From e28f15788856467c04c34106465e9c202fd61012 Mon Sep 17 00:00:00 2001
From: Kristina Hanicova <khanicov@redhat.com>
Date: Wed, 3 Sep 2025 15:59:23 +0200
Subject: [PATCH] Update to cryptsetup 2.8.1.

Resolves: RHEL-100089
---
 .gitignore                                    |  1 +
 cryptsetup-2.6.0.tar.sign                     | 16 ----
 ....3-bitlk-Ignore-unknown-VMK-entry-24.patch | 43 ----------
 ...encryption-for-misconfigured-devices.patch | 39 ----------
 ...-handle-device-as-suspended-on-error.patch | 35 ---------
 ...-of-direct-io-with-suspended-devices.patch | 78 -------------------
 ...encryption-checks-in-initialization-.patch | 35 ---------
 ...-status-also-for-unknow-target-types.patch | 28 -------
 cryptsetup-2.8.1.tar.sign                     | 16 ++++
 ...ed-error-message-in-keyslot-add-code.patch | 39 +++++-----
 cryptsetup-add-system-library-paths.patch     | 23 ------
 cryptsetup.spec                               | 24 +++---
 sources                                       |  2 +-
 13 files changed, 50 insertions(+), 329 deletions(-)
 delete mode 100644 cryptsetup-2.6.0.tar.sign
 delete mode 100644 cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
 delete mode 100644 cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
 delete mode 100644 cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
 delete mode 100644 cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
 delete mode 100644 cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
 delete mode 100644 cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
 create mode 100644 cryptsetup-2.8.1.tar.sign
 delete mode 100644 cryptsetup-add-system-library-paths.patch

