From 6747300278ea8314910bb64023ba536d826c3c6d Mon Sep 17 00:00:00 2001 From: John Baublitz Date: Tue, 16 Jul 2024 14:21:11 -0400 Subject: [PATCH] Add online encrypt ability for Stratis pools --- src/dbus_api/pool/mod.rs | 2 + src/dbus_api/pool/pool_3_0/api.rs | 2 +- src/dbus_api/pool/pool_3_8/api.rs | 32 +++ src/dbus_api/pool/pool_3_8/methods.rs | 99 +++++++++ src/dbus_api/pool/pool_3_8/mod.rs | 8 + src/dbus_api/tree.rs | 63 ++++++ src/dbus_api/types.rs | 14 ++ src/engine/engine.rs | 19 +- src/engine/sim_engine/pool.rs | 14 +- .../strat_engine/backstore/backstore/v2.rs | 20 +- src/engine/strat_engine/crypt/handle/v1.rs | 28 +-- src/engine/strat_engine/crypt/handle/v2.rs | 188 +++++++++++++++--- src/engine/strat_engine/crypt/shared.rs | 76 ++++++- src/engine/strat_engine/pool/dispatch.rs | 18 +- src/engine/strat_engine/pool/v1.rs | 39 ++-- src/engine/strat_engine/pool/v2.rs | 48 ++++- .../strat_engine/thinpool/filesystem.rs | 8 + src/engine/strat_engine/thinpool/thinpool.rs | 179 ++++++++++------- src/engine/types/actions.rs | 16 ++ src/engine/types/mod.rs | 11 +- 20 files changed, 730 insertions(+), 154 deletions(-) create mode 100644 src/dbus_api/pool/pool_3_8/api.rs create mode 100644 src/dbus_api/pool/pool_3_8/methods.rs create mode 100644 src/dbus_api/pool/pool_3_8/mod.rs diff --git a/src/dbus_api/pool/mod.rs b/src/dbus_api/pool/mod.rs index c643560229..876878814e 100644 --- a/src/dbus_api/pool/mod.rs +++ b/src/dbus_api/pool/mod.rs @@ -19,6 +19,7 @@ mod pool_3_3; mod pool_3_5; mod pool_3_6; mod pool_3_7; +mod pool_3_8; pub mod prop_conv; mod shared; @@ -293,6 +294,7 @@ pub fn create_dbus_pool<'a>( .add_m(pool_3_0::rename_method(&f)) .add_m(pool_3_3::grow_physical_device_method(&f)) .add_m(pool_3_7::get_metadata_method(&f)) + .add_m(pool_3_8::encrypt_pool_method(&f)) .add_p(pool_3_0::name_property(&f)) .add_p(pool_3_0::uuid_property(&f)) .add_p(pool_3_0::encrypted_property(&f)) diff --git a/src/dbus_api/pool/pool_3_0/api.rs b/src/dbus_api/pool/pool_3_0/api.rs index 8a5aa5083c..6c3caa6e13 100644 --- a/src/dbus_api/pool/pool_3_0/api.rs +++ b/src/dbus_api/pool/pool_3_0/api.rs @@ -130,7 +130,7 @@ pub fn add_cachedevs_method(f: &Factory, TData>) -> Method, TData>) -> Property, TData> { f.property::(consts::POOL_ENCRYPTED_PROP, ()) .access(Access::Read) - .emits_changed(EmitsChangedSignal::Const) + .emits_changed(EmitsChangedSignal::True) .on_get(get_pool_encrypted) } diff --git a/src/dbus_api/pool/pool_3_8/api.rs b/src/dbus_api/pool/pool_3_8/api.rs new file mode 100644 index 0000000000..b8f9488c29 --- /dev/null +++ b/src/dbus_api/pool/pool_3_8/api.rs @@ -0,0 +1,32 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +use dbus_tree::{Factory, MTSync, Method}; + +use crate::dbus_api::{pool::pool_3_8::methods::encrypt_pool, types::TData}; + +pub fn encrypt_pool_method(f: &Factory, TData>) -> Method, TData> { + f.method("EncryptPool", (), encrypt_pool) + // Optional key description of key in the kernel keyring + // b: true if the pool should be encrypted and able to be + // unlocked with a passphrase associated with this key description. + // s: key description + // + // Rust representation: (bool, String) + .in_arg(("key_desc", "(bs)")) + // Optional Clevis information for binding on initialization. + // b: true if the pool should be encrypted and able to be unlocked + // using Clevis. + // s: pin name + // s: JSON config for Clevis use + // + // Rust representation: (bool, (String, String)) + .in_arg(("clevis_info", "(b(ss))")) + // b: true if pool was newly encrypted + // + // Rust representation: bool + .out_arg(("results", "b")) + .out_arg(("return_code", "q")) + .out_arg(("return_string", "s")) +} diff --git a/src/dbus_api/pool/pool_3_8/methods.rs b/src/dbus_api/pool/pool_3_8/methods.rs new file mode 100644 index 0000000000..cd3ca7e935 --- /dev/null +++ b/src/dbus_api/pool/pool_3_8/methods.rs @@ -0,0 +1,99 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +use std::iter::once; + +use dbus::Message; +use dbus_tree::{MTSync, MethodInfo, MethodResult}; + +use crate::{ + dbus_api::{ + types::{DbusErrorEnum, TData, OK_STRING}, + util::{engine_to_dbus_err_tuple, get_next_arg, tuple_to_option}, + }, + engine::{CreateAction, EncryptionInfo, KeyDescription, PoolEncryptionInfo}, + stratis::StratisError, +}; + +pub fn encrypt_pool(m: &MethodInfo<'_, MTSync, TData>) -> MethodResult { + let message: &Message = m.msg; + let mut iter = message.iter_init(); + + let key_desc_tuple: (bool, String) = get_next_arg(&mut iter, 0)?; + let clevis_tuple: (bool, (String, String)) = get_next_arg(&mut iter, 0)?; + + let dbus_context = m.tree.get_data(); + let object_path = m.path.get_name(); + let return_message = message.method_return(); + let default_return: (bool, Vec) = (false, Vec::new()); + + let key_desc = match tuple_to_option(key_desc_tuple) { + Some(kds) => match KeyDescription::try_from(kds) { + Ok(kd) => Some(kd), + Err(e) => { + let (rc, rs) = engine_to_dbus_err_tuple(&e); + return Ok(vec![return_message.append3(default_return, rc, rs)]); + } + }, + None => None, + }; + let clevis_info = match tuple_to_option(clevis_tuple) { + Some((pin, json_string)) => match serde_json::from_str(json_string.as_str()) { + Ok(j) => Some((pin, j)), + Err(e) => { + let (rc, rs) = engine_to_dbus_err_tuple(&StratisError::Serde(e)); + return Ok(vec![return_message.append3(default_return, rc, rs)]); + } + }, + None => None, + }; + let encryption_info = match EncryptionInfo::from_options((key_desc, clevis_info)) { + Some(enc) => enc, + None => { + let (rc, rs) = ( + DbusErrorEnum::ERROR as u16, + "Either a key description or Clevis info is required for this method".to_string(), + ); + return Ok(vec![return_message.append3(default_return, rc, rs)]); + } + }; + + let pool_path = m + .tree + .get(object_path) + .expect("implicit argument must be in tree"); + let pool_uuid = typed_uuid!