From ea5521464288a56979b70422090be0202e906b57 Mon Sep 17 00:00:00 2001 
From: AlmaLinux RelEng Bot
Date: Mon, 30 Mar 2026 11:19:01 -0400
Subject: [PATCH] import CS cryptsetup-2.8.1-3.el9
---
 .cryptsetup.metadata | 2 +-
 .gitignore | 2 +-
 ....3-bitlk-Ignore-unknown-VMK-entry-24.patch | 43 ------
 ...encryption-for-misconfigured-devices.patch | 39 -----
 ...-handle-device-as-suspended-on-error.patch | 35 -----
 ...-of-direct-io-with-suspended-devices.patch | 78 ----------
 ...encryption-checks-in-initialization-.patch | 35 -----
 ...-status-also-for-unknow-target-types.patch | 28 ----
 ...-status-in-inline-HW-mode-and-detach.patch | 31 ++++
 ...ssible-use-of-uninitialized-variable.patch | 29 ++++
 ...eck-for-a-function-attribute-support.patch | 97 ++++++++++++
 ...y-profile-info-from-top-level-device.patch | 49 ++++++
 ...serialization-flag-in-device-activat.patch | 41 +++++
 ...rity-flag-if-no-underlying-dm-integr.patch | 38 +++++
 ...ce-size-status-reports-in-cryptsetup.patch | 143 ++++++++++++++++++
 ...ed-error-message-in-keyslot-add-code.patch | 39 ++---
 .../cryptsetup-add-system-library-paths.patch | 23 ---
 SPECS/cryptsetup.spec | 44 ++++--
 18 files changed, 482 insertions(+), 314 deletions(-)
 delete mode 100644 SOURCES/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
 delete mode 100644 SOURCES/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
 delete mode 100644 SOURCES/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
 delete mode 100644 SOURCES/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
 delete mode 100644 SOURCES/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
 delete mode 100644 SOURCES/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
 create mode 100644 SOURCES/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch
 create mode 100644 SOURCES/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch
 create mode 100644 SOURCES/cryptsetup-2.8.2-Improve-check-for-a-function-attribute-support.patch
 create mode 100644 SOURCES/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch
 create mode 100644 SOURCES/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch
 create mode 100644 SOURCES/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch
 create mode 100644 SOURCES/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch
 delete mode 100644 SOURCES/cryptsetup-add-system-library-paths.patch
diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 36631df..119d474 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1 @@
-db48bcfaf135b627d9d5f0447d746e253a190843 SOURCES/cryptsetup-2.7.2.tar.xz
+d58dc9bd56ae27ff895dfca51712d2f54a29dd9e SOURCES/cryptsetup-2.8.1.tar.xz
diff --git a/.gitignore b/.gitignore
index 7b770b5..16b03bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cryptsetup-2.7.2.tar.xz
+SOURCES/cryptsetup-2.8.1.tar.xz
diff --git a/SOURCES/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch b/SOURCES/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
deleted file mode 100644
index 05d2bec..0000000
--- a/SOURCES/cryptsetup-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From ef653d00a72b8257819f5ae5d3de9bc9f5039b3c Mon Sep 17 00:00:00 2001
-From: Milan Broz
-Date: Tue, 21 May 2024 10:54:55 +0200
-Subject: [PATCH] bitlk: Ignore unknown VMK entry 24
-
-This VMK value looks like a password hint (masked email?)
-we can safely ignore it.
-
-Fixes: #886
----
- lib/bitlk/bitlk.c | 3 +++
- lib/bitlk/bitlk.h | 1 +
- 2 files changed, 4 insertions(+)
-
-diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c
-index ae533e5a..230e7101 100644
---- a/lib/bitlk/bitlk.c
-+++ b/lib/bitlk/bitlk.c
-@@ -324,6 +324,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in
- /* unknown timestamps in recovery protected VMK */
- } else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) {
- ;
-+ /* optional hint (?) string (masked email?), we can safely ignore it */
-+ } else if (key_entry_value == BITLK_ENTRY_VALUE_HINT) {
-+ ;
- } else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) {
- if (key_entry_size < BITLK_ENTRY_HEADER_LEN)
- return -EINVAL;
-diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h
-index 7eb73211..af8f6298 100644
---- a/lib/bitlk/bitlk.h
-+++ b/lib/bitlk/bitlk.h
-@@ -78,6 +78,7 @@ typedef enum {
- BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f,
- BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015,
- BITLK_ENTRY_VALUE_GUID = 0x0017,
-+ BITLK_ENTRY_VALUE_HINT = 0x0018,
- } BITLKFVEEntryValue;
-
- struct bitlk_vmk {
---
-2.49.0
-
diff --git a/SOURCES/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch b/SOURCES/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
deleted file mode 100644
index d6a80d4..0000000
--- a/SOURCES/cryptsetup-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 63bb997b41b8e92fe09ce8cb6582e094e00e19a6 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina
-Date: Mon, 26 Aug 2024 10:46:52 +0200
-Subject: [PATCH 08/10] Abort online reencryption for misconfigured devices.
-
-Hard abort is justified here. The online reencryption on
-data devices that do not support O_DIRECT io flag is
-dangerous and leads to data corruption. This should be
-impossible to hit due to a patch that handles it
-in initialization phase. Better safe than sorry.
----
- lib/luks2/luks2_reencrypt.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
-index 6519c1e3..05f69d18 100644
---- a/lib/luks2/luks2_reencrypt.c
-+++ b/lib/luks2/luks2_reencrypt.c
-@@ -4230,9 +4230,14 @@ int crypt_reencrypt_run(
-
- log_dbg(cd, "Resuming LUKS2 reencryption.");
-
-- if (rh->online && reencrypt_init_device_stack(cd, rh)) {
-- log_err(cd, _("Failed to initialize reencryption device stack."));
-- return -EINVAL;
-+ if (rh->online) {
-+ /* This is last resort to avoid data corruption. Abort is justified here. */
-+ assert(device_direct_io(crypt_data_device(cd)));
-+
-+ if (reencrypt_init_device_stack(cd, rh)) {
-+ log_err(cd, _("Failed to initialize reencryption device stack."));
-+ return -EINVAL;
-+ }
- }
-
- log_dbg(cd, "Progress %" PRIu64 ", device_size %" PRIu64, rh->progress, rh->device_size);
---
-2.46.0
-
diff --git a/SOURCES/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch b/SOURCES/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
deleted file mode 100644
index 2f92d2c..0000000
--- a/SOURCES/cryptsetup-2.7.5-Do-not-handle-device-as-suspended-on-error.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 53198bdea94e610e1e0378e3aff56e8d9f45ac09 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina
-Date: Thu, 22 Aug 2024 13:39:06 +0200
-Subject: [PATCH 01/10] Do not handle device as suspended on error.
-
-Consider device is suspended only if dm_status_suspended return code
-is true.
-
-This function returned -EEXIST for dm devices with target types unknown
-to libcryptsetup (for example dm-cache) and turned off O_DIRECT flag
-for devices unexpectedly.
-
-Turned out ignoring direct-io was a problem after all :).
-
-Fixes: 0f51b5bacbf7 (Do not run sector read check on suspended device.)
----
- lib/utils_device.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/utils_device.c b/lib/utils_device.c
-index 3e2ac4f3..eccaf048 100644
---- a/lib/utils_device.c
-+++ b/lib/utils_device.c
-@@ -178,7 +178,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
- if (devfd >= 0) {
- /* skip check for suspended DM devices */
- dm_name = device_dm_name(device);
-- if (dm_name && dm_status_suspended(cd, dm_name)) {
-+ if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
- close(devfd);
- devfd = -1;
- } else if (device_read_test(devfd) == 0) {
---
-2.46.0
-
diff --git a/SOURCES/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch b/SOURCES/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
deleted file mode 100644
index 3d1ce12..0000000
--- a/SOURCES/cryptsetup-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 4cdd022ba42df17b027be7c35c7028d01b54cecc Mon Sep 17 00:00:00 2001
-From: Milan Broz
-Date: Tue, 27 Aug 2024 12:13:54 +0200
-Subject: [PATCH 06/10] Fix detection of direct-io with suspended devices.
-
-Currently, direct-io is disabled if underlying device is suspended.
-
-This was an unfortunate change, as it is part of data corruption
-problem in online reenryption.
-
-Let's relax the test to assume that suspended device
-(suspended => must be a device-mapper device) supports direct-io.
-
-The read test is still needed as some network based devices
-misbehaves if opened with direct-io flag.
----
- lib/utils_device.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/lib/utils_device.c b/lib/utils_device.c
-index eccaf048..6b7af6e1 100644
---- a/lib/utils_device.c
-+++ b/lib/utils_device.c
-@@ -127,11 +127,19 @@ static size_t device_alignment_fd(int devfd)
- return (size_t)alignment;
- }
-
--static int device_read_test(int devfd)
-+static int device_read_test(struct crypt_device *cd, int devfd, struct device *device)
- {
- char buffer[512];
- int r = -EIO;
- size_t minsize = 0, blocksize, alignment;
-+ const char *dm_name;
-+
-+ /* skip check for suspended DM devices */
-+ dm_name = device_dm_name(device);
-+ if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
-+ log_dbg(cd, "Device %s is suspended, assuming direct-io is supported.", dm_name);
-+ return 0;
-+ }
-
- blocksize = device_block_size_fd(devfd, &minsize);
- alignment = device_alignment_fd(devfd);
-@@ -148,6 +156,8 @@ static int device_read_test(int devfd)
- if (read_blockwise(devfd, blocksize, alignment, buffer, minsize) == (ssize_t)minsize)
- r = 0;
-
-+ log_dbg(cd, "Direct-io is supported and works.");
-+
- crypt_safe_memzero(buffer, sizeof(buffer));
- return r;
- }
-@@ -165,7 +175,6 @@ static int device_ready(struct crypt_device *cd, struct device *device)
- int devfd = -1, r = 0;
- struct stat st;
- size_t tmp_size;
-- const char *dm_name;
-
- if (!device)
- return -EINVAL;
-@@ -176,12 +185,7 @@ static int device_ready(struct crypt_device *cd, struct device *device)
- device->o_direct = 0;
- devfd = open(device_path(device), O_RDONLY | O_DIRECT);
- if (devfd >= 0) {
-- /* skip check for suspended DM devices */
-- dm_name = device_dm_name(device);
-- if (dm_name && dm_status_suspended(cd, dm_name) > 0) {
-- close(devfd);
-- devfd = -1;
-- } else if (device_read_test(devfd) == 0) {
-+ if (device_read_test(cd, devfd, device) == 0) {
- device->o_direct = 1;
- } else {
- close(devfd);
---
-2.46.0
-
diff --git a/SOURCES/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch b/SOURCES/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
deleted file mode 100644
index b59bb11..0000000
--- a/SOURCES/cryptsetup-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 9991cbc306963c8f03eb6dad82fa6c12f75d3b97 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina
-Date: Mon, 26 Aug 2024 10:44:50 +0200
-Subject: [PATCH 07/10] Harden online reencryption checks in initialization
- phase.
-
-Verify the data device supports O_DIRECT io flag in
-the initialization phase. Online reencryption is not
-safe unless we can read and write the data in direct
-mode.
----
- lib/luks2/luks2_reencrypt.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
-index c77de3f6..6519c1e3 100644
---- a/lib/luks2/luks2_reencrypt.c
-+++ b/lib/luks2/luks2_reencrypt.c
-@@ -3788,6 +3788,13 @@ static int reencrypt_init_by_passphrase(struct crypt_device *cd,
- if (flags & CRYPT_REENCRYPT_RECOVERY)
- return reencrypt_recovery_by_passphrase(cd, hdr, keyslot_old, keyslot_new, passphrase, passphrase_size);
-
-+ if (name && !device_direct_io(crypt_data_device(cd))) {
-+ log_dbg(cd, "Device %s does not support direct I/O.", device_path(crypt_data_device(cd)));
-+ /* FIXME: Add more specific error mesage for translation later. */
-+ log_err(cd, _("Failed to initialize reencryption device stack."));
-+ return -EINVAL;
-+ }
-+
- if (cipher && !crypt_cipher_wrapped_key(cipher, cipher_mode)) {
- r = crypt_keyslot_get_key_size(cd, keyslot_new);
- if (r < 0)
---
-2.46.0
-
diff --git a/SOURCES/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch b/SOURCES/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
deleted file mode 100644
index f9d7fdc..0000000
--- a/SOURCES/cryptsetup-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From aeada055d19cddeda68661dc929a78b2bee35e25 Mon Sep 17 00:00:00 2001
-From: Ondrej Kozina
-Date: Thu, 22 Aug 2024 13:41:03 +0200
-Subject: [PATCH 1/9] Return suspended status also for unknow target types.
-
-This patch allows dm_status_suspended() to report if device
-is suspended or not also for unknown target types from
-libcryptsetup perspective (e.g.: dm-cache).
----
- lib/libdevmapper.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/libdevmapper.c b/lib/libdevmapper.c
-index b8592ffa..a562a2d7 100644
---- a/lib/libdevmapper.c
-+++ b/lib/libdevmapper.c
-@@ -1911,7 +1911,7 @@ int dm_status_suspended(struct crypt_device *cd, const char *name)
- r = dm_status_dmi(name, &dmi, NULL, NULL);
- dm_exit_context();
-
-- if (r < 0)
-+ if (r < 0 && r != -EEXIST)
- return r;
-
- return dmi.suspended ? 1 : 0;
---
-2.46.0
-
diff --git a/SOURCES/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch b/SOURCES/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch
new file mode 100644
index 0000000..674a104
--- /dev/null
+++ b/SOURCES/cryptsetup-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch
@@ -0,0 +1,31 @@
+From 55e0209a4e751e4edb3662827a57cd5d330f30c2 Mon Sep 17 00:00:00 2001
+Message-ID: <55e0209a4e751e4edb3662827a57cd5d330f30c2.1766066332.git.khanicov@redhat.com>
+From: Milan Broz
+Date: Thu, 11 Dec 2025 23:40:14 +0100
+Subject: [PATCH] Fix LUKS2 device status in inline HW mode and detached header
+
+Internal type is not set if detached header is not specified,
+but inline tag check should be done anyway.
+---
+ lib/setup.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 3a411733..1ee02db5 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -5838,8 +5838,12 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
+ if (r < 0)
+ return r;
+
+- /* For LUKS2 with integrity we need flags from underlying dm-integrity */
+- if (isLUKS2(cd->type) && crypt_get_integrity_tag_size(cd) &&
++ /*
++ * For integrity and LUKS2 (and detached header where context is NULL)
++ * we need flags from underlying dm-integrity device.
++ * This check must be skipped for non-LUKS2 integrity device.
++ */
++ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
+ (iname = dm_get_active_iname(cd, name))) {
+ if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
+ dmd.flags |= dmdi.flags;
diff --git a/SOURCES/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch b/SOURCES/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch
new file mode 100644
index 0000000..705f4cf
--- /dev/null
+++ b/SOURCES/cryptsetup-2.8.2-Fix-possible-use-of-uninitialized-variable.patch
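Review bot: The rewritten comment in crypt_get_active_device() describes the detached-header case as one "where context is NULL", but the condition it documents tests `!cd->type`, so what is unset is the context's type, not the context. The distinction matters to a reader because `cd->type` is dereferenced unconditionally on this line; whether `cd` is validated earlier cannot be seen, since the function starts before the hunk. I would reword that comment line to `* For integrity and LUKS2 (and detached header, where cd->type is not set)`.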
@@ -0,0 +1,29 @@
+From a8e8e39007f9a3ab91267ff2b4f0aee45cc48752 Mon Sep 17 00:00:00 2001
+Message-ID:
+From: Ondrej Kozina
+Date: Thu, 30 Oct 2025 13:59:52 +0100
+Subject: [PATCH] Fix possible use of uninitialized variable.
+
+device_tag_size variable was not initialized and used
+when device_is_nop_dif returned negative error code.
+---
+ lib/setup.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 37e6f7d9..48b67ce6 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -3045,7 +3045,11 @@ int crypt_format_inline(struct crypt_device *cd,
+ iparams->journal_integrity_key_size))
+ return -EINVAL;
+
+- if (!device_is_nop_dif(idevice, &device_tag_size)) {
++ r = device_is_nop_dif(idevice, &device_tag_size);
++ if (r < 0)
++ return r;
++
++ if (!r) {
+ log_err(cd, _("Device %s does not provide inline integrity data fields."), mdata_device_path(cd));
+ return -EINVAL;
+ }
diff --git a/SOURCES/cryptsetup-2.8.2-Improve-check-for-a-function-attribute-support.patch b/SOURCES/cryptsetup-2.8.2-Improve-check-for-a-function-attribute-support.patch
new file mode 100644
index 0000000..3456b74
--- /dev/null
+++ b/SOURCES/cryptsetup-2.8.2-Improve-check-for-a-function-attribute-support.patch
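Review bot: The new `if (r < 0) return r;` in crypt_format_inline() fails silently, while the `!r` branch directly below it reports through log_err(). When device_is_nop_dif() itself fails, the caller therefore gets only an error code and cannot tell a lookup failure from a device without integrity fields. A debug line before the return, for example `log_dbg(cd, "Cannot read integrity profile of device %s.", mdata_device_path(cd));`, would keep the two cases distinguishable. The declaration of `r` and the rest of the function lie outside the hunk.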
@@ -0,0 +1,97 @@
+From 3a8feb8be78dabb7024aad2d1c48dcaa145e67dc Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Thu, 11 Sep 2025 11:30:25 +0200
+Subject: [PATCH] Improve check for a function attribute support.
+
+The compiler may advertise function attribute support
+with __has_attribute operator even though it does
+not implement the feature on some architecture.
+
+This fixes the issue with GCC 11 on ppc64le with
+__attribute__((zero_call_used_regs("used"))).
+
+Fixes: #959.
+---
+ configure.ac | 21 +++++++++++++++++++++
+ lib/crypto_backend/memutils.c | 4 +---
+ meson.build | 15 +++++++++++++++
+ 3 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 6a6c4dff5..a7485b541 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -680,6 +680,27 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ ])
+ CFLAGS=$saved_CFLAGS
+
++dnl Force compiler to use zero_call_used_regs("used") to check for the function attribute support.
++dnl Otherwise the compiler may falsely advertise it with __has_attribute operator, even though
++dnl it does not implement it on some archs.
++AC_MSG_CHECKING([for zero_call_used_regs(user)])
++saved_CFLAGS=$CFLAGS
++CFLAGS="-O0 -Werror"
++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
++ void _test_function(void);
++ __attribute__((zero_call_used_regs("used"))) void _test_function(void) {
++ volatile int *i; volatile int j = 0; if (j) *i = 0;
++ }
++]],
++[[ _test_function() ]]
++)],[
++ AC_DEFINE([HAVE_ATTRIBUTE_ZEROCALLUSEDREGS], 1, [Define to 1 to use __attribute__((zero_call_used_regs("used")))])
++ AC_MSG_RESULT([yes])
++], [
++ AC_MSG_RESULT([no])
++])
++CFLAGS=$saved_CFLAGS
++
+ AC_MSG_CHECKING([for systemd tmpfiles config directory])
+ if test "x$prefix" != "xNONE"; then
+ saved_PKG_CONFIG=$PKG_CONFIG
+diff --git a/lib/crypto_backend/memutils.c b/lib/crypto_backend/memutils.c
+index 4e440136d..a041b3e60 100644
+--- a/lib/crypto_backend/memutils.c
++++ b/lib/crypto_backend/memutils.c
+@@ -9,11 +9,9 @@
+
+ #define ATTR_NOINLINE __attribute__ ((noinline))
+ #define ATTR_ZERO_REGS
+-#if defined __has_attribute
+-# if __has_attribute (zero_call_used_regs)
++#if HAVE_ATTRIBUTE_ZEROCALLUSEDREGS
+ # undef ATTR_ZERO_REGS
+ # define ATTR_ZERO_REGS __attribute__ ((zero_call_used_regs("used")))
+-# endif
+ #endif
+
+ /* Workaround for https://github.com/google/sanitizers/issues/1507 */
+diff --git a/meson.build b/meson.build
+index 3c17ebca5..2fb6a2492 100644
+--- a/meson.build
++++ b/meson.build
+@@ -697,6 +697,21 @@ if cc.links(
+ description: 'Define to 1 to use __attribute__((symver))')
+ endif
+
++# ==========================================================================
++# Check compiler support for zero_called_used_regs("used") function attribute
++if cc.links(
++ '''void _test_fn(void);
++
++ __attribute__((zero_call_used_regs("used"))) void _test_fn(void) {
++ volatile int *i; volatile int j = 0; if (j) *i = 0;
++ }
++ int main(void) { _test_fn(); return 0; }''',
++ args: ['-O0', '-Werror' ],
++ name: 'for zero_call_used_regs("used") attribute support')
++ conf.set10('HAVE_ATTRIBUTE_ZEROCALLUSEDREGS', true,
++ description: 'Define to 1 to use __attribute__((zero_call_used_regs("used")))')
++endif
++
+ # ==========================================================================
+
+ if get_option('dev-random')
+--
+GitLab
+
diff --git a/SOURCES/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch b/SOURCES/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch
new file mode 100644
index 0000000..47e4b2c
--- /dev/null
+++ b/SOURCES/cryptsetup-2.8.2-Read-integrity-profile-info-from-top-level-device.patch
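Review bot: After this change `#if HAVE_ATTRIBUTE_ZEROCALLUSEDREGS` in lib/crypto_backend/memutils.c is the only switch for the register-zeroing attribute, and an undefined macro evaluates to 0 in `#if`, so a translation unit that does not see the generated config header loses the hardening with no diagnostic. Both probes define the macro only on success (AC_DEFINE in the success branch, `conf.set10(..., true, ...)` inside the `if cc.links`), and the includes of memutils.c are outside the hunk, so that dependency should be confirmed there. A one-line comment above the `#if`, such as `/* set by the configure/meson compile probe, needs the config header */`, would record it. Two wording slips in the probes are also worth fixing: `AC_MSG_CHECKING([for zero_call_used_regs(user)])` should say `used`, and the meson comment spells the attribute `zero_called_used_regs`.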
@@ -0,0 +1,49 @@
+From 9810c6fb2f24073796aa1482680151ddbc668790 Mon Sep 17 00:00:00 2001
+Message-ID: <9810c6fb2f24073796aa1482680151ddbc668790.1766065092.git.khanicov@redhat.com>
+From: Ondrej Kozina
+Date: Fri, 17 Oct 2025 15:13:41 +0200
+Subject: [PATCH] Read integrity profile info from top level device.
+
+When formating device with --integrity-inline option
+there's a check if underlying device properly advertise
+integrity profile support. The check did not work
+properly for partition device nodes. We have to read
+integrity profile info from top level block device.
+
+Fixes: #964.
+---
+ lib/utils_device.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/lib/utils_device.c b/lib/utils_device.c
+index 90ec9de4..1cdbcc65 100644
+--- a/lib/utils_device.c
++++ b/lib/utils_device.c
+@@ -1004,12 +1004,26 @@ int device_is_zoned(struct device *device)
+
+ int device_is_nop_dif(struct device *device, uint32_t *tag_size)
+ {
++ char *base_device_path;
++ int r;
+ struct stat st;
+
+ if (!device)
+ return -EINVAL;
+
+- if (stat(device_path(device), &st) < 0)
++ /*
++ * For partition devices, check integrity profile on the base device.
++ * Partition device nodes don't advertise integrity profile directly
++ * via sysfs attributes.
++ */
++ base_device_path = crypt_get_base_device(device_path(device));
++ if (base_device_path) {
++ r = stat(base_device_path, &st);
++ free(base_device_path);
++ } else
++ r = stat(device_path(device), &st);
++
++ if (r < 0)
+ return -EINVAL;
+
+ if (!S_ISBLK(st.st_mode))
diff --git a/SOURCES/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch b/SOURCES/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch
new file mode 100644
index 0000000..b0ac865
--- /dev/null
+++ b/SOURCES/cryptsetup-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch
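Review bot: In device_is_nop_dif() the `else` branch runs for every NULL return of crypt_get_base_device(), so a failed lookup is treated the same as "not a partition" and falls back to stat() on the partition node, which the commit message says does not advertise the profile. Whether that helper can return NULL on error is not visible here and should be confirmed; if it can, the caller's "does not provide inline integrity data fields" message would be misleading for such a device. Separately, the braced `if` is paired with an unbraced `else`; I would write `} else {` / `r = stat(device_path(device), &st);` / `}`. The part of the function that consumes `st` is outside the hunk.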
@@ -0,0 +1,41 @@
+From 5d69c34f59dbe7fce07d76057fc39198666ab44e Mon Sep 17 00:00:00 2001
+Message-ID: <5d69c34f59dbe7fce07d76057fc39198666ab44e.1766065109.git.khanicov@redhat.com>
+From: Ondrej Kozina
+Date: Thu, 27 Nov 2025 10:49:24 +0100
+Subject: [PATCH] Reinstate pbkdf serialization flag in device activation.
+
+crypt_activate_by_keyslot_context never respected pbkdf serialation
+flag (CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF).
+
+In fact it worked only when device was activated via passphrase or via
+passphrase file. It was never respected when device was activated
+by a token for example.
+
+When the internal code was fully switched to activation via keyslot
+context the legacy code for passphrase based activation was dropped
+and we lost track of serialization flag completely.
+
+This fixes all of the issues so now the serialization flag will be
+respected also with tokens (and all other activation methods unlocking
+LUKS2 keyslot with memory hard pbkdf).
+
+Fixes: 58385d68d8f4 (Allow activation via keyslot context)
+Fixes: #968.
+---
+ lib/setup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index f1b2033b..367d2d11 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -5450,6 +5450,9 @@ int crypt_activate_by_keyslot_context(struct crypt_device *cd,
+ return _activate_loopaes(cd, name, passphrase, passphrase_size, flags);
+ }
+
++ if (flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF)
++ cd->memory_hard_pbkdf_lock_enabled = true;
++
+ /* acquire the volume key(s) */
+ r = -EINVAL;
+ if (isLUKS1(cd->type)) {
diff --git a/SOURCES/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch b/SOURCES/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch
new file mode 100644
index 0000000..9c77b47
--- /dev/null
+++ b/SOURCES/cryptsetup-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch
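Review bot: `cd->memory_hard_pbkdf_lock_enabled` is only ever set to true by the added lines, so once one call passes CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF, later activations through the same `cd` stay serialized even when the flag is absent. If that stickiness is intended it deserves a comment on the assignment, e.g. `/* Sticky: stays enabled for the lifetime of cd once requested. */`. If it is not, the field could mirror the flag, `cd->memory_hard_pbkdf_lock_enabled = !!(flags & CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF);`, provided nothing else sets it. Other writers of the field and the start of crypt_activate_by_keyslot_context() are outside the hunk.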
@@ -0,0 +1,38 @@
+From cdb6a5626089a56a7a135042be7c157acda70506 Mon Sep 17 00:00:00 2001
+Message-ID:
+From: Kristina Hanicova
+Date: Wed, 10 Dec 2025 17:58:36 +0100
+Subject: [PATCH] Set inline integrity flag if no underlying dm-integrity
+ device
+
+Cryptsetup status does not report when the hw inline integrity is
+set without the underlying dm-integrity device.
+
+Fixes: #965
+---
+ lib/setup.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 1ee02db5..93c7ef5f 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -5843,11 +5843,13 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
+ * we need flags from underlying dm-integrity device.
+ * This check must be skipped for non-LUKS2 integrity device.
+ */
+- if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd) &&
+- (iname = dm_get_active_iname(cd, name))) {
+- if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
+- dmd.flags |= dmdi.flags;
+- free(iname);
++ if ((isLUKS2(cd->type) || !cd->type) && crypt_get_integrity_tag_size(cd)) {
++ if ((iname = dm_get_active_iname(cd, name))) {
++ if (dm_query_device(cd, iname, 0, &dmdi) >= 0)
++ dmd.flags |= dmdi.flags;
++ free(iname);
++ } else
++ dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);
+ }
+
+ if (cd && isTCRYPT(cd->type)) {
diff --git a/SOURCES/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch b/SOURCES/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch
new file mode 100644
index 0000000..a75e9e6
--- /dev/null
+++ b/SOURCES/cryptsetup-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch
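Review bot: The new `else` sets `CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE` whenever dm_get_active_iname() returns NULL, so the status output reports hardware inline integrity on the strength of a missing name alone. If that helper can also return NULL when a query or allocation fails (not visible in this hunk), a device whose dm-integrity layer could not be looked up would be shown as inline mode, which is the wrong thing to tell an operator checking integrity protection. A comment on the branch stating why NULL can only mean "no dm-integrity device" would settle it, and the `else` should be braced to match the `if`: `} else {` / `dmd.flags |= (CRYPT_ACTIVATE_NO_JOURNAL | CRYPT_ACTIVATE_INLINE_MODE);` / `}`. The function begins and ends outside the hunk.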
@@ -0,0 +1,143 @@
+From 7fa4cd930814073cb8abe997d8fac19a849daecd Mon Sep 17 00:00:00 2001
+Message-ID: <7fa4cd930814073cb8abe997d8fac19a849daecd.1767967753.git.khanicov@redhat.com>
+From: Milan Broz
+Date: Fri, 2 Jan 2026 20:58:26 +0100
+Subject: [PATCH] Fix wrong device size status reports in cryptsetup and
+ integritysetup
+
+In version 2.8.0 the status output was modified to strictly use
+units and also bytes device size was added.
+
+Unfortunately, the size was wrongly calculated if sector size was
+different than 512-byte default.
+
+Fixes: #972
+---
+ src/cryptsetup.c | 8 +++-----
+ src/integritysetup.c | 6 ++----
+ src/veritysetup.c | 2 +-
+ tests/compat-test2 | 2 ++
+ tests/integrity-compat-test | 6 ++++++
+ tests/verity-compat-test | 4 ++++
+ 6 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/src/cryptsetup.c b/src/cryptsetup.c
+index d8b9e508..b9966f84 100644
+--- a/src/cryptsetup.c
++++ b/src/cryptsetup.c
+@@ -936,7 +936,6 @@ static int action_status(void)
+ char *backing_file;
+ const char *device;
+ int path = 0, r = 0, hw_enc;
+- uint64_t sector_size;
+
+ /* perhaps a path, not a dm device name */
+ if (strchr(action_argv[0], '/'))
+@@ -1019,10 +1018,9 @@ static int action_status(void)
+ log_std(" loop: %s\n", backing_file);
+ free(backing_file);
+ }
+- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
+- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
+- log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * sector_size);
+- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
++ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
++ log_std(" offset: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.offset, cad.offset * SECTOR_SIZE);
++ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
+ if (cad.iv_offset)
+ log_std(" skipped: %" PRIu64 " [512-byte units]\n", cad.iv_offset);
+ log_std(" mode: %s%s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
+diff --git a/src/integritysetup.c b/src/integritysetup.c
+index a1d77855..89c3edd3 100644
+--- a/src/integritysetup.c
++++ b/src/integritysetup.c
+@@ -424,7 +424,6 @@ static int action_status(void)
+ char *backing_file;
+ const char *device, *metadata_device;
+ int path = 0, r = 0;
+- uint64_t sector_size;
+
+ /* perhaps a path, not a dm device name */
+ if (strchr(action_argv[0], '/'))
+@@ -482,10 +481,9 @@ static int action_status(void)
+ free(backing_file);
+ }
+ }
+- sector_size = (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE;
+- log_std(" sector size: %" PRIu64 " [bytes]\n", sector_size);
++ log_std(" sector size: %" PRIu64 " [bytes]\n", (uint64_t)crypt_get_sector_size(cd) ?: SECTOR_SIZE);
+ log_std(" interleave sectors: %u\n", ip.interleave_sectors);
+- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * sector_size);
++ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
+ log_std(" mode: %s%s\n",
+ cad.flags & CRYPT_ACTIVATE_READONLY ? "readonly" : "read/write",
+ cad.flags & CRYPT_ACTIVATE_RECOVERY ? " recovery" : "");
+diff --git a/src/veritysetup.c b/src/veritysetup.c
+index 8e666e3f..d95db09b 100644
+--- a/src/veritysetup.c
++++ b/src/veritysetup.c
+@@ -395,7 +395,7 @@ static int action_status(void)
+ log_std(" data loop: %s\n", backing_file);
+ free(backing_file);
+ }
+- log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * (uint64_t)SECTOR_SIZE);
++ log_std(" size: %" PRIu64 " [512-byte units] (%" PRIu64 " [bytes])\n", cad.size, cad.size * SECTOR_SIZE);
+ log_std(" mode: %s\n", cad.flags & CRYPT_ACTIVATE_READONLY ?
+ "readonly" : "read/write");
+
+diff --git a/tests/compat-test2 b/tests/compat-test2
+index 373461eb..7350455b 100755
+--- a/tests/compat-test2
++++ b/tests/compat-test2
+@@ -816,9 +816,11 @@ if dm_crypt_sector_size_support; then
+ echo $PWD1 | $CRYPTSETUP luksOpen $LOOPDEV $DEV_NAME || fail
+ echo $PWD1 | $CRYPTSETUP -q resize --device-size 1M $DEV_NAME || fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
++ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
+ echo $PWD1 | $CRYPTSETUP -q resize --device-size 2049s $DEV_NAME > /dev/null 2>&1 && fail
+ echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
+ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "2048 \[512-byte units\]" || fail
++ $CRYPTSETUP -q status $DEV_NAME | grep "size:" | grep -q "1048576 \[bytes\]" || fail
+ fi
+ $CRYPTSETUP close $DEV_NAME || fail
+ # Resize not aligned to logical block size
+diff --git a/tests/integrity-compat-test b/tests/integrity-compat-test
+index c40218cd..5aeea5c0 100755
+--- a/tests/integrity-compat-test
++++ b/tests/integrity-compat-test
+@@ -230,7 +230,13 @@ intformat() # alg alg_out tagsize outtagsize sector_size csum [keyfile keysize]
+ status_check "tag size" "$4 [bytes]"
+ status_check "integrity" $2
+ status_check "sector size" "$5 [bytes]"
++
++ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
++ SIZE_512S=$(( $SIZE_BYTES / 512 ))
++ status_check " size" "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])"
++
+ int_check_sum $1 $6 $7 $8
++
+ echo -n "[REMOVE]"
+ $INTSETUP close $DEV_NAME || fail "Cannot deactivate device."
+ echo "[OK]"
+diff --git a/tests/verity-compat-test b/tests/verity-compat-test
+index 93ac405e..02b3d390 100755
+--- a/tests/verity-compat-test
++++ b/tests/verity-compat-test
+@@ -188,6 +188,9 @@ check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
+
+ $VERITYSETUP create $DEV_NAME $DEV_PARAMS $VERIFY_PARAMS $ROOT_HASH >>$DEV_OUT 2>&1 || fail
+ check_exists
++ SIZE_BYTES=$(blockdev --getsize64 /dev/mapper/$DEV_NAME)
++ SIZE_512S=$(( $SIZE_BYTES / 512 ))
++ $VERITYSETUP status $DEV_NAME 2>/dev/null | grep " size:" | grep -q -F "$SIZE_512S [512-byte units] ($SIZE_BYTES [bytes])" || fail
+ echo -n "[activate]"
+
+ dd if=/dev/mapper/$DEV_NAME of=/dev/null bs=$1 2>/dev/null
+@@ -474,6 +477,7 @@ export LANG=C
+ [ -n "$VALG" ] && valgrind_setup && VERITYSETUP=valgrind_run
+ modprobe dm-verity >/dev/null 2>&1
+ dmsetup targets | grep verity >/dev/null 2>&1 || skip "Cannot find dm-verity target, test skipped."
++command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."
+
+ # VERITYSETUP tests
+
diff --git a/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
index 9c303e4..cfbd204 100644
--- a/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
+++ b/SOURCES/cryptsetup-Add-FIPS-related-error-message-in-keyslot-add-code.patch
@@ -1,23 +1,23 @@
-From 293abb5435e2b4bec7f8333fb11c88d5c1f45800 Mon Sep 17 00:00:00 2001
+From 48af2c543e4bee3dff9bd95529bbf45106aa457e Mon Sep 17 00:00:00 2001
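Review bot: tests/integrity-compat-test now calls `blockdev --getsize64` inside intformat() but, unlike tests/verity-compat-test in the same patch, gets no `command -v blockdev` guard in the visible hunks. If the utility is missing or fails, SIZE_BYTES is empty and `$(( $SIZE_BYTES / 512 ))` becomes a shell arithmetic error followed by a failed status_check, rather than a clean skip. Unless the script already checks for blockdev outside the hunk, add the same line the verity test gets, `command -v blockdev >/dev/null || skip "Cannot find blockdev utility, test skipped."`, next to its other prerequisite checks, using whichever skip helper that script defines.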
From: Ondrej Kozina Date: Mon, 5 Dec 2022 13:35:24 +0100 -Subject: [PATCH 3/3] Add FIPS related error message in keyslot add code. +Subject: [PATCH] Add FIPS related error message in keyslot add code. Add hints on what went wrong when creating new LUKS keyslots. The hint is printed only in FIPS mode and when pbkdf2 failed with passphrase shorter than 8 bytes. --- - lib/luks1/keymanage.c | 5 ++++- + lib/luks1/keymanage.c | 2 ++ lib/luks2/luks2_keyslot_luks2.c | 2 ++ - 2 files changed, 6 insertions(+), 1 deletion(-) + 2 files changed, 4 insertions(+) -Index: cryptsetup-2.7.2/lib/luks1/keymanage.c -=================================================================== ---- cryptsetup-2.7.2.orig/lib/luks1/keymanage.c -+++ cryptsetup-2.7.2/lib/luks1/keymanage.c -@@ -926,6 +926,8 @@ int LUKS_set_key(unsigned int keyIndex, - derived_key->key, hdr->keyBytes, +diff --git a/lib/luks1/keymanage.c b/lib/luks1/keymanage.c +index 37929810..a7ef0a25 100644 +--- a/lib/luks1/keymanage.c ++++ b/lib/luks1/keymanage.c +@@ -916,6 +916,8 @@ int LUKS_set_key(unsigned int keyIndex, + derived_key, hdr->keyBytes, hdr->keyblock[keyIndex].passwordIterations, 0, 0); if (r < 0) { + if (crypt_fips_mode() && passwordLen < 8) 
@@ -25,16 +25,19 @@ Index: cryptsetup-2.7.2/lib/luks1/keymanage.c if ((crypt_backend_flags() & CRYPT_BACKEND_PBKDF2_INT) && hdr->keyblock[keyIndex].passwordIterations > INT_MAX) log_err(ctx, _("PBKDF2 iteration value overflow.")); -Index: cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c -=================================================================== ---- cryptsetup-2.7.2.orig/lib/luks2/luks2_keyslot_luks2.c -+++ cryptsetup-2.7.2/lib/luks2/luks2_keyslot_luks2.c -@@ -269,6 +269,8 @@ static int luks2_keyslot_set_key(struct - pbkdf.iterations > INT_MAX) +diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c +index ec68236c..f309125d 100644 +--- a/lib/luks2/luks2_keyslot_luks2.c ++++ b/lib/luks2/luks2_keyslot_luks2.c +@@ -260,6 +260,8 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, log_err(cd, _("PBKDF2 iteration value overflow.")); - crypt_free_volume_key(derived_key); + if (r == -ENOMEM) + log_err(cd, _("Not enough memory for keyslot key derivation.")); + if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2")) + log_err(cd, _("Invalid passphrase for PBKDF2 in FIPS mode.")); - return r; + goto out; } +-- +2.50.1 + diff --git a/SOURCES/cryptsetup-add-system-library-paths.patch b/SOURCES/cryptsetup-add-system-library-paths.patch deleted file mode 100644 index 0290c96..0000000 --- a/SOURCES/cryptsetup-add-system-library-paths.patch +++ /dev/null 
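Review bot: In the refreshed `luks2_keyslot_set_key` hunk the FIPS hint is a separate `if` that follows the new `if (r == -ENOMEM)` context, so a derivation that fails for lack of memory with a passphrase under 8 bytes logs both messages, and the second one blames the passphrase. Chaining it as `else if (crypt_fips_mode() && passwordLen < 8 && !strcmp(pbkdf.type, "pbkdf2"))` would limit the hint to failures that are not already explained. Which error code the backend returns for a rejected short passphrase is not visible here, so any tighter test on `r` would need checking against the crypto backend. The literal `8` is also used in the luks1 hunk without a name or comment; a one-line comment such as `/* FIPS PBKDF2 rejects passphrases shorter than 8 bytes */` at both sites would tie it to the commit message. The function body starts and ends outside the hunk.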
@@ -1,23 +0,0 @@ -Index: cryptsetup-2.7.0/configure -=================================================================== ---- cryptsetup-2.7.0.orig/configure -+++ cryptsetup-2.7.0/configure -@@ -14161,6 +14161,9 @@ fi - # before this can be enabled. - hardcode_into_libs=yes - -+ # Add ABI-specific directories to the system library path. -+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -+ - # Ideally, we could use ldconfig to report *all* directores which are - # searched for libraries, however this is still not possible. Aside from not - # being certain /sbin/ldconfig is available, command -@@ -14169,7 +14172,7 @@ fi - # appending ld.so.conf contents (and includes) to the search path. - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec index 73d3541..5a9705a 100644 --- a/SPECS/cryptsetup.spec +++ b/SPECS/cryptsetup.spec @@ -1,9 +1,10 @@ Summary: Utility for setting up encrypted disks Name: cryptsetup -Version: 2.7.2 -Release: 4%{?dist} +Version: 2.8.1 +Release: 3%{?dist} License: GPLv2+ and LGPLv2+ URL: https://gitlab.com/cryptsetup/cryptsetup +BuildRequires: autoconf, automake, libtool, gettext-devel, BuildRequires: openssl-devel, popt-devel, device-mapper-devel BuildRequires: libuuid-devel, gcc, json-c-devel BuildRequires: libpwquality-devel, libblkid-devel 
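Review bot: The added `BuildRequires: autoconf, automake, libtool, gettext-devel,` line in the first spec hunk ends with a trailing comma. As far as I know rpm's dependency parser skips it, but it reads like a truncated list and may be flagged by spec linting; `BuildRequires: autoconf, automake, libtool, gettext-devel` is enough. These packages appear to be needed only for the `./autogen.sh` call added to `%build` in a later hunk, which a short comment above the line could say.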
@@ -18,16 +19,15 @@ Provides: %{name}-reencrypt = %{version} Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.7/cryptsetup-%{upstream_version}.tar.xz Patch0001: %{name}-Add-FIPS-related-error-message-in-keyslot-add-code.patch -Patch0002: %{name}-2.7.5-Do-not-handle-device-as-suspended-on-error.patch -Patch0003: %{name}-2.7.5-Return-suspended-status-also-for-unknow-target-types.patch -Patch0004: %{name}-2.7.5-Fix-detection-of-direct-io-with-suspended-devices.patch -Patch0005: %{name}-2.7.5-Harden-online-reencryption-checks-in-initialization-.patch -Patch0006: %{name}-2.7.5-Abort-online-reencryption-for-misconfigured-devices.patch -Patch0007: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch -Patch0008: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch -Patch0009: %{name}-2.7.3-bitlk-Ignore-unknown-VMK-entry-24.patch -# Following patch has to applied last -Patch9999: %{name}-add-system-library-paths.patch +Patch0002: %{name}-Enable-to-use-Argon2-in-FIPS-with-openssl-backend.patch +Patch0003: %{name}-Warn-if-Argon2-keyslot-is-unlocked-in-FIPS-mode.patch +Patch0004: %{name}-2.8.2-Improve-check-for-a-function-attribute-support.patch +Patch0005: %{name}-2.8.2-Read-integrity-profile-info-from-top-level-device.patch +Patch0006: %{name}-2.8.2-Fix-possible-use-of-uninitialized-variable.patch +Patch0007: %{name}-2.8.2-Reinstate-pbkdf-serialization-flag-in-device-activat.patch +Patch0008: %{name}-2.8.2-Fix-LUKS2-device-status-in-inline-HW-mode-and-detach.patch +Patch0009: %{name}-2.8.2-Set-inline-integrity-flag-if-no-underlying-dm-integr.patch +Patch0010: %{name}-2.8.4-Fix-wrong-device-size-status-reports-in-cryptsetup.patch %description The cryptsetup package contains a utility for setting up 
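Review bot: The `Source0:` URL kept as context in this hunk still points at the `v2.7/` directory while the first hunk moves `Version:` to 2.8.1. The recorded upstream location therefore presumably no longer matches the tarball being imported, assuming `%{upstream_version}` follows `Version`; its definition is outside the hunk. The build most likely takes the tarball from the source referenced in `.cryptsetup.metadata`, so nothing breaks at build time. Anyone re-fetching the archive to compare it with upstream will not find it at that path, though. Suggested line: `Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v2.8/cryptsetup-%{upstream_version}.tar.xz`.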
@@ -69,6 +69,7 @@ disk integrity protection using dm-integrity kernel module. %build rm -f man/*.8 +./autogen.sh %configure --enable-fips --enable-pwquality --enable-internal-sse-argon2 --disable-ssh-token --enable-asciidoc --disable-hw-opal --with-plain-hash=ripemd160 --with-plain-cipher=aes --with-plain-mode=cbc-essiv:sha256 %make_build @@ -104,13 +105,30 @@ rm -rf %{buildroot}%{_libdir}/*.la %{_libdir}/pkgconfig/libcryptsetup.pc %files libs -f cryptsetup.lang -%license COPYING COPYING.LGPL +%license COPYING docs/licenses/COPYING.LGPL-2.1-or-later-WITH-cryptsetup-OpenSSL-exception %{_libdir}/libcryptsetup.so.* %dir %{_libdir}/%{name}/ %{_tmpfilesdir}/cryptsetup.conf %ghost %attr(700, -, -) %dir /run/cryptsetup %changelog +* Thu Dec 18 2025 Kristina Hanicova - 2.8.1-3 +- patch: Read integrity profile info from top level device. +- patch: Fix possible use of uninitialized variable. +- patch: Reinstate pbkdf serialization flag in device activation. +- patch: Fix LUKS2 device status in inline HW mode and detached header. +- patch: Set inline integrity flag if no underlying dm-integrity device. +- patch: Fix wrong device size status reports in cryptsetup and integritysetup. +- Resolves: RHEL-122297 RHEL-125152 RHEL-125167 RHEL-132585 RHEL-140106 + +* Fri Sep 12 2025 Kristina Hanicova - 2.8.1-2 +- patch: Improve check for a function attribute support. +- Resolves: 100089 + +* Wed Sep 03 2025 Kristina Hanicova - 2.8.1-1 +- Update to cryptsetup 2.8.1. +- Resolves: 100089 + * Wed Jun 04 2025 Ondrej Kozina - 2.7.2-4 - patch: Ignore unknown VMK entry 24 in bitlk metadata. - Resolves: RHEL-94860
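Review bot: The added `./autogen.sh` in `%build` has no comment explaining why the release tarball's generated `configure` is being replaced, and that reason matters to anyone auditing the build. Presumably it is needed because one of the 2.8.2 backports changes autotools inputs, and because the removed add-system-library-paths patch used to edit the generated `configure` directly. If so, say it above the line, e.g. `# Regenerate the build system: backported patches modify autotools inputs`. Regenerating also means the build no longer relies on pre-generated scripts shipped in the tarball, which is worth stating as intent so the line is not dropped in a later rebase.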