diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 6107d6a..c725069 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1,2 @@
 1f06d268aee0adff931a39fe6709af7804e4f4f6 SOURCES/cryptsetup-1.7.4.tar.xz
+d24bdd0d55be8b27769b07531950ffe60589274b SOURCES/cryptsetup-2.0.3.tar.xz
diff --git a/.gitignore b/.gitignore
index 83bb1c4..3eb9f13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 SOURCES/cryptsetup-1.7.4.tar.xz
+SOURCES/cryptsetup-2.0.3.tar.xz
diff --git a/SOURCES/cryptsetup-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch b/SOURCES/cryptsetup-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch
deleted file mode 100644
index 75ac6b3..0000000
--- a/SOURCES/cryptsetup-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-diff -rupN cryptsetup-1.7.4.bcp/man/cryptsetup-reencrypt.8 cryptsetup-1.7.4/man/cryptsetup-reencrypt.8
---- cryptsetup-1.7.4.bcp/man/cryptsetup-reencrypt.8	2017-10-18 11:39:01.697902733 +0200
-+++ cryptsetup-1.7.4/man/cryptsetup-reencrypt.8	2017-10-18 13:31:15.944930492 +0200
-@@ -38,7 +38,7 @@ To start (or continue) re-encryption for
- \-\-device-size, \-\-hash, \-\-iter-time, \-\-use-random | \-\-use-urandom,
- \-\-keep-key, \-\-key-size, \-\-key-file, \-\-key-slot, \-\-keyfile-offset,
- \-\-keyfile-size, \-\-tries, \-\-use-directio, \-\-use-fsync, \-\-verbose, \-\-write-log,
--\-\-uuid]
-+\-\-uuid, \-\-progress-frequency]
- 
- To encrypt data on (not yet encrypted) device, use \fI\-\-new\fR with combination
- with \fI\-\-reduce-device-size\fR.
-@@ -190,6 +190,9 @@ of the interrupted decryption process.
- .B "\-\-batch-mode, \-q"
- Suppresses all warnings and reencryption progress output.
- .TP
-+.B "\-\-progress-frequency <seconds>"
-+Print separate line every <seconds> with reencryption progress.
-+.TP
- .B "\-\-version"
- Show the program version.
- .SH RETURN CODES
-diff -rupN cryptsetup-1.7.4.bcp/src/cryptsetup_reencrypt.c cryptsetup-1.7.4/src/cryptsetup_reencrypt.c
---- cryptsetup-1.7.4.bcp/src/cryptsetup_reencrypt.c	2017-10-18 11:39:01.697902733 +0200
-+++ cryptsetup-1.7.4/src/cryptsetup_reencrypt.c	2017-10-18 15:10:24.219013071 +0200
-@@ -51,6 +51,7 @@ static int opt_key_size = 0;
- static int opt_new = 0;
- static int opt_keep_key = 0;
- static int opt_decrypt = 0;
-+static int opt_progress_frequency = 0;
- 
- static const char *opt_reduce_size_str = NULL;
- static uint64_t opt_reduce_size = 0;
-@@ -665,10 +666,18 @@ static void print_progress(struct reenc_
- {
- 	unsigned long long mbytes, eta;
- 	struct timeval now_time;
--	double tdiff, mib;
-+	double tdiff, mib, frequency;
-+	char *eol = "";
- 
- 	gettimeofday(&now_time, NULL);
--	if (!final && time_diff(rc->end_time, now_time) < 0.5)
-+	if (opt_progress_frequency)
-+		frequency = (double)opt_progress_frequency;
-+	else
-+		frequency = 0.5;
-+	if (final || opt_progress_frequency)
-+		eol = "\n";
-+
-+	if (!final && time_diff(rc->end_time, now_time) < frequency)
- 		return;
- 
- 	rc->end_time = now_time;
-@@ -689,12 +698,12 @@ static void print_progress(struct reenc_
- 	eta = (unsigned long long)(rc->device_size / 1024 / 1024 / mib - tdiff);
- 
- 	/* vt100 code clear line */
--	log_err("\33[2K\r");
-+	if (!opt_progress_frequency)
-+		log_err("\33[2K\r");
- 	log_err(_("Progress: %5.1f%%, ETA %02llu:%02llu, "
- 		"%4llu MiB written, speed %5.1f MiB/s%s"),
- 		(double)bytes / rc->device_size * 100,
--		eta / 60, eta % 60, mbytes, mib,
--		final ? "\n" :"");
-+		eta / 60, eta % 60, mbytes, mib, eol);
- }
- 
- static ssize_t read_buf(int fd, void *buf, size_t count)
-@@ -1316,6 +1325,7 @@ int main(int argc, const char **argv)
- 		{ "key-file",          'd',  POPT_ARG_STRING, &opt_key_file,            0, N_("Read the key from a file."), NULL },
- 		{ "iter-time",         'i',  POPT_ARG_INT, &opt_iteration_time,         0, N_("PBKDF2 iteration time for LUKS (in ms)"), N_("msecs") },
- 		{ "batch-mode",        'q',  POPT_ARG_NONE, &opt_batch_mode,            0, N_("Do not ask for confirmation"), NULL },
-+		{ "progress-frequency",'\0', POPT_ARG_INT, &opt_progress_frequency,     0, N_("Progress line update (in seconds)"), N_("secs") },
- 		{ "tries",             'T',  POPT_ARG_INT, &opt_tries,                  0, N_("How often the input of the passphrase can be retried"), NULL },
- 		{ "use-random",        '\0', POPT_ARG_NONE, &opt_random,                0, N_("Use /dev/random for generating volume key."), NULL },
- 		{ "use-urandom",       '\0', POPT_ARG_NONE, &opt_urandom,               0, N_("Use /dev/urandom for generating volume key."), NULL },
diff --git a/SOURCES/cryptsetup-1.7.6-dracut-reencrypt-add-progress-frequency.patch b/SOURCES/cryptsetup-1.7.6-dracut-reencrypt-add-progress-frequency.patch
deleted file mode 100644
index 39cf514..0000000
--- a/SOURCES/cryptsetup-1.7.6-dracut-reencrypt-add-progress-frequency.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 4e275e6da4b61e1d5c978c9726d695476629cb94 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Wed, 18 Oct 2017 09:57:03 +0200
-Subject: [PATCH] dracut-reencrypt: add --progress-frequency parameter
-
----
- misc/dracut_90reencrypt/reencrypt.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
-index e6f87e0..b4960d7 100755
---- a/misc/dracut_90reencrypt/reencrypt.sh
-+++ b/misc/dracut_90reencrypt/reencrypt.sh
-@@ -18,7 +18,7 @@ else
-     device="$1"
- fi
- 
--PARAMS="$device -T 1 --use-fsync -B 32"
-+PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
- if [ "$3" != "any" ]; then
-     PARAMS="$PARAMS -S $3"
- fi
--- 
-1.8.3.1
-
diff --git a/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
new file mode 100644
index 0000000..16a3ed6
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
@@ -0,0 +1,306 @@
+From 12d00da84239c3dcc4560dc60a0c36d534908cc0 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 4 Jul 2018 15:39:11 +0200
+Subject: [PATCH 1/6] Add blkid utilities for fast detection of device
+ signatures.
+
+---
+ configure.ac      |  21 ++++++++
+ lib/Makemodule.am |   5 +-
+ lib/utils_blkid.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/utils_blkid.h |  48 +++++++++++++++++
+ 4 files changed, 231 insertions(+), 1 deletion(-)
+ create mode 100644 lib/utils_blkid.c
+ create mode 100644 lib/utils_blkid.h
+
+diff --git a/configure.ac b/configure.ac
+index 05da6d6..31508d0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -415,6 +415,26 @@ if test x$enable_internal_argon2 = xyes ; then
+ fi
+ AM_CONDITIONAL(CRYPTO_INTERNAL_ARGON2, test x$enable_internal_argon2 = xyes)
+ 
++dnl Link with blkid to check for other device types
++AC_ARG_ENABLE(blkid, AS_HELP_STRING([--disable-blkid],
++	[disable use of blkid for device signature detection and wiping.]), [], [enable_blkid=yes])
++
++if test x$enable_blkid = xyes ; then
++	PKG_CHECK_MODULES([BLKID], [blkid],[AC_DEFINE([HAVE_BLKID], 1, [Define to 1 to use blkid for detection of disk signatures.])],[LIBBLKID_LIBS="-lblkid"])
++
++	AC_CHECK_HEADERS(blkid/blkid.h,,[AC_MSG_ERROR([You need blkid development library installed.])])
++	AC_CHECK_DECLS([ blkid_reset_probe,
++			 blkid_probe_set_device,
++			 blkid_probe_filter_superblocks_type,
++			 blkid_do_safeprobe,
++			 blkid_do_probe,
++			 blkid_probe_lookup_value
++		       ],,
++		       [AC_MSG_ERROR([Can not compile with blkid support, disable it by --disable-blkid.])],
++		       [#include <blkid/blkid.h>])
++fi
++AM_CONDITIONAL(HAVE_BLKID, test x$enable_blkid = xyes)
++
+ dnl Magic for cryptsetup.static build.
