Allow activating multi key devices using VKs in keyring.

We already support activation of a device using a volume key in keyring. However, in case of multi-key devices (i.e. device with reencryption running) we need to supply two volume keys.
2025-12-05 16:00:05 +01:00 · 2024-01-09 16:23:05 +01:00
parent 4321992561
commit 7fb98caa79
7 changed files with 301 additions and 23 deletions
--- a/lib/luks2/luks2.h
+++ b/lib/luks2/luks2.h
@@ -472,6 +472,9 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 	size_t passphrase_size,
 	struct volume_key **vks);

+int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
+	struct volume_key *vks);
+
 void LUKS2_reencrypt_free(struct crypt_device *cd,
 	struct luks2_reencrypt *rh);

@@ -497,6 +500,10 @@ int LUKS2_reencrypt_check_device_size(struct crypt_device *cd,
 	bool device_exclusive_check,
 	bool dynamic);

+void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd,
+        struct luks2_hdr *hdr,
+        struct volume_key *vk);
+
 int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	struct volume_key *vks);
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -4434,6 +4434,38 @@ out:

 	return r < 0 ? r : keyslot;
 }
+
+int LUKS2_reencrypt_locked_recovery_by_vks(struct crypt_device *cd,
+	struct volume_key *vks)
+{
+	uint64_t minimal_size, device_size;
+	int r = -EINVAL;
+	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
+	struct volume_key *vk = NULL;
+
+	log_dbg(cd, "Entering reencryption crash recovery.");
+
+	if (LUKS2_get_data_size(hdr, &minimal_size, NULL))
+		return r;
+
+	if (crypt_use_keyring_for_vk(cd))
+		vk = vks;
+	while (vk) {
+		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, vk, crypt_volume_key_get_id(vk));
+		if (r < 0)
+			goto out;
+		vk = crypt_volume_key_next(vk);
+	}
+
+	if (LUKS2_reencrypt_check_device_size(cd, hdr, minimal_size, &device_size, true, false))
+		goto out;
+
+	r = reencrypt_recovery(cd, hdr, device_size, vks);
+
+out:
+	crypt_drop_keyring_key(cd, vks);
+	return r;
+}
 #endif
 crypt_reencrypt_info LUKS2_reencrypt_get_params(struct luks2_hdr *hdr,
 	struct crypt_params_reencrypt *params)
--- a/lib/luks2/luks2_reencrypt_digest.c
+++ b/lib/luks2/luks2_reencrypt_digest.c
@@ -375,6 +375,22 @@ int LUKS2_keyslot_reencrypt_digest_create(struct crypt_device *cd,
 	return LUKS2_digest_assign(cd, hdr, keyslot_reencrypt, digest_reencrypt, 1, 0);
 }

+void LUKS2_reencrypt_lookup_key_ids(struct crypt_device *cd, struct luks2_hdr *hdr, struct volume_key *vk)
+{
+	int digest_old, digest_new;
+
+	digest_old = LUKS2_reencrypt_digest_old(hdr);
+	digest_new = LUKS2_reencrypt_digest_new(hdr);
+
+	while (vk) {
+		if (digest_old >= 0 && LUKS2_digest_verify_by_digest(cd, digest_old, vk) == digest_old)
+			crypt_volume_key_set_id(vk, digest_old);
+		if (digest_new >= 0 && LUKS2_digest_verify_by_digest(cd, digest_new, vk) == digest_new)
+			crypt_volume_key_set_id(vk, digest_new);
+		vk = vk->next;
+	}
+}
+
 int LUKS2_reencrypt_digest_verify(struct crypt_device *cd,
 	struct luks2_hdr *hdr,
 	struct volume_key *vks)