Add --disable-blkid CLI option.

To be used with luksFormat if blkid fails for an unknown reason.
Milan Broz
2023-09-12 15:39:25 +02:00
parent 1969b6be2f
commit 1c31b93e5c
10 changed files with 53 additions and 22 deletions


@@ -775,6 +775,11 @@ Removes a previously configured deferred device removal in _close_
command.
endif::[]
ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
*--disable-blkid*::
Disable use of blkid library for checking and wiping on-disk signatures.
endif::[]
ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TOKEN[]
*--disable-external-tokens*::
Disable loading of plugins for external LUKS2 tokens.


@@ -204,7 +204,7 @@ static int action_open_plain(void)
goto out;
/* Skip blkid scan when activating plain device with offset */
if (!ARG_UINT64(OPT_OFFSET_ID)) {
if (!ARG_UINT64(OPT_OFFSET_ID) && !ARG_SET(OPT_DISABLE_BLKID_ID)) {
/* Print all present signatures in read-only mode */
r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
if (r < 0) {
@@ -1305,12 +1305,14 @@ static int action_luksRepair(void)
goto out;
}
if (!ARG_SET(OPT_DISABLE_BLKID_ID)) {
r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID));
if (r < 0) {
if (r == -EIO)
log_err(_("Blkid scan failed for %s."), action_argv[0]);
goto out;
}
}
if (!ARG_SET(OPT_BATCH_MODE_ID) &&
!yesDialog(_("Really try to repair LUKS device header?"),
@@ -1384,7 +1386,7 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
const char *header_device, *type;
char *msg = NULL, *key = NULL, *password = NULL;
char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN], integrity[MAX_CIPHER_LEN];
size_t passwordLen, signatures;
size_t passwordLen, signatures = 0;
struct crypt_device *cd = NULL;
struct crypt_params_luks1 params1 = {
.hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH,
@@ -1495,12 +1497,14 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
}
/* Print all present signatures in read-only mode */
if (!ARG_SET(OPT_DISABLE_BLKID_ID)) {
r = tools_detect_signatures(header_device, PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
if (r < 0) {
if (r == -EIO)
log_err(_("Blkid scan failed for %s."), header_device);
goto out;
}
}
if (!created && !ARG_SET(OPT_BATCH_MODE_ID)) {
r = asprintf(&msg, _("This will overwrite data on %s irrevocably."), header_device);
@@ -1559,7 +1563,8 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
}
/* Signature candidates found */
if (signatures && ((r = tools_wipe_all_signatures(header_device, true, false)) < 0))
if (!ARG_SET(OPT_DISABLE_BLKID_ID) && signatures &&
((r = tools_wipe_all_signatures(header_device, true, false)) < 0))
goto out;
if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID))
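Review bot: With `--disable-blkid`, luksFormat skips both `tools_detect_signatures()` and `tools_wipe_all_signatures()` without telling the user, so an old filesystem or LVM signature that the new header does not happen to overwrite may stay on the device and still be recognised by other tools afterwards. A one-line notice on the skipped path would make that visible, for example `else log_std(_("blkid scan disabled, existing signatures on %s are not checked or wiped.\n"), header_device);` after the guarded scan block. The same silent skip applies to action_format in the integrity tool's section and to the early `return 0` in check_broken_luks_signature. In the wipe hunk the added `!ARG_SET(OPT_DISABLE_BLKID_ID) &&` appears redundant, because `signatures` is now initialised to 0 and, in the visible hunks, is only written by the skipped scan; luksFormat's body continues outside these hunks.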


@@ -43,6 +43,8 @@ ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (
ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Decrypt LUKS2 device (remove encryption)."), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_DISABLE_BLKID, '\0', POPT_ARG_NONE, N_("Disable blkid on-disk signature detection and wiping"), NULL, CRYPT_ARG_BOOL, {}, OPT_DISABLE_BLKID_ACTIONS)
ARG(OPT_DISABLE_EXTERNAL_TOKENS, '\0', POPT_ARG_NONE, N_("Disable loading of external LUKS2 token plugins"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_DISABLE_KEYRING, '\0', POPT_ARG_NONE, N_("Disable loading volume keys via kernel keyring"), NULL, CRYPT_ARG_BOOL, {}, {})


@@ -58,6 +58,7 @@
#define OPT_ALLOW_DISCARDS_ACTIONS { OPEN_ACTION }
#define OPT_DEFERRED_ACTIONS { CLOSE_ACTION }
#define OPT_DEVICE_SIZE_ACTIONS { OPEN_ACTION, RESIZE_ACTION, REENCRYPT_ACTION }
#define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION, REENCRYPT_ACTION }
#define OPT_DISABLE_VERACRYPT_ACTIONS { OPEN_ACTION, TCRYPTDUMP_ACTION }
#define OPT_ERASE_ACTIONS { ERASE_ACTION }
#define OPT_HOTZONE_SIZE_ACTIONS { REENCRYPT_ACTION }
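Review bot: `OPT_DISABLE_BLKID_ACTIONS` lists only `FORMAT_ACTION` and `REENCRYPT_ACTION`, yet the same commit adds `ARG_SET(OPT_DISABLE_BLKID_ID)` guards in action_open_plain and action_luksRepair. If an option is rejected for actions missing from its list (the code that enforces this is not visible here), those two guards can never take effect. Either add the open and repair actions to this list and to the man page `ifdef`, or drop the two guards so the code matches the documented scope.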


@@ -190,6 +190,7 @@ static int action_format(void)
goto out;
}
if (!ARG_SET(OPT_DISABLE_BLKID_ID)) {
r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
if (r < 0) {
if (r == -EIO)
@@ -200,6 +201,7 @@ static int action_format(void)
/* Signature candidates found */
if (signatures && ((r = tools_wipe_all_signatures(action_argv[0], true, false)) < 0))
goto out;
}
if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID))
crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING);


@@ -35,6 +35,8 @@ ARG(OPT_CANCEL_DEFERRED, '\0', POPT_ARG_NONE, N_("Cancel a previously set deferr
ARG(OPT_DATA_DEVICE, '\0', POPT_ARG_STRING, N_("Path to data device (if separated)"), N_("path"), CRYPT_ARG_STRING, {}, {})
ARG(OPT_DISABLE_BLKID, '\0', POPT_ARG_NONE, N_("Disable blkid on-disk signature detection and wiping"), NULL, CRYPT_ARG_BOOL, {}, OPT_DISABLE_BLKID_ACTIONS)
ARG(OPT_DEBUG, '\0', POPT_ARG_NONE, N_("Show debug messages"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_DEFERRED, '\0', POPT_ARG_NONE, N_("Device removal is deferred until the last user closes it"), NULL, CRYPT_ARG_BOOL, {}, OPT_DEFERRED_ACTIONS)
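Review bot: The new `OPT_DISABLE_BLKID` entry sits between `OPT_DATA_DEVICE` and `OPT_DEBUG`, which breaks the alphabetical order the neighbouring entries follow. Moving it below `OPT_DEFERRED`, ahead of whatever `OPT_DI…` entries follow outside this hunk, would keep the table sorted, as the matching entry in the other tool's list already is.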


@@ -34,6 +34,7 @@
#define OPT_ALLOW_DISCARDS_ACTIONS { OPEN_ACTION }
#define OPT_DEFERRED_ACTIONS { CLOSE_ACTION }
#define OPT_DISABLE_BLKID_ACTIONS { FORMAT_ACTION }
#define OPT_INTEGRITY_RECALCULATE_ACTIONS { OPEN_ACTION }
#define OPT_JOURNAL_SIZE_ACTIONS { FORMAT_ACTION }
#define OPT_NO_WIPE_ACTIONS { FORMAT_ACTION }


@@ -41,6 +41,7 @@
#define OPT_DEFERRED "deferred"
#define OPT_DEVICE_SIZE "device-size"
#define OPT_DECRYPT "decrypt"
#define OPT_DISABLE_BLKID "disable-blkid"
#define OPT_DISABLE_EXTERNAL_TOKENS "disable-external-tokens"
#define OPT_DISABLE_KEYRING "disable-keyring"
#define OPT_DISABLE_LOCKS "disable-locks"


@@ -1328,6 +1328,9 @@ static int check_broken_luks_signature(const char *device)
int r;
size_t count;
if (ARG_SET(OPT_DISABLE_BLKID_ID))
return 0;
r = tools_detect_signatures(device, PRB_ONLY_LUKS, &count, ARG_SET(OPT_BATCH_MODE_ID));
if (r < 0) {
if (r == -EIO)


@@ -1316,5 +1316,14 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-type userlogon > /dev/null 2>&1 && fail
fi
prepare "[45] Blkid disable check" wipe
if [ "$HAVE_BLKID" -gt 0 ]; then
xz -dkf $HEADER_LUKS2_PV.xz
# batch mode disables blkid print, use --debug to check it
echo $PWD1 | $CRYPTSETUP -q --debug luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" || fail
xz -dkf $HEADER_LUKS2_PV.xz
echo $PWD1 | $CRYPTSETUP -q --debug --disable-blkid luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" && fail
fi
remove_mapping
exit 0
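Review bot: The negative check `... --disable-blkid luksFormat ... | grep -q "LVM2_member" && fail` also passes when luksFormat itself fails, for instance if the option were rejected, because the output then contains no `LVM2_member` either. Checking the exit status separately would pin the intended behaviour: `out=$(echo $PWD1 | $CRYPTSETUP -q --debug --disable-blkid luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1) || fail` followed by `echo "$out" | grep -q "LVM2_member" && fail`. The positive case two lines earlier has the same shape but is less exposed, since a failed format there would already trip `|| fail`.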