import UBI cryptsetup-2.8.1-2.el10

.gitignore

@@ -1 +1 @@
-cryptsetup-2.7.5.tar.xz
+cryptsetup-2.8.1.tar.xz

cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch

@@ -0,0 +1,31 @@
+From 55e0209a4e751e4edb3662827a57cd5d330f30c2 Mon Sep 17 00:00:00 2001
+Message-ID: <55e0209a4e751e4edb3662827a57cd5d330f30c2.1766066332.git.khanicov@redhat.com>
+From: Milan Broz <gmazyland@gmail.com>
+Date: Thu, 11 Dec 2025 23:40:14 +0100
+Subject: [PATCH] Fix LUKS2 device status in inline HW mode and detached header
+
+Internal type is not set if detached header is not specified,
+but inline tag check should be done anyway.
+---
+ lib/setup.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 3a411733..1ee02db5 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -5838,8 +5838,12 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
+ 	if (r < 0)
+ 		return r;
+ 
+-	/* For LUKS2 with integrity we need flags from underlying dm-integrity */
+-	if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd) &&
++	/*
++	 * For integrity and LUKS2 (and detached header where context is NULL)
++	 * we need flags from underlying dm-integrity device.
++	 * This check must be skipped for non-LUKS2 integrity device.
++	 */
++	if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
+ 		(iname = dm_get_active_iname(cd, name))) {
+ 		if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
+ 			dmd.flags |= dmdi.flags;

cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch

@@ -0,0 +1,29 @@
+From a8e8e39007f9a3ab91267ff2b4f0aee45cc48752 Mon Sep 17 00:00:00 2001
+Message-ID: <a8e8e39007f9a3ab91267ff2b4f0aee45cc48752.1766065101.git.khanicov@redhat.com>
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 30 Oct 2025 13:59:52 +0100
+Subject: [PATCH] Fix possible use of uninitialized variable.
+
+device_tag_size variable was not initialized and used
+when device_is_nop_dif returned negative error code.
+---
+ lib/setup.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 37e6f7d9..48b67ce6 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -3045,7 +3045,11 @@ int crypt_format_inline(struct crypt_device *cd,
+ 	    iparams->journal_integrity_key_size))
+ 		return -EINVAL;
+ 
+-	if (!device_is_nop_dif(idevice, &device_tag_size)) {
++	r = device_is_nop_dif(idevice, &device_tag_size);
++	if (r < 0)
++		return r;
++
++	if (!r) {
+ 		log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd));
+ 		return -EINVAL;
+ 	}

cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch

@@ -0,0 +1,49 @@
+From 9810c6fb2f24073796aa1482680151ddbc668790 Mon Sep 17 00:00:00 2001
+Message-ID: <9810c6fb2f24073796aa1482680151ddbc668790.1766065092.git.khanicov@redhat.com>
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Fri, 17 Oct 2025 15:13:41 +0200
+Subject: [PATCH] Read integrity profile info from top level device.
+
+When formating device with --integrity-inline option
+there's a check if underlying device properly advertise
+integrity profile support. The check did not work
+properly for partition device nodes. We have to read
+integrity profile info from top level block device.
+
+Fixes: #964.
+---
+ lib/utils_device.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/lib/utils_device.c b/lib/utils_device.c
+index 90ec9de4..1cdbcc65 100644
+--- a/lib/utils_device.c
++++ b/lib/utils_device.c
+@@ -1004,12 +1004,26 @@ int device_is_zoned(struct device *device)
+ 
+ int device_is_nop_dif(struct device *device, uint32_t *tag_size)
+ {
++	char *base_device_path;
++	int r;
+ 	struct stat st;
+ 
+ 	if (!device)
+ 		return -EINVAL;
+ 
+-	if (stat(device_path(device), &st) < 0)
++	/*
++	 * For partition devices, check integrity profile on the base device.
++	 * Partition device nodes don't advertise integrity profile directly
++	 * via sysfs attributes.
++	 */
++	base_device_path = crypt_get_base_device(device_path(device));
++	if (base_device_path) {
++		r = stat(base_device_path, &st);
++		free(base_device_path);
++	} else
++		r = stat(device_path(device), &st);
++
++	if (r < 0)
+ 		return -EINVAL;
+ 
+ 	if (!S_ISBLK(st.st_mode))

cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch

@@ -0,0 +1,41 @@
+From 5d69c34f59dbe7fce07d76057fc39198666ab44e Mon Sep 17 00:00:00 2001
+Message-ID: <5d69c34f59dbe7fce07d76057fc39198666ab44e.1766065109.git.khanicov@redhat.com>
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 27 Nov 2025 10:49:24 +0100
+Subject: [PATCH] Reinstate pbkdf serialization flag in device activation.
+
+crypt_activate_by_keyslot_context never respected pbkdf serialation
+flag (CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF).
+
+In fact it worked only when device was activated via passphrase or via
+passphrase file. It was never respected when device was activated
+by a token for example.
+
+When the internal code was fully switched to activation via keyslot
+context the legacy code for passphrase based activation was dropped
+and we lost track of serialization flag completely.
+
+This fixes all of the issues so now the serialization flag will be
+respected also with tokens (and all other activation methods unlocking
+LUKS2 keyslot with memory hard pbkdf).
+
+Fixes: 58385d68d8f4 (Allow activation via keyslot context)
+Fixes: #968.
+---
+ lib/setup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index f1b2033b..367d2d11 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -5450,6 +5450,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
+ 		return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
+ 	}
+ 
++	if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
++		cd->memory_hard_pbkdf_lock_enabled = true;
++
+ 	/* acquire the volume key(s) */
+ 	r = -EINVAL;
+ 	if (isLUKS1(cd->type)) {

cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch

@@ -0,0 +1,38 @@
+From cdb6a5626089a56a7a135042be7c157acda70506 Mon Sep 17 00:00:00 2001
+Message-ID: <cdb6a5626089a56a7a135042be7c157acda70506.1766065116.git.khanicov@redhat.com>
+From: Kristina Hanicova <khanicov@redhat.com>
+Date: Wed, 10 Dec 2025 17:58:36 +0100
+Subject: [PATCH] Set inline integrity flag if no underlying dm-integrity
+ device
+
+Cryptsetup status does not report when the hw inline integrity is
+set without the underlying dm-integrity device.
+
+Fixes: #965
+---
+ lib/setup.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 1ee02db5..93c7ef5f 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -5843,11 +5843,13 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
+ 	 * we need flags from underlying dm-integrity device.
+ 	 * This check must be skipped for non-LUKS2 integrity device.
+ 	 */
+-	if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
+-		(iname = dm_get_active_iname(cd, name))) {
+-		if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
+-			dmd.flags |= dmdi.flags;
+-		free(iname);
++	if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd)) {
++	    if ((iname = dm_get_active_iname(cd, name))) {
++	        if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
++	            dmd.flags |= dmdi.flags;
++	        free(iname);
++	    } else
++	        dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
+ 	}
+ 
+ 	if (cd && isTCRYPT(cd->type)) {

