rpms/cryptsetup
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS cryptsetup-2.8.1-3.el9

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-03-30 11:19:01 -04:00
parent 606b21aed5
commit ea55214642
18 changed files with 482 additions and 314 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cryptsetup.metadata
View File

@ -1 +1 @@
db48bcfaf135b627d9d5f0447d746e253a190843 SOURCES/cryptsetup-2.7.2.tar.xz
d58dc9bd56ae27ff895dfca51712d2f54a29dd9e SOURCES/cryptsetup-2.8.1.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/cryptsetup-2.7.2.tar.xz
SOURCES/cryptsetup-2.8.1.tar.xz

43
SOURCES/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
View File

@ -1,43 +0,0 @@
From ef653d00a72b8257819f5ae5d3de9bc9f5039b3c Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 21 May 2024 10:54:55 +0200
Subject: [PATCH] bitlk: Ignore unknown VMK entry 24
This VMK value looks like a password hint (masked email?)
we can safely ignore it.
Fixes: #886
---
lib/bitlk/bitlk.c | 3 +++
lib/bitlk/bitlk.h | 1 +
2 files changed, 4 insertions(+)
diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c
index ae533e5a..230e7101 100644
--- a/lib/bitlk/bitlk.c
+++ b/lib/bitlk/bitlk.c
@@ -324,6 +324,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
/* unknown timestamps in recovery protected VMK */
} else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
;
+ /* optional hint (?) string (masked email?), we can safely ignore it */
+ } else if (key_entry_value == BITLK_ENTRY_VALUE_HINT) {
+ ;
} else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
return -EINVAL;
diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h
index 7eb73211..af8f6298 100644
--- a/lib/bitlk/bitlk.h
+++ b/lib/bitlk/bitlk.h
@@ -78,6 +78,7 @@ typedef enum {
BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f,
BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015,
BITLK_ENTRY_VALUE_GUID = 0x0017,
+ BITLK_ENTRY_VALUE_HINT = 0x0018,
} BITLKFVEEntryValue;
struct bitlk_vmk {
--
2.49.0

39
SOURCES/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
View File

@ -1,39 +0,0 @@
From 63bb997b41b8e92fe09ce8cb6582e094e00e19a6 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 26 Aug 2024 10:46:52 +0200
Subject: [PATCH 08/10] Abort online reencryption for misconfigured devices.
Hard abort is justified here. The online reencryption on
data devices that do not support O_DIRECT io flag is
dangerous and leads to data corruption. This should be
impossible to hit due to a patch that handles it
in initialization phase. Better safe than sorry.
---
lib/luks2/luks2_reencrypt.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index 6519c1e3..05f69d18 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -4230,9 +4230,14 @@ int crypt_reencrypt_run(
log_dbg(cd, "Resuming LUKS2 reencryption.");
- if (rh->online && reencrypt_init_device_stack(cd, rh)) {
- log_err(cd, _("Failed to initialize reencryption device stack."));
- return -EINVAL;
+ if (rh->online) {
+ /* This is last resort to avoid data corruption. Abort is justified here. */
+ assert(device_direct_io(crypt_data_device(cd)));
+
+ if (reencrypt_init_device_stack(cd, rh)) {
+ log_err(cd, _("Failed to initialize reencryption device stack."));
+ return -EINVAL;
+ }
}
log_dbg(cd, "Progress %" PRIu64 ", device_size %" PRIu64, rh->progress, rh->device_size);
--
2.46.0

35
SOURCES/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
View File

@ -1,35 +0,0 @@
From 53198bdea94e610e1e0378e3aff56e8d9f45ac09 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 22 Aug 2024 13:39:06 +0200
Subject: [PATCH 01/10] Do not handle device as suspended on error.
Consider device is suspended only if dm_status_suspended return code
is true.
This function returned -EEXIST for dm devices with target types unknown
to libcryptsetup (for example dm-cache) and turned off O_DIRECT flag
for devices unexpectedly.
Turned out ignoring direct-io was a problem after all :).
Fixes: 0f51b5bacbf7 (Do not run sector read check on suspended device.)
---
lib/utils_device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/utils_device.c b/lib/utils_device.c
index 3e2ac4f3..eccaf048 100644
--- a/lib/utils_device.c
+++ b/lib/utils_device.c
@@ -178,7 +178,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
if (devfd >= 0) {
/* skip check for suspended DM devices */
dm_name = device_dm_name(device);
- if (dm_name && dm_status_suspended(cd, dm_name)) {
+ if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
close(devfd);
devfd = -1;
} else if (device_read_test(devfd) == 0) {
--
2.46.0

