SOURCES/0002-Add-support-for-creating-and-activating-integrity-de.patch

@@ -0,0 +1,963 @@
+From 77e6a109043e87f88d2bd2b47d1cefce0eb9f5a9 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 20 Sep 2021 16:38:16 +0200
+Subject: [PATCH 1/3] Add support for creating and activating integrity devices
+
+This adds support for create, open and close actions for standalone
+integrity devices using cryptsetup.
+---
+ configure.ac                        |   2 +-
+ src/lib/plugin_apis/crypto.api      | 157 +++++++++++++++++
+ src/plugins/crypto.c                | 261 +++++++++++++++++++++++++++-
+ src/plugins/crypto.h                |  41 +++++
+ src/python/gi/overrides/BlockDev.py |  24 +++
+ tests/crypto_test.py                |  96 +++++++++-
+ 6 files changed, 573 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 79bd97d8..79bf8045 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -210,7 +210,7 @@ AS_IF([test "x$with_crypto" != "xno"],
+       AS_IF([$PKG_CONFIG --atleast-version=2.0.3 libcryptsetup],
+             [AC_DEFINE([LIBCRYPTSETUP_2])], [])
+       AS_IF([$PKG_CONFIG --atleast-version=2.3.0 libcryptsetup],
+-            [AC_DEFINE([LIBCRYPTSETUP_BITLK])], [])
++            [AC_DEFINE([LIBCRYPTSETUP_23])], [])
+       AS_IF([$PKG_CONFIG --atleast-version=2.4.0 libcryptsetup],
+             [AC_DEFINE([LIBCRYPTSETUP_24])], [])
+       AS_IF([test "x$with_escrow" != "xno"],
+diff --git a/src/lib/plugin_apis/crypto.api b/src/lib/plugin_apis/crypto.api
+index ef0217fe..40e32c89 100644
+--- a/src/lib/plugin_apis/crypto.api
++++ b/src/lib/plugin_apis/crypto.api
+@@ -1,5 +1,6 @@
+ #include <glib.h>
+ #include <blockdev/utils.h>
++#include <libcryptsetup.h>
+ 
+ #define BD_CRYPTO_LUKS_METADATA_SIZE G_GUINT64_CONSTANT (2097152ULL) // 2 MiB
+ 
+@@ -245,6 +246,115 @@ GType bd_crypto_luks_extra_get_type () {
+     return type;
+ }
+ 
++#define BD_CRYPTO_TYPE_INTEGRITY_EXTRA (bd_crypto_integrity_extra_get_type ())
++GType bd_crypto_integrity_extra_get_type();
++
++/**
++ * BDCryptoIntegrityExtra:
++ * @sector_size: integrity sector size
++ * @journal_size: size of journal in bytes
++ * @journal_watermark: journal flush watermark in percents; in bitmap mode sectors-per-bit
++ * @journal_commit_time: journal commit time (or bitmap flush time) in ms
++ * @interleave_sectors: number of interleave sectors (power of two)
++ * @tag_size: tag size per-sector in bytes
++ * @buffer_sectors: number of sectors in one buffer
++ */
++typedef struct BDCryptoIntegrityExtra {
++    guint32 sector_size;
++    guint64 journal_size;
++    guint journal_watermark;
++    guint journal_commit_time;
++    guint32 interleave_sectors;
++    guint32 tag_size;
++    guint32 buffer_sectors;
++} BDCryptoIntegrityExtra;
++
++/**
++ * bd_crypto_integrity_extra_copy: (skip)
++ * @extra: (allow-none): %BDCryptoIntegrityExtra to copy
++ *
++ * Creates a new copy of @extra.
++ */
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return NULL;
++
++    BDCryptoIntegrityExtra *new_extra = g_new0 (BDCryptoIntegrityExtra, 1);
++
++    new_extra->sector_size = extra->sector_size;
++    new_extra->journal_size = extra->journal_size;
++    new_extra->journal_watermark = extra->journal_watermark;
++    new_extra->journal_commit_time = extra->journal_commit_time;
++    new_extra->interleave_sectors = extra->interleave_sectors;
++    new_extra->tag_size = extra->tag_size;
++    new_extra->buffer_sectors = extra->buffer_sectors;
++
++    return new_extra;
++}
++
++/**
++ * bd_crypto_integrity_extra_free: (skip)
++ * @extra: (allow-none): %BDCryptoIntegrityExtra to free
++ *
++ * Frees @extra.
++ */
++void bd_crypto_integrity_extra_free (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return;
++
++    g_free (extra);
++}
++
++/**
++ * bd_crypto_integrity_extra_new: (constructor)
++ * @sector_size: integrity sector size, 0 for default (512)
++ * @journal_size: size of journal in bytes
++ * @journal_watermark: journal flush watermark in percents; in bitmap mode sectors-per-bit
++ * @journal_commit_time: journal commit time (or bitmap flush time) in ms
++ * @interleave_sectors: number of interleave sectors (power of two)
++ * @tag_size: tag size per-sector in bytes
++ * @buffer_sectors: number of sectors in one buffer
++ *
++ * Returns: (transfer full): a new Integrity extra argument
++ */
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors) {
++    BDCryptoIntegrityExtra *ret = g_new0 (BDCryptoIntegrityExtra, 1);
++    ret->sector_size = sector_size;
++    ret->journal_size = journal_size;
++    ret->journal_watermark = journal_watermark;
++    ret->journal_commit_time = journal_commit_time;
++    ret->interleave_sectors = interleave_sectors;
++    ret->tag_size = tag_size;
++    ret->buffer_sectors = buffer_sectors;
++
++    return ret;
++}
++
++GType bd_crypto_integrity_extra_get_type () {
++    static GType type = 0;
++
++    if (G_UNLIKELY(type == 0)) {
++        type = g_boxed_type_register_static("BDCryptoIntegrityExtra",
++                                            (GBoxedCopyFunc) bd_crypto_integrity_extra_copy,
++                                            (GBoxedFreeFunc) bd_crypto_integrity_extra_free);
++    }
++
++    return type;
++}
++
++typedef enum {
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
++#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
++#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++} BDCryptoIntegrityOpenFlags;
++
+ #define BD_CRYPTO_TYPE_LUKS_INFO (bd_crypto_luks_info_get_type ())
+ GType bd_crypto_luks_info_get_type();
+ 
+@@ -857,6 +967,53 @@ BDCryptoLUKSInfo* bd_crypto_luks_info (const gchar *luks_device, GError **error)
+  */
+ BDCryptoIntegrityInfo* bd_crypto_integrity_info (const gchar *device, GError **error);
+ 
++/**
++ * bd_crypto_integrity_format:
++ * @device: a device to format as integrity
++ * @algorithm: integrity algorithm specification (e.g. "crc32c" or "sha256") or %NULL to use the default
++ * @wipe: whether to wipe the device after format; a device that is not initially wiped will contain invalid checksums
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @extra: (allow-none): extra arguments for integrity format creation
++ * @error: (out): place to store error (if any)
++ *
++ * Formats the given @device as integrity according to the other parameters given.
++ *
++ * Returns: whether the given @device was successfully formatted as integrity or not
++ * (the @error) contains the error in such cases)
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_CREATE
++ */
++gboolean bd_crypto_integrity_format (const gchar *device, const gchar *algorithm, gboolean wipe, const guint8* key_data, gsize key_size, BDCryptoIntegrityExtra *extra, GError **error);
++
++/**
++ * bd_crypto_integrity_open:
++ * @device: integrity device to open
++ * @name: name for the opened @device
++ * @algorithm: (allow-none): integrity algorithm specification (e.g. "crc32c" or "sha256") or %NULL to use the default
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @flags: flags for the integrity device activation
++ * @extra: (allow-none): extra arguments for integrity open
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the @device was successfully opened or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const gchar *algorithm, const guint8* key_data, gsize key_size, BDCryptoIntegrityOpenFlags flags, BDCryptoIntegrityExtra *extra, GError **error);
++
++/**
++ * bd_crypto_integrity_close:
++ * @integrity_device: integrity device to close
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the given @integrity_device was successfully closed or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_close (const gchar *integrity_device, GError **error);
++
+ /**
+  * bd_crypto_device_seems_encrypted:
+  * @device: the queried device
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index 51908140..8549cf23 100644
+--- a/src/plugins/crypto.c
++++ b/src/plugins/crypto.c
+@@ -50,6 +50,18 @@
+ 
+ #define SECTOR_SIZE 512
+ 
++#define DEFAULT_LUKS_KEYSIZE_BITS 256
++#define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
++
++#ifdef LIBCRYPTSETUP_23
++/* 0 for autodetect since 2.3.0 */
++#define DEFAULT_INTEGRITY_TAG_SIZE 0
++#else
++/* we need some sane default for older versions, users should specify tag size when using
++   other algorithms than the default crc32c */
++#define DEFAULT_INTEGRITY_TAG_SIZE 4
++#endif
++
+ #define UNUSED __attribute__((unused))
+ 
+ /**
+@@ -146,6 +158,43 @@ BDCryptoLUKSExtra* bd_crypto_luks_extra_new (guint64 data_alignment, const gchar
+     return ret;
+ }
+ 
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors) {
++    BDCryptoIntegrityExtra *ret = g_new0 (BDCryptoIntegrityExtra, 1);
++    ret->sector_size = sector_size;
++    ret->journal_size = journal_size;
++    ret->journal_watermark = journal_watermark;
++    ret->journal_commit_time = journal_commit_time;
++    ret->interleave_sectors = interleave_sectors;
++    ret->tag_size = tag_size;
++    ret->buffer_sectors = buffer_sectors;
++
++    return ret;
++}
++
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return NULL;
++
++    BDCryptoIntegrityExtra *new_extra = g_new0 (BDCryptoIntegrityExtra, 1);
++
++    new_extra->sector_size = extra->sector_size;
++    new_extra->journal_size = extra->journal_size;
++    new_extra->journal_watermark = extra->journal_watermark;
++    new_extra->journal_commit_time = extra->journal_commit_time;
++    new_extra->interleave_sectors = extra->interleave_sectors;
++    new_extra->tag_size = extra->tag_size;
++    new_extra->buffer_sectors = extra->buffer_sectors;
++
++    return new_extra;
++}
++
++void bd_crypto_integrity_extra_free (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return;
++
++    g_free (extra);
++}
++
+ void bd_crypto_luks_info_free (BDCryptoLUKSInfo *info) {
+     if (info == NULL)
+         return;
+@@ -346,15 +395,15 @@ gboolean bd_crypto_is_tech_avail (BDCryptoTech tech, guint64 mode, GError **erro
+                          "Integrity technology requires libcryptsetup >= 2.0");
+             return FALSE;
+ #endif
+-            ret = mode & (BD_CRYPTO_TECH_MODE_QUERY);
++            ret = mode & (BD_CRYPTO_TECH_MODE_CREATE|BD_CRYPTO_TECH_MODE_OPEN_CLOSE|BD_CRYPTO_TECH_MODE_QUERY);
+             if (ret != mode) {
+                 g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
+-                             "Only 'query' supported for Integrity");
++                             "Only 'create', 'open' and 'query' supported for Integrity");
+                 return FALSE;
+             } else
+                 return TRUE;
+         case BD_CRYPTO_TECH_BITLK:
+-#ifndef LIBCRYPTSETUP_BITLK
++#ifndef LIBCRYPTSETUP_23
+             g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
+                          "BITLK technology requires libcryptsetup >= 2.3.0");
+             return FALSE;
+@@ -2035,6 +2084,208 @@ BDCryptoIntegrityInfo* bd_crypto_integrity_info (const gchar *device, GError **e
+ }
+ #endif
+ 
++static int _wipe_progress (guint64 size, guint64 offset, void *usrptr) {
++    /* "convert" the progress from 0-100 to 50-100 because wipe starts at 50 in bd_crypto_integrity_format */
++    gdouble progress = 50 + (((gdouble) offset / size) * 100) / 2;
++    bd_utils_report_progress (*(guint64 *) usrptr, progress, "Integrity device wipe in progress");
++
++    return 0;
++}
++
++/**
++ * bd_crypto_integrity_format:
++ * @device: a device to format as integrity
++ * @algorithm: integrity algorithm specification (e.g. "crc32c" or "sha256")
++ * @wipe: whether to wipe the device after format; a device that is not initially wiped will contain invalid checksums
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @extra: (allow-none): extra arguments for integrity format creation
++ * @error: (out): place to store error (if any)
++ *
++ * Formats the given @device as integrity according to the other parameters given.
++ *
++ * Returns: whether the given @device was successfully formatted as integrity or not
++ * (the @error) contains the error in such cases)
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_CREATE
++ */
++gboolean bd_crypto_integrity_format (const gchar *device, const gchar *algorithm, gboolean wipe, const guint8* key_data, gsize key_size, BDCryptoIntegrityExtra *extra, GError **error) {
++    struct crypt_device *cd = NULL;
++    gint ret;
++    guint64 progress_id = 0;
++    gchar *msg = NULL;
++    struct crypt_params_integrity params = ZERO_INIT;
++    g_autofree gchar *tmp_name = NULL;
++    g_autofree gchar *tmp_path = NULL;
++    g_autofree gchar *dev_name = NULL;
++
++    msg = g_strdup_printf ("Started formatting '%s' as integrity device", device);
++    progress_id = bd_utils_report_started (msg);
++    g_free (msg);
++
++    ret = crypt_init (&cd, device);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to initialize device: %s", strerror_l (-ret, c_locale));
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    if (extra) {
++        params.sector_size = extra->sector_size;
++        params.journal_size = extra->journal_size;
++        params.journal_watermark = extra->journal_watermark;
++        params.journal_commit_time = extra->journal_commit_time;
++        params.interleave_sectors = extra->interleave_sectors;
++        params.tag_size = extra->tag_size;
++        params.buffer_sectors = extra->buffer_sectors;
++    }
++
++    params.integrity_key_size = key_size;
++    params.integrity = algorithm;
++    params.tag_size = params.tag_size ? params.tag_size : DEFAULT_INTEGRITY_TAG_SIZE;
++
++    ret = crypt_format (cd, CRYPT_INTEGRITY, NULL, NULL, NULL, NULL, 0, &params);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_FORMAT_FAILED,
++                     "Failed to format device: %s", strerror_l (-ret, c_locale));
++        crypt_free (cd);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    if (wipe) {
++        bd_utils_report_progress (progress_id, 50, "Format created");
++
++        dev_name = g_path_get_basename (device);
++        tmp_name = g_strdup_printf ("bd-temp-integrity-%s-%d", dev_name, g_random_int ());
++        tmp_path = g_strdup_printf ("%s/%s", crypt_get_dir (), tmp_name);
++
++        ret = crypt_activate_by_volume_key (cd, tmp_name, (const char *) key_data, key_size,
++                                            CRYPT_ACTIVATE_PRIVATE | CRYPT_ACTIVATE_NO_JOURNAL);
++        if (ret != 0) {
++            g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                         "Failed to activate the newly created integrity device for wiping: %s",
++                         strerror_l (-ret, c_locale));
++            crypt_free (cd);
++            bd_utils_report_finished (progress_id, (*error)->message);
++            return FALSE;
++        }
++
++        bd_utils_report_progress (progress_id, 50, "Starting to wipe the newly created integrity device");
++        ret = crypt_wipe (cd, tmp_path, CRYPT_WIPE_ZERO, 0, 0, 1048576,
++                          0, &_wipe_progress, &progress_id);
++        bd_utils_report_progress (progress_id, 100, "Wipe finished");
++        if (ret != 0) {
++            g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                         "Failed to wipe the newly created integrity device: %s",
++                         strerror_l (-ret, c_locale));
++
++            ret = crypt_deactivate (cd, tmp_name);
++            if (ret != 0)
++                g_warning ("Failed to deactivate temporary device %s", tmp_name);
++
++            crypt_free (cd);
++            bd_utils_report_finished (progress_id, (*error)->message);
++            return FALSE;
++        }
++
++        ret = crypt_deactivate (cd, tmp_name);
++        if (ret != 0)
++            g_warning ("Failed to deactivate temporary device %s", tmp_name);
++
++    } else
++        bd_utils_report_finished (progress_id, "Completed");
++
++    crypt_free (cd);
++
++    return TRUE;
++}
++
++/**
++ * bd_crypto_integrity_open:
++ * @device: integrity device to open
++ * @name: name for the opened @device
++ * @algorithm: (allow-none): integrity algorithm specification (e.g. "crc32c" or "sha256") or %NULL to use the default
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @flags: flags for the integrity device activation
++ * @extra: (allow-none): extra arguments for integrity open
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the @device was successfully opened or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const gchar *algorithm, const guint8* key_data, gsize key_size, BDCryptoIntegrityOpenFlags flags, BDCryptoIntegrityExtra *extra, GError **error) {
++    struct crypt_device *cd = NULL;
++    gint ret = 0;
++    guint64 progress_id = 0;
++    gchar *msg = NULL;
++    struct crypt_params_integrity params = ZERO_INIT;
++
++    params.integrity = algorithm;
++    params.integrity_key_size = key_size;
++
++    if (extra) {
++        params.sector_size = extra->sector_size;
++        params.journal_size = extra->journal_size;
++        params.journal_watermark = extra->journal_watermark;
++        params.journal_commit_time = extra->journal_commit_time;
++        params.interleave_sectors = extra->interleave_sectors;
++        params.tag_size = extra->tag_size;
++        params.buffer_sectors = extra->buffer_sectors;
++    }
++
++    msg = g_strdup_printf ("Started opening '%s' integrity device", device);
++    progress_id = bd_utils_report_started (msg);
++    g_free (msg);
++
++    ret = crypt_init (&cd, device);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to initialize device: %s", strerror_l (-ret, c_locale));
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    ret = crypt_load (cd, CRYPT_INTEGRITY, &params);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to load device's parameters: %s", strerror_l (-ret, c_locale));
++        crypt_free (cd);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    ret = crypt_activate_by_volume_key (cd, name, (const char *) key_data, key_size, flags);
++    if (ret < 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to activate device: %s", strerror_l (-ret, c_locale));
++
++        crypt_free (cd);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    crypt_free (cd);
++    bd_utils_report_finished (progress_id, "Completed");
++    return TRUE;
++}
++
++/**
++ * bd_crypto_integrity_close:
++ * @integrity_device: integrity device to close
