mirror/guix
mirror/guix
1
Fork 0
mirror of https://https.git.savannah.gnu.org/git/guix.git/ synced 2025-07-10 08:30:39 +02:00
Code Releases Activity

mapped-devices/luks: Add support for --allow-discards.

Browse source 
* gnu/system/mapped-devices.scm (open-luks-device): Support opening
LUKS devices with the --allow-discards option.
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
Pass through the allow-discards? keyword argument.
* doc/guix.texi (Mapped Devices): Update documentation for the
luks-device-mapping-with-options procedure.

Co-authored-by: Sisiutl <sisiutl@egregore.fun>
Modified-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Change-Id: Iff82d7d548486f028d19f6aa35dd30ca194f57cc
This commit is contained in:
Sören Tempel 2025-03-16 12:49:50 +01:00 committed by Maxim Cournoyer
parent 8984d4bbb2
commit 7aa855b05b
No known key found for this signature in database
GPG key ID: 1260E46482E63562
2 changed files with 32 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

11
doc/guix.texi
View file

@ -18461,7 +18461,7 @@ command from the package with the same name. It relies on the
@code{dm-crypt} Linux kernel module. @code{dm-crypt} Linux kernel module.
@end defvar @end defvar
@deffn {Procedure} luks-device-mapping-with-options [#:key-file] @deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?]
Return a @code{luks-device-mapping} object, which defines LUKS block Return a @code{luks-device-mapping} object, which defines LUKS block
device encryption using the @command{cryptsetup} command from the device encryption using the @command{cryptsetup} command from the
package with the same name. It relies on the @code{dm-crypt} Linux package with the same name. It relies on the @code{dm-crypt} Linux
@ -18483,6 +18483,15 @@ given location at the time of the unlock attempt.
(type (luks-device-mapping-with-options (type (luks-device-mapping-with-options
#:key-file "/crypto.key"))) #:key-file "/crypto.key")))
@end lisp @end lisp
@code{allow-discards?} allows the use of discard (TRIM) requests for the
underlying device. This is useful for solid state drives. However,
this option can have a negative security impact because it can make
file system level operations visible on the physical device. For more
information, refer to the description of the @code{--allow-discards}
option in the @code{cryptsetup-open(8)} man page.
@end deffn @end deffn
@defvar raid-device-mapping @defvar raid-device-mapping

38
gnu/system/mapped-devices.scm
View file

@ -194,9 +194,10 @@ option of @command{guix system}.\n")
;;; Common device mappings. ;;; Common device mappings.
;;; ;;;
(define* (open-luks-device source targets #:key key-file) (define* (open-luks-device source targets #:key key-file allow-discards?)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'." 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
requests is allowed for the underlying device."
(with-imported-modules (source-module-closure (with-imported-modules (source-module-closure
'((gnu build file-systems) '((gnu build file-systems)
(guix build utils))) ;; For mkdir-p (guix build utils))) ;; For mkdir-p
@ -234,17 +235,20 @@ option of @command{guix system}.\n")
(loop (- tries-left 1)))))) (loop (- tries-left 1))))))
(error "LUKS partition not found" source)) (error "LUKS partition not found" source))
source))) source)))
;; We want to fallback to the password unlock if the keyfile fails. (let ((cryptsetup #$(file-append cryptsetup-static
(or (and keyfile "/sbin/cryptsetup"))
(zero? (system*/tty (cryptsetup-flags (cons*
#$(file-append cryptsetup-static "/sbin/cryptsetup") "open" "--type" "luks" partition #$target
"open" "--type" "luks" (if #$allow-discards?
"--key-file" keyfile '("--allow-discards")
partition #$target))) '()))))
(zero? (system*/tty ;; We want to fallback to the password unlock if the keyfile
#$(file-append cryptsetup-static "/sbin/cryptsetup") ;; fails.
"open" "--type" "luks" (or (and keyfile
partition #$target))))))))) (zero? (apply system*/tty cryptsetup
"--key-file" keyfile cryptsetup-flags)))
(zero? (apply system*/tty cryptsetup
cryptsetup-flags))))))))))
(define (close-luks-device source targets) (define (close-luks-device source targets)
"Return a gexp that closes TARGET, a LUKS device." "Return a gexp that closes TARGET, a LUKS device."
@ -286,13 +290,15 @@ option of @command{guix system}.\n")
((gnu build file-systems) ((gnu build file-systems)
#:select (find-partition-by-luks-uuid system*/tty)))))) #:select (find-partition-by-luks-uuid system*/tty))))))
(define* (luks-device-mapping-with-options #:key key-file) (define* (luks-device-mapping-with-options #:key key-file allow-discards?)
"Return a luks-device-mapping object with open modified to pass the arguments "Return a luks-device-mapping object with open modified to pass the arguments
into the open-luks-device procedure." into the open-luks-device procedure."
(mapped-device-kind (mapped-device-kind
(inherit luks-device-mapping) (inherit luks-device-mapping)
(open (λ (source targets) (open-luks-device source targets (open (λ (source targets)
#:key-file key-file))))) (open-luks-device source targets
#:key-file key-file
#:allow-discards? allow-discards?)))))
(define (open-raid-device sources targets) (define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device "Return a gexp that assembles SOURCES (a list of devices) to the RAID device