GNU bug report logs - #77203
[PATCH 0/4] gnu: Add fscrypt.
Reported by: 45mg <45mg.writes <at> gmail.com>
Date: Sun, 23 Mar 2025 10:23:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 23 Mar 2025 10:23:02 GMT)
Acknowledgement sent to 45mg <45mg.writes <at> gmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 23 Mar 2025 10:23:03 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi Guix,
The following patch series adds support for Linux native filesystem encryption
to Guix, via the `fscrypt` kernel interface and associated userspace tools
`fscrypt` and `fscryptctl`.
Patch 1/4 enables the relevant kernel configuration option,
CONFIG_FS_ENCRYPTION. This is the same patch as #77202 [1].
Patch 2/4 and 3/4 add the high-level `fscrypt` command-line utility (which is
implemented in Go); these are the same patches as #77174 [2].
Patch 4/4 adds `fscryptctl`, a lower-level tool written in C; this is the same
patch as #77175 [3].
I thought it would be good to group all these patches in a single series, so
I'll close #77202, #77174 and #77175 in favor of this one.
Further reference:
https://docs.kernel.org/filesystems/fscrypt.html
https://github.com/google/fscrypt?tab=readme-ov-file#runtime-dependencies
https://github.com/google/fscryptctl
[1] https://yhetil.org/guix/4a6e1c443ee07929cd582395bdcc5865610569f2.1742723412.git.45mg.writes <at> gmail.com/
[2] https://yhetil.org/guix/cover.1742646222.git.45mg.writes <at> gmail.com/
[3] https://yhetil.org/guix/933a717801203ce2e23173a8cebb957c153cdbd8.1742648529.git.45mg.writes <at> gmail.com/
45mg (4):
gnu: linux-libre: Enable CONFIG_FS_ENCRYPTION.
gnu: Add go-github-com-wadey-gocovmerge.
gnu: Add fscrypt.
gnu: Add fscryptctl.
gnu/packages/crypto.scm | 33 +++++++++++++++
gnu/packages/golang-crypto.scm | 74 +++++++++++++++++++++++++++++++++-
gnu/packages/golang-xyz.scm | 26 ++++++++++++
gnu/packages/linux.scm | 2 +
4 files changed, 134 insertions(+), 1 deletion(-)
base-commit: fbfd2b93831978aadbb96f32cafdab997b04c6c6
--
2.49.0
Information forwarded to leo <at> famulari.name, w <at> wmeyer.eu, guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 23 Mar 2025 10:36:01 GMT)
Message #8 received at 77203 <at> debbugs.gnu.org (full text, mbox):
This enables support for filesystem-level encryption via the fscrypt
library. Many distributions such as Debian [1] and Arch Linux [2] have
it enabled (so it should be safe).
[1] https://salsa.debian.org/kernel-team/linux/-/blob/988ee7494a62a63a8b92b2e18bf730072e54413c/debian/config/config?page=6#L5843
[2] https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/a7e2a17f9c0e55937ea3e18c4d5b905a8e4f8047/config?page=11#L10752
* gnu/packages/linux.scm (default-extra-linux-options): Add CONFIG_FS_ENCRYPTION.
Change-Id: Ibee34871a25e880e7c16eaa51ddebee85ee172f5
---
gnu/packages/linux.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b0dc6cbcfd..e5d97111a8 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -901,6 +901,8 @@ (define (default-extra-linux-options version)
("CONFIG_PROC_PID_CPUSET" . #t)
;; Allow disk encryption by default
("CONFIG_DM_CRYPT" . m)
+ ;; Allow fscrypt filesystem encryption by default
+ ("CONFIG_FS_ENCRYPTION" . #t)
;; Support zram on all kernel configs
("CONFIG_ZSWAP" . #t)
("CONFIG_ZSMALLOC" . #t)
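Review bot: the comment added above `("CONFIG_FS_ENCRYPTION" . #t)` does not say why this entry is `#t` when the `CONFIG_DM_CRYPT` entry two lines up is `m`. If the option cannot be built as a module, say so in the comment so that nobody later aligns it with its neighbour. The commit message would also be stronger if it named what the option changes for users rather than only citing that Debian and Arch Linux enable it.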
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 23 Mar 2025 10:36:02 GMT)
Message #11 received at 77203 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/golang-xyz.scm (go-github-com-wadey-gocovmerge): New
variable.
Change-Id: Idde447ff494064fbc74c973b49ff0fd5699f9346
---
gnu/packages/golang-xyz.scm | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/gnu/packages/golang-xyz.scm b/gnu/packages/golang-xyz.scm
index 13eb2b4c7f..230e53eec5 100644
--- a/gnu/packages/golang-xyz.scm
+++ b/gnu/packages/golang-xyz.scm
@@ -57,6 +57,7 @@
;;; Copyright © 2024 gemmaro <gemmaro.dev <at> gmail.com>
;;; Copyright © 2024 Roman Scherer <roman <at> burningswell.com>
;;; Copyright © 2025 Ashvith Shetty <ashvithshetty0010 <at> zohomail.in>
+;;; Copyright © 2025 45mg <45mg.writes <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -15430,6 +15431,31 @@ (define-public go-github-com-warpfork-go-fsx
;; BSD-3-Clause terms.
(license (list license:expat license:asl2.0 license:bsd-3))))
+(define-public go-github-com-wadey-gocovmerge
+ (package
+ (name "go-github-com-wadey-gocovmerge")
+ (version "0.0.0-20160331181800-b5bfa59ec0ad")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/wadey/gocovmerge")
+ (commit (go-version->git-ref version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00m7kxcmmw0l9z0m7z6ii06n5j4bcrxqjbhxjbfzmsdgdsvkic31"))))
+ (build-system go-build-system)
+ (arguments
+ (list
+ #:import-path "github.com/wadey/gocovmerge"))
+ (propagated-inputs (list go-golang-org-x-tools))
+ (home-page "https://github.com/wadey/gocovmerge")
+ (synopsis "Merge coverprofile results from multiple go cover runs")
+ (description
+ "gocovmerge takes the results from multiple @command{go test -coverprofile} runs and
+merges them into one profile.")
+ (license license:bsd-2)))
+
(define-public go-github-com-whyrusleeping-base32
(package
(name "go-github-com-whyrusleeping-base32")
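Review bot: the `go-github-com-wadey-gocovmerge` definition describes a command-line tool, yet it uses the library-style name and `(propagated-inputs (list go-golang-org-x-tools))`; state whether the package is meant as a Go module or as the `gocovmerge` command, and if it is the command, the dependency need not be propagated. The first line of the description is also much longer than the surrounding lines and should be wrapped, and "go cover" in the synopsis should read "Go".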
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 23 Mar 2025 10:36:02 GMT)
Message #14 received at 77203 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/golang-crypto.scm (fscrypt): New variable.
Change-Id: I7df45a9345726480518c598583a10b6e905e8a1f
---
gnu/packages/golang-crypto.scm | 74 +++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/golang-crypto.scm b/gnu/packages/golang-crypto.scm
index 17567219e4..61a911a494 100644
--- a/gnu/packages/golang-crypto.scm
+++ b/gnu/packages/golang-crypto.scm
@@ -26,6 +26,7 @@
;;; Copyright © 2024 Superfly Johnson <superfly.johnson <at> yahoo.com>
;;; Copyright © 2025 Roman Scherer <roman <at> burningswell.com>
;;; Copyright © 2025 Sharlatan Hellseher <sharlatanus <at> gmail.com>
+;;; Copyright © 2025 45mg <45mg.writes <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -50,6 +51,7 @@ (define-module (gnu packages golang-crypto)
#:use-module (guix packages)
#:use-module (guix utils)
#:use-module (gnu packages)
+ #:use-module (gnu packages base)
#:use-module (gnu packages gnupg)
#:use-module (gnu packages golang)
#:use-module (gnu packages golang-build)
@@ -57,8 +59,11 @@ (define-module (gnu packages golang-crypto)
#:use-module (gnu packages golang-compression)
#:use-module (gnu packages golang-web)
#:use-module (gnu packages golang-xyz)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages m4)
#:use-module (gnu packages password-utils)
- #:use-module (gnu packages specifications))
+ #:use-module (gnu packages specifications)
+ #:use-module (gnu packages version-control))
;;; Commentary:
;;;
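Review bot: the added `#:use-module (gnu packages version-control)` looks unused. The `fscrypt` definition later in this patch lists only `gnu-make`, `linux-pam` and `m4` as native inputs, and its `fix-version-detection` phase replaces the `git describe` call instead of providing git. Drop the import unless something from that module is actually referenced.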
@@ -2608,6 +2613,73 @@ (define-public age
(define-public age-keygen
(deprecated-package "age-keygen" age))
+(define-public fscrypt
+ (package
+ (name "fscrypt")
+ (version "0.3.5")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/google/fscrypt")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "15b89g7imv4691aq16xn9q6nh6fcdldkxmvysc7igm6a8p1n6bai"))))
+ (build-system go-build-system)
+ (arguments
+ (list
+ #:import-path "github.com/google/fscrypt"
+ #:install-source? #f
+ #:test-flags
+ #~(list "-skip"
+ (string-join (list
+ ;; These tests expect to be able to find /home,
+ ;; /mnt and /tmp.
+ "TestLoadReadOnlyMount"
+ "TestReadWriteMountIsPreferredOverReadOnlyMount"
+ "TestLoadAmbiguousMounts"
+ "TestRootSubtreeIsPreferred") "|"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-before 'build 'fix-version-detection
+ ;; We don't have .git in the build directory.
+ (lambda _
+ (substitute* "src/github.com/google/fscrypt/Makefile"
+ (("\\$\\(shell git describe --tags\\)")
+ (string-append "v" #$version)))))
+ (replace 'build
+ (lambda* (#:key parallel-build? #:allow-other-keys)
+ (with-directory-excursion "src/github.com/google/fscrypt"
+ (invoke "make"
+ "-j" (if parallel-build?
+ (number->string (parallel-job-count))
+ "1")
+ (string-append "CC=" #$(cc-for-target))))))
+ (replace 'install
+ (lambda _
+ (with-directory-excursion "src/github.com/google/fscrypt"
+ (invoke "make" "install"
+ (string-append "PREFIX=" #$output))))))))
+ (propagated-inputs (list go-github-com-client9-misspell
+ go-github-com-pkg-errors
+ go-github-com-urfave-cli
+ go-github-com-wadey-gocovmerge
+ go-golang-org-x-crypto
+ go-golang-org-x-sys
+ go-golang-org-x-term
+ go-golang-org-x-tools
+ go-google-golang-org-protobuf
+ go-honnef-co-go-tools))
+ (native-inputs (list gnu-make linux-pam m4))
+ (home-page "https://github.com/google/fscrypt")
+ (synopsis "Go tool for managing Linux filesystem encryption")
+ (description "@command{fscrypt} is a high-level tool for the management of
+Linux native filesystem encryption. It manages metadata, key generation, key
+wrapping, PAM integration, and provides a uniform interface for creating and
+modifying encrypted directories.")
+ (license license:asl2.0)))
+
(define-public go-jwker
(package/inherit go-github-com-jphastings-jwker
(name "go-jwker")
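Review bot: `linux-pam` sits in `native-inputs` while the `build` phase passes `CC=` from `(cc-for-target)`, so a cross build would be given PAM for the build machine rather than the target; the description advertises PAM integration, so the library is presumably linked into the result and belongs in `inputs`. Separately, `propagated-inputs` places every listed Go module, including `go-github-com-client9-misspell` and `go-honnef-co-go-tools`, into the profile of anyone who installs the `fscrypt` command.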
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 23 Mar 2025 10:36:03 GMT)
Message #17 received at 77203 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/crypto.scm (fscryptctl): New variable.
Change-Id: I98b0100402307d0f3e0af6d46e0d1abbf7cd59d5
---
gnu/packages/crypto.scm | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm
index bbbe4a1ba0..cdc8513050 100644
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@@ -28,6 +28,7 @@
;;; Copyright © 2023 Ivan Vilata-i-Balaguer <ivan <at> selidor.net>
;;; Copyright © 2023 Foundation Devices, Inc. <hello <at> foundationdevices.com>
;;; Copyright © 2024 Janneke Nieuwenhuizen <janneke <at> gnu.org>
+;;; Copyright © 2025 45mg <45mg.writes <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -65,6 +66,7 @@ (define-module (gnu packages crypto)
#:use-module (gnu packages golang-crypto)
#:use-module (gnu packages golang-build)
#:use-module (gnu packages graphviz)
+ #:use-module (gnu packages haskell-xyz)
#:use-module (gnu packages image)
#:use-module (gnu packages kerberos)
#:use-module (gnu packages libbsd)
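Review bot: `(gnu packages haskell-xyz)` is imported into `(gnu packages crypto)` only for the `pandoc` native input of `fscryptctl` later in this patch, which adds a module cross-reference and a Haskell-built dependency to the build of a small C program. If pandoc is needed only to render documentation, say so in a comment next to `(native-inputs (list pandoc))` so the cost is a visible choice.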
@@ -407,6 +409,37 @@ (define-public keyutils
(license (list license:lgpl2.1+ ; the files keyutils.*
license:gpl2+)))) ; the rest
+(define-public fscryptctl
+ (package
+ (name "fscryptctl")
+ (version "1.2.0")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/google/fscryptctl")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "15zbmh9jlhqbai7lcaqyvymrjjcdi0l9zli9j51skwap59sq9jz6"))))
+ (build-system gnu-build-system)
+ (arguments
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output)
+ (string-append "CC=" #$(cc-for-target)))
+ #:tests? #f ;Test setup requires root
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))))
+ (native-inputs (list pandoc))
+ (home-page "https://github.com/google/fscryptctl")
+ (synopsis "Small C tool for Linux filesystem encryption")
+ (description "@command{fscryptctl} is a low-level tool written in C that
+handles raw keys and manages policies for Linux filesystem encryption,
+specifically the @code{fscrypt} kernel interface which is supported by the
+ext4, f2fs, UBIFS, and CephFS filesystems.")
+ (license license:asl2.0)))
+
(define-public ssss
(package
(name "ssss")
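Review bot: with `#:tests? #f` nothing in the `fscryptctl` definition exercises the built binary, and `(delete 'configure)` has no comment. A one-line comment that there is no configure script, plus a note on whether any part of the test suite can run without root, would make both choices reviewable for a tool that, per its description, handles raw keys.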
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 30 Mar 2025 15:41:02 GMT)
Message #20 received at 77203 <at> debbugs.gnu.org (full text, mbox):
Hi
Thank you for the patches.
I picked it up as I've checked "tag:team-go" on it.
CC Leo Famulari for patches related to Linux.
This is a first round of review just touching the most obvious points.
> [PATCH 4/4] gnu: Add fscryptctl.
That may go to (gnu packages filesystems) to reduce cross references and
as it's a final command and not a Golang module.
It also contains all required modules:
--8<---------------cut here---------------start------------->8---
(define-module (gnu packages file-systems)
...
#:use-module (gnu packages base)
...
#:use-module (gnu packages golang-build)
#:use-module (gnu packages golang-check)
#:use-module (gnu packages golang-crypto)
#:use-module (gnu packages golang-xyz)
...
#:use-module (gnu packages linux)
...
#:use-module (gnu packages m4)
...
#:use-module (gnu packages version-control)
--8<---------------cut here---------------end--------------->8---
--8<---------------cut here---------------start------------->8---
+ (propagated-inputs (list go-github-com-client9-misspell
--8<---------------cut here---------------end--------------->8---
As it's a final command all Golang modules need to be listed in native
inputs.
--
Thanks,
Oleg
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Thu, 03 Apr 2025 18:42:02 GMT)
Message #23 received at 77203 <at> debbugs.gnu.org (full text, mbox):
Addresses initial feedback [1].
v1: [2].
Actually, 1/4 is not sufficient for the option to take effect in existing
kernel versions, as the corresponding files in
gnu/packages/aux-files/linux-libre/ need to change as well. Do I need to
change these myself? Or do we wait until the next kernel version and add it
only to the new files?
[1] https://yhetil.org/guix/87ecyeo7c9.fsf <at> gmail.com/
[2] https://yhetil.org/guix/cover.1742725211.git.45mg.writes <at> gmail.com/
45mg (4):
gnu: linux-libre: Enable CONFIG_FS_ENCRYPTION.
gnu: Add go-github-com-wadey-gocovmerge.
gnu: Add fscrypt.
gnu: Add fscryptctl.
gnu/packages/file-systems.scm | 102 ++++++++++++++++++++++++++++++++++
gnu/packages/golang-xyz.scm | 26 +++++++++
gnu/packages/linux.scm | 2 +
3 files changed, 130 insertions(+)
base-commit: 4ea012fc6ddcb32574fbd4a854b11808c34fbca8
--
2.49.0
Information forwarded to leo <at> famulari.name, w <at> wmeyer.eu, guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Thu, 03 Apr 2025 18:43:01 GMT)
Message #26 received at 77203 <at> debbugs.gnu.org (full text, mbox):
This enables support for filesystem-level encryption via the fscrypt
library. Many distributions such as Debian [1] and Arch Linux [2] have
it enabled (so it should be safe).
[1] https://salsa.debian.org/kernel-team/linux/-/blob/988ee7494a62a63a8b92b2e18bf730072e54413c/debian/config/config?page=6#L5843
[2] https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/a7e2a17f9c0e55937ea3e18c4d5b905a8e4f8047/config?page=11#L10752
* gnu/packages/linux.scm (default-extra-linux-options): Add CONFIG_FS_ENCRYPTION.
Change-Id: Ibee34871a25e880e7c16eaa51ddebee85ee172f5
---
gnu/packages/linux.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1417925dc8..f679a4e55c 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -901,6 +901,8 @@ (define (default-extra-linux-options version)
("CONFIG_PROC_PID_CPUSET" . #t)
;; Allow disk encryption by default
("CONFIG_DM_CRYPT" . m)
+ ;; Allow fscrypt filesystem encryption by default
+ ("CONFIG_FS_ENCRYPTION" . #t)
;; Support zram on all kernel configs
("CONFIG_ZSWAP" . #t)
("CONFIG_ZSMALLOC" . #t)
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Thu, 03 Apr 2025 18:43:02 GMT)
Message #29 received at 77203 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/golang-xyz.scm (go-github-com-wadey-gocovmerge): New
variable.
Change-Id: Idde447ff494064fbc74c973b49ff0fd5699f9346
---
gnu/packages/golang-xyz.scm | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/gnu/packages/golang-xyz.scm b/gnu/packages/golang-xyz.scm
index 13eb2b4c7f..230e53eec5 100644
--- a/gnu/packages/golang-xyz.scm
+++ b/gnu/packages/golang-xyz.scm
@@ -57,6 +57,7 @@
;;; Copyright © 2024 gemmaro <gemmaro.dev <at> gmail.com>
;;; Copyright © 2024 Roman Scherer <roman <at> burningswell.com>
;;; Copyright © 2025 Ashvith Shetty <ashvithshetty0010 <at> zohomail.in>
+;;; Copyright © 2025 45mg <45mg.writes <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -15430,6 +15431,31 @@ (define-public go-github-com-warpfork-go-fsx
;; BSD-3-Clause terms.
(license (list license:expat license:asl2.0 license:bsd-3))))
+(define-public go-github-com-wadey-gocovmerge
+ (package
+ (name "go-github-com-wadey-gocovmerge")
+ (version "0.0.0-20160331181800-b5bfa59ec0ad")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/wadey/gocovmerge")
+ (commit (go-version->git-ref version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "00m7kxcmmw0l9z0m7z6ii06n5j4bcrxqjbhxjbfzmsdgdsvkic31"))))
+ (build-system go-build-system)
+ (arguments
+ (list
+ #:import-path "github.com/wadey/gocovmerge"))
+ (propagated-inputs (list go-golang-org-x-tools))
+ (home-page "https://github.com/wadey/gocovmerge")
+ (synopsis "Merge coverprofile results from multiple go cover runs")
+ (description
+ "gocovmerge takes the results from multiple @command{go test -coverprofile} runs and
+merges them into one profile.")
+ (license license:bsd-2)))
+
(define-public go-github-com-whyrusleeping-base32
(package
(name "go-github-com-whyrusleeping-base32")
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Thu, 03 Apr 2025 18:43:02 GMT)
Message #32 received at 77203 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/file-systems.scm (fscrypt): New variable.
Change-Id: I7df45a9345726480518c598583a10b6e905e8a1f
---
gnu/packages/file-systems.scm | 69 +++++++++++++++++++++++++++++++++++
1 file changed, 69 insertions(+)
diff --git a/gnu/packages/file-systems.scm b/gnu/packages/file-systems.scm
index 01c564bc77..890557625d 100644
--- a/gnu/packages/file-systems.scm
+++ b/gnu/packages/file-systems.scm
@@ -455,6 +455,75 @@ (define-public fsarchiver
(home-page "https://www.fsarchiver.org/")
(license license:gpl2)))
+(define-public fscrypt
+ (package
+ (name "fscrypt")
+ (version "0.3.5")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/google/fscrypt")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "15b89g7imv4691aq16xn9q6nh6fcdldkxmvysc7igm6a8p1n6bai"))))
+ (build-system go-build-system)
+ (arguments
+ (list
+ #:import-path "github.com/google/fscrypt"
+ #:install-source? #f
+ #:test-flags
+ #~(list "-skip"
+ (string-join (list
+ ;; These tests expect to be able to find /home,
+ ;; /mnt and /tmp.
+ "TestLoadReadOnlyMount"
+ "TestReadWriteMountIsPreferredOverReadOnlyMount"
+ "TestLoadAmbiguousMounts"
+ "TestRootSubtreeIsPreferred") "|"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-before 'build 'fix-version-detection
+ ;; We don't have .git in the build directory.
+ (lambda _
+ (substitute* "src/github.com/google/fscrypt/Makefile"
+ (("\\$\\(shell git describe --tags\\)")
+ (string-append "v" #$version)))))
+ (replace 'build
+ (lambda* (#:key parallel-build? #:allow-other-keys)
+ (with-directory-excursion "src/github.com/google/fscrypt"
+ (invoke "make"
+ "-j" (if parallel-build?
+ (number->string (parallel-job-count))
+ "1")
+ (string-append "CC=" #$(cc-for-target))))))
+ (replace 'install
+ (lambda _
+ (with-directory-excursion "src/github.com/google/fscrypt"
+ (invoke "make" "install"
+ (string-append "PREFIX=" #$output))))))))
+ (native-inputs (list gnu-make
+ go-github-com-client9-misspell
+ go-github-com-pkg-errors
+ go-github-com-urfave-cli
+ go-github-com-wadey-gocovmerge
+ go-golang-org-x-crypto
+ go-golang-org-x-sys
+ go-golang-org-x-term
+ go-golang-org-x-tools
+ go-google-golang-org-protobuf
+ go-honnef-co-go-tools
+ linux-pam
+ m4))
+ (home-page "https://github.com/google/fscrypt")
+ (synopsis "Go tool for managing Linux filesystem encryption")
+ (description "@command{fscrypt} is a high-level tool for the management of
+Linux native filesystem encryption. It manages metadata, key generation, key
+wrapping, PAM integration, and provides a uniform interface for creating and
+modifying encrypted directories.")
+ (license license:asl2.0)))
+
(define-public fstransform
(package
(name "fstransform")
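Review bot: the `native-inputs` list still carries `go-github-com-client9-misspell`, `go-github-com-wadey-gocovmerge` and `go-honnef-co-go-tools`, which look like development-time tooling (spell checking, coverage merging, static analysis), while the `build` phase runs plain `make` and the `install` phase runs `make install`. If neither target invokes them, drop them, and patch 2/4 with them, so the build closure of an encryption tool stays as small as possible; if they are needed, a comment saying which Makefile target uses them would help.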
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Thu, 03 Apr 2025 18:44:02 GMT)
Message #35 received at 77203 <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/file-systems.scm (fscryptctl): New variable.
Change-Id: I98b0100402307d0f3e0af6d46e0d1abbf7cd59d5
---
gnu/packages/file-systems.scm | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/gnu/packages/file-systems.scm b/gnu/packages/file-systems.scm
index 890557625d..3b2098df2b 100644
--- a/gnu/packages/file-systems.scm
+++ b/gnu/packages/file-systems.scm
@@ -17,6 +17,7 @@
;;; Copyright © 2025 Julian Flake <flake <at> uni-koblenz.de>
;;; Copyright © 2025 Ashish SHUKLA <ashish.is <at> lostca.se>
;;; Copyright © 2020-2025 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
+;;; Copyright © 2025 45mg <45mg.writes <at> gmail.com>
;;
;;; This file is part of GNU Guix.
;;;
@@ -85,6 +86,7 @@ (define-module (gnu packages file-systems)
#:use-module (gnu packages golang-crypto)
#:use-module (gnu packages golang-xyz)
#:use-module (gnu packages guile)
+ #:use-module (gnu packages haskell-xyz)
#:use-module (gnu packages jemalloc)
#:use-module (gnu packages kerberos)
#:use-module (gnu packages libevent)
@@ -524,6 +526,37 @@ (define-public fscrypt
modifying encrypted directories.")
(license license:asl2.0)))
+(define-public fscryptctl
+ (package
+ (name "fscryptctl")
+ (version "1.2.0")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/google/fscryptctl")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32 "15zbmh9jlhqbai7lcaqyvymrjjcdi0l9zli9j51skwap59sq9jz6"))))
+ (build-system gnu-build-system)
+ (arguments
+ (list
+ #:make-flags #~(list (string-append "PREFIX=" #$output)
+ (string-append "CC=" #$(cc-for-target)))
+ #:tests? #f ;Test setup requires root
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure))))
+ (native-inputs (list pandoc))
+ (home-page "https://github.com/google/fscryptctl")
+ (synopsis "Small C tool for Linux filesystem encryption")
+ (description "@command{fscryptctl} is a low-level tool written in C that
+handles raw keys and manages policies for Linux filesystem encryption,
+specifically the @code{fscrypt} kernel interface which is supported by the
+ext4, f2fs, UBIFS, and CephFS filesystems.")
+ (license license:asl2.0)))
+
(define-public fstransform
(package
(name "fstransform")
--
2.49.0
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sat, 05 Apr 2025 17:30:02 GMT)
Message #38 received at 77203 <at> debbugs.gnu.org (full text, mbox):
On Fri, Apr 04, 2025 at 12:10:46AM +0530, 45mg wrote:
> Addresses initial feedback [1].
>
> v1: [2].
>
> Actually, 1/4 is not sufficient for the option to take effect in existing
> kernel versions, as the corresponding files in
> gnu/packages/aux-files/linux-libre/ need to change as well. Do I need to
> change these myself? Or do we wait until the next kernel version and add it
> only to the new files?
Can you be specific about what changes need to be made to the kernel
configs? We should feel free to change.
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 06 Apr 2025 06:39:01 GMT)
Message #41 received at 77203 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> On Fri, Apr 04, 2025 at 12:10:46AM +0530, 45mg wrote:
>> Addresses initial feedback [1].
>>
>> v1: [2].
>>
>> Actually, 1/4 is not sufficient for the option to take effect in existing
>> kernel versions, as the corresponding files in
>> gnu/packages/aux-files/linux-libre/ need to change as well. Do I need to
>> change these myself? Or do we wait until the next kernel version and add it
>> only to the new files?
>
> Can you be specific about what changes need to be made to the kernel
> configs? We should feel free to change.
Actually, ignore that - I don't think any changes are required.
After posting v1 I tried to build a VM with it, and when I checked
/proc/config.gz inside the VM CONFIG_FS_ENCRYPTION was not enabled. So I
thought maybe it needed to be enabled in aux-files/*.
But I tried it again, and when I do './pre-inst-env guix build
linux-libre' with this patch applied, I see this output from the
configure phase:
FS Encryption (Per-file encryption) (FS_ENCRYPTION) [Y/n/?] y
So I guess I must have done something wrong when building the VM, since
the option is clearly enabled for the build.
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 06 Apr 2025 08:36:01 GMT)
Message #44 received at 77203 <at> debbugs.gnu.org (full text, mbox):
45mg <45mg.writes <at> gmail.com> writes:
> After posting v1 I tried to build a VM with it, and when I checked
> /proc/config.gz inside the VM CONFIG_FS_ENCRYPTION was not enabled. So I
> thought maybe it needed to be enabled in aux-files/*.
[...]
> So I guess I must have done something wrong when building the VM, since
> the option is clearly enabled for the build.
Yep, just did the exact same VM test again, and from inside the VM:
# zcat /proc/config.gz | grep 'CONFIG_FS_ENCRYPTION='
CONFIG_FS_ENCRYPTION=y
Within the VM, I successfully performed the example from the fscryptctl
README:
https://github.com/google/fscryptctl?tab=readme-ov-file#example-usage
I've attached the system config I used for the VM below.
# ./pre-inst-env guix system vm test-system.scm
--8<---------------cut here---------------start------------->8---
;; -*- mode: scheme; -*-
;; This is an operating system configuration template
;; for a "bare bones" setup, with no X11 display server.
(use-modules (gnu))
(use-package-modules file-systems)
(operating-system
(host-name "komputilo")
(timezone "Europe/Berlin")
(locale "en_US.utf8")
;; Boot in "legacy" BIOS mode, assuming /dev/sdX is the
;; target hard disk, and "my-root" is the label of the target
;; root file system.
(bootloader (bootloader-configuration
(bootloader grub-bootloader)
(targets '("/dev/sdX"))))
;; It's fitting to support the equally bare bones ‘-nographic’
;; QEMU option, which also nicely sidesteps forcing QWERTY.
(kernel-arguments (list "console=ttyS0,115200"))
(file-systems (cons (file-system
(device (file-system-label "myroot"))
(mount-point "/")
(type "btrfs"))
%base-file-systems))
;; Globally-installed packages.
(packages (cons* fscrypt fscryptctl %base-packages)))
--8<---------------cut here---------------end--------------->8---
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Sun, 06 Apr 2025 18:19:02 GMT)
Message #47 received at 77203 <at> debbugs.gnu.org (full text, mbox):
On Sun, Apr 06, 2025 at 08:35:37AM +0000, 45mg wrote:
> Yep, just did the exact same VM test again, and from inside the VM:
>
> # zcat /proc/config.gz | grep 'CONFIG_FS_ENCRYPTION='
> CONFIG_FS_ENCRYPTION=y
>
> Within the VM, I successfully performed the example from the fscryptctl
> README:
> https://github.com/google/fscryptctl?tab=readme-ov-file#example-usage
Great. I've made cosmetic adjustments and pushed to the kernel-updates
branch:
https://ci.guix.gnu.org/jobset/kernel-updates
It should build kernels based on these patches for testing.
I'm merely going to test that my systems boot and operate properly.
Please test functionality based on this branch.
Looking at the documentation, should we adjust any other options? Or
will they automatically be adjusted to something sensible?
https://www.kernel.org/doc/html/v6.13/filesystems/fscrypt.html#kernel-config-options
Information forwarded to guix-patches <at> gnu.org: bug#77203; Package guix-patches. (Mon, 07 Apr 2025 06:46:01 GMT)
Message #50 received at 77203 <at> debbugs.gnu.org (full text, mbox):
Leo Famulari <leo <at> famulari.name> writes:
> Great. I've made cosmetic adjustments and pushed to the kernel-updates
> branch:
>
> https://ci.guix.gnu.org/jobset/kernel-updates
>
> It should build kernels based on these patches for testing.
Great, thanks!
> Looking at the documentation, should we adjust any other options? Or
> will they automatically be adjusted to something sensible?
>
> https://www.kernel.org/doc/html/v6.13/filesystems/fscrypt.html#kernel-config-options
From that page and from the test I described above, it looks like
CONFIG_FS_ENCRYPTION is the only option that's strictly necessary for
the default encryption mode.
The other options mentioned in the docs seem to be either (1) for using
other encryption modes, or (2) for hardware acceleration, which is
platform-specific. I don't have any need for (1) so I probably won't
look into it in the near future. Once this patch series is merged and I
start relying on fscrypt, I should get an idea of the performance
situation; at that point I might look into (2) if I feel that the
un-accelerated performance isn't good enough.
(In the meantime, of course, anyone else is welcome to look into it.)
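The verification step from the messages above, generalized as an added example (not part of the thread or of Guix): `grep 'CONFIG_FS_ENCRYPTION='` prints nothing both when the option is explicitly disabled and when it is missing from the config, so this script tells the states apart. The optional option names are taken from the kernel fscrypt documentation linked in the thread, the function names are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: classify fscrypt-related options in a kernel config file.

# Print a config on stdout, decompressing it when it is gzip'd like /proc/config.gz.
kconfig_cat() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# kconfig_state FILE OPTION
# Prints the assigned value (y, m, ...), "n" for an explicit
# "# OPTION is not set" line, or "absent" when the option never appears.
kconfig_state() {
    kconfig_cat "$1" | awk -v opt="$2" '
        index($0, opt "=") == 1          { state = substr($0, length(opt) + 2) }
        $0 == ("# " opt " is not set")   { state = "n" }
        END { print (state == "" ? "absent" : state) }
    '
}

# CONFIG_FS_ENCRYPTION is the option the patch enables. The remaining names are
# an assumption of this example, picked from the kernel fscrypt documentation.
FSCRYPT_OPTIONS='CONFIG_FS_ENCRYPTION:required
CONFIG_FS_ENCRYPTION_INLINE_CRYPT:inline-crypto-hardware
CONFIG_CRYPTO_ADIANTUM:other-encryption-mode
CONFIG_CRYPTO_AES_NI_INTEL:x86-acceleration'

# Print one line per option: name, state, role.
fscrypt_report() {
    for entry in $FSCRYPT_OPTIONS; do
        opt=${entry%%:*}
        role=${entry#*:}
        printf '%-36s %-7s %s\n' "$opt" "$(kconfig_state "$1" "$opt")" "$role"
    done
}

# Succeed only when the fscrypt kernel interface is built in.
fscrypt_ready() {
    [ "$(kconfig_state "$1" CONFIG_FS_ENCRYPTION)" = y ]
}

# Constructed sample config (not taken from a real Guix kernel).
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_DM_CRYPT=m
CONFIG_FS_ENCRYPTION=y
CONFIG_FS_ENCRYPTION_ALGS=y
# CONFIG_FS_ENCRYPTION_INLINE_CRYPT is not set
CONFIG_CRYPTO_AES_NI_INTEL=m
EOF
}

# Usage: sh this-script /proc/config.gz
if [ "$#" -gt 0 ]; then
    fscrypt_report "$1"
fi
```

A state of `absent` for `CONFIG_FS_ENCRYPTION` on a running system usually means the booted kernel was not the one just built, which is worth ruling out before editing any config files.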
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Wed, 09 Apr 2025 00:30:02 GMT)
Notification sent to 45mg <45mg.writes <at> gmail.com>: bug acknowledged by developer. (Wed, 09 Apr 2025 00:30:03 GMT)
Message #55 received at 77203-done <at> debbugs.gnu.org (full text, mbox):
On Mon, Apr 07, 2025 at 06:44:40AM +0000, 45mg wrote:
> From that page and from the test I described above, it looks like
> CONFIG_FS_ENCRYPTION is the only option that's strictly necessary for
> the default encryption mode.
>
> The other options mentioned in the docs seem to be either (1) for using
> other encryption modes, or (2) for hardware acceleration, which is
> platform-specific. I don't have any need for (1) so I probably won't
> look into it in the near future. Once this patch series is merged and I
> start relying on fscrypt, I should get an idea of the performance
> situation; at that point I might look into (2) if I feel that the
> un-accelerated performance isn't good enough.
>
> (In the meantime, of course, anyone else is welcome to look into it.)
Sounds good! I pushed the patches as
bf6736bd878a14e0520a550bf8fbf8edb69876df
Thanks for working on this!
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 07 May 2025 11:24:05 GMT)