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the given @integrity_device was successfully closed or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_close (const gchar *integrity_device, GError **error) {
++    return _crypto_close (integrity_device, "integrity", error);
++}
++
+ /**
+  * bd_crypto_device_seems_encrypted:
+  * @device: the queried device
+@@ -2471,7 +2722,7 @@ gboolean bd_crypto_escrow_device (const gchar *device, const gchar *passphrase,
+  *
+  * Tech category: %BD_CRYPTO_TECH_BITLK-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
+  */
+-#ifndef LIBCRYPTSETUP_BITLK
++#ifndef LIBCRYPTSETUP_23
+ gboolean bd_crypto_bitlk_open (const gchar *device UNUSED, const gchar *name UNUSED, const guint8* pass_data UNUSED, gsize data_len UNUSED, gboolean read_only UNUSED, GError **error) {
+     /* this will return FALSE and set error, because BITLK technology is not available */
+     return bd_crypto_is_tech_avail (BD_CRYPTO_TECH_BITLK, BD_CRYPTO_TECH_MODE_OPEN_CLOSE, error);
+@@ -2541,7 +2792,7 @@ gboolean bd_crypto_bitlk_open (const gchar *device, const gchar *name, const gui
+  *
+  * Tech category: %BD_CRYPTO_TECH_BITLK-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
+  */
+-#ifndef LIBCRYPTSETUP_BITLK
++#ifndef LIBCRYPTSETUP_23
+ gboolean bd_crypto_bitlk_close (const gchar *bitlk_device UNUSED, GError **error) {
+     /* this will return FALSE and set error, because BITLK technology is not available */
+     return bd_crypto_is_tech_avail (BD_CRYPTO_TECH_BITLK, BD_CRYPTO_TECH_MODE_OPEN_CLOSE, error);
+diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
+index 1c8f47ea..6c1d40dd 100644
+--- a/src/plugins/crypto.h
++++ b/src/plugins/crypto.h
+@@ -122,6 +122,43 @@ void bd_crypto_luks_extra_free (BDCryptoLUKSExtra *extra);
+ BDCryptoLUKSExtra* bd_crypto_luks_extra_copy (BDCryptoLUKSExtra *extra);
+ BDCryptoLUKSExtra* bd_crypto_luks_extra_new (guint64 data_alignment, const gchar *data_device, const gchar *integrity, guint64 sector_size, const gchar *label, const gchar *subsystem, BDCryptoLUKSPBKDF *pbkdf);
+ 
++/**
++ * BDCryptoIntegrityExtra:
++ * @sector_size: integrity sector size
++ * @journal_size: size of journal in bytes
++ * @journal_watermark: journal flush watermark in percents; in bitmap mode sectors-per-bit
++ * @journal_commit_time: journal commit time (or bitmap flush time) in ms
++ * @interleave_sectors: number of interleave sectors (power of two)
++ * @tag_size: tag size per-sector in bytes
++ * @buffer_sectors: number of sectors in one buffer
++ */
++typedef struct BDCryptoIntegrityExtra {
++    guint32 sector_size;
++    guint64 journal_size;
++    guint journal_watermark;
++    guint journal_commit_time;
++    guint32 interleave_sectors;
++    guint32 tag_size;
++    guint32 buffer_sectors;
++} BDCryptoIntegrityExtra;
++
++void bd_crypto_integrity_extra_free (BDCryptoIntegrityExtra *extra);
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *extra);
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors);
++
++typedef enum {
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
++#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
++#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++} BDCryptoIntegrityOpenFlags;
++
+ /**
+  * BDCryptoLUKSInfo:
+  * @version: LUKS version
+@@ -215,6 +252,10 @@ gboolean bd_crypto_luks_header_restore (const gchar *device, const gchar *backup
+ BDCryptoLUKSInfo* bd_crypto_luks_info (const gchar *luks_device, GError **error);
+ BDCryptoIntegrityInfo* bd_crypto_integrity_info (const gchar *device, GError **error);
+ 
++gboolean bd_crypto_integrity_format (const gchar *device, const gchar *algorithm, gboolean wipe, const guint8* key_data, gsize key_size, BDCryptoIntegrityExtra *extra, GError **error);
++gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const gchar *algorithm, const guint8* key_data, gsize key_size, BDCryptoIntegrityOpenFlags flags, BDCryptoIntegrityExtra *extra, GError **error);
++gboolean bd_crypto_integrity_close (const gchar *integrity_device, GError **error);
++
+ gboolean bd_crypto_device_seems_encrypted (const gchar *device, GError **error);
+ gboolean bd_crypto_tc_open (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, gboolean read_only, GError **error);
+ gboolean bd_crypto_tc_open_full (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, const gchar **keyfiles, gboolean hidden, gboolean system, gboolean veracrypt, guint32 veracrypt_pim, gboolean read_only, GError **error);
+diff --git a/src/python/gi/overrides/BlockDev.py b/src/python/gi/overrides/BlockDev.py
+index 8574ab04..8bd03cf8 100644
+--- a/src/python/gi/overrides/BlockDev.py
++++ b/src/python/gi/overrides/BlockDev.py
+@@ -276,6 +276,30 @@ def crypto_bitlk_open(device, name, passphrase, read_only=False):
+ __all__.append("crypto_bitlk_open")
+ 
+ 
++class CryptoIntegrityExtra(BlockDev.CryptoIntegrityExtra):
++    def __new__(cls, sector_size=0, journal_size=0, journal_watermark=0, journal_commit_time=0, interleave_sectors=0, tag_size=0, buffer_sectors=0):
++        ret = BlockDev.CryptoIntegrityExtra.new(sector_size, journal_size, journal_watermark, journal_commit_time, interleave_sectors, tag_size, buffer_sectors)
++        ret.__class__ = cls
++        return ret
++    def __init__(self, *args, **kwargs):   # pylint: disable=unused-argument
++        super(CryptoIntegrityExtra, self).__init__()  #pylint: disable=bad-super-call
++CryptoIntegrityExtra = override(CryptoIntegrityExtra)
++__all__.append("CryptoIntegrityExtra")
++
++
++_crypto_integrity_format = BlockDev.crypto_integrity_format
++@override(BlockDev.crypto_integrity_format)
++def crypto_integrity_format(device, algorithm=None, wipe=True, key_data=None, extra=None):
++    return _crypto_integrity_format(device, algorithm, wipe, key_data, extra)
++__all__.append("crypto_integrity_format")
++
++_crypto_integrity_open = BlockDev.crypto_integrity_open
++@override(BlockDev.crypto_integrity_open)
++def crypto_integrity_open(device, name, algorithm, key_data=None, flags=0, extra=None):
++    return _crypto_integrity_open(device, name, algorithm, key_data, flags, extra)
++__all__.append("crypto_integrity_open")
++
++
+ _dm_create_linear = BlockDev.dm_create_linear
+ @override(BlockDev.dm_create_linear)
+ def dm_create_linear(map_name, device, length, uuid=None):
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 5e02c00d..a8fc8579 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -2,6 +2,7 @@ import unittest
+ import os
+ import tempfile
+ import overrides_hack
++import secrets
+ import shutil
+ import subprocess
+ import six
+@@ -34,6 +35,8 @@ class CryptoTestCase(unittest.TestCase):
+ 
+     requested_plugins = BlockDev.plugin_specs_from_names(("crypto", "loop"))
+ 
++    _dm_name = "libblockdevTestLUKS"
++
+     @classmethod
+     def setUpClass(cls):
+         unittest.TestCase.setUpClass()
+@@ -64,7 +67,7 @@ class CryptoTestCase(unittest.TestCase):
+ 
+     def _clean_up(self):
+         try:
+-            BlockDev.crypto_luks_close("libblockdevTestLUKS")
++            BlockDev.crypto_luks_close(self._dm_name)
+         except:
+             pass
+ 
+@@ -1029,7 +1032,7 @@ class CryptoTestLuksSectorSize(CryptoTestCase):
+         self.assertTrue(succ)
+ 
+ 
+-class CryptoTestIntegrity(CryptoTestCase):
++class CryptoTestLUKS2Integrity(CryptoTestCase):
+     @tag_test(TestTags.SLOW)
+     @unittest.skipUnless(HAVE_LUKS2, "LUKS 2 not supported")
+     def test_luks2_integrity(self):
+@@ -1216,3 +1219,92 @@ class CryptoTestBitlk(CryptoTestCase):
+         succ = BlockDev.crypto_bitlk_close("libblockdevTestBitlk")
+         self.assertTrue(succ)
+         self.assertFalse(os.path.exists("/dev/mapper/libblockdevTestBitlk"))
++
++
++class CryptoTestIntegrity(CryptoTestCase):
++
++    _dm_name = "libblockdevTestIntegrity"
++
++    @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
++    def test_integrity(self):
++        # basic format+open+close test
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "sha256", False)
++        self.assertTrue(succ)
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "sha256")
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        info = BlockDev.crypto_integrity_info(self._dm_name)
++        self.assertEqual(info.algorithm, "sha256")
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # same now with a keyed algorithm
++        key = list(secrets.token_bytes(64))
++
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "hmac(sha256)", False, key)
++        self.assertTrue(succ)
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "hmac(sha256)", key)
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        info = BlockDev.crypto_integrity_info(self._dm_name)
++        self.assertEqual(info.algorithm, "hmac(sha256)")
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # same with some custom parameters
++        extra = BlockDev.CryptoIntegrityExtra(sector_size=4096, interleave_sectors=65536)
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "crc32c", wipe=False, extra=extra)
++        self.assertTrue(succ)
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "crc32c")
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        info = BlockDev.crypto_integrity_info(self._dm_name)
++        self.assertEqual(info.algorithm, "crc32c")
++        self.assertEqual(info.sector_size, 4096)
++        self.assertEqual(info.interleave_sectors, 65536)
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++    @tag_test(TestTags.SLOW)
++    @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
++    def test_integrity_wipe(self):
++        # also check that wipe progress reporting works
++        progress_log = []
++
++        def _my_progress_func(_task, _status, completion, msg):
++            progress_log.append((completion, msg))
++
++        succ = BlockDev.utils_init_prog_reporting(_my_progress_func)
++        self.assertTrue(succ)
++        self.addCleanup(BlockDev.utils_init_prog_reporting, None)
++
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "sha256", True)
++        self.assertTrue(succ)
++
++        # at least one message "Integrity device wipe in progress" should be logged
++        self.assertTrue(any(prog[1] == "Integrity device wipe in progress" for prog in progress_log))
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "sha256")
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # check the devices was wiped and the checksums recalculated
++        # (mkfs reads some blocks first so without checksums it would fail)
++        ret, _out, err = run_command("mkfs.ext2 /dev/mapper/%s " % self._dm_name)
++        self.assertEqual(ret, 0, msg="Failed to create ext2 filesystem on integrity: %s" % err)
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
+-- 
+2.37.3
+
+
+From ad4ac36520ec96af2a7b043189bbdf18cc3cffb9 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 30 Sep 2021 16:01:40 +0200
+Subject: [PATCH 2/3] Create smaller test images for integrity tests
+
+We are going to overwrite the entire device in test_integrity_wipe
+so we need to make sure the sparse actually fits to /tmp which
+can be smaller than 1 GiB.
+---
+ tests/crypto_test.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index a8fc8579..9758bf81 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -36,6 +36,7 @@ class CryptoTestCase(unittest.TestCase):
+     requested_plugins = BlockDev.plugin_specs_from_names(("crypto", "loop"))
+ 
+     _dm_name = "libblockdevTestLUKS"
++    _sparse_size = 1024**3
+ 
+     @classmethod
+     def setUpClass(cls):
+@@ -49,8 +50,8 @@ class CryptoTestCase(unittest.TestCase):
+ 
+     def setUp(self):
+         self.addCleanup(self._clean_up)
+-        self.dev_file = create_sparse_tempfile("crypto_test", 1024**3)
+-        self.dev_file2 = create_sparse_tempfile("crypto_test2", 1024**3)
++        self.dev_file = create_sparse_tempfile("crypto_test", self._sparse_size)
++        self.dev_file2 = create_sparse_tempfile("crypto_test2", self._sparse_size)
+         try:
+             self.loop_dev = create_lio_device(self.dev_file)
+         except RuntimeError as e:
+@@ -1224,6 +1225,7 @@ class CryptoTestBitlk(CryptoTestCase):
+ class CryptoTestIntegrity(CryptoTestCase):
+ 
+     _dm_name = "libblockdevTestIntegrity"
++    _sparse_size = 100 * 1024**2
+ 
+     @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
+     def test_integrity(self):
+-- 
+2.37.3
+
+
+From 048a803be5186b30c0f0a7e67020486990ba6b81 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 20 Oct 2021 10:27:41 +0200
+Subject: [PATCH 3/3] crypto: Do not use libcryptsetup flags directly in
+ crypto.h
+
+We can "translate" our flags in the implementation instead to
+avoid including libcryptsetup.h in our header and API files.
+---
+ src/lib/plugin_apis/crypto.api | 17 ++++++-----------
+ src/plugins/crypto.c           | 34 +++++++++++++++++++++++++++++++++-
+ src/plugins/crypto.h           | 16 ++++++----------
+ tests/crypto_test.py           | 14 ++++++++++++++
+ 4 files changed, 59 insertions(+), 22 deletions(-)
+
+diff --git a/src/lib/plugin_apis/crypto.api b/src/lib/plugin_apis/crypto.api
+index 40e32c89..cf87979d 100644
+--- a/src/lib/plugin_apis/crypto.api
++++ b/src/lib/plugin_apis/crypto.api
+@@ -1,6 +1,5 @@
+ #include <glib.h>
+ #include <blockdev/utils.h>
+-#include <libcryptsetup.h>
+ 
+ #define BD_CRYPTO_LUKS_METADATA_SIZE G_GUINT64_CONSTANT (2097152ULL) // 2 MiB
+ 
+@@ -343,16 +342,12 @@ GType bd_crypto_integrity_extra_get_type () {
+ }
+ 
+ typedef enum {
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
+-    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
+-#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
+-#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = 1 << 0,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = 1 << 1,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = 1 << 2,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = 1 << 3,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = 1 << 4,
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = 1 << 5,
+ } BDCryptoIntegrityOpenFlags;
+ 
+ #define BD_CRYPTO_TYPE_LUKS_INFO (bd_crypto_luks_info_get_type ())
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index 8549cf23..35c38410 100644
+--- a/src/plugins/crypto.c
++++ b/src/plugins/crypto.c
+@@ -2223,6 +2223,7 @@ gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const
+     guint64 progress_id = 0;
+     gchar *msg = NULL;
+     struct crypt_params_integrity params = ZERO_INIT;
++    guint32 activate_flags = 0;
+ 
+     params.integrity = algorithm;
+     params.integrity_key_size = key_size;
+@@ -2237,6 +2238,37 @@ gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const
+         params.buffer_sectors = extra->buffer_sectors;
+     }
+ 
++
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL)
++        activate_flags |= CRYPT_ACTIVATE_NO_JOURNAL;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_RECOVERY)
++        activate_flags |= CRYPT_ACTIVATE_RECOVERY;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE)
++        activate_flags |= CRYPT_ACTIVATE_RECALCULATE;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS)
++        activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP) {
++#ifndef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
++                     "Cannot activate %s with bitmap, installed version of cryptsetup doesn't support this option.", device);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++#else
++        activate_flags |= CRYPT_ACTIVATE_NO_JOURNAL_BITMAP;
++#endif
++    }
++
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET) {
++#ifndef CRYPT_ACTIVATE_RECALCULATE_RESET
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
++                     "Cannot reset integrity recalculation while activating %s, installed version of cryptsetup doesn't support this option.", device);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++#else
++        activate_flags |= CRYPT_ACTIVATE_RECALCULATE_RESET;
++#endif
++    }
++
+     msg = g_strdup_printf ("Started opening '%s' integrity device", device);
+     progress_id = bd_utils_report_started (msg);
+     g_free (msg);
+@@ -2258,7 +2290,7 @@ gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const
+         return FALSE;
+     }
+ 
+-    ret = crypt_activate_by_volume_key (cd, name, (const char *) key_data, key_size, flags);
++    ret = crypt_activate_by_volume_key (cd, name, (const char *) key_data, key_size, activate_flags);
+     if (ret < 0) {
+         g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
+                      "Failed to activate device: %s", strerror_l (-ret, c_locale));
+diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
+index 6c1d40dd..536accf9 100644
+--- a/src/plugins/crypto.h
++++ b/src/plugins/crypto.h
+@@ -147,16 +147,12 @@ BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *
+ BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors);
+ 
+ typedef enum {
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
+-    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
+-#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
+-#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = 1 << 0,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = 1 << 1,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = 1 << 2,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = 1 << 3,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = 1 << 4,
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = 1 << 5,
+ } BDCryptoIntegrityOpenFlags;
+ 
+ /**
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 9758bf81..94b89131 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -1279,6 +1279,20 @@ class CryptoTestIntegrity(CryptoTestCase):
+         self.assertTrue(succ)
+         self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
+ 
++        # open with flags
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "crc32c",
++                                              flags=BlockDev.CryptoIntegrityOpenFlags.ALLOW_DISCARDS)
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # check that discard is enabled for the mapped device
++        _ret, out, _err = run_command("dmsetup table %s" % self._dm_name)
++        self.assertIn("allow_discards", out)
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
+     @tag_test(TestTags.SLOW)
+     @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
+     def test_integrity_wipe(self):
+-- 
+2.37.3
+

