From aea524f79f1e0546fe5c8a65dcd9e636e1bbeba2 Mon Sep 17 00:00:00 2001 From: Kristina Hanicova Date: Thu, 18 Dec 2025 15:20:28 +0100 Subject: [PATCH] Additional cryptsetup fixes for 2.8.1 Resolves: RHEL-122297 RHEL-125152 RHEL-125167 RHEL-132585 RHEL-140106 --- ...-status-in-inline-HW-mode-and-detach.patch | 31 ++++ ...ssible-use-of-uninitialized-variable.patch | 29 ++++ ...y-profile-info-from-top-level-device.patch | 49 ++++++ ...serialization-flag-in-device-activat.patch | 41 +++++ ...rity-flag-if-no-underlying-dm-integr.patch | 38 +++++ ...ce-size-status-reports-in-cryptsetup.patch | 143 ++++++++++++++++++ cryptsetup.spec | 17 ++- 7 files changed, 347 insertions(+), 1 deletion(-) create mode 100644 cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch create mode 100644 cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch create mode 100644 cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch create mode 100644 cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch create mode 100644 cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch create mode 100644 cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch diff --git a/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch b/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch new file mode 100644 index 0000000..674a104 --- /dev/null +++ b/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch @@ -0,0 +1,31 @@ +From 55e0209a4e751e4edb3662827a57cd5d330f30c2 Mon Sep 17 00:00:00 2001 +Message-ID: <55e0209a4e751e4edb3662827a57cd5d330f30c2.1766066332.git.khanicov@redhat.com> +From: Milan Broz +Date: Thu, 11 Dec 2025 23:40:14 +0100 +Subject: [PATCH] Fix LUKS2 device status in inline HW mode and detached header + +Internal type is not set if detached header is not specified, +but inline tag check should be done anyway. +--- + lib/setup.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/setup.c b/lib/setup.c +index 3a411733..1ee02db5 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -5838,8 +5838,12 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name, + if (r < 0) + return r; + +- /* For LUKS2 with integrity we need flags from underlying dm-integrity */ +- if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd) && ++ /* ++ * For integrity and LUKS2 (and detached header where context is NULL) ++ * we need flags from underlying dm-integrity device. ++ * This check must be skipped for non-LUKS2 integrity device. ++ */ ++ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) && + (iname = dm_get_active_iname(cd, name))) { + if (dm_query_device(cd, iname, 0, &dmdi) >= 0) + dmd.flags |= dmdi.flags; diff --git a/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch b/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch new file mode 100644 index 0000000..705f4cf --- /dev/null +++ b/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch @@ -0,0 +1,29 @@ +From a8e8e39007f9a3ab91267ff2b4f0aee45cc48752 Mon Sep 17 00:00:00 2001 +Message-ID: +From: Ondrej Kozina +Date: Thu, 30 Oct 2025 13:59:52 +0100 +Subject: [PATCH] Fix possible use of uninitialized variable. + +device_tag_size variable was not initialized and used +when device_is_nop_dif returned negative error code. +--- + lib/setup.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/setup.c b/lib/setup.c +index 37e6f7d9..48b67ce6 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -3045,7 +3045,11 @@ int crypt_format_inline(struct crypt_device *cd, + iparams->journal_integrity_key_size)) + return -EINVAL; + +- if (!device_is_nop_dif(idevice, &device_tag_size)) { ++ r = device_is_nop_dif(idevice, &device_tag_size); ++ if (r < 0) ++ return r; ++ ++ if (!r) { + log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd)); + return -EINVAL; + } diff --git a/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch b/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch new file mode 100644 index 0000000..47e4b2c --- /dev/null +++ b/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch @@ -0,0 +1,49 @@ +From 9810c6fb2f24073796aa1482680151ddbc668790 Mon Sep 17 00:00:00 2001 +Message-ID: <9810c6fb2f24073796aa1482680151ddbc668790.1766065092.git.khanicov@redhat.com> +From: Ondrej Kozina +Date: Fri, 17 Oct 2025 15:13:41 +0200 +Subject: [PATCH] Read integrity profile info from top level device. + +When formating device with --integrity-inline option +there's a check if underlying device properly advertise +integrity profile support. The check did not work +properly for partition device nodes. We have to read +integrity profile info from top level block device. + +Fixes: #964. +--- + lib/utils_device.