diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 65fb1bd..9b26198 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1 @@
-bb89099b839b962a13efacdd52d6ce6e408ca971 SOURCES/cryptsetup-2.2.0.tar.xz
+135dc2e7b84bc8c74f01447f93d1392485b47a37 SOURCES/cryptsetup-2.2.2.tar.xz
diff --git a/.gitignore b/.gitignore
index 51ae054..af155c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cryptsetup-2.2.0.tar.xz
+SOURCES/cryptsetup-2.2.2.tar.xz
diff --git a/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch b/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
deleted file mode 100644
index c95ca7e..0000000
--- a/SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From 4862e22cd0ac9ed8395003c209d048889a009969 Mon Sep 17 00:00:00 2001 -From: Ondrej Kozina -Date: Fri, 23 Aug 2019 16:34:33 +0200 -Subject: [PATCH 2/5] Add opt-io size parameter to LUKS2 reencrypt test device. - -So that we can test recovery is not broken for optimal io size -optimization added to reencryption code. ---- - tests/luks2-reencryption-test | 21 ++++++++++++--------- - 1 file changed, 12 insertions(+), 9 deletions(-) - -diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test -index f88e7f1..558b8dd 100755 ---- a/tests/luks2-reencryption-test -+++ b/tests/luks2-reencryption-test -@@ -244,15 +244,16 @@ function fix_writes() { # $1 dmdev, $2 data dev - } - - function prepare_linear_dev() { -- if [ "$1" -gt 32 ]; then -- preparebig $1 -+ local _sizemb=$1 -+ shift -+ -+ if [ "$_sizemb" -gt 32 ]; then -+ preparebig $_sizemb - else -- prepare dev_size_mb=$1 -+ prepare dev_size_mb=$_sizemb $@ - fi - -- local _size=$(blockdev --getsz $DEV) -- -- dmsetup create $OVRDEV --table "0 $_size linear $DEV 0" || fail -+ dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail - - OLD_DEV=$DEV - DEV=/dev/mapper/$OVRDEV -@@ -875,7 +876,9 @@ if ! dm_delay_features; then - fi - - echo "[6] Reencryption recovery" --prepare_linear_dev 32 -+# (check opt-io size optimization in reencryption code does not affect recovery) -+# device with opt-io size 32k -+prepare_linear_dev 32 opt_blks=64 opt_xferlen_exp=6 - OFFSET=8192 - - echo "sector size 512->512" -@@ -957,7 +960,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then - fi - - echo "[8] Reencryption with detached header recovery" --prepare_linear_dev 31 -+prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6 - - echo "sector size 512->512" - -@@ -1076,7 +1079,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then - fi - - echo "[12] Encryption with detached header recovery" --prepare_linear_dev 31 -+prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6 - - get_error_offsets 31 0 - --- -1.8.3.1 - 
diff --git a/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch b/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
deleted file mode 100644
index 2a54dd5..0000000
--- a/SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
+++ /dev/null
@@ -1,158 +0,0 @@ -From 8f8f0b3258152a260c6a40be89b485f943f81484 Mon Sep 17 00:00:00 2001 -From: Milan Broz -Date: Mon, 26 Aug 2019 10:01:17 +0200 -Subject: [PATCH] Fix mapped segments overflow on 32bit architectures. - -All set_segment funcions must use uin64_t everywhere, -not size_t that is platform dependent. - -The code later uses it correctly, it is just wrong function -prototype definitions. - -Reported in -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935702 - -(TODO: add a test for other segment types.) ---- - lib/libdevmapper.c | 12 ++++++------ - lib/utils_dm.h | 12 ++++++------ - tests/integrity-compat-test | 26 ++++++++++++++++++++++++++ - 3 files changed, 38 insertions(+), 12 deletions(-) - -diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c -index e92ceda..9c40bb1 100644 ---- a/lib/libdevmapper.c -+++ b/lib/libdevmapper.c -@@ -2759,9 +2759,9 @@ int dm_is_dm_kernel_name(const char *name) - return strncmp(name, "dm-", 3) ? 