File luks-optional-randomize.patch of Package python-kiwi
Index: kiwi-9.24.47/kiwi/storage/luks_device.py =================================================================== --- kiwi-9.24.47.orig/kiwi/storage/luks_device.py +++ kiwi-9.24.47/kiwi/storage/luks_device.py @@ -48,6 +48,7 @@ class LuksDevice(DeviceProvider): self.luks_device: Optional[str] = None self.luks_keyfile: Optional[str] = None self.luks_name = 'luksRoot' + self.luks_randomize = True self.option_map = { 'sle12': [ @@ -109,17 +110,19 @@ class LuksDevice(DeviceProvider): if not passphrase: log.warning('Using an empty passphrase for the key setup') - log.info('--> Randomizing...') - storage_size_mbytes = self.storage_provider.get_byte_size( - storage_device - ) / 1048576 - Command.run( - [ - 'dd', 'if=/dev/urandom', 'bs=1M', - 'count=%d' % storage_size_mbytes, - 'of=%s' % storage_device - ] - ) + if self.luks_randomize: + log.info('--> Randomizing...') + storage_size_mbytes = self.storage_provider.get_byte_size( + storage_device + ) / 1048576 + Command.run( + [ + 'dd', 'if=/dev/urandom', 'bs=1M', + 'count=%d' % storage_size_mbytes, + 'of=%s' % storage_device + ] + ) + log.info('--> Creating LUKS map') if passphrase: Index: kiwi-9.24.47/kiwi/schema/kiwi.rnc =================================================================== --- kiwi-9.24.47.orig/kiwi/schema/kiwi.rnc +++ kiwi-9.24.47/kiwi/schema/kiwi.rnc 
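Review bot: The new `if self.luks_randomize:` guard in the second luks_device.py hunk skips the urandom fill without leaving any trace in the build log. Without the fill, sectors that are never written through the LUKS mapping keep whatever the backing device held (presumably zeros for a fresh image file), so used and unused regions of the volume are distinguishable. I would add an `else:` arm with `log.warning('--> Skipping randomization of LUKS device')` and a comment above the `if` saying the flag is meant only for images whose key is replaced at deployment. The enclosing method starts and ends outside the hunk.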
@@ -1963,6 +1963,17 @@ div {
 sch:param [ name = "attr" value = "luksOS" ]
 sch:param [ name = "types" value = "oem iso pxe kis" ]
 ]
+ k.type.luks_randomize.attribute =
+ ## By default, all blocks of a LUKS volume will be filled
+ ## with pseudo-random data. If you're shipping an image with
+ ## a well-known key, which is going to be re-encrypted at
+ ## deployment time, you can decrease the size of the image
+ ## by setting this attribute to false.
+ attribute luks_randomize { xsd:boolean }
+ >> sch:pattern [ id = "luks_randomize" is-a = "image_type"
+ sch:param [ name = "attr" value = "luksversion" ]
+ sch:param [ name = "types" value = "oem iso pxe kis" ]
+ ]
 k.type.mdraid.attribute =
 ## Setup software raid in degraded mode with one disk
 ## Thus only mirroring and striping is possible
@@ -2148,6 +2159,7 @@ div {
 k.type.luks.attribute? &
 k.type.luks_version.attribute? &
 k.type.luksOS.attribute? &
+ k.type.luks_randomize.attribute? &
 k.type.mdraid.attribute? &
 k.type.overlayroot.attribute? &
 k.type.overlayroot_write_partition.attribute? &
Index: kiwi-9.24.47/kiwi/schema/kiwi.rng
===================================================================
--- kiwi-9.24.47.orig/kiwi/schema/kiwi.rng
+++ kiwi-9.24.47/kiwi/schema/kiwi.rng
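Review bot: The schematron pattern added for `luks_randomize` in the first kiwi.rnc hunk passes `value = "luksversion"` as its `attr` parameter, whereas the neighbouring `luksOS` pattern passes its own attribute name; this looks like a copy-paste leftover. As written, the `oem iso pxe kis` type restriction presumably checks an attribute called `luksversion` and never constrains `luks_randomize`. The parameter should read `sch:param [ name = "attr" value = "luks_randomize" ]`, and the kiwi.rng hunk needs the matching `<sch:param name="attr" value="luks_randomize"/>`.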
@@ -2807,6 +2807,20 @@ distribution</a:documentation> <sch:param name="types" value="oem iso pxe kis"/> </sch:pattern> </define> + <define name="k.type.luks_randomize.attribute"> + <attribute name="luks_randomize"> + <a:documentation>By default, all blocks of a LUKS volume will be filled +with pseudo-random data. If you're shipping an image with +a well-known key, which is going to be re-encrypted at +deployment time, you can decrease the size of the image +by setting this attribute to false.</a:documentation> + <data type="boolean"/> + </attribute> + <sch:pattern id="luks_randomize" is-a="image_type"> + <sch:param name="attr" value="luksversion"/> + <sch:param name="types" value="oem iso pxe kis"/> + </sch:pattern> + </define> <define name="k.type.mdraid.attribute"> <attribute name="mdraid"> <a:documentation>Setup software raid in degraded mode with one disk @@ -3126,6 +3140,9 @@ kiwi-ng result bundle ...</a:documentati <ref name="k.type.luksOS.attribute"/> </optional> <optional> + <ref name="k.type.luks_randomize.attribute"/> + </optional> + <optional> <ref name="k.type.mdraid.attribute"/> </optional> <optional> Index: kiwi-9.24.47/kiwi/xml_parse.py =================================================================== --- kiwi-9.24.47.orig/kiwi/xml_parse.py +++ kiwi-9.24.47/kiwi/xml_parse.py @@ -19,7 +19,7 @@ # /home/okir/.local/bin/generateDS.py -f --external-encoding="utf-8" --no-dates --no-warnings -o "kiwi/xml_parse.py" kiwi/schema/kiwi_for_generateDS.xsd # # Current working directory (os.getcwd()): -# kiwi-9.24.41 +# kiwi-9.24.47 # import sys 
@@ -2798,7 +2798,7 @@ class type_(GeneratedsSuper): """The Image Type of the Logical Extend""" subclass = None superclass = None - def __init__(self, boot=None, bootfilesystem=None, firmware=None, bootkernel=None, bootpartition=None, bootpartsize=None, efipartsize=None, efifatimagesize=None, efiparttable=None, dosparttable_extended_layout=None, bootprofile=None, btrfs_quota_groups=None, btrfs_root_is_snapshot=None, btrfs_root_is_readonly_snapshot=None, compressed=None, devicepersistency=None, editbootconfig=None, editbootinstall=None, filesystem=None, flags=None, format=None, formatoptions=None, fsmountoptions=None, fscreateoptions=None, squashfscompression=None, gcelicense=None, hybridpersistent=None, hybridpersistent_filesystem=None, gpt_hybrid_mbr=None, force_mbr=None, initrd_system=None, image=None, metadata_path=None, installboot=None, install_continue_on_timeout=None, installprovidefailsafe=None, installiso=None, installstick=None, installpxe=None, mediacheck=None, kernelcmdline=None, luks=None, luks_version=None, luksOS=None, mdraid=None, overlayroot=None, overlayroot_write_partition=None, overlayroot_readonly_partsize=None, verity_blocks=None, embed_verity_metadata=None, standalone_integrity=None, embed_integrity_metadata=None, integrity_metadata_key_description=None, integrity_keyfile=None, primary=None, ramonly=None, rootfs_label=None, spare_part=None, spare_part_mountpoint=None, spare_part_fs=None, spare_part_fs_attributes=None, spare_part_is_last=None, target_blocksize=None, target_removable=None, selinux_policy=None, vga=None, vhdfixedtag=None, volid=None, wwid_wait_timeout=None, derived_from=None, ensure_empty_tmpdirs=None, xen_server=None, publisher=None, disk_start_sector=None, root_clone=None, boot_clone=None, bundle_format=None, bootloader=None, containerconfig=None, machine=None, oemconfig=None, size=None, systemdisk=None, partitions=None, vagrantconfig=None, installmedia=None, luksformat=None): + def __init__(self, boot=None, 
bootfilesystem=None, firmware=None, bootkernel=None, bootpartition=None, bootpartsize=None, efipartsize=None, efifatimagesize=None, efiparttable=None, dosparttable_extended_layout=None, bootprofile=None, btrfs_quota_groups=None, btrfs_root_is_snapshot=None, btrfs_root_is_readonly_snapshot=None, compressed=None, devicepersistency=None, editbootconfig=None, editbootinstall=None, filesystem=None, flags=None, format=None, formatoptions=None, fsmountoptions=None, fscreateoptions=None, squashfscompression=None, gcelicense=None, hybridpersistent=None, hybridpersistent_filesystem=None, gpt_hybrid_mbr=None, force_mbr=None, initrd_system=None, image=None, metadata_path=None, installboot=None, install_continue_on_timeout=None, installprovidefailsafe=None, installiso=None, installstick=None, installpxe=None, mediacheck=None, kernelcmdline=None, luks=None, luks_version=None, luksOS=None, luks_randomize=None, mdraid=None, overlayroot=None, overlayroot_write_partition=None, overlayroot_readonly_partsize=None, verity_blocks=None, embed_verity_metadata=None, standalone_integrity=None, embed_integrity_metadata=None, integrity_metadata_key_description=None, integrity_keyfile=None, primary=None, ramonly=None, rootfs_label=None, spare_part=None, spare_part_mountpoint=None, spare_part_fs=None, spare_part_fs_attributes=None, spare_part_is_last=None, target_blocksize=None, target_removable=None, selinux_policy=None, vga=None, vhdfixedtag=None, volid=None, wwid_wait_timeout=None, derived_from=None, ensure_empty_tmpdirs=None, xen_server=None, publisher=None, disk_start_sector=None, root_clone=None, boot_clone=None, bundle_format=None, bootloader=None, containerconfig=None, machine=None, oemconfig=None, size=None, systemdisk=None, partitions=None, vagrantconfig=None, installmedia=None, luksformat=None): self.original_tagname_ = None self.boot = _cast(None, boot) self.bootfilesystem = _cast(None, bootfilesystem) 
@@ -2844,6 +2844,7 @@ class type_(GeneratedsSuper): self.luks = _cast(None, luks) self.luks_version = _cast(None, luks_version) self.luksOS = _cast(None, luksOS) + self.luks_randomize = _cast(bool, luks_randomize) self.mdraid = _cast(None, mdraid) self.overlayroot = _cast(bool, overlayroot) self.overlayroot_write_partition = _cast(bool, overlayroot_write_partition) @@ -3066,6 +3067,8 @@ class type_(GeneratedsSuper): def set_luks_version(self, luks_version): self.luks_version = luks_version def get_luksOS(self): return self.luksOS def set_luksOS(self, luksOS): self.luksOS = luksOS + def get_luks_randomize(self): return self.luks_randomize + def set_luks_randomize(self, luks_randomize): self.luks_randomize = luks_randomize def get_mdraid(self): return self.mdraid def set_mdraid(self, mdraid): self.mdraid = mdraid def get_overlayroot(self): return self.overlayroot @@ -3344,6 +3347,9 @@ class type_(GeneratedsSuper): if self.luksOS is not None and 'luksOS' not in already_processed: already_processed.add('luksOS') outfile.write(' luksOS=%s' % (self.gds_encode(self.gds_format_string(quote_attrib(self.luksOS), input_name='luksOS')), )) + if self.luks_randomize is not None and 'luks_randomize' not in already_processed: + already_processed.add('luks_randomize') + outfile.write(' luks_randomize="%s"' % self.gds_format_boolean(self.luks_randomize, input_name='luks_randomize')) if self.mdraid is not None and 'mdraid' not in already_processed: already_processed.add('mdraid') outfile.write(' mdraid=%s' % (self.gds_encode(self.gds_format_string(quote_attrib(self.mdraid), input_name='mdraid')), )) 
@@ -3756,6 +3762,15 @@ class type_(GeneratedsSuper): already_processed.add('luksOS') self.luksOS = value self.luksOS = ' '.join(self.luksOS.split()) + value = find_attr_value_('luks_randomize', node) + if value is not None and 'luks_randomize' not in already_processed: + already_processed.add('luks_randomize') + if value in ('true', '1'): + self.luks_randomize = True + elif value in ('false', '0'): + self.luks_randomize = False + else: + raise_parse_error(node, 'Bad boolean attribute') value = find_attr_value_('mdraid', node) if value is not None and 'mdraid' not in already_processed: already_processed.add('mdraid') Index: kiwi-9.24.47/kiwi/builder/disk.py =================================================================== --- kiwi-9.24.47.orig/kiwi/builder/disk.py +++ kiwi-9.24.47/kiwi/builder/disk.py @@ -133,6 +133,7 @@ class DiskBuilder: self.root_filesystem_embed_integrity_metadata = \ xml_state.build_type.get_embed_integrity_metadata() self.luks_format_options = xml_state.get_luks_format_options() + self.luks_randomize = xml_state.build_type.get_luks_randomize() self.luks_os = xml_state.build_type.get_luksOS() self.xen_server = xml_state.is_xen_server() self.requested_filesystem = xml_state.build_type.get_filesystem() @@ -342,6 +343,7 @@ class DiskBuilder: self.luks_boot_keyfile = ''.join( [self.root_dir, self.luks_boot_keyname] ) + luks_root.luks_randomize = self.luks_randomize # use LUKS key file for the following conditions: # 1. /boot is encrypted # In this case grub needs to read from LUKS via the
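Review bot: `luks_root.luks_randomize = self.luks_randomize` in the second disk.py hunk unconditionally replaces the `True` default set in `LuksDevice.__init__` with whatever `get_luks_randomize()` returned in the first hunk, and the generated `type_` constructor defaults `luks_randomize` to `None`. If that `None` is what comes back when the attribute is absent from the image description (the `_cast` helper is not visible here, so this is inferred), `if self.luks_randomize:` is false and the fill is skipped for every existing image, contradicting the schema text that calls randomization the default. Copy only an explicit value, `if self.luks_randomize is not None: luks_root.luks_randomize = self.luks_randomize`, or test `self.luks_randomize is not False` in `LuksDevice`. Both DiskBuilder methods continue outside the hunks.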