crypsetup: only activate disks with detached header

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

Author: daniel-weisse

csi/test/mount_integration_test.go

@@ -27,8 +27,8 @@ import (
 )
 
 const (
-	devicePath string = "testDevice"
-	deviceName string = "testDeviceName"
+	defaultBackingImage = "testDevice"
+	deviceName          = "testDeviceName"
 )
 
 var toolsEnvs = []string{"CP", "DD", "RM", "FSCK_EXT4", "MKFS_EXT4", "BLKID", "FSCK", "MOUNT", "UMOUNT"}
@@ -57,20 +57,35 @@ func addToolsToPATH() error {
 	return nil
 }
 
-func setup(devicePath string) {
-	if err := exec.Command("dd", "if=/dev/zero", fmt.Sprintf("of=%s", devicePath), "bs=64M", "count=1").Run(); err != nil {
+func setup(backingDisk string) string {
+	if err := exec.Command("dd", "if=/dev/zero", fmt.Sprintf("of=%s", backingDisk), "bs=64M", "count=1").Run(); err != nil {
 		panic(err)
 	}
+	out, err := exec.Command("losetup", "-f", "--show", backingDisk).CombinedOutput()
+	if err != nil {
+		panic(err)
+	}
+	return strings.TrimSpace(string(out))
 }
 
-func teardown(devicePath string) {
-	if err := exec.Command("rm", "-f", devicePath).Run(); err != nil {
+func teardown(backingImage, devicePath string) {
+	if err := exec.Command("losetup", "-d", devicePath).Run(); err != nil {
+		panic(err)
+	}
+	if err := exec.Command("rm", "-f", backingImage).Run(); err != nil {
 		panic(err)
 	}
 }
 
-func cp(source, target string) error {
-	return exec.Command("cp", source, target).Run()
+func cp(source, target string) (string, error) {
+	if err := exec.Command("cp", source, target).Run(); err != nil {
+		return "", err
+	}
+	out, err := exec.Command("losetup", "-f", "--show", target).CombinedOutput()
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(out)), nil
 }
 
 func resize(devicePath string) {
@@ -100,8 +115,8 @@ func TestMain(m *testing.M) {
 func TestOpenAndClose(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)
-	setup(devicePath)
-	defer teardown(devicePath)
+	devicePath := setup(defaultBackingImage)
+	defer teardown(defaultBackingImage, devicePath)
 
 	mapper := cryptmapper.New(&fakeKMS{})
 
@@ -124,7 +139,7 @@ func TestOpenAndClose(t *testing.T) {
 	assert.Equal(newPath, newPath2)
 
 	// Resize the device
-	resize(devicePath)
+	resize(defaultBackingImage)
 
 	resizedPath, err := mapper.ResizeCryptDevice(t.Context(), deviceName)
 	require.NoError(err)
@@ -145,8 +160,8 @@ func TestOpenAndClose(t *testing.T) {
 func TestOpenAndCloseIntegrity(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)
-	setup(devicePath)
-	defer teardown(devicePath)
+	devicePath := setup(defaultBackingImage)
+	defer teardown(defaultBackingImage, devicePath)
 
 	mapper := cryptmapper.New(&fakeKMS{})
 
@@ -167,7 +182,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
 	assert.Equal(newPath, newPath2)
 
 	// integrity devices do not support resizing
-	resize(devicePath)
+	resize(defaultBackingImage)
 	_, err = mapper.ResizeCryptDevice(t.Context(), deviceName)
 	assert.Error(err)
 
@@ -189,18 +204,19 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
 func TestDeviceCloning(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)
-	setup(devicePath)
-	defer teardown(devicePath)
+	devicePath := setup(defaultBackingImage)
+	defer teardown(defaultBackingImage, devicePath)
 
 	mapper := cryptmapper.New(&dynamicKMS{})
 
 	_, err := mapper.OpenCryptDevice(t.Context(), devicePath, deviceName, false)
 	assert.NoError(err)
 
-	require.NoError(cp(devicePath, devicePath+"-copy"))
-	defer teardown(devicePath + "-copy")
+	cpDevice, err := cp(defaultBackingImage, defaultBackingImage+"-copy")
+	require.NoError(err)
+	defer teardown(defaultBackingImage+"-copy", cpDevice)
 
-	_, err = mapper.OpenCryptDevice(t.Context(), devicePath+"-copy", deviceName+"-copy", false)
+	_, err = mapper.OpenCryptDevice(t.Context(), cpDevice, deviceName+"-copy", false)
 	assert.NoError(err)
 
 	assert.NoError(mapper.CloseCryptDevice(deviceName))
@@ -209,12 +225,12 @@ func TestDeviceCloning(t *testing.T) {
 
 func TestConcurrency(t *testing.T) {
 	assert := assert.New(t)
-	setup(devicePath)
-	defer teardown(devicePath)
+	devicePath := setup(defaultBackingImage)
+	defer teardown(defaultBackingImage, devicePath)
 
-	device2 := devicePath + "-2"
-	setup(device2)
-	defer teardown(device2)
+	backingImage2 := defaultBackingImage + "-2"
+	device2 := setup(backingImage2)
+	defer teardown(backingImage2, device2)
 
 	mapper := cryptmapper.New(&fakeKMS{})
 

disk-mapper/internal/test/integration_test.go

@@ -10,6 +10,7 @@ package integration
 
 import (
 	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"log/slog"
@@ -31,10 +32,12 @@ import (
 )
 
 const (
-	devicePath   = "testDevice"
+	backingDisk  = "testDevice"
 	mappedDevice = "mappedDevice"
 )
 
