search for: luks_open

The following patch attempts to implement sparsification of LUKS-encrypted partitions. It uses lsblk to pair the underlying LUKS block device with its mapped name. Also, --allow-discards was added by default to luks_open(). There are several potential issues that I can think of: 1) If and entire device is encrypted (not just one of more partitions), the lsblk trick might not work. 2) The --allow-discards is needed to be able to run fstrim on a decrypted partition. I *think* that it's safe to be added uncondi...

...pe mnt] + ) (* A single btrfs device can turn into many volumes. *) else if vfs_type = "btrfs" then ( diff --git a/daemon/luks.c b/daemon/luks.c index d631cb100..306b2dcfb 100644 --- a/daemon/luks.c +++ b/daemon/luks.c @@ -83,7 +83,7 @@ remove_temp (char *tempfile) static int luks_open (const char *device, const char *key, const char *mapname, - int readonly) + int readonly, int allowdiscards) { /* Sanity check: /dev/mapper/mapname must not exist already. Note * that the device-mapper control device (/dev/mapper/control) is @@ -110,6 +110,7 @@ luks_op...

...pe mnt] + ) (* A single btrfs device can turn into many volumes. *) else if vfs_type = "btrfs" then ( diff --git a/daemon/luks.c b/daemon/luks.c index d631cb100..306b2dcfb 100644 --- a/daemon/luks.c +++ b/daemon/luks.c @@ -83,7 +83,7 @@ remove_temp (char *tempfile) static int luks_open (const char *device, const char *key, const char *mapname, - int readonly) + int readonly, int allowdiscards) { /* Sanity check: /dev/mapper/mapname must not exist already. Note * that the device-mapper control device (/dev/mapper/control) is @@ -110,6 +110,7 @@ luks_op...

...ST char **partitions = guestfs_list_partitions (g); if (partitions == NULL) @@ -101,7 +101,8 @@ inspect_do_decrypt (guestfs_h *g, struct key_store *ks) * is set? This might break 'mount_ro'. */ guestfs_push_error_handler (g, NULL, NULL); - r = guestfs_luks_open (g, partitions[i], keys[j], mapname); + r = guestfs_luks_open_opts (g, partitions[i], keys[j], mapname, + GUESTFS_LUKS_OPEN_OPTS_ALLOWDISCARDS, allowdiscards, -1); guestfs_pop_error_handler (g); if (r == 0) goto opened; diff --g...

On Tue, Jan 21, 2020 at 03:07:11PM +0100, Jan Synacek wrote: > The following patch attempts to implement sparsification of > LUKS-encrypted partitions. It uses lsblk to pair the underlying LUKS > block device with its mapped name. Also, --allow-discards was added > by default to luks_open(). > > There are several potential issues that I can think of: > > 1) If and entire device is encrypted (not just one of more partitions), > the lsblk trick might not work. > > 2) The --allow-discards is needed to be able to run fstrim on a > decrypted partition. I *think*...

...t for existing callers we do not specify the + * crypttype parameter. This means that callers of these APIs + * will be able to open BitLocker drives transparently. (If + * we wanted to be strict we would pass ~crypttype:"luks" + * here, but that seems to have only downsides). + *) +let luks_open device key mapname = cryptsetup_open device key mapname +let luks_open_ro device key mapname = + cryptsetup_open ~readonly:true device key mapname +let luks_close = cryptsetup_close diff --git a/daemon/luks.c b/daemon/luks.c index d631cb100..51ced585d 100644 --- a/daemon/luks.c +++ b/daemon/luks.c...

...t for existing callers we do not specify the + * crypttype parameter. This means that callers of these APIs + * will be able to open BitLocker drives transparently. (If + * we wanted to be strict we would pass ~crypttype:"luks" + * here, but that seems to have only downsides). + *) +let luks_open device key mapname = cryptsetup_open device key mapname +let luks_open_ro device key mapname = + cryptsetup_open ~readonly:true device key mapname +let luks_close = cryptsetup_close diff --git a/daemon/luks.c b/daemon/luks.c index d631cb100..51ced585d 100644 --- a/daemon/luks.c +++ b/daemon/luks.c...

Original version linked from here: https://bugzilla.redhat.com/show_bug.cgi?id=1808977#c8 There is no change in the code in this series, but feedback from the original series was we shouldn't lose the error message in patch 7. When I tested this just now in fact we don't lose the error if debugging is enabled, but I have updated the commit message to note what the error message is in the

These commits, along with the associated changes to common: https://www.redhat.com/archives/libguestfs/2020-March/msg00286.html support the transparent decryption and inspection of Windows guests encrypted with BitLocker encryption. To do the BitLocker decryption requires cryptsetup 2.3.0 (although cryptsetup 2.3 is not required for existing LUKS use). It also requires a new-ish Linux kernel, I

As discussed in the emails today, this is the third version addressing most points from the v1/v2 review. You will need to pair this with the changes in libguestfs-common from this series: https://www.redhat.com/archives/libguestfs/2020-September/msg00050.html Rich.