+ if test x$enable_static_cryptsetup = xyes; then
+ 	saved_PKG_CONFIG=$PKG_CONFIG
+@@ -465,6 +485,7 @@ AC_SUBST([CRYPTO_STATIC_LIBS])
+ 
+ AC_SUBST([JSON_C_LIBS])
+ AC_SUBST([LIBARGON2_LIBS])
++AC_SUBST([BLKID_LIBS])
+ 
+ AC_SUBST([LIBCRYPTSETUP_VERSION])
+ AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
+diff --git a/lib/Makemodule.am b/lib/Makemodule.am
+index 5e20039..26178b8 100644
+--- a/lib/Makemodule.am
++++ b/lib/Makemodule.am
+@@ -30,6 +30,7 @@ libcryptsetup_la_LIBADD = \
+ 	@CRYPTO_LIBS@		\
+ 	@LIBARGON2_LIBS@	\
+ 	@JSON_C_LIBS@		\
++	@BLKID_LIBS@		\
+ 	libcrypto_backend.la
+ 
+ libcryptsetup_la_SOURCES = \
+@@ -92,4 +93,6 @@ libcryptsetup_la_SOURCES = \
+ 	lib/luks2/luks2_token_keyring.c	\
+ 	lib/luks2/luks2_token.c		\
+ 	lib/luks2/luks2_internal.h	\
+-	lib/luks2/luks2.h
++	lib/luks2/luks2.h		\
++	lib/utils_blkid.c		\
++	lib/utils_blkid.h
+diff --git a/lib/utils_blkid.c b/lib/utils_blkid.c
+new file mode 100644
+index 0000000..7425bc5
+--- /dev/null
++++ b/lib/utils_blkid.c
+@@ -0,0 +1,158 @@
++/*
++ * blkid probe utilities
++ *
++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#include <errno.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++
++#include "utils_blkid.h"
++
++#ifdef HAVE_BLKID
++#include <blkid/blkid.h>
++struct blkid_handle {
++	int fd;
++	blkid_probe pr;
++};
++#endif
++
++void blk_set_chains_for_fast_detection(struct blkid_handle *h)
++{
++#ifdef HAVE_BLKID
++	blkid_probe_enable_partitions(h->pr, 1);
++	blkid_probe_set_partitions_flags(h->pr, 0);
++
++	blkid_probe_enable_superblocks(h->pr, 1);
++	blkid_probe_set_superblocks_flags(h->pr, BLKID_SUBLKS_TYPE);
++#endif
++}
++
++int blk_init_by_path(struct blkid_handle **h, const char *path)
++{
++	int r = -ENOTSUP;
++#ifdef HAVE_BLKID
++	struct blkid_handle *tmp = malloc(sizeof(*tmp));
++	if (!tmp)
++		return -ENOMEM;
++
++	tmp->fd = -1;
++
++	tmp->pr = blkid_new_probe_from_filename(path);
++	if (!tmp->pr) {
++		free(tmp);
++		return -EINVAL;
++	}
++
++	*h = tmp;
++
++	r = 0;
++#endif
++	return r;
++}
++
++int blk_superblocks_filter_luks(struct blkid_handle *h)
++{
++	int r = -ENOTSUP;
++#ifdef HAVE_BLKID
++	char *luks_filter[] = {
++		"crypto_LUKS",
++		NULL
++	};
++	r = blkid_probe_filter_superblocks_type(h->pr, BLKID_FLTR_NOTIN, luks_filter);
++#endif
++	return r;
++}
++
++blk_probe_status blk_safeprobe(struct blkid_handle *h)
++{
++	int r = -1;
++#ifdef HAVE_BLKID
++	r = blkid_do_safeprobe(h->pr);
++#endif
++	switch (r) {
++	case -2:
++		return PRB_AMBIGUOUS;
++	case 1:
++		return PRB_EMPTY;
++	case 0:
++		return PRB_OK;
++	default:
++		return PRB_FAIL;
++	}
++}
++
++int blk_is_partition(struct blkid_handle *h)
++{
++	int r = 0;
++#ifdef HAVE_BLKID
++	r = blkid_probe_has_value(h->pr, "PTTYPE");
++#endif
++	return r;
++}
++
++int blk_is_superblock(struct blkid_handle *h)
++{
++	int r = 0;
++#ifdef HAVE_BLKID
++	r = blkid_probe_has_value(h->pr, "TYPE");
++#endif
++	return r;
++}
++
++const char *blk_get_partition_type(struct blkid_handle *h)
++{
++	const char *value = NULL;
++#ifdef HAVE_BLKID
++	(void) blkid_probe_lookup_value(h->pr, "PTTYPE", &value, NULL);
++#endif
++	return value;
++}
++
++const char *blk_get_superblock_type(struct blkid_handle *h)
++{
++	const char *value = NULL;
++#ifdef HAVE_BLKID
++	(void) blkid_probe_lookup_value(h->pr, "TYPE", &value, NULL);
++#endif
++	return value;
++}
++
++void blk_free(struct blkid_handle *h)
++{
++#ifdef HAVE_BLKID
++	if (!h)
++		return;
++
++	if (h->pr)
++		blkid_free_probe(h->pr);
++
++	free(h);
++#endif
++}
++
++int blk_supported(void)
++{
++	int r = 0;
++#ifdef HAVE_BLKID
++	r = 1;
++#endif
++	return r;
++}
+diff --git a/lib/utils_blkid.h b/lib/utils_blkid.h
+new file mode 100644
+index 0000000..d18b0a0
+--- /dev/null
++++ b/lib/utils_blkid.h
+@@ -0,0 +1,48 @@
++/*
++ * blkid probe utilities
++ *
++ * Copyright (C) 2018, Red Hat, Inc. All rights reserved.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ */
++
++#ifndef _UTILS_BLKID_H
++#define _UTILS_BLKID_H
++
++struct blkid_handle;
++
++typedef enum { PRB_OK = 0, PRB_EMPTY, PRB_AMBIGUOUS, PRB_FAIL } blk_probe_status;
++
++int blk_init_by_path(struct blkid_handle **h, const char *path);
++
++void blk_free(struct blkid_handle *h);
++
++void blk_set_chains_for_fast_detection(struct blkid_handle *h);
++
++int blk_superblocks_filter_luks(struct blkid_handle *h);
++
++blk_probe_status blk_safeprobe(struct blkid_handle *h);
++
++int blk_is_partition(struct blkid_handle *h);
++
++int blk_is_superblock(struct blkid_handle *h);
++
++const char *blk_get_partition_type(struct blkid_handle *h);
++
++const char *blk_get_superblock_type(struct blkid_handle *h);
++
++int blk_supported(void);
++
++#endif
+-- 
+1.8.3.1
+
+--- cryptsetup-2.0.3.old/aclocal.m4	2018-05-03 21:36:53.000000000 +0200
++++ cryptsetup-2.0.3/aclocal.m4	2018-07-16 15:37:34.935817650 +0200
+@@ -31,7 +31,7 @@ To do so, use the procedure documented b
+ # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ #
+-# Last-changed: 2014-10-02
++# Last-changed: 2018-07-16
+ 
+ 
+ dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch
new file mode 100644
index 0000000..31737aa
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch
@@ -0,0 +1,131 @@
+From b82eaf14f7a01cfd542cb95fe97b8d3a22d5ba8f Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 28 Jun 2018 15:48:13 +0200
+Subject: [PATCH 3/6] Allow LUKS2 repair to override blkid checks.
+
+Allow user to run cryptsetup repair command and explicitly do
+repair on corrupted LUKS2 headers where blkid decides it's no longer
+a LUKS2 device.
+---
+ lib/luks2/luks2.h               |  2 +-
+ lib/luks2/luks2_json_metadata.c | 13 +++++++------
+ lib/setup.c                     | 10 +++++-----
+ 3 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/lib/luks2/luks2.h b/lib/luks2/luks2.h
+index ee57b41..c431e8f 100644
+--- a/lib/luks2/luks2.h
++++ b/lib/luks2/luks2.h
+@@ -131,7 +131,7 @@ struct luks2_keyslot_params {
+ int LUKS2_hdr_version_unlocked(struct crypt_device *cd,
+ 	const char *backup_file);
+ 
+-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr);
++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair);
+ int LUKS2_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr);
+ int LUKS2_hdr_dump(struct crypt_device *cd, struct luks2_hdr *hdr);
+ 
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 125cad9..0fd6340 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -842,7 +842,8 @@ int LUKS2_hdr_validate(json_object *hdr_jobj)
+ 	return 0;
+ }
+ 
+-int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
++/* FIXME: should we expose do_recovery parameter explicitly? */
++int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr, int repair)
+ {
+ 	int r;
+ 
+@@ -853,7 +854,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ 		return r;
+ 	}
+ 
+-	r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
++	r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair);
+ 	if (r == -EAGAIN) {
+ 		/* unlikely: auto-recovery is required and failed due to read lock being held */
+ 		device_read_unlock(crypt_metadata_device(cd));
+@@ -865,7 +866,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ 			return r;
+ 		}
+ 
+-		r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
++		r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, !repair);
+ 
+ 		device_write_unlock(crypt_metadata_device(cd));
+ 	} else
+@@ -1050,7 +1051,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
+ 		return r;
+ 	}
+ 
+-	r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0);
++	r = LUKS2_disk_hdr_read(cd, &hdr_file, backup_device, 0, 0);
+ 	device_read_unlock(backup_device);
+ 	device_free(backup_device);
+ 
+@@ -1089,7 +1090,7 @@ int LUKS2_hdr_restore(struct crypt_device *cd, struct luks2_hdr *hdr,
+ 	close(devfd);
+ 	devfd = -1;
+ 
+-	r = LUKS2_hdr_read(cd, &tmp_hdr);
++	r = LUKS2_hdr_read(cd, &tmp_hdr, 0);
+ 	if (r == 0) {
+ 		log_dbg("Device %s already contains LUKS2 header, checking UUID and requirements.", device_path(device));
+ 		r = LUKS2_config_get_requirements(cd, &tmp_hdr, &reqs);
+@@ -1176,7 +1177,7 @@ out:
+ 
+ 	if (!r) {
+ 		LUKS2_hdr_free(hdr);
+-		r = LUKS2_hdr_read(cd, hdr);
++		r = LUKS2_hdr_read(cd, hdr, 1);
+ 	}
+ 
+ 	return r;
+diff --git a/lib/setup.c b/lib/setup.c
+index fddbe7e..a9b2eba 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -644,16 +644,16 @@ struct crypt_pbkdf_type *crypt_get_pbkdf(struct crypt_device *cd)
+ /*
+  * crypt_load() helpers
+  */
+-static int _crypt_load_luks2(struct crypt_device *cd, int reload)
++static int _crypt_load_luks2(struct crypt_device *cd, int reload, int repair)
+ {
+ 	int r;
+ 	char tmp_cipher[MAX_CIPHER_LEN], tmp_cipher_mode[MAX_CIPHER_LEN],
+ 	     *cipher = NULL, *cipher_mode = NULL, *type = NULL;
+ 	struct luks2_hdr hdr2 = {};
+ 
+-	log_dbg("%soading LUKS2 header.", reload ? "Rel" : "L");
++	log_dbg("%soading LUKS2 header (repair %sabled).", reload ? "Rel" : "L", repair ? "en" : "dis");
+ 
+-	r = LUKS2_hdr_read(cd, &hdr2);
++	r = LUKS2_hdr_read(cd, &hdr2, repair);
+ 	if (r)
+ 		return r;
+ 
+@@ -713,7 +713,7 @@ static void _luks2_reload(struct crypt_device *cd)
+ 	if (!cd || !isLUKS2(cd->type))
+ 		return;
+ 
+-	(void) _crypt_load_luks2(cd, 1);
++	(void) _crypt_load_luks2(cd, 1, 0);
+ }
+ 
+ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type,
+@@ -768,7 +768,7 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type,
+ 			return -EINVAL;
+ 		}
+ 
+-		r =  _crypt_load_luks2(cd, cd->type != NULL);
++		r =  _crypt_load_luks2(cd, cd->type != NULL, repair);
+ 	} else
+ 		r = -EINVAL;
+ out:
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch
new file mode 100644
index 0000000..a5d5258
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch
@@ -0,0 +1,26 @@
+From c6dc8dd86c797b982d47ebb918367b4575d59dad Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 9 Jul 2018 18:43:02 +0200
+Subject: [PATCH 6/6] Allow LUKS2 repair with disabled locks.
