Loading pkgs/by-name/bc/bcachefs-tools/fix-encrypted-boot.patch 0 → 100644 +92 −0 Original line number Diff line number Diff line From f76ad4da12e6a65550d564bb626a1429ae75433a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= <tmuehlbacher@posteo.net> Date: Thu, 9 May 2024 23:52:47 +0200 Subject: [PATCH 1/2] `check_for_key` before `ask_for_passphrase` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit let's always first check if there is already a key in the keyring available before we try to get the key from some more involved means. Fixes: #261 Signed-off-by: Thomas Mühlbacher <tmuehlbacher@posteo.net> --- src/commands/mount.rs | 13 +++++++++++-- src/key.rs | 4 +++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/commands/mount.rs b/src/commands/mount.rs index 9414c77f..34a741cb 100644 --- a/src/commands/mount.rs +++ b/src/commands/mount.rs @@ -344,8 +344,17 @@ fn cmd_mount_inner(opt: Cli) -> anyhow::Result<()> { if block_devices_to_mount.len() == 0 { Err(anyhow::anyhow!("No device found from specified parameters"))?; } - // Check if the filesystem's master key is encrypted - if unsafe { bcachefs::bch2_sb_is_encrypted_and_locked(block_devices_to_mount[0].sb) } { + + let key_name = CString::new(format!( + "bcachefs:{}", + block_devices_to_mount[0].sb().uuid() + )) + .unwrap(); + + // Check if the filesystem's master key is encrypted and we don't have a key + if unsafe { bcachefs::bch2_sb_is_encrypted_and_locked(block_devices_to_mount[0].sb) } + && !key::check_for_key(&key_name)? + { // First by password_file, if available let fallback_to_unlock_policy = if let Some(passphrase_file) = &opt.passphrase_file { match key::read_from_passphrase_file(&block_devices_to_mount[0], passphrase_file.as_path()) { diff --git a/src/key.rs b/src/key.rs index d0018805..568b3cdb 100644 --- a/src/key.rs +++ b/src/key.rs @@ -58,7 +58,7 @@ impl fmt::Display for UnlockPolicy { } } -fn check_for_key(key_name: &std::ffi::CStr) -> anyhow::Result<bool> { +pub fn check_for_key(key_name: &std::ffi::CStr) -> anyhow::Result<bool> { use bch_bindgen::keyutils::{self, keyctl_search}; let key_name = key_name.to_bytes_with_nul().as_ptr() as *const _; let key_type = c_str!("user"); @@ -86,10 +86,12 @@ fn wait_for_unlock(uuid: &uuid::Uuid) -> anyhow::Result<()> { } } +// blocks indefinitely if no input is available on stdin fn ask_for_passphrase(sb: &bch_sb_handle) -> anyhow::Result<()> { let passphrase = if stdin().is_terminal() { rpassword::prompt_password("Enter passphrase: ")? } else { + info!("Trying to read passphrase from stdin..."); let mut line = String::new(); stdin().read_line(&mut line)?; line From 734ccc58f42c3cccb0960bdd84808839e2b62ca9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= <tmuehlbacher@posteo.net> Date: Sun, 12 May 2024 19:39:19 +0200 Subject: [PATCH 2/2] fix unfortunate typo causes mounting encrypted devices to become stuck in a busy loop. --- include/crypto/skcipher.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h index 70905a5a..833729dc 100644 --- a/include/crypto/skcipher.h +++ b/include/crypto/skcipher.h @@ -112,7 +112,7 @@ static inline void skcipher_request_set_sync_tfm(struct skcipher_request *req, skcipher_request_set_tfm(req, &tfm->base); } -#define skcipher_request_set_callback(...) do {} while (9) +#define skcipher_request_set_callback(...) do {} while (0) static inline void skcipher_request_set_crypt( struct skcipher_request *req, pkgs/tools/filesystems/bcachefs-tools/default.nix→pkgs/by-name/bc/bcachefs-tools/package.nix +8 −10 Original line number Diff line number Diff line Loading @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, fetchpatch, pkg-config, libuuid, libsodium, Loading @@ -27,13 +26,15 @@ stdenv.mkDerivation (finalAttrs: { pname = "bcachefs-tools"; version = "1.7.0"; version = "1.7.0-unstable-2024-05-09"; src = fetchFromGitHub { owner = "koverstreet"; repo = "bcachefs-tools"; rev = "v${finalAttrs.version}"; hash = "sha256-nHT18bADESDBHoo9P+J3gGc092hRYs2vaWupgqlkvaA="; # FIXME: switch to a tagged release once available > 1.7.0 # Fix for https://github.com/NixOS/nixpkgs/issues/313350 rev = "3ac510f6a41feb1b695381fa30869d557c00b822"; hash = "sha256-ZmkeYPiCy7vkXnMFbtUF4761K+I+Ef7UbmSY7dJG09U="; }; nativeBuildInputs = [ Loading Loading @@ -76,10 +77,7 @@ stdenv.mkDerivation (finalAttrs: { patches = [ # code refactoring of bcachefs-tools broke reading passphrases from stdin (vs. terminal) # upstream issue https://github.com/koverstreet/bcachefs-tools/issues/261 (fetchpatch { url = "https://github.com/koverstreet/bcachefs-tools/commit/38b0cb721d2a35f5a4af429bc7bd367461f2fa26.patch"; hash = "sha256-/9reye+Qoa+EMkS+wfdX+KwDeLHHJ/S+Qm7sWl0MtqM="; }) ./fix-encrypted-boot.patch ]; preCheck = lib.optionalString (!fuseSupport) '' Loading @@ -95,7 +93,7 @@ stdenv.mkDerivation (finalAttrs: { postInstall = '' substituteInPlace $out/libexec/bcachefsck_all \ --replace "/usr/bin/python3" "${python3}/bin/python3" --replace-fail "/usr/bin/python3" "${python3}/bin/python3" ''; passthru = { Loading pkgs/top-level/all-packages.nix +0 −2 Original line number Diff line number Diff line Loading @@ -3484,8 +3484,6 @@ with pkgs; bazarr = callPackage ../servers/bazarr { }; bcachefs-tools = callPackage ../tools/filesystems/bcachefs-tools { }; bisq-desktop = callPackage ../applications/blockchains/bisq-desktop { openjdk11 = openjdk11.override { enableJavaFX = true; }; }; Loading
pkgs/by-name/bc/bcachefs-tools/fix-encrypted-boot.patch 0 → 100644 +92 −0 Original line number Diff line number Diff line From f76ad4da12e6a65550d564bb626a1429ae75433a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= <tmuehlbacher@posteo.net> Date: Thu, 9 May 2024 23:52:47 +0200 Subject: [PATCH 1/2] `check_for_key` before `ask_for_passphrase` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit let's always first check if there is already a key in the keyring available before we try to get the key from some more involved means. Fixes: #261 Signed-off-by: Thomas Mühlbacher <tmuehlbacher@posteo.net> --- src/commands/mount.rs | 13 +++++++++++-- src/key.rs | 4 +++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/commands/mount.rs b/src/commands/mount.rs index 9414c77f..34a741cb 100644 --- a/src/commands/mount.rs +++ b/src/commands/mount.rs @@ -344,8 +344,17 @@ fn cmd_mount_inner(opt: Cli) -> anyhow::Result<()> { if block_devices_to_mount.len() == 0 { Err(anyhow::anyhow!("No device found from specified parameters"))?; } - // Check if the filesystem's master key is encrypted - if unsafe { bcachefs::bch2_sb_is_encrypted_and_locked(block_devices_to_mount[0].sb) } { + + let key_name = CString::new(format!( + "bcachefs:{}", + block_devices_to_mount[0].sb().uuid() + )) + .unwrap(); + + // Check if the filesystem's master key is encrypted and we don't have a key + if unsafe { bcachefs::bch2_sb_is_encrypted_and_locked(block_devices_to_mount[0].sb) } + && !key::check_for_key(&key_name)? + { // First by password_file, if available let fallback_to_unlock_policy = if let Some(passphrase_file) = &opt.passphrase_file { match key::read_from_passphrase_file(&block_devices_to_mount[0], passphrase_file.as_path()) { diff --git a/src/key.rs b/src/key.rs index d0018805..568b3cdb 100644 --- a/src/key.rs +++ b/src/key.rs @@ -58,7 +58,7 @@ impl fmt::Display for UnlockPolicy { } } -fn check_for_key(key_name: &std::ffi::CStr) -> anyhow::Result<bool> { +pub fn check_for_key(key_name: &std::ffi::CStr) -> anyhow::Result<bool> { use bch_bindgen::keyutils::{self, keyctl_search}; let key_name = key_name.to_bytes_with_nul().as_ptr() as *const _; let key_type = c_str!