Make use of the additional command line arguments, and API needed to
decrypt LUKS partitions.
This affects only virt-customize, virt-get-kernel, virt-sparsify, and
virt-sysprep, as they are the main OCaml tools interacting with
user-provided images.
---
customize/customize_main.ml | 5 ++++-
customize/virt-customize.pod | 12 ++++++++++++
get-kernel/get_kernel.ml | 5 ++++-
get-kernel/virt-get-kernel.pod | 12 ++++++++++++
sparsify/cmdline.ml | 2 +-
sparsify/copying.ml | 3 +++
sparsify/in_place.ml | 3 +++
sparsify/virt-sparsify.pod | 12 ++++++++++++
sysprep/main.ml | 5 ++++-
sysprep/virt-sysprep.pod | 12 ++++++++++++
10 files changed, 67 insertions(+), 4 deletions(-)
diff --git a/customize/customize_main.ml b/customize/customize_main.ml
index 07fd790..5613277 100644
--- a/customize/customize_main.ml
+++ b/customize/customize_main.ml
@@ -102,7 +102,7 @@ A short summary of the options is given below. For detailed help
please
read the man page virt-customize(1).
")
prog in
- let opthandle = create_standard_options argspec usage_msg in
+ let opthandle = create_standard_options argspec ~key_opts:true usage_msg in
Getopt.parse opthandle;
if not !format_consumed then
@@ -175,6 +175,9 @@ read the man page virt-customize(1).
g#launch ();
g in
+ (* Decrypt the disks. *)
+ inspect_decrypt g;
+
(* Inspection. *)
(match Array.to_list (g#inspect_os ()) with
| [] ->
diff --git a/customize/virt-customize.pod b/customize/virt-customize.pod
index e594f61..a0ca9c9 100644
--- a/customize/virt-customize.pod
+++ b/customize/virt-customize.pod
@@ -107,6 +107,13 @@ used instead of names.
Perform a read-only "dry run" on the guest. This runs the sysprep
operation, but throws away any changes to the disk at the end.
+=item B<--echo-keys>
+
+When prompting for keys and passphrases, virt-customize normally turns
+echoing off so you cannot see what you are typing. If you are not
+worried about Tempest attacks and there is no one else in the room
+you can specify this flag to see what you are typing.
+
=item B<--format> raw|qcow2|..
=item B<--format> auto
@@ -131,6 +138,11 @@ If you have untrusted raw-format guest disk images, you should use
this option to specify the disk format. This avoids a possible
security problem with malicious guests (CVE-2010-3851).
+=item B<--keys-from-stdin>
+
+Read key or passphrase parameters from stdin. The default is
+to try to read passphrases from the user by opening F</dev/tty>.
+
=item B<-m> MB
=item B<--memsize> MB
diff --git a/get-kernel/get_kernel.ml b/get-kernel/get_kernel.ml
index f83a940..adf9649 100644
--- a/get-kernel/get_kernel.ml
+++ b/get-kernel/get_kernel.ml
@@ -70,7 +70,7 @@ A short summary of the options is given below. For detailed help
please
read the man page virt-get-kernel(1).
")
prog in
- let opthandle = create_standard_options argspec usage_msg in
+ let opthandle = create_standard_options argspec ~key_opts:true usage_msg in
Getopt.parse opthandle;
(* Machine-readable mode? Print out some facts about what
@@ -174,6 +174,9 @@ let main () =
add g;
g#launch ();
+ (* Decrypt the disks. *)
+ inspect_decrypt g;
+
let roots = g#inspect_os () in
if Array.length roots = 0 then
error (f_"no operating system found");
diff --git a/get-kernel/virt-get-kernel.pod b/get-kernel/virt-get-kernel.pod
index 97a159c..8298fe5 100644
--- a/get-kernel/virt-get-kernel.pod
+++ b/get-kernel/virt-get-kernel.pod
@@ -70,6 +70,13 @@ not used at all.
Add all the disks from the named libvirt guest. Domain UUIDs can be
used instead of names.
+=item B<--echo-keys>
+
+When prompting for keys and passphrases, virt-get-kernel normally turns
+echoing off so you cannot see what you are typing. If you are not
+worried about Tempest attacks and there is no one else in the room
+you can specify this flag to see what you are typing.
+
=item B<--format> raw|qcow2|..
=item B<--format> auto
@@ -82,6 +89,11 @@ If you have untrusted raw-format guest disk images, you should use
this option to specify the disk format. This avoids a possible
security problem with malicious guests (CVE-2010-3851).
+=item B<--keys-from-stdin>
+
+Read key or passphrase parameters from stdin. The default is
+to try to read passphrases from the user by opening F</dev/tty>.
