From fb33b2a74eb7bebf9a558af97561fc03500a1010 Mon Sep 17 00:00:00 2001
From: Adphi <philippe.adrien.nousse@gmail.com>
Date: Wed, 1 Mar 2023 13:29:10 +0100
Subject: [PATCH] luks: do not support ubuntu < 20.04 and debian < 10

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
---
 .dockerignore               |  1 +
 Dockerfile                  |  2 +-
 README.md                   |  2 ++
 builder.go                  |  5 ++++-
 convert.go                  |  5 +++++
 e2e/e2e_test.go             |  3 ++-
 os_release.go               | 26 ++++++++++++++++++++++++++
 templates/debian.Dockerfile |  3 ++-
 templates/ubuntu.Dockerfile |  2 +-
 9 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 5b63c3b..c5d48a7 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -8,3 +8,4 @@ dist
 images
 examples/build
 e2e
+**/*_test.go
diff --git a/Dockerfile b/Dockerfile
index aa6f175..8bb0bc8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN apt-get update && \
         mount \
         tar \
         extlinux \
-        cryptsetup \
+        cryptsetup-bin \
         qemu-utils && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
diff --git a/README.md b/README.md
index 6ed08c4..7693e28 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,9 @@ or when running without *root* privileges.
 Working and tested:
 
 - [x] Ubuntu (18.04+)
+  Luks support is available only on Ubuntu 20.04+
 - [x] Debian (stretch+)
+  Luks support is available only on Debian buster+
 - [x] Alpine
 - [x] CentOS (8+)
 
diff --git a/builder.go b/builder.go
index 4c5afd6..bc0fa75 100644
--- a/builder.go
+++ b/builder.go
@@ -153,6 +153,9 @@ func NewBuilder(ctx context.Context, workdir, imgTag, disk string, size uint64,
 		if !splitBoot {
 			return nil, fmt.Errorf("luks encryption requires split boot")
 		}
+		if !osRelease.SupportsLUKS() {
+			return nil, fmt.Errorf("luks encryption not supported on %s %s", osRelease.ID, osRelease.VersionID)
+		}
 	}
 	f := strings.ToLower(format)
 	valid := false
@@ -505,7 +508,7 @@ func (b *builder) installKernel(ctx context.Context) error {
 		case ReleaseCentOS:
 			cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s rd.luks.name=UUID=%s rd.luks.uuid=%s rd.luks.crypttab=0", b.cmdLineExtra, b.rootUUID, b.cryptUUID))
 		default:
-			// for some versions of debian, the cryptopts parameter MUST contain all the following: target,srouce,key,opts...
+			// for some versions of debian, the cryptopts parameter MUST contain all the following: target,source,key,opts...
 			// see https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/buster/debian/functions
 			// and https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html
 			cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptopts=target=root,source=UUID=%s,key=none,luks", b.cmdLineExtra, b.cryptUUID))
diff --git a/convert.go b/convert.go
index 8a15b75..361599d 100644
--- a/convert.go
+++ b/convert.go
@@ -45,6 +45,11 @@ func Convert(ctx context.Context, img string, opts ...ConvertOption) error {
 	if err != nil {
 		return err
 	}
+
+	if o.luksPassword != "" && !r.SupportsLUKS() {
+		return fmt.Errorf("luks is not supported for %s %s", r.Name, r.Version)
+	}
+
 	if !o.raw {
 		d, err := NewDockerfile(r, img, o.password, o.networkManager, o.luksPassword != "")
 		if err != nil {
diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
index 554fb21..65cd6aa 100644
--- a/e2e/e2e_test.go
+++ b/e2e/e2e_test.go
@@ -45,8 +45,9 @@ type img struct {
 
 var images = []img{
 	{name: "alpine:3.17", luks: "Enter passphrase for /dev/sda2:"},
-	{name: "ubuntu:18.04", luks: "Please unlock disk root:"},
+	{name: "ubuntu:20.04", luks: "Please unlock disk root:"},
 	{name: "ubuntu:22.04", luks: "Please unlock disk root:"},
+	{name: "debian:10", luks: "Please unlock disk root:"},
 	{name: "debian:11", luks: "Please unlock disk root:"},
 	{name: "centos:8", luks: "Please enter passphrase for disk"},
 }
diff --git a/os_release.go b/os_release.go
index 5c1d6bc..3374bb5 100644
--- a/os_release.go
+++ b/os_release.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"text/template"
 
@@ -66,6 +67,31 @@ type OSRelease struct {
 	VersionCodeName string
 }
 
+func (r OSRelease) SupportsLUKS() bool {
+	switch r.ID {
+	case ReleaseUbuntu:
+		return r.VersionID >= "20.04"
+	case ReleaseDebian:
+		v, err := strconv.Atoi(r.VersionID)
+		if err != nil {
+			logrus.Warnf("%s: failed to parse version id: %v", r.Version, err)
+			return false
+		}
+		return v >= 10
+	case ReleaseKali:
+		// TODO: check version
+		return true
+	case ReleaseCentOS:
+		return true
+	case ReleaseAlpine:
+		return true
+	case ReleaseRHEL:
+		return false
+	default:
+		return false
+	}
+}
+
 func ParseOSRelease(s string) (OSRelease, error) {
 	env, err := godotenv.Parse(strings.NewReader(s))
 	if err != nil {
diff --git a/templates/debian.Dockerfile b/templates/debian.Dockerfile
index 472dcbd..bcb5062 100644
--- a/templates/debian.Dockerfile
+++ b/templates/debian.Dockerfile
@@ -45,5 +45,6 @@ iface eth0 inet dhcp\n\
 
 {{- if .Luks }}
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
-     update-initramfs -u -v
+    echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook && \
+    update-initramfs -u -v
 {{- end }}
diff --git a/templates/ubuntu.Dockerfile b/templates/ubuntu.Dockerfile
index 5cf1ba7..1cfe6c4 100644
--- a/templates/ubuntu.Dockerfile
+++ b/templates/ubuntu.Dockerfile
@@ -43,5 +43,5 @@ iface eth0 inet dhcp\n\
 
 {{- if .Luks }}
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
-     update-initramfs -u -v
+    update-initramfs -u -v
 {{- end }}