("user"); @@ -86,10 +86,12 @@ fn wait_for_unlock(uuid: &uuid::Uuid) -> anyhow::Result<()> { } } +// blocks indefinitely if no input is available on stdin fn ask_for_passphrase(sb: &bch_sb_handle) -> anyhow::Result<()> { let passphrase = if stdin().is_terminal() { rpassword::prompt_password("Enter passphrase: ")? } else { + info!("Trying to read passphrase from stdin..."); let mut line = String::new(); stdin().read_line(&mut line)?; line From 734ccc58f42c3cccb0960bdd84808839e2b62ca9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= <tmuehlbacher@posteo.net> Date: Sun, 12 May 2024 19:39:19 +0200 Subject: [PATCH 2/2] fix unfortunate typo causes mounting encrypted devices to become stuck in a busy loop. --- include/crypto/skcipher.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h index 70905a5a..833729dc 100644 --- a/include/crypto/skcipher.h +++ b/include/crypto/skcipher.h @@ -112,7 +112,7 @@ static inline void skcipher_request_set_sync_tfm(struct skcipher_request *req, skcipher_request_set_tfm(req, &tfm->base); } -#define skcipher_request_set_callback(...) do {} while (9) +#define skcipher_request_set_callback(...) do {} while (0) static inline void skcipher_request_set_crypt( struct skcipher_request *req,
pkgs/tools/filesystems/bcachefs-tools/default.nix→pkgs/by-name/bc/bcachefs-tools/package.nix +8 −10 Original line number Diff line number Diff line Loading @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, fetchpatch, pkg-config, libuuid, libsodium, Loading @@ -27,13 +26,15 @@ stdenv.mkDerivation (finalAttrs: { pname = "bcachefs-tools"; version = "1.7.0"; version = "1.7.0-unstable-2024-05-09"; src = fetchFromGitHub { owner = "koverstreet"; repo = "bcachefs-tools"; rev = "v${finalAttrs.version}"; hash = "sha256-nHT18bADESDBHoo9P+J3gGc092hRYs2vaWupgqlkvaA="; # FIXME: switch to a tagged release once available > 1.7.0 # Fix for https://github.com/NixOS/nixpkgs/issues/313350 rev = "3ac510f6a41feb1b695381fa30869d557c00b822"; hash = "sha256-ZmkeYPiCy7vkXnMFbtUF4761K+I+Ef7UbmSY7dJG09U="; }; nativeBuildInputs = [ Loading Loading @@ -76,10 +77,7 @@ stdenv.mkDerivation (finalAttrs: { patches = [ # code refactoring of bcachefs-tools broke reading passphrases from stdin (vs. terminal) # upstream issue https://github.com/koverstreet/bcachefs-tools/issues/261 (fetchpatch { url = "https://github.com/koverstreet/bcachefs-tools/commit/38b0cb721d2a35f5a4af429bc7bd367461f2fa26.patch"; hash = "sha256-/9reye+Qoa+EMkS+wfdX+KwDeLHHJ/S+Qm7sWl0MtqM="; }) ./fix-encrypted-boot.patch ]; preCheck = lib.optionalString (!fuseSupport) '' Loading @@ -95,7 +93,7 @@ stdenv.mkDerivation (finalAttrs: { postInstall = '' substituteInPlace $out/libexec/bcachefsck_all \ --replace "/usr/bin/python3" "${python3}/bin/python3" --replace-fail "/usr/bin/python3" "${python3}/bin/python3" ''; passthru = { Loading
pkgs/top-level/all-packages.nix +0 −2 Original line number Diff line number Diff line Loading @@ -3484,8 +3484,6 @@ with pkgs; bazarr = callPackage ../servers/bazarr { }; bcachefs-tools = callPackage ../tools/filesystems/bcachefs-tools { }; bisq-desktop = callPackage ../applications/blockchains/bisq-desktop { openjdk11 = openjdk11.override { enableJavaFX = true; }; };
