Disable integrity and encryption for debug builds
This disables disk encryption and integrity when running in the debug profile.
It also makes mkfs.xfs not issue discards as the backend is either a sparse file
(during development) or dm-crypt/dm-integrity which ignores them. In both cases
they are counterproductive and slow things down.
Test Plan: Not exercised by normal tests, manually tested.
X-Origin-Diff: phab/D681
GitOrigin-RevId: 24fae1e3de8d852b414ebd50f3fbe032440683fb
diff --git a/metropolis/node/core/delve_enabled.go b/metropolis/node/core/delve_enabled.go
index b3b859c..0aca50e 100644
--- a/metropolis/node/core/delve_enabled.go
+++ b/metropolis/node/core/delve_enabled.go
@@ -21,6 +21,7 @@
"fmt"
"os/exec"
+ "git.monogon.dev/source/nexantic.git/metropolis/node"
"git.monogon.dev/source/nexantic.git/metropolis/node/core/network"
)
@@ -32,7 +33,7 @@
// and in early-boot no network interface is available to do that through. Also external access isn't possible
// early on anyways.
networkSvc.GetIP(context.Background(), true)
- dlvCmd := exec.Command("/dlv", "--headless=true", fmt.Sprintf("--listen=:%v", common.DebuggerPort),
+ dlvCmd := exec.Command("/dlv", "--headless=true", fmt.Sprintf("--listen=:%v", node.DebuggerPort),
"--accept-multiclient", "--only-same-user=false", "attach", "--continue", "1", "/init")
if err := dlvCmd.Start(); err != nil {
panic(err)
diff --git a/metropolis/node/core/localstorage/crypt/BUILD.bazel b/metropolis/node/core/localstorage/crypt/BUILD.bazel
index 41cb78e..be5b068 100644
--- a/metropolis/node/core/localstorage/crypt/BUILD.bazel
+++ b/metropolis/node/core/localstorage/crypt/BUILD.bazel
@@ -2,10 +2,13 @@
go_library(
name = "go_default_library",
+ # keep
srcs = [
"blockdev.go",
- "crypt.go",
- ],
+ ] + select({
+ "//metropolis/node:debug_build": ["crypt_debug.go"],
+ "//conditions:default": ["crypt.go"],
+ }),
importpath = "git.monogon.dev/source/nexantic.git/metropolis/node/core/localstorage/crypt",
visibility = ["//metropolis/node/core/localstorage:__subpackages__"],
deps = [
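Review bot: The bare `# keep` above `srcs` does not say what it protects, and nothing in this rule tells a reader that the `debug_build` branch swaps the encrypted implementation for one that stores data in plaintext. I would expand it to something like `# keep: srcs is hand-maintained; debug builds replace crypt.go with crypt_debug.go, which maps the device with no encryption or integrity`. That puts the security consequence of the `select()` next to the switch that triggers it rather than only in the commit message. The `go_library` rule continues past the end of this hunk.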
diff --git a/metropolis/node/core/localstorage/crypt/crypt_debug.go b/metropolis/node/core/localstorage/crypt/crypt_debug.go
new file mode 100644
index 0000000..db59809
--- /dev/null
+++ b/metropolis/node/core/localstorage/crypt/crypt_debug.go
@@ -0,0 +1,43 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package crypt
+
+import (
+ "fmt"
+
+ "golang.org/x/sys/unix"
+)
+
+// CryptMap implements a debug version of CryptMap from crypt.go. It aliases the given baseName device into name
+// without any encryption.
+func CryptMap(name string, baseName string, _ []byte) error {
+ var stat unix.Stat_t
+ if err := unix.Stat(baseName, &stat); err != nil {
+ return fmt.Errorf("cannot stat base device: %w", err)
+ }
+ cryptDevName := fmt.Sprintf("/dev/%v", name)
+ if err := unix.Mknod(cryptDevName, 0600|unix.S_IFBLK, int(stat.Rdev)); err != nil {
+ return fmt.Errorf("failed to create crypt device node: %w", err)
+ }
+ return nil
+}
+
+// CryptInit implements a debug version of CryptInit from crypt.go. It aliases the given baseName device into name
+// without any encryption. As an identity mapping doesn't need any initialization it doesn't do anything else.
+func CryptInit(name, baseName string, encryptionKey []byte) error {
+ return CryptMap(name, baseName, encryptionKey)
+}
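Review bot: CryptMap hands `stat.Rdev` to `unix.Mknod` without checking that baseName is a block device, so a regular file or directory at that path would most likely produce a `/dev/<name>` node with a meaningless device number instead of an error. A guard right after the Stat call would catch it: `if stat.Mode&unix.S_IFMT != unix.S_IFBLK { return fmt.Errorf("base device %q is not a block device", baseName) }`. Separately, the key argument is dropped silently, and this file is what removes encryption and integrity from the data partition. The doc comment should say so outright, e.g. `// The key is ignored: data on the resulting device is stored in plaintext with no integrity protection.` A log line emitted when the mapping is created would also make a debug image recognisable from its boot output if one ever ends up outside a development environment.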
diff --git a/metropolis/node/core/localstorage/directory_data.go b/metropolis/node/core/localstorage/directory_data.go
index 3f41738..a0dfcd9 100644
--- a/metropolis/node/core/localstorage/directory_data.go
+++ b/metropolis/node/core/localstorage/directory_data.go
@@ -106,7 +106,7 @@
if err := crypt.CryptInit("data", crypt.NodeDataCryptPath, key); err != nil {
return nil, fmt.Errorf("initializing encrypted block device: %w", err)
}
- mkfsCmd := exec.Command("/bin/mkfs.xfs", "-qf", "/dev/data")
+ mkfsCmd := exec.Command("/bin/mkfs.xfs", "-qKf", "/dev/data")
if _, err := mkfsCmd.Output(); err != nil {
return nil, fmt.Errorf("formatting encrypted block device: %w", err)
}
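Review bot: The new `-K` flag on the mkfs.xfs call has no comment, and the reason for it exists only in the commit message. This file is not part of the debug-only `select()`, so the flag applies to production builds too, and a later reader has no way to tell that this was intended. I would add above the call `// -K: do not issue discards while formatting; the backing device is dm-crypt/dm-integrity (or a sparse file in debug builds), where they only slow mkfs down.` The neighbouring error strings still say "encrypted block device", which is no longer accurate in debug builds, so wording such as "data block device" would avoid misleading someone reading logs. The enclosing function starts and ends outside this hunk.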