The project's readme indicates that some parts of the code is covered
by Apache license - add it to the RECIPE accordingly.
Reported-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The below reference clearly states that GPL-2.0-with-OpenSSL-exception
is to be used with GPL 2.0 or GPL3.0 and not as a standalone license.
Therefore, update the correct license.
Reference:
569d72e13e/docs/openssl-exception-gpl-2.0.yml (L7)
Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We use veritysetup in our custom initramfs to verify the rootfs before
mounting it. We do not use udev or run systemd as PID1 in that
initramfs. This RDEPENDS on udev and lvm2, and everything that udev
ends up pulling in, thus bloats the initramfs by more than 10MiB.
Removing udev from PACKAGECONFIG is not really an option, because we
do want the udev integration in the real rootfs.
Demote it to a recommendation so that the initramfs recipe can avoid
udev and lvm2 using BAD_RECOMMENDATIONS or NO_RECOMMENDATIONS.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit removed the lvm2-udevrules package.
[https://git.openembedded.org/meta-openembedded/commit/?h=master-next&id=c37c867e1adddd6fa39cf3f3d4c6688ea6dc825a]
Align accordingly to avoid error at do_rootfs
Error:
Problem 1: package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
- package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
- conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
Problem 2: package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfscommon.so()(64bit), but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfsdaemon.so()(64bit), but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires gvfs >= 1.56.0, but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
- conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
(try to add '--skip-broken' to skip uninstallable packages)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
* Fixes to wiping LUKS2 headers after Opal locking area erase.
* Mention the need for possible PSID revert before Opal format for some
drives (man page).
* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
* Fix interactive query retry if LUKS2 unbound keyslot is present.
* Detect unsupported zoned devices for LUKS header devices.
* Allow "capi" cipher format for benchmark command and fix parsing
of plain IV in "capi" format.
* Add support for HCTR2 encryption mode.
* Source code now uses SPDX license identifiers instead of full
license preambles.
* Fix missing includes for cryptographic backend that could cause
compilation errors for some systems.
* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
* Fix various (mostly false positive) issues detected by Coverity.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Fix activation of OPAL-only encrypted LUKS device with tokens.
* Fix formatting of OPAL devices with 4096-byte sector size.
* Fix incorrect OPAL locking range alignment calculation if used
over an unaligned device partition.
* Add --hw-opal-factory-reset option description to the manual page.
* Do not check the passphrase quality for OPAL Admin PIN,
as this passphrase already exists.
* Update license for FAQ document to CC BY-SA 4.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup 2.7.1 Release Notes
==============================
Stable bug-fix release with minor extensions.
Changes since version 2.7.0
* Fix interrupted LUKS1 decryption resume.
With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
reencrypt command, resuming the interrupted LUKS1 decryption operation
could fail. LUKS2 was not affected.
* Allow --link-vk-to-keyring with --test-passphrase option.
This option allows uploading the volume key in a user-specified kernel
keyring without activating the device.
* Fix crash when --active-name was used in decryption initialization.
* Updates and changes to man pages, including indentation, sorting options
alphabetically, fixing mistakes in crypt_set_keyring_to_link, and
fixing some typos.
* Fix compilation with libargon2 when --disable-internal-argon2 was used.
* Do not require installed argon2.h header and never compile internal
libargon2 code if the crypto library directly supports Argon2.
* Fixes to regression tests to support older Linux distributions.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Disable documentation as it needs asciidoctor which is not available
- Rename cryptsetup-reencrypt packageconfig to luks2-reencryption to match
the relevant configure option.
- Add a patch to enable 64bit off_t and lfs64
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup SSH tokens is the only feature that has a dependency on
libssh. Add a packageconfig to control this dependency.
Change-Id: Iac4f91e099ad2e3a79aab183734108f8bfbff57f
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup allows for certain luks2 related defaults to be
set for libcryptsetup, these include the default PBKDF
algorithm, memory limit for Argon2, parallel threads and
iteration time.
Set default variables defined to the same values currently
coming from cryptsetup upstream, making this change transparent
for the user but allow these values to be customized.
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
Stable security bug-fix release that fixes CVE-2021-4122.
All users of cryptsetup 2.4.x must upgrade to this version.
Changes since version 2.4.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fix possible attacks against data confidentiality through LUKS2 online
reencryption extension crash recovery (CVE-2021-4122).
An attacker can modify on-disk metadata to simulate decryption in
progress with crashed (unfinished) reencryption step and persistently
decrypt part of the LUKS device.
This attack requires repeated physical access to the LUKS device but
no knowledge of user passphrases.
The decryption step is performed after a valid user activates
the device with a correct passphrase and modified metadata.
