From 621dcea8eed386b2c7cb7e9b7b0ffc49f89fed82 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Fri, 27 Aug 2021 15:59:33 +0200
Subject: [PATCH] Do not init LUKS2 decryption for devices with data offset.
Currently LUKS2 decryption cannot perform data decryption with data shift. Even though we can decrypt devices with data offset > 0 in LUKS2 metadata it does not make much sense. Such devices cannot be easily mounted after decryption is finished due to said data offset (fs superblock is moved typicaly by 16MiBs).
---
 src/cryptsetup.c | 5 +++--
 tests/luks2-reencryption-test | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 180c46d7..e785dc3b 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -3050,8 +3050,9 @@ static int action_decrypt_luks2(struct crypt_device *cd)
 };
 size_t passwordLen;
- if (!crypt_get_metadata_device_name(cd) || crypt_header_is_detached(cd) <= 0) {
- log_err(_("LUKS2 decryption is supported with detached header device only."));
+ if (!crypt_get_metadata_device_name(cd) || crypt_header_is_detached(cd) <= 0 ||
+ crypt_get_data_offset(cd) > 0) {
+ log_err(_("LUKS2 decryption is supported with detached header device only (with data offset set to 0)."));
 return -ENOTSUP;
 }
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index 78c17999..a1be5113 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
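Review bot: The new `crypt_get_data_offset(cd) > 0` guard sits in the CLI action `action_decrypt_luks2()`, so it only protects users of the `cryptsetup` binary; if the library's decrypt-initialisation path does not reject a non-zero data offset itself (not visible in this hunk), other API callers can still start a decryption that leaves the plaintext beginning at the old offset. Consider enforcing the same condition where the reencryption parameters are validated in the library and keeping this check for the user-facing message. The combined error text also no longer tells the user which of the three conditions failed; a separate branch for the offset case with its own message would make the refusal easier to diagnose. A short comment above the condition would help, e.g. `/* decryption cannot shift data: refuse headers with data offset > 0 */`. The function body continues outside the hunk.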
@@ -961,6 +961,18 @@ echo $PWD1 | $CRYPTSETUP reencrypt --decrypt --active-name $DEV_NAME --header $D
 $CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail
 $CRYPTSETUP close $DEV_NAME
+# yet another funny idea
+rm -f $IMG_HDR
+$CRYPTSETUP luksHeaderBackup --header-backup-file $IMG_HDR $DEV || fail
+chmod +w $IMG_HDR || fail
+which wipefs >/dev/null 2>&1 && {
+ wipefs -a $DEV >/dev/null 2>&1 || fail
+}
+open_crypt $PWD1 $IMG_HDR
+echo $PWD1 | $CRYPTSETUP reencrypt --active-name $DEV_NAME --decrypt --header $IMG_HDR -q 2>/dev/null && fail
+$CRYPTSETUP status $DEV_NAME | grep -q "reencryption: in-progress" && fail
+$CRYPTSETUP close $DEV_NAME || fail
+
 if ! dm_delay_features; then
 echo "dm-delay target is missing, skipping recovery tests."
 remove_mapping
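Review bot: The negative assertion `... reencrypt --active-name $DEV_NAME --decrypt --header $IMG_HDR -q 2>/dev/null && fail` passes on any non-zero exit, so it would also pass if decryption were refused for an unrelated reason (wrong passphrase, unreadable header file, a failed `open_crypt`) and does not pin the new data-offset check. Capturing stderr and matching the refusal, or comparing the exit status with the one the tool returns for this case, would tie the test to the behaviour the commit adds. When `wipefs` is not installed the wipe step is skipped silently and the scenario runs against a device that still carries its on-disk header, which may not be the case the test means to cover. The comment `# yet another funny idea` does not say what is being tested; something like `# decrypt must be refused when the detached header has data offset > 0` would document the intent.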