eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-10 18:30:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

Properly align LUKS2 keyslots area on conversion.

Browse Source 
If LUKS1 payload offset (data offset) is not aligned to
4KiB we create unaligned keyslots area in LUKS2 metadata
during upconversion. Unaligned keyslots area is not valid
from LUKS2 perspective. Fix it by properly aligning future
keyslots area and also check if LUKS1 keyslots area fit
in the new one.

Fixes: #534.
This commit is contained in:
Ondrej Kozina
2020-02-14 13:38:40 +01:00
committed by Milan Broz
parent d4f4dfb54f
commit ba6e6f051a
2 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/luks2/luks2_luks1_convert.c
View File

@@ -402,6 +402,7 @@ static int json_luks1_object(struct luks_phdr *hdr_v1, struct json_object **luks
json_size = LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN; json_size = LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN;
json_object_object_add(field, "json_size", json_object_new_uint64(json_size)); json_object_object_add(field, "json_size", json_object_new_uint64(json_size));
keyslots_size -= (keyslots_size % 4096);
json_object_object_add(field, "keyslots_size", json_object_new_uint64(keyslots_size)); json_object_object_add(field, "keyslots_size", json_object_new_uint64(keyslots_size));
*luks1_object = luks1_obj; *luks1_object = luks1_obj;
@@ -591,6 +592,14 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
// move keyslots 4k -> 32k offset // move keyslots 4k -> 32k offset
buf_offset = 2 * LUKS2_HDR_16K_LEN; buf_offset = 2 * LUKS2_HDR_16K_LEN;
buf_size = luks1_size - LUKS_ALIGN_KEYSLOTS; buf_size = luks1_size - LUKS_ALIGN_KEYSLOTS;
/* check future LUKS2 keyslots area is at least as large as LUKS1 keyslots area */
if (buf_size > LUKS2_keyslots_size(hdr2->jobj)) {
log_err(cd, _("Unable to move keyslot area. LUKS2 keyslots area too small."));
r = -EINVAL;
goto out;
}
if ((r = move_keyslot_areas(cd, 8 * SECTOR_SIZE, buf_offset, buf_size)) < 0) { if ((r = move_keyslot_areas(cd, 8 * SECTOR_SIZE, buf_offset, buf_size)) < 0) {
log_err(cd, _("Unable to move keyslot area.")); log_err(cd, _("Unable to move keyslot area."));
goto out; goto out;

6
tests/compat-test2
View File

@@ -754,6 +754,12 @@ $CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 1024 $LOOPDEV $KEY5 || fail $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 --sector-size 1024 $LOOPDEV $KEY5 || fail
$CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail $CRYPTSETUP -q convert --type luks1 $LOOPDEV >/dev/null 2>&1 && fail
# create LUKS1 with data offset not aligned to 4KiB
$CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV $KEY5 --align-payload 4097 || fail
$CRYPTSETUP -q convert --type luks2 $LOOPDEV || fail
$CRYPTSETUP isLuks --type luks2 $LOOPDEV || fail
$CRYPTSETUP luksOpen $LOOPDEV --test-passphrase --key-slot 0 -d $KEY5 || fail
if dm_crypt_keyring_flawed; then if dm_crypt_keyring_flawed; then
prepare "[32a] LUKS2 keyring dm-crypt bug" wipe prepare "[32a] LUKS2 keyring dm-crypt bug" wipe
echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail echo $PWD1 | $CRYPTSETUP luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --header $HEADER_IMG || fail