78
SOURCES/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
View File

@ -1,78 +0,0 @@
From 4cdd022ba42df17b027be7c35c7028d01b54cecc Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 27 Aug 2024 12:13:54 +0200
Subject: [PATCH 06/10] Fix detection of direct-io with suspended devices.
Currently, direct-io is disabled if underlying device is suspended.
This was an unfortunate change, as it is part of data corruption
problem in online reenryption.
Let's relax the test to assume that suspended device
(suspended => must be a device-mapper device) supports direct-io.
The read test is still needed as some network based devices
misbehaves if opened with direct-io flag.
---
lib/utils_device.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/lib/utils_device.c b/lib/utils_device.c
index eccaf048..6b7af6e1 100644
--- a/lib/utils_device.c
+++ b/lib/utils_device.c
@@ -127,11 +127,19 @@ static size_t device_alignment_fd(int devfd)
return (size_t)alignment;
}
-static int device_read_test(int devfd)
+static int device_read_test(struct crypt_device *cd, int devfd, struct device *device)
{
char buffer[512];
int r = -EIO;
size_t minsize = 0, blocksize, alignment;
+ const char *dm_name;
+
+ /* skip check for suspended DM devices */
+ dm_name = device_dm_name(device);
+ if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
+ log_dbg(cd, "Device %s is suspended, assuming direct-io is supported.", dm_name);
+ return 0;
+ }
blocksize = device_block_size_fd(devfd, &minsize);
alignment = device_alignment_fd(devfd);
@@ -148,6 +156,8 @@ static int device_read_test(int devfd)
if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
r = 0;
+ log_dbg(cd, "Direct-io is supported and works.");
+
crypt_safe_memzero(buffer, sizeof(buffer));
return r;
}
@@ -165,7 +175,6 @@ static int device_ready(struct crypt_device *cd, struct device *device)
int devfd = -1, r = 0;
struct stat st;
size_t tmp_size;
- const char *dm_name;
if (!device)
return -EINVAL;
@@ -176,12 +185,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
device->o_direct = 0;
devfd = open(device_path(device), O_RDONLY | O_DIRECT);
if (devfd >= 0) {
- /* skip check for suspended DM devices */
- dm_name = device_dm_name(device);
- if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
- close(devfd);
- devfd = -1;
- } else if (device_read_test(devfd) == 0) {
+ if (device_read_test(cd, devfd, device) == 0) {
device->o_direct = 1;
} else {
close(devfd);
--
2.46.0

35
SOURCES/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
View File

@ -1,35 +0,0 @@
From 9991cbc306963c8f03eb6dad82fa6c12f75d3b97 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 26 Aug 2024 10:44:50 +0200
Subject: [PATCH 07/10] Harden online reencryption checks in initialization
phase.
Verify the data device supports O_DIRECT io flag in
the initialization phase. Online reencryption is not
safe unless we can read and write the data in direct
mode.
---
lib/luks2/luks2_reencrypt.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
index c77de3f6..6519c1e3 100644
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -3788,6 +3788,13 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
if (flags & CRYPT_REENCRYPT_RECOVERY)
return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
+ if (name && !device_direct_io(crypt_data_device(cd))) {
+ log_dbg(cd, "Device %s does not support direct I/O.", device_path(crypt_data_device(cd)));
+ /* FIXME: Add more specific error mesage for translation later. */
+ log_err(cd, _("Failed to initialize reencryption device stack."));
+ return -EINVAL;
+ }
+
if (cipher && !crypt_cipher_wrapped_key(cipher, cipher_mode)) {
r = crypt_keyslot_get_key_size(cd, keyslot_new);
if (r < 0)
--
2.46.0

28
SOURCES/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
View File

@ -1,28 +0,0 @@
From aeada055d19cddeda68661dc929a78b2bee35e25 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 22 Aug 2024 13:41:03 +0200
Subject: [PATCH 1/9] Return suspended status also for unknow target types.
This patch allows dm_status_suspended() to report if device
is suspended or not also for unknown target types from
libcryptsetup perspective (e.g.: dm-cache).
---
lib/libdevmapper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
index b8592ffa..a562a2d7 100644
--- a/lib/libdevmapper.c
+++ b/lib/libdevmapper.c
@@ -1911,7 +1911,7 @@ int dm_status_suspended(struct crypt_device *cd, const char *name)
r = dm_status_dmi(name, &dmi, NULL, NULL);
dm_exit_context();
- if (r < 0)
+ if (r < 0 && r != -EEXIST)
return r;
return dmi.suspended ? 1 : 0;
--
2.46.0

31
SOURCES/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch Normal file
View File

@ -0,0 +1,31 @@
From 55e0209a4e751e4edb3662827a57cd5d330f30c2 Mon Sep 17 00:00:00 2001
Message-ID: <55e0209a4e751e4edb3662827a57cd5d330f30c2.1766066332.git.khanicov@redhat.com>
From: Milan Broz <gmazyland@gmail.com>
Date: Thu, 11 Dec 2025 23:40:14 +0100
Subject: [PATCH] Fix LUKS2 device status in inline HW mode and detached header
Internal type is not set if detached header is not specified,
but inline tag check should be done anyway.
---
lib/setup.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index 3a411733..1ee02db5 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5838,8 +5838,12 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
if (r < 0)
return r;
- /* For LUKS2 with integrity we need flags from underlying dm-integrity */
- if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd) &&
+ /*
+ * For integrity and LUKS2 (and detached header where context is NULL)
+ * we need flags from underlying dm-integrity device.
+ * This check must be skipped for non-LUKS2 integrity device.
+ */
+ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
(iname = dm_get_active_iname(cd, name))) {
if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
dmd.flags |= dmdi.flags;

29
SOURCES/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch Normal file
View File

@ -0,0 +1,29 @@
From a8e8e39007f9a3ab91267ff2b4f0aee45cc48752 Mon Sep 17 00:00:00 2001
Message-ID: <a8e8e39007f9a3ab91267ff2b4f0aee45cc48752.1766065101.git.khanicov@redhat.com>
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 30 Oct 2025 13:59:52 +0100
Subject: [PATCH] Fix possible use of uninitialized variable.
device_tag_size variable was not initialized and used
when device_is_nop_dif returned negative error code.
---
lib/setup.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/setup.c b/lib/setup.c
index 37e6f7d9..48b67ce6 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -3045,7 +3045,11 @@ int crypt_format_inline(struct crypt_device *cd,
iparams->journal_integrity_key_size))
return -EINVAL;
- if (!device_is_nop_dif(idevice, &device_tag_size)) {
+ r = device_is_nop_dif(idevice, &device_tag_size);
+ if (r < 0)
+ return r;
+
+ if (!r) {
log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd));
return -EINVAL;
}

97
SOURCES/cryptsetup-2.8.2-Improve-check-for-a-function-attribute-support.patch Normal file
View File

@ -0,0 +1,97 @@
From 3a8feb8be78dabb7024aad2d1c48dcaa145e67dc Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 11 Sep 2025 11:30:25 +0200
Subject: [PATCH] Improve check for a function attribute support.
The compiler may advertise function attribute support
with __has_attribute operator even though it does
not implement the feature on some architecture.
This fixes the issue with GCC 11 on ppc64le with
__attribute__((zero_call_used_regs("used"))).
Fixes: #959.
---
configure.ac | 21 +++++++++++++++++++++
lib/crypto_backend/memutils.c | 4 +---
meson.build | 15 +++++++++++++++
3 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6a6c4dff5..a7485b541 100644
--- a/configure.ac
+++ b/configure.ac
@@ -680,6 +680,27 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
])
CFLAGS=$saved_CFLAGS
+dnl Force compiler to use zero_call_used_regs("used") to check for the function attribute support.
+dnl Otherwise the compiler may falsely advertise it with __has_attribute operator, even though
+dnl it does not implement it on some archs.
+AC_MSG_CHECKING([for zero_call_used_regs(user)])
+saved_CFLAGS=$CFLAGS
+CFLAGS="-O0 -Werror"
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ void _test_function(void);
+ __attribute__((zero_call_used_regs("used"))) void _test_function(void) {
+ volatile int *i; volatile int j = 0; if (j) *i = 0;
+ }
+]],
+[[ _test_function() ]]
+)],[
+ AC_DEFINE([HAVE_ATTRIBUTE_ZEROCALLUSEDREGS], 1, [Define to 1 to use __attribute__((zero_call_used_regs("used")))])
+ AC_MSG_RESULT([yes])
+], [
+ AC_MSG_RESULT([no])
+])
+CFLAGS=$saved_CFLAGS
+
AC_MSG_CHECKING([for systemd tmpfiles config directory])
if test "x$prefix" != "xNONE"; then
saved_PKG_CONFIG=$PKG_CONFIG
diff --git a/lib/crypto_backend/memutils.c b/lib/crypto_backend/memutils.c
index 4e440136d..a041b3e60 100644
--- a/lib/crypto_backend/memutils.c
+++ b/lib/crypto_backend/memutils.c
@@ -9,11 +9,9 @@
#define ATTR_NOINLINE __attribute__ ((noinline))
#define ATTR_ZERO_REGS
-#if defined __has_attribute
-# if __has_attribute (zero_call_used_regs)
+#if HAVE_ATTRIBUTE_ZEROCALLUSEDREGS
# undef ATTR_ZERO_REGS
# define ATTR_ZERO_REGS __attribute__ ((zero_call_used_regs("used")))
-# endif
#endif
/* Workaround for https://github.com/google/sanitizers/issues/1507 */
diff --git a/meson.build b/meson.build
index 3c17ebca5..2fb6a2492 100644
--- a/meson.build
+++ b/meson.build
@@ -697,6 +697,21 @@ if cc.links(
description: 'Define to 1 to use __attribute__((symver))')
endif
+# ==========================================================================
+# Check compiler support for zero_called_used_regs("used") function attribute
+if cc.links(
+ '''void _test_fn(void);
+
+ __attribute__((zero_call_used_regs("used"))) void _test_fn(void) {
+ volatile int *i; volatile int j = 0; if (j) *i = 0;
+ }
+ int main(void) { _test_fn(); return 0; }''',
+ args: ['-O0', '-Werror' ],
+ name: 'for zero_call_used_regs("used") attribute support')
+ conf.set10('HAVE_ATTRIBUTE_ZEROCALLUSEDREGS', true,
+ description: 'Define to 1 to use __attribute__((zero_call_used_regs("used")))')
+endif
+
# ==========================================================================
if get_option('dev-random')
--
GitLab

49
SOURCES/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch Normal file
View File

@ -0,0 +1,49 @@
From 9810c6fb2f24073796aa1482680151ddbc668790 Mon Sep 17 00:00:00 2001
Message-ID: <9810c6fb2f24073796aa1482680151ddbc668790.1766065092.git.khanicov@redhat.com>
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 17 Oct 2025 15:13:41 +0200
Subject: [PATCH] Read integrity profile info from top level device.
When formating device with --integrity-inline option
there's a check if underlying device properly advertise
integrity profile support. The check did not work
properly for partition device nodes. We have to read
integrity profile info from top level block device.
Fixes: #964.
---
lib/utils_device.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/utils_device.c b/lib/utils_device.c
index 90ec9de4..1cdbcc65 100644
--- a/lib/utils_device.c
+++ b/lib/utils_device.c
@@ -1004,12 +1004,26 @@ int device_is_zoned(struct device *device)
int device_is_nop_dif(struct device *device, uint32_t *tag_size)
{
+ char *base_device_path;
+ int r;
struct stat st;
if (!device)
return -EINVAL;
- if (stat(device_path(device), &st) < 0)
+ /*
+ * For partition devices, check integrity profile on the base device.
+ * Partition device nodes don't advertise integrity profile directly
+ * via sysfs attributes.
+ */
+ base_device_path = crypt_get_base_device(device_path(device));
+ if (base_device_path) {
+ r = stat(base_device_path, &st);
+ free(base_device_path);
+ } else
+ r = stat(device_path(device), &st);
+
+ if (r < 0)
return -EINVAL;
if (!S_ISBLK(st.st_mode))

41
SOURCES/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch Normal file
View File

@ -0,0 +1,41 @@
From 5d69c34f59dbe7fce07d76057fc39198666ab44e Mon Sep 17 00:00:00 2001
Message-ID: <5d69c34f59dbe7fce07d76057fc39198666ab44e.1766065109.git.khanicov@redhat.com>
From: Ondrej Kozina <okozina@redhat.com>
Date: Thu, 27 Nov 2025 10:49:24 +0100
Subject: [PATCH] Reinstate pbkdf serialization flag in device activation.
crypt_activate_by_keyslot_context never respected pbkdf serialation
flag (CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF).
In fact it worked only when device was activated via passphrase or via
passphrase file. It was never respected when device was activated
by a token for example.
When the internal code was fully switched to activation via keyslot
context the legacy code for passphrase based activation was dropped
and we lost track of serialization flag completely.
This fixes all of the issues so now the serialization flag will be
respected also with tokens (and all other activation methods unlocking
LUKS2 keyslot with memory hard pbkdf).
Fixes: 58385d68d8f4 (Allow activation via keyslot context)
Fixes: #968.
---
lib/setup.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/setup.c b/lib/setup.c
index f1b2033b..367d2d11 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5450,6 +5450,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
}
+ if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
+ cd->memory_hard_pbkdf_lock_enabled = true;
+
/* acquire the volume key(s) */
r = -EINVAL;
if (isLUKS1(cd->type)) {

38
SOURCES/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch Normal file
View File

@ -0,0 +1,38 @@
From cdb6a5626089a56a7a135042be7c157acda70506 Mon Sep 17 00:00:00 2001
Message-ID: <cdb6a5626089a56a7a135042be7c157acda70506.1766065116.git.khanicov@redhat.com>
From: Kristina Hanicova <khanicov@redhat.com>
Date: Wed, 10 Dec 2025 17:58:36 +0100
Subject: [PATCH] Set inline integrity flag if no underlying dm-integrity
device
Cryptsetup status does not report when the hw inline integrity is
set without the underlying dm-integrity device.
Fixes: #965
---
lib/setup.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/lib/setup.c b/lib/setup.c
index 1ee02db5..93c7ef5f 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -5843,11 +5843,13 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
* we need flags from underlying dm-integrity device.
* This check must be skipped for non-LUKS2 integrity device.
*/
- if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
- (iname = dm_get_active_iname(cd, name))) {
- if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
- dmd.flags |= dmdi.flags;
- free(iname);
+ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd)) {
+ if ((iname = dm_get_active_iname(cd, name))) {
+ if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
+ dmd.flags |= dmdi.flags;
+ free(iname);
+ } else
+ dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
}
if (cd && isTCRYPT(cd->type)) {

143
SOURCES/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch Normal file
View File

@ -0,0 +1,143 @@
From 7fa4cd930814073cb8abe997d8fac19a849daecd Mon Sep 17 00:00:00 2001
Message-ID: <7fa4cd930814073cb8abe997d8fac19a849daecd.1767967753.git.khanicov@redhat.com>
From: Milan Broz <gmazyland@gmail.com>
Date: Fri, 2 Jan 2026 20:58:26 +0100
Subject: [PATCH] Fix wrong device size status reports in cryptsetup and
integritysetup
In version 2.8.0 the status output was modified to strictly use
units and also bytes device size was added.
Unfortunately, the size was wrongly calculated if sector size was
different than 512-byte default.
Fixes: #972
---
src/cryptsetup.c | 8 +++-----
src/integritysetup.c | 6 ++----
src/veritysetup.c | 2 +-
tests/compat-test2 | 2 ++
tests/integrity-compat-test | 6 ++++++
tests/verity-compat-test | 4 ++++
6 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index d8b9e508..b9966f84 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -936,7 +936,6 @@ static int action_status(void)
char *backing_file;
const char *device;
int path = 0, r = 0, hw_enc;
- uint64_t sector_size;
/* perhaps a path, not a dm device name */
if (strchr(action_argv[0], '/'))
@@ -1019,10 +1018,9 @@ static int action_status(void)
log_std(" loop: %s\n", backing_file);
free(backing_file);
}
- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
- log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * sector_size);
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
+ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
+ log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * SECTOR_SIZE);
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
if (cad.iv_offset)
log_std(" skipped: %" PRIu64 " [512-byte units]\n", cad.iv_offset);
log_std(" mode: %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
diff --git a/src/integritysetup.c b/src/integritysetup.c
index a1d77855..89c3edd3 100644
--- a/src/integritysetup.c
+++ b/src/integritysetup.c
@@ -424,7 +424,6 @@ static int action_status(void)
char *backing_file;
const char *device, *metadata_device;
int path = 0, r = 0;
- uint64_t sector_size;
/* perhaps a path, not a dm device name */
if (strchr(action_argv[0], '/'))
@@ -482,10 +481,9 @@ static int action_status(void)
free(backing_file);
}
}
- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
+ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
log_std(" interleave sectors: %u\n", ip.interleave_sectors);
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
log_std(" mode: %s%s\n",
cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write",
cad.flags & CRYPT_ACTIVATE_RECOVERY ? " recovery" : "");
diff --git a/src/veritysetup.c b/src/veritysetup.c
index 8e666e3f..d95db09b 100644
--- a/src/veritysetup.c
+++ b/src/veritysetup.c
@@ -395,7 +395,7 @@ static int action_status(void)
log_std(" data loop: %s\n", backing_file);
free(backing_file);
}
- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * (uint64_t)SECTOR_SIZE);
+ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
"readonly" : "read/write");
diff --git a/tests/compat-test2 b/tests/compat-test2
index 373461eb..7350455b 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -816,9 +816,11 @@ if dm_crypt_sector_size_support; then
echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
$CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
fi
$CRYPTSETUP close $DEV_NAME || fail
# Resize not aligned to logical block size
diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
index c40218cd..5aeea5c0 100755
--- a/tests/integrity-compat-test
+++ b/tests/integrity-compat-test
@@ -230,7 +230,13 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
status_check "tag size" "$4 [bytes]"
status_check "integrity" $2
status_check "sector size" "$5 [bytes]"
+
+ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
+ SIZE_512S=$(( $SIZE_BYTES / 512 ))
+ status_check " size" "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])"
+
int_check_sum $1 $6 $7 $8
+
echo -n "[REMOVE]"
$INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
echo "[OK]"
diff --git a/tests/verity-compat-test b/tests/verity-compat-test
index 93ac405e..02b3d390 100755
--- a/tests/verity-compat-test
+++ b/tests/verity-compat-test
@@ -188,6 +188,9 @@ check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
$VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $ROOT_HASH >>$DEV_OUT 2>&1 || fail
check_exists
+ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
+ SIZE_512S=$(( $SIZE_BYTES / 512 ))
+ $VERITYSETUP status $DEV_NAME 2>/dev/null | grep " size:" | grep -q -F "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])" || fail
echo -n "[activate]"
dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null
@@ -474,6 +477,7 @@ export LANG=C
[ -n "$VALG" ] && valgrind_setup && VERITYSETUP=valgrind_run
modprobe dm-verity >/dev/null 2>&1
dmsetup targets | grep verity >/dev/null 2>&1 || skip "Cannot find dm-verity target, test skipped."
+command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
# VERITYSETUP tests

39
SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
View File

@ -1,23 +1,23 @@
From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
From 48af2c543e4bee3dff9bd95529bbf45106aa457e Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Mon, 5 Dec 2022 13:35:24 +0100
Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code.
Subject: [PATCH] Add FIPS related error message in keyslot add code.
Add hints on what went wrong when creating new LUKS
keyslots. The hint is printed only in FIPS mode and
when pbkdf2 failed with passphrase shorter than 8
bytes.
---
lib/luks1/keymanage.c | 5 ++++-
lib/luks1/keymanage.c | 2 ++
lib/luks2/luks2_keyslot_luks2.c | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
2 files changed, 4 insertions(+)
Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
===================================================================
--- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c
+++ cryptsetup-2.7.2/lib/luks1/keymanage.c
@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex,
derived_key->key, hdr->keyBytes,
diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c
index 37929810..a7ef0a25 100644
--- a/lib/luks1/keymanage.c
+++ b/lib/luks1/keymanage.c
@@ -916,6 +916,8 @@ int LUKS_set_key(unsigned int keyIndex,
derived_key, hdr->keyBytes,
hdr->keyblock[keyIndex].passwordIterations, 0, 0);
if (r < 0) {
+ if (crypt_fips_mode() && passwordLen < 8)
@ -25,16 +25,19 @@ Index: cryptsetup-2.7.2/lib/luks1/keymanage.c
if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) &&
hdr->keyblock[keyIndex].passwordIterations > INT_MAX)
log_err(ctx, _("PBKDF2 iteration value overflow."));
Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
===================================================================
--- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c
+++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c
@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct
pbkdf.iterations > INT_MAX)
diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
index ec68236c..f309125d 100644
--- a/lib/luks2/luks2_keyslot_luks2.c
+++ b/lib/luks2/luks2_keyslot_luks2.c
@@ -260,6 +260,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
log_err(cd, _("PBKDF2 iteration value overflow."));
crypt_free_volume_key(derived_key);
if (r == -ENOMEM)
log_err(cd, _("Not enough memory for keyslot key derivation."));
+ if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))
+ log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode."));
return r;
goto out;
}
--
2.50.1

