Project

General

Profile

Feature #15253

Feature #14468: Add VeraCrypt support to Tails

Feature #15214: Iteration 1: Support unlocking VeraCrypt partitions in GNOME

Iteration 1: Backport support for unlocking VeraCrypt partitions to udisks in Stretch

Added by segfault over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
01/25/2018
Due date:
% Done:

100%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

Development repository: https://github.com/segfault3/udisks-debian (based on Debian's udisks2 packaging repository: https://anonscm.debian.org/git/pkg-utopia/udisks2.git)
Branch: 2.1.8-support-tcrypt

The current udisks version (and the one in Buster) uses libblockdev to handle unlocking of block devices. The version in Stretch does not, so we will have to create an additional patch for udisks in Stretch, in order to be able to ship this functionality in Tails 3.9.


Related issues

Blocks Tails - Feature #15522: Iteration 1: Create custom Debian package for udisks Resolved 04/11/2018

History

#1 Updated by segfault over 1 year ago

  • Description updated (diff)

#2 Updated by segfault over 1 year ago

The cryptsetup version in Stretch (1.7.3) does not support the VeraCrypt PIM parameter. We could install cryptsetup 2.0 from Buster, to have PIM support in udisks. Alternatively, we could use zuluCrypt-cli instead of cryptsetup in Tails 3.X, because the zuluCrypt-cli version in Stretch already supports PIM.

#3 Updated by segfault over 1 year ago

  • Description updated (diff)
  • Assignee changed from segfault to anonym
  • QA Check set to Ready for QA

I backported our patches to the udisks version in Stretch (2.1.8-1) and created an additional patch which uses the cryptsetup command instead of libblockdev. I tested it successfully on a Debian Stretch. I omitted the support for the PIM for now, because of the issue I explained in the previous comment.

#4 Updated by segfault over 1 year ago

  • Description updated (diff)

#5 Updated by segfault over 1 year ago

We need a decision regarding the PIM (see #15253#note-2). Then the next step is creating a Debian package for this, see #15522.

#6 Updated by intrigeri over 1 year ago

  • Blocks Feature #15522: Iteration 1: Create custom Debian package for udisks added

#7 Updated by intrigeri over 1 year ago

  • Status changed from Confirmed to In Progress

#8 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.7 to Tails_3.8

#9 Updated by intrigeri over 1 year ago

  • Assignee changed from anonym to segfault

I think you should not block on anonym for this. If you need help / uploads, ask me (or possibly u if she's fine with that).

#10 Updated by intrigeri about 1 year ago

  • QA Check changed from Ready for QA to Info Needed

Do I get it right that there's no branch based on upstream 2.1.8 with the backported work, and then I should compare https://github.com/segfault3/udisks/tree/support-tcrypt (for upstream) with https://github.com/segfault3/udisks-debian/tree/2.1.8-support-tcrypt (backported for Stretch), right?

Then please reassign to me :)

#11 Updated by intrigeri about 1 year ago

  • Target version changed from Tails_3.8 to Tails_3.9

#12 Updated by segfault about 1 year ago

  • Assignee changed from segfault to intrigeri
  • QA Check changed from Info Needed to Ready for QA

intrigeri wrote:

Do I get it right that there's no branch based on upstream 2.1.8 with the backported work, and then I should compare https://github.com/segfault3/udisks/tree/support-tcrypt (for upstream) with https://github.com/segfault3/udisks-debian/tree/2.1.8-support-tcrypt (backported for Stretch), right?

Correct. (And those repos are the right ones, I didn't move them to gitlab.)

#13 Updated by intrigeri about 1 year ago

  • Assignee changed from intrigeri to segfault
  • % Done changed from 0 to 60
  • QA Check changed from Ready for QA to Info Needed

Disclaimer: as you know I'm not a C developer so I might write very stupid things here.

It feels like you've backported a slightly older version of the patches that got merged upstream, e.g. BYTES_TO_CHECK vs. CHI_SQUARE_BYTES_TO_CHECK, discrepancies in the doc, no support for udisks_daemon_get_enable_tcrypt, no error handling of the seems_encrypted method call return value and so on. Right?

In most cases that seems to be a detail not worth spending more time on to backport stuff again, but:

  • Can you please compare the patches and check that we can do without every such improvement that's part of the version merged upstream? If you already did that since your udisks2 + libblockdev work was merged upstream, cool: just tell me :)
  • In the backported version I see {} /* LUKS is detectable, so we don't have to set the hint */ while upstream I see udisks_encrypted_set_hint_encryption_type (encrypted, "LUKS"). Maybe that should be backported too?

#14 Updated by segfault about 1 year ago

  • Assignee changed from segfault to intrigeri
  • QA Check changed from Info Needed to Ready for QA

Sorry, I forgot about this and just noticed that this was not resolved yet.

intrigeri wrote:

Disclaimer: as you know I'm not a C developer so I might write very stupid things here.

It feels like you've backported a slightly older version of the patches that got merged upstream, e.g. BYTES_TO_CHECK vs. CHI_SQUARE_BYTES_TO_CHECK, discrepancies in the doc, no support for udisks_daemon_get_enable_tcrypt, no error handling of the seems_encrypted method call return value and so on. Right?

Yes. That is mainly because I didn't backport style changes.

In most cases that seems to be a detail not worth spending more time on to backport stuff again, but:

  • Can you please compare the patches and check that we can do without every such improvement that's part of the version merged upstream? If you already did that since your udisks2 + libblockdev work was merged upstream, cool: just tell me :)

I did that now and found no differences worth backporting.

  • In the backported version I see {} /* LUKS is detectable, so we don't have to set the hint */ while upstream I see udisks_encrypted_set_hint_encryption_type (encrypted, "LUKS"). Maybe that should be backported too?

No, that hint really doesn't make any difference, it is never used for LUKS.

#15 Updated by intrigeri about 1 year ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 60 to 100
  • QA Check changed from Ready for QA to Pass

Thanks!

Also available in: Atom PDF