Add --disable-blkid CLI option.

To be used with luksFormat if blkid fails for unknown reason.

man/common_options.adoc

@@ -775,6 +775,11 @@ Removes a previously configured deferred device removal in _close_
 command.
 endif::[]
 
+ifdef::ACTION_LUKSFORMAT,ACTION_REENCRYPT[]
+*--disable-blkid*::
+Disable use of blkid library for checking and wiping on-disk signatures.
+endif::[]
+
 ifdef::ACTION_OPEN,ACTION_LUKSRESUME,ACTION_RESIZE,ACTION_TOKEN[]
 *--disable-external-tokens*::
 Disable loading of plugins for external LUKS2 tokens.

src/cryptsetup.c

@@ -204,7 +204,7 @@ static int action_open_plain(void)
 			goto out;
 
 		/* Skip blkid scan when activating plain device with offset */
-		if (!ARG_UINT64(OPT_OFFSET_ID)) {
+		if (!ARG_UINT64(OPT_OFFSET_ID) && !ARG_SET(OPT_DISABLE_BLKID_ID)) {
 			/* Print all present signatures in read-only mode */
 			r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
 			if (r < 0) {
@@ -1305,11 +1305,13 @@ static int action_luksRepair(void)
 		goto out;
 	}
 
-	r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID));
-	if (r < 0) {
-		if (r == -EIO)
-			log_err(_("Blkid scan failed for %s."), action_argv[0]);
-		goto out;
+	if (!ARG_SET(OPT_DISABLE_BLKID_ID)) {
+		r = tools_detect_signatures(action_argv[0], PRB_FILTER_LUKS, NULL, ARG_SET(OPT_BATCH_MODE_ID));
+		if (r < 0) {
+			if (r == -EIO)
+				log_err(_("Blkid scan failed for %s."), action_argv[0]);
+			goto out;
+		}
 	}
 
 	if (!ARG_SET(OPT_BATCH_MODE_ID) &&
@@ -1384,7 +1386,7 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	const char *header_device, *type;
 	char *msg = NULL, *key = NULL, *password = NULL;
 	char cipher [MAX_CIPHER_LEN], cipher_mode[MAX_CIPHER_LEN], integrity[MAX_CIPHER_LEN];
-	size_t passwordLen, signatures;
+	size_t passwordLen, signatures = 0;
 	struct crypt_device *cd = NULL;
 	struct crypt_params_luks1 params1 = {
 		.hash = ARG_STR(OPT_HASH_ID) ?: DEFAULT_LUKS1_HASH,
@@ -1495,11 +1497,13 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	}
 
 	/* Print all present signatures in read-only mode */
-	r = tools_detect_signatures(header_device, PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
-	if (r < 0) {
-		if (r == -EIO)
-			log_err(_("Blkid scan failed for %s."), header_device);
-		goto out;
+	if (!ARG_SET(OPT_DISABLE_BLKID_ID)) {
+		r = tools_detect_signatures(header_device, PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
+		if (r < 0) {
+			if (r == -EIO)
+				log_err(_("Blkid scan failed for %s."), header_device);
+			goto out;
+		}
 	}
 
 	if (!created && !ARG_SET(OPT_BATCH_MODE_ID)) {
@@ -1559,7 +1563,8 @@ int luksFormat(struct crypt_device **r_cd, char **r_password, size_t *r_password
 	}
 
 	/* Signature candidates found */
-	if (signatures && ((r = tools_wipe_all_signatures(header_device, true, false)) < 0))
+	if (!ARG_SET(OPT_DISABLE_BLKID_ID) && signatures &&
+	    ((r = tools_wipe_all_signatures(header_device, true, false)) < 0))
 		goto out;
 
 	if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID))

src/cryptsetup_arg_list.h

@@ -43,6 +43,8 @@ ARG(OPT_DEVICE_SIZE, '\0', POPT_ARG_STRING, N_("Use only specified device size (
 
 ARG(OPT_DECRYPT, '\0', POPT_ARG_NONE, N_("Decrypt LUKS2 device (remove encryption)."), NULL, CRYPT_ARG_BOOL, {}, {})
 
+ARG(OPT_DISABLE_BLKID, '\0', POPT_ARG_NONE, N_("Disable blkid on-disk signature detection and wiping"), NULL, CRYPT_ARG_BOOL, {}, OPT_DISABLE_BLKID_ACTIONS)
+
 ARG(OPT_DISABLE_EXTERNAL_TOKENS, '\0', POPT_ARG_NONE, N_("Disable loading of external LUKS2 token plugins"), NULL, CRYPT_ARG_BOOL, {}, {})
 
