From 1b7211f013e2ccaae55f844e07fa2e22aa651bb2 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Wed, 1 Nov 2023 17:26:45 +0100
Subject: [PATCH] Do not allow decryption on devices with unsupported parameters. Most notably LUKS2 w/ authenticated encryption profile. OPAL restriction will be added in later commits.
---
 src/utils_reencrypt.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/utils_reencrypt.c b/src/utils_reencrypt.c
index 9b044118..45f364c2 100644
--- a/src/utils_reencrypt.c
+++ b/src/utils_reencrypt.c
@@ -1465,6 +1465,8 @@ static int _decrypt(struct crypt_device **cd, enum device_status_info dev_st, co
 if ((r = reencrypt_luks2_load(*cd, data_device)) < 0)
 return r;
 } else if (dev_st == DEVICE_LUKS2) {
+ if (!luks2_reencrypt_eligible(*cd))
+ return -EINVAL;
 if (!ARG_SET(OPT_HEADER_ID)) {
 log_err(_("LUKS2 decryption requires --header option."));
 return -EINVAL;
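Review bot: The new guard in the `dev_st == DEVICE_LUKS2` branch returns `-EINVAL` with no message at this site, whereas the `--header` check directly below it calls `log_err()` before returning. The body of `luks2_reencrypt_eligible()` is not in this hunk, so it is worth confirming that it reports the reason on every path that returns false; otherwise the user sees a bare failure and cannot tell that the authenticated-encryption profile is what blocked decryption. The guard also covers only this branch: the preceding branch that calls `reencrypt_luks2_load()` is untouched, presumably because such a device was vetted when the operation was initialized, but that assumption should be verified. A short comment would record the intent, e.g. `/* refuse layouts (e.g. authenticated encryption) that decryption cannot handle, before any option processing */`. `_decrypt()` begins and ends outside the hunk, so later checks are not visible here.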