cryptsetup-2.8.2-opal-Submit-PSID-reset-command-to-R-W-file-descripto.patch

@@ -0,0 +1,38 @@
+From 4d98add260cfffcbfa4d233b5cf44d958691cde6 Mon Sep 17 00:00:00 2001
+Message-ID: <4d98add260cfffcbfa4d233b5cf44d958691cde6.1767995036.git.khanicov@redhat.com>
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Mon, 6 Oct 2025 10:37:35 +0200
+Subject: [PATCH] opal: Submit PSID reset command to R/W file descriptor.
+
+The PSID reset erases the block device it's submitted to
+succesfully.
+
+By submitting the command to read-only fd previously
+there were partition device nodes still visible in
+the /dev directory because kernel does not trigger rescan
+after OPAL2 PSID reset. Even though all the partition were
+actually erased (including the partition table).
+
+We workaround the issue by submitting the PSID reset
+to R/W fd so that it triggers rescan event on close.
+---
+ lib/luks2/hw_opal/hw_opal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/luks2/hw_opal/hw_opal.c b/lib/luks2/hw_opal/hw_opal.c
+index 8f88433f..ed1c5155 100644
+--- a/lib/luks2/hw_opal/hw_opal.c
++++ b/lib/luks2/hw_opal/hw_opal.c
+@@ -790,7 +790,11 @@ int opal_factory_reset(struct crypt_device *cd,
+ 	if (password_len > OPAL_KEY_MAX)
+ 		return -EINVAL;
+ 
+-	fd = device_open(cd, dev, O_RDONLY);
++	/*
++	 * Submit PSID reset on R/W file descriptor so it
++	 * triggers blkid rescan after we close it.
++	 */
++	fd = device_open(cd, dev, O_RDWR);
+ 	if (fd < 0)
+ 		return -EIO;
+ 

cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch

@@ -0,0 +1,143 @@
+From 7fa4cd930814073cb8abe997d8fac19a849daecd Mon Sep 17 00:00:00 2001
+Message-ID: <7fa4cd930814073cb8abe997d8fac19a849daecd.1767967753.git.khanicov@redhat.com>
+From: Milan Broz <gmazyland@gmail.com>
+Date: Fri, 2 Jan 2026 20:58:26 +0100
+Subject: [PATCH] Fix wrong device size status reports in cryptsetup and
+ integritysetup
+
+In version 2.8.0 the status output was modified to strictly use
+units and also bytes device size was added.
+
+Unfortunately, the size was wrongly calculated if sector size was
+different than 512-byte default.
+
+Fixes: #972
+---
+ src/cryptsetup.c            | 8 +++-----
+ src/integritysetup.c        | 6 ++----
+ src/veritysetup.c           | 2 +-
+ tests/compat-test2          | 2 ++
+ tests/integrity-compat-test | 6 ++++++
+ tests/verity-compat-test    | 4 ++++
+ 6 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index d8b9e508..b9966f84 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -936,7 +936,6 @@ static int action_status(void)
+ 	char *backing_file;
+ 	const char *device;
+ 	int path = 0, r = 0, hw_enc;
+-	uint64_t sector_size;
+ 
+ 	/* perhaps a path, not a dm device name */
+ 	if (strchr(action_argv[0], '/'))
+@@ -1019,10 +1018,9 @@ static int action_status(void)
+ 			log_std("  loop:    %s\n", backing_file);
+ 			free(backing_file);
+ 		}
+-		sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
+-		log_std("  sector size:  %" PRIu64 " [bytes]\n", sector_size);
+-		log_std("  offset:  %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * sector_size);
+-		log_std("  size:    %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
++		log_std("  sector size:  %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
++		log_std("  offset:  %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * SECTOR_SIZE);
++		log_std("  size:    %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
+ 		if (cad.iv_offset)
+ 			log_std("  skipped: %" PRIu64 " [512-byte units]\n", cad.iv_offset);
+ 		log_std("  mode:    %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
+diff --git a/src/integritysetup.c b/src/integritysetup.c
+index a1d77855..89c3edd3 100644
+--- a/src/integritysetup.c
++++ b/src/integritysetup.c
+@@ -424,7 +424,6 @@ static int action_status(void)
+ 	char *backing_file;
+ 	const char *device, *metadata_device;
