Luks2 enablement

src/lib/y2partitioner/actions/controllers/encryption.rb

@@ -71,7 +71,7 @@ def initialize(fs_controller)
           @fs_controller = fs_controller
           @action = actions.first
           @password = encryption&.password || ""
-          @pbkdf = encryption&.pbkdf
+          @pbkdf = encryption&.pbkdf || Y2Storage::PbkdFunction::PBKDF2
           @method = initial_method
           @apqns = initial_apqns
           @label = initial_label
@@ -215,7 +215,7 @@ def initial_method
           if methods.include?(encryption&.method)
             encryption.method
           else
-            Y2Storage::EncryptionMethod::LUKS1
+            Y2Storage::EncryptionMethod::LUKS2
           end
         end
 

src/lib/y2storage/blk_device.rb

@@ -255,7 +255,7 @@ def udev_full_ids
     #   in the real system. It will fail during commit.
     #
     #   @param dm_name [String] see #dm_table_name
-    #   @param type [EncryptionType] optional encryption type of the new device, LUKS1 by default
+    #   @param type [EncryptionType] optional encryption type of the new device, LUKS2 by default
     #   @return [Encryption]
     storage_forward :create_encryption, as: "Encryption", raise_errors: true
 
@@ -326,7 +326,7 @@ def encrypted?
     #   the documentation of the create_device method of the corresponding class
     #
     # @return [Encryption]
-    def encrypt(method: EncryptionMethod::LUKS1, dm_name: nil, password: nil, **method_args)
+    def encrypt(method: EncryptionMethod::LUKS2, dm_name: nil, password: nil, **method_args)
       enc = encrypt_with_method(method, dm_name, **method_args)
 
       enc.auto_dm_name = enc.dm_table_name.empty?

src/lib/y2storage/dialogs/guided_setup/select_scheme.rb

@@ -44,11 +44,23 @@ def initialize(*params)
           super
         end
 
+        # Handler for :encryption_method ComboBox.
+        # @param focus [Boolean] whether password field should be focused
+        def encryption_method_handler(focus: true)
+          widget_update(:encryption_pbkdf, (using_encryption? && using_luks2_encryption?),
+            attr: :Enabled)
+          return unless focus && using_encryption? && using_luks2_encryption?
+
+          Yast::UI.SetFocus(Id(:encryption_pbkdf))
+        end
+
         # Handler for :encryption check box.
         # @param focus [Boolean] whether password field should be focused
         def encryption_handler(focus: true)
           widget_update(:password, using_encryption?, attr: :Enabled)
           widget_update(:repeat_password, using_encryption?, attr: :Enabled)
+          widget_update(:encryption_method, using_encryption?, attr: :Enabled)
+          encryption_method_handler(focus: focus)
           return unless focus && using_encryption?
 
           Yast::UI.SetFocus(Id(:password))
@@ -119,41 +131,87 @@ def separate_vgs
           )
         end
 
+        def password_widget
+          Left(
+            HBox(
+              HSpacing(2),
+              Password(Id(:password), Opt(:hstretch), _("Password")),
+              Password(Id(:repeat_password), Opt(:hstretch), _("Verify Password"))
+            )
+          )
+        end
+
+        def encryption_method_widget
+          Left(
+            HBox(
+              HSpacing(2),
+              ComboBox(
+                Id(:encryption_method),
+                Opt(:notify, :hstretch),
+                _("Encryption method"),
+                Y2Storage::EncryptionMethod.available.reject(&:only_for_swap?).map do |m|
+                  Item(Id(m.id), m.to_human_string, (m.id == :luks2))
+                end
+              )
+            )
+          )
+        end
+
+        def encryption_pbkdf_widget
+          Left(
+            HBox(
+              HSpacing(2),
+              ComboBox(
+                Id(:encryption_pbkdf),
+                Opt(:hstretch),
+                _("Password-Based Key Derivation &Function (PBKDF)"),
+                Y2Storage::PbkdFunction.all.map do |m|
+                  Item(Id(m.value), m.name, (m.value == "pbkdf2"))
+                end
+              )
+            )
+          )
+        end
+
         def enable_disk_encryption
           VBox(
             Left(CheckBox(Id(:encryption), Opt(:notify), _(WIDGET_LABELS[:enable_disk_encryption]))),
             VSpacing(0.2),
-            Left(
-              HBox(
-                HSpacing(2),
-                Password(Id(:password), Opt(:hstretch), _("Password"))
-              )
-            ),
-            Left(
-              HBox(
-                HSpacing(2),
-                Password(Id(:repeat_password), Opt(:hstretch), _("Verify Password"))
-              )
-            )
+            password_widget,
+            encryption_method_widget,
+            encryption_pbkdf_widget
           )
         end
 