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/lib/utils_device.c b/lib/utils_device.c +index 90ec9de4..1cdbcc65 100644 +--- a/lib/utils_device.c ++++ b/lib/utils_device.c +@@ -1004,12 +1004,26 @@ int device_is_zoned(struct device *device) + + int device_is_nop_dif(struct device *device, uint32_t *tag_size) + { ++ char *base_device_path; ++ int r; + struct stat st; + + if (!device) + return -EINVAL; + +- if (stat(device_path(device), &st) < 0) ++ /* ++ * For partition devices, check integrity profile on the base device. ++ * Partition device nodes don't advertise integrity profile directly ++ * via sysfs attributes. ++ */ ++ base_device_path = crypt_get_base_device(device_path(device)); ++ if (base_device_path) { ++ r = stat(base_device_path, &st); ++ free(base_device_path); ++ } else ++ r = stat(device_path(device), &st); ++ ++ if (r < 0) + return -EINVAL; + + if (!S_ISBLK(st.st_mode)) diff --git a/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch b/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch new file mode 100644 index 0000000..b0ac865 --- /dev/null +++ b/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch @@ -0,0 +1,41 @@ +From 5d69c34f59dbe7fce07d76057fc39198666ab44e Mon Sep 17 00:00:00 2001 +Message-ID: <5d69c34f59dbe7fce07d76057fc39198666ab44e.1766065109.git.khanicov@redhat.com> +From: Ondrej Kozina +Date: Thu, 27 Nov 2025 10:49:24 +0100 +Subject: [PATCH] Reinstate pbkdf serialization flag in device activation. + +crypt_activate_by_keyslot_context never respected pbkdf serialation +flag (CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF). + +In fact it worked only when device was activated via passphrase or via +passphrase file. It was never respected when device was activated +by a token for example. + +When the internal code was fully switched to activation via keyslot +context the legacy code for passphrase based activation was dropped +and we lost track of serialization flag completely. + +This fixes all of the issues so now the serialization flag will be +respected also with tokens (and all other activation methods unlocking +LUKS2 keyslot with memory hard pbkdf). + +Fixes: 58385d68d8f4 (Allow activation via keyslot context) +Fixes: #968. +--- + lib/setup.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/setup.c b/lib/setup.c +index f1b2033b..367d2d11 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -5450,6 +5450,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd, + return _activate_loopaes(cd, name, passphrase, passphrase_size, flags); + } + ++ if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF) ++ cd->memory_hard_pbkdf_lock_enabled = true; ++ + /* acquire the volume key(s) */ + r = -EINVAL; + if (isLUKS1(cd->type)) { diff --git a/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch b/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch new file mode 100644 index 0000000..9c77b47 --- /dev/null +++ b/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch @@ -0,0 +1,38 @@ +From cdb6a5626089a56a7a135042be7c157acda70506 Mon Sep 17 00:00:00 2001 +Message-ID: +From: Kristina Hanicova +Date: Wed, 10 Dec 2025 17:58:36 +0100 +Subject: [PATCH] Set inline integrity flag if no underlying dm-integrity + device + +Cryptsetup status does not report when the hw inline integrity is +set without the underlying dm-integrity device. + +Fixes: #965 +--- + lib/setup.