Do not allow dangerous sector size change during reencryption.

By changing encryption sector size during reencryption we may increase effective logical block size for dm-crypt active device. For example if hosted filesystem on encrypted data device has block size set to 512 bytes and we increase dm-crypt logical size durign reencryption to 4096 bytes it breaks the filesystem. Do not allow encryption sector size to be increased over value provided by fs superblock in BLOCK_SIZE property. The check is applied while initialising LUKS2 device encryption (reencrypt --encrypt/--new) or when initialising LUKS2 reencryption on active dm-crypt device. Note that this check cannot be applied on offline device (data device is encrypted).
2026-01-06 07:25:29 +01:00 · 2022-04-13 12:33:43 +02:00
parent 38d1f01b12
commit c9da460b6c
4 changed files with 101 additions and 6 deletions
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -50,6 +50,7 @@ EXTRA_DIST = compatimage.img.xz compatv10image.img.xz \
 	conversion_imgs.tar.xz \
 	luks2_keyslot_unassigned.img.xz \
 	img_fs_ext4.img.xz img_fs_vfat.img.xz img_fs_xfs.img.xz \
+	xfs_512_block_size.img.xz \
 	valid_header_file.xz \
 	luks2_valid_hdr.img.xz \
 	luks2_header_requirements.xz \
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -19,6 +19,7 @@ DEV_NAME2=reenc97682
 IMG=reenc-data
 IMG_HDR=$IMG.hdr
 HEADER_LUKS2_PV=blkid-luks2-pv.img
+IMG_FS=xfs_512_block_size.img
 KEY1=key1
 VKEY1=vkey1
 PWD1="93R4P4pIqAH8"
@@ -99,7 +100,7 @@ function remove_mapping()
 	[ -b /dev/mapper/$OVRDEV-err ] && dmsetup remove --retry $OVRDEV-err 2>/dev/null
 	[ -n "$LOOPDEV" ] && losetup -d $LOOPDEV
 	unset LOOPDEV
-	rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK $HEADER_LUKS2_PV >/dev/null 2>&1
+	rm -f $IMG $IMG_HDR $KEY1 $VKEY1 $DEVBIG $DEV_LINK $HEADER_LUKS2_PV $IMG_FS >/dev/null 2>&1
 	rmmod scsi_debug >/dev/null 2>&1
 	scsi_debug_teardown $DEV
 }
@@ -717,6 +718,11 @@ function valgrind_run()
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }

+function bin_check()
+{
+	command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
+}
+
 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
 fips_mode && skip "This test cannot be run in FIPS mode."
@@ -1724,5 +1730,37 @@ $CRYPTSETUP isLuks $HEADER_LUKS2_PV && fail
 echo $PWD1 | $CRYPTSETUP reencrypt -q --header $IMG_HDR $HEADER_LUKS2_PV $FAST_PBKDF_ARGON --encrypt --force-offline-reencrypt --type luks2 2>/dev/null && fail
 test -f $IMG_HDR && fail

+echo "[31] Prevent dangerous sector size increase"
+bin_check blkid
+preparebig 64
+xz -dk $IMG_FS.xz
+blkid $IMG_FS | grep -q BLOCK_SIZE && BLKID_BLOCK_SIZE_SUPPORT=1
+if [ -n "$DM_SECTOR_SIZE" -a -n "$BLKID_BLOCK_SIZE_SUPPORT" ]; then
+	# encryption checks must work in offline mode
+	echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --header $IMG_HDR $IMG_FS $FAST_PBKDF_ARGON --init-only --type luks2 2>/dev/null && fail
+	test -f $IMG_HDR && fail
+
+	echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --header $IMG_HDR $IMG_FS $FAST_PBKDF_ARGON --type luks2 2>/dev/null && fail
+	test -f $IMG_HDR && fail
+
+	echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --reduce-device-size 8m $IMG_FS $FAST_PBKDF_ARGON --init-only --type luks2 2>/dev/null && fail
+	$CRYPTSETUP isLuks $IMG_FS && fail
+	echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --force-offline-reencrypt --sector-size 1024 -q --reduce-device-size 8m $IMG_FS $FAST_PBKDF_ARGON --type luks2 2>/dev/null && fail
+	$CRYPTSETUP isLuks $IMG_FS && fail
+
+	echo $PWD1 | $CRYPTSETUP luksFormat -q --sector-size 512 --type luks2 $FAST_PBKDF_ARGON $DEV || fail
+	echo $PWD1 | $CRYPTSETUP open -q $DEV $DEV_NAME || fail
+	dd if=$IMG_FS of=/dev/mapper/$DEV_NAME bs=1M >/dev/null 2>&1
+
+	echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail
+	$CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" && fail
+	echo $PWD1 | $CRYPTSETUP reencrypt --init-only -q --sector-size 1024 --active-name $DEV_NAME $FAST_PBKDF_ARGON 2>/dev/null && fail
+	$CRYPTSETUP status $DEV_NAME | grep -q "reencryption:  in-progress" && fail
+	echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 $FAST_PBKDF_ARGON $DEV 2>/dev/null && fail
+	$CRYPTSETUP luksDump $DEV | grep -q "sector: 512" || fail
+	echo $PWD1 | $CRYPTSETUP reencrypt -q --sector-size 1024 --active-name $DEV_NAME $FAST_PBKDF_ARGON 2>/dev/null && fail
+	$CRYPTSETUP luksDump $DEV | grep -q "sector: 512" || fail
+fi
+
 remove_mapping
 exit 0
--- a/tests/xfs_512_block_size.img.xz
+++ b/tests/xfs_512_block_size.img.xz