SOURCES/0005-nvme-Fix-namespace-identifiers.patch

@@ -0,0 +1,506 @@
+From b25fd9caca9b2fb34e5a4d7d4bee0031e4758d0a Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Thu, 22 Sep 2022 16:31:28 +0200
+Subject: [PATCH 1/5] nvme: Avoid sending NVME_IDENTIFY_CNS_NS_DESC_LIST on
+ older devices
+
+Turned out this Identify feature was introduced only with the NVMe 1.3
+specification. To find out device supported NVMe revision an extra
+Identify Controller call is needed.
+---
+ src/plugins/nvme/nvme-info.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/nvme/nvme-info.c b/src/plugins/nvme/nvme-info.c
+index fdd90459..112b4054 100644
+--- a/src/plugins/nvme/nvme-info.c
++++ b/src/plugins/nvme/nvme-info.c
+@@ -431,7 +431,7 @@ BDNVMEControllerInfo * bd_nvme_get_controller_info (const gchar *device, GError
+     if (fd < 0)
+         return NULL;
+ 
+-    /* send the NVME_IDENTIFY_CNS_NS + NVME_IDENTIFY_CNS_CTRL ioctl */
++    /* send the NVME_IDENTIFY_CNS_CTRL ioctl */
+     ret = nvme_identify_ctrl (fd, &ctrl_id);
+     if (ret != 0) {
+         _nvme_status_to_error (ret, FALSE, error);
+@@ -539,9 +539,11 @@ BDNVMEControllerInfo * bd_nvme_get_controller_info (const gchar *device, GError
+  */
+ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **error) {
+     int ret;
+-    int ret_desc;
++    int ret_ctrl;
++    int ret_desc = -1;
+     int fd;
+     __u32 nsid = 0;
++    struct nvme_id_ctrl ctrl_id = ZERO_INIT;
+     struct nvme_id_ns ns_info = ZERO_INIT;
+     uint8_t desc[NVME_IDENTIFY_DATA_SIZE] = ZERO_INIT;
+     guint8 flbas;
+@@ -565,7 +567,6 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+     }
+ 
+     /* send the NVME_IDENTIFY_CNS_NS ioctl */
+-    ret_desc = nvme_identify_ns_descs (fd, nsid, (struct nvme_ns_id_desc *) &desc);
+     ret = nvme_identify_ns (fd, nsid, &ns_info);
+     if (ret != 0) {
+         _nvme_status_to_error (ret, FALSE, error);
+@@ -573,6 +574,13 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+         close (fd);
+         return NULL;
+     }
++
++    /* send the NVME_IDENTIFY_CNS_CTRL ioctl */
++    ret_ctrl = nvme_identify_ctrl (fd, &ctrl_id);
++
++    /* send the NVME_IDENTIFY_CNS_NS_DESC_LIST ioctl, NVMe 1.3 */
++    if (ret_ctrl == 0 && GUINT32_FROM_LE (ctrl_id.ver) >= 0x10300)
++        ret_desc = nvme_identify_ns_descs (fd, nsid, (struct nvme_ns_id_desc *) &desc);
+     close (fd);
+ 
+     info = g_new0 (BDNVMENamespaceInfo, 1);
+-- 
+2.39.0
+
+
+From e6f7d0c4562623b03df96dc6b89ab00d8e4d6b90 Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Thu, 22 Sep 2022 16:56:26 +0200
+Subject: [PATCH 2/5] nvme: Add BD_NVME_NS_FEAT_ROTATIONAL
+
+A NVMe 2.0 feature indicating rotational medium on a namespace level.
+Further information can be found in the Rotational Media Information Log
+page (Log Identifier 16h) that is not implemented in libblockdev yet.
+---
+ src/lib/plugin_apis/nvme.api |  2 ++
+ src/plugins/nvme/nvme-info.c | 10 ++++++++++
+ src/plugins/nvme/nvme.h      |  2 ++
+ tests/nvme_test.py           |  1 +
+ 4 files changed, 15 insertions(+)
+
+diff --git a/src/lib/plugin_apis/nvme.api b/src/lib/plugin_apis/nvme.api
+index 79247a01..7bc2cf9e 100644
+--- a/src/lib/plugin_apis/nvme.api
++++ b/src/lib/plugin_apis/nvme.api
+@@ -317,12 +317,14 @@ GType bd_nvme_lba_format_get_type () {
+  *                                    in the NVM subsystem concurrently.
+  * @BD_NVME_NS_FEAT_FORMAT_PROGRESS: indicates the capability to report the percentage of the namespace
+  *                                   that remains to be formatted.
++ * @BD_NVME_NS_FEAT_ROTATIONAL: indicates a rotational medium.
+  */
+ /* BpG-skip-end */
+ typedef enum {
+     BD_NVME_NS_FEAT_THIN             = 1 << 0,
+     BD_NVME_NS_FEAT_MULTIPATH_SHARED = 1 << 1,
+     BD_NVME_NS_FEAT_FORMAT_PROGRESS  = 1 << 2,
++    BD_NVME_NS_FEAT_ROTATIONAL       = 1 << 3,
+ } BDNVMENamespaceFeature;
+ 
+ #define BD_NVME_TYPE_NAMESPACE_INFO (bd_nvme_namespace_info_get_type ())
+diff --git a/src/plugins/nvme/nvme-info.c b/src/plugins/nvme/nvme-info.c
+index 112b4054..c574a6f3 100644
+--- a/src/plugins/nvme/nvme-info.c
++++ b/src/plugins/nvme/nvme-info.c
+@@ -541,10 +541,12 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+     int ret;
+     int ret_ctrl;
+     int ret_desc = -1;
++    int ret_ns_ind = -1;
+     int fd;
+     __u32 nsid = 0;
+     struct nvme_id_ctrl ctrl_id = ZERO_INIT;
+     struct nvme_id_ns ns_info = ZERO_INIT;
++    struct nvme_id_independent_id_ns ns_info_ind = ZERO_INIT;
+     uint8_t desc[NVME_IDENTIFY_DATA_SIZE] = ZERO_INIT;
+     guint8 flbas;
+     guint i;
+@@ -581,6 +583,10 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+     /* send the NVME_IDENTIFY_CNS_NS_DESC_LIST ioctl, NVMe 1.3 */
+     if (ret_ctrl == 0 && GUINT32_FROM_LE (ctrl_id.ver) >= 0x10300)
+         ret_desc = nvme_identify_ns_descs (fd, nsid, (struct nvme_ns_id_desc *) &desc);
++
++    /* send the NVME_IDENTIFY_CNS_CSI_INDEPENDENT_ID_NS ioctl, NVMe 2.0 */
++    if (ret_ctrl == 0 && GUINT32_FROM_LE (ctrl_id.ver) >= 0x20000)
++        ret_ns_ind = nvme_identify_independent_identify_ns (fd, nsid, &ns_info_ind);
+     close (fd);
+ 
+     info = g_new0 (BDNVMENamespaceInfo, 1);
+@@ -627,6 +633,10 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+             }
+         }
+     }
++    if (ret_ns_ind == 0) {
++        if ((ns_info_ind.nsfeat & 1 << 4) == 1 << 4)
++            info->features |= BD_NVME_NS_FEAT_ROTATIONAL;
++    }
+ 
+     /* translate the LBA Format array */
+     ptr_array = g_ptr_array_new ();
+diff --git a/src/plugins/nvme/nvme.h b/src/plugins/nvme/nvme.h
+index a7d30d79..ad456a82 100644
+--- a/src/plugins/nvme/nvme.h
++++ b/src/plugins/nvme/nvme.h
+@@ -202,11 +202,13 @@ typedef struct BDNVMELBAFormat {
+  *                                    in the NVM subsystem concurrently.
+  * @BD_NVME_NS_FEAT_FORMAT_PROGRESS: indicates the capability to report the percentage of the namespace
+  *                                   that remains to be formatted.
++ * @BD_NVME_NS_FEAT_ROTATIONAL: indicates a rotational medium.
+  */
+ typedef enum {
+     BD_NVME_NS_FEAT_THIN             = 1 << 0,
+     BD_NVME_NS_FEAT_MULTIPATH_SHARED = 1 << 1,
+     BD_NVME_NS_FEAT_FORMAT_PROGRESS  = 1 << 2,
++    BD_NVME_NS_FEAT_ROTATIONAL       = 1 << 3,
+ } BDNVMENamespaceFeature;
+ 
+ /**
+diff --git a/tests/nvme_test.py b/tests/nvme_test.py
+index a46f7422..f205e539 100644
+--- a/tests/nvme_test.py
++++ b/tests/nvme_test.py
+@@ -73,6 +73,7 @@ class NVMeTestCase(NVMeTest):
+         self.assertFalse(info.features & BlockDev.NVMENamespaceFeature.THIN)
+         self.assertTrue (info.features & BlockDev.NVMENamespaceFeature.MULTIPATH_SHARED)
+         self.assertFalse(info.features & BlockDev.NVMENamespaceFeature.FORMAT_PROGRESS)
++        self.assertFalse(info.features & BlockDev.NVMENamespaceFeature.ROTATIONAL)
+         self.assertEqual(info.eui64, "0000000000000000")
+         self.assertEqual(info.format_progress_remaining, 0)
+         self.assertEqual(len(info.lba_formats), 1)
+-- 
+2.39.0
+
+
+From 4ff0df937dcd357623e7b7d960c08c476b1deffb Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Fri, 9 Dec 2022 16:13:43 +0100
+Subject: [PATCH 3/5] nvme: Fix namespace identifiers
+
+Use Namespace Identification Descriptor list (CNS 03h) data when available
+and NVM Command Set Identify Namespace Data Structure (CNS 00h) as a fallback.
+
+Also, if the CNS 00h EUI64 or NGUID fields equal to zero, return NULL
+instead of zeroes:
+  "If the controller is not able to provide a ... identifier in this field,
+   then this field shall be cleared to 0h."
+---
+ src/plugins/nvme/nvme-info.c | 26 +++++++++++++++++++-------
+ tests/nvme_test.py           |  2 +-
+ 2 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/src/plugins/nvme/nvme-info.c b/src/plugins/nvme/nvme-info.c
+index c574a6f3..ac189abe 100644
+--- a/src/plugins/nvme/nvme-info.c
++++ b/src/plugins/nvme/nvme-info.c
+@@ -603,12 +603,7 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+     info->format_progress_remaining = ns_info.fpi & NVME_NS_FPI_REMAINING;
+     /* TODO: what the ns_info.nvmcap really stands for? */
+     info->write_protected = (ns_info.nsattr & NVME_NS_NSATTR_WRITE_PROTECTED) == NVME_NS_NSATTR_WRITE_PROTECTED;
+-    info->nguid = g_malloc0 (sizeof (ns_info.nguid) * 2 + 1);
+-    for (i = 0; i < G_N_ELEMENTS (ns_info.nguid); i++)
+-        snprintf (info->nguid + i * 2, 3, "%02x", ns_info.nguid[i]);
+-    info->eui64 = g_malloc0 (sizeof (ns_info.eui64) * 2 + 1);
+-    for (i = 0; i < G_N_ELEMENTS (ns_info.eui64); i++)
+-        snprintf (info->eui64 + i * 2, 3, "%02x", ns_info.eui64[i]);
++
+     if (ret_desc == 0) {
+         for (i = 0; i < NVME_IDENTIFY_DATA_SIZE; i += len) {
+             struct nvme_ns_id_desc *d = (void *) desc + i;
+@@ -620,8 +615,14 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+ 
+             switch (d->nidt) {
+                 case NVME_NIDT_EUI64:
++                    info->eui64 = g_malloc0 (d->nidl * 2 + 1);
++                    for (i = 0; i < d->nidl; i++)
++                        snprintf (info->eui64 + i * 2, 3, "%02x", d->nid[i]);
++                    break;
+                 case NVME_NIDT_NGUID:
+-                    /* already have these from nvme_identify_ns() */
++                    info->nguid = g_malloc0 (d->nidl * 2 + 1);
++                    for (i = 0; i < d->nidl; i++)
++                        snprintf (info->nguid + i * 2, 3, "%02x", d->nid[i]);
+                     break;
+                 case NVME_NIDT_UUID:
+                     uuid_unparse (d->nid, uuid_buf);
+@@ -633,6 +634,17 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+             }
+         }
+     }
++
++    if (info->nguid == NULL && ns_info.nguid[G_N_ELEMENTS (ns_info.nguid) - 1] > 0) {
++        info->nguid = g_malloc0 (sizeof (ns_info.nguid) * 2 + 1);
++        for (i = 0; i < G_N_ELEMENTS (ns_info.nguid); i++)
++            snprintf (info->nguid + i * 2, 3, "%02x", ns_info.nguid[i]);
++    }
++    if (info->eui64 == NULL && ns_info.eui64[G_N_ELEMENTS (ns_info.eui64) - 1] > 0) {
++        info->eui64 = g_malloc0 (sizeof (ns_info.eui64) * 2 + 1);
++        for (i = 0; i < G_N_ELEMENTS (ns_info.eui64); i++)
++            snprintf (info->eui64 + i * 2, 3, "%02x", ns_info.eui64[i]);
++    }
+     if (ret_ns_ind == 0) {
+         if ((ns_info_ind.nsfeat & 1 << 4) == 1 << 4)
+             info->features |= BD_NVME_NS_FEAT_ROTATIONAL;
+diff --git a/tests/nvme_test.py b/tests/nvme_test.py
