From 73dc5ba6f4cadf9e500258d508c86af98a4b02cd Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 6 Jul 2023 11:22:08 +0200
Subject: [slx-dmsetup] Introduce SLX_ID44_CRYPT for encrypting

This will encrypt the entire writable device(s) before creating any partitions and pools inside it.
---
 modules.d/slx-dmsetup/scripts/dmsetup-slx-device | 28 +++++++++++++++++++-----
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/modules.d/slx-dmsetup/scripts/dmsetup-slx-device b/modules.d/slx-dmsetup/scripts/dmsetup-slx-device
index e01b1f97..8bf0f097 100755
--- a/modules.d/slx-dmsetup/scripts/dmsetup-slx-device
+++ b/modules.d/slx-dmsetup/scripts/dmsetup-slx-device
@@ -476,6 +476,7 @@ dev_find_partitions &> /dev/null
 dev_swap_version &> /dev/null
 
 # This is the main variable driving this script
+declare -g id44_crypted=
 declare -g writable_device=
 if [ -z "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then
 	SLX_WRITABLE_DEVICE_IDENTIFIER=("44" "87f86132-ff94-4987-b250-444444444444")
@@ -485,7 +486,6 @@ if [ -z "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then
 fi
 # XXX The fuck? This may or may not be an array? Shit will defintely break some day...
 if [ -n "$SLX_WRITABLE_DEVICE_IDENTIFIER" ]; then
-	# only first one for now TODO create linear devices of all ID44s
 	declare -a writable_devices
 	writable_devices=( $( dev_find_partitions "${SLX_WRITABLE_DEVICE_IDENTIFIER[@]}" ) )
 	if [[ "${#writable_devices[@]}" -eq 0 && "$SLX_NTFSFREE" != "never" ]] || [ "$SLX_NTFSFREE" = "always" ]; then
@@ -551,6 +551,16 @@ fi
 if [ -z "$writable_device" ]; then
 	echo "$0: Could not find writable device with id '$SLX_WRITABLE_DEVICE_IDENTIFIER'."
 	ramdisk_fallback
+elif [ -n "$SLX_ID44_CRYPT" ] && [ "$SLX_ID44_CRYPT" != 0 ]; then
+	# Config option crypts the entire ID44 device(s), before any slices are taken from it.
+	if encrypt_device "$writable_device" "id44-crypt"; then
+		echo "$0: ID44 encrypted"
+		writable_device="/dev/mapper/id44-crypt"
+		# Remember the whole device is already encrypted, and ignore the crypt flag for the partition table later
+		id44_crypted=1
+	else
+		echo "$0: Error encrypting ID44 partition"
+	fi
 fi
 
 # NOTE: from here on out, every value related to size is in 512 bytes sectors!
@@ -652,11 +662,13 @@ fi
 save_partition_info "${scratch_device##*/}" "*" "1" "$scratch_device_sz"
 
 # encrypt the scratch device, if configured
-if [ "$crypt" -ne 0 ] && encrypt_device \
-	"$scratch_device" "${scratch_device##*/}-crypt" "$scratch_device_sz"; then
-	scratch_device="/dev/mapper/${scratch_device##*/}-crypt"
-else
-	echo "$0: Continuing with unencrypted scratch"
+if [ -z "$id44_crypted" ]; then
+	if [ "$crypt" -ne 0 ] && encrypt_device \
+		"$scratch_device" "${scratch_device##*/}-crypt" "$scratch_device_sz"; then
+		scratch_device="/dev/mapper/${scratch_device##*/}-crypt"
+	else
+		echo "$0: Continuing with unencrypted scratch"
+	fi
 fi
 
 writable_device_used_sz="$scratch_device_sz"
@@ -665,6 +677,7 @@ writable_device_used_sz="$scratch_device_sz"
 for line in "${linear[@]}"; do
 	[ -z "$line" ] && continue
 	read -r name crypt min max ignore <<< "$line"
+	[ -n "$id44_crypted" ] && crypt=0
 	free_space="$(( writable_device_sz - writable_device_used_sz ))"
 	if [ "$min" -gt "$free_space" ]; then
 		echo "$0: Not enough space left for linear devices: '$line'"
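Review bot: When `encrypt_device "$writable_device" "id44-crypt"` fails in the new `elif` branch, the script prints a one-line message to stdout and carries on with the plaintext `$writable_device`, so an operator who set `SLX_ID44_CRYPT` gets a silently downgraded configuration. Since `id44_crypted` stays empty on that path, the later per-volume `crypt` flags still apply, which is a reasonable partial fallback, but the message should say so and go to stderr: `echo "$0: Error encrypting ID44 partition, falling back to per-volume encryption" >&2`. Note also that this call omits the size argument the scratch-device call passes to `encrypt_device`; presumably the helper treats it as optional, but that is worth confirming since the helper is outside this hunk. The commit message speaks of "device(s)", yet only the single `$writable_device` is wrapped here, so a second ID44 device would stay unencrypted unless handled elsewhere.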
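Review bot: The override `[ -n "$id44_crypted" ] && crypt=0` after `read -r name crypt min max ignore` is pasted verbatim here and again in the thin-volume, thin-snapshot and regular-snapshot hunks, with no comment explaining why a configured per-volume crypt flag is being discarded. I'd add a comment on each site, or at least the first, `# whole ID44 device is already encrypted; per-volume crypt would only double-encrypt`, or fold the check into a tiny helper so the four copies cannot drift apart. The `[ … ] && crypt=0` form also yields exit status 1 whenever the flag is unset, which is harmless under the script's current error handling but would trip `set -e` if that is ever enabled; `[ -z "$id44_crypted" ] || crypt=0` has the same effect without that edge. The enclosing `for` loop body continues outside the hunk.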
@@ -710,6 +723,7 @@ if [ -n "$thin_snapshot" ] || [ -n "$thin_volume" ]; then
 	for line in "${thin_volume[@]}"; do
 		[ -z "$line" ] && continue
 		read -r name crypt min max ignore <<< "$line"
+		[ -n "$id44_crypted" ] && crypt=0
 		# thin-volume can be created with max size,
 		# since they are overprovisioned anyway.
 		if ! create_volume "$name" "$(( volume_id++ ))" "$max"; then
@@ -725,6 +739,7 @@ if [ -n "$thin_snapshot" ] || [ -n "$thin_volume" ]; then
 	if [ -n "$thin_snapshot" ]; then
 		# create thin-snapshot, use first one
 		read -r name crypt min max ignore <<< "$thin_snapshot"
+		[ -n "$id44_crypted" ] && crypt=0
 		# min/max was used for the pool data device, ignore it here!
 		# Calculate how much of the CoW space we reserve for changes in the base
 		# system. Usually all the files in the base system should be static, but
@@ -761,6 +776,7 @@ fi
 ###
 if [ -n "$snapshot" ] && require_exact_scratch_size; then
 	read -r name crypt min max ignore <<< "$snapshot"
+	[ -n "$id44_crypted" ] && crypt=0
 	if ! create_snapshot "$name $persist"; then
 		echo "Failed to create regular snapshot for '$read_only_device' on '$scratch_device'."
 	else
-- 
cgit v1.2.3-55-g7522