[neon/neon/calamares-settings/Neon/release_jammy] /: various fixes to ensure luks works
Carlos De Maine
null at kde.org
Sat Aug 31 12:32:05 BST 2024
Git commit 0a6c0d7d630d4764d0240618f971bc4e2beec2d6 by Carlos De Maine.
Committed on 31/08/2024 at 11:11.
Pushed by carlosdem into branch 'Neon/release_jammy'.
various fixes to ensure luks works
* initramfscfg before initramfs before fstab as per calamares examples recommendations to ensure all the necessary bits and hooks are in the right order for luks
* make sure to delete '^live-*' packages from install as they can blow up luks
* move to using grubcfg and fstab for cryptsetup
* thus drop shellprocess at cryptsetup.conf
M +2 -4 bigscreen/calamares/bigscreen/settings.conf
M +1 -26 desktop/calamares/desktop/modules/fstab.conf
A +6 -0 desktop/calamares/desktop/modules/grubcfg.conf
M +1 -0 desktop/calamares/desktop/modules/packages.conf
D +0 -14 desktop/calamares/desktop/modules/shellprocess at cryptsetup.conf
M +2 -6 desktop/calamares/desktop/settings.conf
D +0 -22 desktop/usr/bin/calamares-cryptsetup
M +2 -5 mobile/calamares/mobile/settings.conf
M +1 -1 oem-prepare/calamares/oem-prepare/settings.conf
https://invent.kde.org/neon/neon/calamares-settings/-/commit/0a6c0d7d630d4764d0240618f971bc4e2beec2d6
diff --git a/bigscreen/calamares/bigscreen/settings.conf b/bigscreen/calamares/bigscreen/settings.conf
index 9000a96..ca38e54 100644
--- a/bigscreen/calamares/bigscreen/settings.conf
+++ b/bigscreen/calamares/bigscreen/settings.conf
@@ -29,9 +29,6 @@ instances:
- id: nomodeset
module: shellprocess
config: shellprocess at nomodeset.conf
-- id: cryptsetup
- module: shellprocess
- config: shellprocess at cryptsetup.conf
- id: plasma-bigscreen-sddm-config
module: shellprocess
config: shellprocess at plasma-bigscreen-sddm-config.conf
@@ -50,7 +47,6 @@ sequence:
- mount
- unpackfs
- machineid
- - fstab
- locale
- keyboard
- localecfg
@@ -62,7 +58,9 @@ sequence:
- shellprocess at boot_deploy
- shellprocess at boot_reconfigure
- shellprocess at cryptsetup
+ - initramfscfg
- initramfs
+ - fstab
- contextualprocess at before_bootloader
- bootloader
- contextualprocess at after_bootloader
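Review bot: The sequence keeps `- shellprocess@cryptsetup` (the context line directly above the added `initramfscfg`) while the first hunk of this same file removes the `cryptsetup` entry from `instances:` and the diffstat deletes `shellprocess@cryptsetup.conf`. As far as I know Calamares treats a sequence entry whose `module@instance` key has no declared instance as a configuration error and refuses to run, so this would break the bigscreen installer outright rather than skip a step; please confirm against the Calamares version shipped for jammy. The desktop and mobile sequences in this commit do drop that line (`- - shellprocess@cryptsetup`), so the fix is to remove it here as well. The `sequence:` list starts before this hunk.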
diff --git a/desktop/calamares/desktop/modules/fstab.conf b/desktop/calamares/desktop/modules/fstab.conf
index a70eb21..cdffce0 100644
--- a/desktop/calamares/desktop/modules/fstab.conf
+++ b/desktop/calamares/desktop/modules/fstab.conf
@@ -1,33 +1,8 @@
# SPDX-FileCopyrightText: no
# SPDX-License-Identifier: CC0-1.0
-#
-# Creates /etc/fstab and /etc/crypttab in the target system.
-# Also creates mount points for all the filesystems.
-#
-# When creating fstab entries for a filesystem, this module
-# uses the options previously defined in the mount module
----
-# Additional options added to each line in /etc/crypttab
-# crypttabOptions: luks
-# For Debian and Debian-based distributions, change the above line to:
+efiMountOptions: umask=0077
crypttabOptions: luks,keyscript=/bin/cat
-
-# Options for handling /tmp in /etc/fstab
-# Currently default (required) and ssd are supported
-# The corresponding string can contain the following variables:
-# tmpfs: true or tmpfs: false to either mount /tmp as tmpfs or not
-# options: "<mount options>"
-#
-# Example:
-#tmpOptions:
-# default:
-# tmpfs: false
-# options: ""
-# ssd:
-# tmpfs: true
-# options: "defaults,noatime,mode=1777"
-#
tmpOptions:
default:
tmpfs: false
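Review bot: The rationale comments were stripped together with the template boilerplate, so `crypttabOptions: luks,keyscript=/bin/cat` and the new `efiMountOptions: umask=0077` now stand unexplained in a file that is security-relevant. I would keep two lines: `# Debian/Ubuntu: keyscript=/bin/cat lets cryptsetup-initramfs feed the LUKS keyfile to cryptsetup` above crypttabOptions, and `# ESP must not be world-readable (bootloader lives there)` above efiMountOptions. Note also that the deleted calamares-cryptsetup script forced UMASK=0077 for the initrd that embeds the keyfile; its own comment said Calamares sets this as well, so after this change that protection rests solely on the initramfscfg module and should be verified on a resulting image (`ls -l /boot/initrd.img-*` must show mode 0600).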
diff --git a/desktop/calamares/desktop/modules/grubcfg.conf b/desktop/calamares/desktop/modules/grubcfg.conf
new file mode 100644
index 0000000..27bd238
--- /dev/null
+++ b/desktop/calamares/desktop/modules/grubcfg.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: no
+# SPDX-License-Identifier: CC0-1.0
+
+overwrite: false
+defaults:
+ GRUB_ENABLE_CRYPTODISK: true
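Review bot: `GRUB_ENABLE_CRYPTODISK: true` relies on the grubcfg module rendering a YAML boolean as a value grub-install accepts; as I read grub's own parser of /etc/default/grub it only enables cryptodisk when the value begins with `y`, and the script this replaces wrote `GRUB_ENABLE_CRYPTODISK=y` literally. Unless the module is known to emit `y`/`n` rather than `true`/`false` for booleans, set it as a string, `GRUB_ENABLE_CRYPTODISK: "y"`, so the outcome does not depend on that conversion. Note also that the old script only set this when `/crypto_keyfile.bin` existed, whereas this default applies to every install, encrypted or not; probably harmless, but a one-line comment saying it is intentional would help.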
diff --git a/desktop/calamares/desktop/modules/packages.conf b/desktop/calamares/desktop/modules/packages.conf
index 9425f85..f5ad17d 100644
--- a/desktop/calamares/desktop/modules/packages.conf
+++ b/desktop/calamares/desktop/modules/packages.conf
@@ -9,3 +9,4 @@ operations:
- calamares
- neon-live
- casper
+ - '^live-*'
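Review bot: `'^live-*'` is handed to apt as a POSIX regex (apt-get treats a name containing `^` or `*` as a pattern), and in regex syntax `-*` means zero or more hyphens, so this matches every package whose name starts with `live`, not only the `live-*` family. If the intent is live-boot/live-config and friends, `'^live-'` expresses it exactly; if `^live` really is intended, spell it that way so the next reader does not mistake it for a glob. Since this is a purge, a pattern broader than intended removes packages from the installed system, so it deserves a comment naming which packages it is meant to catch (the commit message only says they "can blow up luks"). The `operations:` list starts before this hunk.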
diff --git a/desktop/calamares/desktop/modules/shellprocess at cryptsetup.conf b/desktop/calamares/desktop/modules/shellprocess at cryptsetup.conf
deleted file mode 100644
index 900d392..0000000
--- a/desktop/calamares/desktop/modules/shellprocess at cryptsetup.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# SPDX-FileCopyrightText: 2020 Harald Sitter <sitter at kde.org>
-# SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
-#
-# Implement crypto bits. Calamares' tech is a bit overbaring vis a vis initramfs
-# setup. This shellprocess effectively replaces grubcfg and initramfscfg with
-# a less aggressive setup.
-# To make this work partition.conf needs luks enabled and luksbootkeyfile needs to
-# be part of settings.conf.
-# https://github.com/calamares/calamares/wiki/Deploy-LUKS
----
-dontChroot: false
-timeout: 300
-script:
- - "/usr/bin/calamares-cryptsetup"
diff --git a/desktop/calamares/desktop/settings.conf b/desktop/calamares/desktop/settings.conf
index 99190e8..bfb9929 100644
--- a/desktop/calamares/desktop/settings.conf
+++ b/desktop/calamares/desktop/settings.conf
@@ -29,9 +29,6 @@ instances:
- id: nomodeset
module: shellprocess
config: shellprocess at nomodeset.conf
-- id: cryptsetup
- module: shellprocess
- config: shellprocess at cryptsetup.conf
sequence:
@@ -47,20 +44,19 @@ sequence:
- mount
- unpackfs
- machineid
- - fstab
- locale
- keyboard
- localecfg
- luksbootkeyfile
- - initramfscfg
- users
- displaymanager
- networkcfg
- hwclock
- shellprocess at boot_deploy
- shellprocess at boot_reconfigure
- - shellprocess at cryptsetup
+ - initramfscfg
- initramfs
+ - fstab
- contextualprocess at before_bootloader
- bootloader
- contextualprocess at after_bootloader
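Review bot: The new order runs `initramfs` before `fstab`, yet the fstab module is what writes `/etc/crypttab` (the comment this commit removes from fstab.conf says so), so the initrd built here is generated on a target that has no crypttab yet; unless one of the `contextualprocess` hooks or the bootloader step (contents not in this diff) regenerates the initrd afterwards, the file should explain why cryptsetup-initramfs does not need crypttab at that point. The ordering rationale from the commit message is also not captured anywhere in the file, so the next reordering could silently break encrypted installs; a YAML comment above `- initramfscfg` such as `# LUKS: initramfscfg must run before initramfs, and fstab deliberately after; see commit 0a6c0d7d` would pin it. The `sequence:` list starts before this hunk.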
diff --git a/desktop/usr/bin/calamares-cryptsetup b/desktop/usr/bin/calamares-cryptsetup
deleted file mode 100755
index 94e8819..0000000
--- a/desktop/usr/bin/calamares-cryptsetup
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/sh
-# SPDX-FileCopyrightText: 2020 Harald Sitter <sitter at kde.org>
-# SPDX-License-Identifier: GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
-
-# Simplified cryptsetup heavily relying on cryptsetup-initramfs.
-# https://github.com/calamares/calamares/wiki/Deploy-LUKS
-# https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
-
-set -ex
-
-if [ ! -f /crypto_keyfile.bin ]; then
- # noop when not doing an ecrypted installation
- exit 0
-fi
-
-# Replaces grubcfg by simply opting into disk encryption. Since calamares only supports
-# full disk encryption (unlike ubuntu by default) we need to let grub be encrypted as well.
-echo 'GRUB_ENABLE_CRYPTODISK=y' > /etc/default/grub.d/00_calamares.cfg
-
-# Since the initrd contains the keyfile in a full disk encryption setup it must not
-# be world readable. This is also set by calamares, but better safe than sorry I should think.
-echo 'UMASK=0077' > /etc/initramfs-tools/conf.d/00_calamares-neon-hardening.conf
diff --git a/mobile/calamares/mobile/settings.conf b/mobile/calamares/mobile/settings.conf
index d0b9952..100d1dd 100644
--- a/mobile/calamares/mobile/settings.conf
+++ b/mobile/calamares/mobile/settings.conf
@@ -29,9 +29,6 @@ instances:
- id: nomodeset
module: shellprocess
config: shellprocess at nomodeset.conf
-- id: cryptsetup
- module: shellprocess
- config: shellprocess at cryptsetup.conf
- id: plasma-mobile-sddm-config
module: shellprocess
config: shellprocess at plasma-mobile-sddm-config.conf
@@ -50,7 +47,6 @@ sequence:
- mount
- unpackfs
- machineid
- - fstab
- locale
- keyboard
- localecfg
@@ -61,8 +57,9 @@ sequence:
- hwclock
- shellprocess at boot_deploy
- shellprocess at boot_reconfigure
- - shellprocess at cryptsetup
+ - initramfscfg
- initramfs
+ - fstab
- contextualprocess at before_bootloader
- bootloader
- contextualprocess at after_bootloader
diff --git a/oem-prepare/calamares/oem-prepare/settings.conf b/oem-prepare/calamares/oem-prepare/settings.conf
index 36f99af..654e610 100644
--- a/oem-prepare/calamares/oem-prepare/settings.conf
+++ b/oem-prepare/calamares/oem-prepare/settings.conf
@@ -51,7 +51,6 @@ sequence:
- mount
- unpackfs
- machineid
- - fstab
- locale
- keyboard
- localecfg
@@ -65,6 +64,7 @@ sequence:
- shellprocess at boot_reconfigure
- contextualprocess at oem-kernel
- initramfs
+ - fstab
- contextualprocess at before_bootloader
- bootloader
- contextualprocess at after_bootloader
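Review bot: This sequence receives the same `fstab` move as the other three but gains no `initramfscfg` step before `initramfs`, which the commit message describes as necessary for the LUKS hooks to be in the right order. If oem-prepare can produce an encrypted install this hunk looks incomplete; if it cannot, a comment next to `- initramfs` such as `# no initramfscfg: oem-prepare does not support LUKS` would make the asymmetry deliberate. The rest of the sequence (whether `luksbootkeyfile` appears at all) is outside this hunk, so I cannot tell which case applies.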