+        def initialize_encryption_widgets
+          widget_update(:password, settings.encryption_password)
+          widget_update(:repeat_password, settings.encryption_password)
+        end
+
         def initialize_widgets
           widget_update(:lvm, settings.use_lvm)
-          widget_update(:separate_vgs, settings.separate_vgs)
+          widget_update(:separate_vgs, settings.separate_vgs) if settings.separate_vgs_relevant?
           widget_update(:encryption, settings.use_encryption)
           encryption_handler(focus: false)
-          return unless settings.use_encryption
-
-          widget_update(:password, settings.encryption_password)
-          widget_update(:repeat_password, settings.encryption_password)
+          widget_update(:encryption_method, settings.encryption_method.id) if settings.encryption_method
+          if settings.encryption_pbkdf
+            widget_update(:encryption_pbkdf,
+              Id(settings.encryption_pbkdf.value))
+          end
+          encryption_method_handler(focus: false)
+          initialize_encryption_widgets if settings.use_encryption
         end
 
         def update_settings!
           settings.use_lvm = widget_value(:lvm)
-          settings.separate_vgs = widget_value(:separate_vgs)
-          password = using_encryption? ? widget_value(:password) : nil
-          settings.encryption_password = password
+          settings.separate_vgs = widget_value(:separate_vgs) if settings.separate_vgs_relevant?
+          settings.encryption_password = using_encryption? ? widget_value(:password) : nil
+          settings.encryption_method = if using_encryption?
+            Y2Storage::EncryptionMethod.find(widget_value(:encryption_method))
+          end
+          settings.encryption_pbkdf = if using_encryption? && using_luks2_encryption?
+            Y2Storage::PbkdFunction.find(widget_value(:encryption_pbkdf))
+          end
         end
 
         def help_text
@@ -225,6 +283,10 @@ def using_encryption?
           widget_value(:encryption)
         end
 
+        def using_luks2_encryption?
+          widget_value(:encryption_method) == :luks2
+        end
+
         def valid_password?
           msg = passwd_checker.error_msg(
             widget_value(:password), widget_value(:repeat_password)

src/lib/y2storage/dialogs/proposal.rb

@@ -139,12 +139,29 @@ def summary
       def actions_html
         actions_source_html +
           boss_html +
+          encryption_error +
           setup_errors_html +
           # Reuse the exact string "Changes to partitioning" from the partitioner
           _("<p>Changes to partitioning:</p>") +
           @actions_presenter.to_html
       end
 
+      def encryption_error
+        ret = ""
+        if !@proposal.nil? &&
+            !@proposal.settings.nil? &&
+            !@proposal.settings.encryption_method.nil? &&
+            @proposal.settings.encryption_password.nil?
+          ret = Yast::HTML.Para(
+              _("Missing encryption password - Proposal has been done without encryption.") +
+              Yast::HTML.Newline +
+              _("Please use \"Guided Setup\" in order to set the password or to disable encryption.")
+            )
+          ret = Yast::HTML.Colorize(ret, "red")
+        end
+        ret
+      end
+
       def boss_html
         return "" if boss_devices.empty?
 

src/lib/y2storage/encryption_method/luks2.rb

@@ -60,12 +60,6 @@ def create_device(blk_device, dm_name, pbkdf: nil, label: "")
         encryption_process.create_device(blk_device, dm_name, pbkdf: pbkdf, label: label)
       end
 