+
+---
+ lib/luks2/luks2_disk_metadata.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
+index 6ca9d5e..bd5223f 100644
+--- a/lib/luks2/luks2_disk_metadata.c
++++ b/lib/luks2/luks2_disk_metadata.c
+@@ -592,7 +592,8 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+ 	int i, r;
+ 	uint64_t hdr_size;
+ 
+-	if (do_recovery && !crypt_metadata_locking_enabled()) {
++	/* Skip auto-recovery if locks are disabled and we're not doing LUKS2 explicit repair */
++	if (do_recovery && do_blkprobe && !crypt_metadata_locking_enabled()) {
+ 		do_recovery = 0;
+ 		log_dbg("Disabling header auto-recovery due to locking being disabled.");
+ 	}
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch
new file mode 100644
index 0000000..5dc1782
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-allow-explicit-LUKS2-repair.patch
@@ -0,0 +1,44 @@
+From 4b3b6b07ad42ebab346f0fe343aab2a14cd5a9da Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 9 Jul 2018 17:18:17 +0200
+Subject: [PATCH 4/6] Allow explicit LUKS2 repair.
+
+Also moves FIXME comment lower to LUKS2 code with note that currently it's
+safe to do crypt_repair on LUKS2 format without paying attention to LUKS2
+requirements.
+---
+ lib/setup.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index a9b2eba..952fa0e 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -768,6 +768,14 @@ static int _crypt_load_luks(struct crypt_device *cd, const char *requested_type,
+ 			return -EINVAL;
+ 		}
+ 
++		/*
++		 * Current LUKS2 repair just overrides blkid probes
++		 * and perform auto-recovery if possible. This is safe
++		 * unless future LUKS2 repair code do something more
++		 * sophisticated. In such case we would need to check
++		 * for LUKS2 requirements and decide if it's safe to
++		 * perform repair.
++		 */
+ 		r =  _crypt_load_luks2(cd, cd->type != NULL, repair);
+ 	} else
+ 		r = -EINVAL;
+@@ -2023,8 +2031,7 @@ int crypt_repair(struct crypt_device *cd,
+ 	if (!crypt_metadata_device(cd))
+ 		return -EINVAL;
+ 
+-	/* FIXME LUKS2 (if so it also must respect LUKS2 requirements) */
+-	if (requested_type && !isLUKS1(requested_type))
++	if (requested_type && !isLUKS(requested_type))
+ 		return -EINVAL;
+ 
+ 	/* Load with repair */
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-configure.patch b/SOURCES/cryptsetup-2.0.4-configure.patch
new file mode 100644
index 0000000..17b28da
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-configure.patch
@@ -0,0 +1,397 @@
+--- cryptsetup-2.0.3.old/config.h.in	2018-05-03 21:37:10.000000000 +0200
++++ cryptsetup-2.0.3/config.h.in	2018-07-16 09:58:36.283929571 +0200
+@@ -106,6 +106,12 @@
+ /* Define to 1 if you have the <argon2.h> header file. */
+ #undef HAVE_ARGON2_H
+ 
++/* Define to 1 to use blkid for detection of disk signatures. */
++#undef HAVE_BLKID
++
++/* Define to 1 if you have the <blkid/blkid.h> header file. */
++#undef HAVE_BLKID_BLKID_H
++
+ /* Define to 1 if you have the <byteswap.h> header file. */
+ #undef HAVE_BYTESWAP_H
+ 
+@@ -127,6 +133,30 @@
+    */
+ #undef HAVE_DCGETTEXT
+ 
++/* Define to 1 if you have the declaration of `blkid_do_probe', and to 0 if
++   you don't. */
++#undef HAVE_DECL_BLKID_DO_PROBE
++
++/* Define to 1 if you have the declaration of `blkid_do_safeprobe', and to 0
++   if you don't. */
++#undef HAVE_DECL_BLKID_DO_SAFEPROBE
++
++/* Define to 1 if you have the declaration of
++   `blkid_probe_filter_superblocks_type', and to 0 if you don't. */
++#undef HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE
++
++/* Define to 1 if you have the declaration of `blkid_probe_lookup_value ', and
++   to 0 if you don't. */
++#undef HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________
++
++/* Define to 1 if you have the declaration of `blkid_probe_set_device', and to
++   0 if you don't. */
++#undef HAVE_DECL_BLKID_PROBE_SET_DEVICE
++
++/* Define to 1 if you have the declaration of `blkid_reset_probe', and to 0 if
++   you don't. */
++#undef HAVE_DECL_BLKID_RESET_PROBE
++
+ /* Define to 1 if you have the declaration of `dm_device_has_holders', and to
+    0 if you don't. */
+ #undef HAVE_DECL_DM_DEVICE_HAS_HOLDERS
+--- cryptsetup-2.0.3.old/Makefile.in	2018-05-03 21:36:55.000000000 +0200
++++ cryptsetup-2.0.3/Makefile.in	2018-07-16 09:58:36.240929810 +0200
+@@ -270,7 +270,8 @@ am_libcryptsetup_la_OBJECTS = lib/libcry
+ 	lib/luks2/libcryptsetup_la-luks2_keyslot.lo \
+ 	lib/luks2/libcryptsetup_la-luks2_keyslot_luks2.lo \
+ 	lib/luks2/libcryptsetup_la-luks2_token_keyring.lo \
+-	lib/luks2/libcryptsetup_la-luks2_token.lo
++	lib/luks2/libcryptsetup_la-luks2_token.lo \
++	lib/libcryptsetup_la-utils_blkid.lo
+ libcryptsetup_la_OBJECTS = $(am_libcryptsetup_la_OBJECTS)
+ libcryptsetup_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ 	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+@@ -591,6 +592,8 @@ AUTOCONF = @AUTOCONF@
+ AUTOHEADER = @AUTOHEADER@
+ AUTOMAKE = @AUTOMAKE@
+ AWK = @AWK@
++BLKID_CFLAGS = @BLKID_CFLAGS@
++BLKID_LIBS = @BLKID_LIBS@
+ CC = @CC@
+ CCDEPMODE = @CCDEPMODE@
+ CFLAGS = @CFLAGS@
+@@ -846,6 +849,7 @@ libcryptsetup_la_LIBADD = \
+ 	@CRYPTO_LIBS@		\
+ 	@LIBARGON2_LIBS@	\
+ 	@JSON_C_LIBS@		\
++	@BLKID_LIBS@		\
+ 	libcrypto_backend.la
+ 
+ libcryptsetup_la_SOURCES = \
+@@ -908,7 +912,9 @@ libcryptsetup_la_SOURCES = \
+ 	lib/luks2/luks2_token_keyring.c	\
+ 	lib/luks2/luks2_token.c		\
+ 	lib/luks2/luks2_internal.h	\
+-	lib/luks2/luks2.h
++	lib/luks2/luks2.h		\
++	lib/utils_blkid.c		\
++	lib/utils_blkid.h
+ 
+ 
+ # cryptsetup
+@@ -1351,6 +1357,8 @@ lib/luks2/libcryptsetup_la-luks2_token_k
+ 	lib/luks2/$(am__dirstamp) lib/luks2/$(DEPDIR)/$(am__dirstamp)
+ lib/luks2/libcryptsetup_la-luks2_token.lo: lib/luks2/$(am__dirstamp) \
+ 	lib/luks2/$(DEPDIR)/$(am__dirstamp)
++lib/libcryptsetup_la-utils_blkid.lo: lib/$(am__dirstamp) \
++	lib/$(DEPDIR)/$(am__dirstamp)
+ 
+ libcryptsetup.la: $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_DEPENDENCIES) $(EXTRA_libcryptsetup_la_DEPENDENCIES) 
+ 	$(AM_V_CCLD)$(libcryptsetup_la_LINK) -rpath $(libdir) $(libcryptsetup_la_OBJECTS) $(libcryptsetup_la_LIBADD) $(LIBS)
+@@ -1507,6 +1515,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-setup.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_benchmark.Plo@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_crypt.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@
+@@ -1991,6 +2000,13 @@ lib/luks2/libcryptsetup_la-luks2_token.l
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/luks2/libcryptsetup_la-luks2_token.lo `test -f 'lib/luks2/luks2_token.c' || echo '$(srcdir)/'`lib/luks2/luks2_token.c
+ 
++lib/libcryptsetup_la-utils_blkid.lo: lib/utils_blkid.c
++@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_blkid.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c
++@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_blkid.Plo
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='lib/utils_blkid.c' object='lib/libcryptsetup_la-utils_blkid.lo' libtool=yes @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_blkid.lo `test -f 'lib/utils_blkid.c' || echo '$(srcdir)/'`lib/utils_blkid.c
++
+ python/pycryptsetup_la-pycryptsetup.lo: python/pycryptsetup.c
+ @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(pycryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT python/pycryptsetup_la-pycryptsetup.lo -MD -MP -MF python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo -c -o python/pycryptsetup_la-pycryptsetup.lo `test -f 'python/pycryptsetup.c' || echo '$(srcdir)/'`python/pycryptsetup.c
+ @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Tpo python/$(DEPDIR)/pycryptsetup_la-pycryptsetup.Plo
+--- cryptsetup-2.0.3.old/configure	2018-05-03 21:36:55.000000000 +0200
++++ cryptsetup-2.0.3/configure	2018-07-16 09:58:36.283929571 +0200
+@@ -664,6 +664,10 @@ PWQUALITY_STATIC_LIBS
+ systemd_tmpfilesdir
+ DEVMAPPER_STATIC_LIBS
+ DEVMAPPER_STATIC_CFLAGS
++HAVE_BLKID_FALSE
++HAVE_BLKID_TRUE
++BLKID_LIBS
++BLKID_CFLAGS
+ CRYPTO_INTERNAL_ARGON2_FALSE
+ CRYPTO_INTERNAL_ARGON2_TRUE
+ LIBARGON2_LIBS
+@@ -878,6 +882,7 @@ enable_gcrypt_pbkdf2
+ with_libgcrypt_prefix
+ enable_internal_argon2
+ enable_libargon2
++enable_blkid
+ enable_dev_random
+ enable_python
+ with_python_version
+@@ -935,6 +940,8 @@ NSS_CFLAGS
+ NSS_LIBS
+ LIBARGON2_CFLAGS
+ LIBARGON2_LIBS
++BLKID_CFLAGS
++BLKID_LIBS
+ DEVMAPPER_STATIC_CFLAGS
+ DEVMAPPER_STATIC_LIBS
+ systemd_tmpfilesdir
+@@ -1607,6 +1614,8 @@ Optional Features:
+                           disable internal implementation of Argon2 PBKDF
+   --enable-libargon2      enable external libargon2 (PHC) library (disables
+                           internal bundled version)
++  --disable-blkid         disable use of blkid for device signature detection
++                          and wiping.
