); - if (!key.device) + key.id = strdup (String_val (Field (elemv, 0))); + if (!key.id) caml_raise_out_of_memory (); v = Field (elemv, 1); diff --git a/options/key-option.pod b/o...

...>#include <stdio.h> >> >#include <stdlib.h> >> >+#include <stdbool.h> >> >#include <string.h> >> >#include <libintl.h> >> >#include <error.h> >> >@@ -82,11 +83,23 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) >> > CLEANUP_FREE char *type = guestfs_vfs_type (g, partitions[i]); >> > if (type && >> > (STREQ (type, "crypto_LUKS") || STREQ (type, "BitLocker"))) { >> >+ bool is_bitlocker = STREQ (type, "BitLocker&quot...

From: Nikolay Ivanets <stenavin@gmail.com> v4 fixes issues found during code review: - whitespace-change-only hunks are removed - options are alphabetically orderred now v3 is just a spelling correction spotted by Eric Blake https://www.redhat.com/archives/libguestfs/2020-February/msg00111.html In v2 I've moved '--blocksize' parameter description into the separate file called