+index f205e539..a1822be6 100644
+--- a/tests/nvme_test.py
++++ b/tests/nvme_test.py
+@@ -74,7 +74,7 @@ class NVMeTestCase(NVMeTest):
+         self.assertTrue (info.features & BlockDev.NVMENamespaceFeature.MULTIPATH_SHARED)
+         self.assertFalse(info.features & BlockDev.NVMENamespaceFeature.FORMAT_PROGRESS)
+         self.assertFalse(info.features & BlockDev.NVMENamespaceFeature.ROTATIONAL)
+-        self.assertEqual(info.eui64, "0000000000000000")
++        self.assertIsNone(info.eui64)
+         self.assertEqual(info.format_progress_remaining, 0)
+         self.assertEqual(len(info.lba_formats), 1)
+         self.assertGreater(len(info.nguid), 0)
+-- 
+2.39.0
+
+
+From cdbb9a37a19d3f388910f68c4c384bafae8901ae Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Wed, 11 Jan 2023 18:19:36 +0100
+Subject: [PATCH 4/5] nvme: Use libnvme-1.2's nvme_uuid_to_string()
+
+This also bumps libnvme dependency to 1.2
+---
+ configure.ac                    |  5 +----
+ src/plugins/nvme/Makefile.am    |  4 ++--
+ src/plugins/nvme/nvme-error.c   |  3 ---
+ src/plugins/nvme/nvme-fabrics.c |  1 -
+ src/plugins/nvme/nvme-info.c    | 17 ++++++++++-------
+ src/plugins/nvme/nvme-op.c      |  1 -
+ src/plugins/nvme/nvme.c         |  1 -
+ 7 files changed, 13 insertions(+), 19 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index ec789c91..fbd70473 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -281,10 +281,7 @@ AS_IF([test "x$with_nvdimm" != "xno"],
+       [])
+ 
+ AS_IF([test "x$with_nvme" != "xno"],
+-      [LIBBLOCKDEV_PKG_CHECK_MODULES([NVME], [libnvme >= 1.0])
+-      AS_IF([$PKG_CONFIG --atleast-version=1.1 libnvme],
+-            [AC_DEFINE([HAVE_LIBNVME_1_1])], [])
+-      ],
++      [LIBBLOCKDEV_PKG_CHECK_MODULES([NVME], [libnvme >= 1.2])],
+       [])
+ 
+ AS_IF([test "x$with_vdo" != "xno"],
+diff --git a/src/plugins/nvme/Makefile.am b/src/plugins/nvme/Makefile.am
+index b4a10ce0..a8a856d4 100644
+--- a/src/plugins/nvme/Makefile.am
++++ b/src/plugins/nvme/Makefile.am
+@@ -2,8 +2,8 @@ AUTOMAKE_OPTIONS = subdir-objects
+ 
+ lib_LTLIBRARIES = libbd_nvme.la
+ 
+-libbd_nvme_la_CFLAGS = $(GLIB_CFLAGS) $(GIO_CFLAGS) $(UUID_CFLAGS) $(NVME_CFLAGS) -Wall -Wextra -Werror
+-libbd_nvme_la_LIBADD = ${builddir}/../../utils/libbd_utils.la $(GLIB_LIBS) $(GIO_LIBS) $(UUID_LIBS) $(NVME_LIBS)
++libbd_nvme_la_CFLAGS = $(GLIB_CFLAGS) $(GIO_CFLAGS) $(NVME_CFLAGS) -Wall -Wextra -Werror
++libbd_nvme_la_LIBADD = ${builddir}/../../utils/libbd_utils.la $(GLIB_LIBS) $(GIO_LIBS) $(NVME_LIBS)
+ libbd_nvme_la_LDFLAGS = -L${srcdir}/../../utils/ -version-info 2:0:0 -Wl,--no-undefined
+ libbd_nvme_la_CPPFLAGS = -I${builddir}/../../../include/ -I${srcdir}/../ -I. -DPACKAGE_SYSCONF_DIR=\""$(sysconfdir)"\"
+ 
+diff --git a/src/plugins/nvme/nvme-error.c b/src/plugins/nvme/nvme-error.c
+index 86f0d6a3..cb95a46d 100644
+--- a/src/plugins/nvme/nvme-error.c
++++ b/src/plugins/nvme/nvme-error.c
+@@ -28,7 +28,6 @@
+ #include <malloc.h>
+ 
+ #include <libnvme.h>
+-#include <uuid/uuid.h>
+ 
+ #include <blockdev/utils.h>
+ #include <check_deps.h>
+@@ -123,7 +122,6 @@ void _nvme_fabrics_errno_to_gerror (int result, int _errno, GError **error)
+             case ENVME_CONNECT_LOOKUP_SUBSYS:
+                 code = BD_NVME_ERROR_CONNECT;
+                 break;
+-#ifdef HAVE_LIBNVME_1_1
+             case ENVME_CONNECT_ALREADY:
+                 code = BD_NVME_ERROR_CONNECT_ALREADY;
+                 break;
+@@ -139,7 +137,6 @@ void _nvme_fabrics_errno_to_gerror (int result, int _errno, GError **error)
+             case ENVME_CONNECT_OPNOTSUPP:
+                 code = BD_NVME_ERROR_CONNECT_OPNOTSUPP;
+                 break;
+-#endif
+             default:
+                 code = BD_NVME_ERROR_CONNECT;
+         }
+diff --git a/src/plugins/nvme/nvme-fabrics.c b/src/plugins/nvme/nvme-fabrics.c
+index 20ed57f5..bba7392d 100644
+--- a/src/plugins/nvme/nvme-fabrics.c
++++ b/src/plugins/nvme/nvme-fabrics.c
+@@ -30,7 +30,6 @@
+ #include <glib/gstdio.h>
+ 
+ #include <libnvme.h>
+-#include <uuid/uuid.h>
+ 
+ #include <blockdev/utils.h>
+ #include <check_deps.h>
+diff --git a/src/plugins/nvme/nvme-info.c b/src/plugins/nvme/nvme-info.c
+index ac189abe..18719d51 100644
+--- a/src/plugins/nvme/nvme-info.c
++++ b/src/plugins/nvme/nvme-info.c
+@@ -28,7 +28,6 @@
+ #include <malloc.h>
+ 
+ #include <libnvme.h>
+-#include <uuid/uuid.h>
+ 
+ #include <blockdev/utils.h>
+ #include <check_deps.h>
+@@ -408,6 +407,14 @@ static gchar *decode_nvme_rev (guint32 ver) {
+         return g_strdup_printf ("%u.%u.%u", mjr, mnr, ter);
+ }
+ 
++static gchar *_uuid_to_str (unsigned char uuid[NVME_UUID_LEN]) {
++    gchar uuid_buf[NVME_UUID_LEN_STRING] = ZERO_INIT;
++
++    if (nvme_uuid_to_string (uuid, uuid_buf) == 0)
++        return g_strdup (uuid_buf);
++    return NULL;
++}
++
+ /**
+  * bd_nvme_get_controller_info:
+  * @device: a NVMe controller device (e.g. `/dev/nvme0`)
+@@ -461,9 +468,7 @@ BDNVMEControllerInfo * bd_nvme_get_controller_info (const gchar *device, GError
+     info->pci_vendor_id = GUINT16_FROM_LE (ctrl_id.vid);
+     info->pci_subsys_vendor_id = GUINT16_FROM_LE (ctrl_id.ssvid);
+     info->ctrl_id = GUINT16_FROM_LE (ctrl_id.cntlid);
+-    /* TODO: decode fguid as 128-bit hex string? */
+-    info->fguid = g_strdup_printf ("%-.*s", (int) sizeof (ctrl_id.fguid), ctrl_id.fguid);
+-    g_strstrip (info->fguid);
++    info->fguid = _uuid_to_str (ctrl_id.fguid);
+     info->model_number = g_strndup (ctrl_id.mn, sizeof (ctrl_id.mn));
+     g_strstrip (info->model_number);
+     info->serial_number = g_strndup (ctrl_id.sn, sizeof (ctrl_id.sn));
+@@ -607,7 +612,6 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+     if (ret_desc == 0) {
+         for (i = 0; i < NVME_IDENTIFY_DATA_SIZE; i += len) {
+             struct nvme_ns_id_desc *d = (void *) desc + i;
+-            gchar uuid_buf[37] = ZERO_INIT;
+ 
+             if (!d->nidl)
+                 break;
+@@ -625,8 +629,7 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+                         snprintf (info->nguid + i * 2, 3, "%02x", d->nid[i]);
+                     break;
+                 case NVME_NIDT_UUID:
+-                    uuid_unparse (d->nid, uuid_buf);
+-                    info->uuid = g_strdup (uuid_buf);
++                    info->uuid = _uuid_to_str (d->nid);
+                     break;
+                 case NVME_NIDT_CSI:
+                     /* unused */
+diff --git a/src/plugins/nvme/nvme-op.c b/src/plugins/nvme/nvme-op.c
+index 4568c453..c9e92697 100644
+--- a/src/plugins/nvme/nvme-op.c
++++ b/src/plugins/nvme/nvme-op.c
+@@ -29,7 +29,6 @@
+ #include <linux/fs.h>
+ 
+ #include <libnvme.h>
+-#include <uuid/uuid.h>
+ 
+ #include <blockdev/utils.h>
+ #include <check_deps.h>
+diff --git a/src/plugins/nvme/nvme.c b/src/plugins/nvme/nvme.c
+index 00f2f76e..4a32ac4e 100644
+--- a/src/plugins/nvme/nvme.c
++++ b/src/plugins/nvme/nvme.c
+@@ -28,7 +28,6 @@
+ #include <malloc.h>
+ 
+ #include <libnvme.h>
+-#include <uuid/uuid.h>
+ 
+ #include <blockdev/utils.h>
+ #include <check_deps.h>
+-- 
+2.39.0
+
+
+From 64263599ec39b6b0f20d8e16c1169afcf66f5d9a Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Thu, 12 Jan 2023 16:01:28 +0100
+Subject: [PATCH 5/5] nvme: Fix zeroed struct fields detection
+
+As often stated in the NVMe specification, fields of features that
+are either not implemented or not valid are typically cleared to zero (0h).
+---
+ src/plugins/nvme/nvme-info.c | 20 +++++++++++++++-----
+ tests/nvme_test.py           |  2 +-
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/src/plugins/nvme/nvme-info.c b/src/plugins/nvme/nvme-info.c
+index 18719d51..85f94a32 100644
+--- a/src/plugins/nvme/nvme-info.c
++++ b/src/plugins/nvme/nvme-info.c
+@@ -415,6 +415,15 @@ static gchar *_uuid_to_str (unsigned char uuid[NVME_UUID_LEN]) {
+     return NULL;
+ }
+ 
++static gboolean _nvme_a_is_zero (const __u8 a[], int len) {
++    int i;
++
++    for (i = 0; i < len; i++)
++        if (a[i] > 0)
++            return FALSE;
++    return TRUE;
++}
++
+ /**
+  * bd_nvme_get_controller_info:
+  * @device: a NVMe controller device (e.g. `/dev/nvme0`)
+@@ -468,7 +477,8 @@ BDNVMEControllerInfo * bd_nvme_get_controller_info (const gchar *device, GError
+     info->pci_vendor_id = GUINT16_FROM_LE (ctrl_id.vid);
+     info->pci_subsys_vendor_id = GUINT16_FROM_LE (ctrl_id.ssvid);
+     info->ctrl_id = GUINT16_FROM_LE (ctrl_id.cntlid);
+-    info->fguid = _uuid_to_str (ctrl_id.fguid);
++    if (!_nvme_a_is_zero (ctrl_id.fguid, sizeof (ctrl_id.fguid)))
++        info->fguid = _uuid_to_str (ctrl_id.fguid);
+     info->model_number = g_strndup (ctrl_id.mn, sizeof (ctrl_id.mn));
+     g_strstrip (info->model_number);
+     info->serial_number = g_strndup (ctrl_id.sn, sizeof (ctrl_id.sn));
+@@ -638,14 +648,14 @@ BDNVMENamespaceInfo *bd_nvme_get_namespace_info (const gchar *device, GError **e
+         }
+     }
+ 
+-    if (info->nguid == NULL && ns_info.nguid[G_N_ELEMENTS (ns_info.nguid) - 1] > 0) {
++    if (info->nguid == NULL && !_nvme_a_is_zero (ns_info.nguid, sizeof (ns_info.nguid))) {
+         info->nguid = g_malloc0 (sizeof (ns_info.nguid) * 2 + 1);
+-        for (i = 0; i < G_N_ELEMENTS (ns_info.nguid); i++)
++        for (i = 0; i < sizeof (ns_info.nguid); i++)
+             snprintf (info->nguid + i * 2, 3, "%02x", ns_info.nguid[i]);
+     }
+-    if (info->eui64 == NULL && ns_info.eui64[G_N_ELEMENTS (ns_info.eui64) - 1] > 0) {
++    if (info->eui64 == NULL && !_nvme_a_is_zero (ns_info.eui64, sizeof (ns_info.eui64))) {
+         info->eui64 = g_malloc0 (sizeof (ns_info.eui64) * 2 + 1);
+-        for (i = 0; i < G_N_ELEMENTS (ns_info.eui64); i++)
++        for (i = 0; i < sizeof (ns_info.eui64); i++)
+             snprintf (info->eui64 + i * 2, 3, "%02x", ns_info.eui64[i]);
+     }
+     if (ret_ns_ind == 0) {
+diff --git a/tests/nvme_test.py b/tests/nvme_test.py
+index a1822be6..a1494d9a 100644
+--- a/tests/nvme_test.py
++++ b/tests/nvme_test.py
+@@ -116,7 +116,7 @@ class NVMeTestCase(NVMeTest):
+         self.assertFalse(info.features & BlockDev.NVMEControllerFeature.ENCLOSURE)
+         self.assertFalse(info.features & BlockDev.NVMEControllerFeature.MGMT_PCIE)
+         self.assertFalse(info.features & BlockDev.NVMEControllerFeature.MGMT_SMBUS)
+-        self.assertEqual(info.fguid, "")
++        self.assertIsNone(info.fguid)
+         self.assertEqual(info.pci_vendor_id, 0)
+         self.assertEqual(info.pci_subsys_vendor_id, 0)
+         self.assertIn("Linux", info.model_number)
+-- 
+2.39.0
+

