authorOlivier Gayot <[email protected]>2023-09-21 21:06:20 +0000
committerServer Team CI Bot <[email protected]>2023-09-21 21:06:20 +0000
commit64ea5fbe827aa98ddc63ea87de2de45689180c82 (patch)
tree47c7b5643ef64467b8f26e1bbc0d32993ef72f6d
parent13c1b8ad9ecc2473ce9ff8aa2e08123eb596fdda (diff)
block_meta: also add recovery key if zkey is used
When zkey is properly set up, we do not invoke cryptsetup luksFormat ourselves. Instead we lean on zkey to invoke cryptsetup luksFormat for us. zkey seems to have no native support for invoking cryptsetup luksAddKey, so we need to call it manually if we want to add a recovery key in a second slot. Signed-off-by: Olivier Gayot <[email protected]>
-rw-r--r--curtin/commands/block_meta.py15
-rw-r--r--tests/unittests/test_commands_block_meta.py64
2 files changed, 71 insertions, 8 deletions
diff --git a/curtin/commands/block_meta.py b/curtin/commands/block_meta.py
index 64bf393c..ebae27cc 100644
--- a/curtin/commands/block_meta.py
+++ b/curtin/commands/block_meta.py
@@ -1693,16 +1693,15 @@ def dm_crypt_handler(info, storage_config, context):
util.subp(cmd)
- # Should this be done as well if we are using zkey?
- if recovery_keyfile is not None:
- LOG.debug("Adding recovery key to %s", volume_path)
+ if recovery_keyfile is not None:
+ LOG.debug("Adding recovery key to %s", volume_path)
- cmd = [
- "cryptsetup", "luksAddKey",
- "--key-file", keyfile,
- volume_path, recovery_keyfile]
+ cmd = [
+ "cryptsetup", "luksAddKey",
+ "--key-file", keyfile,
+ volume_path, recovery_keyfile]
- util.subp(cmd)
+ util.subp(cmd)
cmd = ["cryptsetup", "open", "--type", luks_type, volume_path, dm_name,
"--key-file", keyfile]
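Review bot: The removed comment "Should this be done as well if we are using zkey?" was the only explanation of where the luksAddKey step sits, and the new code replaces it with nothing, so the next reader has to dig up this commit to learn why the call runs on the zkey path too. Since the commit message already states the reason, I'd put it in the code above the `if recovery_keyfile is not None:` line: `# zkey has no luksAddKey equivalent, so the recovery key is added with cryptsetup on both the zkey and the plain luksFormat paths.` The rendering drops indentation, so the hunk alone does not show that the block was moved out of the non-zkey branch rather than merely reformatted; the luksAddKey expectation in the new zkey test suggests it was. dm_crypt_handler starts before this hunk and continues after it.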
diff --git a/tests/unittests/test_commands_block_meta.py b/tests/unittests/test_commands_block_meta.py
index 1a1f65d6..9d7d0f3d 100644
--- a/tests/unittests/test_commands_block_meta.py
+++ b/tests/unittests/test_commands_block_meta.py
@@ -2198,6 +2198,70 @@ class TestDmCryptHandler(CiTestCase):
self.m_subp.assert_has_calls(expected_calls)
self.assertEqual(len(util.load_file(self.crypttab).splitlines()), 1)
+ def test_dm_crypt_zkey_cryptsetup_with_recovery_key(self):
+ """ verify dm_crypt zkey calls generates and run before crypt open."""
+
+ # zkey binary is present
+ self.m_block.zkey_supported.return_value = True
+ self.m_which.return_value = "/my/path/to/zkey"
+ volume_path = self.random_string()
+ self.m_getpath.return_value = volume_path
+ volume_byid = "/dev/disk/by-id/ccw-%s" % volume_path
+ self.m_block.disk_to_byid_path.return_value = volume_byid
+
+ recovery_keyfile = self.random_string()
+
+ config = {
+ 'storage': {
+ 'version': 1,
+ 'config': [
+ {'grub_device': True,
+ 'id': 'sda',
+ 'name': 'sda',
+ 'path': '/wark/xxx',
+ 'ptable': 'msdos',
+ 'type': 'disk',
+ 'wipe': 'superblock'},
+ {'device': 'sda',
+ 'id': 'sda-part1',
+ 'name': 'sda-part1',
+ 'number': 1,
+ 'size': '511705088B',
+ 'type': 'partition'},
+ {'id': 'dmcrypt0',
+ 'type': 'dm_crypt',
+ 'dm_name': 'cryptroot',
+ 'volume': 'sda-part1',
+ 'cipher': self.cipher,
+ 'keysize': self.keysize,
+ 'keyfile': self.keyfile,
+ 'recovery_keyfile': recovery_keyfile},
+ ],
+ }
+ }
+ storage_config = block_meta.extract_storage_ordered_dict(config)
+
+ info = storage_config['dmcrypt0']
+
+ volume_name = "%s:%s" % (volume_byid, info['dm_name'])
+ block_meta.dm_crypt_handler(info, storage_config, empty_context)
+ expected_calls = [
+ call(['zkey', 'generate', '--xts', '--volume-type', 'luks2',
+ '--sector-size', '4096', '--name', info['dm_name'],
+ '--description',
+ 'curtin generated zkey for %s' % volume_name,
+ '--volumes', volume_name], capture=True),
+ call(['zkey', 'cryptsetup', '--run', '--volumes', volume_byid,
+ '--batch-mode', '--key-file', self.keyfile], capture=True),
+ call(['cryptsetup', 'luksAddKey',
+ '--key-file', self.keyfile,
+ volume_path, recovery_keyfile]),
+ call(['cryptsetup', 'open', '--type', 'luks2', volume_path,
+ info['dm_name'], '--key-file', self.keyfile]),
+ ]
+ self.m_subp.assert_has_calls(expected_calls)
+ self.assertEqual(len(util.load_file(self.crypttab).splitlines()), 1)
+
def test_dm_crypt_zkey_gen_failure_fallback_to_cryptsetup(self):
""" verify dm_cyrpt zkey generate err falls back cryptsetup format. """
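Review bot: The docstring on test_dm_crypt_zkey_cryptsetup_with_recovery_key is copied from the neighbouring zkey test and never mentions the recovery key, which is the one thing this test adds; `""" verify dm_crypt with zkey also adds the recovery key via luksAddKey before crypt open."""` would name the behaviour being pinned. assert_has_calls only requires that the listed sequence appear somewhere in the recorded calls, so the test would also pass if a plain `cryptsetup luksFormat` call were issued on this path; if the intent is that zkey replaces luksFormat here, an explicit assertion that no luksFormat call is present would make that property part of the test. The new test method is complete within the hunk; the enclosing TestDmCryptHandler class starts before it.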