( + get_data!(pool_path; default_return; return_message).uuid; + Pool; + default_return; + return_message + ); + + let mut guard = get_mut_pool!(dbus_context.engine; pool_uuid; default_return; return_message); + let (name, _, pool) = guard.as_mut_tuple(); + + let result = handle_action!( + pool.encrypt_pool(&name, pool_uuid, &encryption_info), + dbus_context, + pool_path.get_name() + ); + let msg = match result { + Ok(CreateAction::Created(_)) => { + let pool_enc_info = PoolEncryptionInfo::from(once(&encryption_info)); + dbus_context + .push_pool_key_desc_change(pool_path.get_name(), Some(pool_enc_info.clone())); + dbus_context.push_pool_clevis_info_change(pool_path.get_name(), Some(pool_enc_info)); + dbus_context.push_pool_encryption_status_change(pool_path.get_name(), true); + return_message.append3(true, DbusErrorEnum::OK as u16, OK_STRING.to_string()) + } + Ok(CreateAction::Identity) => { + return_message.append3(false, DbusErrorEnum::OK as u16, OK_STRING.to_string()) + } + Err(err) => { + let (rc, rs) = engine_to_dbus_err_tuple(&err); + return_message.append3(default_return, rc, rs) + } + }; + Ok(vec![msg]) +} diff --git a/src/dbus_api/pool/pool_3_8/mod.rs b/src/dbus_api/pool/pool_3_8/mod.rs new file mode 100644 index 0000000000..b487bccef5 --- /dev/null +++ b/src/dbus_api/pool/pool_3_8/mod.rs @@ -0,0 +1,8 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +mod api; +mod methods; + +pub use api::encrypt_pool_method; diff --git a/src/dbus_api/tree.rs b/src/dbus_api/tree.rs index 42b51f610c..e0269a63da 100644 --- a/src/dbus_api/tree.rs +++ b/src/dbus_api/tree.rs @@ -1055,6 +1055,65 @@ impl DbusTreeHandler { } } + /// Send a signal indicating that the pool encryption status has changed. + fn handle_pool_encryption_change(&self, path: Path<'static>, new_encryption: bool) { + if let Err(e) = self.property_changed_invalidated_signal( + &path, + prop_hashmap!( + consts::POOL_INTERFACE_NAME_3_0 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_1 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_2 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_3 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_4 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_5 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_6 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_7 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + }, + consts::POOL_INTERFACE_NAME_3_8 => { + Vec::new(), + consts::POOL_ENCRYPTED_PROP.to_string() => + box_variant!(new_encryption) + } + ), + ) { + warn!( + "Failed to send a signal over D-Bus indicating blockdev total physical size change: {}", + e + ); + } + } + /// Send a signal indicating that the pool overprovisioning mode has changed. fn handle_pool_overprov_mode_change(&self, path: Path<'static>, new_mode: bool) { if let Err(e) = self.property_changed_invalidated_signal( @@ -1379,6 +1438,10 @@ impl DbusTreeHandler { self.handle_blockdev_total_physical_size_change(path, new_total_physical_size); Ok(true) } + DbusAction::PoolEncryptionChange(path, encryption_change) => { + self.handle_pool_encryption_change(path, encryption_change); + Ok(true) + } DbusAction::PoolForegroundChange(item, new_used, new_alloc, new_size, new_no_space) => { self.handle_pool_foreground_change( item, diff --git a/src/dbus_api/types.rs b/src/dbus_api/types.rs index af345c152c..20d47ab949 100644 --- a/src/dbus_api/types.rs +++ b/src/dbus_api/types.rs @@ -108,6 +108,7 @@ pub enum DbusAction { BlockdevTotalPhysicalSizeChange(Path<'static>, Sectors), FsOriginChange(Path<'static>), FsSizeLimitChange(Path<'static>, Option), + PoolEncryptionChange(Path<'static>, bool), FsBackgroundChange( FilesystemUuid, SignalChange>, @@ -465,6 +466,19 @@ impl DbusContext { } } + /// Send changed signal for changed encryption status of pool. + pub fn push_pool_encryption_status_change(&self, path: &Path<'static>, encrypted: bool) { + if let Err(e) = self + .sender + .send(DbusAction::PoolEncryptionChange(path.clone(), encrypted)) + { + warn!