0 : 1; - } - --int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, -+int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, - struct device *data_device, struct volume_key *vk, const char *cipher, -- size_t iv_offset, size_t data_offset, const char *integrity, uint32_t tag_size, -+ uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size, - uint32_t sector_size) - { - int r = -EINVAL; -@@ -2800,7 +2800,7 @@ err: - return r; - } - --int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, -+int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, - struct device *data_device, struct device *hash_device, struct device *fec_device, - const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block, - uint64_t hash_blocks, struct crypt_params_verity *vp) -@@ -2826,7 +2826,7 @@ int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_si - return 0; - } - 
--int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, -+int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, - struct device *meta_device, - struct device *data_device, uint64_t tag_size, uint64_t offset, - uint32_t sector_size, struct volume_key *vk, -@@ -2865,8 +2865,8 @@ int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg - return 0; - } - --int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, -- struct device *data_device, size_t data_offset) -+int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, -+ struct device *data_device, uint64_t data_offset) - { - if (!data_device) - return -EINVAL; -diff --git a/lib/utils_dm.h b/lib/utils_dm.h -index 4a1e1d3..124a1c7 100644 ---- a/lib/utils_dm.h -+++ b/lib/utils_dm.h -@@ -168,22 +168,22 @@ void dm_backend_exit(struct crypt_device *cd); - int dm_targets_allocate(struct dm_target *first, unsigned count); - void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd); - --int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, -+int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, - struct device *data_device, struct volume_key *vk, const char *cipher, -- size_t iv_offset, size_t data_offset, const char *integrity, -+ uint64_t iv_offset, uint64_t data_offset, const char *integrity, - uint32_t tag_size, uint32_t sector_size); --int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, -+int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, - struct device *data_device, struct device *hash_device, struct device *fec_device, - const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block, - uint64_t hash_blocks, struct crypt_params_verity *vp); --int dm_integrity_target_set(struct dm_target *tgt, size_t 
seg_offset, size_t seg_size, -+int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, - struct device *meta_device, - struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size, - struct volume_key *vk, - struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key, - const struct crypt_params_integrity *ip); --int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size, -- struct device *data_device, size_t data_offset); -+int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size, -+ struct device *data_device, uint64_t data_offset); - - int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags); - int dm_status_device(struct crypt_device *cd, const char *name); -diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test -index 5f2c14e..836975d 100755 ---- a/tests/integrity-compat-test -+++ b/tests/integrity-compat-test -@@ -9,6 +9,8 @@ INTSETUP_VALGRIND=../.libs/integritysetup - INTSETUP_LIB_VALGRIND=../.libs - - DEV_NAME=dmc_test -+DEV_NAME_BIG=dmc_fake -+DEV_LOOP="" - DEV=test123.img - DEV2=test124.img - KEY_FILE=key.img -@@ -20,6 +22,9 @@ dmremove() { # device - - cleanup() { - [ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME -+ [ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG -+ [ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP" -+ DEV_LOOP="" - rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1 - } - -@@ -292,6 +297,7 @@ int_mode() # alg tag_size sector_size [keyfile keysize] - - [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." - [ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped." -+which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped." - - [ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run - which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required." 