SOURCES/0006-Allow-resizing-of-inactive-LVs-with-latest-LVM.patch

@@ -0,0 +1,219 @@
+From 08d0ab8b93907ed3e2c7588dcaecb76bc4b26055 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 27 Feb 2023 11:29:29 +0100
+Subject: [PATCH 1/2] Include LVM cli in the LVM DBus plugin dependencies
+
+Strictly speaking the lvm command is not needed by the plugin, but
+the LVM DBus daemon uses it so it must be present on the system
+and we are already calling "lvm segtypes" from the plugin so if
+the command is not available for us (for example not in $PATH) the
+plugin wouldn't load anyway so an extra check isn't going to
+change anything.
+---
+ src/plugins/lvm-dbus.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/lvm-dbus.c b/src/plugins/lvm-dbus.c
+index d4b542e2..8496a697 100644
+--- a/src/plugins/lvm-dbus.c
++++ b/src/plugins/lvm-dbus.c
+@@ -249,11 +249,14 @@ static volatile guint avail_features = 0;
+ static volatile guint avail_module_deps = 0;
+ static GMutex deps_check_lock;
+ 
+-#define DEPS_LVMDEVICES 0
++#define DEPS_LVM 0
++#define DEPS_LVM_MASK (1 << DEPS_LVM)
++#define DEPS_LVMDEVICES 1
+ #define DEPS_LVMDEVICES_MASK (1 << DEPS_LVMDEVICES)
+-#define DEPS_LAST 1
++#define DEPS_LAST 2
+ 
+ static const UtilDep deps[DEPS_LAST] = {
++    {"lvm", LVM_MIN_VERSION, "version", "LVM version:\\s+([\\d\\.]+)"},
+     {"lvmdevices", NULL, NULL, NULL},
+ };
+ 
+@@ -2121,6 +2124,7 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+     GVariantBuilder builder;
+     GVariantType *type = NULL;
+     GVariant *params = NULL;
++    GVariant *extra_params = NULL;
+ 
+     g_variant_builder_init (&builder, G_VARIANT_TYPE_TUPLE);
+     g_variant_builder_add_value (&builder, g_variant_new ("t", size));
+@@ -2130,7 +2134,12 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+     params = g_variant_builder_end (&builder);
+     g_variant_builder_clear (&builder);
+ 
+-    call_lv_method_sync (vg_name, lv_name, "Resize", params, NULL, extra, TRUE, error);
++    g_variant_builder_init (&builder, G_VARIANT_TYPE_DICTIONARY);
++    g_variant_builder_add (&builder, "{sv}", "--fs", g_variant_new ("s", "ignore"));
++    extra_params = g_variant_builder_end (&builder);
++    g_variant_builder_clear (&builder);
++
++    call_lv_method_sync (vg_name, lv_name, "Resize", params, extra_params, extra, TRUE, error);
+     return (*error == NULL);
+ }
+ 
+-- 
+2.39.2
+
+
+From cfb23f424c2f318efea7d9fd60ec1bcdb365ee35 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 27 Feb 2023 14:00:21 +0100
+Subject: [PATCH 2/2] Allow resizing of inactive LVs with latest LVM
+
+Latest LVM doesn't allow resizing of inactive LVs without the
+"--fs ignore" option to protect users from corrupting their
+filesystems. As a low level API we don't really want to offer this
+kind of protection and we should allow to resize an inactive LV.
+---
+ src/plugins/lvm-dbus.c  | 28 ++++++++++++++++++++++++----
+ src/plugins/lvm.c       | 31 ++++++++++++++++++++++++++++---
+ tests/lvm_dbus_tests.py |  4 ++++
+ tests/lvm_test.py       |  4 ++++
+ 4 files changed, 60 insertions(+), 7 deletions(-)
+
+diff --git a/src/plugins/lvm-dbus.c b/src/plugins/lvm-dbus.c
+index 8496a697..28f3bb25 100644
+--- a/src/plugins/lvm-dbus.c
++++ b/src/plugins/lvm-dbus.c
+@@ -32,6 +32,8 @@
+ #define SECTOR_SIZE 512
+ #define VDO_POOL_SUFFIX "vpool"
+ 
++#define LVM_VERSION_FSRESIZE "2.03.19"
++
+ static GMutex global_config_lock;
+ static gchar *global_config_str = NULL;
+ 
+@@ -2125,6 +2127,14 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+     GVariantType *type = NULL;
+     GVariant *params = NULL;
+     GVariant *extra_params = NULL;
++    gboolean success = FALSE;
++    BDLVMLVdata *lvinfo = NULL;
++    GError *l_error = NULL;
++
++    lvinfo = bd_lvm_lvinfo (vg_name, lv_name, error);
++    if (!lvinfo)
++        /* error is already populated */
++        return FALSE;
+ 
+     g_variant_builder_init (&builder, G_VARIANT_TYPE_TUPLE);
+     g_variant_builder_add_value (&builder, g_variant_new ("t", size));
+@@ -2134,10 +2144,20 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+     params = g_variant_builder_end (&builder);
+     g_variant_builder_clear (&builder);
+ 
+-    g_variant_builder_init (&builder, G_VARIANT_TYPE_DICTIONARY);
+-    g_variant_builder_add (&builder, "{sv}", "--fs", g_variant_new ("s", "ignore"));
+-    extra_params = g_variant_builder_end (&builder);
+-    g_variant_builder_clear (&builder);
++    if (lvinfo->attr[4] != 'a') {
++        /* starting with 2.03.19 we need to add extra option to allow resizing of inactive LVs */
++        success = bd_utils_check_util_version (deps[DEPS_LVM].name, LVM_VERSION_FSRESIZE,
++                                            deps[DEPS_LVM].ver_arg, deps[DEPS_LVM].ver_regexp, &l_error);
++        if (success) {
++            g_variant_builder_init (&builder, G_VARIANT_TYPE_DICTIONARY);
++            g_variant_builder_add (&builder, "{sv}", "--fs", g_variant_new ("s", "ignore"));
++            extra_params = g_variant_builder_end (&builder);
++            g_variant_builder_clear (&builder);
++        } else
++            g_clear_error (&l_error);
++    }
++
++    bd_lvm_lvdata_free (lvinfo);
+ 
+     call_lv_method_sync (vg_name, lv_name, "Resize", params, extra_params, extra, TRUE, error);
+     return (*error == NULL);
+diff --git a/src/plugins/lvm.c b/src/plugins/lvm.c
+index 03211f8a..f1e2941b 100644
+--- a/src/plugins/lvm.c
++++ b/src/plugins/lvm.c
+@@ -31,6 +31,8 @@
+ #define SECTOR_SIZE 512
+ #define VDO_POOL_SUFFIX "vpool"
+ 
++#define LVM_VERSION_FSRESIZE "2.03.19"
++
+ static GMutex global_config_lock;
+ static gchar *global_config_str = NULL;
+ 
+@@ -1606,15 +1608,38 @@ gboolean bd_lvm_lvrename (const gchar *vg_name, const gchar *lv_name, const gcha
+  * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
+  */
+ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 size, const BDExtraArg **extra, GError **error) {
+-    const gchar *args[6] = {"lvresize", "--force", "-L", NULL, NULL, NULL};
++    const gchar *args[8] = {"lvresize", "--force", "-L", NULL, NULL, NULL, NULL, NULL};
+     gboolean success = FALSE;
++    guint8 next_arg = 4;
++    g_autofree gchar *lvspec = NULL;
++    BDLVMLVdata *lvinfo = NULL;
++    GError *l_error = NULL;
++
++    lvinfo = bd_lvm_lvinfo (vg_name, lv_name, error);
++    if (!lvinfo)
++        /* error is already populated */
++        return FALSE;
+ 
+     args[3] = g_strdup_printf ("%"G_GUINT64_FORMAT"K", size/1024);
+-    args[4] = g_strdup_printf ("%s/%s", vg_name, lv_name);
++
++    if (lvinfo->attr[4] != 'a') {
++        /* starting with 2.03.19 we need to add extra option to allow resizing of inactive LVs */
++        success = bd_utils_check_util_version (deps[DEPS_LVM].name, LVM_VERSION_FSRESIZE,
++                                               deps[DEPS_LVM].ver_arg, deps[DEPS_LVM].ver_regexp, &l_error);
++        if (success) {
++            args[next_arg++] = "--fs";
++            args[next_arg++] = "ignore";
++        } else
++            g_clear_error (&l_error);
++    }
++
++    bd_lvm_lvdata_free (lvinfo);
++
++    lvspec = g_strdup_printf ("%s/%s", vg_name, lv_name);
++    args[next_arg++] = lvspec;
+ 
+     success = call_lvm_and_report_error (args, extra, TRUE, error);
+     g_free ((gchar *) args[3]);
+-    g_free ((gchar *) args[4]);
+ 
+     return success;
+ }
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index 61c898c1..fc12b55d 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -944,6 +944,10 @@ class LvmTestLVresize(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
+         self.assertTrue(succ)
+ 
++        # try to resize when deactivated
++        succ = BlockDev.lvm_lvresize("testVG", "testLV", 768 * 1024**2, None)
++        self.assertTrue(succ)
++
+ @unittest.skipUnless(lvm_dbus_running, "LVM DBus not running")
+ class LvmTestLVrename(LvmPVVGLVTestCase):
+     def test_lvrename(self):
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index 36ff10ec..7ede4b59 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -877,6 +877,10 @@ class LvmTestLVresize(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
+         self.assertTrue(succ)
+ 
++        # try to resize when deactivated
++        succ = BlockDev.lvm_lvresize("testVG", "testLV", 768 * 1024**2, None)
++        self.assertTrue(succ)
++
+ class LvmTestLVrename(LvmPVVGLVTestCase):
+     def test_lvrename(self):
+         """Verify that it's possible to rename an LV"""
+-- 
+2.39.2
+

SOURCES/0007-tests-Fix-test_swapon_pagesize-on-systems-with-64k-p.patch

@@ -0,0 +1,41 @@
+From 2c59bc22d30ebfc16d5d06b1f31c4d7bbede68e9 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 31 Oct 2022 12:43:17 +0100
+Subject: [PATCH] tests: Fix test_swapon_pagesize on systems with 64k pages
+
+---
+ tests/swap_test.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/tests/swap_test.py b/tests/swap_test.py
+index 0a0f333d..e350f8e8 100644
+--- a/tests/swap_test.py
++++ b/tests/swap_test.py
+@@ -1,5 +1,6 @@
+ import unittest
+ import os
++import resource
+ import overrides_hack
+ 
+ from utils import create_sparse_tempfile, create_lio_device, delete_lio_device, fake_utils, fake_path, run_command, run, TestTags, tag_test
+@@ -102,8 +103,15 @@ class SwapTestCase(SwapTest):
+     def test_swapon_pagesize(self):
+         """Verify that activating swap with different pagesize fails"""
+ 
+-        # create swap with 64k pagesize
+-        ret, out, err = run_command("mkswap --pagesize 65536 %s" % self.loop_dev)
++        # pick some wrong page size: 8k on 64k and 64k everywhere else
++        pagesize = resource.getpagesize()
++        if pagesize == 65536:
++            wrong_pagesize = 8192
++        else:
++            wrong_pagesize = 65536
++
++        # create swap with "wrong" pagesize
++        ret, out, err = run_command("mkswap --pagesize %s %s" % (wrong_pagesize, self.loop_dev))
+         if ret != 0:
+             self.fail("Failed to prepare swap for pagesize test: %s %s" % (out, err))
+ 
+-- 
+2.39.2
+

SOURCES/0008-part-Fix-segfault-when-adding-a-partition-too-big-fo.patch

@@ -0,0 +1,32 @@
+From 9c96e621e9abb0649118d2e1731a09b1fa139579 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 19 Apr 2023 09:50:38 +0200
+Subject: [PATCH] part: Fix segfault when adding a partition too big for MSDOS
+
+Resolves: rhbz#2185564
+---
+ src/plugins/part.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/plugins/part.c b/src/plugins/part.c
+index 8b2285f5..28e20c28 100644
+--- a/src/plugins/part.c
++++ b/src/plugins/part.c
+@@ -841,6 +841,14 @@ static gboolean resize_part (PedPartition *part, PedDevice *dev, PedDisk *disk,
+         constr = ped_constraint_any (dev);
+ 
+     geom = ped_disk_get_max_partition_geometry (disk, part, constr);
++    if (!geom) {
++        set_parted_error (error, BD_PART_ERROR_FAIL);
++        g_prefix_error (error, "Failed to create geometry for partition on device '%s'", dev->path);
++        ped_constraint_destroy (constr);
++        finish_alignment_constraint (disk, orig_flag_state);
++        return FALSE;
++    }
++
+     if (!ped_geometry_set_start (geom, start)) {
+         set_parted_error (error, BD_PART_ERROR_FAIL);
+         g_prefix_error (error, "Failed to set partition start on device '%s'", dev->path);
+-- 
+2.40.1
+

SOURCES/0009-Fix-issues-in-tests-when-running-in-FIPS-mode.patch

@@ -0,0 +1,70 @@
+From bc8c4fa2b3ba76647de9742c28bae751757dc2dd Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 18 May 2023 14:45:42 +0200
+Subject: [PATCH 1/2] tests: Use longer passphrase for LUKS in dm_test
+
+The short passphrase doesn't work when running in FIPS mode.
+---
+ tests/dm_test.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/dm_test.py b/tests/dm_test.py
+index 936e3055..3b491d89 100644
+--- a/tests/dm_test.py
++++ b/tests/dm_test.py
+@@ -59,8 +59,8 @@ class DevMapperGetSubsystemFromName(DevMapperTestCase):
+     def test_get_subsystem_from_name_crypt(self):
+         """Verify that it is possible to get luks device subsystem from its name"""
+         self.addCleanup(self._destroy_crypt)
+-        run("echo \"key\" | cryptsetup luksFormat %s -" %self.loop_dev)
+-        run("echo \"key\" | cryptsetup open %s libbd_dm_tests-subsystem_crypt --key-file=-" %self.loop_dev)
++        run("echo \"supersecretkey\" | cryptsetup luksFormat %s -" %self.loop_dev)
++        run("echo \"supersecretkey\" | cryptsetup open %s libbd_dm_tests-subsystem_crypt --key-file=-" %self.loop_dev)
+         subsystem = BlockDev.dm_get_subsystem_from_name("libbd_dm_tests-subsystem_crypt")
+         self.assertEqual(subsystem, "CRYPT")
+ 
+-- 
+2.40.1
+
+
+From b1f6d1484a980885b9870d27d2b113c98400851b Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 18 May 2023 14:56:32 +0200
+Subject: [PATCH 2/2] tests: Skip crypto tests with argon2 in FIPS mode
+
+argon is not available when running in FIPS mode.
+---
+ tests/crypto_test.py | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 94b89131..91ea1f35 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -175,6 +175,23 @@ class CryptoTestFormat(CryptoTestCase):
+             self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
+         self.assertEqual(m.group(1), "pbkdf2")
+ 
++    def _is_fips_enabled(self):
++        if not os.path.exists("/proc/sys/crypto/fips_enabled"):
++            # if the file doesn't exist, we are definitely not in FIPS mode
++            return False
++
++        with open("/proc/sys/crypto/fips_enabled", "r") as f:
++            enabled = f.read()
++        return enabled.strip() == "1"
++
++    @tag_test(TestTags.SLOW, TestTags.CORE)
++    @unittest.skipUnless(HAVE_LUKS2, "LUKS 2 not supported")
++    def test_luks2_format_pbkdf_options(self):
++        """Verify that formatting device as LUKS 2 works"""
++
++        if self._is_fips_enabled():
++            self.skipTest("FIPS mode is enabled, cannot use argon2, skipping")
++
+         # different options for argon2 -- all parameters set
+         pbkdf = BlockDev.CryptoLUKSPBKDF(type="argon2id", max_memory_kb=100*1024, iterations=10, parallel_threads=1)
+         extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
+-- 
+2.40.1
+