( + "Encryption status change event could not be sent to the processing thread; no signal will be sent out for the encryption status state change: {}", + e, + ) + } + } + /// Send changed signal for changed pool properties when blockdevs are /// added. pub fn push_pool_foreground_change( diff --git a/src/engine/engine.rs b/src/engine/engine.rs index 5a72a6d9bb..a58e70aa60 100644 --- a/src/engine/engine.rs +++ b/src/engine/engine.rs @@ -21,11 +21,12 @@ use crate::{ structures::{AllLockReadGuard, AllLockWriteGuard, SomeLockReadGuard, SomeLockWriteGuard}, types::{ ActionAvailability, BlockDevTier, Clevis, CreateAction, DeleteAction, DevUuid, - EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, LockedPoolsInfo, - MappingCreateAction, MappingDeleteAction, Name, PoolDiff, PoolEncryptionInfo, - PoolIdentifier, PoolUuid, RegenAction, RenameAction, ReportType, SetCreateAction, - SetDeleteAction, SetUnlockAction, StartAction, StopAction, StoppedPoolsInfo, - StratFilesystemDiff, StratSigblockVersion, UdevEngineEvent, UnlockMethod, + EncryptedDevice, EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, + LockedPoolsInfo, MappingCreateAction, MappingDeleteAction, Name, PoolDiff, + PoolEncryptionInfo, PoolIdentifier, PoolUuid, RegenAction, RenameAction, ReportType, + SetCreateAction, SetDeleteAction, SetUnlockAction, StartAction, StopAction, + StoppedPoolsInfo, StratFilesystemDiff, StratSigblockVersion, UdevEngineEvent, + UnlockMethod, }, }, stratis::StratisResult, @@ -342,6 +343,14 @@ pub trait Pool: Debug + Send + Sync { limit: Option, ) -> StratisResult>>; + /// Encrypted an unencrypted pool. + fn encrypt_pool( + &mut self, + name: &Name, + pool_uuid: PoolUuid, + encryption_info: &EncryptionInfo, + ) -> StratisResult>; + /// Return the metadata that would be written if metadata were written. fn current_metadata(&self, pool_name: &Name) -> StratisResult; diff --git a/src/engine/sim_engine/pool.rs b/src/engine/sim_engine/pool.rs index 71e9dc6953..7f02204c7c 100644 --- a/src/engine/sim_engine/pool.rs +++ b/src/engine/sim_engine/pool.rs @@ -24,8 +24,8 @@ use crate::{ structures::Table, types::{ ActionAvailability, BlockDevTier, Clevis, CreateAction, DeleteAction, DevUuid, - EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, Name, PoolDiff, - PoolEncryptionInfo, PoolUuid, RegenAction, RenameAction, SetCreateAction, + EncryptedDevice, EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, Name, + PoolDiff, PoolEncryptionInfo, PoolUuid, RegenAction, RenameAction, SetCreateAction, SetDeleteAction, StratSigblockVersion, }, PropChangeAction, @@ -746,6 +746,16 @@ impl Pool for SimPool { } } + fn encrypt_pool( + &mut self, + _: &Name, + _: PoolUuid, + enc: &EncryptionInfo, + ) -> StratisResult> { + self.encryption_info = Some(enc.clone()); + Ok(CreateAction::Created(EncryptedDevice)) + } + fn current_metadata(&self, pool_name: &Name) -> StratisResult { serde_json::to_string(&self.record(pool_name)).map_err(|e| e.into()) } diff --git a/src/engine/strat_engine/backstore/backstore/v2.rs b/src/engine/strat_engine/backstore/backstore/v2.rs index 3249ddfacc..54b0a10c7b 100644 --- a/src/engine/strat_engine/backstore/backstore/v2.rs +++ b/src/engine/strat_engine/backstore/backstore/v2.rs @@ -4,7 +4,7 @@ // Code to handle the backing store of a pool. -use std::{cmp, collections::HashMap, iter::once, path::PathBuf}; +use std::{cmp, collections::HashMap, iter::once, path::Path, path::PathBuf}; use chrono::{DateTime, Utc}; use either::Either; @@ -29,6 +29,7 @@ use crate::{ names::{format_backstore_ids, CacheRole}, serde_structs::{BackstoreSave, CapSave, PoolFeatures, PoolSave, Recordable}, shared::bds_to_bdas, + thinpool::ThinPool, types::BDARecordResult, writing::wipe_sectors, }, @@ -1106,6 +1107,23 @@ impl Backstore { self.data_tier.grow(dev) } + pub fn encrypt( + &mut self, + pool_uuid: PoolUuid, + thinpool: &mut ThinPool, + encryption_info: &EncryptionInfo, + ) -> StratisResult<()> { + let (dm_name, _) = format_backstore_ids(pool_uuid, CacheRole::Cache); + let handle = CryptHandle::encrypt( + pool_uuid, + thinpool, + Path::new(&format!("/dev/mapper/{}", &dm_name.to_string())), + encryption_info, + )?; + self.enc = Some(Either::Right(handle)); + Ok(()) + } + /// A summary of block sizes pub fn block_size_summary(&self, tier: BlockDevTier) -> Option { match tier { diff --git a/src/engine/strat_engine/crypt/handle/v1.rs b/src/engine/strat_engine/crypt/handle/v1.rs index b31a716223..a667d1d0ff 100644 --- a/src/engine/strat_engine/crypt/handle/v1.rs +++ b/src/engine/strat_engine/crypt/handle/v1.rs @@ -31,7 +31,7 @@ use crate::{ engine::MAX_STRATIS_PASS_SIZE, strat_engine::{ backstore::get_devno_from_path, - cmd::{clevis_decrypt, clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind}, + cmd::{clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind}, crypt::{ consts::{ CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE, @@ -42,8 +42,8 @@ use crate::{ }, shared::{ acquire_crypt_device, activate, add_keyring_keyslot, check_luks2_token, - clevis_info_from_metadata, device_from_physical_path, ensure_inactive, - ensure_wiped, get_keyslot_number, interpret_clevis_config, + clevis_decrypt, clevis_info_from_metadata, device_from_physical_path, + ensure_inactive, ensure_wiped, get_keyslot_number, interpret_clevis_config, key_desc_from_metadata, luks2_token_type_is_valid, read_key, wipe_fallback, }, }, @@ -956,7 +956,7 @@ impl CryptHandle { /// Add a keyring binding to the underlying LUKS2 volume. pub fn bind_keyring(&mut self, key_desc: &KeyDescription) -> StratisResult<()> { let mut device = self.acquire_crypt_device()?; - let key = Self::clevis_decrypt(&mut device)?.ok_or_else(|| { + let key = clevis_decrypt(&mut device)?.ok_or_else(|| { StratisError::Msg( "The Clevis token appears to have been wiped outside of \ Stratis; cannot add a keyring key binding without an existing \ @@ -1030,24 +1030,6 @@ impl CryptHandle { replace_pool_name(&mut device, pool_name) } - /// Decrypt a Clevis passphrase and return it securely. - fn clevis_decrypt(device: &mut CryptDevice) -> StratisResult> { - let mut token = match device.token_handle().json_get(CLEVIS_LUKS_TOKEN_ID).ok() { - Some(t) => t, - None => return Ok(None), - }; - let jwe = token - .as_object_mut() - .and_then(|map| map.remove("jwe")) - .ok_or_else(|| { - StratisError::Msg(format!