On Fri, Oct 09, 2020 at 05:02:57PM +0200, Martin Kletzander wrote: > Basically what I did was create a small disk, create one partition > over the whole disk, then cryptsetup luksFormat the partition, open > it and format it with a filesystem (without any LVM). That is one > of the things you were adding support for, but it is not limited to > Windows Bitlocker setup, it can just

...; + * crypttype parameter. This means that callers of these APIs > + * will be able to open BitLocker drives transparently. (If > + * we wanted to be strict we would pass ~crypttype:"luks" > + * here, but that seems to have only downsides). I disagree here: if an user uses the luks_open API, IMHO they expect it to be LUKS; if they want to use other types, then they want to switch to the new cryptsetup_open. So I'd pass ~crypttype:"luks" in luks_open. > + { defaults with > + name = "cryptsetup_open"; added = (1, 43, 1); > + style = RErr, [St...

...part in + Some [mnt, Blkid.vfs_type mnt] + ) (* A single btrfs device can turn into many volumes. *) else if vfs_type = "btrfs" then ( diff --git a/daemon/luks.c b/daemon/luks.c index d631cb100..1ffeaf293 100644 --- a/daemon/luks.c +++ b/daemon/luks.c @@ -110,6 +110,7 @@ luks_open (const char *device, const char *key, const char *mapname, ADD_ARG (argv, i, "-d"); ADD_ARG (argv, i, tempfile); if (readonly) ADD_ARG (argv, i, "--readonly"); + ADD_ARG (argv, i, "--allow-discards"); ADD_ARG (argv, i, "luksOpen"); ADD_ARG (ar...

...;\n" out with > + | "" -> None > + | part -> > + let mnt = Mountable.of_path @@ "/dev/mapper/" ^ part in > + Some [mnt, Blkid.vfs_type mnt] Now Some doesn't line up with let :-/ > { defaults with > name = "luks_open"; added = (1, 5, 1); > - style = RErr, [String (Device, "device"); String (Key, "key"); String (PlainString, "mapname")], []; > + style = RErr, [String (Device, "device"); String (Key, "key"); String (PlainString, "mapname&quot...

...822bd97c05a0b5fa0a702fa which, according to me reading the code it might not have worked before your series. One more thing that I noticed when testing this a little bit more was that two things were not updated: - internal API usage (for example the mentioned make-fedora-img.pl still uses luks_open) - various docs still refer to any encryption as LUKS and there is *lot* of them >This image can be opened: > > $ guestfish --ro -a test-data/phony-guests/fedora-luks.img -i > > Enter key or passphrase ("/dev/sda2"): FEDORA > > Welcome to guestfish, the guest f...

...-1,5 +1,5 @@ /* libguestfs - the guestfsd daemon - * Copyright (C) 2010 Red Hat Inc. + * Copyright (C) 2010-2012 Red Hat Inc. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -129,18 +129,24 @@ luks_open (const char *device, const char *key, const char *mapname, int do_luks_open (const char *device, const char *key, const char *mapname) { + IF_NOT_AVAILABLE_ERROR (luks, -1); + return luks_open (device, key, mapname, 0); } int do_luks_open_ro (const char *device, const char *key, const c...

...in callback: wrong argument type Proc (expected Data)" - 731744 libguestfs should escape special/non-printing characters in debug output - 729887 appliance crashes running aug_init with flags=4 - 729075 libguestfs confuses Hp_recovery partition with Windows root filesystem - 727178 error: luks_open: cryptsetup: error while loading shared libraries: libfipscheck.so.1: cannot open shared object file: No such file or directory - 726739 libguestfs: error: aug_get: no matching node, trying to find hostname - 723474 If hivex and/or pcre not installed, libguestfs fails to compile - 693359 virt-ca...

...> - snprintf (filename, len+10, "%s/%08d", dir, i); > + CLEANUP_FREE char *filename; Missing "= NULL" here. > diff --git a/daemon/luks.c b/daemon/luks.c > index a720e25..b8530c5 100644 > --- a/daemon/luks.c > +++ b/daemon/luks.c > @@ -91,9 +91,11 @@ luks_open (const char *device, const char *key, const char *mapname, > * that the device-mapper control device (/dev/mapper/control) is > * always there, so you can't ever have mapname == "control". > */ > - size_t len = strlen (mapname); > - char devmapper[len+32];...

I was attempting one way to solve: https://bugzilla.redhat.com/show_bug.cgi?id=1400332 "RFE: virt-builder should support templates with encrypted filesystems" However this approach doesn't really work because templates containing encrypted partitions cannot be compressed, and therefore the guest template would be a multi-gigabyte download. I better approach will likely be to use

v2: - Changes as suggested by Pino in previous review.