import cryptsetup-2.2.2-1.el8
This commit is contained in:
parent
cc07955f56
commit
d593ab67c2
@ -1 +1 @@
|
||||
bb89099b839b962a13efacdd52d6ce6e408ca971 SOURCES/cryptsetup-2.2.0.tar.xz
|
||||
135dc2e7b84bc8c74f01447f93d1392485b47a37 SOURCES/cryptsetup-2.2.2.tar.xz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/cryptsetup-2.2.0.tar.xz
|
||||
SOURCES/cryptsetup-2.2.2.tar.xz
|
||||
|
@ -1,70 +0,0 @@
|
||||
From 4862e22cd0ac9ed8395003c209d048889a009969 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Fri, 23 Aug 2019 16:34:33 +0200
|
||||
Subject: [PATCH 2/5] Add opt-io size parameter to LUKS2 reencrypt test device.
|
||||
|
||||
So that we can test recovery is not broken for optimal io size
|
||||
optimization added to reencryption code.
|
||||
---
|
||||
tests/luks2-reencryption-test | 21 ++++++++++++---------
|
||||
1 file changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
|
||||
index f88e7f1..558b8dd 100755
|
||||
--- a/tests/luks2-reencryption-test
|
||||
+++ b/tests/luks2-reencryption-test
|
||||
@@ -244,15 +244,16 @@ function fix_writes() { # $1 dmdev, $2 data dev
|
||||
}
|
||||
|
||||
function prepare_linear_dev() {
|
||||
- if [ "$1" -gt 32 ]; then
|
||||
- preparebig $1
|
||||
+ local _sizemb=$1
|
||||
+ shift
|
||||
+
|
||||
+ if [ "$_sizemb" -gt 32 ]; then
|
||||
+ preparebig $_sizemb
|
||||
else
|
||||
- prepare dev_size_mb=$1
|
||||
+ prepare dev_size_mb=$_sizemb $@
|
||||
fi
|
||||
|
||||
- local _size=$(blockdev --getsz $DEV)
|
||||
-
|
||||
- dmsetup create $OVRDEV --table "0 $_size linear $DEV 0" || fail
|
||||
+ dmsetup create $OVRDEV --table "0 $((_sizemb*1024*2)) linear $DEV 0" || fail
|
||||
|
||||
OLD_DEV=$DEV
|
||||
DEV=/dev/mapper/$OVRDEV
|
||||
@@ -875,7 +876,9 @@ if ! dm_delay_features; then
|
||||
fi
|
||||
|
||||
echo "[6] Reencryption recovery"
|
||||
-prepare_linear_dev 32
|
||||
+# (check opt-io size optimization in reencryption code does not affect recovery)
|
||||
+# device with opt-io size 32k
|
||||
+prepare_linear_dev 32 opt_blks=64 opt_xferlen_exp=6
|
||||
OFFSET=8192
|
||||
|
||||
echo "sector size 512->512"
|
||||
@@ -957,7 +960,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
|
||||
fi
|
||||
|
||||
echo "[8] Reencryption with detached header recovery"
|
||||
-prepare_linear_dev 31
|
||||
+prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
|
||||
|
||||
echo "sector size 512->512"
|
||||
|
||||
@@ -1076,7 +1079,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
|
||||
fi
|
||||
|
||||
echo "[12] Encryption with detached header recovery"
|
||||
-prepare_linear_dev 31
|
||||
+prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
|
||||
|
||||
get_error_offsets 31 0
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,158 +0,0 @@
|
||||
From 8f8f0b3258152a260c6a40be89b485f943f81484 Mon Sep 17 00:00:00 2001
|
||||
From: Milan Broz <gmazyland@gmail.com>
|
||||
Date: Mon, 26 Aug 2019 10:01:17 +0200
|
||||
Subject: [PATCH] Fix mapped segments overflow on 32bit architectures.
|
||||
|
||||
All set_segment funcions must use uin64_t everywhere,
|
||||
not size_t that is platform dependent.
|
||||
|
||||
The code later uses it correctly, it is just wrong function
|
||||
prototype definitions.
|
||||
|
||||
Reported in
|
||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935702
|
||||
|
||||
(TODO: add a test for other segment types.)