+ 	int path = 0, r = 0;
+-	uint64_t sector_size;
+ 
+ 	/* perhaps a path, not a dm device name */
+ 	if (strchr(action_argv[0], '/'))
+@@ -482,10 +481,9 @@ static int action_status(void)
+ 				free(backing_file);
+ 			}
+ 		}
+-		sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
+-		log_std("  sector size:  %" PRIu64 " [bytes]\n", sector_size);
++		log_std("  sector size:  %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
+ 		log_std("  interleave sectors: %u\n", ip.interleave_sectors);
+-		log_std("  size:    %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
++		log_std("  size:    %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
+ 		log_std("  mode:    %s%s\n",
+ 			cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write",
+ 			cad.flags & CRYPT_ACTIVATE_RECOVERY ? " recovery" : "");
+diff --git a/src/veritysetup.c b/src/veritysetup.c
+index 8e666e3f..d95db09b 100644
+--- a/src/veritysetup.c
++++ b/src/veritysetup.c
+@@ -395,7 +395,7 @@ static int action_status(void)
+ 			log_std("  data loop:   %s\n", backing_file);
+ 			free(backing_file);
+ 		}
+-		log_std("  size:        %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * (uint64_t)SECTOR_SIZE);
++		log_std("  size:        %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
+ 		log_std("  mode:        %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
+ 					   "readonly" : "read/write");
+ 
+diff --git a/tests/compat-test2 b/tests/compat-test2
+index 373461eb..7350455b 100755
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -816,9 +816,11 @@ if dm_crypt_sector_size_support; then
+ 	echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+ 	echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
+ 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
++	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
+ 	echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
+ 	echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
+ 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
++	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
+ fi
+ $CRYPTSETUP close $DEV_NAME || fail
+ # Resize not aligned to logical block size
+diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
+index c40218cd..5aeea5c0 100755
+--- a/tests/integrity-compat-test
++++ b/tests/integrity-compat-test
+@@ -230,7 +230,13 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
+ 	status_check "tag size" "$4 [bytes]"
+ 	status_check "integrity" $2
+ 	status_check "sector size" "$5 [bytes]"
++
++	SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
++	SIZE_512S=$(( $SIZE_BYTES / 512 ))
++	status_check "  size" "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])"
++
+ 	int_check_sum $1 $6 $7 $8
++
+ 	echo -n "[REMOVE]"
+ 	$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
+ 	echo "[OK]"
+diff --git a/tests/verity-compat-test b/tests/verity-compat-test
+index 93ac405e..02b3d390 100755
+--- a/tests/verity-compat-test
++++ b/tests/verity-compat-test
+@@ -188,6 +188,9 @@ check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
+ 
+ 	$VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $ROOT_HASH  >>$DEV_OUT 2>&1 || fail
+ 	check_exists
++	SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
++	SIZE_512S=$(( $SIZE_BYTES / 512 ))
++	$VERITYSETUP status $DEV_NAME 2>/dev/null | grep " size:" | grep -q -F "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])" || fail
+ 	echo -n "[activate]"
+ 
+ 	dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null
+@@ -474,6 +477,7 @@ export LANG=C
+ [ -n "$VALG" ] && valgrind_setup && VERITYSETUP=valgrind_run
+ modprobe dm-verity >/dev/null 2>&1
+ dmsetup targets | grep verity >/dev/null 2>&1 || skip "Cannot find dm-verity target, test skipped."
++command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
+ 
+ # VERITYSETUP tests
+ 

cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch

@@ -1,23 +1,23 @@
-From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
+From 48af2c543e4bee3dff9bd95529bbf45106aa457e Mon Sep 17 00:00:00 2001
 From: Ondrej Kozina <okozina@redhat.com>
 Date: Mon, 5 Dec 2022 13:35:24 +0100
-Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
+Subject: [PATCH] Add FIPS related error message in keyslot add code.
 
 Add hints on what went wrong when creating new LUKS
 keyslots. The hint is printed only in FIPS mode and
 when pbkdf2 failed with passphrase shorter than 8
 bytes.
 ---
- lib/luks1/keymanage.c           | 5 ++++-
+ lib/luks1/keymanage.c           | 2 ++
  lib/luks2/luks2_keyslot_luks2.c | 2 ++
- 2 files changed, 6 insertions(+), 1 deletion(-)
+ 2 files changed, 4 insertions(+)
 
-Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
-===================================================================
---- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
-+++ cryptsetup-2.7.2/lib/luks1/keymanage.c
-@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
- 			derived_key->key, hdr->keyBytes,
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index 37929810..a7ef0a25 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -916,6 +916,8 @@ int LUKS_set_key(unsigned int keyIndex,
+ 			derived_key, hdr->keyBytes,
  			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
  	if (r < 0) {
 +		if (crypt_fips_mode() && passwordLen < 8)
@@ -25,16 +25,19 @@ Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
  		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
  		     hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
  			log_err(ctx, _("PBKDF2 iteration value overflow."));
-Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
-===================================================================
---- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
-+++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
-@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
- 		     pbkdf.iterations > INT_MAX)
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index ec68236c..f309125d 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -260,6 +260,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
  			log_err(cd, _("PBKDF2 iteration value overflow."));
- 		crypt_free_volume_key(derived_key);
+ 		if (r == -ENOMEM)
+ 			log_err(cd, _("Not enough memory for keyslot key derivation."));
 +		if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
 +			log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
- 		return r;
+ 		goto out;
  	}
  
+-- 
+2.50.1
+

cryptsetup.spec

@@ -1,6 +1,6 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.7.5
+Version: 2.8.1
 Release: 2%{?dist}
 License: GPL-2.0-or-later WITH cryptsetup-OpenSSL-exception AND LGPL-2.1-or-later WITH cryptsetup-OpenSSL-exception
 URL: https://gitlab.com/cryptsetup/cryptsetup
@@ -16,12 +16,19 @@ Obsoletes: %{name}-reencrypt <= %{version}
 Provides: %{name}-reencrypt = %{version}
 
 %global upstream_version %{version_no_tilde}
-Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-%{upstream_version}.tar.xz
 
 # Following patch has to applied last
 Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
 Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
 Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
+Patch0004: %{name}-2.8.2-opal-Submit-PSID-reset-command-to-R-W-file-descripto.patch
+Patch0005: %{name}-2.8.2-Read-integrity-profile-info-from-top-level-device.patch
+Patch0006: %{name}-2.8.2-Fix-possible-use-of-uninitialized-variable.patch
+Patch0007: %{name}-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch
+Patch0008: %{name}-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch
+Patch0009: %{name}-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch
+Patch0010: %{name}-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch
 
 %description
 The cryptsetup package contains a utility for setting up
@@ -102,13 +109,27 @@ rm -rf %{buildroot}%{_libdir}/%{name}/*.la
 %{_libdir}/pkgconfig/libcryptsetup.pc
 
 %files libs -f cryptsetup.lang
-%license COPYING COPYING.LGPL
+%license COPYING docs/licenses/COPYING.LGPL-2.1-or-later-WITH-cryptsetup-OpenSSL-exception
 %{_libdir}/libcryptsetup.so.*
 %dir %{_libdir}/%{name}/
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
 %changelog
+* Fri Jan 09 2026 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-2
+- patch: opal: Submit PSID reset command to R/W file descriptor.
+- patch: Read integrity profile info from top level device.
+- patch: Fix possible use of uninitialized variable.
+- patch: Reinstate pbkdf serialization flag in device activation.
+- patch: Fix LUKS2 device status in inline HW mode and detached header.
+- patch: Set inline integrity flag if no underlying dm-integrity device.
+- patch: Fix wrong device size status reports in cryptsetup and integritysetup.
+- Resolves: RHEL-122285 RHEL-125150 RHEL-125155 RHEL-125166 RHEL-132584 RHEL-140107
+
+* Wed Sep 03 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-1
+- Update to cryptsetup 2.8.1
+- Resolves: RHEL-96291
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.7.5-2
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018

sources

@@ -1 +1 @@
-SHA512 (cryptsetup-2.7.5.tar.xz) = 13eca93cdb00a143d2ca60b6f66ede5adc4072ca0c4bfebd8454a3541e69d269fcdb4afc97ad799e87a999b2bd46c1f31fa924a3d616d72a3337970b1e718d55
+SHA512 (cryptsetup-2.8.1.tar.xz) = a5171e18c55bfbc57330f2d46ab06b5ac6957392a77aef74c3d1c5295eb39962d1db19ddd3420ea1154d730b361d09e72bf5315c7a3d56eb36cee9c2531bca5d