From ad7baa667a67e8503ad558bfb6f7297450fc5daa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com>
Date: Wed, 30 Nov 2022 08:35:38 +0100
Subject: [PATCH] CSI driver fixes (#668)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Fix invalid key id for resize operations
* Add udev rule for unlabeled disks

Signed-off-by: Daniel Weiße
---
 csi/cryptmapper/cryptmapper.go | 18 ++++++++++--------
 .../lib/udev/rules.d/98-override-systemd.rules | 1 +
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/csi/cryptmapper/cryptmapper.go b/csi/cryptmapper/cryptmapper.go
index b5c1c6b76..c7beed058 100644
--- a/csi/cryptmapper/cryptmapper.go
+++ b/csi/cryptmapper/cryptmapper.go
@@ -182,12 +182,7 @@ func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID stri
 
 // ResizeCryptDevice resizes the underlying crypt device and returns the mapped device path.
 func (c *CryptMapper) ResizeCryptDevice(ctx context.Context, volumeID string) (string, error) {
-	dek, err := c.kms.GetDEK(ctx, volumeID, crypto.StateDiskKeyLength)
-	if err != nil {
-		return "", err
-	}
-
-	if err := resizeCryptDevice(c.mapper, volumeID, string(dek)); err != nil {
+	if err := resizeCryptDevice(ctx, c.mapper, volumeID, c.kms.GetDEK); err != nil {
 		return "", err
 	}
 
@@ -352,7 +347,9 @@ func performWipe(device DeviceMapper, volumeID string) error {
 	return nil
 }
 
-func resizeCryptDevice(device DeviceMapper, name, passphrase string) error {
+func resizeCryptDevice(ctx context.Context, device DeviceMapper, name string,
+	getKey func(ctx context.Context, keyID string, keySize int) ([]byte, error),
+) error {
 	packageLock.Lock()
 	defer packageLock.Unlock()
 
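Review bot: The new `getKey` parameter carries a contract the signature does not express — it is invoked with the device's LUKS UUID rather than the `name` argument as key ID — and `resizeCryptDevice` still has no doc comment saying so, which is exactly the key-ID confusion this commit fixes in the caller. I would add above the signature: `// resizeCryptDevice resizes the crypt device name. getKey is called with the`, `// device's LUKS UUID (not name) as key ID to fetch the DEK that is loaded into`, `// the kernel keyring before resizing.` A named type such as `type keyGetter func(ctx context.Context, keyID string, keySize int) ([]byte, error)` would keep the signature on one line and make the parameter reusable by other helpers that receive `c.kms.GetDEK`; optional. The function body continues outside this hunk.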
@@ -365,7 +362,12 @@ func resizeCryptDevice(device DeviceMapper, name, passphrase string) error {
 		return fmt.Errorf("loading device: %w", err)
 	}
 
-	if err := device.ActivateByPassphrase("", 0, passphrase, cryptsetup.CRYPT_ACTIVATE_KEYRING_KEY); err != nil {
+	passphrase, err := getKey(ctx, device.GetUUID(), crypto.StateDiskKeyLength)
+	if err != nil {
+		return fmt.Errorf("getting key: %w", err)
+	}
+
+	if err := device.ActivateByPassphrase("", 0, string(passphrase), cryptsetup.CRYPT_ACTIVATE_KEYRING_KEY); err != nil {
 		return fmt.Errorf("activating keyrung for crypt device %q with passphrase: %w", name, err)
 	}
 
diff --git a/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules b/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
index e5a704e2d..057d84e8d 100644
--- a/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
+++ b/image/mkosi.skeleton/usr/lib/udev/rules.d/98-override-systemd.rules
@@ -1,3 +1,4 @@
 # prevent systemd udev rules from marking unformatted device mapper device as unready (SYSTEMD_READY=0)
 # this is the offending rule from systemd: SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
+SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-encrypted-disk"
 SUBSYSTEM=="block", ENV{DM_NAME}=="state", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-state"
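Review bot: The DEK returned on the new `passphrase, err := getKey(...)` line is kept for the rest of the call and never cleared; zeroing the byte slice once `ActivateByPassphrase` has returned limits how long raw key material sits on the heap, although the `string(passphrase)` copy handed to cryptsetup cannot be wiped and that limitation deserves a comment. `device.GetUUID()` is passed straight through as the key ID, so a loaded device that reports an empty UUID triggers a lookup with an empty ID; an explicit guard gives a clearer failure than whatever the KMS returns, unless code outside the hunk already rules this out. The context line below still reads `keyrung`; since the commit touches this error path it is a good moment to correct it to `keyring`. `resizeCryptDevice` starts and ends outside this hunk.
```go
	uuid := device.GetUUID()
	if uuid == "" {
		return fmt.Errorf("crypt device %q has no UUID to look up its key", name)
	}
	passphrase, err := getKey(ctx, uuid, crypto.StateDiskKeyLength)
	if err != nil {
		return fmt.Errorf("getting key: %w", err)
	}
	// Best effort: the string copy handed to cryptsetup below cannot be wiped.
	defer func() {
		for i := range passphrase {
			passphrase[i] = 0
		}
	}()

	if err := device.ActivateByPassphrase("", 0, string(passphrase), cryptsetup.CRYPT_ACTIVATE_KEYRING_KEY); err != nil {
		return fmt.Errorf("activating keyring for crypt device %q with passphrase: %w", name, err)
	}
	// … unchanged: remainder of resizeCryptDevice …
```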
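Review bot: The added rule labels every unformatted `CRYPT-*` device-mapper device without checking that blkid found nothing on it, so a mapped volume that already carries `ID_FS_USAGE="filesystem"` (or `crypto`) gets that value overwritten with `constellation-encrypted-disk`, which other consumers of the udev database that read `ID_FS_USAGE` may not expect. Mirroring the systemd rule quoted in the comment above by adding the empty-value match restricts it to the unlabeled case the commit message describes: `SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{ID_FS_USAGE}="constellation-encrypted-disk"`. The rule also applies to any dm-crypt device on the node, not only CSI volumes; if the driver names its mappings with a recognizable `DM_NAME` prefix, matching on it would narrow the override, but the naming scheme is not visible in this patch. A short comment stating that the value is a marker used to defeat the `SYSTEMD_READY=0` rule and not a real filesystem usage type would help the next reader.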