SOURCES/0010-lvm-Add-a-function-to-activate-LVs-in-shared-mode.patch

@@ -0,0 +1,300 @@
+From 6bdbafc79e5bcdf2087148c6caa88a6c50c1e94a Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 24 Apr 2023 11:57:18 +0200
+Subject: [PATCH] lvm: Add a function to activate LVs in shared mode
+
+Needed by the new blivet feature to support shared LVM setups.
+---
+ src/lib/plugin_apis/lvm.api         | 16 +++++++++
+ src/plugins/lvm-dbus.c              | 51 ++++++++++++++++++++-------
+ src/plugins/lvm.c                   | 53 ++++++++++++++++++++++-------
+ src/plugins/lvm.h                   |  1 +
+ src/python/gi/overrides/BlockDev.py |  5 ++-
+ tests/lvm_dbus_tests.py             | 18 +++++++---
+ tests/lvm_test.py                   | 18 +++++++---
+ 7 files changed, 124 insertions(+), 38 deletions(-)
+
+diff --git a/src/lib/plugin_apis/lvm.api b/src/lib/plugin_apis/lvm.api
+index b8cde70b..640eee49 100644
+--- a/src/lib/plugin_apis/lvm.api
++++ b/src/lib/plugin_apis/lvm.api
+@@ -1057,6 +1057,22 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+  */
+ gboolean bd_lvm_lvactivate (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, const BDExtraArg **extra, GError **error);
+ 
++/**
++ * bd_lvm_lvactivate_shared:
++ * @vg_name: name of the VG containing the to-be-activated LV
++ * @lv_name: name of the to-be-activated LV
++ * @ignore_skip: whether to ignore the skip flag or not
++ * @shared: whether to activate the LV in shared mode
++ * @extra: (allow-none) (array zero-terminated=1): extra options for the LV activation
++ *                                                 (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the @vg_name/@lv_name LV was successfully activated or not
++ *
++ * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_lvactivate_shared (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, gboolean shared, const BDExtraArg **extra, GError **error);
++
+ /**
+  * bd_lvm_lvdeactivate:
+  * @vg_name: name of the VG containing the to-be-deactivated LV
+diff --git a/src/plugins/lvm-dbus.c b/src/plugins/lvm-dbus.c
+index 28f3bb25..46e09833 100644
+--- a/src/plugins/lvm-dbus.c
++++ b/src/plugins/lvm-dbus.c
+@@ -2163,6 +2163,27 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+     return (*error == NULL);
+ }
+ 
++static gboolean _lvm_lvactivate (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, gboolean shared, const BDExtraArg **extra, GError **error) {
++    GVariant *params = NULL;
++    GVariantBuilder builder;
++    GVariant *extra_params = NULL;
++
++    if (shared)
++        params = g_variant_new ("(t)", (guint64) 1 << 6);
++    else
++        params = g_variant_new ("(t)", (guint64) 0);
++
++    if (ignore_skip) {
++        g_variant_builder_init (&builder, G_VARIANT_TYPE_DICTIONARY);
++        g_variant_builder_add (&builder, "{sv}", "-K", g_variant_new ("s", ""));
++        extra_params = g_variant_builder_end (&builder);
++        g_variant_builder_clear (&builder);
++    }
++    call_lv_method_sync (vg_name, lv_name, "Activate", params, extra_params, extra, TRUE, error);
++
++    return (*error == NULL);
++}
++
+ /**
+  * bd_lvm_lvactivate:
+  * @vg_name: name of the VG containing the to-be-activated LV
+@@ -2177,19 +2198,25 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+  * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
+  */
+ gboolean bd_lvm_lvactivate (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, const BDExtraArg **extra, GError **error) {
+-    GVariant *params = g_variant_new ("(t)", (guint64) 0);
+-    GVariantBuilder builder;
+-    GVariant *extra_params = NULL;
+-
+-    if (ignore_skip) {
+-        g_variant_builder_init (&builder, G_VARIANT_TYPE_DICTIONARY);
+-        g_variant_builder_add (&builder, "{sv}", "-K", g_variant_new ("s", ""));
+-        extra_params = g_variant_builder_end (&builder);
+-        g_variant_builder_clear (&builder);
+-    }
+-    call_lv_method_sync (vg_name, lv_name, "Activate", params, extra_params, extra, TRUE, error);
++    return _lvm_lvactivate (vg_name, lv_name, ignore_skip, FALSE, extra, error);
++}
+ 
+-    return (*error == NULL);
++/**
++ * bd_lvm_lvactivate_shared:
++ * @vg_name: name of the VG containing the to-be-activated LV
++ * @lv_name: name of the to-be-activated LV
++ * @ignore_skip: whether to ignore the skip flag or not
++ * @shared: whether to activate the LV in shared mode
++ * @extra: (allow-none) (array zero-terminated=1): extra options for the LV activation
++ *                                                 (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the @vg_name/@lv_name LV was successfully activated or not
++ *
++ * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_lvactivate_shared (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, gboolean shared, const BDExtraArg **extra, GError **error) {
++    return _lvm_lvactivate (vg_name, lv_name, ignore_skip, shared, extra, error);
+ }
+ 
+ /**
+diff --git a/src/plugins/lvm.c b/src/plugins/lvm.c
+index f1e2941b..0db3bf4a 100644
+--- a/src/plugins/lvm.c
++++ b/src/plugins/lvm.c
+@@ -1644,6 +1644,28 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+     return success;
+ }
+ 
++static gboolean _lvm_lvactivate (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, gboolean shared, const BDExtraArg **extra, GError **error) {
++    const gchar *args[5] = {"lvchange", NULL, NULL, NULL, NULL};
++    guint8 next_arg = 2;
++    gboolean success = FALSE;
++
++    if (shared)
++        args[1] = "-asy";
++    else
++        args[1] = "-ay";
++
++    if (ignore_skip) {
++        args[next_arg] = "-K";
++        next_arg++;
++    }
++    args[next_arg] = g_strdup_printf ("%s/%s", vg_name, lv_name);
++
++    success = call_lvm_and_report_error (args, extra, TRUE, error);
++    g_free ((gchar *) args[next_arg]);
++
++    return success;
++}
++
+ /**
+  * bd_lvm_lvactivate:
+  * @vg_name: name of the VG containing the to-be-activated LV
+@@ -1658,20 +1680,25 @@ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 si
+  * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
+  */
+ gboolean bd_lvm_lvactivate (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, const BDExtraArg **extra, GError **error) {
+-    const gchar *args[5] = {"lvchange", "-ay", NULL, NULL, NULL};
+-    guint8 next_arg = 2;
+-    gboolean success = FALSE;
+-
+-    if (ignore_skip) {
+-        args[next_arg] = "-K";
+-        next_arg++;
+-    }
+-    args[next_arg] = g_strdup_printf ("%s/%s", vg_name, lv_name);
+-
+-    success = call_lvm_and_report_error (args, extra, TRUE, error);
+-    g_free ((gchar *) args[next_arg]);
++    return _lvm_lvactivate (vg_name, lv_name, ignore_skip, FALSE, extra, error);
++}
+ 
+-    return success;
++/**
++ * bd_lvm_lvactivate_shared:
++ * @vg_name: name of the VG containing the to-be-activated LV
++ * @lv_name: name of the to-be-activated LV
++ * @ignore_skip: whether to ignore the skip flag or not
++ * @shared: whether to activate the LV in shared mode
++ * @extra: (allow-none) (array zero-terminated=1): extra options for the LV activation
++ *                                                 (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the @vg_name/@lv_name LV was successfully activated or not
++ *
++ * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_lvactivate_shared (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, gboolean shared, const BDExtraArg **extra, GError **error) {
++    return _lvm_lvactivate (vg_name, lv_name, ignore_skip, shared, extra, error);
+ }
+ 
+ /**
+diff --git a/src/plugins/lvm.h b/src/plugins/lvm.h
+index fabf091f..c85c043d 100644
+--- a/src/plugins/lvm.h
++++ b/src/plugins/lvm.h
+@@ -277,6 +277,7 @@ gboolean bd_lvm_lvremove (const gchar *vg_name, const gchar *lv_name, gboolean f
+ gboolean bd_lvm_lvrename (const gchar *vg_name, const gchar *lv_name, const gchar *new_name, const BDExtraArg **extra, GError **error);
+ gboolean bd_lvm_lvresize (const gchar *vg_name, const gchar *lv_name, guint64 size, const BDExtraArg **extra, GError **error);
+ gboolean bd_lvm_lvactivate (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, const BDExtraArg **extra, GError **error);
++gboolean bd_lvm_lvactivate_shared (const gchar *vg_name, const gchar *lv_name, gboolean ignore_skip, gboolean shared, const BDExtraArg **extra, GError **error);
+ gboolean bd_lvm_lvdeactivate (const gchar *vg_name, const gchar *lv_name, const BDExtraArg **extra, GError **error);
+ gboolean bd_lvm_lvsnapshotcreate (const gchar *vg_name, const gchar *origin_name, const gchar *snapshot_name, guint64 size, const BDExtraArg **extra, GError **error);
+ gboolean bd_lvm_lvsnapshotmerge (const gchar *vg_name, const gchar *snapshot_name, const BDExtraArg **extra, GError **error);
+diff --git a/src/python/gi/overrides/BlockDev.py b/src/python/gi/overrides/BlockDev.py
+index 795e0de4..3e074260 100644
+--- a/src/python/gi/overrides/BlockDev.py
++++ b/src/python/gi/overrides/BlockDev.py
+@@ -605,11 +605,10 @@ def lvm_lvresize(vg_name, lv_name, size, extra=None, **kwargs):
+     return _lvm_lvresize(vg_name, lv_name, size, extra)
+ __all__.append("lvm_lvresize")
+ 
+-_lvm_lvactivate = BlockDev.lvm_lvactivate
+ @override(BlockDev.lvm_lvactivate)
+-def lvm_lvactivate(vg_name, lv_name, ignore_skip=False, extra=None, **kwargs):
++def lvm_lvactivate(vg_name, lv_name, ignore_skip=False, shared=False, extra=None, **kwargs):
+     extra = _get_extra(extra, kwargs)
+-    return _lvm_lvactivate(vg_name, lv_name, ignore_skip, extra)
++    return BlockDev.lvm_lvactivate_shared(vg_name, lv_name, ignore_skip, shared, extra)
+ __all__.append("lvm_lvactivate")
+ 
+ _lvm_lvdeactivate = BlockDev.lvm_lvdeactivate
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index fc12b55d..a821636e 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -873,15 +873,15 @@ class LvmTestLVactivateDeactivate(LvmPVVGLVTestCase):
+         self.assertTrue(succ)
+ 
+         with self.assertRaises(GLib.GError):
+-            BlockDev.lvm_lvactivate("nonexistingVG", "testLV", True, None)
++            BlockDev.lvm_lvactivate("nonexistingVG", "testLV", True)
+ 
+         with self.assertRaises(GLib.GError):
+-            BlockDev.lvm_lvactivate("testVG", "nonexistingLV", True, None)
++            BlockDev.lvm_lvactivate("testVG", "nonexistingLV", True)
+ 
+         with self.assertRaises(GLib.GError):
+-            BlockDev.lvm_lvactivate("nonexistingVG", "nonexistingLV", True, None)
++            BlockDev.lvm_lvactivate("nonexistingVG", "nonexistingLV", True)
+ 
+-        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True, None)
++        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True)
+         self.assertTrue(succ)
+ 
+         with self.assertRaises(GLib.GError):
+@@ -896,7 +896,15 @@ class LvmTestLVactivateDeactivate(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
+         self.assertTrue(succ)
+ 
+-        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True, None)
++        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True)
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
++        self.assertTrue(succ)
++
++        # try activating in shared mode, unfortunately no way to check whether it really
++        # works or not
++        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True, True)
+         self.assertTrue(succ)
+ 
+         succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index 7ede4b59..63f43afb 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -807,15 +807,15 @@ class LvmTestLVactivateDeactivate(LvmPVVGLVTestCase):
+         self.assertTrue(succ)
+ 
+         with self.assertRaises(GLib.GError):
+-            BlockDev.lvm_lvactivate("nonexistingVG", "testLV", True, None)
++            BlockDev.lvm_lvactivate("nonexistingVG", "testLV", True)
+ 
+         with self.assertRaises(GLib.GError):
+-            BlockDev.lvm_lvactivate("testVG", "nonexistingLV", True, None)
++            BlockDev.lvm_lvactivate("testVG", "nonexistingLV", True)
+ 
+         with self.assertRaises(GLib.GError):
+-            BlockDev.lvm_lvactivate("nonexistingVG", "nonexistingLV", True, None)
++            BlockDev.lvm_lvactivate("nonexistingVG", "nonexistingLV", True)
+ 
+-        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True, None)
++        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True)
+         self.assertTrue(succ)
+ 
+         with self.assertRaises(GLib.GError):
+@@ -830,7 +830,15 @@ class LvmTestLVactivateDeactivate(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
+         self.assertTrue(succ)
+ 
+-        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True, None)
++        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True)
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
++        self.assertTrue(succ)
++
++        # try activating in shared mode, unfortunately no way to check whether it really
++        # works or not
++        succ = BlockDev.lvm_lvactivate("testVG", "testLV", True, True)
+         self.assertTrue(succ)
+ 
+         succ = BlockDev.lvm_lvdeactivate("testVG", "testLV", None)
+-- 
+2.41.0
+

SOURCES/0012-lvm-Add-support-for-starting-and-stopping-VG-locking.patch

@@ -0,0 +1,299 @@
+From f72ba6aded6093d34d5e8a1666a844ec2b0ee5eb Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Tue, 18 Apr 2023 12:05:35 +0200
+Subject: [PATCH] lvm: Add support for starting and stopping VG locking
+
+---
+ docs/libblockdev-sections.txt |  2 ++
+ src/lib/plugin_apis/lvm.api   | 27 +++++++++++++++++++
+ src/plugins/lvm-dbus.c        | 49 ++++++++++++++++++++++++++++++++++-
+ src/plugins/lvm.c             | 41 +++++++++++++++++++++++++++++
+ src/plugins/lvm.h             |  3 +++
+ tests/lvm_dbus_tests.py       | 33 +++++++++++++++++++++++
+ tests/lvm_test.py             | 32 +++++++++++++++++++++++
+ 7 files changed, 186 insertions(+), 1 deletion(-)
+
+diff --git a/docs/libblockdev-sections.txt b/docs/libblockdev-sections.txt
+index 540e2b96..08ea309c 100644
+--- a/docs/libblockdev-sections.txt
++++ b/docs/libblockdev-sections.txt
+@@ -286,6 +286,8 @@ bd_lvm_vgactivate
+ bd_lvm_vgdeactivate
+ bd_lvm_vgextend
+ bd_lvm_vgreduce
++bd_lvm_vglock_start
++bd_lvm_vglock_stop
+ bd_lvm_vginfo
+ bd_lvm_vgs
+ bd_lvm_lvorigin
+diff --git a/src/lib/plugin_apis/lvm.api b/src/lib/plugin_apis/lvm.api
+index 640eee49..1343fbdb 100644
+--- a/src/lib/plugin_apis/lvm.api
++++ b/src/lib/plugin_apis/lvm.api
+@@ -603,6 +603,7 @@ typedef enum {
+     BD_LVM_TECH_GLOB_CONF,
+     BD_LVM_TECH_VDO,
+     BD_LVM_TECH_DEVICES,
++    BD_LVM_TECH_SHARED,
+ } BDLVMTech;
+ 
+ typedef enum {
+@@ -943,6 +944,32 @@ gboolean bd_lvm_vgextend (const gchar *vg_name, const gchar *device, const BDExt
+  */
+ gboolean bd_lvm_vgreduce (const gchar *vg_name, const gchar *device, const BDExtraArg **extra, GError **error);
+ 
++/**
++ * bd_lvm_vglock_start:
++ * @vg_name: a shared VG to start the lockspace in lvmlockd
++ * @extra: (nullable) (array zero-terminated=1): extra options for the vgchange command
++ *                                               (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the lock was successfully started for @vg_name or not
++ *
++ * Tech category: %BD_LVM_TECH_SHARED-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_vglock_start (const gchar *vg_name, const BDExtraArg **extra, GError **error);
++
++/**
++ * bd_lvm_vglock_stop:
++ * @vg_name: a shared VG to stop the lockspace in lvmlockd
++ * @extra: (nullable) (array zero-terminated=1): extra options for the vgchange command
++ *                                               (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the lock was successfully stopped for @vg_name or not
++ *
++ * Tech category: %BD_LVM_TECH_SHARED-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_vglock_stop (const gchar *vg_name, const BDExtraArg **extra, GError **error);
++
+ /**
+  * bd_lvm_vginfo:
+  * @vg_name: a VG to get information about
+diff --git a/src/plugins/lvm-dbus.c b/src/plugins/lvm-dbus.c
+index 46e09833..a129d884 100644
+--- a/src/plugins/lvm-dbus.c
++++ b/src/plugins/lvm-dbus.c
+@@ -1872,10 +1872,57 @@ gboolean bd_lvm_vgreduce (const gchar *vg_name, const gchar *device, const BDExt
+     return ((*error) == NULL);
+ }
+ 
++gboolean _vglock_start_stop (const gchar *vg_name, gboolean start, const BDExtraArg **extra, GError **error) {
++    GVariantBuilder builder;
++    GVariant *params = NULL;
++
++    g_variant_builder_init (&builder, G_VARIANT_TYPE_DICTIONARY);
++    if (start)
++        g_variant_builder_add (&builder, "{sv}", "--lockstart", g_variant_new ("s", ""));
++    else
++        g_variant_builder_add (&builder, "{sv}", "--lockstop", g_variant_new ("s", ""));
++    params = g_variant_builder_end (&builder);
++    g_variant_builder_clear (&builder);
++
++    call_lvm_obj_method_sync (vg_name, VG_INTF, "Change", NULL, params, extra, TRUE, error);
++
++    return ((*error) == NULL);
++}
++
++/**
++ * bd_lvm_vglock_start:
++ * @vg_name: a shared VG to start the lockspace in lvmlockd
++ * @extra: (nullable) (array zero-terminated=1): extra options for the vgchange command
++ *                                               (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the lock was successfully started for @vg_name or not
++ *
++ * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_vglock_start (const gchar *vg_name, const BDExtraArg **extra, GError **error) {
++    return _vglock_start_stop (vg_name, TRUE, extra, error);
++}
++
++/**
++ * bd_lvm_vglock_stop:
++ * @vg_name: a shared VG to stop the lockspace in lvmlockd
++ * @extra: (nullable) (array zero-terminated=1): extra options for the vgchange command
++ *                                               (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the lock was successfully stopped for @vg_name or not
++ *
++ * Tech category: %BD_LVM_TECH_BASIC-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_vglock_stop (const gchar *vg_name, const BDExtraArg **extra, GError **error) {
++    return _vglock_start_stop (vg_name, FALSE, extra, error);
++}
++
+ /**
+  * bd_lvm_vginfo:
+  * @vg_name: a VG to get information about
+- * @error: (out): place to store error (if any)
++ * @error: (out) (optional): place to store error (if any)
+  *
+  * Returns: (transfer full): information about the @vg_name VG or %NULL in case
+  * of error (the @error) gets populated in those cases)
+diff --git a/src/plugins/lvm.c b/src/plugins/lvm.c
+index 0db3bf4a..b0a71224 100644
+--- a/src/plugins/lvm.c
++++ b/src/plugins/lvm.c
+@@ -1341,6 +1341,47 @@ gboolean bd_lvm_vgreduce (const gchar *vg_name, const gchar *device, const BDExt
+     return call_lvm_and_report_error (args, extra, TRUE, error);
+ }
+ 
++gboolean _vglock_start_stop (const gchar *vg_name, gboolean start, const BDExtraArg **extra, GError **error) {
++    const gchar *args[4] = {"vgchange", NULL, vg_name, NULL};
++
++    if (start)
++        args[1] = "--lockstart";
++    else
++        args[1] = "--lockstop";
++
++    return call_lvm_and_report_error (args, extra, TRUE, error);
++}
++
++/**
++ * bd_lvm_vglock_start:
++ * @vg_name: a shared VG to start the lockspace in lvmlockd
++ * @extra: (nullable) (array zero-terminated=1): extra options for the vgchange command
++ *                                               (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the lock was successfully started for @vg_name or not
++ *
++ * Tech category: %BD_LVM_TECH_SHARED-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_vglock_start (const gchar *vg_name, const BDExtraArg **extra, GError **error) {
++    return _vglock_start_stop (vg_name, TRUE, extra, error);
++}
++
++/**
++ * bd_lvm_vglock_stop:
++ * @vg_name: a shared VG to stop the lockspace in lvmlockd
++ * @extra: (nullable) (array zero-terminated=1): extra options for the vgchange command
++ *                                               (just passed to LVM as is)
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the lock was successfully stopped for @vg_name or not
++ *
++ * Tech category: %BD_LVM_TECH_SHARED-%BD_LVM_TECH_MODE_MODIFY
++ */
++gboolean bd_lvm_vglock_stop (const gchar *vg_name, const BDExtraArg **extra, GError **error) {
++    return _vglock_start_stop (vg_name, FALSE, extra, error);
++}
++
+ /**
+  * bd_lvm_vginfo:
+  * @vg_name: a VG to get information about
+diff --git a/src/plugins/lvm.h b/src/plugins/lvm.h
+index c85c043d..2e47b06f 100644
+--- a/src/plugins/lvm.h
++++ b/src/plugins/lvm.h
+@@ -218,6 +218,7 @@ typedef enum {
+     BD_LVM_TECH_GLOB_CONF,
+     BD_LVM_TECH_VDO,
+     BD_LVM_TECH_DEVICES,
++    BD_LVM_TECH_SHARED,
+ } BDLVMTech;
+ 
+ typedef enum {
+@@ -268,6 +269,8 @@ gboolean bd_lvm_vgactivate (const gchar *vg_name, const BDExtraArg **extra, GErr
+ gboolean bd_lvm_vgdeactivate (const gchar *vg_name, const BDExtraArg **extra, GError **error);
+ gboolean bd_lvm_vgextend (const gchar *vg_name, const gchar *device, const BDExtraArg **extra, GError **error);
+ gboolean bd_lvm_vgreduce (const gchar *vg_name, const gchar *device, const BDExtraArg **extra, GError **error);
++gboolean bd_lvm_vglock_start (const gchar *vg_name, const BDExtraArg **extra, GError **error);
++gboolean bd_lvm_vglock_stop (const gchar *vg_name, const BDExtraArg **extra, GError **error);
+ BDLVMVGdata* bd_lvm_vginfo (const gchar *vg_name, GError **error);
+ BDLVMVGdata** bd_lvm_vgs (GError **error);
+ 
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index a821636e..bc8b3052 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -655,6 +655,39 @@ class LvmTestVGs(LvmPVVGTestCase):
+         succ = BlockDev.lvm_pvremove(self.loop_dev, None)
+         self.assertTrue(succ)
+ 
++@unittest.skipUnless(lvm_dbus_running, "LVM DBus not running")
++class LvmTestVGLocking(LvmPVVGTestCase):
++    @tag_test(TestTags.UNSAFE)
++    def test_vglock_stop_start(self):
++        """Verify that it is possible to start and stop locking on a VG"""
++
++        # better not do anything if lvmlockd is running, shared VGs have
++        # a tendency to wreak havoc on your system if you look at them wrong
++        ret, _out, _err = run_command("systemctl is-active lvmlockd")
++        if ret == 0:
++            self.skipTest("lvmlockd is running, skipping")
++
++        _ret, out, _err = run_command("lvm config 'global/use_lvmlockd'")
++        if "use_lvmlockd=0" not in out:
++            self.skipTest("lvmlockd is enabled, skipping")
++
++        succ = BlockDev.lvm_pvcreate(self.loop_dev, 0, 0, None)
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_pvcreate(self.loop_dev2, 0, 0, None)
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_vgcreate("testVG", [self.loop_dev, self.loop_dev2], 0, None)
++        self.assertTrue(succ)
++
++        # this actually doesn't "test" anything, the commands will just say lvmlockd is not
++        # running and return 0, but that's good enough for us
++        succ = BlockDev.lvm_vglock_start("testVG")
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_vglock_stop("testVG")
++        self.assertTrue(succ)
++
+ @unittest.skipUnless(lvm_dbus_running, "LVM DBus not running")
+ class LvmPVVGLVTestCase(LvmPVVGTestCase):
+     def _clean_up(self):
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index 63f43afb..d517001b 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -632,6 +632,38 @@ class LvmTestVGs(LvmPVVGTestCase):
+         succ = BlockDev.lvm_pvremove(self.loop_dev, None)
+         self.assertTrue(succ)
+ 
++class LvmTestVGLocking(LvmPVVGTestCase):
++    @tag_test(TestTags.UNSAFE)
++    def test_vglock_stop_start(self):
++        """Verify that it is possible to start and stop locking on a VG"""
++
++        # better not do anything if lvmlockd is running, shared VGs have
++        # a tendency to wreak havoc on your system if you look at them wrong
++        ret, _out, _err = run_command("systemctl is-active lvmlockd")
++        if ret == 0:
++            self.skipTest("lvmlockd is running, skipping")
++
++        _ret, out, _err = run_command("lvm config 'global/use_lvmlockd'")
++        if "use_lvmlockd=0" not in out:
++            self.skipTest("lvmlockd is enabled, skipping")
++
++        succ = BlockDev.lvm_pvcreate(self.loop_dev, 0, 0, None)
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_pvcreate(self.loop_dev2, 0, 0, None)
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_vgcreate("testVG", [self.loop_dev, self.loop_dev2], 0, None)
++        self.assertTrue(succ)
++
++        # this actually doesn't "test" anything, the commands will just say lvmlockd is not
++        # running and return 0, but that's good enough for us
++        succ = BlockDev.lvm_vglock_start("testVG")
++        self.assertTrue(succ)
++
++        succ = BlockDev.lvm_vglock_stop("testVG")
++        self.assertTrue(succ)
++
+ class LvmPVVGLVTestCase(LvmPVVGTestCase):
+     def _clean_up(self):
+         try:
+-- 
+2.41.0
+