+   --enable-dev-random     use blocking /dev/random by default for key
+                           generator (otherwise use /dev/urandom)
+   --enable-python         enable Python bindings
+@@ -1719,6 +1728,9 @@ Some influential environment variables:
+               C compiler flags for LIBARGON2, overriding pkg-config
+   LIBARGON2_LIBS
+               linker flags for LIBARGON2, overriding pkg-config
++  BLKID_CFLAGS
++              C compiler flags for BLKID, overriding pkg-config
++  BLKID_LIBS  linker flags for BLKID, overriding pkg-config
+   DEVMAPPER_STATIC_CFLAGS
+               C compiler flags for DEVMAPPER_STATIC, overriding pkg-config
+   DEVMAPPER_STATIC_LIBS
+@@ -18580,6 +18592,211 @@ else
+ fi
+ 
+ 
++# Check whether --enable-blkid was given.
++if test "${enable_blkid+set}" = set; then :
++  enableval=$enable_blkid;
++else
++  enable_blkid=yes
++fi
++
++
++if test x$enable_blkid = xyes ; then
++
++pkg_failed=no
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BLKID" >&5
++$as_echo_n "checking for BLKID... " >&6; }
++
++if test -n "$BLKID_CFLAGS"; then
++    pkg_cv_BLKID_CFLAGS="$BLKID_CFLAGS"
++ elif test -n "$PKG_CONFIG"; then
++    if test -n "$PKG_CONFIG" && \
++    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5
++  ($PKG_CONFIG --exists --print-errors "blkid") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then
++  pkg_cv_BLKID_CFLAGS=`$PKG_CONFIG --cflags "blkid" 2>/dev/null`
++		      test "x$?" != "x0" && pkg_failed=yes
++else
++  pkg_failed=yes
++fi
++ else
++    pkg_failed=untried
++fi
++if test -n "$BLKID_LIBS"; then
++    pkg_cv_BLKID_LIBS="$BLKID_LIBS"
++ elif test -n "$PKG_CONFIG"; then
++    if test -n "$PKG_CONFIG" && \
++    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"blkid\""; } >&5
++  ($PKG_CONFIG --exists --print-errors "blkid") 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; then
++  pkg_cv_BLKID_LIBS=`$PKG_CONFIG --libs "blkid" 2>/dev/null`
++		      test "x$?" != "x0" && pkg_failed=yes
++else
++  pkg_failed=yes
++fi
++ else
++    pkg_failed=untried
++fi
++
++
++
++if test $pkg_failed = yes; then
++   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++
++if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
++        _pkg_short_errors_supported=yes
++else
++        _pkg_short_errors_supported=no
++fi
++        if test $_pkg_short_errors_supported = yes; then
++	        BLKID_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "blkid" 2>&1`
++        else
++	        BLKID_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "blkid" 2>&1`
++        fi
++	# Put the nasty error message in config.log where it belongs
++	echo "$BLKID_PKG_ERRORS" >&5
++
++	LIBBLKID_LIBS="-lblkid"
++elif test $pkg_failed = untried; then
++     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
++$as_echo "no" >&6; }
++	LIBBLKID_LIBS="-lblkid"
++else
++	BLKID_CFLAGS=$pkg_cv_BLKID_CFLAGS
++	BLKID_LIBS=$pkg_cv_BLKID_LIBS
++        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++$as_echo "yes" >&6; }
++
++$as_echo "#define HAVE_BLKID 1" >>confdefs.h
++
++fi
++
++	for ac_header in blkid/blkid.h
++do :
++  ac_fn_c_check_header_mongrel "$LINENO" "blkid/blkid.h" "ac_cv_header_blkid_blkid_h" "$ac_includes_default"
++if test "x$ac_cv_header_blkid_blkid_h" = xyes; then :
++  cat >>confdefs.h <<_ACEOF
++#define HAVE_BLKID_BLKID_H 1
++_ACEOF
++
++else
++  as_fn_error $? "You need blkid development library installed." "$LINENO" 5
++fi
++
++done
++
++	ac_fn_c_check_decl "$LINENO" "blkid_reset_probe" "ac_cv_have_decl_blkid_reset_probe" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_reset_probe" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_RESET_PROBE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++  as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_probe_set_device" "ac_cv_have_decl_blkid_probe_set_device" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_probe_set_device" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_PROBE_SET_DEVICE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++  as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_probe_filter_superblocks_type" "ac_cv_have_decl_blkid_probe_filter_superblocks_type" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_probe_filter_superblocks_type" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_PROBE_FILTER_SUPERBLOCKS_TYPE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++  as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_do_safeprobe" "ac_cv_have_decl_blkid_do_safeprobe" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_do_safeprobe" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_DO_SAFEPROBE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++  as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_do_probe" "ac_cv_have_decl_blkid_do_probe" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_do_probe" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_DO_PROBE $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++  as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++ac_fn_c_check_decl "$LINENO" "blkid_probe_lookup_value
++		       " "ac_cv_have_decl_blkid_probe_lookup_value__________" "#include <blkid/blkid.h>
++"
++if test "x$ac_cv_have_decl_blkid_probe_lookup_value__________" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_BLKID_PROBE_LOOKUP_VALUE__________ $ac_have_decl
++_ACEOF
++if test $ac_have_decl = 1; then :
++
++else
++  as_fn_error $? "Can not compile with blkid support, disable it by --disable-blkid." "$LINENO" 5
++fi
++
++fi
++ if test x$enable_blkid = xyes; then
++  HAVE_BLKID_TRUE=
++  HAVE_BLKID_FALSE='#'
++else
++  HAVE_BLKID_TRUE='#'
++  HAVE_BLKID_FALSE=
++fi
++
++
+ if test x$enable_static_cryptsetup = xyes; then
+ 	saved_PKG_CONFIG=$PKG_CONFIG
+ 	PKG_CONFIG="$PKG_CONFIG --static"
+@@ -19043,6 +19260,7 @@ $as_echo "$systemd_tmpfilesdir" >&6; }
+ 
+ 
+ 
++
+ # Check whether --enable-dev-random was given.
+ if test "${enable_dev_random+set}" = set; then :
+   enableval=$enable_dev_random; default_rng=/dev/random
+@@ -20146,6 +20364,10 @@ if test -z "${CRYPTO_INTERNAL_ARGON2_TRU
+   as_fn_error $? "conditional \"CRYPTO_INTERNAL_ARGON2\" was never defined.
+ Usually this means the macro was only invoked conditionally." "$LINENO" 5
+ fi
++if test -z "${HAVE_BLKID_TRUE}" && test -z "${HAVE_BLKID_FALSE}"; then
++  as_fn_error $? "conditional \"HAVE_BLKID\" was never defined.
++Usually this means the macro was only invoked conditionally." "$LINENO" 5
++fi
+ if test -z "${PYTHON_CRYPTSETUP_TRUE}" && test -z "${PYTHON_CRYPTSETUP_FALSE}"; then
+   as_fn_error $? "conditional \"PYTHON_CRYPTSETUP\" was never defined.
