eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Create dm-integrity with CRYPT_SUBDEV prefix.

Browse Source 
When activating dm-integrity device underneath dm-crypt
with LUKS2 authenticated encryption mode, annotate the
device correctly with CRYPT_SUBDEV prefix. This will help
us to clearly identify dependent device underneath LUKS2 top
level device and we can unify the deactivation code in future
releases.

We have general code deactivating dependent devices already for
LUKS2 reencrytion.

Deactivating newly created devices with pre 2.8.0 cryptsetup
will issue warning about missing devices but the deactivation
will succeed.
This commit is contained in:
Ondrej Kozina
2025-05-26 10:28:51 +02:00
parent 880bbfab4d
commit 12eb040943
2 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/luks2/luks2_json_metadata.c
View File

@@ -2923,6 +2923,18 @@ int LUKS2_deactivate(struct crypt_device *cd, const char *name, struct luks2_hdr
ret = 0;
dep = deps;
while (*dep) {
/*
* FIXME: dm-integrity has now proper SUBDEV prefix so
* it would be deactivated here, but due to specific
* dm_remove_device(iname) above the iname device
* is no longer active. This will be fixed when
* we switch to SUBDEV deactivation after 2.8 release.
*/
if (iname && !strcmp(*dep, iname)) {
dep++;
continue;
}
log_dbg(cd, "Deactivating LUKS2 dependent device %s.", *dep);
r = dm_query_device(cd, *dep, DM_ACTIVE_CRYPT_KEY | DM_ACTIVE_CRYPT_KEYSIZE, &dmdc);
if (r < 0) {

12
lib/setup.c
View File

@@ -3269,7 +3269,15 @@ static int _compare_device_types(struct crypt_device *cd,
return -EINVAL;
}
if (isLUKS2(cd->type) && !strncmp("INTEGRITY-", tgt->uuid, strlen("INTEGRITY-"))) {
/*
* FIXME: The CRYPT_SUBDEV prefix should be enough but we need
* to keep INTEGRITY- for dm-integrity subdevices opened with
* cryptsetup version < 2.8.0. Drop the INTEGRITY condition
* in next Y release.
*/
if (isLUKS2(cd->type) &&
(!strncmp("INTEGRITY-", tgt->uuid, strlen("INTEGRITY-")) ||
!strncmp(CRYPT_SUBDEV, tgt->uuid, strlen(CRYPT_SUBDEV)))) {
if (dm_uuid_cmp(tgt->uuid, src->uuid)) {
log_dbg(cd, "LUKS UUID mismatch.");
return -EINVAL;
@@ -4921,7 +4929,7 @@ static int _create_device_with_integrity(struct crypt_device *cd,
device_check = dmd->flags & CRYPT_ACTIVATE_SHARED ? DEV_OK : DEV_EXCL;
r = INTEGRITY_activate_dmd_device(cd, iname, CRYPT_INTEGRITY, dmdi, 0);
r = INTEGRITY_activate_dmd_device(cd, iname, CRYPT_SUBDEV, dmdi, 0);
if (r)
return r;