|
||||
---
|
||||
lib/libdevmapper.c | 12 ++++++------
|
||||
lib/utils_dm.h | 12 ++++++------
|
||||
tests/integrity-compat-test | 26 ++++++++++++++++++++++++++
|
||||
3 files changed, 38 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
|
||||
index e92ceda..9c40bb1 100644
|
||||
--- a/lib/libdevmapper.c
|
||||
+++ b/lib/libdevmapper.c
|
||||
@@ -2759,9 +2759,9 @@ int dm_is_dm_kernel_name(const char *name)
|
||||
return strncmp(name, "dm-", 3) ? 0 : 1;
|
||||
}
|
||||
|
||||
-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
+int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
struct device *data_device, struct volume_key *vk, const char *cipher,
|
||||
- size_t iv_offset, size_t data_offset, const char *integrity, uint32_t tag_size,
|
||||
+ uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size,
|
||||
uint32_t sector_size)
|
||||
{
|
||||
int r = -EINVAL;
|
||||
@@ -2800,7 +2800,7 @@ err:
|
||||
return r;
|
||||
}
|
||||
|
||||
-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
+int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
struct device *data_device, struct device *hash_device, struct device *fec_device,
|
||||
const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
|
||||
uint64_t hash_blocks, struct crypt_params_verity *vp)
|
||||
@@ -2826,7 +2826,7 @@ int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_si
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
+int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
struct device *meta_device,
|
||||
struct device *data_device, uint64_t tag_size, uint64_t offset,
|
||||
uint32_t sector_size, struct volume_key *vk,
|
||||
@@ -2865,8 +2865,8 @@ int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
- struct device *data_device, size_t data_offset)
|
||||
+int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
+ struct device *data_device, uint64_t data_offset)
|
||||
{
|
||||
if (!data_device)
|
||||
return -EINVAL;
|
||||
diff --git a/lib/utils_dm.h b/lib/utils_dm.h
|
||||
index 4a1e1d3..124a1c7 100644
|
||||
--- a/lib/utils_dm.h
|
||||
+++ b/lib/utils_dm.h
|
||||
@@ -168,22 +168,22 @@ void dm_backend_exit(struct crypt_device *cd);
|
||||
int dm_targets_allocate(struct dm_target *first, unsigned count);
|
||||
void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd);
|
||||
|
||||
-int dm_crypt_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
+int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
struct device *data_device, struct volume_key *vk, const char *cipher,
|
||||
- size_t iv_offset, size_t data_offset, const char *integrity,
|
||||
+ uint64_t iv_offset, uint64_t data_offset, const char *integrity,
|
||||
uint32_t tag_size, uint32_t sector_size);
|
||||
-int dm_verity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
+int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
struct device *data_device, struct device *hash_device, struct device *fec_device,
|
||||
const char *root_hash, uint32_t root_hash_size, uint64_t hash_offset_block,
|
||||
uint64_t hash_blocks, struct crypt_params_verity *vp);
|
||||
-int dm_integrity_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
+int dm_integrity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
struct device *meta_device,
|
||||
struct device *data_device, uint64_t tag_size, uint64_t offset, uint32_t sector_size,
|
||||
struct volume_key *vk,
|
||||
struct volume_key *journal_crypt_key, struct volume_key *journal_mac_key,
|
||||
const struct crypt_params_integrity *ip);
|
||||
-int dm_linear_target_set(struct dm_target *tgt, size_t seg_offset, size_t seg_size,
|
||||
- struct device *data_device, size_t data_offset);
|
||||
+int dm_linear_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
|
||||
+ struct device *data_device, uint64_t data_offset);
|
||||
|
||||
int dm_remove_device(struct crypt_device *cd, const char *name, uint32_t flags);
|
||||
int dm_status_device(struct crypt_device *cd, const char *name);
|
||||
diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
|
||||
index 5f2c14e..836975d 100755
|
||||
--- a/tests/integrity-compat-test
|
||||
+++ b/tests/integrity-compat-test
|
||||
@@ -9,6 +9,8 @@ INTSETUP_VALGRIND=../.libs/integritysetup
|
||||
INTSETUP_LIB_VALGRIND=../.libs
|
||||
|
||||
DEV_NAME=dmc_test
|
||||
+DEV_NAME_BIG=dmc_fake
|
||||
+DEV_LOOP=""
|
||||
DEV=test123.img
|
||||
DEV2=test124.img
|
||||
KEY_FILE=key.img
|
||||
@@ -20,6 +22,9 @@ dmremove() { # device
|
||||
|
||||
cleanup() {
|
||||
[ -b /dev/mapper/$DEV_NAME ] && dmremove $DEV_NAME
|
||||
+ [ -b /dev/mapper/$DEV_NAME_BIG ] && dmremove $DEV_NAME_BIG
|
||||
+ [ -n "$DEV_LOOP" ] && losetup -d "$DEV_LOOP"
|
||||
+ DEV_LOOP=""
|
||||
rm -f $DEV $DEV2 $KEY_FILE >/dev/null 2>&1
|
||||
}
|
||||
|
||||
@@ -292,6 +297,7 @@ int_mode() # alg tag_size sector_size [keyfile keysize]
|
||||
|
||||
[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
|
||||
[ ! -x "$INTSETUP" ] && skip "Cannot find $INTSETUP, test skipped."
