Do not upload vk in keyring for cipher_null segment.

It does not make sense to upload volume keys in kernel keyring if segment cipher is cipher_null. The real volume_key is thrown away and replaced with empty key anyway.
2025-12-05 16:00:05 +01:00 · 2021-02-11 11:15:20 +01:00
parent 03cc8a9ce4
commit bc7511762f
2 changed files with 23 additions and 5 deletions
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -476,6 +476,7 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,
 	uint32_t flags,
 	void *usrptr)
 {
+	bool use_keyring;
 	int keyslot, r;
 	char *buffer;
 	size_t buffer_len;
@@ -497,7 +498,13 @@ int LUKS2_token_open_and_activate(struct crypt_device *cd,

 	keyslot = r;

-	if ((name || (flags & CRYPT_ACTIVATE_KEYRING_KEY)) && crypt_use_keyring_for_vk(cd)) {
+	if (!crypt_use_keyring_for_vk(cd))
+		use_keyring = false;
+	else
+		use_keyring = ((name && !crypt_is_cipher_null(crypt_get_cipher(cd))) ||
+			       (flags & CRYPT_ACTIVATE_KEYRING_KEY));
+
+	if (use_keyring) {
 		if (!(r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd, hdr, vk, keyslot)))
 			flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 	}
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -3909,6 +3909,7 @@ static int _open_and_activate(struct crypt_device *cd,
 	size_t passphrase_size,
 	uint32_t flags)
 {
+	bool use_keyring;
 	int r;
 	struct volume_key *vk = NULL;

@@ -3920,8 +3921,13 @@ static int _open_and_activate(struct crypt_device *cd,
 		return r;
 	keyslot = r;

-	if ((name || (flags & CRYPT_ACTIVATE_KEYRING_KEY)) &&
-	    crypt_use_keyring_for_vk(cd)) {
+	if (!crypt_use_keyring_for_vk(cd))
+		use_keyring = false;
+	else
+		use_keyring = ((name && !crypt_is_cipher_null(crypt_get_cipher(cd))) ||
+			       (flags & CRYPT_ACTIVATE_KEYRING_KEY));
+
+	if (use_keyring) {
 		r = LUKS2_volume_key_load_in_keyring_by_keyslot(cd,
 				&cd->u.luks2.hdr, vk, keyslot);
 		if (r < 0)
@@ -4304,6 +4310,7 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
 	size_t volume_key_size,
 	uint32_t flags)
 {
+	bool use_keyring;
 	struct volume_key *vk = NULL;
 	int r;

@@ -4379,8 +4386,12 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
 		if (r > 0)
 			r = 0;

-		if (!r && (name || (flags & CRYPT_ACTIVATE_KEYRING_KEY)) &&
-		    crypt_use_keyring_for_vk(cd)) {
+		if (!crypt_use_keyring_for_vk(cd))
+			use_keyring = false;
+		else
+			use_keyring = (name && !crypt_is_cipher_null(crypt_get_cipher(cd))) || (flags & CRYPT_ACTIVATE_KEYRING_KEY);
+
+		if (!r && use_keyring) {
 			r = LUKS2_key_description_by_segment(cd,
 				&cd->u.luks2.hdr, vk, CRYPT_DEFAULT_SEGMENT);
 			if (!r)