+
=item B<--machine-readable>
This option is used to make the output more machine friendly
diff --git a/sparsify/cmdline.ml b/sparsify/cmdline.ml
index 523d612..2a9dd48 100644
--- a/sparsify/cmdline.ml
+++ b/sparsify/cmdline.ml
@@ -90,7 +90,7 @@ A short summary of the options is given below. For detailed help
please
read the man page virt-sparsify(1).
")
prog in
- let opthandle = create_standard_options argspec ~anon_fun usage_msg in
+ let opthandle = create_standard_options argspec ~anon_fun ~key_opts:true usage_msg in
Getopt.parse opthandle;
(* Dereference the rest of the args. *)
diff --git a/sparsify/copying.ml b/sparsify/copying.ml
index 003dbf8..9c66428 100644
--- a/sparsify/copying.ml
+++ b/sparsify/copying.ml
@@ -182,6 +182,9 @@ You can ignore this warning or change it to a hard failure using the
g in
+ (* Decrypt the disks. *)
+ inspect_decrypt g;
+
(* Modify SIGINT handler (set first above) to cancel the handle. *)
let do_sigint _ =
g#user_cancel ();
diff --git a/sparsify/in_place.ml b/sparsify/in_place.ml
index e2ee9d9..5411892 100644
--- a/sparsify/in_place.ml
+++ b/sparsify/in_place.ml
@@ -57,6 +57,9 @@ let run disk format ignores machine_readable zeroes =
if not (g#feature_available [|"fstrim"|]) then
error ~exit_code:3 (f_"discard/trim is not supported");
+ (* Decrypt the disks. *)
+ inspect_decrypt g;
+
(* Discard non-ignored filesystems that we are able to mount, and
* selected swap partitions.
*)
diff --git a/sparsify/virt-sparsify.pod b/sparsify/virt-sparsify.pod
index 177cd03..fa72c23 100644
--- a/sparsify/virt-sparsify.pod
+++ b/sparsify/virt-sparsify.pod
@@ -192,6 +192,13 @@ For fine-tuning the output format, see: I<--compress>,
I<-o>.
You cannot use this option and I<--in-place> together.
+=item B<--echo-keys>
+
+When prompting for keys and passphrases, virt-sparsify normally turns
+echoing off so you cannot see what you are typing. If you are not
+worried about Tempest attacks and there is no one else in the room
+you can specify this flag to see what you are typing.
+
=item B<--format> raw
=item B<--format> qcow2
@@ -223,6 +230,11 @@ You can give this option multiple times.
Do in-place sparsification instead of copying sparsification.
See L</IN-PLACE SPARSIFICATION> below.
+=item B<--keys-from-stdin>
+
+Read key or passphrase parameters from stdin. The default is
+to try to read passphrases from the user by opening F</dev/tty>.
+
=item B<--machine-readable>
This option is used to make the output more machine friendly
diff --git a/sysprep/main.ml b/sysprep/main.ml
index 01ea590..2fa416f 100644
--- a/sysprep/main.ml
+++ b/sysprep/main.ml
@@ -147,7 +147,7 @@ A short summary of the options is given below. For detailed help
please
read the man page virt-sysprep(1).
")
prog in
- let opthandle = create_standard_options args usage_msg in
+ let opthandle = create_standard_options args ~key_opts:true usage_msg in
Getopt.parse opthandle;
if not !format_consumed then
@@ -216,6 +216,9 @@ read the man page virt-sysprep(1).
operations, g, mount_opts in
+ (* Decrypt the disks. *)
+ inspect_decrypt g;
+
(* Inspection. *)
(match Array.to_list (g#inspect_os ()) with
| [] ->
diff --git a/sysprep/virt-sysprep.pod b/sysprep/virt-sysprep.pod
index bdb4580..0e59b4c 100644
--- a/sysprep/virt-sysprep.pod
+++ b/sysprep/virt-sysprep.pod
@@ -155,6 +155,13 @@ version of virt-sysprep.
See L</OPERATIONS> below for a list and an explanation of each
operation.
+=item B<--echo-keys>
+
+When prompting for keys and passphrases, virt-sysprep normally turns
+echoing off so you cannot see what you are typing. If you are not
+worried about Tempest attacks and there is no one else in the room
+you can specify this flag to see what you are typing.
+
=item B<--format> raw|qcow2|..
=item B<--format> auto
@@ -179,6 +186,11 @@ If you have untrusted raw-format guest disk images, you should use
this option to specify the disk format. This avoids a possible
security problem with malicious guests (CVE-2010-3851).
+=item B<--keys-from-stdin>
+
+Read key or passphrase parameters from stdin. The default is
+to try to read passphrases from the user by opening F</dev/tty>.
+
=item B<--list-operations>
List the operations supported by the virt-sysprep program.
--
2.7.4