diff --git a/.gitignore b/.gitignore
index 3d8f466..05adbbb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /tests.tar.xz
 /cryptsetup-2.6.0.tar.xz
 /cryptsetup-2.7.2.tar.xz
+/cryptsetup-2.8.1.tar.xz
diff --git a/cryptsetup-2.6.0.tar.sign b/cryptsetup-2.6.0.tar.sign
deleted file mode 100644
index 6b1aae6..0000000
--- a/cryptsetup-2.6.0.tar.sign
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmOEnKwACgkQ2bBXe9k+
-mPxHlg//Wt73l0gBiMwNUQdCtXL37+lWwUz2lxhfcs3Ud/tWb5M8/csw449JnF4c
-MnTMCX8qz51Sxxq4GEvk0L6+gv8d5w5hdIwZIE6ArQIVx0CH2BcG0qlQ53vcFlcr
-wvSVZyiggHsQX0YZgxWwrDX3+WRt+0S+F2tHTwW/1e/XXsb5Tqb2ksQcvFCvM71/
-EhT5BAaEZRC7pfIiDjIXkMGOnjxWpvkiimYzwiFnlt+Veaq4Xie+dWqM/wgrWNpb
-UYnD2ZIbQ3IXDTKUhCKoQHUcO743uB0WJf7I5DVNfWPAFmeSRvHrmgqk+Ijl5rnw
-WMlKU/3l5f3rXp1H46cfBBmpqmnDz2ikuYYgkHBDmpYr7F1SRpz1OV25V4uctah3
-SZ+Q0LpIiJAWOlgP64lRMYRZBsy0Vlx5sN2Y4OLUlPiRMeB0kcAPtoEN1302bzbs
-fGFsFqqImAHnaV+udGH/tHlrjNeJf8Yf3YmMaa46xJgqcLJE+GjIdAQ+IHrzATSg
-W4SLu2SZojeJq5rOMVJlYT6Ywg9hKWls7ltJilPqgBiwsDh9LWEWduTTNTzkXNs0
-sye8ZdTJ5k5aT82mJWhh/opeD5D7nS1+A1kLwskcuUL/8Llp+fZw5nZrVWKLb9Ik
-8NnlB0S90VDaQUh/bDzNRwH8P/EwdZ/W/iUAPONP48zUbxfd0Vk=
-=lIrc
------END PGP SIGNATURE-----
diff --git a/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch b/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
deleted file mode 100644
index 05d2bec..0000000
--- a/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From ef653d00a72b8257819f5ae5d3de9bc9f5039b3c Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Tue, 21 May 2024 10:54:55 +0200
-Subject: [PATCH] bitlk: Ignore unknown VMK entry 24
-
-This VMK value looks like a password hint (masked email?)
-we can safely ignore it.
-
-Fixes: #886
----
- lib/bitlk/bitlk.c | 3 +++
- lib/bitlk/bitlk.h | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c
-index ae533e5a..230e7101 100644
---- a/lib/bitlk/bitlk.c
-+++ b/lib/bitlk/bitlk.c
-@@ -324,6 +324,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
- 		/* unknown timestamps in recovery protected VMK */
- 		} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
- 			;
-+		/* optional hint (?) string (masked email?), we can safely ignore it */
-+		} else if (key_entry_value == BITLK_ENTRY_VALUE_HINT) {
-+			;
- 		} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
- 			if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
- 				return -EINVAL;
-diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h
-index 7eb73211..af8f6298 100644
---- a/lib/bitlk/bitlk.h
-+++ b/lib/bitlk/bitlk.h
-@@ -78,6 +78,7 @@ typedef enum {
- 	BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f,
- 	BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015,
- 	BITLK_ENTRY_VALUE_GUID = 0x0017,
-+	BITLK_ENTRY_VALUE_HINT = 0x0018,
- } BITLKFVEEntryValue;
- 
- struct bitlk_vmk {
--- 
-2.49.0
-
diff --git a/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch b/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
deleted file mode 100644
index d6a80d4..0000000
--- a/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 63bb997b41b8e92fe09ce8cb6582e094e00e19a6 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Mon, 26 Aug 2024 10:46:52 +0200
-Subject: [PATCH 08/10] Abort online reencryption for misconfigured devices.
-
-Hard abort is justified here. The online reencryption on
-data devices that do not support O_DIRECT io flag is
-dangerous and leads to data corruption. This should be
-impossible to hit due to a patch that handles it
-in initialization phase. Better safe than sorry.
----
- lib/luks2/luks2_reencrypt.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
-index 6519c1e3..05f69d18 100644
---- a/lib/luks2/luks2_reencrypt.c
-+++ b/lib/luks2/luks2_reencrypt.c
-@@ -4230,9 +4230,14 @@ int crypt_reencrypt_run(
- 
- 	log_dbg(cd, "Resuming LUKS2 reencryption.");
- 
--	if (rh->online && reencrypt_init_device_stack(cd, rh)) {
--		log_err(cd, _("Failed to initialize reencryption device stack."));
--		return -EINVAL;
-+	if (rh->online) {
-+		/* This is last resort to avoid data corruption. Abort is justified here. */
-+		assert(device_direct_io(crypt_data_device(cd)));
-+
-+		if (reencrypt_init_device_stack(cd, rh)) {
-+			log_err(cd, _("Failed to initialize reencryption device stack."));
-+			return -EINVAL;
-+		}
- 	}
- 
- 	log_dbg(cd, "Progress %" PRIu64 ", device_size %" PRIu64, rh->progress, rh->device_size);
--- 
-2.46.0
-
diff --git a/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch b/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
deleted file mode 100644
index 2f92d2c..0000000
--- a/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 53198bdea94e610e1e0378e3aff56e8d9f45ac09 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Thu, 22 Aug 2024 13:39:06 +0200
-Subject: [PATCH 01/10] Do not handle device as suspended on error.
-
-Consider device is suspended only if dm_status_suspended return code
-is true.
-
-This function returned -EEXIST for dm devices with target types unknown
-to libcryptsetup (for example dm-cache) and turned off O_DIRECT flag
-for devices unexpectedly.
-
-Turned out ignoring direct-io was a problem after all :).
-
-Fixes: 0f51b5bacbf7 (Do not run sector read check on suspended device.)
----
- lib/utils_device.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/utils_device.c b/lib/utils_device.c
-index 3e2ac4f3..eccaf048 100644
---- a/lib/utils_device.c
-+++ b/lib/utils_device.c
-@@ -178,7 +178,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
- 		if (devfd >= 0) {
- 			/* skip check for suspended DM devices */
- 			dm_name = device_dm_name(device);
--			if (dm_name && dm_status_suspended(cd, dm_name)) {
-+			if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
- 				close(devfd);
- 				devfd = -1;
- 			} else if (device_read_test(devfd) == 0) {
--- 
-2.46.0
-
diff --git a/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch b/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
deleted file mode 100644
index 3d1ce12..0000000
--- a/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 4cdd022ba42df17b027be7c35c7028d01b54cecc Mon Sep 17 00:00:00 2001
-From: Milan Broz <gmazyland@gmail.com>
-Date: Tue, 27 Aug 2024 12:13:54 +0200
-Subject: [PATCH 06/10] Fix detection of direct-io with suspended devices.
-
-Currently, direct-io is disabled if underlying device is suspended.
-
