rpms/cryptsetup
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import cryptsetup-2.2.2-1.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-04-28 05:42:23 -04:00 committed by Andrew Lukoshko
parent cc07955f56
commit d593ab67c2
6 changed files with 12 additions and 303 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cryptsetup.metadata
View File

@ -1 +1 @@
bb89099b839b962a13efacdd52d6ce6e408ca971 SOURCES/cryptsetup-2.2.0.tar.xz 135dc2e7b84bc8c74f01447f93d1392485b47a37 SOURCES/cryptsetup-2.2.2.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/cryptsetup-2.2.0.tar.xz SOURCES/cryptsetup-2.2.2.tar.xz

70
SOURCES/cryptsetup-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
View File

@ -1,70 +0,0 @@
From 4862e22cd0ac9ed8395003c209d048889a009969 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 23 Aug 2019 16:34:33 +0200
Subject: [PATCH 2/5] Add opt-io size parameter to LUKS2 reencrypt test device.
So that we can test recovery is not broken for optimal io size
optimization added to reencryption code.
---
tests/luks2-reencryption-test | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index f88e7f1..558b8dd 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -244,15 +244,16 @@ function fix_writes() { # $1 dmdev, $2 data dev
}
function prepare_linear_dev() {
- if [ "$1" -gt 32 ]; then
- preparebig $1
+ local _sizemb=$1
+ shift
+
+ if [ "$_sizemb" -gt 32 ]; then
+ preparebig $_sizemb
else
- prepare dev_size_mb=$1
+ prepare dev_size_mb=$_sizemb $@
fi
- local _size=$(blockdev --getsz $DEV)
-
- dmsetup create $OVRDEV --table "0 $_size linear $DEV 0" || fail
+ dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail
OLD_DEV=$DEV
DEV=/dev/mapper/$OVRDEV
@@ -875,7 +876,9 @@ if ! dm_delay_features; then
fi
echo "[6] Reencryption recovery"
-prepare_linear_dev 32
+# (check opt-io size optimization in reencryption code does not affect recovery)
+# device with opt-io size 32k
+prepare_linear_dev 32 opt_blks=64 opt_xferlen_exp=6
OFFSET=8192
echo "sector size 512->512"
@@ -957,7 +960,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
fi
echo "[8] Reencryption with detached header recovery"
-prepare_linear_dev 31
+prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
echo "sector size 512->512"
@@ -1076,7 +1079,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
fi
echo "[12] Encryption with detached header recovery"
-prepare_linear_dev 31
+prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
get_error_offsets 31 0
--
1.8.3.1

