From aff62fa055c1bfa891c209320b8c5b234aaeeba1 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Mon, 12 Feb 2024 17:21:42 -0600
Subject: [PATCH] Sync with archive
---
 debian/changelog | 19 +++
 ...y-present-with-encryption-partitions.patch | 126 ++++++++++++++++++
 .../enable-optional-part-encryption.patch | 98 ++++++++++++++
 debian/patches/fix-btrfs-luks.patch | 28 ++++
 debian/patches/series | 3 +
 5 files changed, 274 insertions(+)
 create mode 100644 debian/patches/enable-only-present-with-encryption-partitions.patch
 create mode 100644 debian/patches/enable-optional-part-encryption.patch
 create mode 100644 debian/patches/fix-btrfs-luks.patch
diff --git a/debian/changelog b/debian/changelog
index 9b5b973..39893f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+calamares (3.3.1-0ubuntu4) noble; urgency=medium
+
+ * Fix BTRFS+LUKS installations with unencrypted /boot.
+
+ -- Aaron Rainbolt Mon, 12 Feb 2024 11:51:59 -0600
+
+calamares (3.3.1-0ubuntu3) noble; urgency=medium
+
+ * Allow specifying partitions that must remain unencrypted when using FDE.
+ * Allow specifying partitions that are only created when FDE is enabled.
+
+ -- Aaron Rainbolt Mon, 05 Feb 2024 18:12:47 -0600
+
+calamares (3.3.1-0ubuntu2) noble; urgency=medium
+
+ * No-change rebuild with Python 3.12 as default
+
+ -- Graham Inggs Sat, 20 Jan 2024 08:39:43 +0000
+
 calamares (3.3.1-0ubuntu1) noble; urgency=medium
 
 * New upstream release.
diff --git a/debian/patches/enable-only-present-with-encryption-partitions.patch b/debian/patches/enable-only-present-with-encryption-partitions.patch
new file mode 100644
index 0000000..4c1955d
--- /dev/null
+++ b/debian/patches/enable-only-present-with-encryption-partitions.patch
@@ -0,0 +1,126 @@
+Description: Allow specifying partitions that are only present when FDE is used.
+Author: Aaron Rainbolt
+Origin: ubuntu
+Forwarded: not-needed
+Last-Update: 2024-02-06
+
+Index: calamares-3.3.1/src/modules/partition/core/PartitionLayout.cpp
+===================================================================
+--- calamares-3.3.1.orig/src/modules/partition/core/PartitionLayout.cpp
++++ calamares-3.3.1/src/modules/partition/core/PartitionLayout.cpp
+@@ -62,6 +62,7 @@ PartitionLayout::PartitionEntry::Partiti
+ const QString& mountPoint,
+ const QString& fs,
+ const bool& noEncrypt,
++ const bool& onlyPresentWithEncryption,
+ const QVariantMap& features,
+ const QString& size,
+ const QString& minSize,
+@@ -78,6 +79,7 @@ PartitionLayout::PartitionEntry::Partiti
+ {
+ PartUtils::canonicalFilesystemName( fs, &partFileSystem );
+ partNoEncrypt = noEncrypt;
++ partOnlyPresentWithEncryption = onlyPresentWithEncryption;
+ }
+
+ bool
+@@ -119,6 +121,7 @@ PartitionLayout::init( FileSystem::Type
+ Calamares::getString( pentry, "mountPoint" ),
+ Calamares::getString( pentry, "filesystem", "unformatted" ),
+ Calamares::getBool( pentry, "noEncrypt", false ),
++ Calamares::getBool( pentry, "onlyPresentWithEncryption", false ),
+ Calamares::getSubMap( pentry, "features", ok ),
+ Calamares::getString( pentry, "size", QStringLiteral( "0" ) ),
+ Calamares::getString( pentry, "minSize", QStringLiteral( "0" ) ),
+@@ -228,6 +231,10 @@ PartitionLayout::createPartitions( Devic
+ cWarning() << "Partition" << entry.partMountPoint << "size is invalid, skipping...";
+ continue;
+ }
++ if ( luksPassphrase.isEmpty() && entry.partOnlyPresentWithEncryption ) {
++ // this partition is being skipped entirely
++ continue;
++ }
+
+ // Calculate partition size: Rely on "possibly uninitialized use"
+ // warnings to ensure that all the cases are covered below.
+@@ -252,6 +259,10 @@ PartitionLayout::createPartitions( Devic
+ availableSectors = totalSectors;
+ for ( const auto& entry : qAsConst( m_partLayout ) )
+ {
++ if ( luksPassphrase.isEmpty() && entry.partOnlyPresentWithEncryption ) {
++ // this partition is being skipped entirely
++ continue;
++ }
+ qint64 sectors = partSectorsMap.value( &entry );
+ if ( entry.partMinSize.isValid() )
+ {
+@@ -265,6 +276,10 @@ PartitionLayout::createPartitions( Devic
+ // Assign sectors for percentage-defined partitions.
+ for ( const auto& entry : qAsConst( m_partLayout ) )
+ {
++ if ( luksPassphrase.isEmpty() && entry.partOnlyPresentWithEncryption ) {
++ // this partition is being skipped entirely
++ continue;
++ }
+ if ( entry.partSize.unit() == Calamares::Partition::SizeUnit::Percent )
+ {
+ qint64 sectors
+@@ -288,6 +303,10 @@ PartitionLayout::createPartitions( Devic
+ availableSectors = totalSectors;
+ for ( const auto& entry : qAsConst( m_partLayout ) )
+ {
++ if ( luksPassphrase.isEmpty() && entry.partOnlyPresentWithEncryption ) {
++ // this partition is being skipped entirely
++ continue;
++ }
+ // Adjust partition size based on available space.
+ qint64 sectors = partSectorsMap.value( &entry );
+ sectors = std::min( sectors, availableSectors );
+Index: calamares-3.3.1/src/modules/partition/core/PartitionLayout.h
+===================================================================
+--- calamares-3.3.1.orig/src/modules/partition/core/PartitionLayout.h
++++ calamares-3.3.1/src/modules/partition/core/PartitionLayout.h
+@@ -38,6 +38,7 @@ public:
+ QString partMountPoint;
+ FileSystem::Type partFileSystem = FileSystem::Unknown;
+ bool partNoEncrypt;
++ bool partOnlyPresentWithEncryption;
+ QVariantMap partFeatures;
+ Calamares::Partition::PartitionSize partSize;
+ Calamares::Partition::PartitionSize partMinSize;
+@@ -63,6 +64,7 @@ public:
+ const QString& mountPoint,
+ const QString& fs,
+ const bool& noEncrypt,
++ const bool& onlyPresentWithEncryption,
+ const QVariantMap& features,
+ const QString& size,
+ const QString& minSize = QString(),
+Index: calamares-3.3.1/src/modules/partition/partition.conf
+===================================================================
+--- calamares-3.3.1.orig/src/modules/partition/partition.conf
++++ calamares-3.3.1/src/modules/partition/partition.conf
+@@ -259,6 +259,7 @@ defaultFileSystemType: "ext4"
+ # type: "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
+ # filesystem: "ext4"
+ # noEncrypt: false
++# onlyPresentWithEncryption: false
+ # mountPoint: "/"
+ # size: 20%
+ # minSize: 500M
+@@ -268,6 +269,7 @@ defaultFileSystemType: "ext4"
+ # type: "933ac7e1-2eb4-4f13-b844-0e14e2aef915"
+ # filesystem: "ext4"
+ # noEncrypt: false
++# onlyPresentWithEncryption: false
+ # mountPoint: "/home"
+ # size: 3G
+ # minSize: 1.5G
+@@ -296,6 +298,7 @@ defaultFileSystemType: "ext4"
+ # default filesystem type, or the user's choice, will be applied instead
+ # of "unknown" (e.g. the user might pick ext4, or xfs).
+ # - noEncrypt: whether this partition is exempt from encryption if enabled (optional parameter; default is false)
++# - onlyPresentWithEncryption: whether this partition is only created when encryption is enabled (optional parameter; default is false; ONLY SUPPORTED IN UBUNTU)
+ # - mountPoint: partition mount point (optional parameter; not mounted if unset)
+ # - size: partition size in bytes (append 'K', 'M' or 'G' for KiB, MiB or GiB)
+ # or
diff --git a/debian/patches/enable-optional-part-encryption.patch b/debian/patches/enable-optional-part-encryption.patch
new file mode 100644
index 0000000..b33befd
--- /dev/null
+++ b/debian/patches/enable-optional-part-encryption.patch
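Review bot: In the PartitionLayout.h hunk of enable-only-present-with-encryption-partitions.patch, `bool partOnlyPresentWithEncryption;` is declared without an initializer, unlike `partFileSystem = FileSystem::Unknown` two lines above it, and the only assignment visible is in the body of the one constructor this patch touches. If PartitionEntry has any other constructor (none is visible in these hunks), the flag is indeterminate for entries built through it, and createPartitions() reads it in all four loops whenever no passphrase is set. The same applies to `bool partNoEncrypt;` from enable-optional-part-encryption.patch, where an indeterminate value would feed the `|| entry.partNoEncrypt` test that decides whether a partition is created without LUKS. Declaring them as `bool partNoEncrypt = false;` and `bool partOnlyPresentWithEncryption = false;` makes the safe default (encrypted, always present) hold on every construction path.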
@@ -0,0 +1,98 @@
+Description: Allow specifying partitions to keep unencrypted when using FDE
+Author: Aaron Rainbolt
+Origin: vendor
+Bug: https://github.com/calamares/calamares/issues/1938
+Forwarded: https://github.com/calamares/calamares/pull/2280
+Last-Update: 2024-02-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/modules/partition/core/PartitionLayout.cpp
++++ b/src/modules/partition/core/PartitionLayout.cpp
+@@ -61,6 +61,7 @@ PartitionLayout::PartitionEntry::Partiti
+ quint64 attributes,
+ const QString& mountPoint,
+ const QString& fs,
++ const bool& noEncrypt,
+ const QVariantMap& features,
+ const QString& size,
+ const QString& minSize,
+@@ -76,6 +77,7 @@ PartitionLayout::PartitionEntry::Partiti
+ , partMaxSize( maxSize )
+ {
+ PartUtils::canonicalFilesystemName( fs, &partFileSystem );
++ partNoEncrypt = noEncrypt;
+ }
+
+ bool
+@@ -116,6 +118,7 @@ PartitionLayout::init( FileSystem::Type
+ Calamares::getUnsignedInteger( pentry, "attributes", 0 ),
+ Calamares::getString( pentry, "mountPoint" ),
+ Calamares::getString( pentry, "filesystem", "unformatted" ),
++ Calamares::getBool( pentry, "noEncrypt", false ),
+ Calamares::getSubMap( pentry, "features", ok ),
+ Calamares::getString( pentry, "size", QStringLiteral( "0" ) ),
+ Calamares::getString( pentry, "minSize", QStringLiteral( "0" ) ),
+@@ -295,8 +298,8 @@ PartitionLayout::createPartitions( Devic
+
+ Partition* part = nullptr;
+
+- // Encryption for zfs is handled in the zfs module
+- if ( luksPassphrase.isEmpty() || correctFS( entry.partFileSystem ) == FileSystem::Zfs )
++ // Encryption for zfs is handled in the zfs module, skip encryption on noEncrypt partitions
++ if ( luksPassphrase.isEmpty() || correctFS( entry.partFileSystem ) == FileSystem::Zfs || entry.partNoEncrypt )
+ {
+ part = KPMHelpers::createNewPartition( parent,
+ *dev,
+@@ -329,7 +332,7 @@ PartitionLayout::createPartitions( Devic
+ QVariantMap zfsInfo;
+
+ // Save the information subsequent modules will need
+- zfsInfo[ "encrypted" ] = !luksPassphrase.isEmpty();
++ zfsInfo[ "encrypted" ] = !luksPassphrase.isEmpty() && !entry.partNoEncrypt;
+ zfsInfo[ "passphrase" ] = luksPassphrase;
+ zfsInfo[ "mountpoint" ] = entry.partMountPoint;
+
+--- a/src/modules/partition/core/PartitionLayout.h
++++ b/src/modules/partition/core/PartitionLayout.h
+@@ -37,6 +37,7 @@ public:
+ quint64 partAttributes = 0;
+ QString partMountPoint;
+ FileSystem::Type partFileSystem = FileSystem::Unknown;
++ bool partNoEncrypt;
+ QVariantMap partFeatures;
+ Calamares::Partition::PartitionSize partSize;
+ Calamares::Partition::PartitionSize partMinSize;
+@@ -61,6 +62,7 @@ public:
+ quint64 attributes,
+ const QString& mountPoint,
+ const QString& fs,
++ const bool& noEncrypt,
+ const QVariantMap& features,
+ const QString& size,
+ const QString& minSize = QString(),
+--- a/src/modules/partition/partition.conf
++++ b/src/modules/partition/partition.conf
+@@ -258,6 +258,7 @@ defaultFileSystemType: "ext4"
+ # - name: "rootfs"
+ # type: "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
+ # filesystem: "ext4"
++# noEncrypt: false
+ # mountPoint: "/"
+ # size: 20%
+ # minSize: 500M
+@@ -266,6 +267,7 @@ defaultFileSystemType: "ext4"
+ # - name: "home"
+ # type: "933ac7e1-2eb4-4f13-b844-0e14e2aef915"
+ # filesystem: "ext4"
++# noEncrypt: false
+ # mountPoint: "/home"
+ # size: 3G
+ # minSize: 1.5G
+@@ -293,6 +295,7 @@ defaultFileSystemType: "ext4"
+ # - if "unknown" (or an unknown FS name, like "elephant") then the
+ # default filesystem type, or the user's choice, will be applied instead
+ # of "unknown" (e.g. the user might pick ext4, or xfs).
++# - noEncrypt: whether this partition is exempt from encryption if enabled (optional parameter; default is false)
+ # - mountPoint: partition mount point (optional parameter; not mounted if unset)
+ # - size: partition size in bytes (append 'K', 'M' or 'G' for KiB, MiB or GiB)
+ # or
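Review bot: In the zfsInfo hunk of enable-optional-part-encryption.patch, `zfsInfo[ "encrypted" ]` can now be false while the unchanged next line still stores the LUKS passphrase in `zfsInfo[ "passphrase" ]`, so a ZFS partition marked noEncrypt carries a secret it has no use for. How the zfs module consumes this map is not visible here, but keeping the two fields consistent avoids handing the passphrase to code that was told the dataset is unencrypted: `zfsInfo[ "passphrase" ] = entry.partNoEncrypt ? QString() : luksPassphrase;`. The createPartitions() body starts and ends outside the hunk.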
diff --git a/debian/patches/fix-btrfs-luks.patch b/debian/patches/fix-btrfs-luks.patch
new file mode 100644
index 0000000..6367d4a
--- /dev/null
+++ b/debian/patches/fix-btrfs-luks.patch
@@ -0,0 +1,28 @@
+Description: Fix BTRFS+LUKS installations with unencrypted /boot
+Author: TJ
+Origin: upstream, https://github.com/calamares/calamares/commit/60989290e02f20b56f7e90056a0239f000198cbb
+Bug: https://github.com/calamares/calamares/issues/2281
+Last-Update: 2024-02-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/modules/fstab/main.py b/src/modules/fstab/main.py
+index 97e7e7486a..78cae63494 100755
+--- a/src/modules/fstab/main.py
++++ b/src/modules/fstab/main.py
+@@ -14,6 +14,7 @@
+
+ import os
+ import re
++import copy
+
+ import libcalamares
+
+@@ -201,7 +202,7 @@ def generate_fstab(self):
+ # so all subvolumes here should be safe to add to fstab
+ btrfs_subvolumes = libcalamares.globalstorage.value("btrfsSubvolumes")
+ for s in btrfs_subvolumes:
+- mount_entry = partition
++ mount_entry = copy.deepcopy(partition)
+ mount_entry["mountPoint"] = s["mountPoint"]
+ mount_entry["subvol"] = s["subvolume"]
+ dct = self.generate_fstab_line_info(mount_entry)
diff --git a/debian/patches/series b/debian/patches/series
index 683ca99..af36110 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,5 @@
 0001-replace-pkexec-by-sudo.patch
 apport-package-hook.patch
+enable-optional-part-encryption.patch
+enable-only-present-with-encryption-partitions.patch
+fix-btrfs-luks.patch
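Review bot: The `copy.deepcopy(partition)` line that fix-btrfs-luks.patch adds to generate_fstab has no comment saying why the copy is needed, which makes it easy to drop in a later cleanup. The removed line aliased `partition`, so the `mountPoint` and `subvol` assignments below it wrote into the caller's dict on every subvolume iteration; I would add `# Work on a copy: the assignments below must not modify the shared partition entry` above it. generate_fstab starts and continues outside the hunk, so where `partition` comes from is not visible here.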