mapped-devices/luks: Add support for --allow-discards.
* gnu/system/mapped-devices.scm (open-luks-device): Support opening LUKS devices with the --allow-discards option. * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): Pass through the allow-discards? keyword argument. * doc/guix.texi (Mapped Devices): Update documentation for the luks-device-mapping-with-options procedure. Co-authored-by: Sisiutl <sisiutl@egregore.fun> Modified-by: Maxim Cournoyer <maxim.cournoyer@gmail.com> Change-Id: Iff82d7d548486f028d19f6aa35dd30ca194f57cc
This commit is contained in:
parent
8984d4bbb2
commit
7aa855b05b
2 changed files with 32 additions and 17 deletions
|
@ -18461,7 +18461,7 @@ command from the package with the same name. It relies on the
|
||||||
@code{dm-crypt} Linux kernel module.
|
@code{dm-crypt} Linux kernel module.
|
||||||
@end defvar
|
@end defvar
|
||||||
|
|
||||||
@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
|
@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?]
|
||||||
Return a @code{luks-device-mapping} object, which defines LUKS block
|
Return a @code{luks-device-mapping} object, which defines LUKS block
|
||||||
device encryption using the @command{cryptsetup} command from the
|
device encryption using the @command{cryptsetup} command from the
|
||||||
package with the same name. It relies on the @code{dm-crypt} Linux
|
package with the same name. It relies on the @code{dm-crypt} Linux
|
||||||
|
@ -18483,6 +18483,15 @@ given location at the time of the unlock attempt.
|
||||||
(type (luks-device-mapping-with-options
|
(type (luks-device-mapping-with-options
|
||||||
#:key-file "/crypto.key")))
|
#:key-file "/crypto.key")))
|
||||||
@end lisp
|
@end lisp
|
||||||
|
|
||||||
|
|
||||||
|
@code{allow-discards?} allows the use of discard (TRIM) requests for the
|
||||||
|
underlying device. This is useful for solid state drives. However,
|
||||||
|
this option can have a negative security impact because it can make
|
||||||
|
file system level operations visible on the physical device. For more
|
||||||
|
information, refer to the description of the @code{--allow-discards}
|
||||||
|
option in the @code{cryptsetup-open(8)} man page.
|
||||||
|
|
||||||
@end deffn
|
@end deffn
|
||||||
|
|
||||||
@defvar raid-device-mapping
|
@defvar raid-device-mapping
|
||||||
|
|
|
@ -194,9 +194,10 @@ option of @command{guix system}.\n")
|
||||||
;;; Common device mappings.
|
;;; Common device mappings.
|
||||||
;;;
|
;;;
|
||||||
|
|
||||||
(define* (open-luks-device source targets #:key key-file)
|
(define* (open-luks-device source targets #:key key-file allow-discards?)
|
||||||
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
|
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
|
||||||
'cryptsetup'."
|
'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
|
||||||
|
requests is allowed for the underlying device."
|
||||||
(with-imported-modules (source-module-closure
|
(with-imported-modules (source-module-closure
|
||||||
'((gnu build file-systems)
|
'((gnu build file-systems)
|
||||||
(guix build utils))) ;; For mkdir-p
|
(guix build utils))) ;; For mkdir-p
|
||||||
|
@ -234,17 +235,20 @@ option of @command{guix system}.\n")
|
||||||
(loop (- tries-left 1))))))
|
(loop (- tries-left 1))))))
|
||||||
(error "LUKS partition not found" source))
|
(error "LUKS partition not found" source))
|
||||||
source)))
|
source)))
|
||||||
;; We want to fallback to the password unlock if the keyfile fails.
|
(let ((cryptsetup #$(file-append cryptsetup-static
|
||||||
(or (and keyfile
|
"/sbin/cryptsetup"))
|
||||||
(zero? (system*/tty
|
(cryptsetup-flags (cons*
|
||||||
#$(file-append cryptsetup-static "/sbin/cryptsetup")
|
"open" "--type" "luks" partition #$target
|
||||||
"open" "--type" "luks"
|
(if #$allow-discards?
|
||||||
"--key-file" keyfile
|
'("--allow-discards")
|
||||||
partition #$target)))
|
'()))))
|
||||||
(zero? (system*/tty
|
;; We want to fallback to the password unlock if the keyfile
|
||||||
#$(file-append cryptsetup-static "/sbin/cryptsetup")
|
;; fails.
|
||||||
"open" "--type" "luks"
|
(or (and keyfile
|
||||||
partition #$target)))))))))
|
(zero? (apply system*/tty cryptsetup
|
||||||
|
"--key-file" keyfile cryptsetup-flags)))
|
||||||
|
(zero? (apply system*/tty cryptsetup
|
||||||
|
cryptsetup-flags))))))))))
|
||||||
|
|
||||||
(define (close-luks-device source targets)
|
(define (close-luks-device source targets)
|
||||||
"Return a gexp that closes TARGET, a LUKS device."
|
"Return a gexp that closes TARGET, a LUKS device."
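Review bot: In the new `cryptsetup-flags` binding, `--allow-discards` is appended after the positional `partition #$target` operands, so the command becomes `cryptsetup open --type luks DEV NAME --allow-discards`; as far as I know this only works because cryptsetup's option parser tolerates options after operands, whereas cryptsetup-open(8) documents options before the device and name. Building the list as `(append (list "open" "--type" "luks") (if #$allow-discards? '("--allow-discards") '()) (list partition #$target))` keeps the documented order and reads more directly than the cons* tail. The new docstring in the earlier hunk could also carry the trade-off the manual hunk states, e.g. a sentence such as "Note that discards can make file-system-level activity observable on the physical device." so that callers of open-luks-device see it without consulting the manual. The enclosing open-luks-device definition starts in the previous hunk, outside this one.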
|
||||||
|
@ -286,13 +290,15 @@ option of @command{guix system}.\n")
|
||||||
((gnu build file-systems)
|
((gnu build file-systems)
|
||||||
#:select (find-partition-by-luks-uuid system*/tty))))))
|
#:select (find-partition-by-luks-uuid system*/tty))))))
|
||||||
|
|
||||||
(define* (luks-device-mapping-with-options #:key key-file)
|
(define* (luks-device-mapping-with-options #:key key-file allow-discards?)
|
||||||
"Return a luks-device-mapping object with open modified to pass the arguments
|
"Return a luks-device-mapping object with open modified to pass the arguments
|
||||||
into the open-luks-device procedure."
|
into the open-luks-device procedure."
|
||||||
(mapped-device-kind
|
(mapped-device-kind
|
||||||
(inherit luks-device-mapping)
|
(inherit luks-device-mapping)
|
||||||
(open (λ (source targets) (open-luks-device source targets
|
(open (λ (source targets)
|
||||||
#:key-file key-file)))))
|
(open-luks-device source targets
|
||||||
|
#:key-file key-file
|
||||||
|
#:allow-discards? allow-discards?)))))
|
||||||
|
|
||||||
(define (open-raid-device sources targets)
|
(define (open-raid-device sources targets)
|
||||||
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
|
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
|
||||||
|
|