Richard W.M. Jones
2020-Oct-09 15:33 UTC
Re: [Libguestfs] [PATCH v3 0/8] Windows BitLocker support.
On Fri, Oct 09, 2020 at 05:02:57PM +0200, Martin Kletzander wrote:
> Basically what I did was create a small disk, create one partition
> over the whole disk, then cryptsetup luksFormat the partition, open
> it and format it with a filesystem (without any LVM). That is one
> of the things you were adding support for, but it is not limited to
> Windows Bitlocker setup, it can just as well be a custom setup when
> installing any Linux distro.
>
> Even after quite a bit of fighting, rebuilding the appliance and so
> on I did not manage for it to show up in the list-filesystems or
> even do a cryptsetup-open on the partition even though it uses an
> appliance built from git master with the patches applied. But I'm
> quite sure I could've done something wrong, so if that works for
> you, that's enough.

There's something in the test suite that already does this, so

  $ make && make -C test-data check

should produce test-data/phony-guests/fedora-luks.img (see
test-data/phony-guests/make-fedora-img.pl for how).

This image can be opened:

  $ guestfish --ro -a test-data/phony-guests/fedora-luks.img -i

  Enter key or passphrase ("/dev/sda2"): FEDORA

  Welcome to guestfish, the guest filesystem shell for
  editing virtual machine filesystems and disk images.

  Type: ‘help’ for help on commands
        ‘man’ to read the manual
        ‘quit’ to quit the shell

  Operating system: Fedora release 14 (Phony)
  /dev/VG/Root mounted on /
  /dev/sda1 mounted on /boot

  ><fs> list-devices
  /dev/sda
  ><fs> list-partitions
  /dev/sda1
  /dev/sda2
  ><fs> vfs-type /dev/sda2
  crypto_LUKS

However ...

> Still, since you cannot do the test for Bitlocker, my idea was that
> you could make the test for non-lvm partition encrypted by LUKS as
> that would check some of the other code.

... cryptsetup cannot create a new BitLocker disk, which is rather
unfortunate. I created a BitLocker disk using Windows, and I'll
privately send you a link, but because of the cryptsetup problem
there's no way to automate this kind of test.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

Daniel P. Berrangé
2020-Oct-09 16:25 UTC
Re: [Libguestfs] [PATCH v3 0/8] Windows BitLocker support.
On Fri, Oct 09, 2020 at 04:33:53PM +0100, Richard W.M. Jones wrote:
> On Fri, Oct 09, 2020 at 05:02:57PM +0200, Martin Kletzander wrote:
> > Still, since you cannot do the test for Bitlocker, my idea was that
> > you could make the test for non-lvm partition encrypted by LUKS as
> > that would check some of the other code.
>
> ... cryptsetup cannot create a new BitLocker disk, which is rather
> unfortunate. I created a BitLocker disk using Windows, and I'll
> privately send you a link, but because of the cryptsetup problem
> there's no way to automate this kind of test.

If anyone is looking for a fun thing to hack on, it could be interesting
to add bitlocker support to QEMU's crypto block layer. That would give
you ability to create volumes with qemu-img, etc.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Martin Kletzander
2020-Oct-12 14:14 UTC
Re: [Libguestfs] [PATCH v3 0/8] Windows BitLocker support.
On Fri, Oct 09, 2020 at 04:33:53PM +0100, Richard W.M. Jones wrote:
>On Fri, Oct 09, 2020 at 05:02:57PM +0200, Martin Kletzander wrote:
>> Basically what I did was create a small disk, create one partition
>> over the whole disk, then cryptsetup luksFormat the partition, open
>> it and format it with a filesystem (without any LVM). That is one
>> of the things you were adding support for, but it is not limited to
>> Windows Bitlocker setup, it can just as well be a custom setup when
>> installing any Linux distro.
>>
>> Even after quite a bit of fighting, rebuilding the appliance and so
>> on I did not manage for it to show up in the list-filesystems or
>> even do a cryptsetup-open on the partition even though it uses an
>> appliance built from git master with the patches applied. But I'm
>> quite sure I could've done something wrong, so if that works for
>> you, that's enough.
>
>There's something in the test suite that already does this, so
>
>  $ make && make -C test-data check
>
>should produce test-data/phony-guests/fedora-luks.img (see
>test-data/phony-guests/make-fedora-img.pl for how).
>

Not really what I meant. What I had in mind was something like this:

  https://gitlab.com/nertpinx/libguestfs/-/commit/7c8ea3a35438f95dd822bd97c05a0b5fa0a702fa

which, according to me reading the code it might not have worked before your
series.

One more thing that I noticed when testing this a little bit more was that two
things were not updated:

 - internal API usage (for example the mentioned make-fedora-img.pl still uses
   luks_open)

 - various docs still refer to any encryption as LUKS and there is a *lot* of them

>This image can be opened:
>
>  $ guestfish --ro -a test-data/phony-guests/fedora-luks.img -i
>
>  Enter key or passphrase ("/dev/sda2"): FEDORA
>
>  Welcome to guestfish, the guest filesystem shell for
>  editing virtual machine filesystems and disk images.
>
>  Type: ‘help’ for help on commands
>        ‘man’ to read the manual
>        ‘quit’ to quit the shell
>
>  Operating system: Fedora release 14 (Phony)
>  /dev/VG/Root mounted on /
>  /dev/sda1 mounted on /boot
>
>  ><fs> list-devices
>  /dev/sda
>  ><fs> list-partitions
>  /dev/sda1
>  /dev/sda2
>  ><fs> vfs-type /dev/sda2
>  crypto_LUKS
>
>However ...
>
>> Still, since you cannot do the test for Bitlocker, my idea was that
>> you could make the test for non-lvm partition encrypted by LUKS as
>> that would check some of the other code.
>
>... cryptsetup cannot create a new BitLocker disk, which is rather
>unfortunate. I created a BitLocker disk using Windows, and I'll
>privately send you a link, but because of the cryptsetup problem
>there's no way to automate this kind of test.
>
>Rich.
>
>--
>Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
>Read my programming and virtualization blog: http://rwmj.wordpress.com
>virt-df lists disk usage of guests without needing to install any
>software inside the virtual machine. Supports Linux and Windows.
>http://people.redhat.com/~rjones/virt-df/

Richard W.M. Jones
2020-Oct-12 14:28 UTC
Re: [Libguestfs] [PATCH v3 0/8] Windows BitLocker support.
On Mon, Oct 12, 2020 at 04:14:27PM +0200, Martin Kletzander wrote:
> - internal API usage (for example the mentioned make-fedora-img.pl still uses
>   luks_open)

I'll fix these as I find them.

> - various docs still refer to any encryption as LUKS and there is a *lot* of them

Yup, that is going to take a while to resolve :-/

I guess the vast majority of encryption usage is still going to be
LUKS though, especially as you can't actually use BitLocker for new
disks on Linux.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/