+var devicePath string
+
 var diskPath = flag.String("disk", "", "Path to the disk to use for the benchmark")
 
 var toolsEnvs = []string{"DD", "RM"}
@@ -64,11 +67,22 @@ func addToolsToPATH() error {
 }
 
 func setup(sizeGB int) error {
-	return exec.Command("dd", "if=/dev/random", fmt.Sprintf("of=%s", devicePath), "bs=1G", fmt.Sprintf("count=%d", sizeGB)).Run()
+	if err := exec.Command("dd", "if=/dev/random", fmt.Sprintf("of=%s", backingDisk), "bs=1G", fmt.Sprintf("count=%d", sizeGB)).Run(); err != nil {
+		return err
+	}
+	cmd := exec.Command("losetup", "-f", "--show", backingDisk)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("losetup failed: %w\nOutput: %s", err, out)
+	}
+	devicePath = strings.TrimSpace(string(out))
+	return nil
 }
 
 func teardown() error {
-	return exec.Command("rm", "-f", devicePath).Run()
+	err := exec.Command("losetup", "-d", devicePath).Run()
+	errors.Join(err, exec.Command("rm", "-f", backingDisk).Run())
+	return err
 }
 
 func TestMain(m *testing.M) {

internal/cryptsetup/cryptsetup.go

@@ -121,11 +121,12 @@ func (c *CryptSetup) Free() {
 func (c *CryptSetup) ActivateByPassphrase(deviceName string, keyslot int, passphrase string, flags int) error {
 	packageLock.Lock()
 	defer packageLock.Unlock()
-	device, err := c.getActiveDevice()
-	if err != nil {
-		return err
+	if !c.hasDetachedHeaderDevice() {
+		if err := c.reload(); err != nil {
+			return fmt.Errorf("re-loading crypt device for activation: %w", err)
+		}
 	}
-	if err := device.ActivateByPassphrase(deviceName, keyslot, passphrase, flags); err != nil {
+	if err := c.deviceWithDetachedHeader.ActivateByPassphrase(deviceName, keyslot, passphrase, flags); err != nil {
 		return fmt.Errorf("activating crypt device %q using passphrase: %w", deviceName, err)
 	}
 	return nil
@@ -136,11 +137,12 @@ func (c *CryptSetup) ActivateByPassphrase(deviceName string, keyslot int, passph
 func (c *CryptSetup) ActivateByVolumeKey(deviceName, volumeKey string, volumeKeySize, flags int) error {
 	packageLock.Lock()
 	defer packageLock.Unlock()
-	device, err := c.getActiveDevice()
-	if err != nil {
-		return err
+	if !c.hasDetachedHeaderDevice() {
+		if err := c.reload(); err != nil {
+			return fmt.Errorf("re-loading crypt device for activation: %w", err)
+		}
 	}
-	if err := device.ActivateByVolumeKey(deviceName, volumeKey, volumeKeySize, flags); err != nil {
+	if err := c.deviceWithDetachedHeader.ActivateByVolumeKey(deviceName, volumeKey, volumeKeySize, flags); err != nil {
 		return fmt.Errorf("activating crypt device %q using volume key: %w", deviceName, err)
 	}
 	return nil
@@ -441,6 +443,30 @@ func (c *CryptSetup) free() {
 	}
 }
 
+func (c *CryptSetup) reload() error {
+	if !c.hasAttachedHeaderDevice() {
+		return errDeviceNotOpen
+	}
+
+	backingDevice := c.deviceWithAttachedHeader.GetDeviceName()
+	c.free()
+	var err error
+	c.deviceWithDetachedHeader, c.deviceWithAttachedHeader, c.headerDevice, c.headerFile, err = c.pathInit(backingDevice)
+	if err != nil {
+		return fmt.Errorf("re-loading crypt device: %w", err)
+	}
+
+	if !c.hasDetachedHeaderDevice() {
+		return errors.New("failed to reload device without detached header")
+	}
+
+	if err := loadLUKS2(c.deviceWithDetachedHeader); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // getActiveDevice returns a handle to the active cryptsetup device with detached header if set,
 // or one with attached header otherwise.
 func (c *CryptSetup) getActiveDevice() (cryptDevice, error) {

internal/cryptsetup/cryptsetup_cgo.go

@@ -97,7 +97,7 @@ func initByDevicePath(devicePath string) (deviceDetachedHeader, deviceAttachedHe
 	}
 	// If the device is not LUKS2 formatted, this is treated as a new device,
 	// meaning no header exists yet
-	if tmpDevice.Load(cryptsetup.LUKS2{}) != nil {
+	if err := tmpDevice.Load(cryptsetup.LUKS2{}); err != nil {
 		return nil, tmpDevice, "", "", nil
 	}
 	defer tmpDevice.Free()
@@ -133,7 +133,7 @@ func initByName(name string) (deviceDetachedHeader, deviceAttachedHeader cryptDe
 	}
 	// If the device is not LUKS2 formatted, this is treated as a new device,
 	// meaning no header exists yet
-	if tmpDevice.Load(cryptsetup.LUKS2{}) != nil {
+	if err := tmpDevice.Load(cryptsetup.LUKS2{}); err != nil {
 		return nil, tmpDevice, "", "", nil
 	}
 	defer tmpDevice.Free()