Displaying 20 results from an estimated 27 matches for "keyslot".

2016 Dec 02
0
[PATCH] New API: cryptsetup_reencrypt: change the master volume key on LUKS partitions.
...ks.c +++ b/daemon/luks.c @@ -29,6 +29,7 @@ #define MAX_ARGS 64 GUESTFSD_EXT_CMD(str_cryptsetup, cryptsetup); +GUESTFSD_EXT_CMD(str_cryptsetup_reencrypt, cryptsetup_reencrypt); int optgroup_luks_available (void) @@ -294,3 +295,48 @@ do_luks_kill_slot (const char *device, const char *key, int keyslot) return 0; } + +int +optgroup_luksreencrypt_available (void) +{ + return prog_exists (str_cryptsetup_reencrypt); +} + +/* Takes optional arguments, consult optargs_bitmask. */ +int +do_cryptsetup_reencrypt (const char *device, const char *key, int keyslot, + const cha...
2019 Oct 17
0
Using Clevis/Tang (NBDE) to automatically decrypt volumes from within libguestfs
...ang: This is the server component, ie. it must always be running on the trusted network so your guests can boot unattended. - JOSE: Something something JSON encryption. Does some JSON reformatting and is otherwise very opaque. A disk from a VM which is using LUKS + NBDE will have a Clevis keyslot, shown in luksDump output: # cryptsetup luksDump /dev/sda2 ... Tokens: 0: clevis Keyslot: 1 It will also usually have one or more regular keyslots, since a guest which uses NBDE can also be booted disconnected from the trusted network using a regular passphrase at the keyboard. Th...
2011 Nov 10
5
[PATCH v2] Add tune2fs command.
The changes since the previous patch: - safe ADD_ARG macro for adding arguments to a fixed size stack array - support for testing functions that return RHashtable, ie. tune2fs-l. - add tests that set (tune2fs) and get (tune2fs-l) various parameters. - only one 'intervalbetweenchecks' parameter (in seconds) Rich.
2012 Feb 01
1
[PATCH] Clarify the error message when unavailable functions are called (RHBZ#679737).
..._ERROR (luks, -1); + /* Must be /dev/mapper/... */ if (! STRPREFIX (device, "/dev/mapper/")) { reply_with_error ("luks_close: you must call this on the /dev/mapper device created by luks_open"); @@ -210,6 +216,8 @@ luks_format (const char *device, const char *key, int keyslot, int do_luks_format (const char *device, const char *key, int keyslot) { + IF_NOT_AVAILABLE_ERROR (luks, -1); + return luks_format (device, key, keyslot, NULL); } @@ -217,6 +225,8 @@ int do_luks_format_cipher (const char *device, const char *key, int keyslot, cons...
2019 Nov 29
0
[PATCH 1/1] New API: luks_uuid
....ml | 1 + lib/MAX_PROC_NR | 2 +- 4 files changed, 35 insertions(+), 1 deletion(-) diff --git a/daemon/luks.c b/daemon/luks.c index 5c48a91eb..d631cb100 100644 --- a/daemon/luks.c +++ b/daemon/luks.c @@ -292,3 +292,28 @@ do_luks_kill_slot (const char *device, const char *key, int keyslot) return 0; } + +char * +do_luks_uuid (const char *device) +{ + const char *argv[MAX_ARGS]; + size_t i = 0; + + ADD_ARG (argv, i, "cryptsetup"); + ADD_ARG (argv, i, "luksUUID"); + ADD_ARG (argv, i, device); + ADD_ARG (argv, i, NULL); + + char *out = NULL; + CLEANUP_...
2014 Jan 20
2
guestfish and luks-format
Is "luks-format" supposed to work with guestfish? Like guestfish <<EOF luks-format /dev/sda4 0 EOF Apparently it lacks an option to give the passphrase programmatically. Was this option skipped on purpose? Olaf
2014 Jan 20
0
Re: guestfish and luks-format
...tically. > Was this option skipped on purpose? The underlying API takes a passphrase parameter, ie: guestfs_luks_format (guestfs_h *g, const char *device, const char *key, <<-- this one int keyslot); However the mapping between the API and guestfish intentionally omits these key/passphrase parameters. Instead guestfish is supposed to prompt for a passphrase. It does this using /dev/tty so you have to have a human type the passphrase. If you want to do this programmatically [apart from usi...
2010 Jul 30
1
[PATCH] New API: is-lv: check if a block device is a logical volume (RHBZ#619793)
...X_PROC_NR index 175b6c5..10b0c0d 100644 --- a/src/MAX_PROC_NR +++ b/src/MAX_PROC_NR @@ -1 +1 @@ -263 +264 diff --git a/src/generator.ml b/src/generator.ml index d537945..20f7ac0 100755 --- a/src/generator.ml +++ b/src/generator.ml @@ -4953,6 +4953,16 @@ This command deletes the key in key slot C<keyslot> from the encrypted LUKS device C<device>. C<key> must be one of the I<other> keys."); + ("is_lv", (RBool "lvflag", [Device "device"]), 264, [Optional "lvm2"], + [InitBasicFSonLVM, IfAvailable "lvm2", TestOutputTrue...
2012 Jan 12
1
Libguestfs gobject bindings
I'm currently working on gobject bindings for libguestfs. I haven't got as far as compiling anything yet, but I've attached the C header for initial review. Matt -- Matthew Booth, RHCA, RHCSS Red Hat Engineering, Virtualisation Team GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
2020 Mar 30
0
[PATCH 1/7] New APIs: cryptsetup-open and cryptsetup-close.
...= NULL; - int r = command (NULL, &err, "cryptsetup", "luksClose", mapname, NULL); - if (r == -1) { - reply_with_error ("%s", err); - return -1; - } - - udev_settle (); - - return 0; -} - static int luks_format (const char *device, const char *key, int keyslot, const char *cipher) diff --git a/generator/actions_core.ml b/generator/actions_core.ml index 9a24a8d78..54156b2b8 100644 --- a/generator/actions_core.ml +++ b/generator/actions_core.ml @@ -5664,52 +5664,6 @@ will be able to see every block device. This command also clears the LVM ca...
2020 Sep 07
0
[PATCH v2 1/7] New APIs: cryptsetup-open and cryptsetup-close.
...= NULL; - int r = command (NULL, &err, "cryptsetup", "luksClose", mapname, NULL); - if (r == -1) { - reply_with_error ("%s", err); - return -1; - } - - udev_settle (); - - return 0; -} - static int luks_format (const char *device, const char *key, int keyslot, const char *cipher) diff --git a/generator/actions_core.ml b/generator/actions_core.ml index 9a24a8d78..54156b2b8 100644 --- a/generator/actions_core.ml +++ b/generator/actions_core.ml @@ -5664,52 +5664,6 @@ will be able to see every block device. This command also clears the LVM ca...
2019 Nov 29
8
[PATCH 0/1] Allow UUIDs for --key identifiers.
This combined patch series enables decrypting LUKS devices on inspection by allowing the UUID of the LUKS device with the --key syntax. I opted for reusing the option instead of adding another one, as I think that device names and UUIDs are different enough that they can be properly distinguished. A test for this (patch #4) can be applied only when the patches for common are applied, and the
2020 Sep 07
9
[PATCH v2 0/7] Windows BitLocker support.
Original version linked from here: https://bugzilla.redhat.com/show_bug.cgi?id=1808977#c8 There is no change in the code in this series, but feedback from the original series was we shouldn't lose the error message in patch 7. When I tested this just now in fact we don't lose the error if debugging is enabled, but I have updated the commit message to note what the error message is in the
2020 Mar 30
9
[PATCH 0/7] Support Windows BitLocker (RHBZ#1808977).
These commits, along with the associated changes to common: https://www.redhat.com/archives/libguestfs/2020-March/msg00286.html support the transparent decryption and inspection of Windows guests encrypted with BitLocker encryption. To do the BitLocker decryption requires cryptsetup 2.3.0 (although cryptsetup 2.3 is not required for existing LUKS use). It also requires a new-ish Linux kernel, I
2020 Sep 17
13
[PATCH v3 0/8] Windows BitLocker support.
As discussed in the emails today, this is the third version addressing most points from the v1/v2 review. You will need to pair this with the changes in libguestfs-common from this series: https://www.redhat.com/archives/libguestfs/2020-September/msg00050.html Rich.
2017 Apr 21
0
[PATCH 1/2] generator: Simplify the handling of string parameters.
..."; shortdesc = "close a LUKS device"; longdesc = "\ @@ -5896,7 +5896,7 @@ of the underlying block device." }; { defaults with name = "luks_format"; added = (1, 5, 2); - style = RErr, [Device "device"; Key "key"; Int "keyslot"], []; + style = RErr, [String (Device, "device"); String (Key, "key"); Int "keyslot"], []; optional = Some "luks"; shortdesc = "format a block device as a LUKS encrypted device"; longdesc = "\ @@ -5907,7 +5907,7 @@ suppo...
2017 Apr 21
4
[PATCH 0/2] generator: Simplify the handling of string parameters.
Very large but mechanical change to the generator. Rich.
2019 Aug 12
1
[PATCH] Fix small issues in documentations of APIs
...f the underlying block device." }; longdesc = "\ This command erases existing data on C<device> and formats the device as a LUKS encrypted device. C<key> is the -initial key, which is added to key slot C<slot>. (LUKS +initial key, which is added to key slot C<keyslot>. (LUKS supports 8 key slots, numbered 0-7)." }; { defaults with @@ -6115,7 +6115,7 @@ See also: C<guestfs_lgetxattrs>, C<guestfs_getxattr>, L<attr(5)>." }; longdesc = "\ This command is the same as C<guestfs_resize2fs>, but the filesystem is...
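Review bot: the context line "(LUKS supports 8 key slots, numbered 0-7)" right after the corrected C<keyslot> reference in the luks_format longdesc is only true for LUKS1; LUKS2 headers allow up to 32 keyslots. Since this hunk already touches that sentence, consider wording it as "LUKS1 supports 8 key slots, numbered 0-7" so the documented range stays accurate for callers choosing a keyslot value.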
2017 Feb 21
1
[PATCH] generator: Put all the daemon procedure numbers (proc_nr)
This is a follow-up to the other generator changes in: https://www.redhat.com/archives/libguestfs/2017-February/msg00217.html Rich.
2012 Aug 30
2
[PATCH v2] daemon: collect list of called external commands
...yptsetup", "luksClose", mapname, NULL); + int r = command (NULL, &err, str_cryptsetup, "luksClose", mapname, NULL); if (r == -1) { reply_with_error ("%s", err); free (err); @@ -176,7 +178,7 @@ luks_format (const char *device, const char *key, int keyslot, char keyslot_s[16]; size_t i = 0; - ADD_ARG (argv, i, "cryptsetup"); + ADD_ARG (argv, i, str_cryptsetup); ADD_ARG (argv, i, "-q"); if (cipher) { ADD_ARG (argv, i, "--cipher"); @@ -238,7 +240,7 @@ do_luks_add_key (const char *device, const char *ke...