 ARG(OPT_DISABLE_KEYRING, '\0', POPT_ARG_NONE, N_("Disable loading volume keys via kernel keyring"), NULL, CRYPT_ARG_BOOL, {}, {})

src/cryptsetup_args.h

@@ -58,6 +58,7 @@
 #define OPT_ALLOW_DISCARDS_ACTIONS		{ OPEN_ACTION }
 #define OPT_DEFERRED_ACTIONS			{ CLOSE_ACTION }
 #define OPT_DEVICE_SIZE_ACTIONS			{ OPEN_ACTION, RESIZE_ACTION, REENCRYPT_ACTION }
+#define OPT_DISABLE_BLKID_ACTIONS		{ FORMAT_ACTION, REENCRYPT_ACTION }
 #define OPT_DISABLE_VERACRYPT_ACTIONS		{ OPEN_ACTION, TCRYPTDUMP_ACTION }
 #define OPT_ERASE_ACTIONS			{ ERASE_ACTION }
 #define OPT_HOTZONE_SIZE_ACTIONS		{ REENCRYPT_ACTION }

src/integritysetup.c

@@ -190,16 +190,18 @@ static int action_format(void)
 			goto out;
 	}
 
-	r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
-	if (r < 0) {
-		if (r == -EIO)
-			log_err(_("Blkid scan failed for %s."), action_argv[0]);
-		goto out;
-	}
+	if (!ARG_SET(OPT_DISABLE_BLKID_ID)) {
+		r = tools_detect_signatures(action_argv[0], PRB_FILTER_NONE, &signatures, ARG_SET(OPT_BATCH_MODE_ID));
+		if (r < 0) {
+			if (r == -EIO)
+				log_err(_("Blkid scan failed for %s."), action_argv[0]);
+			goto out;
+		}
 
-	/* Signature candidates found */
-	if (signatures && ((r = tools_wipe_all_signatures(action_argv[0], true, false)) < 0))
-		goto out;
+		/* Signature candidates found */
+		if (signatures && ((r = tools_wipe_all_signatures(action_argv[0], true, false)) < 0))
+			goto out;
+	}
 
 	if (ARG_SET(OPT_INTEGRITY_LEGACY_PADDING_ID))
 		crypt_set_compatibility(cd, CRYPT_COMPAT_LEGACY_INTEGRITY_PADDING);

src/integritysetup_arg_list.h

@@ -35,6 +35,8 @@ ARG(OPT_CANCEL_DEFERRED, '\0', POPT_ARG_NONE, N_("Cancel a previously set deferr
 
 ARG(OPT_DATA_DEVICE, '\0', POPT_ARG_STRING, N_("Path to data device (if separated)"), N_("path"), CRYPT_ARG_STRING, {}, {})
 
+ARG(OPT_DISABLE_BLKID, '\0', POPT_ARG_NONE, N_("Disable blkid on-disk signature detection and wiping"), NULL, CRYPT_ARG_BOOL, {}, OPT_DISABLE_BLKID_ACTIONS)
+
 ARG(OPT_DEBUG, '\0', POPT_ARG_NONE, N_("Show debug messages"), NULL, CRYPT_ARG_BOOL, {}, {})
 
 ARG(OPT_DEFERRED, '\0', POPT_ARG_NONE, N_("Device removal is deferred until the last user closes it"), NULL, CRYPT_ARG_BOOL, {}, OPT_DEFERRED_ACTIONS)

src/integritysetup_args.h

@@ -34,6 +34,7 @@
 
 #define OPT_ALLOW_DISCARDS_ACTIONS		{ OPEN_ACTION }
 #define OPT_DEFERRED_ACTIONS			{ CLOSE_ACTION }
+#define OPT_DISABLE_BLKID_ACTIONS		{ FORMAT_ACTION }
 #define OPT_INTEGRITY_RECALCULATE_ACTIONS	{ OPEN_ACTION }
 #define OPT_JOURNAL_SIZE_ACTIONS		{ FORMAT_ACTION }
 #define OPT_NO_WIPE_ACTIONS			{ FORMAT_ACTION }

src/utils_arg_names.h

@@ -41,6 +41,7 @@
 #define OPT_DEFERRED			"deferred"
 #define OPT_DEVICE_SIZE			"device-size"
 #define OPT_DECRYPT			"decrypt"
+#define OPT_DISABLE_BLKID		"disable-blkid"
 #define OPT_DISABLE_EXTERNAL_TOKENS	"disable-external-tokens"
 #define OPT_DISABLE_KEYRING		"disable-keyring"
 #define OPT_DISABLE_LOCKS		"disable-locks"

src/utils_reencrypt.c

@@ -1328,6 +1328,9 @@ static int check_broken_luks_signature(const char *device)
 	int r;
 	size_t count;
 
+	if (ARG_SET(OPT_DISABLE_BLKID_ID))
+		return 0;
+
 	r = tools_detect_signatures(device, PRB_ONLY_LUKS, &count, ARG_SET(OPT_BATCH_MODE_ID));
 	if (r < 0) {
 		if (r == -EIO)

tests/compat-test2

@@ -1316,5 +1316,14 @@ if [ $HAVE_KEYRING -gt 0 -a -d /proc/sys/kernel/keys ]; then
 	echo $PWD1 | $CRYPTSETUP open $LOOPDEV $DEV_NAME --volume-key-type userlogon > /dev/null 2>&1 && fail
 fi
 
+prepare "[45] Blkid disable check" wipe
+if [ "$HAVE_BLKID" -gt 0 ]; then
+	xz -dkf $HEADER_LUKS2_PV.xz
+	# batch mode disables blkid print, use --debug to check it
+	echo $PWD1 | $CRYPTSETUP -q --debug luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" || fail
+	xz -dkf $HEADER_LUKS2_PV.xz
+	echo $PWD1 | $CRYPTSETUP -q --debug --disable-blkid luksFormat $FAST_PBKDF_OPT --type luks2 $HEADER_LUKS2_PV 2>&1 | grep -q "LVM2_member" && fail
+fi
+
 remove_mapping
 exit 0