Move integrity fields in json_segment_create_crypt segment helper.

The integrity is optional parameter of dm-crypt segment definition. Move the low level json code in appropriate json helper. It will make adding new segment easier. The future hw-opal-crypt segment will inherit all crypt fields.
2025-12-05 16:00:05 +01:00 · 2023-04-03 16:39:13 +02:00
parent 926679f7f1
commit fd91de82ad
4 changed files with 31 additions and 21 deletions
--- a/lib/luks2/luks2_internal.h
+++ b/lib/luks2/luks2_internal.h
@@ -302,7 +302,9 @@ unsigned json_segments_count(json_object *jobj_segments);
 void json_segment_remove_flag(json_object *jobj_segment, const char *flag);
 uint64_t json_segments_get_minimal_offset(json_object *jobj_segments, unsigned blockwise);
 json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length, unsigned reencryption);
-json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length, const char *cipher, uint32_t sector_size, unsigned reencryption);
+json_object *json_segment_create_crypt(uint64_t offset, uint64_t iv_offset, const uint64_t *length,
+				       const char *cipher, const char *integrity,
+				       uint32_t sector_size, unsigned reencryption);
 int json_segments_segment_in_reencrypt(json_object *jobj_segments);
 bool json_segment_cmp(json_object *jobj_segment_1, json_object *jobj_segment_2);
 bool json_segment_contains_flag(json_object *jobj_segment, const char *flag_str, size_t len);
--- a/lib/luks2/luks2_json_format.c
+++ b/lib/luks2/luks2_json_format.c
@@ -213,7 +213,7 @@ int LUKS2_generate_hdr(
 	uint64_t metadata_size_bytes,
 	uint64_t keyslots_size_bytes)
 {
-	struct json_object *jobj_segment, *jobj_integrity, *jobj_keyslots, *jobj_segments, *jobj_config;
+	struct json_object *jobj_segment, *jobj_keyslots, *jobj_segments, *jobj_config;
 	char cipher[128];
 	uuid_t partitionUuid;
 	int r, digest;
@@ -293,25 +293,12 @@ int LUKS2_generate_hdr(
 		goto err;
 	}

-	jobj_segment = json_segment_create_crypt(data_offset, 0, NULL, cipher, sector_size, 0);
+	jobj_segment = json_segment_create_crypt(data_offset, 0, NULL, cipher, integrity, sector_size, 0);
 	if (!jobj_segment) {
 		r = -EINVAL;
 		goto err;
 	}

-	if (integrity) {
-		jobj_integrity = json_object_new_object();
-		if (!jobj_integrity) {
-			r = -ENOMEM;
-			goto err;
-		}
-
-		json_object_object_add(jobj_integrity, "type", json_object_new_string(integrity));
-		json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string("none"));
-		json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string("none"));
-		json_object_object_add(jobj_segment, "integrity", jobj_integrity);
-	}
-
 	if (json_object_object_add_by_uint(jobj_segments, 0, jobj_segment)) {
 		json_object_put(jobj_segment);
 		r = -ENOMEM;
--- a/lib/luks2/luks2_reencrypt.c
+++ b/lib/luks2/luks2_reencrypt.c
@@ -296,6 +296,7 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct luks2_hdr *
 						      rh->offset >> SECTOR_SHIFT,
 						      &rh->length,
 						      reencrypt_segment_cipher_new(hdr),
+						      NULL, /* integrity */
 						      reencrypt_get_sector_size_new(hdr),
 						      1);

