block.quick_zero not always sufficient to remove luks headers
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
curtin | Fix Committed | Undecided | Unassigned | |
Bug Description
When you set up luks on a volume, the header gets written at the start of the device and a backup copy gets written at one of these offsets:
{ 0x04000, 0x008000, 0x010000, 0x020000, 0x40000, 0x080000, 0x100000, 0x200000, 0x400000 }
(which one gets used depends on how much JSON data is included when setting up the volume I think).
Looking at this list of offsets reveals that wiping the first megabyte of the device will not touch the backup header if one of the last three offsets is chosen.
(Even more astonishingly, if you wipe just the primary header, _something_ (and I have not yet found what) notices this and repairs it, presumably by copying the secondary header over it).
Not sure what to do about this TBH. We could default to wiping just over 4MiB ...
Related branches
- Dan Bungert: Approve
- Server Team CI bot: Approve (continuous-integration)
Diff: 17 lines (+2/-1), 1 file modified: curtin/block/__init__.py (+2/-1)
Actually I think quick_zero should probably call wipefs -a before writing 1MiB of zeroes at the beginning and end.
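A post-wipe check for the condition described in this report, as an added example (not curtin's code and not part of the original report). It scans the offsets listed in the description for the LUKS2 magic values defined by cryptsetup (`LUKS\xba\xbe` for the primary header, `SKUL\xba\xbe` for the secondary); the function names, the model of the 1 MiB wipe, and the in-memory image are assumptions constructed for illustration.

```python
import io

MIB = 1024 * 1024
# Secondary-header offsets quoted in the bug description; the primary is at 0.
SECONDARY_OFFSETS = (0x4000, 0x8000, 0x10000, 0x20000, 0x40000,
                     0x80000, 0x100000, 0x200000, 0x400000)
# LUKS2 magic values as defined by cryptsetup (primary / secondary copy).
MAGIC_PRIMARY = b"LUKS\xba\xbe"
MAGIC_SECONDARY = b"SKUL\xba\xbe"


def find_luks2_magic(dev):
    """Return the offsets in a seekable binary file that still hold a LUKS2 magic.

    Signature check only: it does not validate the header checksum or JSON area.
    """
    candidates = [(0, MAGIC_PRIMARY)]
    candidates += [(off, MAGIC_SECONDARY) for off in SECONDARY_OFFSETS]
    found = []
    for offset, magic in candidates:
        dev.seek(offset)
        if dev.read(len(magic)) == magic:
            found.append(offset)
    return found


def zero_both_ends(dev, size, length=MIB):
    """Hypothetical model of the wipe: zero `length` bytes at the start and end."""
    for start in (0, size - length):
        dev.seek(start)
        dev.write(b"\0" * length)


def survivors_after_wipe(secondary_offset, length=MIB, size=8 * MIB):
    """Build a constructed 8 MiB in-memory 'device', wipe it, rescan it."""
    img = io.BytesIO(b"\0" * size)
    img.write(MAGIC_PRIMARY)  # position is 0 after construction
    img.seek(secondary_offset)
    img.write(MAGIC_SECONDARY)
    zero_both_ends(img, size, length)
    return find_luks2_magic(img)


if __name__ == "__main__":
    for off in SECONDARY_OFFSETS:
        left = survivors_after_wipe(off)
        print(f"secondary at {off:#08x}: left after 1 MiB wipe: {[hex(o) for o in left]}")
```

`find_luks2_magic` accepts any seekable binary file object, so the same scan can be run against a block device opened read-only after a wipe.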