def _create(self, **kwargs):
log_method_call(self, device=self.device,
type=self.type, status=self.status)
super(LUKS, self)._create(**kwargs) # set up the event sync
if not self.pbkdf_args and self.luks_version == "luks2":
if luks_data.pbkdf_args:
self.pbkdf_args = luks_data.pbkdf_args
else:
mem_limit = crypto.calculate_luks2_max_memory()
if mem_limit:
self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
luks_data.pbkdf_args = self.pbkdf_args
log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
if self.pbkdf_args:
pbkdf = blockdev.CryptoLUKSPBKDF(type=self.pbkdf_args.type,
hash=None,
max_memory_kb=self.pbkdf_args.max_memory_kb,
iterations=self.pbkdf_args.iterations,
time_ms=self.pbkdf_args.time_ms)
extra = blockdev.CryptoLUKSExtra(pbkdf=pbkdf)
else:
extra = None
blockdev.crypto.luks_format(self.device,
passphrase=self.__passphrase,
key_file=self._key_file,
cipher=self.cipher,
key_size=self.key_size,
min_entropy=self.min_luks_entropy,
luks_version=crypto.LUKS_VERSIONS[self.luks_version],
extra=extra)
def test_luks2_format(self):
"""Verify that formating device as LUKS 2 works"""
# no passphrase nor keyfile
with self.assertRaises(GLib.GError):
BlockDev.crypto_luks_format(self.loop_dev, None, 0, None, None, 0)
# the simple case with password
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, PASSWD,
None, 0)
self.assertTrue(succ)
# create with a keyfile
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0)
self.assertTrue(succ)
# the simple case with password blob
succ = BlockDev.crypto_luks_format_blob(self.loop_dev,
"aes-cbc-essiv:sha256", 0,
[ord(c) for c in PASSWD], 0)
self.assertTrue(succ)
# simple case with extra options
extra = BlockDev.CryptoLUKSExtra(label="blockdevLUKS")
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, label, _err = run_command("lsblk -oLABEL -n %s" % self.loop_dev)
self.assertEqual(label, "blockdevLUKS")
# different key derivation function
pbkdf = BlockDev.CryptoLUKSPBKDF(type="pbkdf2")
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"PBKDF:\s*(\S+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(m.group(1), "pbkdf2")
# different options for argon2 -- all parameters set
pbkdf = BlockDev.CryptoLUKSPBKDF(type="argon2id",
max_memory_kb=100 * 1024,
iterations=10,
parallel_threads=1)
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"PBKDF:\s*(\S+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(m.group(1), "argon2id")
m = re.search(r"Memory:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
# both iterations and memory is set --> cryptsetup will use exactly max_memory_kb
self.assertEqual(int(m.group(1)), 100 * 1024)
m = re.search(r"Threads:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(int(m.group(1)), 1)
m = re.search(r"Time cost:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(int(m.group(1)), 10)
# different options for argon2 -- only memory set
pbkdf = BlockDev.CryptoLUKSPBKDF(max_memory_kb=100 * 1024)
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"Memory:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
# only memory is set -> cryptsetup will run a benchmark and use
# at most max_memory_kb
self.assertLessEqual(int(m.group(1)), 100 * 1024)
# different options for argon2 -- only miterations set
pbkdf = BlockDev.CryptoLUKSPBKDF(iterations=5)
extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
succ = BlockDev.crypto_luks_format(self.loop_dev,
"aes-cbc-essiv:sha256", 0, None,
self.keyfile, 0,
BlockDev.CryptoLUKSVersion.LUKS2,
extra)
self.assertTrue(succ)
_ret, out, err = run_command("cryptsetup luksDump %s" % self.loop_dev)
m = re.search(r"Time cost:\s*(\d+)\s*", out)
if not m or len(m.groups()) != 1:
self.fail("Failed to get pbkdf information from:\n%s %s" %
(out, err))
self.assertEqual(int(m.group(1)), 5)