( - "Token slot {CLEVIS_LUKS_TOKEN_ID} is occupied but does not appear to be a Clevis \ - token; aborting" - )) - })?; - clevis_decrypt(&jwe).map(Some) - } - /// Deactivate the device referenced by the current device handle. pub fn deactivate(&self) -> StratisResult<()> { ensure_inactive(&mut self.acquire_crypt_device()?, self.activation_name()) @@ -1097,7 +1079,7 @@ impl CryptHandle { StratisError::Msg("Failed to find key with key description".to_string()) })? } else if self.encryption_info().clevis_info().is_some() { - Self::clevis_decrypt(&mut crypt)?.expect("Already checked token exists") + clevis_decrypt(&mut crypt)?.expect("Already checked token exists") } else { unreachable!("Must be encrypted") }; diff --git a/src/engine/strat_engine/crypt/handle/v2.rs b/src/engine/strat_engine/crypt/handle/v2.rs index e3b5a885ac..68fd58f1df 100644 --- a/src/engine/strat_engine/crypt/handle/v2.rs +++ b/src/engine/strat_engine/crypt/handle/v2.rs @@ -4,7 +4,8 @@ use std::{ fmt::Debug, - fs::File, + fs::{File, OpenOptions}, + io::Write, iter::once, path::{Path, PathBuf}, }; @@ -13,14 +14,19 @@ use either::Either; use rand::{distributions::Alphanumeric, thread_rng, Rng}; use serde_json::Value; -use devicemapper::{Device, DmName, DmNameBuf, Sectors}; +use devicemapper::{Bytes, Device, DmName, DmNameBuf, Sectors, IEC}; +use libblkid_rs::BlkidProbe; use libcryptsetup_rs::{ c_uint, consts::{ - flags::{CryptActivate, CryptVolumeKey}, - vals::{EncryptionFormat, KeyslotsSize, MetadataSize}, + flags::{CryptActivate, CryptReencrypt, CryptVolumeKey}, + vals::{ + CryptReencryptDirectionInfo, CryptReencryptModeInfo, EncryptionFormat, KeyslotsSize, + MetadataSize, + }, }, - CryptDevice, CryptInit, CryptParamsLuks2, CryptParamsLuks2Ref, SafeMemHandle, TokenInput, + CryptDevice, CryptInit, CryptParamsLuks2, CryptParamsLuks2Ref, CryptParamsReencrypt, + SafeMemHandle, TokenInput, }; #[cfg(test)] @@ -29,23 +35,24 @@ use crate::{ engine::{ engine::MAX_STRATIS_PASS_SIZE, strat_engine::{ - backstore::get_devno_from_path, - cmd::{clevis_decrypt, clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind}, + backstore::{backstore::v2, get_devno_from_path}, + cmd::{clevis_luks_bind, clevis_luks_regen, clevis_luks_unbind}, crypt::{ consts::{ CLEVIS_LUKS_TOKEN_ID, DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE, LUKS2_TOKEN_ID, STRATIS_MEK_SIZE, }, shared::{ - acquire_crypt_device, activate, add_keyring_keyslot, clevis_info_from_metadata, - device_from_physical_path, ensure_wiped, get_keyslot_number, - interpret_clevis_config, key_desc_from_metadata, luks2_token_type_is_valid, - wipe_fallback, + acquire_crypt_device, activate, add_keyring_keyslot, clevis_decrypt, + clevis_info_from_metadata, device_from_physical_path, ensure_wiped, + get_keyslot_number, get_passphrase, interpret_clevis_config, + key_desc_from_metadata, luks2_token_type_is_valid, wipe_fallback, }, }, device::blkdev_size, dm::DEVICEMAPPER_PATH, names::format_crypt_backstore_name, + thinpool::ThinPool, }, types::{ DevicePath, EncryptionInfo, KeyDescription, PoolUuid, SizedKeyMemory, UnlockMethod, @@ -404,10 +411,10 @@ impl CryptHandle { Ok(()) } - fn initialize_with_err( + /// Format the device and initialize the unlock methods. + fn initialize_unlock_methods( device: &mut CryptDevice, physical_path: &Path, - pool_uuid: PoolUuid, encryption_info: &EncryptionInfo, luks2_params: Option<&CryptParamsLuks2>, ) -> StratisResult<()> { @@ -440,6 +447,20 @@ impl CryptHandle { } }; + Ok(()) + } + + /// Format the device and initialize the unlock methods, activating the device once it is + /// successfully set up. + fn initialize_with_err( + device: &mut CryptDevice, + physical_path: &Path, + pool_uuid: PoolUuid, + encryption_info: &EncryptionInfo, + luks2_params: Option<&CryptParamsLuks2>, + ) -> StratisResult<()> { + Self::initialize_unlock_methods(device, physical_path, encryption_info, luks2_params)?; + let activation_name = format_crypt_backstore_name(&pool_uuid); activate( device, @@ -639,7 +660,7 @@ impl CryptHandle { /// Add a keyring binding to the underlying LUKS2 volume. pub fn bind_keyring(&mut self, key_desc: &KeyDescription) -> StratisResult<()> { let mut device = self.acquire_crypt_device()?; - let key = Self::clevis_decrypt(&mut device)?.ok_or_else(|| { + let key = clevis_decrypt(&mut device)?.ok_or_else(|| { StratisError::Msg( "The Clevis token appears to have been wiped outside of \ Stratis; cannot add a keyring key binding without an existing \ @@ -707,22 +728,131 @@ impl CryptHandle { Ok(()) } - /// Decrypt a Clevis passphrase and return it securely. - fn clevis_decrypt(device: &mut CryptDevice) -> StratisResult> { - let mut token = match device.token_handle().json_get(CLEVIS_LUKS_TOKEN_ID).ok() { - Some(t) => t, - None => return Ok(None), + /// Encrypt an unencrypted pool. + pub fn encrypt( + pool_uuid: PoolUuid, + thinpool: &mut ThinPool, + unencrypted_path: &Path, + encryption_info: &EncryptionInfo, + ) -> StratisResult { + let tmp_header = format!