Re: [PATCH] zero out a devices before formatting as LUKS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Oct 29, 2008 at 04:35:04PM -0500, David Lehman wrote:
> Bug 468910 (5.3) - anaconda doesn't handle encrypting pre-existing
> partitions well
> 
> Somehow you can run luksFormat on a device that previously held an
> ext[34] filesystem and afterwards libblkid will still find the ext[34]
> magic on the device. It then uses the ext UUID instead of the LUKS UUID,
> rendering the device impossible to locate by UUID using our tools
> (blkid).
> 
> This patch writes zeros to the first and last 1MB of a device we are
> about to run luksFormat on to ensure that any residual metadata gets
> wiped away. The 1MB is based on a quick of read through libblkid's
> probing code. I don't see anything that would require us to zero out
> more of the device. In fact, this is quite a bit more than appears to be
> necessary, but I prefer to be certain.
> 
> diff --git a/cryptodev.py b/cryptodev.py
> index 3dac057..11da86d 100644
> --- a/cryptodev.py
> +++ b/cryptodev.py
> @@ -163,6 +163,17 @@ class LUKSDevice:
>          if not device:
>              raise ValueError, "Cannot open mapping without a device."
>  
> +        # zero out the 1MB at the beginning and end of the device in
> the
> +        # hope that it will wipe any metadata from filesystems that
> +        # previously occupied this device
> +        log.warn("zeroing out beginning and end of %s..." % device)
> +        fd = os.open("%s/%s" % (devPrefix, device), os.O_RDWR)
> +        buf = '\0' * 1024 * 1024
> +        os.write(fd, buf)
> +        os.lseek(fd, -1024 * 1024, 2)
> +        os.write(fd, buf)
> +        os.close(fd)
> +
>          log.info("formatting %s as %s" % (device, self.getScheme()))
>          p = os.pipe()
>          os.write(p[1], "%s\n" % (self.passphrase,))
> 
> 
> I originally thought it would be nice to do this from clobberDevice in
> fsset, but that is more complicated than it would seem. The first thing
> those methods do is to call Device.setupDevice(), which would is where
> we format new LUKS devices. That means we have a chicken/egg problem.
> The problem has only manifested with newly formatted LUKS devices thus
> far, so I decided to just kill it where it grows (in cryptodev.py).
> 
> Thoughts?

The only thing I would suggest on top of this is try/except to catch any
exceptions that fall out of the os.WHATEVER calls.

-- 
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat / Honolulu, HI

Attachment: pgpXJzOc9l5NK.pgp
Description: PGP signature

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list

[Index of Archives]     [Kickstart]     [Fedora Users]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]
  Powered by Linux