
Ancor Gonzalez Sosa wrote:
On 8/24/21 5:16 AM, Michael Chang wrote:
On Mon, Aug 23, 2021 at 04:20:29PM +0200, Ludwig Nussel wrote:
Michael Chang wrote:
On Mon, Aug 23, 2021 at 03:13:04PM +0200, Ludwig Nussel wrote:
[...]
I would be surprised if that can pass the staging test ...
I thought I saw it green with the RC version. Still building in :M now after rebase, we'll see..
I'm not sure if staging test covers FDE (full disk encryption) with luks2, or we only use that for data volumes, leaving /boot unencrypted.
It passes because YaST explicitly enforces LUKS1 on the devices it encrypts. So no matter what the cryptsetup default is, if the users choose "Enable Disk Encryption" in the Guided Setup or if they use the Expert Partitioner to set up an encrypted volume, YaST will execute in the end something like:
cryptsetup --type luks1 luksFormat /foo/bar
That's done on purpose due to all the LUKS2 concerns I already linked before.
Oh well, that explains why the tests work then. So far I assumed that the responsibility to use defaults that work with the distro was with libcryptsetup and other tools just follow (hence PBKDF2 despite LUKS2). How come YaST even bothers? cryptsetup in openSUSE never used LUKS2 as default, so potential problems with it should have never appeared on your radar, right?

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.com/
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer
HRB 36809 (AG Nürnberg)
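To check which format and KDF a volume actually ended up with (for instance after `cryptsetup --type luks1 luksFormat`, or with a LUKS2 default that keeps PBKDF2), the header can be read directly. The following is an added example, not code from this thread or from YaST or cryptsetup; the field offsets are taken from the LUKS1/LUKS2 on-disk format as an assumption, and the sample headers are constructed.

```python
import json
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # same 6-byte magic for LUKS1 and LUKS2
LUKS2_BIN_HDR = 4096           # LUKS2 binary header size; the JSON area follows it


def luks_summary(blob):
    """Return (version, sorted KDF names) for a header blob, or None if not LUKS."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", blob[6:8])      # big-endian uint16
    if version == 1:
        return 1, ["pbkdf2"]                          # LUKS1 keyslots always use PBKDF2
    if version != 2:
        raise ValueError(f"unknown LUKS version {version}")
    (hdr_size,) = struct.unpack(">Q", blob[8:16])    # binary header plus JSON area
    if hdr_size <= LUKS2_BIN_HDR or hdr_size > len(blob):
        raise ValueError("truncated or implausible LUKS2 header")
    raw = blob[LUKS2_BIN_HDR:hdr_size].split(b"\0", 1)[0]   # JSON is NUL-padded
    meta = json.loads(raw)
    kdfs = {slot["kdf"]["type"] for slot in meta.get("keyslots", {}).values()}
    return 2, sorted(kdfs)


def fake_luks2(kdf):
    """Constructed sample: minimal LUKS2-shaped header with one keyslot."""
    js = json.dumps({"keyslots": {"0": {"type": "luks2", "kdf": {"type": kdf}}}})
    hdr_size = 16384
    bin_hdr = (LUKS_MAGIC + struct.pack(">HQ", 2, hdr_size)).ljust(LUKS2_BIN_HDR, b"\0")
    return bin_hdr + js.encode().ljust(hdr_size - LUKS2_BIN_HDR, b"\0")


# Constructed sample: LUKS1-shaped header (magic, version 1, zero padding).
FAKE_LUKS1 = (LUKS_MAGIC + struct.pack(">H", 1)).ljust(592, b"\0")

if __name__ == "__main__":
    if len(sys.argv) > 1:                             # path to a device or image file
        with open(sys.argv[1], "rb") as fh:
            print(luks_summary(fh.read(4 * 1024 * 1024)))
    else:
        for name, blob in [("luks1", FAKE_LUKS1),
                           ("luks2/pbkdf2", fake_luks2("pbkdf2")),
                           ("luks2/argon2i", fake_luks2("argon2i"))]:
            print(name, luks_summary(blob))
```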