Fix: check for cipher_null before attaching LUKS container

grydz · grydz · commit 63268f4155ee · 2025-11-04T17:26:08.000+04:00
diff --git a/pkg/mount_luks.sh b/pkg/mount_luks.sh
@@ -15,6 +15,21 @@ case $? in
     ;;
 # failure; the directory is not a mountpoint, or device is not a block device on --devno
 32)
+    LUKS_DUMP=$(cryptsetup luksDump --dump-json-metadata /var/lib/cosmian_vm/header)
+    STATUS=$?
+
+    if [ $STATUS -ne 0 ]; then
+        echo "LUKS header does not exist"
+        exit 2
+    fi
+
+    NULL_CIPHERS=$(echo "$LUKS_DUMP" | jq '[.keyslots.[].area.encryption] | select(any(contains("null")))')
+
+    if [ -n "$NULL_CIPHERS" ]; then
+        echo "cipher_null is not allowed in LUKS header"
+        exit 3
+    fi 
+
     # unlock the partition
     /lib/systemd/systemd-cryptsetup attach cosmian_vm_container /var/lib/cosmian_vm/container - tpm2-device=auto,headless=true,header=/var/lib/cosmian_vm/header || exit 1
     # mount the partition
