diff --git a/0013-Fix-setting-kickstart-data.patch b/0013-Fix-setting-kickstart-data.patch
new file mode 100644
index 0000000..040b5c6
--- /dev/null
+++ b/0013-Fix-setting-kickstart-data.patch
@@ -0,0 +1,68 @@
+From 1af0d3c37a93e431790e641a329a7f34dabf291a Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny
+Date: Thu, 2 Mar 2023 12:34:42 +0100
+Subject: [PATCH] Fix setting kickstart data
+
+When changing our code to PEP8 compliant we also changed some
+pykickstart properties like onPart by accident. This PR fixes this.
+
+Resolves: rhbz#2174296
+---
+ blivet/devices/btrfs.py | 4 ++--
+ blivet/devices/lvm.py | 2 +-
+ blivet/devices/partition.py | 6 +++---
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/blivet/devices/btrfs.py b/blivet/devices/btrfs.py
+index 1ae6a04d..3f56624e 100644
+--- a/blivet/devices/btrfs.py
++++ b/blivet/devices/btrfs.py
+@@ -498,8 +498,8 @@ class BTRFSVolumeDevice(BTRFSDevice, ContainerDevice, RaidDevice):
+
+ def populate_ksdata(self, data):
+ super(BTRFSVolumeDevice, self).populate_ksdata(data)
+- data.data_level = self.data_level.name if self.data_level else None
+- data.metadata_level = self.metadata_level.name if self.metadata_level else None
++ data.dataLevel = self.data_level.name if self.data_level else None
++ data.metaDataLevel = self.metadata_level.name if self.metadata_level else None
+ data.devices = ["btrfs.%d" % p.id for p in self.parents]
+ data.preexist = self.exists
+
+diff --git a/blivet/devices/lvm.py b/blivet/devices/lvm.py
+index 41358e9b..c3132457 100644
+--- a/blivet/devices/lvm.py
++++ b/blivet/devices/lvm.py
+@@ -1161,7 +1161,7 @@ class LVMLogicalVolumeBase(DMDevice, RaidDevice):
+
+ if self.req_grow:
+ # base size could be literal or percentage
+- data.max_size_mb = self.req_max_size.convert_to(MiB)
++ data.maxSizeMB = self.req_max_size.convert_to(MiB)
+ elif data.resize:
+ data.size = self.target_size.convert_to(MiB)
+
+diff --git a/blivet/devices/partition.py b/blivet/devices/partition.py
+index 89d907c2..0e9250ce 100644
+--- a/blivet/devices/partition.py
++++ b/blivet/devices/partition.py
+@@ -982,14 +982,14 @@ class PartitionDevice(StorageDevice):
+ data.size = self.req_base_size.round_to_nearest(MiB, rounding=ROUND_DOWN).convert_to(spec=MiB)
+ data.grow = self.req_grow
+ if self.req_grow:
+- data.max_size_mb = self.req_max_size.convert_to(MiB)
++ data.maxSizeMB = self.req_max_size.convert_to(MiB)
+
+ # data.disk = self.disk.name # by-id
+ if self.req_disks and len(self.req_disks) == 1:
+ data.disk = self.disk.name
+- data.prim_only = self.req_primary
++ data.primOnly = self.req_primary
+ else:
+- data.on_part = self.name # by-id
++ data.onPart = self.name # by-id
+
+ if data.resize:
+ # on s390x in particular, fractional sizes are reported, which
+--
+2.40.1
+
diff --git a/0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch b/0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch
new file mode 100644
index 0000000..8cc0bd5
--- /dev/null
+++ b/0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch
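Review bot: No regression test accompanies the attribute fixes in 0013-Fix-setting-kickstart-data.patch; its diffstat lists only `blivet/devices/btrfs.py`, `blivet/devices/lvm.py` and `blivet/devices/partition.py`. Every corrected line is a plain assignment on the pykickstart `data` object (`data.maxSizeMB = ...`, `data.onPart = ...`), and unless those data classes restrict their attributes a misspelled name is stored silently, which is presumably how the snake_case names went unnoticed. A unit test that runs `populate_ksdata` against a real pykickstart data object and asserts on the camelCase attributes, e.g. `self.assertEqual(data.onPart, dev.name)`, would catch a repeat. The enclosing methods in lvm.py and partition.py start and end outside their hunks.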
@@ -0,0 +1,133 @@
+From c2b06150df0b876c7d442097b6c9ca90c9ca2ecc Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny
+Date: Thu, 4 May 2023 11:35:44 +0200
+Subject: [PATCH] Do not set memory limit for LUKS2 when running in FIPS mode
+
+With FIPS enabled LUKS uses pbkdf and not argon so the memory
+limit is not a valid parameter.
+
+Resolves: rhbz#2193096
+---
+ blivet/devicelibs/crypto.py | 11 +++++++
+ blivet/formats/luks.py | 12 ++++----
+ tests/unit_tests/formats_tests/luks_test.py | 30 +++++++++++++++++++
+ .../unit_tests/formats_tests/methods_test.py | 3 +-
+ 4 files changed, 50 insertions(+), 6 deletions(-)
+
+diff --git a/blivet/devicelibs/crypto.py b/blivet/devicelibs/crypto.py
+index f0caf0f7..68e68db1 100644
+--- a/blivet/devicelibs/crypto.py
++++ b/blivet/devicelibs/crypto.py
+@@ -21,6 +21,7 @@
+ #
+
+ import hashlib
++import os
+
+ import gi
+ gi.require_version("BlockDev", "2.0")
+@@ -100,3 +101,13 @@ def calculate_integrity_metadata_size(device_size, algorithm=DEFAULT_INTEGRITY_A
+ jsize = (jsize / SECTOR_SIZE + 1) * SECTOR_SIZE # round up to sector
+
+ return msize + jsize
++
++
++def is_fips_enabled():
++ if not os.path.exists("/proc/sys/crypto/fips_enabled"):
++ # if the file doesn't exist, we are definitely not in FIPS mode
++ return False
++
++ with open("/proc/sys/crypto/fips_enabled", "r") as f:
++ enabled = f.read()
++ return enabled.strip() == "1"
+diff --git a/blivet/formats/luks.py b/blivet/formats/luks.py
+index 2637e0c5..adf3c711 100644
+--- a/blivet/formats/luks.py
++++ b/blivet/formats/luks.py
+@@ -303,11 +303,13 @@ class LUKS(DeviceFormat):
+ if luks_data.pbkdf_args:
+ self.pbkdf_args = luks_data.pbkdf_args
+ else:
+- mem_limit = crypto.calculate_luks2_max_memory()
+- if mem_limit:
+- self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
+- luks_data.pbkdf_args = self.pbkdf_args
+- log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
++ # argon is not used with FIPS so we don't need to adjust the memory when in FIPS mode
++ if not crypto.is_fips_enabled():
++ mem_limit = crypto.calculate_luks2_max_memory()
++ if mem_limit:
++ self.pbkdf_args = LUKS2PBKDFArgs(max_memory_kb=int(mem_limit.convert_to(KiB)))
++ luks_data.pbkdf_args = self.pbkdf_args
++ log.info("PBKDF arguments for LUKS2 not specified, using defaults with memory limit %s", mem_limit)
+
+ if self.pbkdf_args:
+ pbkdf = blockdev.CryptoLUKSPBKDF(type=self.pbkdf_args.type,
+diff --git a/tests/unit_tests/formats_tests/luks_test.py b/tests/unit_tests/formats_tests/luks_test.py
+index ec7b7592..1127e968 100644
+--- a/tests/unit_tests/formats_tests/luks_test.py
++++ b/tests/unit_tests/formats_tests/luks_test.py
+@@ -6,9 +6,14 @@ except ImportError:
+ import unittest
+
+ from blivet.formats.luks import LUKS
++from blivet.size import Size
++from blivet.static_data import luks_data
+
+
+ class LUKSNodevTestCase(unittest.TestCase):
++ def setUp(self):
++ luks_data.pbkdf_args = None
++
+ def test_create_discard_option(self):
+ # flags.discard_new=False --> no discard
+ fmt = LUKS(exists=False)
+@@ -51,6 +56,31 @@ class LUKSNodevTestCase(unittest.TestCase):
+ fmt = LUKS(cipher="aes-cbc-plain64")
+ self.assertEqual(fmt.key_size, 0)
+
++ def test_luks2_pbkdf_memory_fips(self):
++ fmt = LUKS()
++ with patch("blivet.formats.luks.blockdev.crypto") as bd:
++ # fips enabled, pbkdf memory should not be set
++ with patch("blivet.formats.luks.crypto") as crypto:
++ attrs = {"is_fips_enabled.return_value": True,
++ "get_optimal_luks_sector_size.return_value": 0,
++ "calculate_luks2_max_memory.return_value": Size("256 MiB")}
++ crypto.configure_mock(**attrs)
++
++ fmt._create()
++ crypto.calculate_luks2_max_memory.assert_not_called()
++ self.assertEqual(bd.luks_format.call_args[1]["extra"].pbkdf.max_memory_kb, 0)
++
++ # fips disabled, pbkdf memory should be set
++ with patch("blivet.formats.luks.crypto") as crypto:
++ attrs = {"is_fips_enabled.return_value": False,
++ "get_optimal_luks_sector_size.return_value": 0,
++ "calculate_luks2_max_memory.return_value": Size("256 MiB")}
++ crypto.configure_mock(**attrs)
++
++ fmt._create()
++ crypto.calculate_luks2_max_memory.assert_called()
++ self.assertEqual(bd.luks_format.call_args[1]["extra"].pbkdf.max_memory_kb, 256 * 1024)
++
+ def test_sector_size(self):
+ fmt = LUKS()
+ self.assertEqual(fmt.luks_sector_size, 512)
+diff --git a/tests/unit_tests/formats_tests/methods_test.py b/tests/unit_tests/formats_tests/methods_test.py
+index 2743b7db..5d30c260 100644
+--- a/tests/unit_tests/formats_tests/methods_test.py
++++ b/tests/unit_tests/formats_tests/methods_test.py
+@@ -366,7 +366,8 @@ class LUKSMethodsTestCase(FormatMethodsTestCase):
+
+ def _test_create_backend(self):
+ self.format.exists = False
+- self.format.create()
++ with patch("blivet.devicelibs.crypto.is_fips_enabled", return_value=False):
++ self.format.create()
+ self.assertTrue(self.patches["blockdev"].crypto.luks_format.called) # pylint: disable=no-member
+
+ def _test_setup_backend(self):
+--
+2.40.1
+
diff --git a/python-blivet.spec b/python-blivet.spec
index af8dd80..ae30496 100644
--- a/python-blivet.spec
+++ b/python-blivet.spec
@@ -23,7 +23,7 @@ Version: 3.6.0 #%%global prerelease .b2 # prerelease, if defined, should be something like .a1, .b1, .b2.dev1, or .c2 -Release: 6%{?prerelease}%{?dist} +Release: 7%{?prerelease}%{?dist} Epoch: 1 License: LGPLv2+ %global realname blivet
@@ -42,6 +42,8 @@ Patch8: 0009-Catch-BlockDevNotImplementedError-for-btrfs-plugin-c.patch Patch9: 0010-Add-basic-support-for-NVMe-and-NVMe-Fabrics-devices.patch Patch10: 0011-Default-to-encryption-sector-size-512-for-LUKS-devic.patch Patch11: 0012-Add-support-for-specifying-stripe-size-for-RAID-LVs.patch +Patch12: 0013-Fix-setting-kickstart-data.patch +Patch13: 0014-Do-not-set-memory-limit-for-LUKS2-when-running-in-FI.patch # Versions of required components (done so we make sure the buildrequires # match the requires versions of things).
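Review bot: In the blivet/formats/luks.py hunk of 0014 the new `crypto.is_fips_enabled()` check guards only the automatically computed memory limit; the `if luks_data.pbkdf_args:` branch above it is unchanged, so preset PBKDF arguments are still applied as they are when FIPS mode is on. Whether an Argon2 type or a memory limit preset there is rejected further down is not visible in this hunk, so I would at least state it in the new comment, e.g. `# preset luks_data.pbkdf_args are used unchanged, also in FIPS mode`. The FIPS path also leaves no trace in the log; an `else: log.info("FIPS mode enabled, not setting PBKDF memory limit for LUKS2")` on the new `if` would show why the default was skipped. The enclosing method begins and ends outside the hunk.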
@@ -205,6 +207,12 @@ configuration. %endif %changelog +* Thu May 18 2023 Vojtech Trefny - 3.6.0-7 +- Fix setting kickstart data + Resolves: rhbz#2174296 +- Do not set memory limit for LUKS2 when running in FIPS mode + Resolves: rhbz#2193096 + * Tue May 02 2023 Vojtech Trefny - 3.6.0-6 - Add support for specifying stripe size for RAID LVs Resolves: RHEL-327