+ Usually this means the macro was only invoked conditionally." "$LINENO" 5
diff --git a/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch
new file mode 100644
index 0000000..abca3a3
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-dracut-reencrypt.patch
@@ -0,0 +1,106 @@
+From 1b9148f12f85f326cb8127665ecfc2136c9822d5 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 18 Oct 2017 09:57:03 +0200
+Subject: [PATCH] dracut-reencrypt: add --progress-frequency parameter
+
+---
+ misc/dracut_90reencrypt/reencrypt.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
+index e6f87e0..b4960d7 100755
+--- a/misc/dracut_90reencrypt/reencrypt.sh
++++ b/misc/dracut_90reencrypt/reencrypt.sh
+@@ -18,7 +18,7 @@ else
+     device="$1"
+ fi
+ 
+-PARAMS="$device -T 1 --use-fsync -B 32"
++PARAMS="$device -T 1 --use-fsync --progress-frequency 5 -B 32"
+ if [ "$3" != "any" ]; then
+     PARAMS="$PARAMS -S $3"
+ fi
+-- 
+1.8.3.1
+
+From cda0a8ac7f30f120cdf5fadf16484715e8f9a040 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 19 Jul 2018 17:33:58 +0200
+Subject: [PATCH 2/2] Indicate running in initrd phase.
+
+---
+ misc/dracut_90reencrypt/reencrypt.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
+index e6f87e0..24c7716 100755
+--- a/misc/dracut_90reencrypt/reencrypt.sh
++++ b/misc/dracut_90reencrypt/reencrypt.sh
+@@ -11,6 +11,8 @@
+ 
+ . /lib/dracut-lib.sh
+ 
++export CRYPT_REENCRYPT_IN_INITRD=1
++
+ # if device name is /dev/dm-X, convert to /dev/mapper/name
+ if [ "${1##/dev/dm-}" != "$1" ]; then
+     device="/dev/mapper/$(dmsetup info -c --noheadings -o name "$1")"
+-- 
+1.8.3.1
+
+From 5da5e7f095e09c9501179864f6a20293dd9cada5 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 16 Jul 2018 17:17:45 +0200
+Subject: [PATCH] Redirect stdout to stderr during reencryption in initrd.
+
+Stdout is not printed in initrd unless user invokes debug mode.
+It's inconvenient to have users waiting for reencryption to
+finish with no input at all.
+---
+ misc/dracut_90reencrypt/module-setup.sh      | 1 +
+ misc/dracut_90reencrypt/reencrypt-verbose.sh | 5 +++++
+ misc/dracut_90reencrypt/reencrypt.sh         | 4 ++--
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+ create mode 100755 misc/dracut_90reencrypt/reencrypt-verbose.sh
+
+diff --git a/misc/dracut_90reencrypt/module-setup.sh b/misc/dracut_90reencrypt/module-setup.sh
+index 2ec9953..fcd7c92 100755
+--- a/misc/dracut_90reencrypt/module-setup.sh
++++ b/misc/dracut_90reencrypt/module-setup.sh
+@@ -28,4 +28,5 @@ install() {
+     # shellcheck disable=SC2154
+     inst_hook cmdline 30 "$moddir/parse-reencrypt.sh"
+     inst_simple "$moddir"/reencrypt.sh /sbin/reencrypt
++    inst_simple "$moddir"/reencrypt-verbose.sh /sbin/cryptsetup-reencrypt-verbose
+ }
+diff --git a/misc/dracut_90reencrypt/reencrypt-verbose.sh b/misc/dracut_90reencrypt/reencrypt-verbose.sh
+new file mode 100755
+index 0000000..5db75d5
+--- /dev/null
++++ b/misc/dracut_90reencrypt/reencrypt-verbose.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++
++# Route stdout to stderr in initrd. Otherwise output is invisible
++# unless we run in debug mode.
++/sbin/cryptsetup-reencrypt $@ 1>&2
+diff --git a/misc/dracut_90reencrypt/reencrypt.sh b/misc/dracut_90reencrypt/reencrypt.sh
+index b4960d7..4243773 100755
+--- a/misc/dracut_90reencrypt/reencrypt.sh
++++ b/misc/dracut_90reencrypt/reencrypt.sh
+@@ -50,10 +50,10 @@ reenc_run() {
+ 	fi
+         /bin/plymouth ask-for-password \
+         --prompt "$_prompt" \
+-        --command="/sbin/cryptsetup-reencrypt $PARAMS"
++        --command="/sbin/cryptsetup-reencrypt-verbose $PARAMS"
+     else
+         info "REENCRYPT using key $1"
+-        reenc_readkey "$1" | /sbin/cryptsetup-reencrypt -d - $PARAMS
++        reenc_readkey "$1" | /sbin/cryptsetup-reencrypt-verbose -d - $PARAMS
+     fi
+     _ret=$?
+     cd $cwd
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch
new file mode 100644
index 0000000..8821a14
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-fix-write_blockwise-on-short-files.patch
@@ -0,0 +1,40 @@
+From 63d66e7a3356da4bca77f521fd93df7cdf09b41a Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 19 Jun 2018 15:10:33 +0200
+Subject: [PATCH 3/4] Fix write_blockwise on short files.
+
+see unit test write_blockwise(length=2097153, bsize=4096), on x86
+with original test file size=2097152.
+
+The test is trying to write_blockwise 1 more byte than actual file
+size.
+---
+ lib/utils_io.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/lib/utils_io.c b/lib/utils_io.c
+index 8336b18..e0c2381 100644
+--- a/lib/utils_io.c
++++ b/lib/utils_io.c
+@@ -105,15 +105,13 @@ ssize_t write_blockwise(int fd, size_t bsize, size_t alignment,
+ 	if (hangover) {
+ 		if (posix_memalign(&hangover_buf, alignment, bsize))
+ 			goto out;
++		memset(hangover_buf, 0, bsize);
+ 
+ 		r = read_buffer(fd, hangover_buf, bsize);
+-		if (r < 0 || r < (ssize_t)hangover)
++		if (r < 0)
+ 			goto out;
+ 
+-		if (r < (ssize_t)bsize)
+-			bsize = r;
+-
+-		if (lseek(fd, -(off_t)bsize, SEEK_CUR) < 0)
++		if (lseek(fd, -(off_t)r, SEEK_CUR) < 0)
+ 			goto out;
+ 
+ 		memcpy(hangover_buf, (char*)buf + solid, hangover);
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch
new file mode 100644
index 0000000..92f889b
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch
@@ -0,0 +1,32 @@
+From 6392be68c4d481148e20dbc2a8380cc246f27ad1 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 19 Jun 2018 14:45:45 +0200
+Subject: [PATCH 2/4] Fix write_lseek_blockwise for in the middle of sector
+ case.
+
+See unit test write_lseek_blockwise(bsize=512, offset=1, length=1).
+
+The test tries to modify single byte at offset 1 of device with
+bsize=512.
+---
+ lib/utils_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/utils_io.c b/lib/utils_io.c
+index 94c4ef6..8336b18 100644
+--- a/lib/utils_io.c
++++ b/lib/utils_io.c
+@@ -216,8 +216,8 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment,
+ 		if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ 			goto out;
+ 
+-		r = write_buffer(fd, frontPadBuf, frontHang + innerCount);
+-		if (r < 0 || r != (ssize_t)(frontHang + innerCount))
++		r = write_buffer(fd, frontPadBuf, bsize);
++		if (r < 0 || r != (ssize_t)bsize)
+ 			goto out;
+ 
+ 		buf = (char*)buf + innerCount;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch
new file mode 100644
index 0000000..c472424
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch
@@ -0,0 +1,164 @@
+From 078ed81d14904f48a6237646050ba5eb74d702b7 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 4 Jul 2018 15:58:09 +0200
+Subject: [PATCH 2/6] Make LUKS2 auto-recovery aware of device signatures.
+
+auto-recovery triggers any time when only single correct LUKS2
+header instance was found. That may be dangerous.
+
+We should suppress auto-recovery in case blkid decided the
+device is no longer LUKS device. For example if secondary (intact)
+LUKS2 header was left behind and blkid declares the device is LVM2
+member.
+
+Moreover if at least one header instance is corrupted and blkid
+declares device non-empty and non-LUKS in the same time, header load
+operation will be aborted with error.
+---
+ lib/internal.h                  |  1 +
+ lib/luks2/luks2_disk_metadata.c | 61 ++++++++++++++++++++++++++++++++++++++++-
+ lib/luks2/luks2_internal.h      |  2 +-
+ lib/luks2/luks2_json_metadata.c |  4 +--
+ 4 files changed, 64 insertions(+), 4 deletions(-)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 07a1a08..e6d2323 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -32,6 +32,7 @@
+ 
+ #include "nls.h"
+ #include "bitops.h"
++#include "utils_blkid.h"
+ #include "utils_crypt.h"
+ #include "utils_loop.h"
+ #include "utils_dm.h"
+diff --git a/lib/luks2/luks2_disk_metadata.c b/lib/luks2/luks2_disk_metadata.c
+index 4d9bce2..6ca9d5e 100644
+--- a/lib/luks2/luks2_disk_metadata.c
++++ b/lib/luks2/luks2_disk_metadata.c
+@@ -531,12 +531,59 @@ static json_object *parse_and_validate_json(const char *json_area, int length)
+ 	return jobj;
+ }
+ 
++static int detect_device_signatures(const char *path)
++{
++	blk_probe_status prb_state;
++	int r;
++	struct blkid_handle *h;
++
++	if (!blk_supported()) {
++		log_dbg("Blkid probing of device signatures disabled.");
++		return 0;
++	}
++
++	if ((r = blk_init_by_path(&h, path))) {
++		log_dbg("Failed to initialize blkid_handle by path.");
++		return -EINVAL;
++	}
++
++	/* We don't care about details. Be fast. */
++	blk_set_chains_for_fast_detection(h);
++
++	/* Filter out crypto_LUKS. we don't care now */
++	blk_superblocks_filter_luks(h);
++
++	prb_state = blk_safeprobe(h);
++
++	switch (prb_state) {
++	case PRB_AMBIGUOUS:
++		log_dbg("Blkid probe couldn't decide device type unambiguously.");
++		/* fall through */
++	case PRB_FAIL:
++		log_dbg("Blkid probe failed.");
++		r = -EINVAL;
++		break;
++	case PRB_OK: /* crypto_LUKS type is filtered out */
++		r = -EINVAL;
++
++		if (blk_is_partition(h))
++			log_dbg("Blkid probe detected partition type '%s'", blk_get_partition_type(h));
++		else if (blk_is_superblock(h))
++			log_dbg("blkid probe detected superblock type '%s'", blk_get_superblock_type(h));
++		break;
++	case PRB_EMPTY:
++		log_dbg("Blkid probe detected no foreign device signature.");
++	}
++	blk_free(h);
++	return r;
++}
++
+ /*
+  * Read and convert on-disk LUKS2 header to in-memory representation..
