Add global serialization lock for memory hard PBKDF.

This is a very ugly workaround for the situation when multiple
devices are being activated in parallel (systemd crypttab)
and the system, instead of returning ENOMEM, uses the OOM killer
to randomly kill processes.

This flag is intended to be used only in very specific situations.
Milan Broz
2019-03-28 12:25:06 +01:00
parent 29b94d6ba3
commit 1b49ea4061
6 changed files with 77 additions and 2 deletions


@@ -339,6 +339,12 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
return -EINVAL;
keyslot_key_len = json_object_get_int(jobj2);
/*
* If requested, serialize unlocking for memory-hard KDF. Usually NOOP.
*/
if (pbkdf.max_memory_kb && crypt_serialize_lock(cd))
return -EINVAL;
/*
* Allocate derived key storage space.
*/
@@ -361,6 +367,9 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
pbkdf.iterations, pbkdf.max_memory_kb,
pbkdf.parallel_threads);
if (pbkdf.max_memory_kb)
crypt_serialize_unlock(cd);
if (r == 0) {
log_dbg(cd, "Reading keyslot area [0x%04x].", (unsigned)area_offset);
/* FIXME: sector_offset should be size_t, fix LUKS_decrypt... accordingly */
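Review bot: The serialization lock taken by `if (pbkdf.max_memory_kb && crypt_serialize_lock(cd))` is released only on the fall-through path after the KDF call, so any early `return` in the lines between the two hunks would leave it held. Those lines are not shown, but the context comment "Allocate derived key storage space" suggests allocations that can fail there; if so, a failed allocation under memory pressure, the very case this workaround targets, could stall other unlocks waiting on the global lock. Taking the lock directly before the KDF call in the second hunk, or routing those failures through one exit that calls `crypt_serialize_unlock(cd)`, would close the gap. Returning `-EINVAL` when the lock cannot be taken also hides the real cause from the caller; if the lock function returns an errno, propagating it would be clearer. luks2_keyslot_get_key starts and ends outside both hunks.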