CSI driver fixes (#668)

* Fix invalid key id for resize operations

* Add udev rule for unlabeled disks

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-11-30 08:35:38 +01:00 committed by GitHub
parent 6bd62f0f7a
commit ad7baa667a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 8 deletions

View File

@ -182,12 +182,7 @@ func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID stri
// ResizeCryptDevice resizes the underlying crypt device and returns the mapped device path.
func (c *CryptMapper) ResizeCryptDevice(ctx context.Context, volumeID string) (string, error) {
dek, err := c.kms.GetDEK(ctx, volumeID, crypto.StateDiskKeyLength)
if err != nil {
return "", err
}
if err := resizeCryptDevice(c.mapper, volumeID, string(dek)); err != nil {
if err := resizeCryptDevice(ctx, c.mapper, volumeID, c.kms.GetDEK); err != nil {
return "", err
}
@ -352,7 +347,9 @@ func performWipe(device DeviceMapper, volumeID string) error {
return nil
}
func resizeCryptDevice(device DeviceMapper, name, passphrase string) error {
func resizeCryptDevice(ctx context.Context, device DeviceMapper, name string,
getKey func(ctx context.Context, keyID string, keySize int) ([]byte, error),
) error {
packageLock.Lock()
defer packageLock.Unlock()
@ -365,7 +362,12 @@ func resizeCryptDevice(device DeviceMapper, name, passphrase string) error {
return fmt.Errorf("loading device: %w", err)
}
if err := device.ActivateByPassphrase("", 0, passphrase, cryptsetup.CRYPT_ACTIVATE_KEYRING_KEY); err != nil {
passphrase, err := getKey(ctx, device.GetUUID(), crypto.StateDiskKeyLength)
if err != nil {
return fmt.Errorf("getting key: %w", err)
}
if err := device.ActivateByPassphrase("", 0, string(passphrase), cryptsetup.CRYPT_ACTIVATE_KEYRING_KEY); err != nil {
return fmt.Errorf("activating keyrung for crypt device %q with passphrase: %w", name, err)
}

View File

@ -1,3 +1,4 @@
# prevent systemd udev rules from marking unformatted device mapper device as unready (SYSTEMD_READY=0)
# this is the offending rule from systemd: SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-encrypted-disk"
SUBSYSTEM=="block", ENV{DM_NAME}=="state", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}="constellation-state"