Index: kiwi-9.24.47/kiwi/storage/luks_device.py
===================================================================
--- kiwi-9.24.47.orig/kiwi/storage/luks_device.py
+++ kiwi-9.24.47/kiwi/storage/luks_device.py
@@ -48,6 +48,7 @@ class LuksDevice(DeviceProvider):
self.luks_device: Optional[str] = None
self.luks_keyfile: Optional[str] = None
self.luks_name = 'luksRoot'
+ self.luks_randomize = True
self.option_map = {
'sle12': [
@@ -109,17 +110,19 @@ class LuksDevice(DeviceProvider):
if not passphrase:
log.warning('Using an empty passphrase for the key setup')
- log.info('--> Randomizing...')
- storage_size_mbytes = self.storage_provider.get_byte_size(
- storage_device
- ) / 1048576
- Command.run(
- [
- 'dd', 'if=/dev/urandom', 'bs=1M',
- 'count=%d' % storage_size_mbytes,
- 'of=%s' % storage_device
- ]
- )
+ if self.luks_randomize:
+ log.info('--> Randomizing...')
+ storage_size_mbytes = self.storage_provider.get_byte_size(
+ storage_device
+ ) / 1048576
+ Command.run(
+ [
+ 'dd', 'if=/dev/urandom', 'bs=1M',
+ 'count=%d' % storage_size_mbytes,
+ 'of=%s' % storage_device
+ ]
+ )
+
log.info('--> Creating LUKS map')
if passphrase:
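Review bot: The new `if self.luks_randomize:` guard carries no explanation of what is given up when it is false, and the skipped branch leaves no trace in the build log, so someone reading a later build log cannot tell whether randomization was disabled on purpose. Add a comment above the guard such as `# Filling the device with random data hides which blocks hold ciphertext; skipping it is only acceptable for a throwaway key that is re-encrypted at deployment`, and an `else:` branch with `log.info('--> Skipping randomization (luks_randomize=false)')` so the choice is recorded. Note also that `storage_size_mbytes` is a float from true division and `'count=%d'` truncates it, so a device whose size is not a whole number of MiB keeps a trailing partial MiB unrandomized; that is pre-existing behaviour but deserves a comment now that the block is being touched. The enclosing method starts before this hunk.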
Index: kiwi-9.24.47/kiwi/schema/kiwi.rnc
===================================================================
--- kiwi-9.24.47.orig/kiwi/schema/kiwi.rnc
+++ kiwi-9.24.47/kiwi/schema/kiwi.rnc
@@ -1963,6 +1963,17 @@ div {
sch:param [ name = "attr" value = "luksOS" ]
sch:param [ name = "types" value = "oem iso pxe kis" ]
]
+ k.type.luks_randomize.attribute =
+ ## By default, all blocks of a LUKS volume will be filled
+ ## with pseudo-random data. If you're shipping an image with
+ ## a well-known key, which is going to be re-encrypted at
+ ## deployment time, you can decrease the size of the image
+ ## by setting this attribute to false.
+ attribute luks_randomize { xsd:boolean }
+ >> sch:pattern [ id = "luks_randomize" is-a = "image_type"
+ sch:param [ name = "attr" value = "luksversion" ]
+ sch:param [ name = "types" value = "oem iso pxe kis" ]
+ ]
k.type.mdraid.attribute =
## Setup software raid in degraded mode with one disk
## Thus only mirroring and striping is possible
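Review bot: The schematron pattern added for the new attribute names the wrong attribute: `sch:param [ name = "attr" value = "luksversion" ]` should read `sch:param [ name = "attr" value = "luks_randomize" ]`, matching the `luksOS` pattern a few lines above and the pattern id on the same line. If the `image_type` abstract pattern uses `attr` as the attribute to restrict to the listed types, as the sibling patterns suggest, the check is applied to an attribute that does not exist under that name, so `luks_randomize` set on a type outside `oem iso pxe kis` would pass validation unnoticed. The same copy-paste value appears in the kiwi.rng hunk at `<sch:param name="attr" value="luksversion"/>` and needs the same fix.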
@@ -2148,6 +2159,7 @@ div {
k.type.luks.attribute? &
k.type.luks_version.attribute? &
k.type.luksOS.attribute? &
+ k.type.luks_randomize.attribute? &
k.type.mdraid.attribute? &
k.type.overlayroot.attribute? &
k.type.overlayroot_write_partition.attribute? &
Index: kiwi-9.24.47/kiwi/schema/kiwi.rng
===================================================================
--- kiwi-9.24.47.orig/kiwi/schema/kiwi.rng
+++ kiwi-9.24.47/kiwi/schema/kiwi.rng
@@ -2807,6 +2807,20 @@ distribution</a:documentation>
<sch:param name="types" value="oem iso pxe kis"/>
</sch:pattern>
</define>
+ <define name="k.type.luks_randomize.attribute">
+ <attribute name="luks_randomize">
+ <a:documentation>By default, all blocks of a LUKS volume will be filled
+with pseudo-random data. If you're shipping an image with
+a well-known key, which is going to be re-encrypted at
+deployment time, you can decrease the size of the image
+by setting this attribute to false.</a:documentation>
+ <data type="boolean"/>
+ </attribute>
+ <sch:pattern id="luks_randomize" is-a="image_type">
+ <sch:param name="attr" value="luksversion"/>
+ <sch:param name="types" value="oem iso pxe kis"/>
+ </sch:pattern>
+ </define>
<define name="k.type.mdraid.attribute">
<attribute name="mdraid">
<a:documentation>Setup software raid in degraded mode with one disk
@@ -3126,6 +3140,9 @@ kiwi-ng result bundle ...</a:documentati
<ref name="k.type.luksOS.attribute"/>
</optional>
<optional>
+ <ref name="k.type.luks_randomize.attribute"/>
+ </optional>
+ <optional>
<ref name="k.type.mdraid.attribute"/>
</optional>
<optional>
Index: kiwi-9.24.47/kiwi/xml_parse.py
===================================================================
--- kiwi-9.24.47.orig/kiwi/xml_parse.py
+++ kiwi-9.24.47/kiwi/xml_parse.py
@@ -19,7 +19,7 @@
# /home/okir/.local/bin/generateDS.py -f --external-encoding="utf-8" --no-dates --no-warnings -o "kiwi/xml_parse.py" kiwi/schema/kiwi_for_generateDS.xsd
#
# Current working directory (os.getcwd()):
-# kiwi-9.24.41
+# kiwi-9.24.47
#
import sys
@@ -2798,7 +2798,7 @@ class type_(GeneratedsSuper):
"""The Image Type of the Logical Extend"""
subclass = None
superclass = None
- def __init__(self, boot=None, bootfilesystem=None, firmware=None, bootkernel=None, bootpartition=None, bootpartsize=None, efipartsize=None, efifatimagesize=None, efiparttable=None, dosparttable_extended_layout=None, bootprofile=None, btrfs_quota_groups=None, btrfs_root_is_snapshot=None, btrfs_root_is_readonly_snapshot=None, compressed=None, devicepersistency=None, editbootconfig=None, editbootinstall=None, filesystem=None, flags=None, format=None, formatoptions=None, fsmountoptions=None, fscreateoptions=None, squashfscompression=None, gcelicense=None, hybridpersistent=None, hybridpersistent_filesystem=None, gpt_hybrid_mbr=None, force_mbr=None, initrd_system=None, image=None, metadata_path=None, installboot=None, install_continue_on_timeout=None, installprovidefailsafe=None, installiso=None, installstick=None, installpxe=None, mediacheck=None, kernelcmdline=None, luks=None, luks_version=None, luksOS=None, mdraid=None, overlayroot=None, overlayroot_write_partition=None, overlayroot_readonly_partsize=None, verity_blocks=None, embed_verity_metadata=None, standalone_integrity=None, embed_integrity_metadata=None, integrity_metadata_key_description=None, integrity_keyfile=None, primary=None, ramonly=None, rootfs_label=None, spare_part=None, spare_part_mountpoint=None, spare_part_fs=None, spare_part_fs_attributes=None, spare_part_is_last=None, target_blocksize=None, target_removable=None, selinux_policy=None, vga=None, vhdfixedtag=None, volid=None, wwid_wait_timeout=None, derived_from=None, ensure_empty_tmpdirs=None, xen_server=None, publisher=None, disk_start_sector=None, root_clone=None, boot_clone=None, bundle_format=None, bootloader=None, containerconfig=None, machine=None, oemconfig=None, size=None, systemdisk=None, partitions=None, vagrantconfig=None, installmedia=None, luksformat=None):
+ def __init__(self, boot=None, bootfilesystem=None, firmware=None, bootkernel=None, bootpartition=None, bootpartsize=None, efipartsize=None, efifatimagesize=None, efiparttable=None, dosparttable_extended_layout=None, bootprofile=None, btrfs_quota_groups=None, btrfs_root_is_snapshot=None, btrfs_root_is_readonly_snapshot=None, compressed=None, devicepersistency=None, editbootconfig=None, editbootinstall=None, filesystem=None, flags=None, format=None, formatoptions=None, fsmountoptions=None, fscreateoptions=None, squashfscompression=None, gcelicense=None, hybridpersistent=None, hybridpersistent_filesystem=None, gpt_hybrid_mbr=None, force_mbr=None, initrd_system=None, image=None, metadata_path=None, installboot=None, install_continue_on_timeout=None, installprovidefailsafe=None, installiso=None, installstick=None, installpxe=None, mediacheck=None, kernelcmdline=None, luks=None, luks_version=None, luksOS=None, luks_randomize=None, mdraid=None, overlayroot=None, overlayroot_write_partition=None, overlayroot_readonly_partsize=None, verity_blocks=None, embed_verity_metadata=None, standalone_integrity=None, embed_integrity_metadata=None, integrity_metadata_key_description=None, integrity_keyfile=None, primary=None, ramonly=None, rootfs_label=None, spare_part=None, spare_part_mountpoint=None, spare_part_fs=None, spare_part_fs_attributes=None, spare_part_is_last=None, target_blocksize=None, target_removable=None, selinux_policy=None, vga=None, vhdfixedtag=None, volid=None, wwid_wait_timeout=None, derived_from=None, ensure_empty_tmpdirs=None, xen_server=None, publisher=None, disk_start_sector=None, root_clone=None, boot_clone=None, bundle_format=None, bootloader=None, containerconfig=None, machine=None, oemconfig=None, size=None, systemdisk=None, partitions=None, vagrantconfig=None, installmedia=None, luksformat=None):
self.original_tagname_ = None
self.boot = _cast(None, boot)
self.bootfilesystem = _cast(None, bootfilesystem)
@@ -2844,6 +2844,7 @@ class type_(GeneratedsSuper):
self.luks = _cast(None, luks)
self.luks_version = _cast(None, luks_version)
self.luksOS = _cast(None, luksOS)
+ self.luks_randomize = _cast(bool, luks_randomize)
self.mdraid = _cast(None, mdraid)
self.overlayroot = _cast(bool, overlayroot)
self.overlayroot_write_partition = _cast(bool, overlayroot_write_partition)
@@ -3066,6 +3067,8 @@ class type_(GeneratedsSuper):
def set_luks_version(self, luks_version): self.luks_version = luks_version
def get_luksOS(self): return self.luksOS
def set_luksOS(self, luksOS): self.luksOS = luksOS
+ def get_luks_randomize(self): return self.luks_randomize
+ def set_luks_randomize(self, luks_randomize): self.luks_randomize = luks_randomize
def get_mdraid(self): return self.mdraid
def set_mdraid(self, mdraid): self.mdraid = mdraid
def get_overlayroot(self): return self.overlayroot
@@ -3344,6 +3347,9 @@ class type_(GeneratedsSuper):
if self.luksOS is not None and 'luksOS' not in already_processed:
already_processed.add('luksOS')
outfile.write(' luksOS=%s' % (self.gds_encode(self.gds_format_string(quote_attrib(self.luksOS), input_name='luksOS')), ))
+ if self.luks_randomize is not None and 'luks_randomize' not in already_processed:
+ already_processed.add('luks_randomize')
+ outfile.write(' luks_randomize="%s"' % self.gds_format_boolean(self.luks_randomize, input_name='luks_randomize'))
if self.mdraid is not None and 'mdraid' not in already_processed:
already_processed.add('mdraid')
outfile.write(' mdraid=%s' % (self.gds_encode(self.gds_format_string(quote_attrib(self.mdraid), input_name='mdraid')), ))
@@ -3756,6 +3762,15 @@ class type_(GeneratedsSuper):
already_processed.add('luksOS')
self.luksOS = value
self.luksOS = ' '.join(self.luksOS.split())
+ value = find_attr_value_('luks_randomize', node)
+ if value is not None and 'luks_randomize' not in already_processed:
+ already_processed.add('luks_randomize')
+ if value in ('true', '1'):
+ self.luks_randomize = True
+ elif value in ('false', '0'):
+ self.luks_randomize = False
+ else:
+ raise_parse_error(node, 'Bad boolean attribute')
value = find_attr_value_('mdraid', node)
if value is not None and 'mdraid' not in already_processed:
already_processed.add('mdraid')
Index: kiwi-9.24.47/kiwi/builder/disk.py
===================================================================
--- kiwi-9.24.47.orig/kiwi/builder/disk.py
+++ kiwi-9.24.47/kiwi/builder/disk.py
@@ -133,6 +133,7 @@ class DiskBuilder:
self.root_filesystem_embed_integrity_metadata = \
xml_state.build_type.get_embed_integrity_metadata()
self.luks_format_options = xml_state.get_luks_format_options()
+ self.luks_randomize = xml_state.build_type.get_luks_randomize()
self.luks_os = xml_state.build_type.get_luksOS()
self.xen_server = xml_state.is_xen_server()
self.requested_filesystem = xml_state.build_type.get_filesystem()
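Review bot: `xml_state.build_type.get_luks_randomize()` yields `None` when the attribute is absent from the image description, and the later hunk in this file assigns that value straight into `luks_root.luks_randomize`, replacing the `True` default set in `LuksDevice.__init__`; the `if self.luks_randomize:` guard in luks_device.py then skips randomization, so the documented default ("all blocks ... filled with pseudo-random data") silently flips to no randomization for every image that does not set the attribute. This assumes the generated `_cast(bool, None)` passes `None` through, which is how the other boolean attributes in xml_parse.py are initialised as well — confirm against the helper. The cheapest fix is on this line: `self.luks_randomize = xml_state.build_type.get_luks_randomize() is not False`, or alternatively guard the later assignment with `if self.luks_randomize is not None:`. A unit test asserting that a description without the attribute still runs the dd step would catch this regression.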
@@ -342,6 +343,7 @@ class DiskBuilder:
self.luks_boot_keyfile = ''.join(
[self.root_dir, self.luks_boot_keyname]
)
+ luks_root.luks_randomize = self.luks_randomize
# use LUKS key file for the following conditions:
# 1. /boot is encrypted
# In this case grub needs to read from LUKS via the