eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-14 12:20:00 +01:00
Code Issues Packages Projects Releases Wiki Activity
4,017 Commits 15 Branches 79 Tags
e1ef5214e788134303c15764ee1ad25b6817c3df
Commit Graph

167 Commits

Author SHA1 Message Date
Milan Broz
5d50617594 Tweak some error messages. 2023-11-29 09:21:01 +01:00
Ondrej Kozina
f623eb2e99 Add more onlyLUKS helpers for convenience. 2023-11-06 14:47:41 +01:00
Ondrej Kozina
6296e8d4f8 Improve debug output for kernel keyring. 
Add more context to possibly failing kernel keyring routines
in log debug output.

Mostly split debug output for errors while trying to search the kernel
key by description and errors while trying to read/unlink the key
by its id.
 2023-09-27 19:37:35 +00:00
Ondrej Kozina
f147c823ea Reduce code duplication in kernel keyring utilities. 2023-09-25 18:59:09 +00:00
Milan Broz
5628de1f65 Fix unused parameter in LUKS2 reencryption handlers. 2023-08-28 12:42:37 +02:00
Milan Broz
e14316f132 Mark unused parameters. 2023-08-28 12:42:37 +02:00
Ondrej Kozina
fd91de82ad Move integrity fields in json_segment_create_crypt segment helper. 
The integrity is optional parameter of dm-crypt segment definition.
Move the low level json code in appropriate json helper.

It will make adding new segment easier. The future hw-opal-crypt
segment will inherit all crypt fields.
 2023-05-29 11:09:04 +02:00
Ondrej Kozina
c81c3d1fc0 Remove unused code in reencryption. 2023-04-19 10:01:51 +02:00
Milan Broz
a617c23ccc Disable reencryption for DAX devices. 
Device-mapper is not capable to stack DAX/non-DAX devices
in mapping table, so online reencryption cannot work.

Fixes: #760
 2023-03-31 10:51:34 +00:00
Milan Broz
a752e571ab reencrypt: fix checking of context name arguments. 2023-03-09 17:06:58 +01:00
Ondrej Kozina
cb177c5076 Improve code clarity a bit. 
It also silences false positive warning with older compilers.
 2023-03-08 15:23:32 +01:00
Ondrej Kozina
4ebc6a1616 Correct error paths in LUKS2 reencryption code path. 2023-03-08 15:23:25 +01:00
Milan Broz
72f799b393 Update Copyright year. 2023-02-09 17:11:18 +01:00
Ondrej Kozina
b0779c6529 Fix --disable-luks2-reencryption configuration option. 2022-11-18 16:40:48 +01:00
Ondrej Kozina
81c56a8395 Move assert include in internal header files. 2022-11-16 16:54:33 +01:00
Milan Broz
f312ba6256 Fix json_object_copy return value check. 
Reported by Coverity scan.
 2022-11-14 13:05:04 +00:00
Milan Broz
82b56300cd Wrap some very long lines. 2022-10-01 22:35:57 +02:00
Ondrej Kozina
01c032df04 Do not reload LUKS2 metadata when not necessary. 
Following API calls trigerred LUKS2 metadata reload
from storage in case of failure:

crypt_convert
crypt_keyslot_add_by_key
crypt_keyslot_add_by_keyfile_device_offset
crypt_keyslot_add_by_passphrase
crypt_keyslot_change_by_passphrase
crypt_reencrypt_init_by_keyring
crypt_reencrypt_init_by_passphrase

This patch replaces LUKS2 metadata reload with
backup LUKS2 metadata copy kept in memory that is updated on
each sucessfull metadata write and rolled back to it whenever
needed in any of those calls listed above.
 2022-08-19 14:46:42 +02:00
Ondrej Kozina
093adfc5f9 Fix user defined moved segment size in LUKS2 decryption. 
--hotzone-size argument was ignored in cases where actual data size
was less than original LUKS2 data offset.
 2022-08-01 07:05:06 +00:00
Ondrej Kozina
25b877a403 Fix bug in reencryption parameters verification. 2022-07-28 07:57:36 +00:00
Ondrej Kozina
13f6dfa61f Add proper version data to reencryption verification digest. 
LUKS2 decryption requires new online-reencrypt version
flag (v3).

