Feature #15253
Iteration 1: Backport support for unlocking VeraCrypt partitions to udisks in Stretch
100%
Description
Development repository: https://github.com/segfault3/udisks-debian (based on Debian’s udisks2 packaging repository: https://anonscm.debian.org/git/pkg-utopia/udisks2.git)
Branch: 2.1.8-support-tcrypt
The current udisks version (and the one in Buster) uses libblockdev to handle unlocking of block devices. The version in Stretch does not, so we will have to create an additional patch for udisks in Stretch, in order to be able to ship this functionality in Tails 3.9.
Subtasks
Related issues
|
Blocks Tails - |
Resolved | 2018-04-11 |
History
#1 Updated by segfault 2018-01-25 21:42:37
- Description updated
#2 Updated by segfault 2018-04-09 12:50:29
The cryptsetup version in Stretch (1.7.3) does not support the VeraCrypt PIM parameter. We could install cryptsetup 2.0 from Buster, to have PIM support in udisks. Alternatively, we could use zuluCrypt-cli instead of cryptsetup in Tails 3.X, because the zuluCrypt-cli version in Stretch already supports PIM.
#3 Updated by segfault 2018-04-09 19:23:35
- Description updated
- Assignee changed from segfault to anonym
- QA Check set to Ready for QA
I backported our patches to the udisks version in Stretch (2.1.8-1) and created an additional patch which uses the cryptsetup command instead of libblockdev. I tested it successfully on a Debian Stretch. I omitted the support for the PIM for now, because of the issue I explained in the previous comment.
#4 Updated by segfault 2018-04-09 19:37:24
- Description updated
#5 Updated by segfault 2018-04-11 10:38:39
We need a decision regarding the PIM (see Feature #15253#note-2). Then the next step is creating a Debian package for this, see Feature #15522.
#6 Updated by intrigeri 2018-04-15 13:00:26
- blocks
Feature #15522: Iteration 1: Create custom Debian package for udisks added
#7 Updated by intrigeri 2018-04-15 13:01:19
- Status changed from Confirmed to In Progress
#8 Updated by intrigeri 2018-05-07 14:06:04
- Target version changed from Tails_3.7 to Tails_3.8
#9 Updated by intrigeri 2018-05-21 14:07:42
- Assignee changed from anonym to segfault
I think you should not block on anonym for this. If you need help / uploads, ask me (or possibly u if she’s fine with that).
#10 Updated by intrigeri 2018-06-03 11:47:26
- QA Check changed from Ready for QA to Info Needed
Do I get it right that there’s no branch based on upstream 2.1.8 with the backported work, and then I should compare https://github.com/segfault3/udisks/tree/support-tcrypt (for upstream) with https://github.com/segfault3/udisks-debian/tree/2.1.8-support-tcrypt (backported for Stretch), right?
Then please reassign to me :)
#11 Updated by intrigeri 2018-06-04 19:36:40
- Target version changed from Tails_3.8 to Tails_3.9
#12 Updated by segfault 2018-06-05 08:40:20
- Assignee changed from segfault to intrigeri
- QA Check changed from Info Needed to Ready for QA
intrigeri wrote:
> Do I get it right that there’s no branch based on upstream 2.1.8 with the backported work, and then I should compare https://github.com/segfault3/udisks/tree/support-tcrypt (for upstream) with https://github.com/segfault3/udisks-debian/tree/2.1.8-support-tcrypt (backported for Stretch), right?
Correct. (And those repos are the right ones, I didn’t move them to gitlab.)
#13 Updated by intrigeri 2018-06-05 09:33:13
- Assignee changed from intrigeri to segfault
- % Done changed from 0 to 60
- QA Check changed from Ready for QA to Info Needed
Disclaimer: as you know I’m not a C developer so I might write very stupid things here.
It feels like you’ve backported a slightly older version of the patches that got merged upstream, e.g. BYTES_TO_CHECK vs. CHI_SQUARE_BYTES_TO_CHECK, discrepancies in the doc, no support for udisks_daemon_get_enable_tcrypt, no error handling of the seems_encrypted method call return value and so on. Right?
In most cases that seems to be a detail not worth spending more time on to backport stuff again, but:
- Can you please compare the patches and check that we can do without every such improvement that’s part of the version merged upstream? If you already did that since your udisks2 + libblockdev work was merged upstream, cool: just tell me :)
- In the backported version I see
{} /* LUKS is detectable, so we don't have to set the hint */while upstream I seeudisks_encrypted_set_hint_encryption_type (encrypted, "LUKS"). Maybe that should be backported too?
#14 Updated by segfault 2018-07-06 07:45:37
- Assignee changed from segfault to intrigeri
- QA Check changed from Info Needed to Ready for QA
Sorry, I forgot about this and just noticed that this was not resolved yet.
intrigeri wrote:
> Disclaimer: as you know I’m not a C developer so I might write very stupid things here.
>
> It feels like you’ve backported a slightly older version of the patches that got merged upstream, e.g. BYTES_TO_CHECK vs. CHI_SQUARE_BYTES_TO_CHECK, discrepancies in the doc, no support for udisks_daemon_get_enable_tcrypt, no error handling of the seems_encrypted method call return value and so on. Right?
Yes. That is mainly because I didn’t backport style changes.
> In most cases that seems to be a detail not worth spending more time on to backport stuff again, but:
>
> * Can you please compare the patches and check that we can do without every such improvement that’s part of the version merged upstream? If you already did that since your udisks2 + libblockdev work was merged upstream, cool: just tell me :)
I did that now and found no differences worth backporting.
> * In the backported version I see {} /* LUKS is detectable, so we don't have to set the hint */ while upstream I see udisks_encrypted_set_hint_encryption_type (encrypted, "LUKS"). Maybe that should be backported too?
No, that hint really doesn’t make any difference, it is never used for LUKS.
#15 Updated by intrigeri 2018-07-06 11:44:42
- Status changed from In Progress to Resolved
- Assignee deleted (
intrigeri) - % Done changed from 60 to 100
- QA Check changed from Ready for QA to Pass
Thanks!