Package: guix-patches;
Reported by: Sisiutl <sisiutl <at> egregore.fun>
Date: Sun, 6 Oct 2024 09:45:01 UTC
Severity: normal
Tags: moreinfo, patch
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
From: soeren <at> soeren-tempel.net
To: 73654 <at> debbugs.gnu.org
Cc: sisiutl <at> egregore.fun, hako <at> ultrarare.space, ludo <at> gnu.org, maxim.cournoyer <at> gmail.com
Subject: [bug#73654] [PATCH v3] mapped-devices: luks: Support passing --allow-discards during open
Date: Fri, 14 Mar 2025 21:27:06 +0100
From: Sören Tempel <soeren <at> soeren-tempel.net> * gnu/system/mapped-devices.scm (open-luks-device): Support opening LUKS devices with the --allow-discards option. * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): Pass through the allow-discards? keyword argument. * doc/guix.texi (Mapped Devices): Update documentation for the luks-device-mapping-with-options procedure. Co-authored-by: Sisiutl <sisiutl <at> egregore.fun> --- Change since v2: * Revert doc change in luks-device-mapping-with-options procedure * Reformat zero? expression to make it fit into the 80 characters * Do not use let* expression * Reword "filesystem" to "file system" * Reword "Solid State Drives" to "solid state drives" * Streamline description of new feature in documentation * Use co-authored-by and swap author and co-author doc/guix.texi | 13 ++++++++++-- gnu/system/mapped-devices.scm | 39 +++++++++++++++++++++-------------- 2 files changed, 34 insertions(+), 18 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index b1b6d98e74..91588ca02f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18402,7 +18402,7 @@ command from the package with the same name. It relies on the @code{dm-crypt} Linux kernel module. @end defvar -@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?] Return a @code{luks-device-mapping} object, which defines LUKS block device encryption using the @command{cryptsetup} command from the package with the same name. It relies on the @code{dm-crypt} Linux 
@@ -18424,6 +18424,15 @@ given location at the time of the unlock attempt. (type (luks-device-mapping-with-options #:key-file "/crypto.key"))) @end lisp + + +@code{allow-discards?} allows the use of discard (TRIM) requests for the +underlying device. This is useful for Solid State Drives. However, +this option can have a negative security impact because it can make +file system level operations visible on the physical device. For more +information, refer to the description of the @code{--allow-discards} +option in the @code{cryptsetup-open(8)} man page. + @end deffn @defvar raid-device-mapping @@ -18591,7 +18600,7 @@ priority after prioritized spaces, and in the order that they appeared in @item @code{discard?} (default: @code{#f}) Only supported by the Linux kernel. When true, the kernel will notify the disk controller of discarded pages, for example with the TRIM -operation on Solid State Drives. +operation on solid state drives. @end table @end deftp diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 931c371425..3a8f0d66fe 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -194,9 +194,10 @@ (define missing ;;; Common device mappings. ;;; -(define* (open-luks-device source targets #:key key-file) +(define* (open-luks-device source targets #:key key-file allow-discards?) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using -'cryptsetup'." +'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) requests is +allowed for the underlying device." (with-imported-modules (source-module-closure '((gnu build file-systems) (guix build utils))) ;; For mkdir-p 
@@ -234,17 +235,21 @@ (define* (open-luks-device source targets #:key key-file) (loop (- tries-left 1)))))) (error "LUKS partition not found" source)) source))) - ;; We want to fallback to the password unlock if the keyfile fails. - (or (and keyfile - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - "--key-file" keyfile - partition #$target))) - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - partition #$target))))))))) + (let ((cryptsetup-flags (cons* + "open" "--type" "luks" partition #$target + (if allow-discards? + '("--allow-discards") + '())))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? + (apply system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "--key-file" keyfile + cryptsetup-flags))) + (zero? (apply system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + cryptsetup-flags)))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." @@ -286,13 +291,15 @@ (define luks-device-mapping ((gnu build file-systems) #:select (find-partition-by-luks-uuid system*/tty)))))) -(define* (luks-device-mapping-with-options #:key key-file) +(define* (luks-device-mapping-with-options #:key key-file allow-discards?) "Return a luks-device-mapping object with open modified to pass the arguments into the open-luks-device procedure." (mapped-device-kind (inherit luks-device-mapping) - (open (λ (source targets) (open-luks-device source targets - #:key-file key-file))))) + (open (λ (source targets) + (open-luks-device source targets + #:key-file key-file + #:allow-discards? allow-discards?))))) (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device
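Review bot: the paragraph added after `@end lisp` in doc/guix.texi still reads "This is useful for Solid State Drives." while the later hunk in the same file lowercases the existing `discard?` entry to "solid state drives" (and the v3 changelog lists that rewording); the new text should use the same form. That hunk also inserts two consecutive blank lines before `@code{allow-discards?}` where one blank line separates the other paragraphs in this `@deffn`. It would also help to state the default explicitly, as the `discard?` table entry does with "(default: @code{#f})", so a reader can see that discards stay disabled unless requested.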
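Review bot: in the `cryptsetup-flags` list, `--allow-discards` is appended after the positional `partition` and `#$target` arguments, while `--type luks` sits before them and `--key-file keyfile` is spliced in ahead of `open`; the call therefore relies on cryptsetup accepting an option after its positional arguments. Placing every option ahead of the positionals keeps the invocation unambiguous and easier to read, e.g.

  (cons* "open" "--type" "luks"
         (append (if allow-discards? '("--allow-discards") '())
                 (list partition #$target)))

The list also carries the action and the positional arguments, so a name such as `cryptsetup-args` would describe it better than `cryptsetup-flags`. The relocated comment "We want to fallback to the password unlock" should read "fall back" (verb).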