rpms / python-blivet

Clone
Source Code
GIT

Blame 0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale-spin c9 c9-beta c9s-sig-hyperscale c9s-sig-hyperscale-spin
  1.   79ab9918f9f38a946bf672a107f7d8e5146a25ea
  2.   0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch
Blob History Raw
Vojtech Trefny eabe00 
From c2b06150df0b876c7d442097b6c9ca90c9ca2ecc Mon Sep 17 00:00:00 2001
Vojtech Trefny eabe00 
From: Vojtech Trefny <vtrefny@redhat.com>
Vojtech Trefny eabe00 
Date: Thu, 4 May 2023 11:35:44 +0200
Vojtech Trefny eabe00 
Subject: [PATCH] Do not set memory limit for LUKS2 when running in FIPS mode
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
With FIPS enabled LUKS uses pbkdf and not argon so the memory
Vojtech Trefny eabe00 
limit is not a valid parameter.
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
Resolves: rhbz#2193096
Vojtech Trefny eabe00 
---
Vojtech Trefny eabe00 
 blivet/devicelibs/crypto.py                   | 11 +++++++
Vojtech Trefny eabe00 
 blivet/formats/luks.py                        | 12 ++++----
Vojtech Trefny eabe00 
 tests/unit_tests/formats_tests/luks_test.py   | 30 +++++++++++++++++++
Vojtech Trefny eabe00 
 .../unit_tests/formats_tests/methods_test.py  |  3 +-
Vojtech Trefny eabe00 
 4 files changed, 50 insertions(+), 6 deletions(-)
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
diff --git a/blivet/devicelibs/crypto.py b/blivet/devicelibs/crypto.py
Vojtech Trefny eabe00 
index f0caf0f7..68e68db1 100644
Vojtech Trefny eabe00 
--- a/blivet/devicelibs/crypto.py
Vojtech Trefny eabe00 
+++ b/blivet/devicelibs/crypto.py
Vojtech Trefny eabe00 
@@ -21,6 +21,7 @@
Vojtech Trefny eabe00 
 #
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
 import hashlib
Vojtech Trefny eabe00 
+import os
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
 import gi
Vojtech Trefny eabe00 
 gi.require_version("BlockDev", "2.0")
Vojtech Trefny eabe00 
@@ -100,3 +101,13 @@ def calculate_integrity_metadata_size(device_size, algorithm=DEFAULT_INTEGRITY_A
Vojtech Trefny eabe00 
     jsize = (jsize / SECTOR_SIZE + 1) * SECTOR_SIZE  # round up to sector
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
     return msize + jsize
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
+def is_fips_enabled():
Vojtech Trefny eabe00 
+    if not os.path.exists("/proc/sys/crypto/fips_enabled"):
Vojtech Trefny eabe00 
+        # if the file doesn't exist, we are definitely not in FIPS mode
Vojtech Trefny eabe00 
+        return False
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
+    with open("/proc/sys/crypto/fips_enabled", "r") as f:
Vojtech Trefny eabe00 
+        enabled = f.read()
Vojtech Trefny eabe00 
+    return enabled.strip() == "1"
Vojtech Trefny eabe00 
diff --git a/blivet/formats/luks.py b/blivet/formats/luks.py
Vojtech Trefny eabe00 
index 2637e0c5..adf3c711 100644
Vojtech Trefny eabe00 
--- a/blivet/formats/luks.py
Vojtech Trefny eabe00 
+++ b/blivet/formats/luks.py
Vojtech Trefny eabe00 
@@ -303,11 +303,13 @@ class LUKS(DeviceFormat):
Vojtech Trefny eabe00 
             if luks_data.pbkdf_args:
Vojtech Trefny eabe00 
                 self.pbkdf_args = luks_data.pbkdf_args
Vojtech Trefny eabe00 
             else:
Vojtech Trefny eabe00 
-                mem_limit = crypto.calculate_luks2_max_memory()
Vojtech Trefny eabe00 
-                if mem_limit:
Vojtech Trefny eabe00 
-                    self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
Vojtech Trefny eabe00 
-                    luks_data.pbkdf_args = self.pbkdf_args
Vojtech Trefny eabe00 
-                    log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
Vojtech Trefny eabe00 
+                # argon is not used with FIPS so we don't need to adjust the memory when in FIPS mode
Vojtech Trefny eabe00 
+                if not crypto.is_fips_enabled():
Vojtech Trefny eabe00 
+                    mem_limit = crypto.calculate_luks2_max_memory()
Vojtech Trefny eabe00 
+                    if mem_limit:
Vojtech Trefny eabe00 
+                        self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
Vojtech Trefny eabe00 
+                        luks_data.pbkdf_args = self.pbkdf_args
Vojtech Trefny eabe00 
+                        log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
         if self.pbkdf_args:
Vojtech Trefny eabe00 
             pbkdf = blockdev.CryptoLUKSPBKDF(type=self.pbkdf_args.type,
Vojtech Trefny eabe00 
diff --git a/tests/unit_tests/formats_tests/luks_test.py b/tests/unit_tests/formats_tests/luks_test.py