-This was an unfortunate change, as it is part of data corruption
-problem in online reenryption.
-
-Let's relax the test to assume that suspended device
-(suspended =>  must be a device-mapper device) supports direct-io.
-
-The read test is still needed as some network based devices
-misbehaves if opened with direct-io flag.
----
- lib/utils_device.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/lib/utils_device.c b/lib/utils_device.c
-index eccaf048..6b7af6e1 100644
---- a/lib/utils_device.c
-+++ b/lib/utils_device.c
-@@ -127,11 +127,19 @@ static size_t device_alignment_fd(int devfd)
- 	return (size_t)alignment;
- }
- 
--static int device_read_test(int devfd)
-+static int device_read_test(struct crypt_device *cd, int devfd, struct device *device)
- {
- 	char buffer[512];
- 	int r = -EIO;
- 	size_t minsize = 0, blocksize, alignment;
-+	const char *dm_name;
-+
-+	/* skip check for suspended DM devices */
-+	dm_name = device_dm_name(device);
-+	if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
-+		log_dbg(cd, "Device %s is suspended, assuming direct-io is supported.", dm_name);
-+		return 0;
-+	}
- 
- 	blocksize = device_block_size_fd(devfd, &minsize);
- 	alignment = device_alignment_fd(devfd);
-@@ -148,6 +156,8 @@ static int device_read_test(int devfd)
- 	if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
- 		r = 0;
- 
-+	log_dbg(cd, "Direct-io is supported and works.");
-+
- 	crypt_safe_memzero(buffer, sizeof(buffer));
- 	return r;
- }
-@@ -165,7 +175,6 @@ static int device_ready(struct crypt_device *cd, struct device *device)
- 	int devfd = -1, r = 0;
- 	struct stat st;
- 	size_t tmp_size;
--	const char *dm_name;
- 
- 	if (!device)
- 		return -EINVAL;
-@@ -176,12 +185,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
- 		device->o_direct = 0;
- 		devfd = open(device_path(device), O_RDONLY | O_DIRECT);
- 		if (devfd >= 0) {
--			/* skip check for suspended DM devices */
--			dm_name = device_dm_name(device);
--			if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
--				close(devfd);
--				devfd = -1;
--			} else if (device_read_test(devfd) == 0) {
-+			if (device_read_test(cd, devfd, device) == 0) {
- 				device->o_direct = 1;
- 			} else {
- 				close(devfd);
--- 
-2.46.0
-
diff --git a/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch b/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
deleted file mode 100644
index b59bb11..0000000
--- a/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 9991cbc306963c8f03eb6dad82fa6c12f75d3b97 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Mon, 26 Aug 2024 10:44:50 +0200
-Subject: [PATCH 07/10] Harden online reencryption checks in initialization
- phase.
-
-Verify the data device supports O_DIRECT io flag in
-the initialization phase. Online reencryption is not
-safe unless we can read and write the data in direct
-mode.
----
- lib/luks2/luks2_reencrypt.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
-index c77de3f6..6519c1e3 100644
---- a/lib/luks2/luks2_reencrypt.c
-+++ b/lib/luks2/luks2_reencrypt.c
-@@ -3788,6 +3788,13 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
- 	if (flags & CRYPT_REENCRYPT_RECOVERY)
- 		return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
- 
-+	if (name && !device_direct_io(crypt_data_device(cd))) {
-+		log_dbg(cd, "Device %s does not support direct I/O.", device_path(crypt_data_device(cd)));
-+		/* FIXME: Add more specific error mesage for translation later. */
-+		log_err(cd, _("Failed to initialize reencryption device stack."));
-+		return -EINVAL;
-+	}
-+
- 	if (cipher && !crypt_cipher_wrapped_key(cipher, cipher_mode)) {
- 		r = crypt_keyslot_get_key_size(cd, keyslot_new);
- 		if (r < 0)
--- 
-2.46.0
-
diff --git a/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch b/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
deleted file mode 100644
index f9d7fdc..0000000
--- a/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From aeada055d19cddeda68661dc929a78b2bee35e25 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina <okozina@redhat.com>
-Date: Thu, 22 Aug 2024 13:41:03 +0200
-Subject: [PATCH 1/9] Return suspended status also for unknow target types.
-
-This patch allows dm_status_suspended() to report if device
-is suspended or not also for unknown target types from
-libcryptsetup perspective (e.g.: dm-cache).
----
- lib/libdevmapper.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
-index b8592ffa..a562a2d7 100644
---- a/lib/libdevmapper.c
-+++ b/lib/libdevmapper.c
-@@ -1911,7 +1911,7 @@ int dm_status_suspended(struct crypt_device *cd, const char *name)
- 	r = dm_status_dmi(name, &dmi, NULL, NULL);
- 	dm_exit_context();
- 
--	if (r < 0)
-+	if (r < 0 && r != -EEXIST)
- 		return r;
- 
- 	return dmi.suspended ? 1 : 0;
--- 
-2.46.0
-
diff --git a/cryptsetup-2.8.1.tar.sign b/cryptsetup-2.8.1.tar.sign
new file mode 100644
index 0000000..4459bed
--- /dev/null
+++ b/cryptsetup-2.8.1.tar.sign
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmikPjAACgkQ2bBXe9k+
+mPzw4hAAqew2XZt7qfeHXNrx4Qx+5fh8J6kNBByMoBBBoNV778MUeE35hZ57L+0G
+fCRJTcWvZX9WUomSY3L/n1h/kGrk/G59clBNXyBo/VlqGy4TnDIyX/5RfN93Ysfr
+XzdZptH7PFLnhf6R9Y6bkRTCVdutW6WSW+CTeB6LnQHR97y2Jz/L+qTpExs9ujk9
+FMuMI2bO+i5QaisvAqS7/z0ba18xdgNqplj8DUFygtuJiUeshtW/RHBr21Y762Ut
+ZaliJbkww/XbI0CVyjoT0OrgRIpqr1tb1AwPNCU81MgCrB5q5pYOdcGkuRGIGKSG
++BC2qrHqlbNIu8SOu6JZ7mq2gkiyzz+Gg7AuKsvV9HPFkFEd40SIE2xNMxgwZtwB
+jW9d07Cg90qGcKLqESwb5bNXRFxw8aBXHaaZraC5mAoYfOXaQAL+FlBtbcsADoFy
+7TJEDyqC47nRB7dC0c8Cd7rqZ7nFWenf7oPXK87wFDIRDdv7OTtwD03fQdhy7j6N
++jX1vVH/xRDpEpcUTQyuo3CO/gN5w2TWPKHYFBkAV3qvQOTLKZXQCxyYNfSBfFmJ
+IyeRPYb/Euk46jX+xpCeoP540YAL6BoLTHyis5wjjM9jTXTMKFa5ZivrMlWaRKS5
+pp4EIpJlxuE8kGmKvMgPO3kgS4w3akjNpfdkeRWAPKaVVMzBY1Y=
+=tRD6
+-----END PGP SIGNATURE-----
diff --git a/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
index 9c303e4..cfbd204 100644
--- a/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
+++ b/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
@@ -1,23 +1,23 @@
-From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
+From 48af2c543e4bee3dff9bd95529bbf45106aa457e Mon Sep 17 00:00:00 2001
 From: Ondrej Kozina <okozina@redhat.com>
 Date: Mon, 5 Dec 2022 13:35:24 +0100
-Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
+Subject: [PATCH] Add FIPS related error message in keyslot add code.
 