SOURCES/libblockdev-gcc11.patch

@@ -0,0 +1,15 @@
+diff --git a/src/plugins/kbd.c b/src/plugins/kbd.c
+index a2908ec..97abd3b 100644
+--- a/src/plugins/kbd.c
++++ b/src/plugins/kbd.c
+@@ -732,6 +732,10 @@ static gboolean wait_for_file (const char *filename) {
+  *
+  * Tech category: %BD_KBD_TECH_BCACHE-%BD_KBD_TECH_MODE_CREATE
+  */
++/* This triggers a known false positive warning in gcc-11.  It's being
++   addressed upstream, but until the fix is available, this works around
++   the false positive.  */
++__attribute__ ((optimize ("-O1")))
+ gboolean bd_kbd_bcache_create (const gchar *backing_device, const gchar *cache_device, const BDExtraArg **extra, const gchar **bcache_device, GError **error) {
+     const gchar *argv[6] = {"make-bcache", "-B", backing_device, "-C", cache_device, NULL};
+     gboolean success = FALSE;

SPECS/libblockdev.spec

@@ -15,11 +15,12 @@
 %define with_part 1
 %define with_fs 1
 %define with_nvdimm 1
-%define with_vdo 1
+%define with_vdo 0
 %define with_gi 1
 %define with_escrow 1
-%define with_dmraid 0
+%define with_dmraid 1
 %define with_tools 1
+%define with_nvme 1
 
 # python2 is not available on RHEL > 7 and not needed on Fedora > 29
 %if 0%{?rhel} > 7 || 0%{?fedora} > 29 || %{with_python2} == 0
@@ -47,7 +48,7 @@
 
 # vdo is not available on non-x86_64 on older RHEL
 %if (0%{?rhel} && 0%{?rhel} <= 7)
-%ifnarch x86_64 aarch64 s390x ppc64le
+%ifnarch x86_64
 %define with_vdo 0
 %define vdo_copts --without-vdo
 %endif
@@ -120,17 +121,32 @@
 %if %{with_gi} != 1
 %define gi_copts --disable-introspection
 %endif
+%if %{with_nvme} != 1
+%define nvme_copts --without-nvme
+%endif
 
-%define configure_opts %{?python2_copts} %{?python3_copts} %{?bcache_copts} %{?lvm_dbus_copts} %{?btrfs_copts} %{?crypto_copts} %{?dm_copts} %{?loop_copts} %{?lvm_copts} %{?lvm_dbus_copts} %{?mdraid_copts} %{?mpath_copts} %{?swap_copts} %{?kbd_copts} %{?part_copts} %{?fs_copts} %{?nvdimm_copts} %{?vdo_copts} %{?tools_copts} %{?gi_copts}
+%define configure_opts %{?python2_copts} %{?python3_copts} %{?bcache_copts} %{?lvm_dbus_copts} %{?btrfs_copts} %{?crypto_copts} %{?dm_copts} %{?loop_copts} %{?lvm_copts} %{?lvm_dbus_copts} %{?mdraid_copts} %{?mpath_copts} %{?swap_copts} %{?kbd_copts} %{?part_copts} %{?fs_copts} %{?nvdimm_copts} %{?nvme_copts} %{?vdo_copts} %{?tools_copts} %{?gi_copts}
 
 Name:        libblockdev
 Version:     2.28
-Release:     2%{?dist}
+Release:     10%{?dist}
 Summary:     A library for low-level manipulation with block devices
 License:     LGPLv2+
 URL:         https://github.com/storaged-project/libblockdev
 Source0:     https://github.com/storaged-project/libblockdev/releases/download/%{version}-%{release}/%{name}-%{version}.tar.gz
-Patch0:      0001-crypto-Fix-GError-overwrite-from-libvolume_key.patch
+Patch0:      libblockdev-gcc11.patch
+Patch1:      0001-lvm-devices-file-support.patch
+Patch2:      0002-Add-support-for-creating-and-activating-integrity-de.patch
+Patch3:      0003-NVMe-plugin-backport.patch
+Patch4:      0004-Fix-double-free-in-write_escrow_data_file.patch
+Patch5:      0005-nvme-Fix-namespace-identifiers.patch
+Patch6:      0006-Allow-resizing-of-inactive-LVs-with-latest-LVM.patch
+Patch7:      0007-tests-Fix-test_swapon_pagesize-on-systems-with-64k-p.patch
+Patch8:      0008-part-Fix-segfault-when-adding-a-partition-too-big-fo.patch
+Patch9:      0009-Fix-issues-in-tests-when-running-in-FIPS-mode.patch
+Patch10:     0010-lvm-Add-a-function-to-activate-LVs-in-shared-mode.patch
+Patch11:     0011-nvme_libblockdev-3.0.4_backport.patch
+Patch12:     0012-lvm-Add-support-for-starting-and-stopping-VG-locking.patch
 
 BuildRequires: make
 BuildRequires: glib2-devel
@@ -502,6 +518,29 @@ with the libblockdev-nvdimm plugin/library.
 %endif
 
 
+%if %{with_nvme}
+%package nvme
+BuildRequires: libnvme-devel
+BuildRequires: libuuid-devel
+Summary:     The NVMe plugin for the libblockdev library
+Requires: %{name}-utils%{?_isa} = %{version}-%{release}
+
+%description nvme
+The libblockdev library plugin (and in the same time a standalone library)
+providing the functionality related to operations with NVMe devices.
+
+%package nvme-devel
+Summary:     Development files for the libblockdev-nvme plugin/library
+Requires: %{name}-nvme%{?_isa} = %{version}-%{release}
+Requires: %{name}-utils-devel%{?_isa} = %{version}-%{release}
+Requires: glib2-devel
+
+%description nvme-devel
+This package contains header files and pkg-config files needed for development
+with the libblockdev-nvme plugin/library.
+%endif
+
+
 %if %{with_part}
 %package part
 BuildRequires: parted-devel
@@ -662,6 +701,10 @@ Requires: %{name}-mpath%{?_isa} = %{version}-%{release}
 Requires: %{name}-nvdimm%{?_isa} = %{version}-%{release}
 %endif
 
+%if %{with_nvme}
+Requires: %{name}-nvme%{?_isa} = %{version}-%{release}
+%endif
+
 %if %{with_part}
 Requires: %{name}-part%{?_isa} = %{version}-%{release}
 %endif
@@ -683,8 +726,7 @@ A meta-package that pulls all the libblockdev plugins as dependencies.
 
 
 %prep
-%setup -q -n %{name}-%{version}
-%patch0 -p1
+%autosetup -n %{name}-%{version} -p1
 
 %build
 autoreconf -ivf
@@ -739,6 +781,10 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 %ldconfig_scriptlets nvdimm
 %endif
 
+%if %{with_nvme}
+%ldconfig_scriptlets nvme
+%endif
+
 %if %{with_part}
 %ldconfig_scriptlets part
 %endif
@@ -938,6 +984,17 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 %endif
 
 
+%if %{with_nvme}
+%files nvme
+%{_libdir}/libbd_nvme.so.*
+
+%files nvme-devel
+%{_libdir}/libbd_nvme.so
+%dir %{_includedir}/blockdev
+%{_includedir}/blockdev/nvme.h
+%endif
+
+
 %if %{with_part}
 %files part
 %{_libdir}/libbd_part.so.*
@@ -988,105 +1045,344 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 %files plugins-all
 
 %changelog
-* Wed Nov 30 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.28-2
+* Wed Nov 08 2023 Vojtech Trefny <vtrefny@redhat.com> - 2.28-10
+- lvm: Add support for starting and stopping VG locking
+  Resolves: RHEL-15921
+
+* Wed Nov 01 2023 Tomas Bzatek <tbzatek@redhat.com> - 2.28-9
+- nvme: HostID fixes for TP4126
+  Resolves: RHEL-1375
+- nvme: Stack smashing fixes
+  Resolves: RHEL-13127
+  Resolves: RHEL-8037
+
+* Tue Oct 17 2023 Vojtech Trefny <vtrefny@redhat.com> - 2.28-8
+- lvm: Add a function to activate LVs in shared mode
+  Resolves: RHEL-14018
+
+* Wed May 24 2023 Vojtech Trefny <vtrefny@redhat.com> - 2.28-7
+- Fix issues in tests when running in FIPS mode
+  Resolves: rhbz#2188749
+  Resolves: rhbz#2188603
+
+* Tue May 16 2023 Vojtech Trefny <vtrefny@redhat.com> - 2.28-6
+- Fix segfault when adding a partition too big for MSDOS
+  Resolves: rhbz#2185564
+
+* Mon Apr 03 2023 Vojtech Trefny <vtrefny@redhat.com> - 2.28-5
+- Allow resizing of inactive LVs with latest LVM
+  Resolves: rhbz#2161181
+- Fix test_swapon_pagesize on systems with 64k pages
+  Resolves: rhbz#2168220
+
+* Thu Jan 05 2023 Vojtech Trefny <vtrefny@redhat.com> - 2.28-4
+- nvme: Fix namespace identifiers
+  Resolves: rhbz#2151535
+- nvme: Avoid sending NVME_IDENTIFY_CNS_NS_DESC_LIST on older devices
+  Related: rhbz#2151535
+
+* Mon Nov 28 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.28-3
 - Fix double free in write_escrow_data_file
-  Resolves: rhbz#2142660
+  Resolves: rhbz#2143226
+
+* Thu Sep 22 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.28-2
+- NVMe plugin backport
+  Resolves: rhbz#2123338
 
 * Wed Sep 14 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.28-1
 - Rebase to the latest upstream release 2.28
-  Resolves: rhbz#2123347
+  Resolves: rhbz#2123346
+- Add dependency on device-mapper-multipath to libblockdev-mpath
+  Resolves: rhbz#2121072
+- Fix spec issues found by rpminspect
+  Resolves: rhbz#2116544
 
-* Mon Aug 08 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.24-11
-- mdraid: Fix use after free
-  Related: rhbz#2078815
-
-* Mon Aug 08 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.24-10
+* Mon Aug 08 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.25-14
+- tests: Fix expected extended partition flags with new parted
+  Related: rhbz#2109026
 - mdraid: Fix copy-paste error when checking return value
-  Related: rhbz#2078815
+  Related: rhbz#2109026
 
-* Fri Aug 05 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.24-9
+* Mon Aug 08 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.25-13
 - Fix getting UUID for DDF containers
-  Resolves: rhbz#2078815
+  Resolves: rhbz#2109026
 
-* Tue Dec 07 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.24-8
-- Fix vdo stats calculation
-  Resolves: rhbz#2023883
+* Wed May 11 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.25-12
+- tests: Lower expected free space on newly created Ext filesystems
+  Resolves: rhbz#2065943
 
-* Wed Jun 30 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.24-7
+* Mon Jan 10 2022 Vojtech Trefny <vtrefny@redhat.com> - 2.25-11
+- tests: Wait for raid and mirrored LVs to be synced before removing
+  Resolves: rhbz#2030647
+- spec: Require the same version of utils for lvm-devel and lvm-dbus-devel
+  Resolves: rhbz#2028113
+
+* Wed Dec 08 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.25-10
+- Fix reading statistics for VDO pools with VDO 8
+  Resolves: rhbz#1994220
+- vdo_stats: Default to 100 % savings for invalid savings values
+  Resolves: rhbz#2025880
+- Add support for creating and unlocking standalone integrity devices
+  Resolves: rhbz#2011365
+
+* Tue Nov 30 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.25-9
+- Fix patch for 'Add support LVM devices file management'
+  Resolves: rhbz#1983705
+
+* Tue Nov 30 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.25-8
+- Add support LVM devices file management
+  Resolves: rhbz#1983705
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.25-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Tue Jun 29 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.25-6
 - Add workarounds for some LVM test issues
-  Resolves: rhbz#1974352
+  Resolves: rhbz#1976174
+- Adapt tests to xfsprogs 5.12 changes
+  Resolves: rhbz#1976176
 
-* Fri May 14 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.24-6
+* Tue May 18 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.25-5
+- Adapt to dosfstools 4.2 changes
+  Resolves: rhbz#1960624
+
+* Thu May 13 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.25-4
+- Memory leaks fixes backport
+  Resolves: rhbz#1938757
 - Fix default key size for non XTS ciphers
-  Resolves: rhbz#1931847
+  Resolves: rhbz#1954005
 
-* Mon Jan 11 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.24-5
-- Fix LVM thin metadata calculation fix
-  Resolves: rhbz#1901714
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.25-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Mon Dec 14 2020 Vojtech Trefny <vtrefny@redhat.com> - 2.24-4
-- LVM thin metadata calculation fix
-  Resolves: rhbz#1901714
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.25-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Wed Nov 18 2020 Vojtech Trefny <vtrefny@redhat.com> - 2.24-3
-- exec: Polling fixes
-  Resolves: rhbz#1884689
+* Mon Jan 11 2021 Vojtech Trefny <vtrefny@redhat.com> - 2.25-1
+- loop: Retry LOOP_SET_STATUS64 on EAGAIN (vtrefny)
+- Fix max size limit for LVM thinpool metadata (vtrefny)
+- lvm: Use the UNUSED macro instead of __attribute__((unused)) (vtrefny)
+- lvm: Do not use thin_metadata_size to recommend thin metadata size (vtrefny)
+- lvm: Set thin metadata limits to match limits LVM uses in lvcreate (vtrefny)
+- Mark all GIR file constants as guint64 (vtrefny)
+- lvm: Fix bd_lvm_vdopooldata_* symbols (tbzatek)
+- fs: Fix compile error in ext_repair caused by cherry pick from master (vtrefny)
+- README: Use CI status image for 2.x-branch on 2.x (vtrefny)
+- fs: Do not report error when errors were fixed by e2fsck (vtrefny)
+- tests: Add null-byte exec tests (tbzatek)
+- tests: Add bufferbloat exec tests (tbzatek)
+- exec: Clarify the BDUtilsProgExtract callback documentation (tbzatek)
+- exec: Use non-blocking read and process the buffer manually (tbzatek)
+- exec: Fix polling for stdout and stderr (tbzatek)
+- exec: Fix setting locale for util calls (vtrefny)
 
-* Mon Nov 09 2020 Vojtech Trefny <vtrefny@redhat.com> - 2.24-2
+* Thu Oct 01 2020 Vojtech Trefny <vtrefny@redhat.com> - 2.24-7
+- Do not build VDO plugin
+
+* Thu Sep 17 2020 Vojtech Trefny <vtrefny@redhat.com> - 2.24-6
 - exec: Fix setting locale for util calls
-  Resolves: rhbz#1880031
+
+* Thu Aug 20 2020 Vojtech Trefny <vtrefny@redhat.com> - 2.24-5
+- dm: Fix comparing DM RAID member devices UUID
+
+* Wed Aug 19 2020 Jeff Law <law@redhat.com> - 2.24-4
+- Work around gcc-11 false positive warning
+
+* Mon Jul 27 2020 Hans de Goede <hdegoede@redhat.com> - 2.24-3
+- Change -mpath subpackage Requires: device-mapper-multipath into Recommends
+- Related: rhbz#1857393
+
+* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24-2
+- Rebuilt for Python 3.9
 
 * Fri May 22 2020 Vojtech Trefny <vtrefny@redhat.com> - 2.24-1
-- Rebased to the latest upstream release 2.24
-  Resolves: rhbz#1824153
+- Mark VDO plugin as deprecated since 2.24 (vtrefny)
+- Fix multiple uninitialized values discovered by coverity (vtrefny)
+- fs: Fix potential NULL pointer dereference in mount.c (vtrefny)
+- utils: Remove deadcode in exec.c (vtrefny)
+- Do not check VDO saving percent value in LVM DBus tests (vtrefny)
+- Use libblkid to get label and UUID for XFS filesystems (vtrefny)
+- Do not open devices as read-write for read-only fs operations (vtrefny)
+- Create a common function to get label and uuid of a filesystem (vtrefny)
+- lvm: Fix getting cache stats for cache thinpools (vtrefny)
+- Do not skip LVM VDO tests when the kvdo module is already loaded (vtrefny)
+- tests: Skip LVM VDO tests if kvdo module cannot be loaded (vtrefny)
+- lvm-dbus: Add LVM VDO pools to bd_lvm_lvs (vtrefny)
+- lvm: Add a function to get VDO pool name for a VDO LV (vtrefny)
+- lvm-dbus: Get data LV name for LVM VDO pools too (vtrefny)
+- Add functions to get VDO stats for LVM VDO volumes (vtrefny)
+- Move VDO statistics code to a separate file (vtrefny)
+- Fix copy-paste bug in lvm.api (vtrefny)
+- exec: Disable encoding when reading data from stdout/stderr (vtrefny)
+- Add function to get LVM VDO write policy from a string (vtrefny)
+- Add extra parameters for creating LVM VDO volumes (vtrefny)
+- Allow calling LVM functions without locking global_config_lock (vtrefny)
+- Fix getting VDO data in the LVM DBus plugin (vtrefny)
+- Fix getting string representation of unknown VDO state index (vtrefny)
+- Add write policy and index size to LVM VDO data (vtrefny)
+- Fix converting to VDO pool without name for the VDO LV (vtrefny)
+- Add some helper functions to get LVM VDO mode and state strings (vtrefny)
+- Add support for creating and managing VDO LVs with LVM (vtrefny)
+- Fix LVM plugin so names in tests (vtrefny)
+- Do not hardcode pylint executable name in Makefile (vtrefny)
+- Add a function to check if a tool supports given feature (vtrefny)
+- configure.ac: Avoid more bashisms (gentoo)
+- mount: Fix a memleak (tbzatek)
+- exec: Fix a memleak (tbzatek)
+- vdo: Fix a memleak (tbzatek)
+- configure.ac: Avoid bashisms (polynomial-c)
+- tests: Specify loader for yaml.load in VDO tests (vtrefny)
+- lvm-dbus: Fix memory leak in bd_lvm_thlvpoolname (vtrefny)
+- lvm-dbus: Do not activate LVs during pvscan --cache (vtrefny)
+- vdo: Run "vdo create" with "--force" (vtrefny)
+- Fix typo in (un)mount error messages (vtrefny)
+- utils: Add functions to get and check current linux kernel version (tbzatek)
+- ext: Return empty string instead of "<none>" for empty UUID (vtrefny)
+- Add support for BitLocker encrypted devices using cryptsetup (vtrefny)
+- Add a helper function for closing an active crypto device (vtrefny)
+- Manually remove symlinks not removed by udev in tests (vtrefny)
+- Fix memory leak in LVM DBus plugin (vtrefny)
+- Fix expected cache pool name with newest LVM (vtrefny)
+- fs: Fix checking for UID/GID == 0 (vtrefny)
+- Fixed a number of memory leaks in lvm-dbus plugin (mthompson)
+- exec.c: Fix reading outputs with null bytes (vtrefny)
+- Fix linking against utils on Debian (vtrefny)
+- Add new function 'bd_fs_wipe_force' to control force wipe (vtrefny)
+- Use 'explicit_bzero' to erase passphrases from key files (vtrefny)
+- Sync spec with downstream (vtrefny)
 
-* Mon Dec 02 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.19-12
-- Use cryptsetup to check LUKS2 label
-  Resolves: rhbz#1778689
-- Fix expected cache pool name with newest LVM
-  Related: rhbz#1778689
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.23-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
-* Thu Jun 06 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.19-11
-- Fix checking swap status on lvm/md (vtrefny)
-  Resolves: rhbz#1649815
+* Mon Sep 09 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.23-1
+- Fix how we get process exit code from g_spawn_sync (vtrefny)
+- Skip tests for old-style LVM snapshots on recent Fedora (vtrefny)
+- Fix skipping NTFS read-only test case on systems without NTFS (vtrefny)
+- Fix LVM_MAX_LV_SIZE in the GIR file (vtrefny)
+- Print skipped test "results" to stderr instead of stdout (vtrefny)
+- Move the NTFS read-only device test to a separate test case (vtrefny)
+- Fix parsing distro version from CPE name (vtrefny)
+- Use 'kmod_module_probe_insert_module' function for loading modules (vtrefny)
+- Hide filesystem-specific is_tech_available functions (vtrefny)
+- Mark LVM global config locks as static (vtrefny)
+- Remove unused 'get_PLUGIN_num_functions' and 'get_PLUGIN_functions' functions (vtrefny)
+- Mark 'private' plugin management functions as static (vtrefny)
+- Ignore coverity deadcode warning in 'bd_fs_is_tech_avail' (vtrefny)
+- Ignore coverity deadcode warnings in the generated code (vtrefny)
+- Use the new config file for skipping tests (vtrefny)
+- Skip bcache tests if make-bcache is not installed (vtrefny)
+- Add ability to read tests to skip from a config file (vtrefny)
+- Mark 'test_set_bitmap_location' as unstable (vtrefny)
+- Force LVM cli plugin in lvm_test (vtrefny)
+- Add a special test tag for library tests that recompile plugins (vtrefny)
+- Allow running tests against installed libblockdev (vtrefny)
+- Remove duplicate test case (vtrefny)
+- Use the new test tags in tests (vtrefny)
+- Use test tags for skipping tests (vtrefny)
+- Add a decorator for "tagging" tests (vtrefny)
+- Add function for (un)freezing filesystems (vtrefny)
+- Add a function to check whether a path is a mounpoint or not (vtrefny)
+- Skip bcache tests on all Debian versions (vtrefny)
 
-* Thu May 30 2019 Tomas Bzatek <tbzatek@redhat.com> - 2.19-10
-- Memory leak fixes (tbzatek)
-  Resolves: rhbz#1714276
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22-3
+- Rebuilt for Python 3.8
 
-* Mon May 06 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.19-9
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Jun 12 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.22-1
+- tests: Fix Debian testing "version" for skipping (vtrefny)
+- module: Fix libkmod related leak (tbzatek)
+- btrfs: Fix number of memory leaks (tbzatek)
+- mdraid: Fix leaking BDMDExamineData.metadata (tbzatek)
+- mdraid: Fix leaking error (tbzatek)
+- part: Fix leaking string in args (tbzatek)
+- ext: Fix leaking string (tbzatek)
+- part: Fix leaking objects (tbzatek)
+- kbd: Fix g_match_info_fetch() leaks (tbzatek)
+- ext: Fix g_match_info_fetch() leaks (tbzatek)
+- ext: Fix g_strsplit() leaks (tbzatek)
+- s390: Fix g_strsplit() leaks (tbzatek)
+- mdraid: Fix g_strsplit() leaks (tbzatek)
+- exec: Fix some memory leaks (tbzatek)
+- lvm: Fix leaking BDLVMPVdata.vg_uuid (tbzatek)
+- lvm: Use g_ptr_array_free() for creating lists (tbzatek)
+- lvm: Fix some obvious memory leaks (tbzatek)
 - Remove device-mapper-multipath dependency from fs and part plugins (vtrefny)
-  Resolves: rhbz#1700297
+- bd_fs_xfs_get_info: Allow passing error == NULL (tbzatek)
+- tests: Fix removing targetcli lun (vtrefny)
+- Use existing cryptsetup API for changing keyslot passphrase (vtrefny)
+- New function to get supported sector sizes for NVDIMM namespaces (vtrefny)
+- Allow skiping tests only based on architecture (vtrefny)
+- Sync spec file with python2 obsoletion added downstream (awilliam)
+- Sync spec with downstream (vtrefny)
 
-* Mon Apr 08 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.19-8
-- Allow running tests against installed version of libblockdev (vtrefny)
-  Related: rhbz#1679668
+* Tue Apr 16 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.21-3
+- Remove device-mapper-multipath dependency from fs and part plugins
 
-* Mon Jan 07 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.19-7
+* Thu Feb 28 2019 Adam Williamson <awilliam@redhat.com> - 2.21-2
+- Obsolete the python2 subpackage if we're not building it
+
+* Thu Feb 21 2019 Vojtech Trefny <vtrefny@redhat.com> - 2.21-1
+- Fix checking swap status on lvm/md (vtrefny)
+- tests: Stop skipping some tests on Debian testing (vtrefny)
+- tests: Remove some old/irrelevant skips (vtrefny)
+- Use 512bit keys in LUKS by default (vratislav.podzimek)
+- Add 'autoconf-archive' to build requires (vtrefny)
+- vagrant: remove F27 and add F29 (vtrefny)
+- vagrant: install 'autoconf-archive' on Ubuntu (vtrefny)
+- Enable cryptsetup debug messages when compiled using --enable-debug (vtrefny)
+- lvm-dbus: Do not pass extra arguments enclosed in a tuple (vtrefny)
+- crypto: Do not try to use keyring on systems without keyring support (vtrefny)
+- Fix LUKS2 resize password test (vtrefny)
+- Use cryptsetup to check LUKS2 label (vtrefny)
+- Skip LUKS2+integrity test on systems without dm-integrity module (vtrefny)
+- Add custom error message for wrong passphrase for open (vtrefny)
 - Use major/minor macros from sys/sysmacros.h instead of linux/kdev_t.h (vtrefny)
-  Resolves: rhbz#1644825
-
-* Tue Oct 16 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.19-6
-- Fix 'Require exact version of the utils subpackage' (vtrefny)
-  Related: rhbz#1614328
-
-* Tue Oct 16 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.19-5
-- Require exact version of the utils subpackage (vtrefny)
-  Related: rhbz#1614328
-
-* Mon Oct 08 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.19-4
-- Use libblkid to check swap status before swapon (vtrefny)
-  Related: rhbz#1634016
+- crypto_test.py: Use blkid instead of lsblk to check luks label (vtrefny)
+- Skip VDO grow physical test (vtrefny)
+- Add libblkid-devel as a build dependency for the swap plugin (vtrefny)
 - Add error codes and Python exceptions for swapon fails (vtrefny)
-  Resolves: rhbz#1634016
+- Use libblkid to check swap status before swapon (vtrefny)
+- Add a new subpackage with the tool(s) (v.podzimek)
+- Document what the 'tools' directory contains (v.podzimek)
+- Make building tools optional (v.podzimek)
+- Add a tool for getting cached LVM statistics (v.podzimek)
+- Discard messages from libdevmapper in the LVM plugins (v.podzimek)
 
-* Mon Aug 13 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.19-3
-- Build VDO plugin on all architectures with VDO support (vtrefny)
-  Related: rhbz#1614328
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.20-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
-* Mon Aug 13 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.19-2
-- Do not require 'dmraid' package (vtrefny)
-  Related: rhbz#1589861
+* Mon Oct 08 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.20-2
+- Use libblkid to check swap status before swapon (vtrefny)
+- Add error codes and Python exceptions for swapon fails (vtrefny)
+
+* Wed Sep 26 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.20-1
+- Use unsafe caching for storage for devel/testing VMs (v.podzimek)
+- Require newer version of cryptsetup for LUKS2 tests (vtrefny)
+- Skip nvdimm tests on systems without ndctl (vtrefny)
+- Add Ubuntu 18.04 VM configuration to the vagrant template (vtrefny)
+- Add some missing test dependencies to the vagrant template (vtrefny)
+- Fix how/where the bcache tests are skipped (v.podzimek)
+- Document what the 'misc' directory contains (v.podzimek)
+- Add a Vagrantfile template (v.podzimek)
+- Fix the error message when deleting partition fails (vpodzime)
+- Fix build of plugins by changing linking order (devurandom)
+- Fix how we check zram stats from /sys/block/zram0/stat (vtrefny)
+- lvm-dbus: Fix parsing extra arguments for LVM methods calls (vtrefny)
+- Skip MDTestAddRemove on Debian (vtrefny)
+- Skip NTFS mount test on Debian testing (vtrefny)
+- Skip bcache tests on Debian testing (vtrefny)
+- tests: Try harder to get distribution version (vtrefny)
+- Mark the function stubs as static (v.podzimek)
+- Build the dm plugin without dmraid support on newer RHEL (vtrefny)
+- Fix skipping zram tests on Fedora 27 (vtrefny)
+- kbd: Check for zram module availability in 'bd_kbd_is_tech_avail' (vtrefny)
+- Always build the VDO plugin (vtrefny)
+- Do not require 'dmraid' package if built without dmraid support (vtrefny)
+- Fix licence header in dbus.c (vtrefny)
+- Fix spacing in NEWS.rst (vtrefny)
 
 * Fri Aug 10 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.19-1
 - Use python interpreter explicitly when running boilerplate_generator.py (vtrefny)
@@ -1136,11 +1432,41 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 - Do not build VDO plugin on non-x86_64 architectures (vtrefny)
 - Sync spec with downstream (vtrefny)
 
-* Thu Jun 28 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.17-3
-- Build kbd plugin withou bcache support
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.18-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
-* Fri Jun 22 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.17-2
-- Do not build btrs plugin on RHEL 8
+* Mon Jul 09 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.18-3
+- Reitroduce python2 support for Fedora 29
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.18-2
+- Rebuilt for Python 3.7
+
+* Wed Jun 20 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.18-1
+- Add VDO to features.rst (vtrefny)
+- Remove roadmap.rst (vtrefny)
+- vdo: Add tests for bd_vdo_grow_physical() (tbzatek)
+- Do not try to build VDO plugin on Fedora (vtrefny)
+- Introduce reporting function per thread (kailueke)
+- vdo: Implement bd_vdo_grow_physical() (tbzatek)
+- Correct arguments for ext4 repair with progress (kailueke)
+- Clarify that checking an RW-mounted XFS file system is impossible (v.podzimek)
+- vdo: Resolve real device file path (tbzatek)
+- Adjust to new NVDIMM namespace modes (vtrefny)
+- Use xfs_repair instead of xfs_db in bd_fs_xfs_check() (v.podzimek)
+- Allow compiling libblockdev without libdmraid (vtrefny)
+- Only require plugins we really need in LVM dbus tests (vtrefny)
+- Add tests for VDO plugin (vtrefny)
+- Add decimal units definition to utils/sizes.h (vtrefny)
+- Add basic VDO plugin functionality (vtrefny)
+- Add the VDO plugin (vtrefny)
+- Always check for error when (un)mounting (vtrefny)
+- Fix off-by-one error when counting TCRYPT keyfiles (segfault)
+- Add 'bd_dm_is_tech_avail' to header file (vtrefny)
+- Fix release number in NEWS.rst (vtrefny)
+- Update specs.rst and features.rst (vtrefny)
+
+* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.17-2
+- Rebuilt for Python 3.7
 
 * Tue Apr 24 2018 Vojtech Trefny <vtrefny@redhat.com> - 2.17-1
 - Redirect cryptsetup log to libblockdev log (vtrefny)