-@@ -389,4 +395,24 @@ else - echo "[N/A]" - fi - -+echo -n "Big device:" -+add_device -+DEV_LOOP=$(losetup -f $DEV --show) -+if [ -n "$DEV_LOOP" ] ; then -+dmsetup create $DEV_NAME_BIG < -Date: Thu, 22 Aug 2019 17:05:43 +0200 -Subject: [PATCH 1/5] Take optimal io size in account with LUKS2 reencryption. - -If device properly exposes optimal io size, let's align -reencryption hotzone to it. Otherwise device-mapper driver -complaints about misaligned tables and reencryption performance -is not optimal. ---- - lib/luks2/luks2_reencrypt.c | 23 +++++++++++++++++++++-- - 1 file changed, 21 insertions(+), 2 deletions(-) - -diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c -index 1d70aaf..1f5eb5f 100644 ---- a/lib/luks2/luks2_reencrypt.c -+++ b/lib/luks2/luks2_reencrypt.c -@@ -817,8 +817,13 @@ static int reencrypt_offset(struct luks2_hdr *hdr, - return -EINVAL; - } - --static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_context *rh, uint64_t keyslot_area_length, uint64_t length_max) -+static uint64_t reencrypt_length(struct crypt_device *cd, -+ struct luks2_hdr *hdr, -+ struct luks2_reenc_context *rh, -+ uint64_t keyslot_area_length, -+ uint64_t length_max) - { -+ unsigned long dummy, optimal_alignment; - uint64_t length; - - if (rh->rp.type == REENC_PROTECTION_NONE) -@@ -835,6 +840,20 @@ static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_conte - - length -= (length % rh->alignment); - -+ /* Emits error later */ -+ if (!length) -+ return length; -+ -+ device_topology_alignment(cd, crypt_data_device(cd), &optimal_alignment, &dummy, length); -+ -+ /* we have to stick with encryption sector size alignment */ -+ if (optimal_alignment % rh->alignment) -+ return length; -+ -+ /* align to opt-io size only if remaining size allows it */ -+ if (length > optimal_alignment) -+ length -= (length % optimal_alignment); -+ - return length; - } - -@@ -920,7 +939,7 @@ static int reencrypt_context_init(struct crypt_device 
*cd, struct luks2_hdr *hdr - } else - rh->fixed_length = false; - -- rh->length = reencrypt_length(hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT); -+ rh->length = reencrypt_length(cd, hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT); - if (reencrypt_offset(hdr, rh->direction, device_size, &rh->length, &rh->offset)) { - log_dbg(cd, "Failed to get reencryption offset."); - return -EINVAL; --- -1.8.3.1 - diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec index 5431380..e78d0f7 100644 --- a/SPECS/cryptsetup.spec +++ b/SPECS/cryptsetup.spec @@ -4,8 +4,8 @@ Obsoletes: cryptsetup-python3 Summary: A utility for setting up encrypted disks Name: cryptsetup -Version: 2.2.0 -Release: 2%{?dist} +Version: 2.2.2 +Release: 1%{?dist} License: GPLv2+ and LGPLv2+ Group: Applications/System URL: https://gitlab.com/cryptsetup/cryptsetup @@ -23,9 +23,6 @@ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{ups Patch0: %{name}-add-system-library-paths.patch # Remove the patch when (if ever) osci infrastructure gets stable enough Patch1: %{name}-disable-verity-compat-test.patch -Patch2: %{name}-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch -Patch3: %{name}-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch -Patch4: %{name}-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch %description The cryptsetup package contains a utility for setting up @@ -82,9 +79,6 @@ can be used for offline reencryption of disk in situ. %prep %setup -q -n cryptsetup-%{upstream_version} %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 %patch0 -p1 chmod -x misc/dracut_90reencrypt/* 
@@ -144,6 +138,14 @@ rm -rf %{buildroot}/%{_libdir}/*.la %clean %changelog +* Mon Nov 18 2019 Ondrej Kozina - 2.2.2-1 +- Update to cryptsetup 2.2.2 +- LUKS2 reencryption honors activation flags (one time and persistent). +- LUKS2 reencryption works also without volume keys put in kernel + keyring service. +- Resolves: #1757783 #1750680 #1753597 #1743399 + +- Resolves: #1742815 #1746532 * Fri Aug 30 2019 Ondrej Kozina - 2.2.0-2 - patch: Fix mapped segments overflow on 32bit architectures. - patch: Take optimal io size in account with LUKS2 reencryption.