Bug 468910 (5.3) - anaconda doesn't handle encrypting pre-existing partitions well

Somehow you can run luksFormat on a device that previously held an ext[34] filesystem and afterwards libblkid will still find the ext[34] magic on the device. It then uses the ext UUID instead of the LUKS UUID, rendering the device impossible to locate by UUID using our tools (blkid).

This patch writes zeros to the first and last 1MB of a device we are about to run luksFormat on to ensure that any residual metadata gets wiped away. The 1MB is based on a quick read through libblkid's probing code. I don't see anything that would require us to zero out more of the device. In fact, this is quite a bit more than appears to be necessary, but I prefer to be certain.

diff --git a/cryptodev.py b/cryptodev.py index 3dac057..11da86d 100644 --- a/cryptodev.py +++ b/cryptodev.py 
@@ -163,6 +163,17 @@ class LUKSDevice: if not device: raise ValueError, "Cannot open mapping without a device." + # zero out the 1MB at the beginning and end of the device in the + # hope that it will wipe any metadata from filesystems that + # previously occupied this device + log.warn("zeroing out beginning and end of %s..." % device) + fd = os.open("%s/%s" % (devPrefix, device), os.O_RDWR) + buf = '\0' * 1024 * 1024 + os.write(fd, buf) + os.lseek(fd, -1024 * 1024, 2) + os.write(fd, buf) + os.close(fd) + log.info("formatting %s as %s" % (device, self.getScheme())) p = os.pipe() os.write(p[1], "%s\n" % (self.passphrase,))

I originally thought it would be nice to do this from clobberDevice in fsset, but that is more complicated than it would seem. The first thing those methods do is to call Device.setupDevice(), which is where we format new LUKS devices. That means we have a chicken/egg problem. The problem has only manifested with newly formatted LUKS devices thus far, so I decided to just kill it where it grows (in cryptodev.py).

Thoughts?

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
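Review bot: the tail seek, os.lseek(fd, -1024 * 1024, 2), raises OSError on any device smaller than 1MB, and nothing in the added block closes fd on that path or when a write fails. Wrap the open/write/seek sequence in try/finally with os.close(fd) in the finally clause, and clamp the wipe length to the device size, which os.lseek(fd, 0, 2) returns. The return values of both os.write(fd, buf) calls are ignored, so a short write would leave part of the region unzeroed with nothing in the log; loop until the whole buffer is written and consider os.fsync(fd) before the close so the zeros are flushed before luksFormat runs. A smaller point: log.warn reads as too loud for a routine step when the formatting message right after it is logged with log.info.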