+  * Try to do recovery if on-disk state is not consistent.
+  */
+ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+-			struct device *device, int do_recovery)
++			struct device *device, int do_recovery, int do_blkprobe)
+ {
+ 	enum { HDR_OK, HDR_OBSOLETE, HDR_FAIL, HDR_FAIL_IO } state_hdr1, state_hdr2;
+ 	struct luks2_hdr_disk hdr_disk1, hdr_disk2;
+@@ -616,6 +663,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+ 	if (state_hdr1 == HDR_OK && state_hdr2 != HDR_OK) {
+ 		log_dbg("Secondary LUKS2 header requires recovery.");
+ 
++		if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) {
++			log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
++				      "Please run \"cryptsetup repair\" for recovery."));
++			goto err;
++		}
++
+ 		if (do_recovery) {
+ 			memcpy(&hdr_disk2, &hdr_disk1, LUKS2_HDR_BIN_LEN);
+ 			r = crypt_random_get(NULL, (char*)hdr_disk2.salt, sizeof(hdr_disk2.salt), CRYPT_RND_SALT);
+@@ -631,6 +684,12 @@ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+ 	} else if (state_hdr1 != HDR_OK && state_hdr2 == HDR_OK) {
+ 		log_dbg("Primary LUKS2 header requires recovery.");
+ 
++		if (do_blkprobe && (r = detect_device_signatures(device_path(device)))) {
++			log_err(cd, _("Device contains ambiguous signatures, cannot auto-recover LUKS2.\n"
++				      "Please run \"cryptsetup repair\" for recovery."));
++			goto err;
++		}
++
+ 		if (do_recovery) {
+ 			memcpy(&hdr_disk1, &hdr_disk2, LUKS2_HDR_BIN_LEN);
+ 			r = crypt_random_get(NULL, (char*)hdr_disk1.salt, sizeof(hdr_disk1.salt), CRYPT_RND_SALT);
+diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h
+index e9beab8..dcabed7 100644
+--- a/lib/luks2/luks2_internal.h
++++ b/lib/luks2/luks2_internal.h
+@@ -42,7 +42,7 @@
+  * On-disk access function prototypes
+  */
+ int LUKS2_disk_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr,
+-			struct device *device, int do_recovery);
++			struct device *device, int do_recovery, int do_blkprobe);
+ int LUKS2_disk_hdr_write(struct crypt_device *cd, struct luks2_hdr *hdr,
+ 			 struct device *device);
+ 
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 362388e..125cad9 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -853,7 +853,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ 		return r;
+ 	}
+ 
+-	r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1);
++	r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
+ 	if (r == -EAGAIN) {
+ 		/* unlikely: auto-recovery is required and failed due to read lock being held */
+ 		device_read_unlock(crypt_metadata_device(cd));
+@@ -865,7 +865,7 @@ int LUKS2_hdr_read(struct crypt_device *cd, struct luks2_hdr *hdr)
+ 			return r;
+ 		}
+ 
+-		r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1);
++		r = LUKS2_disk_hdr_read(cd, hdr, crypt_metadata_device(cd), 1, 1);
+ 
+ 		device_write_unlock(crypt_metadata_device(cd));
+ 	} else
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch
new file mode 100644
index 0000000..6c34ab8
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch
@@ -0,0 +1,25 @@
+From b60e856087db77abbc5aa62a7f980e62b8b75029 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 17 Jul 2018 10:53:13 +0200
+Subject: [PATCH] Rephrase error message for invalid --type param in convert.
+
+---
+ src/cryptsetup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index fc3481d..5f8df37 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -1851,7 +1851,7 @@ static int action_luksConvert(void)
+ 	} else if (!strcmp(opt_type, "luks1")) {
+ 		to_type = CRYPT_LUKS1;
+ 	} else {
+-		log_err(_("Missing LUKS target type, option --type is required."));
++		log_err(_("Invalid LUKS type, only luks1 and luks2 are supported."));
+ 		return -EINVAL;
+ 	}
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch
new file mode 100644
index 0000000..a2f9d2e
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch
@@ -0,0 +1,40 @@
+From 167da99eaa9708289492e8fca2ebe4964cf5baa7 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 9 Jul 2018 17:27:55 +0200
+Subject: [PATCH 5/6] Update crypt_repair API documentation for LUKS2.
+
+---
+ lib/libcryptsetup.h | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
+index 0a7ebdb..2d959fa 100644
+--- a/lib/libcryptsetup.h
++++ b/lib/libcryptsetup.h
+@@ -624,7 +624,7 @@ int crypt_load(struct crypt_device *cd,
+ 	void *params);
+ 
+ /**
+- * Try to repair crypt device LUKS1 on-disk header if invalid.
++ * Try to repair crypt device LUKS on-disk header if invalid.
+  *
+  * @param cd crypt device handle
+  * @param requested_type @link crypt-type @endlink or @e NULL for all known
+@@ -632,9 +632,11 @@ int crypt_load(struct crypt_device *cd,
+  *
+  * @returns 0 on success or negative errno value otherwise.
+  *
+- * @note Does not support LUKS2 devices explicitly. LUKS2 header is auto-repaired
+- *	 (if exactly one header checksum does not match) automatically on
+- *	 crypt_load().
++ * @note For LUKS2 device crypt_repair bypass blkid checks and
++ * 	 perform auto-recovery even though there're third party device
++ * 	 signatures found by blkid probes. Currently the crypt_repair on LUKS2
++ * 	 works only if exactly one header checksum does not match or exactly
++ * 	 one header is missing.
+  */
+ int crypt_repair(struct crypt_device *cd,
+ 	const char *requested_type,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch
new file mode 100644
index 0000000..d21d220
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch
@@ -0,0 +1,110 @@
+From 3f0f7acbc0dd72f1d98feb7af214cf12eb9bc47e Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 10 Jul 2018 14:36:45 +0200
+Subject: [PATCH] Update cryptsetup man page for --type option usage.
+
+Fixes #394.
+---
+ man/cryptsetup.8 | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
+index b2ef8cd..96d4fef 100644
+--- a/man/cryptsetup.8
++++ b/man/cryptsetup.8
+@@ -70,8 +70,8 @@ The following are valid actions for all supported device types.
+ .IP
+ Opens (creates a mapping with) <name> backed by device <device>.
+ 
+-Device type can be \fIplain\fR, \fIluks\fR (default), \fIloopaes\fR
+-or \fItcrypt\fR.
++Device type can be \fIplain\fR, \fIluks\fR (default), \fIluks1\fR, \fIluks2\fR,
++\fIloopaes\fR or \fItcrypt\fR.
+ 
+ For backward compatibility there are \fBopen\fR command aliases:
+ 
+@@ -243,7 +243,7 @@ the command prompts for it interactively.
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+ \-\-keyfile\-size, \-\-readonly, \-\-test\-passphrase,
+ \-\-allow\-discards, \-\-header, \-\-key-slot, \-\-master\-key\-file, \-\-token\-id,
+-\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks].
++\-\-token\-only, \-\-disable\-keyring, \-\-disable\-locks, \-\-type].
+ .PP
+ \fIluksSuspend\fR <name>
+ .IP
+@@ -266,7 +266,7 @@ Resumes a suspended device and reinstates the encryption key.
+ Prompts interactively for a passphrase if \-\-key-file is not given.
+ 
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-size, \-\-header,
+-\-\-disable\-keyring,\-\-disable\-locks]
++\-\-disable\-keyring, \-\-disable\-locks, \-\-type]
+ .PP
+ \fIluksAddKey\fR <device> [<key file with new key>]
+ .IP
+@@ -285,7 +285,7 @@ is not required.
+ \-\-keyfile\-size, \-\-new\-keyfile\-offset,
+ \-\-new\-keyfile\-size, \-\-key\-slot, \-\-master\-key\-file,
+ \-\-iter\-time, \-\-force\-password, \-\-header, \-\-disable\-locks,
+-\-\-unbound].
++\-\-unbound, \-\-type].
+ .PP
+ \fIluksRemoveKey\fR <device> [<key file with passphrase to be removed>]
+ .IP
+@@ -294,7 +294,7 @@ passphrase to be removed can be specified interactively,
+ as the positional argument or via \-\-key-file.
+ 
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+-\-\-keyfile\-size, \-\-header, \-\-disable\-locks]
++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type]
+ 
+ \fBWARNING:\fR If you read the passphrase from stdin
+ (without further argument or with '-' as an argument
+@@ -328,7 +328,7 @@ inaccessible.
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+ \-\-keyfile\-size, \-\-new\-keyfile\-offset,
+ \-\-new\-keyfile\-size, \-\-key\-slot, \-\-force\-password, \-\-header,
+-\-\-disable\-locks].
