storage: add config support for TPM FDE (#1681)

Extend the *storage schema* to allow selecting TPM FDE as encryption method and adapt *config checker* to complain if TPM FDE is selected but is not available.
agama-project · Oct 22, 2024 · eeaf714 · eeaf714
2 parents c0bd649 + c11539f
commit eeaf714
Show file tree

Hide file tree

Showing 16 changed files with 284 additions and 130 deletions.
diff --git a/rust/agama-lib/share/examples/storage/encryption.json b/rust/agama-lib/share/examples/storage/encryption.json
@@ -0,0 +1,53 @@
+{
+  "storage": {
+    "drives": [
+      {
+        "encryption": {
+          "luks1": {
+            "password": "12345",
+            "cipher": "aes-xts-plain64",
+            "keySize": 512
+          }
+        }
+      },
+      {
+        "partitions": [
+          {
+            "encryption": {
+              "luks2": {
+                "password": "12345",
+                "cipher": "aes-xts-plain64",
+                "keySize": 512,
+                "pbkdFunction": "argon2i",
+                "label": "data"
+              }
+            }
+          },
+          {
+            "encryption": {
+              "pervasiveLuks2": {
+                "password": "12345"
+              }
+            }
+          },
+          {
+            "encryption": {
+              "tpmFde": {
+                "password": "12345"
+              }
+            }
+          },
+          {
+            "encryption": "protected_swap"
+          },
+          {
+            "encryption": "secure_swap"
+          },
+          {
+            "encryption": "random_swap"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/rust/agama-lib/share/profile.schema.json b/rust/agama-lib/share/profile.schema.json
@@ -1180,6 +1180,24 @@
         }
       }
     },
+    "encryptionTPM": {
+      "title": "TPM-Based Full Disk Encrytion",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["tpmFde"],
+      "properties": {
+        "tpmFde": {
+          "type": "object",
+          "additionalProperties": false,
+          "required": ["password"],
+          "properties": {
+            "password": {
+              "$ref": "#/$defs/encryptionPassword"
+            }
+          }
+        }
+      }
+    },
     "encryptionSwap": {
       "title": "Swap encryptions",
       "enum": ["protected_swap", "secure_swap", "random_swap"]
@@ -1189,6 +1207,7 @@
         { "$ref": "#/$defs/encryptionLUKS1" },
         { "$ref": "#/$defs/encryptionLUKS2" },
         { "$ref": "#/$defs/encryptionPervasiveLUKS2" },
+        { "$ref": "#/$defs/encryptionTPM" },
         { "$ref": "#/$defs/encryptionSwap" }
       ]
     },

diff --git a/service/lib/agama/storage/config_checker.rb b/service/lib/agama/storage/config_checker.rb
@@ -192,7 +192,7 @@ def missing_encryption_password_issue(config)
       # @return [Issue, nil]
       def unavailable_encryption_method_issue(config)
         method = config.method
-        return if !method || method.available?
+        return if !method || available_encryption_methods.include?(method)
 
         error(
           format(
@@ -204,6 +204,17 @@ def unavailable_encryption_method_issue(config)
         )
       end
 
+      # @see #unavailable_encryption_method_issue
+      #
+      # @return [Array<Y2Storage::EncryptionMethod::Base>]
+      def available_encryption_methods
+        tpm_fde = Y2Storage::EncryptionMethod::TPM_FDE
+
+        methods = Y2Storage::EncryptionMethod.available
+        methods << tpm_fde if tpm_fde.possible?
+        methods
+      end
+
       # @see #encryption_issues
       #
       # @param config [Configs::Drive, Configs::Partition, Configs::LogicalVolume]

diff --git a/service/lib/agama/storage/config_conversions/from_json_conversions/encryption.rb b/service/lib/agama/storage/config_conversions/from_json_conversions/encryption.rb
@@ -46,28 +46,39 @@ def conversions
             return luks1_conversions if luks1?
             return luks2_conversions if luks2?
             return pervasive_luks2_conversions if pervasive_luks2?
+            return tpm_fde_conversions if tpm_fde?
 
             swap_encryption_conversions
           end
 
+          # @return [Boolean]
           def luks1?
             return false unless encryption_json.is_a?(Hash)
 
             !encryption_json[:luks1].nil?
           end
 
+          # @return [Boolean]
           def luks2?
             return false unless encryption_json.is_a?(Hash)
 
             !encryption_json[:luks2].nil?
           end
 
+          # @return [Boolean]
           def pervasive_luks2?
             return false unless encryption_json.is_a?(Hash)
 
             !encryption_json[:pervasiveLuks2].nil?
           end
 
+          # @return [Boolean]
+          def tpm_fde?
+            return false unless encryption_json.is_a?(Hash)
+
+            !encryption_json[:tpmFde].nil?
+          end
+
           # @return [Hash]
           def luks1_conversions
             luks1_json = encryption_json[:luks1]
@@ -104,6 +115,16 @@ def pervasive_luks2_conversions
             }
           end
 