Vojtech Trefny eabe00 
index ec7b7592..1127e968 100644
Vojtech Trefny eabe00 
--- a/tests/unit_tests/formats_tests/luks_test.py
Vojtech Trefny eabe00 
+++ b/tests/unit_tests/formats_tests/luks_test.py
Vojtech Trefny eabe00 
@@ -6,9 +6,14 @@ except ImportError:
Vojtech Trefny eabe00 
 import unittest
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
 from blivet.formats.luks import LUKS
Vojtech Trefny eabe00 
+from blivet.size import Size
Vojtech Trefny eabe00 
+from blivet.static_data import luks_data
Vojtech Trefny eabe00
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
 class LUKSNodevTestCase(unittest.TestCase):
Vojtech Trefny eabe00 
+    def setUp(self):
Vojtech Trefny eabe00 
+        luks_data.pbkdf_args = None
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
     def test_create_discard_option(self):
Vojtech Trefny eabe00 
         # flags.discard_new=False --> no discard
Vojtech Trefny eabe00 
         fmt = LUKS(exists=False)
Vojtech Trefny eabe00 
@@ -51,6 +56,31 @@ class LUKSNodevTestCase(unittest.TestCase):
Vojtech Trefny eabe00 
         fmt = LUKS(cipher="aes-cbc-plain64")
Vojtech Trefny eabe00 
         self.assertEqual(fmt.key_size, 0)
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
+    def test_luks2_pbkdf_memory_fips(self):
Vojtech Trefny eabe00 
+        fmt = LUKS()
Vojtech Trefny eabe00 
+        with patch("blivet.formats.luks.blockdev.crypto") as bd:
Vojtech Trefny eabe00 
+            # fips enabled, pbkdf memory should not be set
Vojtech Trefny eabe00 
+            with patch("blivet.formats.luks.crypto") as crypto:
Vojtech Trefny eabe00 
+                attrs = {"is_fips_enabled.return_value": True,
Vojtech Trefny eabe00 
+                         "get_optimal_luks_sector_size.return_value": 0,
Vojtech Trefny eabe00 
+                         "calculate_luks2_max_memory.return_value": Size("256 MiB")}
Vojtech Trefny eabe00 
+                crypto.configure_mock(**attrs)
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
+                fmt._create()
Vojtech Trefny eabe00 
+                crypto.calculate_luks2_max_memory.assert_not_called()
Vojtech Trefny eabe00 
+                self.assertEqual(bd.luks_format.call_args[1]["extra"].pbkdf.max_memory_kb, 0)
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
+            # fips disabled, pbkdf memory should be set
Vojtech Trefny eabe00 
+            with patch("blivet.formats.luks.crypto") as crypto:
Vojtech Trefny eabe00 
+                attrs = {"is_fips_enabled.return_value": False,
Vojtech Trefny eabe00 
+                         "get_optimal_luks_sector_size.return_value": 0,
Vojtech Trefny eabe00 
+                         "calculate_luks2_max_memory.return_value": Size("256 MiB")}
Vojtech Trefny eabe00 
+                crypto.configure_mock(**attrs)
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
+                fmt._create()
Vojtech Trefny eabe00 
+                crypto.calculate_luks2_max_memory.assert_called()
Vojtech Trefny eabe00 
+                self.assertEqual(bd.luks_format.call_args[1]["extra"].pbkdf.max_memory_kb, 256 * 1024)
Vojtech Trefny eabe00 
+
Vojtech Trefny eabe00 
     def test_sector_size(self):
Vojtech Trefny eabe00 
         fmt = LUKS()
Vojtech Trefny eabe00 
         self.assertEqual(fmt.luks_sector_size, 512)
Vojtech Trefny eabe00 
diff --git a/tests/unit_tests/formats_tests/methods_test.py b/tests/unit_tests/formats_tests/methods_test.py
Vojtech Trefny eabe00 
index 2743b7db..5d30c260 100644
Vojtech Trefny eabe00 
--- a/tests/unit_tests/formats_tests/methods_test.py
Vojtech Trefny eabe00 
+++ b/tests/unit_tests/formats_tests/methods_test.py
Vojtech Trefny eabe00 
@@ -366,7 +366,8 @@ class LUKSMethodsTestCase(FormatMethodsTestCase):
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
     def _test_create_backend(self):
Vojtech Trefny eabe00 
         self.format.exists = False
Vojtech Trefny eabe00 
-        self.format.create()
Vojtech Trefny eabe00 
+        with patch("blivet.devicelibs.crypto.is_fips_enabled", return_value=False):
Vojtech Trefny eabe00 
+            self.format.create()
Vojtech Trefny eabe00 
         self.assertTrue(self.patches["blockdev"].crypto.luks_format.called)  # pylint: disable=no-member
Vojtech Trefny eabe00
Vojtech Trefny eabe00 
     def _test_setup_backend(self):
Vojtech Trefny eabe00 
--
Vojtech Trefny eabe00 
2.40.1
Vojtech Trefny eabe00

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation