From 0b6891abf50b968c9354c7117bd4263e70405d8a Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 15 May 2024 16:21:45 +0200
Subject: [PATCH 1/3] repart: Improve error message

---
 src/partition/repart.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/partition/repart.c b/src/partition/repart.c
index 7f7b68f9ff4..45f0ab15b5a 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -7819,7 +7819,7 @@ static int find_root(Context *context) {
 if (r == -EUCLEAN)
 return btrfs_log_dev_root(LOG_ERR, r, p);
 if (r != -ENODEV)
- return log_error_errno(r, "Failed to determine backing device of %s: %m", p);
+ return log_error_errno(r, "Failed to determine backing device of %s%s: %m", strempty(arg_root), p);
 } else
 return 0;
 }

From c7d16bc81bfb7feeefa0a6a18cf0e3e2a72f7aa4 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Wed, 15 May 2024 14:00:51 +0200
Subject: [PATCH 2/3] TEST-24-CRYPTSETUP: Store tokens in /usr

We want to be able to boot with empty /var.
---
 test/TEST-24-CRYPTSETUP/test.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh
index 93b447f583d..a7e118c4f0d 100755
--- a/test/TEST-24-CRYPTSETUP/test.sh
+++ b/test/TEST-24-CRYPTSETUP/test.sh
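Review bot: The new message glues `strempty(arg_root)` directly onto `p` with `%s%s`, so the printed path is only well-formed when `arg_root` carries no trailing slash and `p` is absolute; how `p` is built is not visible in the hunk, so this may hold in practice, but a reader of the log still cannot tell where the root prefix ends and the probed path begins. Printing the joined path through the helper that handles the separator, `prefix_roota(arg_root, p)`, or keeping the two values visibly apart, e.g. `"Failed to determine backing device of %s (root: %s): %m", p, strempty(arg_root)`, removes the ambiguity. find_root's body starts and ends outside the hunk.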
@@ -80,9 +80,9 @@ setup_pkcs11_token() {
 local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
 export SOFTHSM2_CONF="/tmp/softhsm2.conf"
- mkdir -p "$initdir/var/lib/softhsm/tokens/"
+ mkdir -p "$initdir/usr/lib/softhsm/tokens/"
 cat >${SOFTHSM2_CONF} <"$initdir/etc/softhsm2.conf" <
Date: Wed, 15 May 2024 13:19:19 +0200
Subject: [PATCH 3/3] test: Enable TEST-24-CRYPTSETUP for mkosi

Encrypted /var is skipped because meson's limitations make per test images not really feasible and we can't encrypt /var by default because it slows down the image build too much.

Co-authored-by: Richard Maw
---
 .../lib/encrypted-var.repart.d/00-root.conf | 15 ++
 .../lib/systemd/system/encrypted-var.service | 20 +++
 mkosi.images/system/mkosi.conf | 2 +
 .../system/mkosi.conf.d/10-arch/mkosi.conf | 2 +
 .../mkosi.conf.d/10-centos-fedora/mkosi.conf | 3 +-
 .../mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 2 +
 .../mkosi.conf.d/10-opensuse/mkosi.conf | 2 +
 mkosi.images/system/mkosi.postinst.chroot | 140 ++++++++++++++++++
 .../keydev.repart/00-root.conf | 9 ++
 test/TEST-24-CRYPTSETUP/keyfile | 1 +
 test/TEST-24-CRYPTSETUP/meson.build | 18 ++-
 test/units/TEST-24-CRYPTSETUP.sh | 2 +-
 12 files changed, 213 insertions(+), 3 deletions(-)
 create mode 100644 mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf
 create mode 100644 mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service
 create mode 100644 test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf
 create mode 100644 test/TEST-24-CRYPTSETUP/keyfile

diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf b/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf
new file mode 100644
index 00000000000..b252491826d
--- /dev/null
+++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/encrypted-var.repart.d/00-root.conf
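Review bot: The directory created at `$initdir/usr/lib/softhsm/tokens/` only helps if the two generated configs point `directories.tokendir` at the same place, but the heredoc bodies after `cat >${SOFTHSM2_CONF} <` and `cat >"$initdir/etc/softhsm2.conf" <` did not survive rendering here, so that cannot be confirmed from the hunk; the diffstat's three insertions against three deletions suggest both lines were updated alongside the mkdir. Worth keeping in mind with the move out of /var: SoftHSM keeps the token's objects as files in that directory and may need to write there when the token is initialised or objects are added, so this relies on `/usr` being writable in the test image at those points. The `setup_pkcs11_token` function continues past the hunk.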
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=var
+# This label is the partition's label. The filesystem inside may have its own label.
+Label=varcrypt
+# This UUID is the decrypted partition UUID, there are also filesystem and luks UUIDs.
+# The original test finds the partition by this UUID, but it doesn't appear
+# since the luks UUID, which is derived by hash of this UUID, is different
+# and the luks UUID is needed before the decrypted partition UUID.
+# The resulting luks UUID is 0d318174-56b0-4d6e-a324-ac1e7e7d235d.
+UUID=deadbeef-dead-dead-beef-000000000000
+Format=ext4
+Encrypt=key-file
+SizeMinBytes=1G
diff --git a/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service
new file mode 100644
index 00000000000..54a9b8aa9e3
--- /dev/null
+++ b/mkosi.images/system/initrd/mkosi.extra/usr/lib/systemd/system/encrypted-var.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Unit]
+Description=Add encrypted var partition to root disk
+Documentation=man:systemd-repart.service(8)
+
+ConditionVirtualization=!container
+
+DefaultDependencies=no
+Wants=modprobe@loop.service modprobe@dm_mod.service
+After=modprobe@loop.service modprobe@dm_mod.service sysroot.mount
+Before=initrd-root-fs.target
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-repart --definitions /usr/lib/encrypted-var.repart.d --key-file %d/keyfile --dry-run=no /sysroot
+ImportCredential=keyfile
diff --git a/mkosi.images/system/mkosi.conf b/mkosi.images/system/mkosi.conf
index f18ad022add..6ab91b19a97 100644
--- a/mkosi.images/system/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf
@@ -54,7 +54,9 @@ Packages=
 nano
 nftables
 nvme-cli
+ opensc
 openssl
+ p11-kit
 python3
 qrencode
 radvd
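Review bot: In encrypted-var.service the `ExecStart=` line hard-depends on `%d/keyfile`, but `ImportCredential=keyfile` does not by itself stop the unit when no such credential was passed, so a boot of this initrd without the test credential would run `systemd-repart` against a missing key file and leave a failed unit ordered `Before=initrd-root-fs.target`; how the unit is pulled in is not visible (no `[Install]` section or WantedBy is shown), so whether that path is reachable outside the test is an inference. Adding `ConditionCredential=keyfile` next to `ConditionVirtualization=!container` lets the unit skip cleanly when the credential is absent. A one-line comment above `ExecStart=` stating that repart is re-run against `/sysroot` on every boot and relies on the definition being idempotent for an already-present `varcrypt` partition would also help the next reader.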
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf
index ee1f02cfae6..b8a1bc08b4d 100644
--- a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.conf
@@ -26,6 +26,7 @@ Packages=
 fakeroot
 git
 gnutls
+ gnutls
 iproute
 iputils
 linux
@@ -44,6 +45,7 @@ Packages=
 quota-tools
 sbsigntools
 shadow
+ softhsm
 squashfs-tools
 stress
 tgt
diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
index 4efa2b440e4..be47b1e6350 100644
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -33,6 +33,7 @@ Packages=
 glibc-langpack-de
 glibc-langpack-en
 gnutls
+ gnutls-utils
 integritysetup
 iproute
 iproute-tc
@@ -47,7 +48,6 @@ Packages=
 netcat
 openssh-clients
 openssh-server
- p11-kit
 pam
 passwd
 policycoreutils
@@ -58,6 +58,7 @@ Packages=
 rpm-build
 rpmautospec
 sbsigntools
+ softhsm
 squashfs-tools
 stress
 tpm2-tools
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
index 1e70a1b579b..a9cdd9e883c 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -46,6 +46,7 @@ Packages=
 f2fs-tools
 fdisk
 git-core
+ gnutls-bin
 iproute2
 iputils-ping
 isc-dhcp-server
@@ -66,6 +67,7 @@ Packages=
 python3-psutil
 quota
 sbsigntool
+ softhsm2
 squashfs-tools
 stress
 tgt
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf
index 33d3fe6950f..78208db9c6b 100644
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.conf
@@ -37,6 +37,7 @@ Packages=
 gawk
 git-core
 glibc-locale-base
+ gnutls
 grep
 group(bin)
 group(daemon)
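Review bot: The first 10-arch hunk adds `gnutls` directly below an existing `gnutls` context line, so the Arch package list now names the same package twice. The other distributions add a separate utilities package (`gnutls-utils`, `gnutls-bin`) to obtain `certtool`; on Arch that tool ships in `gnutls` itself as far as I know, so the added line is redundant rather than wrong and can simply be dropped — or, if a different package was meant, that name should go in its place. The 10-opensuse hunk further down also adds `gnutls`; whether that duplicates an entry there is not visible from its three context lines.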
@@ -66,6 +67,7 @@ Packages=
 sbsigntools
 sed
 shadow
+ softhsm
 squashfs
 tgt
 timezone
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index de333f364b8..15f268a20ae 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -78,3 +78,143 @@ cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
 # Remove to make TEST-73-LOCALE pass on Ubuntu.
 rm -f /etc/default/keyboard
+
+# mkfs.ext4 on CentOS doesn't know the orphan_file feature so clear the mkfs options when we're building for
+# CentOS.
+if [[ "$DISTRIBUTION" == "centos" ]]; then
+ SYSTEMD_REPART_MKFS_OPTIONS_EXT4=""
+fi
+
+export SYSTEMD_REPART_MKFS_OPTIONS_EXT4
+
+systemd-repart \
+ --empty=create \
+ --dry-run=no \
+ --size=auto \
+ --offline=true \
+ --root test/TEST-24-CRYPTSETUP \
+ --definitions test/TEST-24-CRYPTSETUP/keydev.repart \
+ "$OUTPUTDIR/keydev.raw"
+
+can_test_pkcs11() {
+ if [[ "$DISTRIBUTION" == "opensuse" ]]; then
+ echo "softhsm is broken on opensuse (https://bugzilla.opensuse.org/show_bug.cgi?id=1224356), skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! command -v "softhsm2-util" >/dev/null; then
+ echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! command -v "pkcs11-tool" >/dev/null; then
+ echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! command -v "certtool" >/dev/null; then
+ echo "certtool not available, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+P11KIT"; then
+ echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+OPENSSL"; then
+ echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
+ echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+ if ! 
systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
+ echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
+ return 1
+ fi
+
+ return 0
+}
+
+setup_pkcs11_token() {
+ echo "Setup PKCS#11 token" >&2
+ local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
+
+ export SOFTHSM2_CONF="/tmp/softhsm2.conf"
+ mkdir -p /usr/lib/softhsm/tokens/
+ cat >$SOFTHSM2_CONF <&2
+ P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
+ fi
+
+ if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
+ echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
+ P11_MODULE_DIR="/usr/lib/pkcs11"
+ fi
+
+ SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
+ if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
+ SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
+ fi
+
+ # RSA #####################################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
+
+ certtool --generate-self-signed \
+ --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
+ --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+ --outder --outfile "/tmp/rsa_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
+ rm "/tmp/rsa_test.crt"
+
+ # prime256v1 ##############################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
+
+ certtool --generate-self-signed \
+ 
--load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
+ --template "test/TEST-24-CRYPTSETUP/template.cfg" \
+ --outder --outfile "/tmp/ec_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
+ rm "/tmp/ec_test.crt"
+
+ ###########################################################
+ rm "$SOFTHSM2_CONF"
+ unset SOFTHSM2_CONF
+
+ cat >/etc/softhsm2.conf </etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <