Version 2.2.2.

Stable libdevampper used changed name for dm task, let's fix it.

AUTHORS

@@ -1,3 +1,4 @@
 Jana Saout <jana@saout.de>
 Clemens Fruhwirth <clemens@endorphin.org>
 Milan Broz <gmazyland@gmail.com>
+Ondrej Kozina <okozina@redhat.com>

Makefile.am

@@ -15,6 +15,8 @@ AM_CPPFLAGS = \
 AM_CFLAGS = -Wall
 AM_LDFLAGS =
 
+LDADD = $(LTLIBINTL) -lm
+
 tmpfilesddir = @DEFAULT_TMPFILESDIR@
 
 noinst_LTLIBRARIES =

README.md

@@ -44,55 +44,22 @@ Download
 --------
 All release tarballs and release notes are hosted on [kernel.org](https://www.kernel.org/pub/linux/utils/cryptsetup/).
 
-**The latest cryptsetup version is 2.2.0**
-  * [cryptsetup-2.2.0.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.0.tar.xz)
-  * Signature [cryptsetup-2.2.0.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.0.tar.sign)
+**The latest cryptsetup version is 2.2.1**
+  * [cryptsetup-2.2.1.tar.xz](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.1.tar.xz)
+  * Signature [cryptsetup-2.2.1.tar.sign](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.1.tar.sign)
     _(You need to decompress file first to check signature.)_
-  * [Cryptsetup 2.2.0 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/v2.2.0-ReleaseNotes).
+  * [Cryptsetup 2.2.1 Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/v2.2.1-ReleaseNotes).
 
 Previous versions
- * [Version 2.1.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.1/cryptsetup-2.1.0.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.1/cryptsetup-2.1.0.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.1/v2.1.0-ReleaseNotes).
+ * [Version 2.2.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.0.tar.xz) -
+   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/cryptsetup-2.2.0.tar.sign) -
+   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.2/v2.2.0-ReleaseNotes).
  * [Version 2.0.6](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.xz) -
    [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.6.tar.sign) -
    [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.6-ReleaseNotes).
- * [Version 2.0.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.5.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.5.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.5-ReleaseNotes).
- * [Version 2.0.4](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.4.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.4.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.4-ReleaseNotes).
- * [Version 2.0.3](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.3.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.3.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.3-ReleaseNotes).
- * [Version 2.0.2](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.2.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.2.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.2-ReleaseNotes).
- * [Version 2.0.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.1.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.1.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.1-ReleaseNotes).
- * [Version 2.0.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.0.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/cryptsetup-2.0.0.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes).
  * [Version 1.7.5](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.xz) -
    [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.5.tar.sign) -
    [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.5-ReleaseNotes).
- * [Version 1.7.4](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.4.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.4.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.4-ReleaseNotes).
- * [Version 1.7.3](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.3.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.3-ReleaseNotes).
- * [Version 1.7.2](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.2-ReleaseNotes).
- * [Version 1.7.1](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.1.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.1.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.1-ReleaseNotes).
- * [Version 1.7.0](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.0.tar.xz) -
-   [Signature](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.0.tar.sign) -
-   [Release Notes](https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/v1.7.0-ReleaseNotes).
 
 Source and API docs
 -------------------

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ([2.67])
-AC_INIT([cryptsetup],[2.2.1])
+AC_INIT([cryptsetup],[2.2.2])
 
 dnl library version from <major>.<minor>.<release>[-<suffix>]
 LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
@@ -348,6 +348,7 @@ AC_CHECK_DECLS([dm_task_retry_remove], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([dm_task_deferred_remove], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([dm_device_has_mounted_fs], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([dm_device_has_holders], [], [], [#include <libdevmapper.h>])
+AC_CHECK_DECLS([DM_DEVICE_GET_TARGET_VERSION], [], [], [#include <libdevmapper.h>])
 AC_CHECK_DECLS([DM_UDEV_DISABLE_DISK_RULES_FLAG], [have_cookie=yes], [have_cookie=no], [#include <libdevmapper.h>])
 if test "x$enable_udev" = xyes; then
 	if test "x$have_cookie" = xno; then

docs/v2.2.2-ReleaseNotes

@@ -0,0 +1,56 @@
+Cryptsetup 2.2.2 Release Notes
+==============================
+Stable bug-fix release.
+
+All users of cryptsetup 2.1 and 2.2 should upgrade to this version.
+
+Changes since version 2.2.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* Print error message if a keyslot open failed for a different reason
+  than wrong passwords (for example there is not enough memory).
+  Only an exit code was present in this case.
+
+* The progress function switches unit sizes (B/s to GiB/s) according
+  to the actual speed. Also, it properly calculates speed in the case
+  of a resumed reencryption operation.
+
+* The --version now supports short -V short option and better handles
+  common option priorities.
+
+* If cryptsetup wipes signatures during format actions through blkid,
+  it also prints signature device offsets.
+
+* Compilation now properly uses LTLIBINTL gettext setting in Makefiles.
+
+* Device-mapper backend now supports new DM_GET_TARGET_VERSION ioctl
+  (available since Linux kernel 5.4).
+  This should help to detect some kernel/userspace incompatibilities
+  earlier later after a failed device activation.
+
+* Fixes LUKS2 reencryption on systems without kernel keyring.
+
+* Fixes unlocking prompt for partitions mapped through loop devices
+  (to properly show the backing device).
+
+* For LUKS2 decryption, a device is now marked for deferred removal
+  to be automatically deactivated.
+
+* Reencryption now limits hotzone size to be maximal 1 GiB or 1/4
+  system memory (if lower).
+
+* Reencryption now retains activation flags during online reencryption.
+
+* Reencryption now allows LUKS2 device to activate device right after
+  LUKS2 encryption is initialized through optional active device name
+  for cryptsetup reencrypt --encrypt command.
+  This could help with automated encryption during boot.
+
+  NOTE: It means that part of the device is still not encrypted during
+  activation. Use with care!
+
+* Fixes failure in resize and plain format activation if activated device
+  size was not aligned to underlying logical device size.
+
+* Fixes conversion to LUKS2 format with detached header if a detached
+  header size was smaller than the expected aligned LUKS1 header size.

lib/libdevmapper.c

@@ -221,6 +221,39 @@ static void _dm_set_integrity_compat(struct crypt_device *cd,
 	_dm_integrity_checked = true;
 }
 
+/* We use this for loading target module */
+static void _dm_check_target(dm_target_type target_type)
+{
+#if HAVE_DECL_DM_DEVICE_GET_TARGET_VERSION
+	struct dm_task *dmt;
+	const char *target_name = NULL;
+
+	if (!(_dm_flags & DM_GET_TARGET_VERSION_SUPPORTED))
+		return;
+
+	if (target_type == DM_CRYPT)
+		target_name = DM_CRYPT_TARGET;
+	else if (target_type == DM_VERITY)
+		target_name = DM_VERITY_TARGET;
+	else if (target_type == DM_INTEGRITY)
+		target_name = DM_INTEGRITY_TARGET;
+	else
+		return;
+
+	if (!(dmt = dm_task_create(DM_DEVICE_GET_TARGET_VERSION)))
+		goto out;
+
+	if (!dm_task_set_name(dmt, target_name))
+		goto out;
+
+	if (!dm_task_run(dmt))
+		goto out;
+out:
+	if (dmt)
+		dm_task_destroy(dmt);
+#endif
+}
+
 static int _dm_check_versions(struct crypt_device *cd, dm_target_type target_type)
 {
 	struct dm_task *dmt;
@@ -239,6 +272,8 @@ static int _dm_check_versions(struct crypt_device *cd, dm_target_type target_typ
 	/* Shut up DM while checking */
 	_quiet_log = 1;
 
+	_dm_check_target(target_type);
+
 	/* FIXME: add support to DM so it forces crypt target module load here */
 	if (!(dmt = dm_task_create(DM_DEVICE_LIST_VERSIONS)))
 		goto out;
@@ -259,6 +294,10 @@ static int _dm_check_versions(struct crypt_device *cd, dm_target_type target_typ
 #if HAVE_DECL_DM_TASK_DEFERRED_REMOVE
 		if (_dm_satisfies_version(4, 27, 0, dm_maj, dm_min, dm_patch))
 			_dm_flags |= DM_DEFERRED_SUPPORTED;
+#endif
+#if HAVE_DECL_DM_DEVICE_GET_TARGET_VERSION
+		if (_dm_satisfies_version(4, 41, 0, dm_maj, dm_min, dm_patch))
+			_dm_flags |= DM_GET_TARGET_VERSION_SUPPORTED;
 #endif
 	}
 

lib/luks2/luks2.h

@@ -55,6 +55,9 @@
 /* 20 MiBs */
 #define LUKS2_DEFAULT_NONE_REENCRYPTION_LENGTH 0x1400000
 
+/* 1 GiB */
+#define LUKS2_REENCRYPT_MAX_HOTZONE_LENGTH 0x40000000
+
 struct device;
 
 /*
@@ -162,6 +165,7 @@ struct luks2_reenc_context {
 	char *device_name;
 	char *hotzone_name;
 	char *overlay_name;
+	uint32_t flags;
 
 	/* reencryption window persistence attributes */
 	struct reenc_protection rp;

lib/luks2/luks2_keyslot.c

@@ -547,6 +547,11 @@ out:
 	if (r < 0) {
 		crypt_free_volume_key(*vks);
 		*vks = NULL;
+
+		if (r == -ENOMEM)
+			log_err(cd, _("Not enough available memory to open a keyslot."));
+		else if (r != -EPERM)
+			log_err(cd, _("Keyslot open failed."));
 	}
 	return r;
 }
@@ -579,6 +584,13 @@ int LUKS2_keyslot_open(struct crypt_device *cd,
 	} else
 		r = LUKS2_open_and_verify(cd, hdr, keyslot, segment, password, password_len, vk);
 
+	if (r < 0) {
+		if (r == -ENOMEM)
+			log_err(cd, _("Not enough available memory to open a keyslot."));
+		else if (r != -EPERM)
+			log_err(cd, _("Keyslot open failed."));
+	}
+
 	return r;
 }
 

lib/luks2/luks2_luks1_convert.c

@@ -518,7 +518,7 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 	int r;
 	json_object *jobj = NULL;
 	size_t buf_size, buf_offset, luks1_size, luks1_shift = 2 * LUKS2_HDR_16K_LEN - LUKS_ALIGN_KEYSLOTS;
-	uint64_t max_size = crypt_get_data_offset(cd) * SECTOR_SIZE;
+	uint64_t required_size, max_size = crypt_get_data_offset(cd) * SECTOR_SIZE;
 
 	/* for detached headers max size == device size */
 	if (!max_size && (r = device_size(crypt_metadata_device(cd), &max_size)))
@@ -539,11 +539,18 @@ int LUKS2_luks1_to_luks2(struct crypt_device *cd, struct luks_phdr *hdr1, struct
 
 	log_dbg(cd, "Max size: %" PRIu64 ", LUKS1 (full) header size %zu , required shift: %zu",
 		max_size, luks1_size, luks1_shift);
-	if ((max_size - luks1_size) < luks1_shift) {
+
+	required_size = luks1_size + luks1_shift;
+
+	if ((max_size < required_size) &&
+	    device_fallocate(crypt_metadata_device(cd), required_size)) {
 		log_err(cd, _("Unable to move keyslot area. Not enough space."));
 		return -EINVAL;
 	}
 
+	if (max_size < required_size)
+		max_size = required_size;
+
 	r = json_luks1_object(hdr1, &jobj, max_size - 2 * LUKS2_HDR_16K_LEN);
 	if (r < 0)
 		return r;

lib/luks2/luks2_reencrypt.c

@@ -824,7 +824,7 @@ static uint64_t reencrypt_length(struct crypt_device *cd,
 		uint64_t length_max)
 {
 	unsigned long dummy, optimal_alignment;
-	uint64_t length;
+	uint64_t length, soft_mem_limit;
 
 	if (rh->rp.type == REENC_PROTECTION_NONE)
 		length = length_max ?: LUKS2_DEFAULT_NONE_REENCRYPTION_LENGTH;
@@ -835,6 +835,16 @@ static uint64_t reencrypt_length(struct crypt_device *cd,
 	else
 		length = keyslot_area_length;
 
+	/* hard limit */
+	if (length > LUKS2_REENCRYPT_MAX_HOTZONE_LENGTH)
+		length = LUKS2_REENCRYPT_MAX_HOTZONE_LENGTH;
+
+	/* soft limit is 1/4 of system memory */
+	soft_mem_limit = crypt_getphysmemory_kb() << 8; /* multiply by (1024/4) */
+
+	if (soft_mem_limit && length > soft_mem_limit)
+		length = soft_mem_limit;
+
 	if (length_max && length > length_max)
 		length = length_max;
 
@@ -940,6 +950,11 @@ static int reencrypt_context_init(struct crypt_device *cd, struct luks2_hdr *hdr
 		rh->fixed_length = false;
 
 	rh->length = reencrypt_length(cd, hdr, rh, area_length, params->max_hotzone_size << SECTOR_SHIFT);
+	if (!rh->length) {
+		log_dbg(cd, "Invalid reencryption length.");
+		return -EINVAL;
+	}
+
 	if (reencrypt_offset(hdr, rh->direction, device_size, &rh->length, &rh->offset)) {
 		log_dbg(cd, "Failed to get reencryption offset.");
 		return -EINVAL;
@@ -1777,14 +1792,15 @@ out:
  * 	2) can't we derive hotzone device name from crypt context? (unlocked name, device uuid, etc?)
  */
 static int reencrypt_load_overlay_device(struct crypt_device *cd, struct luks2_hdr *hdr,
-	const char *overlay, const char *hotzone, struct volume_key *vks, uint64_t size)
+	const char *overlay, const char *hotzone, struct volume_key *vks, uint64_t size,
+	uint32_t flags)
 {
 	char hz_path[PATH_MAX];
 	int r;
 
 	struct device *hz_dev = NULL;
 	struct crypt_dm_active_device dmd = {
-		.flags = CRYPT_ACTIVATE_KEYRING_KEY,
+		.flags = flags,
 	};
 
 	log_dbg(cd, "Loading new table for overlay device %s.", overlay);
@@ -1868,15 +1884,12 @@ err:
 }
 
 static int reencrypt_swap_backing_device(struct crypt_device *cd, const char *name,
-			      const char *new_backend_name, uint32_t flags)
+			      const char *new_backend_name)
 {
 	int r;
 	struct device *overlay_dev = NULL;
 	char overlay_path[PATH_MAX] = { 0 };
-
-	struct crypt_dm_active_device dmd = {
-		.flags = flags,
-	};
+	struct crypt_dm_active_device dmd = {};
 
 	log_dbg(cd, "Redirecting %s mapping to new backing device: %s.", name, new_backend_name);
 
@@ -1902,7 +1915,7 @@ static int reencrypt_swap_backing_device(struct crypt_device *cd, const char *na
 	r = dm_reload_device(cd, name, &dmd, 0, 0);
 	if (!r) {
 		log_dbg(cd, "Resuming device %s", name);
-		r = dm_resume_device(cd, name, dmd.flags);
+		r = dm_resume_device(cd, name, DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH);
 	}
 
 out:
@@ -1971,7 +1984,7 @@ static int reencrypt_init_device_stack(struct crypt_device *cd,
 	}
 
 	/* swap origin mapping to overlay device */
-	r = reencrypt_swap_backing_device(cd, rh->device_name, rh->overlay_name, CRYPT_ACTIVATE_KEYRING_KEY);
+	r = reencrypt_swap_backing_device(cd, rh->device_name, rh->overlay_name);
 	if (r) {
 		log_err(cd, _("Failed to load new mapping for device %s."), rh->device_name);
 		goto err;
@@ -2033,9 +2046,10 @@ static int reencrypt_refresh_overlay_devices(struct crypt_device *cd,
 		const char *overlay,
 		const char *hotzone,
 		struct volume_key *vks,
-		uint64_t device_size)
+		uint64_t device_size,
+		uint32_t flags)
 {
-	int r = reencrypt_load_overlay_device(cd, hdr, overlay, hotzone, vks, device_size);
+	int r = reencrypt_load_overlay_device(cd, hdr, overlay, hotzone, vks, device_size, flags);
 	if (r) {
 		log_err(cd, _("Failed to reload device %s."), overlay);
 		return REENC_ERR;
@@ -2223,8 +2237,9 @@ static int reencrypt_verify_and_upload_keys(struct crypt_device *cd, struct luks
 		else {
 			if (LUKS2_digest_verify_by_digest(cd, hdr, digest_new, vk) != digest_new)
 				return -EINVAL;
-			r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
-			if (r)
+
+			if (crypt_use_keyring_for_vk(cd) &&
+			    (r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk))))
 				return r;
 		}
 	}
@@ -2239,8 +2254,8 @@ static int reencrypt_verify_and_upload_keys(struct crypt_device *cd, struct luks
 				r = -EINVAL;
 				goto err;
 			}
-			r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
-			if (r)
+			if (crypt_use_keyring_for_vk(cd) &&
+			    (r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk))))
 				goto err;
 		}
 	}
@@ -2637,6 +2652,7 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 	uint64_t minimal_size, device_size, mapping_size = 0, required_size = 0;
 	bool dynamic;
 	struct crypt_params_reencrypt rparams = {};
+	uint32_t flags = 0;
 
 	if (params) {
 		rparams = *params;
@@ -2693,6 +2709,7 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 				    DM_ACTIVE_CRYPT_CIPHER, &dmd_target);
 		if (r < 0)
 			goto err;
+		flags = dmd_target.flags;
 
 		r = LUKS2_assembly_multisegment_dmd(cd, hdr, *vks, LUKS2_get_segments_jobj(hdr), &dmd_source);
 		if (!r) {
@@ -2767,6 +2784,8 @@ static int reencrypt_load_by_passphrase(struct crypt_device *cd,
 		}
 	}
 
+	rh->flags = flags;
+
 	MOVE_REF(rh->vks, *vks);
 	MOVE_REF(rh->reenc_lock, reencrypt_lock);
 
@@ -2968,7 +2987,7 @@ static reenc_status_t reencrypt_step(struct crypt_device *cd,
 	}
 
 	if (online) {
-		r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name, rh->vks, rh->device_size);
+		r = reencrypt_refresh_overlay_devices(cd, hdr, rh->overlay_name, rh->hotzone_name, rh->vks, rh->device_size, rh->flags);
 		/* Teardown overlay devices with dm-error. None bio shall pass! */
 		if (r != REENC_OK)
 			return r;
@@ -3092,6 +3111,7 @@ static int reencrypt_wipe_moved_segment(struct crypt_device *cd, struct luks2_hd
 static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr, struct luks2_reenc_context *rh)
 {
 	int i, r;
+	uint32_t dmt_flags;
 	bool finished = !(rh->device_size > rh->progress);
 
 	if (rh->rp.type == REENC_PROTECTION_NONE &&
@@ -3101,16 +3121,20 @@ static int reencrypt_teardown_ok(struct crypt_device *cd, struct luks2_hdr *hdr,
 	}
 
 	if (rh->online) {
-		r = LUKS2_reload(cd, rh->device_name, rh->vks, rh->device_size, CRYPT_ACTIVATE_KEYRING_KEY | CRYPT_ACTIVATE_SHARED);
+		r = LUKS2_reload(cd, rh->device_name, rh->vks, rh->device_size, rh->flags);
 		if (r)
 			log_err(cd, _("Failed to reload device %s."), rh->device_name);
 		if (!r) {
-			r = dm_resume_device(cd, rh->device_name, 0);
+			r = dm_resume_device(cd, rh->device_name, DM_SUSPEND_SKIP_LOCKFS | DM_SUSPEND_NOFLUSH);
 			if (r)
 				log_err(cd, _("Failed to resume device %s."), rh->device_name);
 		}
 		dm_remove_device(cd, rh->overlay_name, 0);
 		dm_remove_device(cd, rh->hotzone_name, 0);
+
+		if (!r && finished && rh->mode == CRYPT_REENCRYPT_DECRYPT &&
+		    !dm_flags(cd, DM_LINEAR, &dmt_flags) && (dmt_flags & DM_DEFERRED_SUPPORTED))
+		    dm_remove_device(cd, rh->device_name, CRYPT_DEACTIVATE_DEFERRED);
 	}
 
 	if (finished) {
@@ -3342,7 +3366,7 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 	uint64_t minimal_size, device_size;
 	int keyslot, r = -EINVAL;
 	struct luks2_hdr *hdr = crypt_get_hdr(cd, CRYPT_LUKS2);
-	struct volume_key *vk, *_vks = NULL;
+	struct volume_key *vk = NULL, *_vks = NULL;
 
 	log_dbg(cd, "Entering reencryption crash recovery.");
 
@@ -3355,7 +3379,9 @@ int LUKS2_reencrypt_locked_recovery_by_passphrase(struct crypt_device *cd,
 		goto err;
 	keyslot = r;
 
-	vk = _vks;
+	if (crypt_use_keyring_for_vk(cd))
+		vk = _vks;
+
 	while (vk) {
 		r = LUKS2_volume_key_load_in_keyring_by_digest(cd, hdr, vk, crypt_volume_key_get_id(vk));
 		if (r < 0)

lib/setup.c

@@ -510,6 +510,11 @@ int PLAIN_activate(struct crypt_device *cd,
 	log_dbg(cd, "Trying to activate PLAIN device %s using cipher %s.",
 		name, crypt_get_cipher_spec(cd));
 
+	if (MISALIGNED(size, device_block_size(cd, crypt_data_device(cd)) >> SECTOR_SHIFT)) {
+		log_err(cd, _("Device size is not aligned to device logical block size."));
+		return -EINVAL;
+	}
+
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
 			vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
 			crypt_get_data_offset(cd), crypt_get_integrity(cd),
@@ -659,10 +664,10 @@ int crypt_init_data_device(struct crypt_device **cd, const char *device, const c
 		return -EINVAL;
 
 	r = crypt_init(cd, device);
-	if (r || !data_device)
+	if (r || !data_device || !strcmp(device, data_device))
 		return r;
 
-	log_dbg(NULL, "Setting ciphertext data device to %s.", data_device ?: "(none)");
+	log_dbg(NULL, "Setting ciphertext data device to %s.", data_device);
 	r = _crypt_set_data_device(*cd, data_device);
 	if (r) {
 		crypt_free(*cd);
@@ -2750,6 +2755,12 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 		goto out;
 	}
 
+	if (MISALIGNED(new_size, device_block_size(cd, crypt_data_device(cd)) >> SECTOR_SHIFT)) {
+		log_err(cd, _("Device size is not aligned to device logical block size."));
+		r = -EINVAL;
+		goto out;
+	}
+
 	dmd.uuid = crypt_get_uuid(cd);
 	dmd.size = new_size;
 	dmd.flags = dmdq.flags | CRYPT_ACTIVATE_REFRESH;

lib/utils_blkid.c

@@ -307,3 +307,17 @@ int blk_supported(void)
 #endif
 	return r;
 }
+
+off_t blk_get_offset(struct blkid_handle *h)
+{
+	const char *offset;
+	off_t offset_value = -1;
+#ifdef HAVE_BLKID
+	if (blk_is_superblock(h)) {
+		if (!blkid_probe_lookup_value(h->pr, "SBMAGIC_OFFSET", &offset, NULL))
+			offset_value = strtoll(offset, NULL, 10);
+	} else if (blk_is_partition(h) && !blkid_probe_lookup_value(h->pr, "PTMAGIC_OFFSET", &offset, NULL))
+		offset_value = strtoll(offset, NULL, 10);
+#endif
+	return offset_value;
+}

lib/utils_blkid.h

@@ -59,4 +59,6 @@ int blk_do_wipe(struct blkid_handle *h);
 
 int blk_supported(void);
 
+off_t blk_get_offset(struct blkid_handle *h);
+
 #endif

lib/utils_dm.h

@@ -63,6 +63,7 @@ static inline uint32_t act2dmflags(uint32_t act_flags)
 #define DM_DEFERRED_SUPPORTED (1 << 15) /* deferred removal of device */
 #define DM_INTEGRITY_RECALC_SUPPORTED (1 << 16) /* dm-integrity automatic recalculation supported */
 #define DM_INTEGRITY_BITMAP_SUPPORTED (1 << 17) /* dm-integrity bitmap mode supported */
+#define DM_GET_TARGET_VERSION_SUPPORTED (1 << 18) /* dm DM_GET_TARGET version ioctl supported */
 
 typedef enum { DM_CRYPT = 0, DM_VERITY, DM_INTEGRITY, DM_LINEAR, DM_ERROR, DM_UNKNOWN } dm_target_type;
 enum tdirection { TARGET_SET = 1, TARGET_QUERY };

lib/utils_loop.c

@@ -252,7 +252,12 @@ static char *_sysfs_backing_file(const char *loop)
 
 char *crypt_loop_backing_file(const char *loop)
 {
-	char *bf = _sysfs_backing_file(loop);
+	char *bf;
+
+	if (!crypt_loop_device(loop))
+		return NULL;
+
+	bf = _sysfs_backing_file(loop);
 	return bf ?: _ioctl_backing_file(loop);
 }
 

man/cryptsetup.8

@@ -161,7 +161,7 @@ above in LUKS2 metadata (only after successful refresh operation).
 in dm-crypt driver.
 
 .PP
-\fIreencrypt\fR <device> or --active-name <name>
+\fIreencrypt\fR <device> or --active-name <name> [<new_name>]
 .IP
 Run resilient reencryption (LUKS2 device only).
 
@@ -191,6 +191,10 @@ If the reencryption process was interrupted abruptly (reencryption process crash
 it may require recovery. The recovery is currently run automatically on next activation (action \fIopen\fR)
 when needed.
 
+Optional parameter <new_name> takes effect only with \-\-encrypt option and it activates device <new_name>
+immediately after encryption initialization gets finished. That's useful when device needs to be ready
+as soon as possible and mounted (used) before full data area encryption is completed.
+
 Action supports following additional \fB<options>\fR [\-\-encrypt, \-\-decrypt, \-\-device\-size,
 \-\-resilience, \-\-resilience-hash, \-\-hotzone-size, \-\-init\-only, \-\-resume\-only,
 \-\-reduce\-device\-size].
@@ -1189,7 +1193,7 @@ with the \-\-header option. Use with care.
 .TP
 .B "\-\-header\-backup\-file <file>"
 Specify file with header backup for \fIluksHeaderBackup\fR or
-\fIluksHeaderBackup\fR actions.
+\fIluksHeaderRestore\fR actions.
 .TP
 .B "\-\-force\-password"
 Do not use password quality checking for new LUKS passwords.

src/Makemodule.am

@@ -13,7 +13,7 @@ cryptsetup_SOURCES =		\
 	src/cryptsetup.c	\
 	src/cryptsetup.h
 
-cryptsetup_LDADD = -lm		\
+cryptsetup_LDADD = $(LDADD)	\
 	libcryptsetup.la	\
 	@POPT_LIBS@		\
 	@PWQUALITY_LIBS@	\
@@ -47,7 +47,7 @@ veritysetup_SOURCES =		\
 	src/veritysetup.c	\
 	src/cryptsetup.h
 
-veritysetup_LDADD = -lm		\
+veritysetup_LDADD = $(LDADD)	\
 	libcryptsetup.la	\
 	@POPT_LIBS@		\
 	@BLKID_LIBS@
@@ -78,7 +78,7 @@ integritysetup_SOURCES =	\
 	src/integritysetup.c	\
 	src/cryptsetup.h
 
-integritysetup_LDADD = -lm	\
+integritysetup_LDADD = $(LDADD)	\
 	libcryptsetup.la	\
 	@POPT_LIBS@		\
 	@UUID_LIBS@		\
@@ -110,7 +110,7 @@ cryptsetup_reencrypt_SOURCES =		\
 	src/cryptsetup_reencrypt.c	\
 	src/cryptsetup.h
 
-cryptsetup_reencrypt_LDADD = -lm	\
+cryptsetup_reencrypt_LDADD = $(LDADD)	\
 	libcryptsetup.la		\
 	@POPT_LIBS@			\
 	@PWQUALITY_LIBS@		\

src/cryptsetup.c

@@ -54,7 +54,6 @@ static uint64_t opt_offset = 0;
 static uint64_t opt_skip = 0;
 static int opt_skip_valid = 0;
 static int opt_readonly = 0;
-static int opt_version_mode = 0;
 static int opt_timeout = 0;
 static int opt_tries = 3;
 static int opt_align_payload = 0;
@@ -736,8 +735,7 @@ static int action_status(void)
 			log_std("  integrity keysize: %d bits\n", ip.integrity_key_size * 8);
 		device = crypt_get_device_name(cd);
 		log_std("  device:  %s\n", device);
-		if (crypt_loop_device(device)) {
-			backing_file = crypt_loop_backing_file(device);
+		if ((backing_file = crypt_loop_backing_file(device))) {
 			log_std("  loop:    %s\n", backing_file);
 			free(backing_file);
 		}
@@ -2591,11 +2589,12 @@ static int action_reencrypt_load(struct crypt_device *cd)
 
 static int action_encrypt_luks2(struct crypt_device **cd)
 {
-	const char *type;
+	const char *type, *activated_name = NULL;
 	int keyslot, r, fd;
 	uuid_t uuid;
 	size_t passwordLen;
 	char *msg, uuid_str[37], header_file[PATH_MAX] = { 0 }, *password = NULL;
+	uint32_t activate_flags = 0;
 	const struct crypt_params_luks2 luks2_params = {
 		.sector_size = opt_sector_size ?: SECTOR_SIZE
 	};
@@ -2729,6 +2728,7 @@ static int action_encrypt_luks2(struct crypt_device **cd)
 		goto err;
 	}
 
+	/* Restore temporary header in head of data device */
 	if (*header_file) {
 		crypt_free(*cd);
 		*cd = NULL;
@@ -2743,10 +2743,25 @@ static int action_encrypt_luks2(struct crypt_device **cd)
 		}
 	}
 
+	/* activate device */
+	if (action_argc > 1) {
+		activated_name = action_argv[1];
+		_set_activation_flags(&activate_flags);
+		r = crypt_activate_by_passphrase(*cd, activated_name, opt_key_slot, password, passwordLen, activate_flags);
+		if (r >= 0) {
+			log_std(_("%s/%s is now active and ready for online encryption."), crypt_get_dir(), activated_name);
+			/* FIXME: Hotfix for 2.2.2 only. Fix the translated string correctly in next relese. */
+			log_std("\n");
+		}
+	}
+
+	if (r < 0)
+		goto err;
+
 	/* just load reencryption context to continue reencryption */
-	if (r >= 0 && !opt_reencrypt_init_only) {
+	if (!opt_reencrypt_init_only) {
 		params.flags &= ~CRYPT_REENCRYPT_INITIALIZE_ONLY;
-		r = crypt_reencrypt_init_by_passphrase(*cd, NULL, password, passwordLen,
+		r = crypt_reencrypt_init_by_passphrase(*cd, activated_name, password, passwordLen,
 				CRYPT_ANY_SLOT, keyslot, NULL, NULL, &params);
 	}
 err:
@@ -3280,6 +3295,11 @@ static void help(poptContext popt_context,
 #if defined(ENABLE_LUKS_ADJUST_XTS_KEYSIZE) && DEFAULT_LUKS1_KEYBITS != 512
 		log_std(_("\tLUKS: Default keysize with XTS mode (two internal keys) will be doubled.\n"));
 #endif
+		poptFreeContext(popt_context);
+		exit(EXIT_SUCCESS);
+	} else if (key->shortName == 'V') {
+		log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
+		poptFreeContext(popt_context);
 		exit(EXIT_SUCCESS);
 	} else
 		usage(popt_context, EXIT_SUCCESS, NULL, NULL);
@@ -3329,11 +3349,11 @@ int main(int argc, const char **argv)
 		{ NULL,    '\0', POPT_ARG_CALLBACK, help, 0, NULL,                         NULL },
 		{ "help",  '?',  POPT_ARG_NONE,     NULL, 0, N_("Show this help message"), NULL },
 		{ "usage", '\0', POPT_ARG_NONE,     NULL, 0, N_("Display brief usage"),    NULL },
+		{ "version",'V', POPT_ARG_NONE,     NULL, 0, N_("Print package version"),  NULL },
 		POPT_TABLEEND
 	};
 	static struct poptOption popt_options[] = {
 		{ NULL,                '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
-		{ "version",           '\0', POPT_ARG_NONE, &opt_version_mode,          0, N_("Print package version"), NULL },
 		{ "verbose",           'v',  POPT_ARG_NONE, &opt_verbose,               0, N_("Shows more detailed error messages"), NULL },
 		{ "debug",             '\0', POPT_ARG_NONE, &opt_debug,                 0, N_("Show debug messages"), NULL },
 		{ "debug-json",        '\0', POPT_ARG_NONE, &opt_debug_json,            0, N_("Show debug messages including JSON metadata"), NULL },
@@ -3478,12 +3498,6 @@ int main(int argc, const char **argv)
 		usage(popt_context, EXIT_FAILURE, poptStrerror(r),
 		      poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
 
-	if (opt_version_mode) {
-		log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
-		poptFreeContext(popt_context);
-		exit(EXIT_SUCCESS);
-	}
-
 	if (!(aname = poptGetArg(popt_context)))
 		usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
 		      poptGetInvocationName(popt_context));

src/cryptsetup.h

@@ -101,8 +101,6 @@ int tools_is_cipher_null(const char *cipher);
 
 void tools_clear_line(void);
 
-void tools_time_progress(uint64_t device_size, uint64_t bytes,
-			 struct timeval *start_time, struct timeval *end_time);
 int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr);
 int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr);
 

src/cryptsetup_reencrypt.c

@@ -42,7 +42,6 @@ static const char *opt_pbkdf = NULL;
 static long opt_pbkdf_memory = DEFAULT_LUKS2_MEMORY_KB;
 static long opt_pbkdf_parallel = DEFAULT_LUKS2_PARALLEL_THREADS;
 static long opt_pbkdf_iterations = 0;
-static int opt_version_mode = 0;
 static int opt_random = 0;
 static int opt_urandom = 0;
 static int opt_bsize = 4;
@@ -100,7 +99,6 @@ struct reenc_ctx {
 	} p[MAX_SLOT];
 	int keyslot;
 
-	struct timeval start_time, end_time;
 	uint64_t resume_bytes;
 };
 
@@ -938,6 +936,8 @@ static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new,
 
 	rc->resume_bytes = *bytes = rc->device_offset;
 
+	tools_reencrypt_progress(rc->device_size, *bytes, NULL);
+
 	if (write_log(rc) < 0)
 		return -EIO;
 
@@ -971,8 +971,8 @@ static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new,
 		}
 
 		*bytes += (uint64_t)s2;
-		tools_time_progress(rc->device_size, *bytes,
-				    &rc->start_time, &rc->end_time);
+
+		tools_reencrypt_progress(rc->device_size, *bytes, NULL);
 	}
 
 	return quit ? -EAGAIN : 0;
@@ -995,6 +995,8 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
 		*bytes = rc->resume_bytes;
 	}
 
+	tools_reencrypt_progress(rc->device_size, *bytes, NULL);
+
 	if (write_log(rc) < 0)
 		return -EIO;
 
@@ -1040,8 +1042,8 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
 		}
 
 		*bytes += (uint64_t)s2;
-		tools_time_progress(rc->device_size, *bytes,
-				    &rc->start_time, &rc->end_time);
+
+		tools_reencrypt_progress(rc->device_size, *bytes, NULL);
 	}
 
 	return quit ? -EAGAIN : 0;
@@ -1128,8 +1130,6 @@ static int copy_data(struct reenc_ctx *rc)
 	}
 
 	set_int_handler(0);
-	tools_time_progress(rc->device_size, bytes,
-			    &rc->start_time, &rc->end_time);
 
 	if (rc->reencrypt_direction == FORWARD)
 		r = copy_data_forward(rc, fd_old, fd_new, block_size, buf, &bytes);
@@ -1146,9 +1146,7 @@ static int copy_data(struct reenc_ctx *rc)
 
 	set_int_block(1);
 
-	if (r == -EAGAIN)
-		 log_err(_("Interrupted by a signal."));
-	else if (r < 0)
+	if (r < 0 && r != -EAGAIN)
 		log_err(_("IO error during reencryption."));
 
 	(void)write_log(rc);
@@ -1576,6 +1574,11 @@ static void help(poptContext popt_context,
 	if (key->shortName == '?') {
 		log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION);
 		poptPrintHelp(popt_context, stdout, 0);
+		poptFreeContext(popt_context);
+		exit(EXIT_SUCCESS);
+	} else if (key->shortName == 'V') {
+		log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION);
+		poptFreeContext(popt_context);
 		exit(EXIT_SUCCESS);
 	} else
 		usage(popt_context, EXIT_SUCCESS, NULL, NULL);
@@ -1587,11 +1590,11 @@ int main(int argc, const char **argv)
 		{ NULL,    '\0', POPT_ARG_CALLBACK, help, 0, NULL,                         NULL },
 		{ "help",  '?',  POPT_ARG_NONE,     NULL, 0, N_("Show this help message"), NULL },
 		{ "usage", '\0', POPT_ARG_NONE,     NULL, 0, N_("Display brief usage"),    NULL },
+		{ "version",'V', POPT_ARG_NONE,     NULL, 0, N_("Print package version"),  NULL },
 		POPT_TABLEEND
 	};
 	static struct poptOption popt_options[] = {
 		{ NULL,                '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
-		{ "version",           '\0', POPT_ARG_NONE, &opt_version_mode,          0, N_("Print package version"), NULL },
 		{ "verbose",           'v',  POPT_ARG_NONE, &opt_verbose,               0, N_("Shows more detailed error messages"), NULL },
 		{ "debug",             '\0', POPT_ARG_NONE, &opt_debug,                 0, N_("Show debug messages"), NULL },
 		{ "block-size",        'B',  POPT_ARG_INT, &opt_bsize,                  0, N_("Reencryption block size"), N_("MiB") },
@@ -1644,12 +1647,6 @@ int main(int argc, const char **argv)
 		usage(popt_context, EXIT_FAILURE, poptStrerror(r),
 		      poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
 
-	if (opt_version_mode) {
-		log_std("%s %s\n", PACKAGE_REENC, PACKAGE_VERSION);
-		poptFreeContext(popt_context);
-		exit(EXIT_SUCCESS);
-	}
-
 	if (!opt_batch_mode)
 		log_verbose(_("Reencryption will change: %s%s%s%s%s%s."),
 			opt_keep_key ? "" :  _("volume key"),

src/integritysetup.c

@@ -61,8 +61,6 @@ static int opt_integrity_bitmap = 0;
 
 static int opt_integrity_recalculate = 0;
 
-static int opt_version_mode = 0;
-
 static const char **action_argv;
 static int action_argc;
 
@@ -402,15 +400,13 @@ static int action_status(int arg)
 		device = crypt_get_device_name(cd);
 		metadata_device = crypt_get_metadata_device_name(cd);
 		log_std("  device:  %s%s\n", device, metadata_device ? " (detached)" : "");
-		if (crypt_loop_device(device)) {
-			backing_file = crypt_loop_backing_file(device);
+		if ((backing_file = crypt_loop_backing_file(device))) {
 			log_std("  loop:    %s\n", backing_file);
 			free(backing_file);
 		}
 		if (metadata_device) {
 			log_std("  metadata device:  %s\n", metadata_device);
-			if (crypt_loop_device(metadata_device)) {
-				backing_file = crypt_loop_backing_file(metadata_device);
+			if ((backing_file = crypt_loop_backing_file(metadata_device))) {
 				log_std("  loop:    %s\n", backing_file);
 				free(backing_file);
 			}
@@ -501,6 +497,11 @@ static void help(poptContext popt_context,
 		log_std(_("\nDefault compiled-in dm-integrity parameters:\n"
 			  "\tTag size: %u bytes, Checksum algorithm: %s\n"),
 			  DEFAULT_TAG_SIZE, DEFAULT_ALG_NAME);
+		poptFreeContext(popt_context);
+		exit(EXIT_SUCCESS);
+	} else if (key->shortName == 'V') {
+		log_std("%s %s\n", PACKAGE_INTEGRITY, PACKAGE_VERSION);
+		poptFreeContext(popt_context);
 		exit(EXIT_SUCCESS);
 	} else
 		usage(popt_context, EXIT_SUCCESS, NULL, NULL);
@@ -525,11 +526,11 @@ int main(int argc, const char **argv)
 		{ NULL,    '\0', POPT_ARG_CALLBACK, help, 0, NULL,                         NULL },
 		{ "help",  '?',  POPT_ARG_NONE,     NULL, 0, N_("Show this help message"), NULL },
 		{ "usage", '\0', POPT_ARG_NONE,     NULL, 0, N_("Display brief usage"),    NULL },
+		{ "version",'V', POPT_ARG_NONE,     NULL, 0, N_("Print package version"),  NULL },
 		POPT_TABLEEND
 	};
 	static struct poptOption popt_options[] = {
 		{ NULL,                 '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
-		{ "version",            '\0', POPT_ARG_NONE, &opt_version_mode,       0, N_("Print package version"), NULL },
 		{ "verbose",             'v', POPT_ARG_NONE, &opt_verbose,            0, N_("Shows more detailed error messages"), NULL },
 		{ "debug",              '\0', POPT_ARG_NONE, &opt_debug,              0, N_("Show debug messages"), NULL },
 		{ "batch-mode",          'q', POPT_ARG_NONE, &opt_batch_mode,         0, N_("Do not ask for confirmation"), NULL },
@@ -589,12 +590,6 @@ int main(int argc, const char **argv)
 		usage(popt_context, EXIT_FAILURE, poptStrerror(r),
 		      poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
 
-	if (opt_version_mode) {
-		log_std("%s %s\n", PACKAGE_INTEGRITY, PACKAGE_VERSION);
-		poptFreeContext(popt_context);
-		exit(EXIT_SUCCESS);
-	}
-
 	if (!(aname = poptGetArg(popt_context)))
 		usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
 		      poptGetInvocationName(popt_context));

src/utils_tools.c

@@ -380,14 +380,14 @@ void tools_clear_line(void)
 	log_std("\33[2K\r");
 }
 
-void tools_time_progress(uint64_t device_size, uint64_t bytes,
+static void tools_time_progress(uint64_t device_size, uint64_t bytes, uint64_t *start_bytes,
 			 struct timeval *start_time, struct timeval *end_time)
 {
 	struct timeval now_time;
 	unsigned long long mbytes, eta;
-	double tdiff, mib, frequency;
+	double tdiff, uib, frequency;
 	int final = (bytes == device_size);
-	const char *eol;
+	const char *eol, *ustr = "";
 
 	if (opt_batch_mode)
 		return;
@@ -396,6 +396,7 @@ void tools_time_progress(uint64_t device_size, uint64_t bytes,
 	if (start_time->tv_sec == 0 && start_time->tv_usec == 0) {
 		*start_time = now_time;
 		*end_time = now_time;
+		*start_bytes = bytes;
 		return;
 	}
 
@@ -417,40 +418,50 @@ void tools_time_progress(uint64_t device_size, uint64_t bytes,
 		return;
 
 	mbytes = bytes  / 1024 / 1024;
-	mib = (double)(mbytes) / tdiff;
-	if (!mib)
-		return;
+	uib = (double)(bytes - *start_bytes) / tdiff;
 
-	/* FIXME: calculate this from last minute only and remaining space */
-	eta = (unsigned long long)(device_size / 1024 / 1024 / mib - tdiff);
+	/* FIXME: calculate this from last minute only. */
+	eta = (unsigned long long)(device_size / uib - tdiff);
+
+	if (uib > 1073741824.0f) {
+		uib /= 1073741824.0f;
+		ustr = "Gi";
+	} else if (uib > 1048576.0f) {
+		uib /= 1048576.0f;
+		ustr = "Mi";
+	} else if (uib > 1024.0f) {
+		uib /= 1024.0f;
+		ustr = "Ki";
+	}
 
 	tools_clear_line();
 	if (final)
 		log_std("Finished, time %02llu:%02llu.%03llu, "
-			"%4llu MiB written, speed %5.1f MiB/s\n",
+			"%4llu MiB written, speed %5.1f %sB/s\n",
 			(unsigned long long)tdiff / 60,
 			(unsigned long long)tdiff % 60,
 			(unsigned long long)((tdiff - floor(tdiff)) * 1000.0),
-			mbytes, mib);
+			mbytes, uib, ustr);
 	else
 		log_std("Progress: %5.1f%%, ETA %02llu:%02llu, "
-			"%4llu MiB written, speed %5.1f MiB/s%s",
+			"%4llu MiB written, speed %5.1f %sB/s%s",
 			(double)bytes / device_size * 100,
-			eta / 60, eta % 60, mbytes, mib, eol);
+			eta / 60, eta % 60, mbytes, uib, ustr, eol);
 	fflush(stdout);
 }
 
 int tools_wipe_progress(uint64_t size, uint64_t offset, void *usrptr)
 {
 	static struct timeval start_time = {}, end_time = {};
+	static uint64_t start_offset = 0;
 	int r = 0;
 
-	tools_time_progress(size, offset, &start_time, &end_time);
+	tools_time_progress(size, offset, &start_offset, &start_time, &end_time);
 
 	check_signal(&r);
 	if (r) {
 		tools_clear_line();
-		log_err("\nWipe interrupted.");
+		log_err(_("\nWipe interrupted."));
 	}
 
 	return r;
@@ -563,11 +574,11 @@ int tools_wipe_all_signatures(const char *path)
 
 	while ((pr = blk_probe(h)) < PRB_EMPTY) {
 		if (blk_is_partition(h))
-			log_verbose("Existing '%s' partition signature on device %s will be wiped.",
-				    blk_get_partition_type(h), path);
+			log_verbose(_("Existing '%s' partition signature (offset: %" PRIi64 " bytes) on device %s will be wiped."),
+				    blk_get_partition_type(h), blk_get_offset(h), path);
 		if (blk_is_superblock(h))
-			log_verbose("Existing '%s' superblock signature on device %s will be wiped.",
-				    blk_get_superblock_type(h), path);
+			log_verbose(_("Existing '%s' superblock signature (offset: %" PRIi64 " bytes) on device %s will be wiped."),
+				    blk_get_superblock_type(h), blk_get_offset(h), path);
 		if (blk_do_wipe(h)) {
 			log_err(_("Failed to wipe device signature."));
 			r = -EINVAL;
@@ -607,14 +618,15 @@ int tools_is_stdin(const char *key_file)
 int tools_reencrypt_progress(uint64_t size, uint64_t offset, void *usrptr)
 {
 	static struct timeval start_time = {}, end_time = {};
+	static uint64_t start_offset = 0;
 	int r = 0;
 
-	tools_time_progress(size, offset, &start_time, &end_time);
+	tools_time_progress(size, offset, &start_offset, &start_time, &end_time);
 
 	check_signal(&r);
 	if (r) {
 		tools_clear_line();
-		log_err("\nReencrypt interrupted.");
+		log_err(_("\nReencryption interrupted."));
 	}
 
 	return r;

src/veritysetup.c

@@ -41,8 +41,6 @@ static int opt_ignore_corruption = 0;
 static int opt_ignore_zero_blocks = 0;
 static int opt_check_at_most_once = 0;
 
-static int opt_version_mode = 0;
-
 static const char **action_argv;
 static int action_argc;
 
@@ -287,8 +285,7 @@ static int action_status(int arg)
 		log_std("\n");
 
 		log_std("  data device: %s\n", vp.data_device);
-		if (crypt_loop_device(vp.data_device)) {
-			backing_file = crypt_loop_backing_file(vp.data_device);
+		if ((backing_file = crypt_loop_backing_file(vp.data_device))) {
 			log_std("  data loop:   %s\n", backing_file);
 			free(backing_file);
 		}
@@ -297,8 +294,7 @@ static int action_status(int arg)
 					   "readonly" : "read/write");
 
 		log_std("  hash device: %s\n", vp.hash_device);
-		if (crypt_loop_device(vp.hash_device)) {
-			backing_file = crypt_loop_backing_file(vp.hash_device);
+		if ((backing_file = crypt_loop_backing_file(vp.hash_device))) {
 			log_std("  hash loop:   %s\n", backing_file);
 			free(backing_file);
 		}
@@ -307,8 +303,7 @@ static int action_status(int arg)
 
 		if (vp.fec_device) {
 			log_std("  FEC device:  %s\n", vp.fec_device);
-			if (crypt_loop_device(vp.fec_device)) {
-				backing_file = crypt_loop_backing_file(vp.fec_device);
+			if ((backing_file = crypt_loop_backing_file(vp.fec_device))) {
 				log_std("  FEC loop:    %s\n", backing_file);
 				free(backing_file);
 			}
@@ -395,6 +390,11 @@ static void help(poptContext popt_context,
 			DEFAULT_VERITY_HASH, DEFAULT_VERITY_DATA_BLOCK,
 			DEFAULT_VERITY_HASH_BLOCK, DEFAULT_VERITY_SALT_SIZE,
 			1);
+		poptFreeContext(popt_context);
+		exit(EXIT_SUCCESS);
+	} else if (key->shortName == 'V') {
+		log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
+		poptFreeContext(popt_context);
 		exit(EXIT_SUCCESS);
 	} else
 		usage(popt_context, EXIT_SUCCESS, NULL, NULL);
@@ -420,11 +420,11 @@ int main(int argc, const char **argv)
 		{ NULL,    '\0', POPT_ARG_CALLBACK, help, 0, NULL,                         NULL },
 		{ "help",  '?',  POPT_ARG_NONE,     NULL, 0, N_("Show this help message"), NULL },
 		{ "usage", '\0', POPT_ARG_NONE,     NULL, 0, N_("Display brief usage"),    NULL },
+		{ "version",'V', POPT_ARG_NONE,     NULL, 0, N_("Print package version"),  NULL },
 		POPT_TABLEEND
 	};
 	static struct poptOption popt_options[] = {
 		{ NULL,              '\0', POPT_ARG_INCLUDE_TABLE, popt_help_options, 0, N_("Help options:"), NULL },
-		{ "version",         '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
 		{ "verbose",         'v',  POPT_ARG_NONE, &opt_verbose,      0, N_("Shows more detailed error messages"), NULL },
 		{ "debug",           '\0', POPT_ARG_NONE, &opt_debug,        0, N_("Show debug messages"), NULL },
 		{ "no-superblock",   0,    POPT_ARG_VAL,  &use_superblock,   0, N_("Do not use verity superblock"), NULL },
@@ -492,12 +492,6 @@ int main(int argc, const char **argv)
 		usage(popt_context, EXIT_FAILURE, poptStrerror(r),
 		      poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
 
-	if (opt_version_mode) {
-		log_std("%s %s\n", PACKAGE_VERITY, PACKAGE_VERSION);
-		poptFreeContext(popt_context);
-		exit(EXIT_SUCCESS);
-	}
-
 	if (!(aname = poptGetArg(popt_context)))
 		usage(popt_context, EXIT_FAILURE, _("Argument <action> missing."),
 		      poptGetInvocationName(popt_context));

tests/00modules-test

@@ -13,6 +13,9 @@ function pversion() {
 
 echo "Cryptsetup test environment ($(date))"
 uname -a
+if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ] ; then
+	echo "Kernel running in FIPS mode."
+fi
 
 if [ -f /etc/os-release ] ; then
 	source /etc/os-release

tests/Makefile.am

@@ -77,13 +77,13 @@ differ_SOURCES = differ.c
 differ_CFLAGS = $(AM_CFLAGS) -Wall -O2
 
 api_test_SOURCES = api-test.c api_test.h test_utils.c
-api_test_LDADD = ../libcryptsetup.la
+api_test_LDADD = $(LDADD) ../libcryptsetup.la
 api_test_LDFLAGS = $(AM_LDFLAGS) -static
 api_test_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
 api_test_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
 
 api_test_2_SOURCES = api-test-2.c api_test.h test_utils.c
-api_test_2_LDADD = ../libcryptsetup.la
+api_test_2_LDADD = $(LDADD) ../libcryptsetup.la
 api_test_2_LDFLAGS = $(AM_LDFLAGS) -static
 api_test_2_CFLAGS = -g -Wall -O0 $(AM_CFLAGS) -I$(top_srcdir)/lib/ -I$(top_srcdir)/lib/luks1
 api_test_2_CPPFLAGS = $(AM_CPPFLAGS) -include config.h
@@ -109,12 +109,13 @@ compatimage.img:
 	@xz -k -d compatimage.img.xz
 
 valgrind-check: api-test api-test-2 differ
-	@VALG=1 ./compat-test
 	@VALG=1 ./compat-test2
 	@VALG=1 ./luks2-validation-test
 	@VALG=1 ./verity-compat-test
 	@VALG=1 ./integrity-compat-test
 	@INFOSTRING="api-test-000" ./valg-api.sh ./api-test
 	@INFOSTRING="api-test-002" ./valg-api.sh ./api-test-2
+	@VALG=1 ./luks2-reencryption-test
+	@VALG=1 ./compat-test
 
 .PHONY: valgrind-check

tests/api-test-2.c

@@ -67,6 +67,7 @@ typedef int32_t key_serial_t;
 #define IMAGE1 "compatimage2.img"
 #define IMAGE_EMPTY "empty.img"
 #define IMAGE_EMPTY_SMALL "empty_small.img"
+#define IMAGE_EMPTY_SMALL_2 "empty_small2.img"
 #define IMAGE_PV_LUKS2_SEC "blkid-luks2-pv.img"
 
 #define KEYFILE1 "key1.file"
@@ -322,6 +323,7 @@ static void _cleanup(void)
 	remove(IMAGE_PV_LUKS2_SEC);
 	remove(IMAGE_PV_LUKS2_SEC ".bcp");
 	remove(IMAGE_EMPTY_SMALL);
+	remove(IMAGE_EMPTY_SMALL_2);
 
 	_remove_keyfiles();
 
@@ -379,6 +381,8 @@ static int _setup(void)
 
 	_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL " bs=1M count=7 2>/dev/null", 1);
 
+	_system("dd if=/dev/zero of=" IMAGE_EMPTY_SMALL_2 " bs=512 count=2050 2>/dev/null", 1);
+
 	_system(" [ ! -e " NO_REQS_LUKS2_HEADER " ] && xz -dk " NO_REQS_LUKS2_HEADER ".xz", 1);
 	fd = loop_attach(&DEVICE_4, NO_REQS_LUKS2_HEADER, 0, 0, &ro);
 	close(fd);
@@ -1949,6 +1953,11 @@ static void LuksConvert(void)
 		.time_ms = 1
 	};
 
+	struct crypt_params_luks1 luks1 = {
+		.hash = "sha256",
+		.data_device = DMDIR L_DEVICE_1S
+	};
+
 	struct crypt_params_luks2 luks2 = {
 		.pbkdf = &pbkdf2,
 		.sector_size = 512
@@ -2432,6 +2441,26 @@ static void LuksConvert(void)
 	EQ_(crypt_activate_by_passphrase(cd, NULL, 6, PASS6, strlen(PASS6), 0), 6);
 	CRYPT_FREE(cd);
 
+	// detached LUKS1 header upconversion
+	OK_(create_dmdevice_over_loop(H_DEVICE, 2050)); // default LUKS1 header should fit there
+	OK_(crypt_init(&cd, DMDIR H_DEVICE));
+	crypt_set_iteration_time(cd, 1);
+	//OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
+	OK_(crypt_format(cd, CRYPT_LUKS1, "aes", "xts-plain64", NULL, NULL, 32, &luks1));
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 7);
+	FAIL_(crypt_convert(cd, CRYPT_LUKS2, NULL), "Unable to move keyslots. Not enough space.");
+	CRYPT_FREE(cd);
+
+	// 2050 sectors, empty file
+	OK_(crypt_init(&cd, IMAGE_EMPTY_SMALL_2));
+	//OK_(crypt_set_pbkdf_type(cd, &pbkdf2));
+	crypt_set_iteration_time(cd, 1);
+	OK_(crypt_format(cd, CRYPT_LUKS1, "aes", "xts-plain64", NULL, NULL, 32, &luks1));
+	EQ_(crypt_get_data_offset(cd), 0);
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 7, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 7);
+	OK_(crypt_convert(cd, CRYPT_LUKS2, NULL));
+	CRYPT_FREE(cd);
+
 	_cleanup_dmdevices();
 }
 
@@ -4130,7 +4159,11 @@ static void Luks2Reencryption(void)
 	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
 	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
 	EQ_(crypt_keyslot_add_by_volume_key(cd, 6, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 6);
-	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 6, PASSPHRASE, strlen(PASSPHRASE), 0), 6);
+	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_2, 6, PASSPHRASE, strlen(PASSPHRASE), 0), 6);
+	OK_(t_device_size(DMDIR CDEVICE_2, &r_size_1));
+	EQ_(r_size_1, 512);
+	// create placeholder device to block automatic deactivation after decryption
+	OK_(_system("dmsetup create " CDEVICE_1 " --table \"0 1 linear " DMDIR CDEVICE_2 " 0\"", 1));
 	remove(BACKUP_FILE);
 	OK_(crypt_header_backup(cd, CRYPT_LUKS2, BACKUP_FILE));
 	CRYPT_FREE(cd);
@@ -4144,13 +4177,13 @@ static void Luks2Reencryption(void)
 	rparams.direction = CRYPT_REENCRYPT_FORWARD;
 	rparams.resilience = "datashift";
 	rparams.data_shift = r_header_size;
-	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_1, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
+	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_2, PASSPHRASE, strlen(PASSPHRASE), 6, CRYPT_ANY_SLOT, NULL, NULL, &rparams));
 	EQ_(crypt_get_data_offset(cd), 0);
 	OK_(crypt_reencrypt(cd, NULL));
 	remove(BACKUP_FILE);
-	OK_(t_device_size(DMDIR CDEVICE_1, &r_size_1));
+	OK_(t_device_size(DMDIR CDEVICE_2, &r_size_1));
 	EQ_(r_size_1, 512);
-	OK_(crypt_deactivate(cd, CDEVICE_1));
+	OK_(_system("dmsetup remove " DM_RETRY CDEVICE_1 DM_NOSTDERR, 0));
 	CRYPT_FREE(cd);
 
 	_cleanup_dmdevices();
@@ -4230,6 +4263,44 @@ static void Luks2Reencryption(void)
 	CRYPT_FREE(cd2);
 	CRYPT_FREE(cd);
 
+	_cleanup_dmdevices();
+	OK_(create_dmdevice_over_loop(L_DEVICE_OK, r_header_size + 16));
+
+	/* Test LUKS2 reencryption honors flags device was activate with */
+	OK_(crypt_init(&cd, DMDIR L_DEVICE_OK));
+	OK_(crypt_set_pbkdf_type(cd, &pbkdf));
+	params2.sector_size = 512;
+	params2.data_device = NULL;
+	OK_(crypt_format(cd, CRYPT_LUKS2, "aes", "cbc-essiv:sha256", NULL, NULL, 32, &params2));
+	EQ_(crypt_keyslot_add_by_volume_key(cd, 6, NULL, 32, PASSPHRASE, strlen(PASSPHRASE)), 6);
+	OK_(crypt_volume_key_keyring(cd, 0)); /* disable keyring */
+	EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 6, PASSPHRASE, strlen(PASSPHRASE), CRYPT_ACTIVATE_ALLOW_DISCARDS), 6);
+	OK_(crypt_volume_key_keyring(cd, 1));
+	rparams.mode = CRYPT_REENCRYPT_REENCRYPT;
+	rparams.direction = CRYPT_REENCRYPT_FORWARD,
+	rparams.resilience = "none",
+	rparams.max_hotzone_size = 8;
+	rparams.luks2 = &params2;
+	rparams.flags = 0;
+	EQ_(crypt_keyslot_add_by_key(cd, 1, NULL, 64, PASSPHRASE, strlen(PASSPHRASE), CRYPT_VOLUME_KEY_NO_SEGMENT), 1);
+	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_1, PASSPHRASE, strlen(PASSPHRASE), 6, 1, "aes", "xts-plain64", &rparams));
+	test_progress_steps = 1;
+	OK_(crypt_reencrypt(cd, &test_progress));
+	EQ_(crypt_reencrypt_status(cd, NULL), CRYPT_REENCRYPT_CLEAN);
+	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+	EQ_(cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS, CRYPT_ACTIVATE_ALLOW_DISCARDS);
+	EQ_(cad.flags & CRYPT_ACTIVATE_KEYRING_KEY, 0);
+	CRYPT_FREE(cd);
+	OK_(crypt_init_by_name(&cd, CDEVICE_1));
+	rparams.flags = CRYPT_REENCRYPT_RESUME_ONLY;
+	OK_(crypt_reencrypt_init_by_passphrase(cd, CDEVICE_1, PASSPHRASE, strlen(PASSPHRASE), 6, 1, "aes", "xts-plain64", &rparams));
+	OK_(crypt_reencrypt(cd, NULL));
+	OK_(crypt_get_active_device(cd, CDEVICE_1, &cad));
+	EQ_(cad.flags & CRYPT_ACTIVATE_ALLOW_DISCARDS, CRYPT_ACTIVATE_ALLOW_DISCARDS);
+	EQ_(cad.flags & CRYPT_ACTIVATE_KEYRING_KEY, 0);
+	OK_(crypt_deactivate(cd, CDEVICE_1));
+	CRYPT_FREE(cd);
+
 	_cleanup_dmdevices();
 #endif
 }

tests/compat-test

@@ -52,6 +52,8 @@ function remove_mapping()
 	[ -b /dev/mapper/$DEV_NAME ] && dmsetup remove --retry $DEV_NAME >/dev/null 2>&1
 	losetup -d $LOOPDEV >/dev/null 2>&1
 	rm -f $ORIG_IMG $IMG $IMG10 $KEY1 $KEY2 $KEY5 $KEYE $HEADER_IMG $VK_FILE missing-file >/dev/null 2>&1
+	rmmod scsi_debug 2> /dev/null
+	scsi_debug_teardown $DEV
 }
 
 function force_uevent()
@@ -157,6 +159,34 @@ function check_exists()
 	check $1
 }
 
+# $1 path to scsi debug bdev
+scsi_debug_teardown() {
+	local _tries=15;
+
+	while [ -b "$1" -a $_tries -gt 0 ]; do
+		rmmod scsi_debug 2> /dev/null
+		if [ -b "$1" ]; then
+			sleep .1
+			_tries=$((_tries-1))
+		fi
+	done
+
+	test ! -b "$1" || rmmod scsi_debug 2> /dev/null
+}
+
+function add_scsi_device() {
+	scsi_debug_teardown $DEV
+        modprobe scsi_debug $@ delay=0
+        if [ $? -ne 0 ] ; then
+                echo "This kernel seems to not support proper scsi_debug module, test skipped."
+                exit 77
+        fi
+
+        sleep 1
+        DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
+        [ -b $DEV ] || fail "Cannot find $DEV."
+}
+
 function valgrind_setup()
 {
 	which valgrind >/dev/null 2>&1 || fail "Cannot find valgrind."
@@ -515,6 +545,18 @@ if [ $? -eq 0 ] ; then
 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "16 sectors" || fail
 	$CRYPTSETUP -q remove  $DEV_NAME || fail
 fi
+# Resize not aligned to logical block size
+add_scsi_device dev_size_mb=32 sector_size=4096
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV || fail
+OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
+$CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
+dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
+NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
+test $OLD_SIZE -eq $NEW_SIZE || fail
+$CRYPTSETUP close $DEV_NAME || fail
+# Add check for unaligned plain crypt activation
+echo $PWD1 | $CRYPTSETUP create $DEV_NAME --hash sha1 $DEV -b 7 2>/dev/null && fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
 # verify is ignored on non-tty input
 echo $PWD1 | $CRYPTSETUP create $DEV_NAME $LOOPDEV --hash sha1 --verify-passphrase 2>/dev/null || fail
 $CRYPTSETUP -q remove  $DEV_NAME || fail

tests/compat-test2

@@ -52,6 +52,9 @@ function remove_mapping()
 	# unlink whole test keyring
 	[ -n "$TEST_KEYRING" ] && keyctl unlink $TEST_KEYRING "@u" >/dev/null
 	unset TEST_KEYRING
+
+	rmmod scsi_debug 2> /dev/null
+	scsi_debug_teardown $DEV
 }
 
 function force_uevent()
@@ -241,6 +244,34 @@ function setup_luks2_env() {
 	$CRYPTSETUP close $DEV_NAME || fail
 }
 
+# $1 path to scsi debug bdev
+scsi_debug_teardown() {
+	local _tries=15;
+
+	while [ -b "$1" -a $_tries -gt 0 ]; do
+		rmmod scsi_debug 2> /dev/null
+		if [ -b "$1" ]; then
+			sleep .1
+			_tries=$((_tries-1))
+		fi
+	done
+
+	test ! -b "$1" || rmmod scsi_debug 2> /dev/null
+}
+
+function add_scsi_device() {
+	scsi_debug_teardown $DEV
+        modprobe scsi_debug $@ delay=0
+        if [ $? -ne 0 ] ; then
+                echo "This kernel seems to not support proper scsi_debug module, test skipped."
+                exit 77
+        fi
+
+        sleep 1
+        DEV="/dev/"$(grep -l -e scsi_debug /sys/block/*/device/model | cut -f4 -d /)
+        [ -b $DEV ] || fail "Cannot find $DEV."
+}
+
 export LANG=C
 
 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
@@ -492,6 +523,17 @@ if dm_crypt_sector_size_support; then
 	echo $PWD1 | $CRYPTSETUP -q resize --size 2049 $DEV_NAME > /dev/null 2>&1 && fail
 	$CRYPTSETUP -q status  $DEV_NAME | grep "size:" | grep -q "2048 sectors" || fail
 fi
+$CRYPTSETUP close $DEV_NAME || fail
+# Resize not aligned to logical block size
+add_scsi_device dev_size_mb=32 sector_size=4096
+echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $DEV || fail
+echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
+OLD_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
+echo $PWD1 | $CRYPTSETUP resize $DEV_NAME -b 7 2> /dev/null && fail
+dmsetup info $DEV_NAME | grep -q SUSPENDED && fail
+NEW_SIZE=$($CRYPTSETUP status $DEV_NAME | grep "^ \+size:" | sed 's/.* \([0-9]\+\) .*/\1/')
+test $OLD_SIZE -eq $NEW_SIZE || fail
+$CRYPTSETUP close $DEV_NAME || fail
 
 prepare "[20] Disallow open/create if already mapped." wipe
 $CRYPTSETUP create $DEV_NAME $LOOPDEV -d $KEY1 || fail

tests/luks2-reencryption-test

@@ -227,10 +227,20 @@ function error_writes() { # $1 dmdev, $2 data dev, $3 offset, $4 size
 	local _offset=$(($3+$4))
 	local _size=$((_dev_size-_offset))
 	local _err=$1-err
+	local _table=
 	dmsetup create $_err --table "0 $_dev_size error" || fail
-echo -e "0 $3 linear $2 0\n
-$3 $4 delay $2 $3 0 /dev/mapper/$_err $3 0\n
-$_offset $_size linear $2 $_offset" | dmsetup load $1 || fail
+
+	if [ $3 -ne 0 ]; then
+		_table="0 $3 linear $2 0\n"
+	fi
+
+	_table=$_table"$3 $4 delay $2 $3 0 /dev/mapper/$_err $3 0"
+
+	if [ $_size -ne 0 ]; then
+		_table="$_table\n$_offset $_size linear $2 $_offset"
+	fi
+
+	echo -e "$_table" | dmsetup load $1 || fail
 	dmsetup resume $1 || fail
 	blockdev --setra 0 /dev/mapper/$1
 	blockdev --setra 0 /dev/mapper/$_err
@@ -475,7 +485,7 @@ function decrypt_recover_detached_online() { # $1 sector size, $2 resilience, $3
 		echo $PWD1 | $CRYPTSETUP reencrypt $DEV --header $4 --resilience $2 -q || fail
 	fi
 
-	$CRYPTSETUP close $DEV_NAME || fail
+	$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
 	check_hash_dev $DEV $3
 
 	echo "[OK]"
@@ -649,18 +659,6 @@ function valgrind_run()
 	INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
 }
 
-function setup_luks2_env() {
-	echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_ARGON $DEV || fail
-	echo $PWD1 | $CRYPTSETUP open $DEV $DEV_NAME || fail
-	HAVE_KEYRING=$($CRYPTSETUP status $DEV_NAME | grep "keyring")
-	if [ -n "$HAVE_KEYRING" ]; then
-		HAVE_KEYRING=1
-	else
-		HAVE_KEYRING=0
-	fi
-	$CRYPTSETUP close $DEV_NAME || fail
-}
-
 [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
 [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
 fips_mode && skip "This test cannot be run in FIPS mode."
@@ -669,10 +667,13 @@ modprobe dm-crypt || fail "dm-crypt failed to load"
 modprobe dm-delay > /dev/null 2>&1
 dm_crypt_features
 
-prepare dev_size_mb=32
-setup_luks2_env
+if [ -n "$DM_SECTOR_SIZE" ]; then
+	TEST_SECTORS="512 4096"
+else
+	TEST_SECTORS="512"
+fi
 
-[ "$HAVE_KEYRING" -eq 1 ] || skip "cryptsetup compiled without kernel keyring support."
+modinfo scsi_debug -p | grep -q opt_xferlen_exp && OPT_XFERLEN_EXP="opt_xferlen_exp=6"
 
 export LANG=C
 
@@ -813,6 +814,26 @@ check_hash $PWD1 $HASH6 $IMG_HDR
 $CRYPTSETUP luksHeaderRestore --header-backup-file $IMG_HDR $DEV -q || fail
 check_hash $PWD1 $HASH6
 
+# Device activation after encryption initialization
+wipe_dev $DEV
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH5
+echo $PWD1 | $CRYPTSETUP reencrypt --resume-only $DEV -q || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH5
+
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP close $DEV_NAME
+check_hash_head $PWD1 $((56*1024*2)) $HASH5
+
+# Device activation using key file
+wipe_dev $DEV
+echo -n $PWD1 > $KEY1
+$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+$CRYPTSETUP close $DEV_NAME
+echo $PWD1 | $CRYPTSETUP open $DEV --test-passphrase || fail
+
 echo "[3] Encryption with detached header"
 preparebig 256
 wipe_dev $DEV
@@ -828,6 +849,25 @@ wipe_dev $DEV
 echo $PWD1 | $CRYPTSETUP reencrypt --encrypt -c serpent-xts-plain --resilience checksum --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
 check_hash $PWD1 $HASH3 $IMG_HDR
 
+# Device activation after encryption initialization
+wipe_dev $DEV
+echo $PWD1 | $CRYPTSETUP reencrypt --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH3
+echo $PWD1 | $CRYPTSETUP reencrypt --resume-only --header $IMG_HDR --active-name $DEV_NAME -q || fail
+check_hash_dev /dev/mapper/$DEV_NAME $HASH3
+echo $PWD1 | $CRYPTSETUP reencrypt $DEV --encrypt -c aes-cbc-essiv:sha256 -s 128 --reduce-device-size 8M -q $FAST_PBKDF_ARGON $DEV_NAME 2>/dev/null && fail
+$CRYPTSETUP close $DEV_NAME
+check_hash $PWD1 $HASH3 $IMG_HDR
+
+# Device activation using key file
+wipe_dev $DEV
+echo -n $PWD1 > $KEY1
+$CRYPTSETUP reencrypt $DEV --encrypt --init-only -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR --key-file $KEY1 -q $FAST_PBKDF_ARGON $DEV_NAME >/dev/null || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 || fail
+$CRYPTSETUP close $DEV_NAME
+echo $PWD1 | $CRYPTSETUP open --header $IMG_HDR $DEV --test-passphrase || fail
+
 echo "[4] Reencryption with detached header"
 wipe $PWD1 $IMG_HDR
 echo $PWD1 | $CRYPTSETUP reencrypt -c aes-cbc-essiv:sha256 -s 128 --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
@@ -869,6 +909,15 @@ wipe $PWD1 $IMG_HDR
 echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR $DEV || fail
 check_hash_dev $DEV $HASH3
 
+# check deferred remove works as expected after decryption
+echo $PWD1 | $CRYPTSETUP luksFormat --type luks2 -c serpent-xts-plain --header $IMG_HDR -q $FAST_PBKDF_ARGON $DEV || fail
+open_crypt $PWD1 $IMG_HDR
+dmsetup create $DEV_NAME2 --table "0 1 linear /dev/mapper/$DEV_NAME 0" || fail
+echo $PWD1 | $CRYPTSETUP reencrypt -q --decrypt --resilience checksum --header $IMG_HDR --active-name $DEV_NAME || fail
+$CRYPTSETUP status $DEV_NAME >/dev/null || fail
+dmsetup remove --retry $DEV_NAME2
+$CRYPTSETUP status $DEV_NAME >/dev/null 2>&1 && fail
+
 if ! dm_delay_features; then
 	echo "dm-delay target is missing, skipping recovery tests."
 	remove_mapping
@@ -878,7 +927,7 @@ fi
 echo "[6] Reencryption recovery"
 # (check opt-io size optimization in reencryption code does not affect recovery)
 # device with opt-io size 32k
-prepare_linear_dev 32 opt_blks=64 opt_xferlen_exp=6
+prepare_linear_dev 32 opt_blks=64 $OPT_XFERLEN_EXP
 OFFSET=8192
 
 echo "sector size 512->512"
@@ -960,7 +1009,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
 fi
 
 echo "[8] Reencryption with detached header recovery"
-prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
+prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
 
 echo "sector size 512->512"
 
@@ -1079,7 +1128,7 @@ if [ -n "$DM_SECTOR_SIZE" ]; then
 fi
 
 echo "[12] Encryption with detached header recovery"
-prepare_linear_dev 31 opt_blks=64 opt_xferlen_exp=6
+prepare_linear_dev 31 opt_blks=64 $OPT_XFERLEN_EXP
 
 get_error_offsets 31 0
 
@@ -1169,7 +1218,7 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --offset 16384 $FAST_PBKDF_A
 wipe $PWD1
 check_hash $PWD1 $HASH8
 
-for test_ss in 512 4096; do
+for test_ss in $TEST_SECTORS; do
 printf "sector size %4s: " $test_ss
 for test_res in checksum journal none; do
 	echo -n "[$test_res]"
@@ -1182,7 +1231,7 @@ echo ""
 done
 
 echo "[17] Online reencryption with fixed device size."
-for test_ss in 512 4096; do
+for test_ss in $TEST_SECTORS; do
 printf "sector size %4s: " $test_ss
 for test_res in checksum journal none; do
 	echo -n "[$test_res]"
@@ -1200,7 +1249,7 @@ echo $PWD1 | $CRYPTSETUP -q luksFormat --type luks2 --header $IMG_HDR $FAST_PBKD
 wipe $PWD1 $IMG_HDR
 check_hash $PWD1 $HASH8 $IMG_HDR
 
-for test_ss in 512 4096; do
+for test_ss in $TEST_SECTORS; do
 printf "sector size %4s: " $test_ss
 for test_res in checksum journal none; do
 	echo -n "[$test_res]"
@@ -1213,7 +1262,7 @@ echo ""
 done
 
 echo "[19] Online reencryption with fixed device size (detached header)."
-for test_ss in 512 4096; do
+for test_ss in $TEST_SECTORS; do
 printf "sector size %4s: " $test_ss
 for test_res in checksum journal none; do
 	echo -n "[$test_res]"
@@ -1226,7 +1275,7 @@ echo ""
 done
 
 echo "[20] Offline encryption with fixed device size (detached header)."
-for test_ss in 512 4096; do
+for test_ss in $TEST_SECTORS; do
 printf "sector size %4s: " $test_ss
 for test_res in checksum journal none; do
 	echo -n "[$test_res]"
@@ -1240,7 +1289,7 @@ done
 
 echo "[21] Offline decryption with fixed device size (detached header)."
 prepare_linear_dev 60
-for test_ss in 512 4096; do
+for test_ss in $TEST_SECTORS; do
 printf "sector size %4s: " $test_ss
 for test_res in checksum journal none; do
 	echo -n "[$test_res]"

tests/reencryption-compat-test

@@ -282,7 +282,7 @@ wipe_dev $LOOPDEV1
 dmsetup create $DEV_NAME2 --table "0 $(($SIZE - $OFFSET)) linear $LOOPDEV1 0" || fail
 check_hash_dev /dev/mapper/$DEV_NAME2 $HASH5
 dmsetup remove --retry $DEV_NAME2 || fail
-echo $PWD1 | $REENC $LOOPDEV1 -c aes-cbc-essiv:sha256 -s 128 --new --type luks1 --reduce-device-size "$OFFSET"S $FAST_PBKDF || fail
+echo $PWD1 | $REENC $LOOPDEV1 -c aes-cbc-essiv:sha256 -s 128 --new --type luks1 --reduce-device-size "$OFFSET"S -q $FAST_PBKDF || fail
 check_hash $PWD1 $HASH5
 $CRYPTSETUP --type luks1 luksDump $LOOPDEV1 > /dev/null || fail
 prepare 8192