|
||||
+which blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
|
||||
|
||||
[ -n "$VALG" ] && valgrind_setup && INTSETUP=valgrind_run
|
||||
which hexdump >/dev/null 2>&1 || skip "WARNING: hexdump tool required."
|
||||
@@ -389,4 +395,24 @@ else
|
||||
echo "[N/A]"
|
||||
fi
|
||||
|
||||
+echo -n "Big device:"
|
||||
+add_device
|
||||
+DEV_LOOP=$(losetup -f $DEV --show)
|
||||
+if [ -n "$DEV_LOOP" ] ; then
|
||||
+dmsetup create $DEV_NAME_BIG <<EOF
|
||||
+0 16284 linear $DEV_LOOP 0
|
||||
+16284 80000000000 zero
|
||||
+EOF
|
||||
+ [ ! -b /dev/mapper/$DEV_NAME_BIG ] && fail
|
||||
+ $INTSETUP format -q -s 512 --no-wipe /dev/mapper/$DEV_NAME_BIG
|
||||
+ $INTSETUP open /dev/mapper/$DEV_NAME_BIG $DEV_NAME || fail
|
||||
+ D_SIZE=$($INTSETUP dump /dev/mapper/$DEV_NAME_BIG | grep provided_data_sectors | sed -e 's/.*provided_data_sectors\ \+//g')
|
||||
+ A_SIZE=$(blockdev --getsz /dev/mapper/$DEV_NAME)
|
||||
+ # Compare strings (to avoid 64bit integers), not integers
|
||||
+ [ -n "$A_SIZE" -a "$D_SIZE" != "$A_SIZE" ] && fail
|
||||
+ echo "[OK]"
|
||||
+else
|
||||
+ echo "[N/A]"
|
||||
+fi
|
||||
+
|
||||
cleanup
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,65 +0,0 @@
|
||||
From d13a6f7487eb7519bc1e4302085b21ca98afabc0 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Kozina <okozina@redhat.com>
|
||||
Date: Thu, 22 Aug 2019 17:05:43 +0200
|
||||
Subject: [PATCH 1/5] Take optimal io size in account with LUKS2 reencryption.
|
||||
|
||||
If device properly exposes optimal io size, let's align
|
||||
reencryption hotzone to it. Otherwise device-mapper driver
|
||||
complaints about misaligned tables and reencryption performance
|
||||
is not optimal.
|
||||
---
|
||||
lib/luks2/luks2_reencrypt.c | 23 +++++++++++++++++++++--
|
||||
1 file changed, 21 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
|
||||
index 1d70aaf..1f5eb5f 100644
|
||||
--- a/lib/luks2/luks2_reencrypt.c
|
||||
+++ b/lib/luks2/luks2_reencrypt.c
|
||||
@@ -817,8 +817,13 @@ static int reencrypt_offset(struct luks2_hdr *hdr,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
-static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_context *rh, uint64_t keyslot_area_length, uint64_t length_max)
|
||||
+static uint64_t reencrypt_length(struct crypt_device *cd,
|
||||
+ struct luks2_hdr *hdr,
|
||||
+ struct luks2_reenc_context *rh,
|
||||
+ uint64_t keyslot_area_length,
|
||||
+ uint64_t length_max)
|
||||
{
|
||||
+ unsigned long dummy, optimal_alignment;
|
||||
uint64_t length;
|
||||
|
||||
if (rh->rp.type == REENC_PROTECTION_NONE)
|
||||
@@ -835,6 +840,20 @@ static uint64_t reencrypt_length(struct luks2_hdr *hdr, struct luks2_reenc_conte
|
||||
|
||||
length -= (length % rh->alignment);
|
||||
|
||||
+ /* Emits error later */
|
||||
+ if (!length)
|
||||
+ return length;
|
||||
+
|
||||
+ device_topology_alignment(cd, crypt_data_device(cd), &optimal_alignment, &dummy, length);
|
||||
+
|
||||
+ /* we have to stick with encryption sector size alignment */
|
||||
+ if (optimal_alignment % rh->alignment)
|
||||
+ return length;
|
||||
+
|
||||
+ /* align to opt-io size only if remaining size allows it */
|
||||
+ if (length > optimal_alignment)
|
||||
+ length -= (length % optimal_alignment);
|
||||
+
|
||||
return length;
|
||||
}
|
||||
|
||||
@@ -920,7 +939,7 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr
|
||||
} else
|
||||
rh->fixed_length = false;
|
||||
|
||||
- rh->length = reencrypt_length(hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT);
|
||||
+ rh->length = reencrypt_length(cd, hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT);
|
||||
if (reencrypt_offset(hdr, rh->direction, device_size, &rh->length, &rh->offset)) {
|
||||
log_dbg(cd, "Failed to get reencryption offset.");
|
||||
return -EINVAL;
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -4,8 +4,8 @@ Obsoletes: cryptsetup-python3
|
||||
|
||||
Summary: A utility for setting up encrypted disks
|
||||
Name: cryptsetup
|
||||
Version: 2.2.0
|
||||
Release: 2%{?dist}
|
||||
Version: 2.2.2
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: Applications/System
|
||||
URL: https://gitlab.com/cryptsetup/cryptsetup
|
||||
@ -23,9 +23,6 @@ Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-%{ups
|
||||
Patch0: %{name}-add-system-library-paths.patch
|
||||
# Remove the patch when (if ever) osci infrastructure gets stable enough
|
||||
Patch1: %{name}-disable-verity-compat-test.patch
|
||||
Patch2: %{name}-2.2.1-fix-mapped-segments-overflow-on-32bit-architectures.patch
|
||||
Patch3: %{name}-2.2.1-take-optimal-io-size-in-account-with-LUKS2-reencrypt.patch
|
||||
Patch4: %{name}-2.2.1-add-opt-io-size-parameter-to-LUKS2-reencrypt-test-de.patch
|
||||
|
||||
%description
|
||||
The cryptsetup package contains a utility for setting up
|
||||
@ -82,9 +79,6 @@ can be used for offline reencryption of disk in situ.
|
||||
%prep
|
||||
%setup -q -n cryptsetup-%{upstream_version}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch0 -p1
|
||||
chmod -x misc/dracut_90reencrypt/*
|
||||
|
||||
@ -144,6 +138,14 @@ rm -rf %{buildroot}/%{_libdir}/*.la
|
||||
%clean
|
||||
|
||||
%changelog
|
||||
* Mon Nov 18 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.2-1
|
||||
- Update to cryptsetup 2.2.2
|
||||
- LUKS2 reencryption honors activation flags (one time and persistent).
|
||||
- LUKS2 reencryption works also without volume keys put in kernel
|
||||
keyring service.
|
||||
- Resolves: #1757783 #1750680 #1753597 #1743399
|
||||
|
||||
- Resolves: #1742815 #1746532
|
||||
* Fri Aug 30 2019 Ondrej Kozina <okozina@redhat.com> - 2.2.0-2
|
||||
- patch: Fix mapped segments overflow on 32bit architectures.
|
||||
- patch: Take optimal io size in account with LUKS2 reencryption.
|
||||
|
Loading…
Reference in New Issue
Block a user