Allow using multiple "contexts" for LUKS #1354
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently one passphrase and one key file can be specified when creating or managing LUKS devices. This means a second passphrase can be added only manually after creating the LUKS format. This change add support for specifying multiple "key slot contexts" for the LUKS format. This will also allow using some more advanced "contexts" for LUKS in the future, like referencing keys saved in the kernel keyring or creating LUKS devices protected with TPM. The original API for setting passphrase and key file will not be removed, but it internally uses the new "context" API.
This is for backward compatibility, Anaconda sets passphrase to None to remove passphrases that don't work.
add_password and remove_password are kept for backwards compatibility, add_key and remove_key which work with contexts should be prefered.
This way we can protect it from being overwritten and also document its usage better.
|
Marking as ready for review. The anaconda tests are now passing and I also run some luks kickstart tests which also passed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently only one passphrase and one key file can be specified when creating new LUKS, this change allows specifying multiple different "contexts" for when creating a new or unlocking an existing LUKS device. For now only passphrase and key file contexts are supported, but this change will also allow adding support for new types of contexts (kernel keyring, TPM etc.) in the future.
The change is made to be backwards compatible so "passphrase" can still be specified for the LUKS format, it will just internally create a new passphrase context so no changes are needed for existing code.