23
SOURCES/cryptsetup-add-system-library-paths.patch
View File

@ -1,23 +0,0 @@
Index: cryptsetup-2.7.0/configure
===================================================================
--- cryptsetup-2.7.0.orig/configure
+++ cryptsetup-2.7.0/configure
@@ -14161,6 +14161,9 @@ fi
# before this can be enabled.
hardcode_into_libs=yes
+ # Add ABI-specific directories to the system library path.
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
+
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
# being certain /sbin/ldconfig is available, command
@@ -14169,7 +14172,7 @@ fi
# appending ld.so.conf contents (and includes) to the search path.
if test -f /etc/ld.so.conf; then
lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra"
fi
# We used to test for /lib/ld.so.1 and disable shared libraries on

44
SPECS/cryptsetup.spec
View File

@ -1,9 +1,10 @@
Summary: Utility for setting up encrypted disks
Name: cryptsetup
Version: 2.7.2
Release: 4%{?dist}
Version: 2.8.1
Release: 3%{?dist}
License: GPLv2+ and LGPLv2+
URL: https://gitlab.com/cryptsetup/cryptsetup
BuildRequires: autoconf, automake, libtool, gettext-devel,
BuildRequires: openssl-devel, popt-devel, device-mapper-devel
BuildRequires: libuuid-devel, gcc, json-c-devel
BuildRequires: libpwquality-devel, libblkid-devel
@ -18,16 +19,15 @@ Provides: %{name}-reencrypt = %{version}
Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz
Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch
Patch0002: %{name}-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
Patch0003: %{name}-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
Patch0004: %{name}-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
Patch0005: %{name}-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
Patch0006: %{name}-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
Patch0007: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
Patch0008: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
Patch0009: %{name}-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
# Following patch has to applied last
Patch9999: %{name}-add-system-library-paths.patch
Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch
Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch
Patch0004: %{name}-2.8.2-Improve-check-for-a-function-attribute-support.patch
Patch0005: %{name}-2.8.2-Read-integrity-profile-info-from-top-level-device.patch
Patch0006: %{name}-2.8.2-Fix-possible-use-of-uninitialized-variable.patch
Patch0007: %{name}-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch
Patch0008: %{name}-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch
Patch0009: %{name}-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch
Patch0010: %{name}-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch
%description
The cryptsetup package contains a utility for setting up
@ -69,6 +69,7 @@ disk integrity protection using dm-integrity kernel module.
%build
rm -f man/*.8
./autogen.sh
%configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc --disable-hw-opal --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256
%make_build
@ -104,13 +105,30 @@ rm -rf %{buildroot}%{_libdir}/*.la
%{_libdir}/pkgconfig/libcryptsetup.pc
%files libs -f cryptsetup.lang
%license COPYING COPYING.LGPL
%license COPYING docs/licenses/COPYING.LGPL-2.1-or-later-WITH-cryptsetup-OpenSSL-exception
%{_libdir}/libcryptsetup.so.*
%dir %{_libdir}/%{name}/
%{_tmpfilesdir}/cryptsetup.conf
%ghost %attr(700, -, -) %dir /run/cryptsetup
%changelog
* Thu Dec 18 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-3
- patch: Read integrity profile info from top level device.
- patch: Fix possible use of uninitialized variable.
- patch: Reinstate pbkdf serialization flag in device activation.
- patch: Fix LUKS2 device status in inline HW mode and detached header.
- patch: Set inline integrity flag if no underlying dm-integrity device.
- patch: Fix wrong device size status reports in cryptsetup and integritysetup.
- Resolves: RHEL-122297 RHEL-125152 RHEL-125167 RHEL-132585 RHEL-140106
* Fri Sep 12 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-2
- patch: Improve check for a function attribute support.
- Resolves: 100089
* Wed Sep 03 2025 Kristina Hanicova <khanicov@redhat.com> - 2.8.1-1
- Update to cryptsetup 2.8.1.
- Resolves: 100089
* Wed Jun 04 2025 Ondrej Kozina <okozina@redhat.com> - 2.7.2-4
- patch: Ignore unknown VMK entry 24 in bitlk metadata.
- Resolves: RHEL-94860