 Add hints on what went wrong when creating new LUKS
 keyslots. The hint is printed only in FIPS mode and
 when pbkdf2 failed with passphrase shorter than 8
 bytes.
 ---
- lib/luks1/keymanage.c           | 5 ++++-
+ lib/luks1/keymanage.c           | 2 ++
  lib/luks2/luks2_keyslot_luks2.c | 2 ++
- 2 files changed, 6 insertions(+), 1 deletion(-)
+ 2 files changed, 4 insertions(+)
 
-Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
-===================================================================
---- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
-+++ cryptsetup-2.7.2/lib/luks1/keymanage.c
-@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
- 			derived_key->key, hdr->keyBytes,
+diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
+index 37929810..a7ef0a25 100644
+--- a/lib/luks1/keymanage.c
++++ b/lib/luks1/keymanage.c
+@@ -916,6 +916,8 @@ int LUKS_set_key(unsigned int keyIndex,
+ 			derived_key, hdr->keyBytes,
  			hdr->keyblock[keyIndex].passwordIterations, 0, 0);
  	if (r < 0) {
 +		if (crypt_fips_mode() && passwordLen < 8)
@@ -25,16 +25,19 @@ Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
  		if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
  		     hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
  			log_err(ctx, _("PBKDF2 iteration value overflow."));
-Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
-===================================================================
---- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
-+++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
-@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
- 		     pbkdf.iterations > INT_MAX)
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index ec68236c..f309125d 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -260,6 +260,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
  			log_err(cd, _("PBKDF2 iteration value overflow."));
- 		crypt_free_volume_key(derived_key);
+ 		if (r == -ENOMEM)
+ 			log_err(cd, _("Not enough memory for keyslot key derivation."));
 +		if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
 +			log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
- 		return r;
+ 		goto out;
  	}
  