++\-\-disable\-locks, \-\-type].
+ .PP
+ .PP
+ \fIluksConvertKey\fR <device>
+@@ -364,7 +364,7 @@ an interactive confirmation when doing so. Removing the last
+ passphrase makes a LUKS container permanently inaccessible.
+ 
+ \fB<options>\fR can be [\-\-key\-file, \-\-keyfile\-offset,
+-\-\-keyfile\-size, \-\-header, \-\-disable\-locks].
++\-\-keyfile\-size, \-\-header, \-\-disable\-locks, \-\-type].
+ 
+ \fBWARNING:\fR If you read the passphrase from stdin
+ (without further argument or with '-' as an argument
+@@ -399,6 +399,8 @@ Set new UUID if \fI\-\-uuid\fR option is specified.
+ Returns true, if <device> is a LUKS device, false otherwise.
+ Use option \-v to get human-readable feedback. 'Command successful.'
+ means the device is a LUKS device.
++
++By specifying \-\-type you may query for specific LUKS version.
+ .PP
+ \fIluksDump\fR <device>
+ .IP
+@@ -417,7 +419,7 @@ either interactively or via \-\-key\-file.
+ 
+ \fB<options>\fR can be [\-\-dump\-master\-key, \-\-key\-file,
+ \-\-keyfile\-offset, \-\-keyfile\-size, \-\-header, \-\-disable\-locks,
+-\-\-master\-key\-file].
++\-\-master\-key\-file, \-\-type].
+ 
+ \fBWARNING:\fR If \-\-dump\-master\-key is used with \-\-key\-file
+ and the argument to \-\-key\-file is '-', no validation question
+@@ -663,7 +665,8 @@ for LUKS device type.
+ This command is useful to fix some known benign LUKS metadata
+ header corruptions. Only basic corruptions of unused keyslot
+ are fixable. This command will only change the LUKS header, not
+-any key-slot data.
++any key-slot data. You may enforce LUKS version by adding \-\-type
++option.
+ 
+ \fBWARNING:\fR Always create a binary backup of the original
+ header before calling this command.
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch
new file mode 100644
index 0000000..6d4d7e3
--- /dev/null
+++ b/SOURCES/cryptsetup-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch
@@ -0,0 +1,39 @@
+From 685bcc56351b3e46b69d46118d23268b69052097 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 19 Jun 2018 14:07:20 +0200
+Subject: [PATCH 1/4] Zero length lseek blockwise i/o should return zero.
+
+Note that both functions perform seek operations aligned to sector
+boundary if possible before returning.
+
+Unaligned input offset gets aligned on first preceding sector
+boundary.
+---
+ lib/utils_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/utils_io.c b/lib/utils_io.c
+index 0f671d6..94c4ef6 100644
+--- a/lib/utils_io.c
++++ b/lib/utils_io.c
+@@ -199,7 +199,7 @@ ssize_t write_lseek_blockwise(int fd, size_t bsize, size_t alignment,
+ 	if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ 		return -1;
+ 
+-	if (frontHang) {
++	if (frontHang && length) {
+ 		if (posix_memalign(&frontPadBuf, alignment, bsize))
+ 			return -1;
+ 
+@@ -253,7 +253,7 @@ ssize_t read_lseek_blockwise(int fd, size_t bsize, size_t alignment,
+ 	if (lseek(fd, offset - frontHang, SEEK_SET) < 0)
+ 		return -1;
+ 
+-	if (frontHang) {
++	if (frontHang && length) {
+ 		if (posix_memalign(&frontPadBuf, alignment, bsize))
+ 			return -1;
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/cryptsetup-argon2-fips.patch b/SOURCES/cryptsetup-argon2-fips.patch
new file mode 100644
index 0000000..5261c8d
--- /dev/null
+++ b/SOURCES/cryptsetup-argon2-fips.patch
@@ -0,0 +1,33 @@
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index 3716c26..540915b 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -350,6 +350,13 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
+ 		crypt_free_volume_key(derived_key);
+ 		return -ENOMEM;
+ 	}
++
++	if (crypt_fips_mode() &&
++	    (!strcmp(pbkdf.type, CRYPT_KDF_ARGON2I) ||
++	     !strcmp(pbkdf.type, CRYPT_KDF_ARGON2ID)))
++		log_verbose(cd, _("%s key derivation function is not currently FIPS-compliant."),
++			    pbkdf.type);
++
+ 	/*
+ 	 * Calculate derived key, decrypt keyslot content and merge it.
+ 	 */
+@@ -406,6 +413,14 @@ static int luks2_keyslot_update_json(struct crypt_device *cd,
+ 	if (!pbkdf)
+ 		return -EINVAL;
+ 
++	if (crypt_fips_mode() &&
++	    (!strcmp(pbkdf->type, CRYPT_KDF_ARGON2I) ||
++	     !strcmp(pbkdf->type, CRYPT_KDF_ARGON2ID))) {
++		log_err(cd, _("%s key derivation function is not allowed in FIPS mode."),
++			pbkdf->type);
++		return -EINVAL;
++	}
++
+ 	r = crypt_benchmark_pbkdf_internal(cd, CONST_CAST(struct crypt_pbkdf_type *)pbkdf, keyslot_key_len);
+ 	if (r < 0)
+ 		return r;
diff --git a/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch
new file mode 100644
index 0000000..2e9a27f
--- /dev/null
+++ b/SOURCES/cryptsetup-new-avoid-rh-kernel-bug.patch
@@ -0,0 +1,59 @@
+diff -rupN cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c
+--- cryptsetup-2.0.3.old/lib/crypto_backend/crypto_cipher_kernel.c	2018-04-17 09:20:35.000000000 +0200
++++ cryptsetup-2.0.3/lib/crypto_backend/crypto_cipher_kernel.c	2018-05-07 14:13:45.176124062 +0200
+@@ -31,6 +31,7 @@
+ #ifdef ENABLE_AF_ALG
+ 
+ #include <linux/if_alg.h>
++#include <sys/utsname.h>
+ 
+ #ifndef AF_ALG
+ #define AF_ALG 38
+@@ -44,6 +45,36 @@ struct crypt_cipher {
+ 	int opfd;
+ };
+ 
++ 
++static size_t pagesize(size_t defsize)
++{
++	long r = sysconf(_SC_PAGESIZE);
++	return r < 0 ? defsize : (size_t)r;
++}
++
++static int check_rh_kernel_version(void)
++{
++	unsigned maj, mid, min, rel;
++	static struct utsname uts = {{ 0 }};
++	size_t ps = pagesize(32768);
++
++	if (ps < 32768)
++		return 0;
++
++	if (!*uts.release && uname(&uts) < 0)
++		return -ENOTSUP;
++	/*
++	 * RH kernels 3.10.0-185 and lower are affected by a crypto API kernel
++	 * socket bug. The bug only manifests on archs with page size >= 32 KiB.
++	 *
++	 * For reference, see rhbz#1136075
++	 */
++	if (sscanf(uts.release, "%u.%u.%u-%u", &maj, &mid, &min, &rel) == 4)
++		return (maj == 3 && mid == 10 && min == 0 && rel < 186) ? -ENOTSUP : 0;
++
++	return -ENOTSUP;
++}
++
+ /*
+  * ciphers
+  *
+@@ -60,6 +91,9 @@ int crypt_cipher_init(struct crypt_ciphe
+ 		.salg_type = "skcipher",
+ 	};
+ 
++	if (check_rh_kernel_version())
++		return -ENOTSUP;
++
+ 	h = malloc(sizeof(*h));
+ 	if (!h)
+ 		return -ENOMEM;
+Binary files cryptsetup-2.0.3.old/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp and cryptsetup-2.0.3/lib/crypto_backend/.crypto_cipher_kernel.c.rej.swp differ
diff --git a/SOURCES/cryptsetup-sector-size-detection.patch b/SOURCES/cryptsetup-sector-size-detection.patch
new file mode 100644
index 0000000..a10bff0
--- /dev/null
+++ b/SOURCES/cryptsetup-sector-size-detection.patch
@@ -0,0 +1,13 @@
+--- cryptsetup-2.0.3.old/lib/libdevmapper.c	2018-05-03 18:30:59.000000000 +0200
++++ cryptsetup-2.0.3/lib/libdevmapper.c	2018-06-19 20:01:10.263369754 +0200
+@@ -164,6 +164,10 @@ static void _dm_set_crypt_compat(unsigne
+ 		_dm_flags |= DM_CAPI_STRING_SUPPORTED;
+ 	}
+ 
++	if (!_dm_satisfies_version(1, 15, 0, crypt_maj, crypt_min, crypt_patch) &&
++	     _dm_satisfies_version(1, 14, 5, crypt_maj, crypt_min, crypt_patch))
++		_dm_flags |= DM_SECTOR_SIZE_SUPPORTED;
++
+ 	_dm_crypt_checked = true;
+ }
+ 
diff --git a/SOURCES/cryptsetup-tests-device-test.patch b/SOURCES/cryptsetup-tests-device-test.patch
new file mode 100644
index 0000000..ebc7186
--- /dev/null
+++ b/SOURCES/cryptsetup-tests-device-test.patch
@@ -0,0 +1,17 @@
+diff -rupN cryptsetup-2.0.3.old/tests/device-test cryptsetup-2.0.3/tests/device-test
+--- cryptsetup-2.0.3.old/tests/device-test	2018-06-06 11:00:28.716305843 -0400
++++ cryptsetup-2.0.3/tests/device-test	2018-06-06 11:00:37.036343168 -0400
+@@ -39,11 +39,12 @@ function dm_crypt_features()
+ 
+ 	VER_MAJ=$(echo $VER_STR | cut -f 1 -d.)
+ 	VER_MIN=$(echo $VER_STR | cut -f 2 -d.)