-      # @see Base#available?
-      def available?
-        # jsc#PED-3878 and jsc#GEHC-6
-        Yast::Mode.auto || StorageEnv.instance.luks2_available?
-      end
-
       private
 
       # @see Base#encryption_process

src/lib/y2storage/proposal_settings.rb

@@ -263,7 +263,7 @@ def deep_copy
     # Whether encryption must be used
     # @return [Boolean]
     def use_encryption
-      !encryption_password.nil?
+      !encryption_method.nil? || !encryption_password.nil?
     end
 
     def_delegators :@space_settings,
@@ -399,7 +399,7 @@ def root_volume
       lvm:                        false,
       lvm_vg_strategy:            :use_available,
       lvm_vg_reuse:               true,
-      encryption_method:          EncryptionMethod::LUKS1,
+      encryption_method:          nil,
       multidisk_first:            false,
       other_delete_mode:          :ondemand,
       resize_windows:             true,
@@ -446,20 +446,28 @@ def load_features
       load_encryption
     end
 
-    # Loads the default encryption settings
+    # Loads the encryption settings
     #
-    # The encryption settings are not part of control.xml, but can be injected by a previous step of
-    # the installation, eg. the dialog of the Common Criteria system role
     def load_encryption
-      enc = feature(:proposal, :encryption)
+      enc_method = feature(:proposal, :encryption_method)
+      self.encryption_method = EncryptionMethod.find(enc_method.to_sym) if !enc_method.nil?
+
+      enc_pbkdf = feature(:proposal, :encryption_pbkdf)
+      self.encryption_pbkdf = Y2Storage::PbkdFunction.find(enc_pbkdf) if !enc_pbkdf.nil?
 
+      # The encryption password is not part of control.xml, but can be injected by a previous step of
+      # the installation, eg. the dialog of the Common Criteria system role.
+      enc = feature(:proposal, :encryption)
       return unless enc
       return unless enc.respond_to?(:password)
 
       passwd = enc.password.to_s
       return if passwd.nil? || passwd.empty?
 
       self.encryption_password = passwd
+
+      # If an encryption password and no method have been set, we are using LUKS2 as default
+      self.encryption_method = EncryptionMethod::LUKS2 if encryption_method.nil?
     end
 
     def validated_delete_mode(mode)

src/lib/y2storage/storage_env.rb

@@ -32,13 +32,11 @@ class StorageEnv
 
     ENV_ACTIVATE_LUKS = "YAST_ACTIVATE_LUKS".freeze
 
-    ENV_LUKS2_AVAILABLE = "YAST_LUKS2_AVAILABLE".freeze
-
     ENV_LIBSTORAGE_IGNORE_PROBE_ERRORS = "LIBSTORAGE_IGNORE_PROBE_ERRORS".freeze
 
     ENV_REUSE_LVM = "YAST_REUSE_LVM".freeze
 
-    private_constant :ENV_MULTIPATH, :ENV_BIOS_RAID, :ENV_ACTIVATE_LUKS, :ENV_LUKS2_AVAILABLE
+    private_constant :ENV_MULTIPATH, :ENV_BIOS_RAID, :ENV_ACTIVATE_LUKS
     private_constant :ENV_LIBSTORAGE_IGNORE_PROBE_ERRORS
     private_constant :ENV_REUSE_LVM
 
@@ -82,16 +80,6 @@ def activate_luks?
       active?(ENV_ACTIVATE_LUKS, default: true)
     end
 
-    # Whether YaST should offer the encryption method for regular LUKS2
-    #
-    # See jsc#SLE-21309 where is stated that YaST support to setup LUKS2 devices should be
-    # "available only via a special Linuxrc option and communicated as a tech preview".
-    #
-    # @return [Boolean]
-    def luks2_available?
-      active?(ENV_LUKS2_AVAILABLE, default: false)
-    end
-
     # Whether YaST should reuse existing LVM
     #
     # see jsc#PED-6407 or jsc#IBM-1315