rpms/cryptsetup
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Additional cryptsetup fixes for 2.8.1

Browse Source 
Resolves: RHEL-122297 RHEL-125152 RHEL-125167 RHEL-132585 RHEL-140106
This commit is contained in:
Kristina Hanicova 2025-12-18 15:20:28 +01:00
parent 77fc5ab21a
commit aea524f79f
7 changed files with 347 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch Normal file
View File

@ -0,0 +1,31 @@
From 55e0209a4e751e4edb3662827a57cd5d330f30c2 Mon Sep 17 00:00:00 2001
Message-ID: <55e0209a4e751e4edb3662827a57cd5d330f30c2.1766066332.git.khanicov@redhat.com>
From: Milan Broz <gmazyland@gmail.com>
Date: Thu, 11 Dec 2025 23:40:14 +0100
Subject: [PATCH] Fix LUKS2 device status in inline HW mode and detached header
Internal type is not set if detached header is not specified,
but inline tag check should be done anyway.
---
lib/setup.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index 3a411733..1ee02db5 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5838,8 +5838,12 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
if (r < 0)
return r;
- /* For LUKS2 with integrity we need flags from underlying dm-integrity */
- if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd) &&
+ /*
+ * For integrity and LUKS2 (and detached header where context is NULL)
+ * we need flags from underlying dm-integrity device.
+ * This check must be skipped for non-LUKS2 integrity device.
+ */
+ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
(iname = dm_get_active_iname(cd, name))) {
if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
dmd.flags |= dmdi.flags;

29
cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch Normal file
View File

@ -0,0 +1,29 @@
From a8e8e39007f9a3ab91267ff2b4f0aee45cc48752 Mon Sep 17 00:00:00 2001
Message-ID: <a8e8e39007f9a3ab91267ff2b4f0aee45cc48752.1766065101.git.khanicov@redhat.com>
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 30 Oct 2025 13:59:52 +0100
Subject: [PATCH] Fix possible use of uninitialized variable.
device_tag_size variable was not initialized and used
when device_is_nop_dif returned negative error code.
---
lib/setup.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/setup.c b/lib/setup.c
index 37e6f7d9..48b67ce6 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -3045,7 +3045,11 @@ int crypt_format_inline(struct crypt_device *cd,
iparams->journal_integrity_key_size))
return -EINVAL;
- if (!device_is_nop_dif(idevice, &device_tag_size)) {
+ r = device_is_nop_dif(idevice, &device_tag_size);
+ if (r < 0)
+ return r;
+
+ if (!r) {
log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd));
return -EINVAL;
}

49
cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch Normal file
View File

@ -0,0 +1,49 @@
From 9810c6fb2f24073796aa1482680151ddbc668790 Mon Sep 17 00:00:00 2001
Message-ID: <9810c6fb2f24073796aa1482680151ddbc668790.1766065092.git.khanicov@redhat.com>
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 17 Oct 2025 15:13:41 +0200
Subject: [PATCH] Read integrity profile info from top level device.
When formating device with --integrity-inline option
there's a check if underlying device properly advertise
integrity profile support. The check did not work
properly for partition device nodes. We have to read
integrity profile info from top level block device.
Fixes: #964.
---
lib/utils_device.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/utils_device.c b/lib/utils_device.c
index 90ec9de4..1cdbcc65 100644
--- a/lib/utils_device.c
+++ b/lib/utils_device.c
@@ -1004,12 +1004,26 @@ int device_is_zoned(struct device *device)
int device_is_nop_dif(struct device *device, uint32_t *tag_size)
{
+ char *base_device_path;
+ int r;
struct stat st;
if (!device)
return -EINVAL;
- if (stat(device_path(device), &st) < 0)
+ /*
+ * For partition devices, check integrity profile on the base device.
+ * Partition device nodes don't advertise integrity profile directly
+ * via sysfs attributes.
+ */
+ base_device_path = crypt_get_base_device(device_path(device));
+ if (base_device_path) {
+ r = stat(base_device_path, &st);
+ free(base_device_path);
+ } else
+ r = stat(device_path(device), &st);
+
+ if (r < 0)
return -EINVAL;
if (!S_ISBLK(st.st_mode))

41
cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch Normal file
View File

