Detect kernel version for dm-crypt kernel key bugfix.

When loading first dm-crypt table (or action that triggers dm-crypt module load) we do not know dm-crypt version yet. Let's assume all kernels before 4.15.0 are flawed and reject VK load via kernel keyring service. When dm-crypt is already in kernel, check for correct target version instead (v1.18.1 or later).
2025-12-11 19:00:02 +01:00 · 2018-01-15 16:03:08 +01:00
parent d12fb3d6e1
commit 598dd672bc
3 changed files with 42 additions and 1 deletions
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -4101,6 +4101,15 @@ static int kernel_keyring_support(void)
 	return _kernel_keyring_supported;
 }

+static int dmcrypt_keyring_bug(void)
+{
+	uint64_t kversion;
+
+	if (kernel_version(&kversion))
+		return 1;
+	return kversion < version(4,15,0,0);
+}
+
 int crypt_use_keyring_for_vk(const struct crypt_device *cd)
 {
 	uint32_t dmc_flags;
@@ -4113,7 +4122,7 @@ int crypt_use_keyring_for_vk(const struct crypt_device *cd)
 		return 0;

 	if (dm_flags(DM_CRYPT, &dmc_flags))
-		return 1;
+		return dmcrypt_keyring_bug() ? 0 : 1;

 	return (dmc_flags & DM_KERNEL_KEYRING_SUPPORTED);
 }