++	VER_PAT=$(echo $VER_STR | cut -f 3 -d.)
+ 
+ 	[ $VER_MAJ -lt 1 ] && return
+ 	[ $VER_MAJ -eq 1 -a $VER_MIN -lt 14 ] && return
+ 	DM_PERF_CPU=1
+-	[ $VER_MAJ -eq 1 -a $VER_MIN -lt 17 ] && return
++	[ $VER_MAJ -eq 1 -a $VER_MIN -lt 15 -a $VER_PAT -lt 5 ] && return
+ 	DM_SECTOR_SIZE=1
+ }
+ 
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
index 6dce8eb..cdd8c23 100644
--- a/SPECS/cryptsetup.spec
+++ b/SPECS/cryptsetup.spec
@@ -1,20 +1,52 @@
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
-%define python3_enable 0
+%if 0%{?fedora}
+%if 0%{?fedora} >= 29
+Obsoletes: python2-cryptsetup
+Obsoletes: cryptsetup-python3
+%global python2_enable 0
+%global python3_enable 0
+%else
+%global python2_enable 1
+%global python3_enable 1
+%endif
+%else
+Obsoletes: cryptsetup-python3
+%global python3_enable 0
+%if 0%{?rhel} == 7
+%global python2_enable 1
+# Change to 1 when argon2 lands
+%global libargon2_enable 0
+# Change to 1 when dm-integrity gets backported
+%global integritysetup_enable 0
+%else
+Obsoletes: cryptsetup-python
+Obsoletes: python2-cryptsetup
+%global python2_enable 0
+%endif
+%endif
+
 
 Summary: A utility for setting up encrypted disks
 Name: cryptsetup
-Version: 1.7.4
-Release: 4%{?dist}
+Version: 2.0.3
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: Applications/System
 URL: https://gitlab.com/cryptsetup/cryptsetup
 BuildRequires: libgcrypt-devel, popt-devel, device-mapper-devel
 BuildRequires: libgpg-error-devel, libuuid-devel, libsepol-devel
-BuildRequires: libselinux-devel, python-devel, libpwquality-devel
+BuildRequires: libselinux-devel, gcc, libblkid-devel
+%if %{python2_enable}
+BuildRequires: python-devel
+%endif
 %if %{python3_enable}
 BuildRequires: python3-devel
 %endif
+BuildRequires: libpwquality-devel, json-c-devel
+%if 0%{?libargon2_enable}
+BuildRequires: libargon2-devel
+%endif
 Provides: cryptsetup-luks = %{version}-%{release}
 Obsoletes: cryptsetup-luks < 1.4.0
 Requires: cryptsetup-libs%{?_isa} = %{version}-%{release}
@@ -22,14 +54,34 @@ Requires: libpwquality >= 1.2.0
 
 %define dracutmodulesdir %{_prefix}/lib/dracut/modules.d
 %define upstream_version %{version}
-Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{upstream_version}.tar.xz
+%define upstream_version_old 1.7.4
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{upstream_version}.tar.xz
+Source1: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-%{upstream_version_old}.tar.xz
+# version 1.7.4 only (all of it, up to next comment)
 Patch0: %{name}-avoid-rh-kernel-bug.patch
 Patch1: %{name}-1.7.5-fix-unaligned-access-to-hidden-truecrypt.patch
 Patch2: %{name}-1.7.5-fix-luksformat-in-fips-mode.patch
 Patch3: %{name}-1.7.6-fix-blockwise-access-functions-for-64k-page-size.patch
 Patch4: %{name}-1.7.6-crypt_deactivate-fail-earlier-when-holders-detected.patch
-Patch5: %{name}-1.7.6-cryptsetup-reencrypt-progress-frequency-parameter.patch
-Patch6: %{name}-1.7.6-dracut-reencrypt-add-progress-frequency.patch
+# 2.0.x only
+Patch5: %{name}-2.0.4-dracut-reencrypt.patch
+Patch6: %{name}-new-avoid-rh-kernel-bug.patch
+Patch7: %{name}-sector-size-detection.patch
+Patch8: %{name}-tests-device-test.patch
+Patch9: %{name}-argon2-fips.patch
+Patch10: %{name}-2.0.4-zero-length-lseek-blockwise-i-o-should-return-zero.patch
+Patch11: %{name}-2.0.4-fix-write_lseek_blockwise-for-in-the-middle-of-secto.patch
+Patch12: %{name}-2.0.4-fix-write_blockwise-on-short-files.patch
+Patch13: %{name}-2.0.4-add-blkid-utilities-for-fast-detection-of-device-sig.patch
+Patch14: %{name}-2.0.4-make-LUKS2-auto-recovery-aware-of-device-signatures.patch
+Patch15: %{name}-2.0.4-allow-LUKS2-repair-to-override-blkid-checks.patch
+Patch16: %{name}-2.0.4-allow-explicit-LUKS2-repair.patch
+Patch17: %{name}-2.0.4-update-crypt_repair-API-documentation-for-LUKS2.patch
+Patch18: %{name}-2.0.4-allow-LUKS2-repair-with-disabled-locks.patch
+# the configure patch must be applied last
+Patch19: %{name}-2.0.4-configure.patch
+Patch20: %{name}-2.0.4-update-cryptsetup-man-page-for-type-option-usage.patch
+Patch21: %{name}-2.0.4-rephrase-error-message-for-invalid-type-param-in-con.patch
 
 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
 %define configure_cipher --enable-gcrypt-pbkdf2
@@ -37,6 +89,15 @@ Patch6: %{name}-1.7.6-dracut-reencrypt-add-progress-frequency.patch
 %define configure_cipher --with-luks1-cipher=aes --with-luks1-mode=cbc-essiv:sha256 --with-luks1-keybits=256
 %endif
 
+%if 0%{?libargon2_enable}
+%define configure_libargon2 --enable-libargon2
+%endif
+%if 0%{?integritysetup_enable}
+%define configure_integritysetup --enable-integritysetup
+%else
+%define configure_integritysetup --disable-integritysetup
+%endif
+
 %description
 The cryptsetup package contains a utility for setting up
 disk encryption using dm-crypt kernel module.
@@ -115,22 +176,49 @@ for setting up disk encryption using dm-crypt kernel module.
 
 %prep
 %setup -q -n cryptsetup-%{upstream_version}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch20 -p1
+%patch21 -p1
+# the configure patch (always last)
+%patch19 -p1
 chmod -x python/pycryptsetup-test.py
+chmod -x misc/dracut_90reencrypt/*
 
 %if %{python3_enable}
 # copy the whole directory for the python3 build
 cp -a . %{py3dir}
 %endif
 
+%setup -T -a 1 -D -n cryptsetup-%{upstream_version}
+pushd cryptsetup-1.7.4
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+
 %build
-%configure --enable-python --enable-fips --enable-cryptsetup-reencrypt --enable-pwquality %{?configure_cipher}
+%configure --enable-fips --enable-pwquality --with-default-luks-format=LUKS1 %{?configure_cipher} %{?configure_libargon2} %{?configure_integritysetup}
+pushd cryptsetup-1.7.4
+%configure --enable-python --enable-fips --enable-pwquality --disable-cryptsetup-reencrypt --disable-veritysetup %{?configure_cipher}
+# remove rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+make %{?_smp_mflags}
+popd
 # remove rpath
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@@ -144,6 +232,9 @@ popd
 %endif
 
 %install
+pushd cryptsetup-1.7.4
+make install DESTDIR=%{buildroot}
+popd
 make install DESTDIR=%{buildroot}
 rm -rf %{buildroot}/%{_libdir}/*.la
 
@@ -160,6 +251,7 @@ install -d -m755 %{buildroot}/%{dracutmodulesdir}/90reencrypt
 install -m755 misc/dracut_90reencrypt/module-setup.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
 install -m755 misc/dracut_90reencrypt/parse-reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
 install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
+install -m755 misc/dracut_90reencrypt/reencrypt-verbose.sh %{buildroot}/%{dracutmodulesdir}/90reencrypt
 
 %post -n cryptsetup-libs -p /sbin/ldconfig
 
@@ -178,6 +270,14 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd
 %{_mandir}/man8/veritysetup.8.gz
 %{_sbindir}/veritysetup
 
+%if %{integritysetup_enable}
+%files -n integritysetup
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_mandir}/man8/integritysetup.8.gz
+%{_sbindir}/integritysetup
+%endif
+
 %files reencrypt
 %{!?_licensedir:%global license %%doc}
 %license COPYING
@@ -197,6 +297,8 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd
 %{!?_licensedir:%global license %%doc}
 %license COPYING COPYING.LGPL
 %{_libdir}/libcryptsetup.so.*
+%{_tmpfilesdir}/cryptsetup.conf
+%ghost %attr(700, -, -) %dir /run/cryptsetup
 
 %files python
 %{!?_licensedir:%global license %%doc}
@@ -217,6 +319,24 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd
 %clean
 
 %changelog
+* Tue Jul 31 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-3
+- Add expected permissions explicitly for locking directory.
+- Reinstate sed script removing library rpath from libtool
+  script due to bug in upstream sources distribution.
+- Resolves: #1609847 #1610379
+
+* Mon Jul 16 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-2
+- patch: stop LUKS2 auto-recovery if device is no longer LUKS
+  type
+- patch: update cryptsetup man page for --type option
+- patch: rephrase error message for invalid --type option in
+  convert action
+- Resolves: #1599281 #1601477 #1601481
+
+* Wed Jun 20 2018 Ondrej Kozina <okozina@redhat.com> - 2.0.3-1
+- Update to cryptsetup 2.0.3.
+- Resolves: #1475904 #1380347 #1416174 #1536105 #1574239
+
 * Thu Oct 19 2017 Ondrej Kozina <okozina@redhat.com> - 1.7.4-4
 - patch: fix regression in blockwise functions
 - patch: avoid repeating error messages when device holders