@ -0,0 +1,41 @@
From 5d69c34f59dbe7fce07d76057fc39198666ab44e Mon Sep 17 00:00:00 2001
Message-ID: <5d69c34f59dbe7fce07d76057fc39198666ab44e.1766065109.git.khanicov@redhat.com>
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 27 Nov 2025 10:49:24 +0100
Subject: [PATCH] Reinstate pbkdf serialization flag in device activation.
crypt_activate_by_keyslot_context never respected pbkdf serialation
flag (CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF).
In fact it worked only when device was activated via passphrase or via
passphrase file. It was never respected when device was activated
by a token for example.
When the internal code was fully switched to activation via keyslot
context the legacy code for passphrase based activation was dropped
and we lost track of serialization flag completely.
This fixes all of the issues so now the serialization flag will be
respected also with tokens (and all other activation methods unlocking
LUKS2 keyslot with memory hard pbkdf).
Fixes: 58385d68d8f4 (Allow activation via keyslot context)
Fixes: #968.
---
lib/setup.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/setup.c b/lib/setup.c
index f1b2033b..367d2d11 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5450,6 +5450,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
}
+ if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
+ cd->memory_hard_pbkdf_lock_enabled = true;
+
/* acquire the volume key(s) */
r = -EINVAL;
if (isLUKS1(cd->type)) {

38
cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch Normal file
View File

@ -0,0 +1,38 @@
From cdb6a5626089a56a7a135042be7c157acda70506 Mon Sep 17 00:00:00 2001
Message-ID: <cdb6a5626089a56a7a135042be7c157acda70506.1766065116.git.khanicov@redhat.com>
From: Kristina Hanicova <khanicov@redhat.com>
Date: Wed, 10 Dec 2025 17:58:36 +0100
Subject: [PATCH] Set inline integrity flag if no underlying dm-integrity
device
Cryptsetup status does not report when the hw inline integrity is
set without the underlying dm-integrity device.
Fixes: #965
---
lib/setup.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index 1ee02db5..93c7ef5f 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5843,11 +5843,13 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
* we need flags from underlying dm-integrity device.
* This check must be skipped for non-LUKS2 integrity device.
*/
- if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
- (iname = dm_get_active_iname(cd, name))) {
- if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
- dmd.flags |= dmdi.flags;
- free(iname);
+ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd)) {
+ if ((iname = dm_get_active_iname(cd, name))) {
+ if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
+ dmd.flags |= dmdi.flags;
+ free(iname);
+ } else
+ dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
}
if (cd && isTCRYPT(cd->type)) {

143
cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch Normal file
View File