("/tmp/temp-header-{pool_uuid}"); + { + let mut file = OpenOptions::new() + .create(true) + .truncate(true) + .write(true) + .open(&tmp_header)?; + file.write_all(&[0; 4096])?; + } + + let mut device = CryptInit::init(Path::new(&tmp_header))?; + let data_offset = Bytes::from(16 * IEC::Mi).sectors(); + device.set_data_offset(*data_offset)?; + + let sectors = thinpool + .filesystems() + .iter() + .map(|(_, _, fs)| fs.block_size()) + .collect::>>()?; + let min_sector = sectors.iter().min(); + let sector_size = match min_sector { + Some(min) => convert_int!(*min, u64, u32)?, + None => { + let mut probe = BlkidProbe::new_from_filename(unencrypted_path)?; + let top = probe.get_topology()?; + convert_int!(top.get_logical_sector_size(), u64, u32)? + } }; - let jwe = token - .as_object_mut() - .and_then(|map| map.remove("jwe")) - .ok_or_else(|| { - StratisError::Msg(format!( - "Token slot {CLEVIS_LUKS_TOKEN_ID} is occupied but does not appear to be a Clevis \ - token; aborting" - )) - })?; - clevis_decrypt(&jwe).map(Some) + let params = CryptParamsLuks2 { + data_alignment: 0, + data_device: None, + integrity: None, + integrity_params: None, + pbkdf: None, + label: None, + sector_size, + subsystem: None, + }; + + Self::initialize_unlock_methods( + &mut device, + unencrypted_path, + encryption_info, + Some(¶ms), + )?; + let (keyslot, key) = get_passphrase(&mut device, encryption_info)?; + device.reencrypt_handle().reencrypt_init_by_passphrase( + None, + key.as_ref(), + None, + keyslot, + ("aes", "xts-plain"), + CryptParamsReencrypt { + mode: CryptReencryptModeInfo::Encrypt, + direction: CryptReencryptDirectionInfo::Forward, + resilience: "checksum".to_string(), + hash: "sha256".to_string(), + data_shift: 0, + max_hotzone_size: 0, + device_size: 0, + luks2: CryptParamsLuks2 { + data_alignment: 0, + data_device: None, + integrity: None, + integrity_params: None, + pbkdf: None, + label: None, + sector_size, + subsystem: None, + }, + flags: CryptReencrypt::INITIALIZE_ONLY, + }, + )?; + + let mut device = CryptInit::init(unencrypted_path)?; + device + .backup_handle() + .header_restore(Some(EncryptionFormat::Luks2), Path::new(&tmp_header))?; + + let activation_name = &format_crypt_backstore_name(&pool_uuid).to_string(); + device.activate_handle().activate_by_passphrase( + Some(activation_name), + None, + key.as_ref(), + CryptActivate::SHARED, + )?; + + device.reencrypt_handle().reencrypt_init_by_passphrase( + Some(activation_name), + key.as_ref(), + None, + keyslot, + ("aes", "xts-plain"), + CryptParamsReencrypt { + mode: CryptReencryptModeInfo::Encrypt, + direction: CryptReencryptDirectionInfo::Forward, + resilience: "checksum".to_string(), + hash: "sha256".to_string(), + data_shift: 0, + max_hotzone_size: 0, + device_size: 0, + luks2: CryptParamsLuks2 { + data_alignment: 0, + data_device: None, + integrity: None, + integrity_params: None, + pbkdf: None, + label: None, + sector_size, + subsystem: None, + }, + flags: CryptReencrypt::RESUME_ONLY, + }, + )?; + device.reencrypt_handle().reencrypt2::<()>(None, None)?; + + CryptHandle::setup(unencrypted_path, pool_uuid, UnlockMethod::Any, None) + .map(|h| h.expect("should have crypt device after online encrypt")) } /// Deactivate the device referenced by the current device handle. diff --git a/src/engine/strat_engine/crypt/shared.rs b/src/engine/strat_engine/crypt/shared.rs index 630f663f74..f99dd677ba 100644 --- a/src/engine/strat_engine/crypt/shared.rs +++ b/src/engine/strat_engine/crypt/shared.rs @@ -31,7 +31,7 @@ use libcryptsetup_rs::{ use crate::{ engine::{ strat_engine::{ - cmd::clevis_decrypt, + cmd, crypt::consts::{ CLEVIS_LUKS_TOKEN_ID, CLEVIS_RECURSION_LIMIT, CLEVIS_TANG_TRUST_URL, CLEVIS_TOKEN_NAME, DEFAULT_CRYPT_KEYSLOTS_SIZE, DEFAULT_CRYPT_METADATA_SIZE, @@ -42,6 +42,7 @@ use crate::{ keys, }, types::{KeyDescription, SizedKeyMemory, UnlockMethod}, + EncryptionInfo, }, stratis::{StratisError, StratisResult}, }; @@ -800,7 +801,7 @@ fn open_safe(device: &mut CryptDevice, token: libc::c_int) -> StratisResult StratisResult<()> { )?; Ok(()) } + +/// Decrypt a Clevis passphrase and return it securely. +pub fn clevis_decrypt(device: &mut CryptDevice) -> StratisResult> { + let mut token = match device.token_handle().json_get(CLEVIS_LUKS_TOKEN_ID).ok() { + Some(t) => t, + None => return Ok(None), + }; + let jwe = token + .as_object_mut() + .and_then(|map| map.remove("jwe")) + .ok_or_else(|| { + StratisError::Msg(format!