158
SOURCES/cryptsetup-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
View File

@ -1,158 +0,0 @@
From 8f8f0b3258152a260c6a40be89b485f943f81484 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 26 Aug 2019 10:01:17 +0200
Subject: [PATCH] Fix mapped segments overflow on 32bit architectures.
All set_segment funcions must use uin64_t everywhere,
not size_t that is platform dependent.
The code later uses it correctly, it is just wrong function
prototype definitions.
Reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935702
(TODO: add a test for other segment types.)
---
lib/libdevmapper.c | 12 ++++++------
lib/utils_dm.h | 12 ++++++------
tests/integrity-compat-test | 26 ++++++++++++++++++++++++++
3 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
index e92ceda..9c40bb1 100644
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -2759,9 +2759,9 @@ int dm_is_dm_kernel_name(const char *name)
return strncmp(name, "dm-", 3) ? 0 : 1;
}
-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
struct device *data_device, struct volume_key *vk, const char *cipher,
- size_t iv_offset, size_t data_offset, const char *integrity, uint32_t tag_size,
+ uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size,
uint32_t sector_size)
{
int r = -EINVAL;
@@ -2800,7 +2800,7 @@ err:
return r;
}
-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
struct device *data_device, struct device *hash_device, struct device *fec_device,
const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
uint64_t hash_blocks, struct crypt_params_verity *vp)
@@ -2826,7 +2826,7 @@ int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_si
return 0;
}
-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
struct device *meta_device,
struct device *data_device, uint64_t tag_size, uint64_t offset,
uint32_t sector_size, struct volume_key *vk,
@@ -2865,8 +2865,8 @@ int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg
return 0;
}
-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
- struct device *data_device, size_t data_offset)
+int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *data_device, uint64_t data_offset)
{
if (!data_device)
return -EINVAL;
diff --git a/lib/utils_dm.h b/lib/utils_dm.h
index 4a1e1d3..124a1c7 100644
--- a/lib/utils_dm.h
+++ b/lib/utils_dm.h
@@ -168,22 +168,22 @@ void dm_backend_exit(struct crypt_device *cd);
int dm_targets_allocate(struct dm_target *first, unsigned count);
void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd);
-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
struct device *data_device, struct volume_key *vk, const char *cipher,
- size_t iv_offset, size_t data_offset, const char *integrity,
+ uint64_t iv_offset, uint64_t data_offset, const char *integrity,
uint32_t tag_size, uint32_t sector_size);
-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
struct device *data_device, struct device *hash_device, struct device *fec_device,
const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
uint64_t hash_blocks, struct crypt_params_verity *vp);
-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
+int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
struct device *meta_device,
struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size,
struct volume_key *vk,
struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key,
const struct crypt_params_integrity *ip);
-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
- struct device *data_device, size_t data_offset);
+int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
+ struct device *data_device, uint64_t data_offset);
int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags);
int dm_status_device(struct crypt_device *cd, const char *name);
diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
index 5f2c14e..836975d 100755
--- a/tests/integrity-compat-test
+++ b/tests/integrity-compat-test
@@ -9,6 +9,8 @@ INTSETUP_VALGRIND=../.libs/integritysetup
INTSETUP_LIB_VALGRIND=../.libs
DEV_NAME=dmc_test
+DEV_NAME_BIG=dmc_fake
+DEV_LOOP=""
DEV=test123.img
DEV2=test124.img
KEY_FILE=key.img
@@ -20,6 +22,9 @@ dmremove() { # device
cleanup() {
[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
+ [ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG
+ [ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
+ DEV_LOOP=""
rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1
}
@@ -292,6 +297,7 @@ int_mode() # alg tag_size sector_size [keyfile keysize]
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
[ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped."
+which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
[ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run
which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required."
@@ -389,4 +395,24 @@ else
echo "[N/A]"
fi
+echo -n "Big device:"
+add_device
+DEV_LOOP=$(losetup -f $DEV --show)
+if [ -n "$DEV_LOOP" ] ; then
+dmsetup create $DEV_NAME_BIG <<EOF
+0 16284 linear $DEV_LOOP 0
+16284 80000000000 zero
+EOF
+ [ ! -b /dev/mapper/$DEV_NAME_BIG ] && fail
+ $INTSETUP format -q -s 512 --no-wipe /dev/mapper/$DEV_NAME_BIG
+ $INTSETUP open /dev/mapper/$DEV_NAME_BIG $DEV_NAME || fail
+ D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME_BIG | grep provided_data_sectors | sed -e 's/.*provided_data_sectors\ \+//g')
+ A_SIZE=$(blockdev --getsz /dev/mapper/$DEV_NAME)
+ # Compare strings (to avoid 64bit integers), not integers
+ [ -n "$A_SIZE" -a "$D_SIZE" != "$A_SIZE" ] && fail
+ echo "[OK]"
+else
+ echo "[N/A]"
+fi
+
cleanup
--
1.8.3.1

