On Wed, Oct 29, 2008 at 04:35:04PM -0500, David Lehman wrote:
> Bug 468910 (5.3) - anaconda doesn't handle encrypting pre-existing
> partitions well
>
> Somehow you can run luksFormat on a device that previously held an
> ext[34] filesystem and afterwards libblkid will still find the ext[34]
> magic on the device. It then uses the ext UUID instead of the LUKS UUID,
> rendering the device impossible to locate by UUID using our tools
> (blkid).
>
> This patch writes zeros to the first and last 1MB of a device we are
> about to run luksFormat on to ensure that any residual metadata gets
> wiped away. The 1MB is based on a quick of read through libblkid's
> probing code. I don't see anything that would require us to zero out
> more of the device. In fact, this is quite a bit more than appears to be
> necessary, but I prefer to be certain.
>
> diff --git a/cryptodev.py b/cryptodev.py
> index 3dac057..11da86d 100644
> --- a/cryptodev.py
> +++ b/cryptodev.py
> @@ -163,6 +163,17 @@ class LUKSDevice:
> if not device:
> raise ValueError, "Cannot open mapping without a device."
>
> + # zero out the 1MB at the beginning and end of the device in
> the
> + # hope that it will wipe any metadata from filesystems that
> + # previously occupied this device
> + log.warn("zeroing out beginning and end of %s..." % device)
> + fd = os.open("%s/%s" % (devPrefix, device), os.O_RDWR)
> + buf = '\0' * 1024 * 1024
> + os.write(fd, buf)
> + os.lseek(fd, -1024 * 1024, 2)
> + os.write(fd, buf)
> + os.close(fd)
> +
> log.info("formatting %s as %s" % (device, self.getScheme()))
> p = os.pipe()
> os.write(p[1], "%s\n" % (self.passphrase,))
>
>
> I originally thought it would be nice to do this from clobberDevice in
> fsset, but that is more complicated than it would seem. The first thing
> those methods do is to call Device.setupDevice(), which would is where
> we format new LUKS devices. That means we have a chicken/egg problem.
> The problem has only manifested with newly formatted LUKS devices thus
> far, so I decided to just kill it where it grows (in cryptodev.py).
>
> Thoughts?
The only thing I would suggest on top of this is try/except to catch any
exceptions that fall out of the os.WHATEVER calls.
--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat / Honolulu, HI
Attachment:
pgpXJzOc9l5NK.pgp
Description: PGP signature
_______________________________________________ Anaconda-devel-list mailing list Anaconda-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/anaconda-devel-list