( + "Token slot {CLEVIS_LUKS_TOKEN_ID} is occupied but does not appear to be a Clevis \ + token; aborting" + )) + })?; + cmd::clevis_decrypt(&jwe).map(Some) +} + +/// Get one of the passphrases for the encrypted device. +pub fn get_passphrase( + device: &mut CryptDevice, + encryption_info: &EncryptionInfo, +) -> StratisResult<(c_uint, SizedKeyMemory)> { + match encryption_info { + EncryptionInfo::KeyDesc(kd) => Ok(( + get_keyslot_number(device, LUKS2_TOKEN_ID)? + .expect("encryption info specified that there is a keyring binding"), + read_key(kd)?.ok_or_else(|| { + StratisError::Msg("Key description {kd} was not found in the keyring".to_string()) + })?, + )), + EncryptionInfo::ClevisInfo(_) => Ok(( + get_keyslot_number(device, CLEVIS_LUKS_TOKEN_ID)? + .expect("encryption info specified that there is a Clevis binding"), + clevis_decrypt(device)? + .expect("encryption info specified that there is a Clevis binding"), + )), + EncryptionInfo::Both(kd, _) => match read_key(kd) { + Ok(Some(key)) => Ok(( + get_keyslot_number(device, LUKS2_TOKEN_ID)? + .expect("encryption info specified that there is a keyring binding"), + key, + )), + Ok(None) => { + warn!( + "Key description {} not found in keyring; falling back on Clevis", + kd.as_application_str() + ); + Ok(( + get_keyslot_number(device, CLEVIS_LUKS_TOKEN_ID)? + .expect("encryption info specified that there is a Clevis binding"), + clevis_decrypt(device)? + .expect("encryption info specified that there is a Clevis binding"), + )) + } + Err(_) => { + warn!( + "Fetching key description {} failed; falling back on Clevis", + kd.as_application_str() + ); + Ok(( + get_keyslot_number(device, CLEVIS_LUKS_TOKEN_ID)? + .expect("encryption info specified that there is a Clevis binding"), + clevis_decrypt(device)? + .expect("encryption info specified that there is a Clevis binding"), + )) + } + }, + } +} diff --git a/src/engine/strat_engine/pool/dispatch.rs b/src/engine/strat_engine/pool/dispatch.rs index c1baf3d45f..85ababd963 100644 --- a/src/engine/strat_engine/pool/dispatch.rs +++ b/src/engine/strat_engine/pool/dispatch.rs @@ -14,9 +14,9 @@ use crate::{ strat_engine::pool::{v1, v2}, types::{ ActionAvailability, BlockDevTier, Clevis, CreateAction, DeleteAction, DevUuid, - FilesystemUuid, GrowAction, Key, KeyDescription, Name, PoolDiff, PoolEncryptionInfo, - PoolUuid, PropChangeAction, RegenAction, RenameAction, SetCreateAction, - SetDeleteAction, StratSigblockVersion, + EncryptedDevice, EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, Name, + PoolDiff, PoolEncryptionInfo, PoolUuid, PropChangeAction, RegenAction, RenameAction, + SetCreateAction, SetDeleteAction, StratSigblockVersion, }, }, stratis::StratisResult, @@ -328,6 +328,18 @@ impl Pool for AnyPool { } } + fn encrypt_pool( + &mut self, + name: &Name, + pool_uuid: PoolUuid, + encryption_info: &EncryptionInfo, + ) -> StratisResult> { + match self { + AnyPool::V1(p) => p.encrypt_pool(name, pool_uuid, encryption_info), + AnyPool::V2(p) => p.encrypt_pool(name, pool_uuid, encryption_info), + } + } + fn current_metadata(&self, pool_name: &Name) -> StratisResult { match self { AnyPool::V1(p) => p.current_metadata(pool_name), diff --git a/src/engine/strat_engine/pool/v1.rs b/src/engine/strat_engine/pool/v1.rs index 6c2506c5c5..c8ac561b26 100644 --- a/src/engine/strat_engine/pool/v1.rs +++ b/src/engine/strat_engine/pool/v1.rs @@ -11,13 +11,10 @@ use devicemapper::{Bytes, DmNameBuf, Sectors}; use stratisd_proc_macros::strat_pool_impl_gen; #[cfg(any(test, feature = "test_extras"))] -use crate::engine::{ - strat_engine::{ - backstore::UnownedDevices, - metadata::MDADataSize, - thinpool::{ThinPoolSizeParams, DATA_BLOCK_SIZE}, - }, - types::EncryptionInfo, +use crate::engine::strat_engine::{ + backstore::UnownedDevices, + metadata::MDADataSize, + thinpool::{ThinPoolSizeParams, DATA_BLOCK_SIZE}, }; use crate::{ engine::{ @@ -41,9 +38,10 @@ use crate::{ }, types::{ ActionAvailability, BlockDevTier, Clevis, Compare, CreateAction, DeleteAction, DevUuid, - Diff, FilesystemUuid, GrowAction, Key, KeyDescription, Name, PoolDiff, - PoolEncryptionInfo, PoolUuid, RegenAction, RenameAction, SetCreateAction, - SetDeleteAction, StratFilesystemDiff, StratPoolDiff, StratSigblockVersion, + Diff, EncryptedDevice, EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, + Name, OffsetDirection, PoolDiff, PoolEncryptionInfo, PoolUuid, RegenAction, + RenameAction, SetCreateAction, SetDeleteAction, StratFilesystemDiff, StratPoolDiff, + StratSigblockVersion, }, PropChangeAction, }, @@ -659,10 +657,14 @@ impl Pool for StratPool { ) .and_then(|bdi| { self.thin_pool - .set_device(self.backstore.device().expect( - "Since thin pool exists, space must have been allocated \ + .set_device( + self.backstore.device().expect( + "Since thin pool exists, space must have been allocated \ from the backstore, so backstore must have a cap device", - )) + ), + Sectors(0), + OffsetDirection::Forwards, + ) .and(Ok(bdi)) }); self.thin_pool.resume()?; @@ -1279,6 +1281,17 @@ impl Pool for StratPool { } } + fn encrypt_pool( + &mut self, + _: &Name, + _: PoolUuid, + _: &EncryptionInfo, + ) -> StratisResult> { + Err(StratisError::Msg( + "Encrypting an unencrypted device is only supported in V2 of the metadata".to_string(), + )) + } + fn current_metadata(&self, pool_name: &Name) -> StratisResult { serde_json::to_string(&self.record(pool_name)).map_err(|e| e.into()) } diff --git a/src/engine/strat_engine/pool/v2.rs b/src/engine/strat_engine/pool/v2.rs index f8af4f4696..c81a246f39 100644 --- a/src/engine/strat_engine/pool/v2.rs +++ b/src/engine/strat_engine/pool/v2.rs @@ -23,6 +23,7 @@ use crate::{ blockdev::{v2::StratBlockDev, InternalBlockDev}, ProcessedPathInfos, UnownedDevices, }, + crypt::crypt_metadata_size, liminal::DeviceSet, metadata::{MDADataSize, BDA}, serde_structs::{FlexDevsSave, PoolFeatures, PoolSave, Recordable}, @@ -32,10 +33,10 @@ use crate::{ }, types::{ ActionAvailability, BlockDevTier, Clevis, Compare, CreateAction, DeleteAction, DevUuid, - Diff, EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, Name, PoolDiff, - PoolEncryptionInfo, PoolUuid, PropChangeAction, RegenAction, RenameAction, - SetCreateAction, SetDeleteAction, SizedKeyMemory, StratFilesystemDiff, StratPoolDiff, - StratSigblockVersion, UnlockMethod, + Diff, EncryptedDevice, EncryptionInfo, FilesystemUuid, GrowAction, Key, KeyDescription, + Name, OffsetDirection, PoolDiff, PoolEncryptionInfo, PoolUuid, PropChangeAction, + RegenAction, RenameAction, SetCreateAction, SetDeleteAction, SizedKeyMemory, + StratFilesystemDiff, StratPoolDiff, StratSigblockVersion, UnlockMethod, }, }, stratis::{StratisError, StratisResult}, @@ -1186,6 +1187,45 @@ impl Pool for StratPool { } } + #[pool_mutating_action("NoRequests")] + fn encrypt_pool( + &mut self, + name: &Name, + pool_uuid: PoolUuid, + encryption_info: &EncryptionInfo, + ) -> StratisResult> { + match self.backstore.encryption_info() { + Some(enc) => { + if enc != encryption_info { + Err(StratisError::Msg("Encryption information does not match the existing encryption information for encrypted pool".to_string())) + } else { + Ok(CreateAction::Identity) + } + } + None => { + self.thin_pool.suspend()?; + let encrypt_res = self + .backstore + .encrypt(pool_uuid, &mut self.thin_pool, encryption_info) + .map(|_| { + self.thin_pool.set_device( + self.backstore.device().expect( + "Since thin pool exists, space must have been allocated \ + from the backstore, so backstore must have a cap device", + ), + crypt_metadata_size().sectors(), + OffsetDirection::Backwards, + ) + }); + self.thin_pool.resume()?; + let metadata_res = self.write_metadata(name); + let _ = encrypt_res?; + metadata_res?; + Ok(CreateAction::Created(EncryptedDevice)) + } + } + } + fn current_metadata(&self, pool_name: &Name) -> StratisResult { serde_json::to_string(&self.record(pool_name)).map_err(|e| e.into()) } diff --git a/src/engine/strat_engine/thinpool/filesystem.rs b/src/engine/strat_engine/thinpool/filesystem.rs index ba3748a507..6e0f6f6a73 100644 --- a/src/engine/strat_engine/thinpool/filesystem.rs +++ b/src/engine/strat_engine/thinpool/filesystem.rs @@ -18,6 +18,7 @@ use devicemapper::{ Bytes, DevId, DmDevice, DmName, DmOptions, DmUuid, Sectors, ThinDev, ThinDevId, ThinPoolDev, ThinStatus, }; +use libblkid_rs::BlkidProbe; use nix::{ mount::{mount, umount, MsFlags}, @@ -450,6 +451,13 @@ impl StratFilesystem { self.origin = None; changed } + + /// Get the sector size reported by libblkid for this filesystem. + pub fn block_size(&self) -> StratisResult { + let mut probe = BlkidProbe::new_from_filename(&self.devnode())?; + let top = probe.get_topology()?; + Ok(top.get_logical_sector_size()) + } } impl Filesystem for StratFilesystem { diff --git a/src/engine/strat_engine/thinpool/thinpool.rs b/src/engine/strat_engine/thinpool/thinpool.rs index 97ea5d79df..40705e38bc 100644 --- a/src/engine/strat_engine/thinpool/thinpool.rs +++ b/src/engine/strat_engine/thinpool/thinpool.rs @@ -38,7 +38,10 @@ use crate::{ writing::wipe_sectors, }, structures::Table, - types::{Compare, Diff, FilesystemUuid, Name, PoolUuid, StratFilesystemDiff, ThinPoolDiff}, + types::{ + Compare, Diff, FilesystemUuid, Name, OffsetDirection, PoolUuid, StratFilesystemDiff, + ThinPoolDiff, + }, }, stratis::{StratisError, StratisResult}, }; @@ -887,72 +890,6 @@ impl ThinPool { backstore: PhantomData, }) } - - /// Set the device on all DM devices - pub fn set_device(&mut self, backstore_device: Device) -> StratisResult { - if backstore_device == self.backstore_device { - return Ok(false); - } - - let xform_target_line = - |line: &TargetLine| -> TargetLine { - let new_params = match line.params { - LinearDevTargetParams::Linear(ref params) => LinearDevTargetParams::Linear( - LinearTargetParams::new(backstore_device, params.start_offset), - ), - LinearDevTargetParams::Flakey(ref params) => { - let feature_args = params.feature_args.iter().cloned().collect::>(); - LinearDevTargetParams::Flakey(FlakeyTargetParams::new( - backstore_device, - params.start_offset, - params.up_interval, - params.down_interval, - feature_args, - )) - } - }; - - TargetLine::new(line.start, line.length, new_params) - }; - - let meta_table = self - .thin_pool - .meta_dev() - .table() - .table - .clone() - .iter() - .map(&xform_target_line) - .collect::>(); - - let data_table = self - .thin_pool - .data_dev() - .table() - .table - .clone() - .iter() - .map(&xform_target_line) - .collect::>(); - - let