@@ -351,6 +352,7 @@ static json_object *reencrypt_make_segment_new(struct crypt_device *cd,
 						  crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT),
 						  segment_length,
 						  reencrypt_segment_cipher_new(hdr),
+						  NULL, /* integrity */
 						  reencrypt_get_sector_size_new(hdr), 0);
 	case CRYPT_REENCRYPT_DECRYPT:
 		return json_segment_create_linear(data_offset + segment_offset, segment_length, 0);
@@ -462,6 +464,7 @@ static json_object *reencrypt_make_segment_reencrypt(struct crypt_device *cd,
 				crypt_get_iv_offset(cd) + (iv_offset >> SECTOR_SHIFT),
 				segment_length,
 				reencrypt_segment_cipher_new(hdr),
+			        NULL, /* integrity */
 				reencrypt_get_sector_size_new(hdr), 1);
 	case CRYPT_REENCRYPT_DECRYPT:
 		return json_segment_create_linear(data_offset + segment_offset, segment_length, 1);
@@ -486,6 +489,7 @@ static json_object *reencrypt_make_segment_old(struct crypt_device *cd,
 						    crypt_get_iv_offset(cd) + (segment_offset >> SECTOR_SHIFT),
 						    segment_length,
 						    reencrypt_segment_cipher_old(hdr),
+						    NULL, /* integrity */
 						    reencrypt_get_sector_size_old(hdr),
 						    0);
 		break;
@@ -2008,7 +2012,7 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 	r = -EINVAL;
 	jobj_segment_first = json_segment_create_crypt(0, crypt_get_iv_offset(cd),
 				&moved_segment_length, crypt_get_cipher_spec(cd),
-				crypt_get_sector_size(cd), 0);
+				NULL, crypt_get_sector_size(cd), 0);

 	if (!jobj_segment_first) {
 		log_dbg(cd, "Failed generate 1st segment.");
@@ -2024,6 +2028,7 @@ static int reencrypt_set_decrypt_shift_segments(struct crypt_device *cd,
 								crypt_get_iv_offset(cd) + (moved_segment_length >> SECTOR_SHIFT),
 								NULL,
 								crypt_get_cipher_spec(cd),
+								NULL, /* integrity */
 								crypt_get_sector_size(cd), 0);
 		if (!jobj_segment_second) {
 			r = -EINVAL;
@@ -2513,6 +2518,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 						json_segment_get_iv_offset(jobj_tmp),
 						device_size ? &device_size : NULL,
 						json_segment_get_cipher(jobj_tmp),
+						NULL, /* integrity */
 						json_segment_get_sector_size(jobj_tmp),
 						0);
 		} else {
@@ -2559,7 +2565,7 @@ static int reencrypt_make_backup_segments(struct crypt_device *cd,
 		}
 		jobj_segment_new = json_segment_create_crypt(segment_offset,
 							crypt_get_iv_offset(cd),
-							NULL, cipher, sector_size, 0);
+							NULL, cipher, NULL, sector_size, 0);
 	} else if (params->mode == CRYPT_REENCRYPT_DECRYPT) {
 		segment_offset = data_offset;
 		if (modify_offset(&segment_offset, data_shift, params->direction)) {
--- a/lib/luks2/luks2_segment.c
+++ b/lib/luks2/luks2_segment.c
@@ -247,16 +247,31 @@ json_object *json_segment_create_linear(uint64_t offset, const uint64_t *length,

 json_object *json_segment_create_crypt(uint64_t offset,
 				  uint64_t iv_offset, const uint64_t *length,
-				  const char *cipher, uint32_t sector_size,
-				  unsigned reencryption)
+				  const char *cipher, const char *integrity,
+				  uint32_t sector_size, unsigned reencryption)
 {
-	json_object *jobj = _segment_create_generic("crypt", offset, length);
+	json_object *jobj_integrity, *jobj = _segment_create_generic("crypt", offset, length);
+
 	if (!jobj)
 		return NULL;

 	json_object_object_add(jobj, "iv_tweak",	crypt_jobj_new_uint64(iv_offset));
 	json_object_object_add(jobj, "encryption",	json_object_new_string(cipher));
 	json_object_object_add(jobj, "sector_size",	json_object_new_int(sector_size));
+
+	if (integrity) {
+		jobj_integrity = json_object_new_object();
+		if (!jobj_integrity) {
+			json_object_put(jobj);
+			return NULL;
+		}
+
+		json_object_object_add(jobj_integrity, "type", json_object_new_string(integrity));
+		json_object_object_add(jobj_integrity, "journal_encryption", json_object_new_string("none"));
+		json_object_object_add(jobj_integrity, "journal_integrity", json_object_new_string("none"));
+		json_object_object_add(jobj, "integrity", jobj_integrity);
+	}
+
 	if (reencryption)
 		LUKS2_segment_set_flag(jobj, "in-reencryption");