+          # @return [Hash]
+          def tpm_fde_conversions
+            tpm_fde_json = encryption_json[:tpmFde]
+
+            {
+              method:   Y2Storage::EncryptionMethod::TPM_FDE,
+              password: convert_password(tpm_fde_json)
+            }
+          end
+
           # @return [Hash]
           def swap_encryption_conversions
             return {} unless encryption_json.is_a?(String)

diff --git a/service/lib/agama/storage/config_conversions/to_json_conversions.rb b/service/lib/agama/storage/config_conversions/to_json_conversions.rb
@@ -24,12 +24,10 @@
 require "agama/storage/config_conversions/from_json_conversions/config"
 require "agama/storage/config_conversions/from_json_conversions/drive"
 require "agama/storage/config_conversions/from_json_conversions/encryption"
+require "agama/storage/config_conversions/from_json_conversions/encryption_properties"
 require "agama/storage/config_conversions/from_json_conversions/filesystem"
 require "agama/storage/config_conversions/from_json_conversions/logical_volume"
-require "agama/storage/config_conversions/from_json_conversions/luks1"
-require "agama/storage/config_conversions/from_json_conversions/luks2"
 require "agama/storage/config_conversions/from_json_conversions/partition"
-require "agama/storage/config_conversions/from_json_conversions/pervasive_luks2"
 require "agama/storage/config_conversions/from_json_conversions/search"
 require "agama/storage/config_conversions/from_json_conversions/size"
 require "agama/storage/config_conversions/from_json_conversions/volume_group"

diff --git a/service/lib/agama/storage/config_conversions/to_json_conversions/encryption.rb b/service/lib/agama/storage/config_conversions/to_json_conversions/encryption.rb
@@ -20,9 +20,7 @@
 # find current contact information at www.suse.com.
 
 require "agama/storage/config_conversions/to_json_conversions/base"
-require "agama/storage/config_conversions/to_json_conversions/luks1"
-require "agama/storage/config_conversions/to_json_conversions/luks2"
-require "agama/storage/config_conversions/to_json_conversions/pervasive_luks2"
+require "agama/storage/config_conversions/to_json_conversions/encryption_properties"
 require "agama/storage/configs/encryption"
 
 module Agama
@@ -51,29 +49,41 @@ def conversions
             method = config.method
 
             if method.is?(:luks1)
-              convert_luks1
+              luks1_conversions
             elsif method.is?(:luks2)
-              convert_luks2
+              luks2_conversions
             elsif method.is?(:pervasive_luks2)
-              convert_pervasive_luks2
+              pervasive_luks2_conversions
+            elsif method.is?(:tpm_fde)
+              tpm_fde_conversions
             else
               {}
             end
           end
 
           # @return [Hash]
-          def convert_luks1
-            { luks1: ToJSONConversions::Luks1.new(config).convert }
+          def luks1_conversions
+            { luks1: convert_encryption_properties }
           end
 
           # @return [Hash]
-          def convert_luks2
-            { luks2: ToJSONConversions::Luks2.new(config).convert }
+          def luks2_conversions
+            { luks2: convert_encryption_properties }
           end
 
           # @return [Hash]
-          def convert_pervasive_luks2
-            { pervasiveLuks2: ToJSONConversions::PervasiveLuks2.new(config).convert }
+          def pervasive_luks2_conversions
+            { pervasiveLuks2: convert_encryption_properties }
+          end
+
+          # @return [Hash]
+          def tpm_fde_conversions
+            { tpmFde: convert_encryption_properties }
+          end
+
+          # @return [Hash, nil]
+          def convert_encryption_properties
+            ToJSONConversions::EncryptionProperties.new(config).convert
           end
 
           # @return [String]

diff --git a/..._conversions/to_json_conversions/luks2.rb → ...json_conversions/encryption_properties.rb b/..._conversions/to_json_conversions/luks2.rb → ...json_conversions/encryption_properties.rb
@@ -26,8 +26,8 @@ module Agama
   module Storage
     module ConfigConversions
       module ToJSONConversions
-        # Luks2 conversion to JSON hash according to schema.
-        class Luks2 < Base
+        # Encryption properties conversion to JSON hash according to schema.
+        class EncryptionProperties < Base
           # @see Base
           def self.config_type
             Configs::Encryption
@@ -37,6 +37,32 @@ def self.config_type
 
           # @see Base#conversions
           def conversions
+            method = config.method
+
+            if method.is?(:luks1)
+              luks1_properties_conversions
+            elsif method.is?(:luks2)
+              luks2_properties_conversions
+            elsif method.is?(:pervasive_luks2)
+              pervasive_luks2_properties_conversions
+            elsif method.is?(:tpm_fde)
+              tpm_fde_properties_conversions
+            else
+              {}
+            end
+          end
+
+          # @return [Hash]
+          def luks1_properties_conversions
+            {
+              password: config.password,
+              keySize:  config.key_size,
+              cipher:   config.cipher
+            }
+          end
+
+          # @return [Hash]
+          def luks2_properties_conversions
             {
               password:     config.password,
               keySize:      config.key_size,
@@ -45,6 +71,20 @@ def conversions
               pbkdFunction: config.pbkd_function&.to_s
             }
           end
+
+          # @return [Hash]
+          def pervasive_luks2_properties_conversions
+            {
+              password: config.password
+            }
+          end
+
+          # @return [Hash]
+          def tpm_fde_properties_conversions
+            {
+              password: config.password
+            }
+          end
         end
       end
     end

diff --git a/service/lib/agama/storage/config_conversions/to_json_conversions/luks1.rb b/service/lib/agama/storage/config_conversions/to_json_conversions/luks1.rb