The verification digest performs coding
for version suffix in "online-reencrypt-v" flag string
as follows:

'v1' :  unused (no digest)
'v2' :  0x30 + 2   = 0x32 = '2'
'v3' :  0x30 + 3   = 0x33 = '3'
(...)
'v10':  0x30 + 10  = 0x3A = ':'
'v11':  0x30 + 11  = 0x3B = ';'
(...)
'v207': 0x30 + 207 = 0xFF
 2022-07-12 14:03:25 +02:00
Ondrej Kozina
8493f6afd5 Change size of requirement version to 1 byte. 
Mostly due to reencryption verification routine
currently expects only single byte of version
data to create digest from.
 2022-07-12 13:54:24 +02:00
Milan Broz
1a55b69a0f Fix leak of dm target structure. 
The dmd_source need to be cleared with dm_targets_free().
 2022-07-07 09:17:13 +00:00
Milan Broz
4507ced868 Report failure if userspace cannot use specified cipher. 
Reencryption require support both for kernel and userspace library.

If only kernel supports the copher, the error was quiet.
 2022-07-05 15:07:33 +02:00
Ondrej Kozina
47cb9b0ee2 Fix copy&paste mistake in exclusive open comment. 2022-06-27 16:01:50 +02:00
Ondrej Kozina
0ffd105cb8 Harden LUKS2 decryption with datashift parameters. 
Abort early if detached header is passed in API
by any chance.
 2022-06-27 16:01:50 +02:00
Ondrej Kozina
24d498e393 Add debug message in LUKS2 reencryption initialization. 2022-06-27 16:01:50 +02:00
Milan Broz
62a3954c9d Add a debug message after crypt_load in error path. 2022-06-17 19:30:35 +02:00
Ondrej Kozina
c36f9899cf Add support for LUKS2 decryption with datashift. 
Adds support for LUKS2 decryption of devices with a
header put in the head of data device. During the initialization
header is exported to a file and first data segment
is moved to head of data device in place of original header.

The feature introduces several new resilience modes (combination
of existing modes datashift and "checksum" or "journal").
Where datashift resilience mode is applied for data moved towards
the first segment and first segment is decrypted in-place.

The mode is not backward compatible with prior LUKS2 reencryption
and therefor interrupted operation in progress can not be resumed
using older cryptsetup releases.

Fixes: #669.
 2022-06-17 13:48:12 +02:00
Ondrej Kozina
b84132c140 Wrap some long lines. 2022-06-17 13:48:12 +02:00
Ondrej Kozina
f00d897240 Wipe unused area after reencryption with datashift in forward direction. 2022-06-17 13:48:12 +02:00
Ondrej Kozina
369a18cd3b Rename sector size related variables. 2022-06-14 17:11:25 +02:00
Ondrej Kozina
2240e75bb9 Add proper error message for invalid device_size reencryption argument. 2022-06-14 15:31:52 +02:00
Ondrej Kozina
3a4e38736c Rename variable used to store total reencryption data size. 2022-06-14 15:31:52 +02:00
Ondrej Kozina
dff34a1251 Check datashift value against larger sector size. 
For example it could cause an issue if misaligned to 4K sector
size during decryption.
 2022-06-14 15:31:52 +02:00
Ondrej Kozina
c08aa21a93 Move datashift alignment verification to reencrypt_verify_resilience_params. 2022-06-14 15:31:52 +02:00
Ondrej Kozina
cbf82733ae Clarify error message about invalid datashift value. 2022-06-14 15:31:52 +02:00
Ondrej Kozina
75e429b8d1 Simplify LUKS2 sector_size helpers. 2022-06-14 15:31:52 +02:00
Ondrej Kozina
98ca9c61d6 Add new internal state marking resilience type as not set. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
ee5a7d19c9 Simplify reencrypt_update_flag usage due to version support. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
7b4d5fe067 Provide routine for setting LUKS2 requirement with version. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
99a3d328f0 Harden checksum resilience parameters verification. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
e8ec3e1005 Allocate buffer for checksum resilience on-demand. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
007e56727c Refactor reencrypt_recover_segment. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
4de09ace8f Minor code refactoring in reencryption loop. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
97b88d878e Refactor internal reencrypt_hotzone_protect_final. 
Avoid passing whole reencryption context when not
needed.
 2022-06-09 12:03:14 +02:00
Ondrej Kozina
b43ca18c64 Postpone reencryption dm segments refresh. 
Refresh (and therefore suspend hotzone) reencryption dm
segments in-before actual hotzone reencryption takes place.

This commit shortens time window during which hotzone is
suspended. Also it avoids eventual deadlock if reencryption process
triggers page miss during storage wrapper reinitialization and required
data is stored in (previously) suspended hotzone (corner case).
 2022-06-09 12:03:14 +02:00
Ondrej Kozina
582f2c3449 Replace memset with crypt_safe_memzero where reasonable. 
Better safe than sorry.
 2022-06-09 12:03:14 +02:00
Ondrej Kozina
bf0d0203e8 Add routine for erasing resilience structure. 2022-06-09 12:03:14 +02:00
Ondrej Kozina
cfb54be9a3 Refactor reencrypt_length() function. 2022-06-09 12:03:14 +02:00