@ -0,0 +1,143 @@
From 7fa4cd930814073cb8abe997d8fac19a849daecd Mon Sep 17 00:00:00 2001
Message-ID: <7fa4cd930814073cb8abe997d8fac19a849daecd.1767967753.git.khanicov@redhat.com>
From: Milan Broz <gmazyland@gmail.com>
Date: Fri, 2 Jan 2026 20:58:26 +0100
Subject: [PATCH] Fix wrong device size status reports in cryptsetup and
integritysetup
In version 2.8.0 the status output was modified to strictly use
units and also bytes device size was added.
Unfortunately, the size was wrongly calculated if sector size was
different than 512-byte default.
Fixes: #972
---
src/cryptsetup.c | 8 +++-----
src/integritysetup.c | 6 ++----
src/veritysetup.c | 2 +-
tests/compat-test2 | 2 ++
tests/integrity-compat-test | 6 ++++++
tests/verity-compat-test | 4 ++++
6 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index d8b9e508..b9966f84 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -936,7 +936,6 @@ static int action_status(void)
char *backing_file;
const char *device;
int path = 0, r = 0, hw_enc;
- uint64_t sector_size;
/* perhaps a path, not a dm device name */
if (strchr(action_argv[0], '/'))
@@ -1019,10 +1018,9 @@ static int action_status(void)
log_std(" loop: %s\n", backing_file);
free(backing_file);
}
- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
- log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * sector_size);
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
+ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
+ log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * SECTOR_SIZE);
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
if (cad.iv_offset)
log_std(" skipped: %" PRIu64 " [512-byte units]\n", cad.iv_offset);
log_std(" mode: %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
diff --git a/src/integritysetup.c b/src/integritysetup.c
index a1d77855..89c3edd3 100644
--- a/src/integritysetup.c
+++ b/src/integritysetup.c
@@ -424,7 +424,6 @@ static int action_status(void)
char *backing_file;
const char *device, *metadata_device;
int path = 0, r = 0;
- uint64_t sector_size;
/* perhaps a path, not a dm device name */
if (strchr(action_argv[0], '/'))
@@ -482,10 +481,9 @@ static int action_status(void)
free(backing_file);
}
}
- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
+ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
log_std(" interleave sectors: %u\n", ip.interleave_sectors);
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
log_std(" mode: %s%s\n",
cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write",
cad.flags & CRYPT_ACTIVATE_RECOVERY ? " recovery" : "");
diff --git a/src/veritysetup.c b/src/veritysetup.c
index 8e666e3f..d95db09b 100644
--- a/src/veritysetup.c
+++ b/src/veritysetup.c
@@ -395,7 +395,7 @@ static int action_status(void)
log_std(" data loop: %s\n", backing_file);
free(backing_file);
}
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * (uint64_t)SECTOR_SIZE);
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
"readonly" : "read/write");
diff --git a/tests/compat-test2 b/tests/compat-test2
index 373461eb..7350455b 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -816,9 +816,11 @@ if dm_crypt_sector_size_support; then
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
fi
$CRYPTSETUP close $DEV_NAME || fail
# Resize not aligned to logical block size
diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
index c40218cd..5aeea5c0 100755
--- a/tests/integrity-compat-test
+++ b/tests/integrity-compat-test
@@ -230,7 +230,13 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
status_check "tag size" "$4 [bytes]"
status_check "integrity" $2
status_check "sector size" "$5 [bytes]"
+
+ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
+ SIZE_512S=$(( $SIZE_BYTES / 512 ))
+ status_check " size" "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])"
+
int_check_sum $1 $6 $7 $8
+
echo -n "[REMOVE]"
$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
echo "[OK]"
diff --git a/tests/verity-compat-test b/tests/verity-compat-test
index 93ac405e..02b3d390 100755
--- a/tests/verity-compat-test
+++ b/tests/verity-compat-test
@@ -188,6 +188,9 @@ check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
$VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $ROOT_HASH >>$DEV_OUT 2>&1 || fail
check_exists
+ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
+ SIZE_512S=$(( $SIZE_BYTES / 512 ))
+ $VERITYSETUP status $DEV_NAME 2>/dev/null | grep " size:" | grep -q -F "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])" || fail
echo -n "[activate]"
dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null
@@ -474,6 +477,7 @@ export LANG=C
[ -n "$VALG" ] && valgrind_setup && VERITYSETUP=valgrind_run
modprobe dm-verity >/dev/null 2>&1
dmsetup targets | grep verity >/dev/null 2>&1 || skip "Cannot find dm-verity target, test skipped."
+command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
# VERITYSETUP tests

17
cryptsetup.spec
View File

@ -1,7 +1,7 @@
Summary: Utility for setting up encrypted disks
Name: cryptsetup
Version: 2.8.1
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+ and LGPLv2+
URL: https://gitlab.com/cryptsetup/cryptsetup
BuildRequires: autoconf, automake, libtool, gettext-devel,
@ -22,6 +22,12 @@ Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
Patch0004: %{name}-2.8.2-Improve-check-for-a-function-attribute-support.patch
Patch0005: %{name}-2.8.2-Read-integrity-profile-info-from-top-level-device.patch
Patch0006: %{name}-2.8.2-Fix-possible-use-of-uninitialized-variable.patch
Patch0007: %{name}-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch
Patch0008: %{name}-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch
Patch0009: %{name}-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch
Patch0010: %{name}-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch
%description
The cryptsetup package contains a utility for setting up
@ -106,6 +112,15 @@ rm -rf %{buildroot}%{_libdir}/*.la
%ghost %attr(700, -, -) %dir /run/cryptsetup
%changelog
* Thu Dec 18 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-3
- patch: Read integrity profile info from top level device.
- patch: Fix possible use of uninitialized variable.
- patch: Reinstate pbkdf serialization flag in device activation.
- patch: Fix LUKS2 device status in inline HW mode and detached header.
- patch: Set inline integrity flag if no underlying dm-integrity device.
- patch: Fix wrong device size status reports in cryptsetup and integritysetup.
- Resolves: RHEL-122297 RHEL-125152 RHEL-125167 RHEL-132585 RHEL-140106
* Fri Sep 12 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-2
- patch: Improve check for a function attribute support.
- Resolves: 100089