V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 00:27:27 +01:00
parent ac32202060
commit 89e5a0b72a
5 changed files with 29 additions and 17 deletions
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -141,14 +141,14 @@ partition_encryption() {

          var_filesystem_label=$(get_label "${var_encryption_path}" "${var_fs}" "file")

-          mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}" 1M
-          do_log "info" "file_only" "3220() Ephemeral: '${var_encryption_path}' prepared on: '/dev/${var_dev}'."
+          #mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}" 1M
+          #do_log "info" "file_only" "3220() Ephemeral: '${var_encryption_path}' prepared on: '/dev/${var_dev}'."

-          var_fs_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
+          #var_fs_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
          ### Gathering information for '/etc/fstab'-generation in 4040() and '/etc/crypttab'-generation in 4060().
          # shellcheck disable=SC2034
-          HMP_PATH_FSUUID["${var_encryption_path}"]="${var_fs_uuid}"
-          do_log "debug" "file_only" "3220() [HMP_PATH_FSUUID]       : '${var_encryption_path}' -> '${HMP_PATH_FSUUID["${var_encryption_path}"]}'"
+          #HMP_PATH_FSUUID["${var_encryption_path}"]="${var_fs_uuid}"
+          #do_log "debug" "file_only" "3220() [HMP_PATH_FSUUID]       : '${var_encryption_path}' -> '${HMP_PATH_FSUUID["${var_encryption_path}"]}'"

          HMP_EPHEMERAL_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
          HMP_EPHEMERAL_FS_LABEL["${var_encryption_path}"]="${var_filesystem_label}"
--- a/func/cdi_3200_partitioning/3240_partition_formatting.sh
+++ b/func/cdi_3200_partitioning/3240_partition_formatting.sh
@@ -59,7 +59,7 @@ partition_formatting() {

    case "${var_format_path,,}" in
      swap|/tmp)
-        do_log "info" "file_only" "3240() Partition: '/dev/${var_dev}' ephemeral encryption already prepared in 3220(): '${var_format_path}'."
+        do_log "info" "file_only" "3240() Partition: '/dev/${var_dev}' ephemeral encryption devices do not need formatting: '${var_format_path}'."
        ### Nothing more to do here.
        continue
        ;;
--- a/func/cdi_3200_partitioning/3280_mount_partition.sh
+++ b/func/cdi_3200_partitioning/3280_mount_partition.sh
@@ -187,7 +187,7 @@ mount_partition() {
  declare     var_mount_path="" var_dev_part="" var_dev="" var_btrfs_options="" \
              var_encryption_label="" var_fs_btrfs_compress="" var_fs_btrfs_level="" var_fs_btrfs_snapshot="" \
              var_fs_btrfs_subvolume="" var_fs_version="" var_mount_options="" var_mount_optsnap="" var_mount_path="" \
-              var_snapshot="" var_fs_uuid=""
+              var_snapshot="" var_fs_uuid="" var_partuuid=""

  declare -a  ary_cmd=() ary_cmd_mount=()

@@ -213,6 +213,7 @@ mount_partition() {
    fi

    var_fs_uuid="${HMP_PATH_FSUUID["${var_mount_path}"]}"
+    var_partuuid="${HMP_PATH_PARTUUID["${var_mount_path}"]}"

    if [[ -z "${var_fs_uuid}" ]]; then
      do_log "error" "file_only" "3280() FS-UUID for mount path: '${var_mount_path}' not found in: 'HMP_PATH_FSUUID'."
@@ -222,9 +223,14 @@ mount_partition() {
    ### Mounting of Ephemeral 'SWAP' and '/tmp' as per https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#UUID_and_LABEL
    if [[ "${var_mount_path,,}" == "swap" ]]; then

-      cryptsetup open --type plain --key-file /dev/random \
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-        --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      #cryptsetup open --type plain --key-file /dev/random \
+      #  --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+      #  --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+
+      cryptsetup open --type plain --hash=plain \
+        --key-file /dev/random --keyfile-size 256 \
+        --cipher aes-xts-plain64 --key-size 512 \
+        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"

      mkswap "/dev/mapper/${var_encryption_label}"
      do_log "debug" "file_only" "3280() [mkswap /dev/mapper/${var_encryption_label}]."
@@ -239,9 +245,14 @@ mount_partition() {

    elif [[ "${var_mount_path,,}" == "/tmp" ]]; then

-      cryptsetup open --type plain --key-file /dev/random \
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-        --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      #cryptsetup open --type plain --key-file /dev/random \
+      #  --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+      #  --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+
+      cryptsetup open --type plain --hash=plain \
+        --key-file /dev/random --keyfile-size 256 \
+        --cipher aes-xts-plain64 --key-size 512 \
+        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"

      mkdir -p "${TARGET}/tmp"