fscrypt: Determine best supported fscrypt policy on node init

Currently fscrypt supports policies version 1 and 2. 2 is the best
choice and was the only choice prior to this commit. This adds support
for kernels < 5.4, by selecting policy version 1 there.

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>

internal/util/fscrypt/fscrypt.go

@@ -47,6 +47,17 @@ const (
 	encryptionPassphraseSize = 64
 )
 
+var policyV2Support = []util.KernelVersion{
+	{
+		Version:      5,
+		PatchLevel:   4,
+		SubLevel:     0,
+		ExtraVersion: 0,
+		Distribution: "",
+		Backport:     false,
+	},
+}
+
 func AppendEncyptedSubdirectory(dir string) string {
 	return path.Join(dir, FscryptSubdir)
 }
@@ -266,10 +277,30 @@ func IsDirectoryUnlocked(directoryPath, filesystem string) error {
 	return nil
 }
 
+func getBestPolicyVersion() (int64, error) {
+	// fetch the current running kernel info
+	release, err := util.GetKernelVersion()
+	if err != nil {
+		return 0, fmt.Errorf("fetching current kernel version failed: %w", err)
+	}
+
+	switch {
+	case util.CheckKernelSupport(release, policyV2Support):
+		return 2, nil
+	default:
+		return 1, nil
+	}
+}
+
 // InitializeNode performs once per nodeserver initialization
 // required by the fscrypt library. Creates /etc/fscrypt.conf.
 func InitializeNode(ctx context.Context) error {
-	err := fscryptactions.CreateConfigFile(FscryptHashingTimeTarget, 2)
+	policyVersion, err := getBestPolicyVersion()
+	if err != nil {
+		return fmt.Errorf("fscrypt node init failed to determine best policy version: %w", err)
+	}
+
+	err = fscryptactions.CreateConfigFile(FscryptHashingTimeTarget, policyVersion)
 	if err != nil {
 		existsError := &fscryptactions.ErrConfigFileExists{}
 		if errors.As(err, &existsError) {