+-- 
+2.50.1
+
diff --git a/cryptsetup-add-system-library-paths.patch b/cryptsetup-add-system-library-paths.patch
deleted file mode 100644
index 0290c96..0000000
--- a/cryptsetup-add-system-library-paths.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Index: cryptsetup-2.7.0/configure
-===================================================================
---- cryptsetup-2.7.0.orig/configure
-+++ cryptsetup-2.7.0/configure
-@@ -14161,6 +14161,9 @@ fi
-   # before this can be enabled.
-   hardcode_into_libs=yes
- 
-+  # Add ABI-specific directories to the system library path.
-+  sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
-+
-   # Ideally, we could use ldconfig to report *all* directores which are
-   # searched for libraries, however this is still not possible.  Aside from not
-   # being certain /sbin/ldconfig is available, command
-@@ -14169,7 +14172,7 @@ fi
-   # appending ld.so.conf contents (and includes) to the search path.
-   if test -f /etc/ld.so.conf; then
-     lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[	 ]*hwcap[	 ]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
--    sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
-+    sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
-   fi
- 
-   # We used to test for /lib/ld.so.1 and disable shared libraries on
diff --git a/cryptsetup.spec b/cryptsetup.spec
index 73d3541..322205a 100644
--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@@ -1,9 +1,10 @@
 Summary: Utility for setting up encrypted disks
 Name: cryptsetup
-Version: 2.7.2
-Release: 4%{?dist}
+Version: 2.8.1
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://gitlab.com/cryptsetup/cryptsetup
+BuildRequires: autoconf, automake, libtool, gettext-devel,
 BuildRequires: openssl-devel, popt-devel, device-mapper-devel
 BuildRequires: libuuid-devel, gcc, json-c-devel
 BuildRequires: libpwquality-devel, libblkid-devel
@@ -18,16 +19,8 @@ Provides: %{name}-reencrypt = %{version}
 Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
 
 Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
-Patch0002: %{name}-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
-Patch0003: %{name}-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
-Patch0004: %{name}-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
-Patch0005: %{name}-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
-Patch0006: %{name}-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
-Patch0007: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
-Patch0008: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
-Patch0009: %{name}-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
-# Following patch has to applied last
-Patch9999: %{name}-add-system-library-paths.patch
+Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
+Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
 
 %description
 The cryptsetup package contains a utility for setting up
@@ -69,6 +62,7 @@ disk integrity protection using dm-integrity kernel module.
 
 %build
 rm -f man/*.8
+./autogen.sh
 %configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc --disable-hw-opal --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256
 %make_build
 
@@ -104,13 +98,17 @@ rm -rf %{buildroot}%{_libdir}/*.la
 %{_libdir}/pkgconfig/libcryptsetup.pc
 
 %files libs -f cryptsetup.lang
-%license COPYING COPYING.LGPL
+%license COPYING docs/licenses/COPYING.LGPL-2.1-or-later-WITH-cryptsetup-OpenSSL-exception
 %{_libdir}/libcryptsetup.so.*
 %dir %{_libdir}/%{name}/
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %attr(700, -, -) %dir /run/cryptsetup
 
 %changelog
+* Wed Sep 03 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-1
+- Update to cryptsetup 2.8.1.
+- Resolves: 100089
+
 * Wed Jun 04 2025 Ondrej Kozina <okozina@redhat.com> - 2.7.2-4
 - patch: Ignore unknown VMK entry 24 in bitlk metadata.
 - Resolves: RHEL-94860
diff --git a/sources b/sources
index feb0483..9832dc9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (cryptsetup-2.7.2.tar.xz) = 06f42f443b91d1f8af8af999dfedd4051ecb12ba5ef291cf2b44b6a5676e2c5cf1e686e19687f5cb6b1fd524dfc1a208cd25a3798367a480d80eac954aa8d6d4
+SHA512 (cryptsetup-2.8.1.tar.xz) = a5171e18c55bfbc57330f2d46ab06b5ac6957392a77aef74c3d1c5295eb39962d1db19ddd3420ea1154d730b361d09e72bf5315c7a3d56eb36cee9c2531bca5d