Merge pull request #1399 from ancorgs/pervasive_options_sp7

New options for pervasive encryption, first prototype
yast · Jan 21, 2025 · 9a52844 · 9a52844
2 parents 9fe8af2 + bb1850d
commit 9a52844
Show file tree

Hide file tree

Showing 29 changed files with 1,201 additions and 189 deletions.
diff --git a/package/yast2-storage-ng.changes b/package/yast2-storage-ng.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jan 21 09:43:35 UTC 2025 - Ancor Gonzalez Sosa <[email protected]>
+
+- Pervasive encryption: support for AES-CIPHER and EP11 and better
+  user interface at Partitioner (jsc#IBM-1444, jsc#PED-9558).
+- 4.7.2
+
+-------------------------------------------------------------------
 Thu Sep 19 13:42:45 UTC 2024 - Stefan Hundhammer <[email protected]>
 
 - Use the newer exfatprogs instead of exfat-utils (bsc#1187854)

diff --git a/package/yast2-storage-ng.spec b/package/yast2-storage-ng.spec
@@ -16,7 +16,7 @@
 #
 
 Name:           yast2-storage-ng
-Version:        4.7.1
+Version:        4.7.2
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only

diff --git a/src/lib/y2partitioner/actions/controllers/encryption.rb b/src/lib/y2partitioner/actions/controllers/encryption.rb
@@ -1,4 +1,4 @@
-# Copyright (c) [2019-2020] SUSE LLC
+# Copyright (c) [2019-2025] SUSE LLC
 #
 # All Rights Reserved.
 #
@@ -55,6 +55,9 @@ class Encryption < Base
         # @return [Array<Y2Storage:.EncryptionProcesses::Apqn>]
         attr_accessor :apqns
 
+        # @return [String] Type for the new secure key for pervasive encryption
+        attr_accessor :secure_key_type
+
         # @return [String] Label for the encryption device if the method supports setting one
         attr_accessor :label
 
@@ -74,6 +77,7 @@ def initialize(fs_controller)
           @pbkdf = encryption&.pbkdf
           @method = initial_method
           @apqns = initial_apqns
+          @secure_key_type = initial_secure_key_type
           @label = initial_label
         end
 
@@ -151,7 +155,7 @@ def secure_key
         #
         # @return [Array<Y2Storage::EncryptionProcesses::Apqn>]
         def online_apqns
-          @online_apqns ||= Y2Storage::EncryptionProcesses::Apqn.online
+          @online_apqns ||= Y2Storage::EncryptionProcesses::Apqn.online.select(&:master_key_pattern)
         end
 
         # Finds an online APQN by its name
@@ -165,16 +169,19 @@ def find_apqn(name)
         # Tests the generation of a secure key
         #
         # Note that the command for generating a secure key might fail when the APQNs are not correctly
-        # configured. An APQN without a master key makes the command to tail. All the APQNs used for
+        # configured. An APQN without a master key makes the command fail. All the APQNs used for
         # generating the secure key must have the same master key.
         #
         # @param apqns [Array<Y2Storage::EncryptionProcesses::Apqn>]
+        # @param key_type [String]
         # @return [String, nil] error message or nil if the secure key can be generated
-        def test_secure_key_generation(apqns: [])
+        def test_secure_key_generation(apqns, key_type)
           key_name = "yast2_tmp_secure_key_test"
 
           begin
-            key = Y2Storage::EncryptionProcesses::SecureKey.generate!(key_name, apqns: apqns)
+            key = Y2Storage::EncryptionProcesses::SecureKey.generate!(
+              key_name, apqns: apqns, key_type: key_type
+            )
           rescue Cheetah::ExecutionFailed => e
             return e.message
           end
@@ -224,12 +231,21 @@ def initial_method
         # @return [Array<Y2Storage::EncryptionProcesses::Apqn>]
         def initial_apqns
           process = encryption&.encryption_process
-
           return [] unless process.respond_to?(:apqns)
 
           process.apqns
         end
 
+        # Currently used key type when the device is encrypted with pervasive encryption
+        #
+        # @return [String, nil]
+        def initial_secure_key_type
+          process = encryption&.encryption_process
+          return nil unless process.respond_to?(:key_type)
+
+          process.key_type
+        end
+
         # Currently used label when the device is encrypted with an encryption method that
         # supports setting such a label
         #
@@ -358,7 +374,8 @@ def finish_remove
         def finish_encrypt
           blk_device.remove_encryption if blk_device.encrypted?
           blk_device.encrypt(
-            method: method, password: password, apqns: apqns, label: label, pbkdf: pbkdf
+            method: method, password: password, label: label, pbkdf: pbkdf,
+            apqns: apqns, key_type: secure_key_type
           )
         end
 