65
SOURCES/cryptsetup-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch
View File

@ -1,65 +0,0 @@
From d13a6f7487eb7519bc1e4302085b21ca98afabc0 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 22 Aug 2019 17:05:43 +0200
Subject: [PATCH 1/5] Take optimal io size in account with LUKS2 reencryption.
If device properly exposes optimal io size, let's align
reencryption hotzone to it. Otherwise device-mapper driver
complaints about misaligned tables and reencryption performance
is not optimal.
---
lib/luks2/luks2_reencrypt.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index 1d70aaf..1f5eb5f 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -817,8 +817,13 @@ static int reencrypt_offset(struct luks2_hdr *hdr,
return -EINVAL;
}
-static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_context *rh, uint64_t keyslot_area_length, uint64_t length_max)
+static uint64_t reencrypt_length(struct crypt_device *cd,
+ struct luks2_hdr *hdr,
+ struct luks2_reenc_context *rh,
+ uint64_t keyslot_area_length,
+ uint64_t length_max)
{
+ unsigned long dummy, optimal_alignment;
uint64_t length;
if (rh->rp.type == REENC_PROTECTION_NONE)
@@ -835,6 +840,20 @@ static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_conte
length -= (length % rh->alignment);
+ /* Emits error later */
+ if (!length)
+ return length;
+
+ device_topology_alignment(cd, crypt_data_device(cd), &optimal_alignment, &dummy, length);
+
+ /* we have to stick with encryption sector size alignment */
+ if (optimal_alignment % rh->alignment)
+ return length;
+
+ /* align to opt-io size only if remaining size allows it */
+ if (length > optimal_alignment)
+ length -= (length % optimal_alignment);
+
return length;
}
@@ -920,7 +939,7 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr
} else
rh->fixed_length = false;
- rh->length = reencrypt_length(hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT);
+ rh->length = reencrypt_length(cd, hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT);
if (reencrypt_offset(hdr, rh->direction, device_size, &rh->length, &rh->offset)) {
log_dbg(cd, "Failed to get reencryption offset.");
return -EINVAL;
--
1.8.3.1

18
SPECS/cryptsetup.spec
View File

@ -4,8 +4,8 @@ Obsoletes: cryptsetup-python3
Summary: A utility for setting up encrypted disks Summary: A utility for setting up encrypted disks
Name: cryptsetup Name: cryptsetup
Version: 2.2.0 Version: 2.2.2
Release: 2%{?dist} Release: 1%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Group: Applications/System Group: Applications/System
URL: https://gitlab.com/cryptsetup/cryptsetup URL: https://gitlab.com/cryptsetup/cryptsetup
@ -23,9 +23,6 @@ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{ups
Patch0: %{name}-add-system-library-paths.patch Patch0: %{name}-add-system-library-paths.patch
# Remove the patch when (if ever) osci infrastructure gets stable enough # Remove the patch when (if ever) osci infrastructure gets stable enough
Patch1: %{name}-disable-verity-compat-test.patch Patch1: %{name}-disable-verity-compat-test.patch
Patch2: %{name}-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
Patch3: %{name}-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch
Patch4: %{name}-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
%description %description
The cryptsetup package contains a utility for setting up The cryptsetup package contains a utility for setting up
@ -82,9 +79,6 @@ can be used for offline reencryption of disk in situ.
%prep %prep
%setup -q -n cryptsetup-%{upstream_version} %setup -q -n cryptsetup-%{upstream_version}
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch0 -p1 %patch0 -p1
chmod -x misc/dracut_90reencrypt/* chmod -x misc/dracut_90reencrypt/*
@ -144,6 +138,14 @@ rm -rf %{buildroot}/%{_libdir}/*.la
%clean %clean
%changelog %changelog
* Mon Nov 18 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.2-1
- Update to cryptsetup 2.2.2
- LUKS2 reencryption honors activation flags (one time and persistent).
- LUKS2 reencryption works also without volume keys put in kernel
keyring service.
- Resolves: #1757783 #1750680 #1753597 #1743399
- Resolves: #1742815 #1746532
* Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2 * Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2
- patch: Fix mapped segments overflow on 32bit architectures. - patch: Fix mapped segments overflow on 32bit architectures.
- patch: Take optimal io size in account with LUKS2 reencryption. - patch: Take optimal io size in account with LUKS2 reencryption.