keyslot_cipher member leaked after existing LUKS2 context reload.
crypt_keyslot_set_encryption may access freed memory if
crypt_keyslot_get_encryption was previously called with
CRYPT_ANY_SLOT parameter.
It's useful to reencrypt only initial device part only.
For example with golden image reencryption it may be useful
to reencrypt only first X bytes of device because we know
the rest of device is empty.
This is very ugly workaround for situation when multiple
devices are being activated in parallel (systemd crypttab)
and system instead of returning ENOMEM use OOM killer
to randomly kill processes.
This flag is intended to be used only in very specific situations.
crypt_drop_keyring_key function allow to drop all keys in keyring
assocatiated with passed volume key list.
crypt_drop_keyring_key_by_description is used to drop independent key.
If passed key matches any existing digest we will not create
new digest but assign the keyslot to already existing one.
Because reencryption should be able to create more than one
keyslot assigned to new key digest.
TODO: Tests for the new feature
When information about original keyslot size is missing (no active
keyslot assigned to default segment) we have to fallback to
default luks2 encryption parameters even though we know default
segment cipher and mode.
Fixes: #442.
This patch makes available LUKS2 per-keyslot encryption settings to user.
In LUKS2, keyslot can use different encryption that data.
We can use new crypt_keyslot_get_encryption and crypt_keyslot_set_encryption
API calls to set/get this encryption.
For cryptsetup new --keyslot-cipher and --keyslot-key-size options are added.
The default keyslot encryption algorithm (if cannot be derived from data encryption)
is now available as configure options (default is aes-xts-plain64 with 512-bits key).
NOTE: default was increased from 256-bits.
Support for multi-segment devices is requirement for online
reencryption to work. Introducing modififed dm backend that
splits data structures describing active device and individual
dm target (or segment).
The new flag is supposed to refresh (reload) active dm-crypt
mapping with new set of activation flags. CRYPT_ACTIVATE_READONLY
can not be switched for already active device.
The flag is silently ignored for tcrypt, verity and integrity
devices. LUKS2 with authenticated encryption support is added in
later commit.
The crypt_set_data_offset sets the data offset for LUKS and LUKS2 devices
to specified value in 512-byte sectors.
This value should replace alignment calculation in LUKS param structures.
Since the kernel 4.18 there is a possibility to speficy external
data device for dm-integrity that stores all integrity tags.
The new option --data-device in integritysetup uses this feature.