diff --git a/src/lib/y2partitioner/widgets/apqn_selector.rb b/src/lib/y2partitioner/widgets/apqn_selector.rb
@@ -1,4 +1,4 @@
-# Copyright (c) [2020] SUSE LLC
+# Copyright (c) [2020-2025] SUSE LLC
 #
 # All Rights Reserved.
 #
@@ -19,66 +19,120 @@
 
 require "yast2/popup"
 require "cwm"
-require "y2partitioner/actions/controllers/encryption"
 
 module Y2Partitioner
   module Widgets
     # Widget to select APQNs for generating a new secure key for pervasive encryption
-    class ApqnSelector < CWM::MultiSelectionBox
+    class ApqnSelector < CWM::ReplacePoint
+      # Internal widget used when there are several candidate APQNs for the given key
+      class ApqnMultiSelector < CWM::MultiSelectionBox
+        # Constructor
+        def initialize(id, all_apqns, selected_apqns)
+          super()
+          textdomain "storage"
+
+          self.widget_id = id
+          @apqns = all_apqns
+          @selected_apqns = selected_apqns
+        end
+
+        # @return [String]
+        def label
+          _("Available APQNs:")
+        end
+
+        # @return [Array<String, String>]
+        def items
+          @apqns.map { |a| [a, a] }
+        end
+
+        def init
+          self.value = @selected_apqns
+        end
+      end
+
       # Constructor
-      #
-      # @param controller [Actions::Controllers::Encryption]
-      # @param enable [Boolean] whether the widget should be enabled on init
-      def initialize(controller, enable: true)
-        super()
+      def initialize(apqns_by_key, initial_key, initial_apqns, enable: true)
         textdomain "storage"
 
-        @controller = controller
+        @apqns_by_key = apqns_by_key
+        @initial_key = initial_key
+        @initial_apqns = initial_apqns
         @enable_on_init = enable
-      end
 
-      # @return [String]
-      def label
-        _("Available APQNs:")
+        super(id: "apqn_selector", widget: widgets_by_key[initial_key])
       end
 
       # @macro seeAbstractWidget
       def init
+        super
         enable_on_init ? enable : disable
-        self.value = controller.apqns
       end
 
-      # @return [Array<String, String>]
-      def items
-        controller.online_apqns.map { |d| [d.name, d.name] }
+      # @macro seeAbstractWidget
+      #
+      # Note its internal widget needs to be enabled.
+      def enable
+        super
+
+        widgets_by_key.each_value { |w| w.enable if w.respond_to?(:enable) }
       end
 
-      # All selected APQNs
+      # @macro seeAbstractWidget
       #
-      # @return [Array<Y2Storage::EncryptionProcesses::Apqn>]
-      def value
-        super.map { |d| controller.find_apqn(d) }.compact
+      # Note its internal widget needs to be disabled.
+      def disable
+        super
+
+        widgets_by_key.each_value { |w| w.disable if w.respond_to?(:disable) }
       end
 
-      # Sets selected APQNs
+      # Redraws the widget to show the options for given master key
       #
-      # @param apqns [Array<Y2Storage::EncryptionProcesses::Apqn>]
-      def value=(apqns)
-        super(apqns.map(&:name))
+      # @param key [String]
+      def refresh(key)
+        replace(widgets_by_key[key])
       end
 
-      # Saves the selected APQNs into the controller
-      def store
-        controller.apqns = value
+      # All selected APQNs, if there are several possible ones
+      #
+      # @return [Array<Y2Storage::EncryptionProcesses::Apqn>, nil] nil if there is only one possible APQN
+      def value
+        return unless @widget.respond_to?(:value)
+
+        @widget.value
       end
 
       private
 
-      # @return [Actions::Controllers::Encryption]
-      attr_reader :controller
-
       # @return [Boolean]
       attr_reader :enable_on_init
+
+      # @return [Hash] list of possible APQNs for each configured master key
+      attr_reader :apqns_by_key
+
+      # @return [Hash{String => CWM::AbstractWidget}]
+      def widgets_by_key
+        return @widgets_by_key if @widgets_by_key
+
+        @widgets_by_key = {}
+        apqns_by_key.each do |key, apqns|
+          selected = key == @initial_key ? @initial_apqns : apqns
+          @widgets_by_key[key] = widget_for(key, apqns, selected)
+        end
+
+        @widgets_by_key
+      end
+
+      # Returns either a selector or an empty widget (if there is only one possible APQN)
+      def widget_for(key, apqns, selected)
+        widget_id = "Details#{key}"
+        if apqns.size > 1
+          ApqnMultiSelector.new(widget_id, apqns.map(&:name), selected.map(&:name))
+        else
+          CWM::Empty.new(widget_id)
+        end
+      end
     end
   end
 end