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/lib/setup.c b/lib/setup.c +index 1ee02db5..93c7ef5f 100644 +--- a/lib/setup.c ++++ b/lib/setup.c +@@ -5843,11 +5843,13 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name, + * we need flags from underlying dm-integrity device. + * This check must be skipped for non-LUKS2 integrity device. + */ +- if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) && +- (iname = dm_get_active_iname(cd, name))) { +- if (dm_query_device(cd, iname, 0, &dmdi) >= 0) +- dmd.flags |= dmdi.flags; +- free(iname); ++ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd)) { ++ if ((iname = dm_get_active_iname(cd, name))) { ++ if (dm_query_device(cd, iname, 0, &dmdi) >= 0) ++ dmd.flags |= dmdi.flags; ++ free(iname); ++ } else ++ dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE); + } + + if (cd && isTCRYPT(cd->type)) { diff --git a/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch b/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch new file mode 100644 index 0000000..a75e9e6 --- /dev/null +++ b/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch @@ -0,0 +1,143 @@ +From 7fa4cd930814073cb8abe997d8fac19a849daecd Mon Sep 17 00:00:00 2001 +Message-ID: <7fa4cd930814073cb8abe997d8fac19a849daecd.1767967753.git.khanicov@redhat.com> +From: Milan Broz +Date: Fri, 2 Jan 2026 20:58:26 +0100 +Subject: [PATCH] Fix wrong device size status reports in cryptsetup and + integritysetup + +In version 2.8.0 the status output was modified to strictly use +units and also bytes device size was added. + +Unfortunately, the size was wrongly calculated if sector size was +different than 512-byte default. + +Fixes: #972 +--- + src/cryptsetup.c | 8 +++----- + src/integritysetup.c | 6 ++---- + src/veritysetup.c | 2 +- + tests/compat-test2 | 2 ++ + tests/integrity-compat-test | 6 ++++++ + tests/verity-compat-test | 4 ++++ + 6 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/src/cryptsetup.c b/src/cryptsetup.c +index d8b9e508..b9966f84 100644 +--- a/src/cryptsetup.c ++++ b/src/cryptsetup.c +@@ -936,7 +936,6 @@ static int action_status(void) + char *backing_file; + const char *device; + int path = 0, r = 0, hw_enc; +- uint64_t sector_size; + + /* perhaps a path, not a dm device name */ + if (strchr(action_argv[0], '/')) +@@ -1019,10 +1018,9 @@ static int action_status(void) + log_std(" loop: %s\n", backing_file); + free(backing_file); + } +- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE; +- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size); +- log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * sector_size); +- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size); ++ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE); ++ log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * SECTOR_SIZE); ++ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE); + if (cad.iv_offset) + log_std(" skipped: %" PRIu64 " [512-byte units]\n", cad.iv_offset); + log_std(" mode: %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ? +diff --git a/src/integritysetup.c b/src/integritysetup.c +index a1d77855..89c3edd3 100644 +--- a/src/integritysetup.c ++++ b/src/integritysetup.c +@@ -424,7 +424,6 @@ static int action_status(void) + char *backing_file; + const char *device, *metadata_device; + int path = 0, r = 0; +- uint64_t sector_size; + + /* perhaps a path, not a dm device name */ + if (strchr(action_argv[0], '/')) +@@ -482,10 +481,9 @@ static int action_status(void) + free(backing_file); + } + } +- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE; +- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size); ++ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE); + log_std(" interleave sectors: %u\n", ip.interleave_sectors); +- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size); ++ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE); + log_std(" mode: %s%s\n", + cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write", + cad.flags & CRYPT_ACTIVATE_RECOVERY ? " recovery" : ""); +diff --git a/src/veritysetup.c b/src/veritysetup.c +index 8e666e3f..d95db09b 100644 +--- a/src/veritysetup.c ++++ b/src/veritysetup.c +@@ -395,7 +395,7 @@ static int action_status(void) + log_std(" data loop: %s\n", backing_file); + free(backing_file); + } +- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * (uint64_t)SECTOR_SIZE); ++ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE); + log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ? + "readonly" : "read/write"); + +diff --git a/tests/compat-test2 b/tests/compat-test2 +index 373461eb..7350455b 100755 +--- a/tests/compat-test2 ++++ b/tests/compat-test2 +@@ -816,9 +816,11 @@ if dm_crypt_sector_size_support; then + echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail + echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail + $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail ++ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail + echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail + echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail + $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail ++ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail + fi + $CRYPTSETUP close $DEV_NAME || fail + # Resize not aligned to logical block size +diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test +index c40218cd..5aeea5c0 100755 +--- a/tests/integrity-compat-test ++++ b/tests/integrity-compat-test +@@ -230,7 +230,13 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize] + status_check "tag size" "$4 [bytes]" + status_check "integrity" $2 + status_check "sector size" "$5 [bytes]" ++ ++ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME) ++ SIZE_512S=$(( $SIZE_BYTES / 512 )) ++ status_check " size" "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])" ++ + int_check_sum $1 $6 $7 $8 ++ + echo -n "[REMOVE]" + $INTSETUP close $DEV_NAME || fail "Cannot deactivate device." + echo "[OK]" +diff --git a/tests/verity-compat-test b/tests/verity-compat-test +index 93ac405e..02b3d390 100755 +--- a/tests/verity-compat-test ++++ b/tests/verity-compat-test +@@ -188,6 +188,9 @@ check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset] + + $VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $ROOT_HASH >>$DEV_OUT 2>&1 || fail + check_exists ++ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME) ++ SIZE_512S=$(( $SIZE_BYTES / 512 )) ++ $VERITYSETUP status $DEV_NAME 2>/dev/null | grep " size:" | grep -q -F "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])" || fail + echo -n "[activate]" + + dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null +@@ -474,6 +477,7 @@ export LANG=C + [ -n "$VALG" ] && valgrind_setup && VERITYSETUP=valgrind_run + modprobe dm-verity >/dev/null 2>&1 + dmsetup targets | grep verity >/dev/null 2>&1 || skip "Cannot find dm-verity target, test skipped." ++command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped." + + # VERITYSETUP tests + diff --git a/cryptsetup.spec b/cryptsetup.spec index 1e8ee28..5a9705a 100644 --- a/cryptsetup.spec +++ b/cryptsetup.spec @@ -1,7 +1,7 @@ Summary: Utility for setting up encrypted disks Name: cryptsetup Version: 2.8.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ and LGPLv2+ URL: https://gitlab.com/cryptsetup/cryptsetup BuildRequires: autoconf, automake, libtool, gettext-devel, @@ -22,6 +22,12 @@ Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch Patch0004: %{name}-2.8.2-Improve-check-for-a-function-attribute-support.patch +Patch0005: %{name}-2.8.2-Read-integrity-profile-info-from-top-level-device.patch +Patch0006: %{name}-2.8.2-Fix-possible-use-of-uninitialized-variable.patch +Patch0007: %{name}-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch +Patch0008: %{name}-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch +Patch0009: %{name}-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch +Patch0010: %{name}-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch %description The cryptsetup package contains a utility for setting up @@ -106,6 +112,15 @@ rm -rf %{buildroot}%{_libdir}/*.la %ghost %attr(700, -, -) %dir /run/cryptsetup %changelog +* Thu Dec 18 2025 Kristina Hanicova - 2.8.1-3 +- patch: Read integrity profile info from top level device. +- patch: Fix possible use of uninitialized variable. +- patch: Reinstate pbkdf serialization flag in device activation. +- patch: Fix LUKS2 device status in inline HW mode and detached header. +- patch: Set inline integrity flag if no underlying dm-integrity device. +- patch: Fix wrong device size status reports in cryptsetup and integritysetup. +- Resolves: RHEL-122297 RHEL-125152 RHEL-125167 RHEL-132585 RHEL-140106 + * Fri Sep 12 2025 Kristina Hanicova - 2.8.1-2 - patch: Improve check for a function attribute support. - Resolves: 100089