mdv_table = self - .mdv - .device() - .table() - .table - .clone() - .iter() - .map(&xform_target_line) - .collect::>(); - - self.thin_pool.set_meta_table(get_dm(), meta_table)?; - self.thin_pool.set_data_table(get_dm(), data_table)?; - self.mdv.set_table(mdv_table)?; - - self.backstore_device = backstore_device; - - Ok(true) - } } impl ThinPool { @@ -1752,6 +1689,111 @@ where } Ok(changed) } + + /// Set the device on all DM devices + pub fn set_device( + &mut self, + backstore_device: Device, + offset: Sectors, + dir: OffsetDirection, + ) -> StratisResult { + if backstore_device == self.backstore_device { + return Ok(false); + } + + let xform_target_line = + |line: &TargetLine| -> TargetLine { + let new_params = match line.params { + LinearDevTargetParams::Linear(ref params) => { + LinearDevTargetParams::Linear(LinearTargetParams::new( + backstore_device, + match dir { + OffsetDirection::Forwards => params.start_offset + offset, + OffsetDirection::Backwards => params.start_offset - offset, + }, + )) + } + LinearDevTargetParams::Flakey(ref params) => { + let feature_args = params.feature_args.iter().cloned().collect::>(); + LinearDevTargetParams::Flakey(FlakeyTargetParams::new( + backstore_device, + match dir { + OffsetDirection::Forwards => params.start_offset + offset, + OffsetDirection::Backwards => params.start_offset - offset, + }, + params.up_interval, + params.down_interval, + feature_args, + )) + } + }; + + TargetLine::new(line.start, line.length, new_params) + }; + + let meta_table = self + .thin_pool + .meta_dev() + .table() + .table + .clone() + .iter() + .map(&xform_target_line) + .collect::>(); + + let data_table = self + .thin_pool + .data_dev() + .table() + .table + .clone() + .iter() + .map(&xform_target_line) + .collect::>(); + + let mdv_table = self + .mdv + .device() + .table() + .table + .clone() + .iter() + .map(&xform_target_line) + .collect::>(); + + self.thin_pool.set_meta_table(get_dm(), meta_table)?; + self.thin_pool.set_data_table(get_dm(), data_table)?; + self.mdv.set_table(mdv_table)?; + + for (start, _) in self.segments.meta_segments.iter_mut() { + match dir { + OffsetDirection::Forwards => *start += offset, + OffsetDirection::Backwards => *start -= offset, + } + } + for (start, _) in self.segments.meta_spare_segments.iter_mut() { + match dir { + OffsetDirection::Forwards => *start += offset, + OffsetDirection::Backwards => *start -= offset, + } + } + for (start, _) in self.segments.data_segments.iter_mut() { + match dir { + OffsetDirection::Forwards => *start += offset, + OffsetDirection::Backwards => *start -= offset, + } + } + for (start, _) in self.segments.mdv_segments.iter_mut() { + match dir { + OffsetDirection::Forwards => *start += offset, + OffsetDirection::Backwards => *start -= offset, + } + } + + self.backstore_device = backstore_device; + + Ok(true) + } } impl<'a, B> Into for &'a ThinPool { @@ -2705,7 +2747,8 @@ mod tests { .device() .expect("Space already allocated from backstore, backstore must have device"); assert_ne!(old_device, new_device); - pool.set_device(new_device).unwrap(); + pool.set_device(new_device, Sectors(0), OffsetDirection::Forwards) + .unwrap(); pool.resume().unwrap(); let mut buf = [0u8; 10]; diff --git a/src/engine/types/actions.rs b/src/engine/types/actions.rs index ca8088404a..4a9c5b1029 100644 --- a/src/engine/types/actions.rs +++ b/src/engine/types/actions.rs @@ -23,6 +23,9 @@ pub struct Key; /// Return value indicating clevis operation pub struct Clevis; +/// Return value indicating an encrypt operation on the pool +pub struct EncryptedDevice; + /// A trait for a generic kind of action. Defines the type of the thing to /// be changed, and also a method to indicate what changed. pub trait EngineAction { @@ -137,6 +140,19 @@ where } } +impl Display for CreateAction { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + CreateAction::Created(_) => { + write!(f, "Unencrypted pool successfully encrypted") + } + CreateAction::Identity => { + write!(f, "The requested pool was already encrypted") + } + } + } +} + /// Idempotent type representing a create action for a mapping from a key to a value #[derive(Debug, PartialEq, Eq)] pub enum MappingCreateAction { diff --git a/src/engine/types/mod.rs b/src/engine/types/mod.rs index ba108a21af..b10a4048d2 100644 --- a/src/engine/types/mod.rs +++ b/src/engine/types/mod.rs @@ -23,9 +23,9 @@ pub use crate::engine::{ structures::Lockable, types::{ actions::{ - Clevis, CreateAction, DeleteAction, EngineAction, GrowAction, Key, MappingCreateAction, - MappingDeleteAction, PropChangeAction, RegenAction, RenameAction, SetCreateAction, - SetDeleteAction, SetUnlockAction, StartAction, StopAction, ToDisplay, + Clevis, CreateAction, DeleteAction, EncryptedDevice, EngineAction, GrowAction, Key, + MappingCreateAction, MappingDeleteAction, PropChangeAction, RegenAction, RenameAction, + SetCreateAction, SetDeleteAction, SetUnlockAction, StartAction, StopAction, ToDisplay, }, diff::{ Compare, Diff, PoolDiff, StratBlockDevDiff, StratFilesystemDiff, StratPoolDiff, @@ -538,3 +538,8 @@ impl From for u8 { } } } + +pub enum OffsetDirection { + Backwards, + Forwards, +}