There are no visible warnings for the user that such recovery happened
(except using the luksDump command). The attack can also be reversed
afterward (simulating crashed encryption from a plaintext) with
possible modification of revealed plaintext.
The size of possible decrypted data depends on configured LUKS2 header
size (metadata size is configurable for LUKS2).
With the default parameters (16 MiB LUKS2 header) and only one
allocated keyslot (512 bit key for AES-XTS), simulated decryption with
checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks),
the maximal decrypted size can be over 3GiB.
The attack is not applicable to LUKS1 format, but the attacker can
update metadata in place to LUKS2 format as an additional step.
For such a converted LUKS2 header, the keyslot area is limited to
decrypted size (with SHA1 checksums) over 300 MiB.
The issue is present in all cryptsetup releases since 2.2.0.
Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not
contain LUKS2 reencryption extension.
The problem was caused by reusing a mechanism designed for actual
reencryption operation without reassessing the security impact for new
encryption and decryption operations. While the reencryption requires
calculating and verifying both key digests, no digest was needed to
initiate decryption recovery if the destination is plaintext (no
encryption key). Also, some metadata (like encryption cipher) is not
protected, and an attacker could change it. Note that LUKS2 protects
visible metadata only when a random change occurs. It does not protect
against intentional modification but such modification must not cause
a violation of data confidentiality.
The fix introduces additional digest protection of reencryption
metadata. The digest is calculated from known keys and critical
reencryption metadata. Now an attacker cannot create correct metadata
digest without knowledge of a passphrase for used keyslots.
For more details, see LUKS2 On-Disk Format Specification version 1.1.0.
The former reencryption operation (without the additional digest) is no
longer supported (reencryption with the digest is not backward
compatible). You need to finish in-progress reencryption before
updating to new packages. The alternative approach is to perform
a repair command from the updated package to recalculate reencryption
digest and fix metadata.
The reencryption repair operation always require a user passphrase.
WARNING: Devices with older reencryption in progress can be no longer
activated without performing the action mentioned above.
Encryption in progress can be detected by running the luksDump command
(output includes reencrypt keyslot with reencryption parameters). Also,
during the active reencryption, no keyslot operations are available
(change of passphrases, etc.).
The issue was found by Milan Broz as cryptsetup maintainer.
Other changes
~~~~~~~~~~~~~
* Add configure option --disable-luks2-reencryption to completely disable
LUKS2 reencryption code.
When used, the libcryptsetup library can read metadata with
reencryption code, but all reencryption API calls and cryptsetup
reencrypt commands are disabled.
Devices with online reencryption in progress cannot be activated.
This option can cause some incompatibilities. Please use with care.
* Improve internal metadata validation code for reencryption metadata.
* Add updated documentation for LUKS2 On-Disk Format Specification
version 1.1.0 (with reencryption extension description and updated
metadata description). See docs/on-disk-format-luks2.pdf or online
version in https://gitlab.com/cryptsetup/LUKS2-docs repository.
* Fix support for bitlk (BitLocker compatible) startup key with new
metadata entry introduced in Windows 11.
* Fix space restriction for LUKS2 reencryption with data shift.
The code required more space than was needed.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup 2.4.1 Release Notes
==============================
Stable bug-fix release with minor extensions.
All users of cryptsetup 2.4.0 should upgrade to this version.
Changes since version 2.4.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Fix compilation for libc implementations without dlvsym().
Some alternative libc implementations (like musl) do not provide
versioned symbols dlvsym function. Code now fallbacks to dlsym
operation for dynamic LUKS2 token load.
It is up to maintainers to ensure that LUKS2 token plugins are
compiled for the supported version.
* Fix compilation and tests on systems with non-standard libraries
(standalone argp library, external gettext library, BusyBox
implementations of standard tools).
* Try to workaround some issues on systems without udev support.
NOTE: non-udev systems cannot provide all functionality for kernel
device-mapper, and some operations can fail.
* Fixes for OpenSSL3 crypto backend (including FIPS mode).
Because cryptsetup still requires some hash functions implemented
in OpenSSL3 legacy provider, crypto backend now uses its library
context and tries to load both default and legacy OpenSSL3 providers.
If FIPS mode is detected, no library context is used, and it is up
to the OpenSSL system-wide policy to load proper providers.
NOTE: We still use some deprecated API in the OpenSSL3 backend,
and there are some known problems in OpenSSL 3.0.0.
* Print error message when assigning a token to an inactive keyslot.
* Fix offset bug in LUKS2 encryption code if --offset option was used.
* Do not allow LUKS2 decryption for devices with data offset.
Such devices cannot be used after decryption.
* Fix LUKS1 cryptsetup repair command for some specific problems.
Repair code can now fix wrongly used initialization vector
specification in ECB mode (that is insecure anyway!) and repair
the upper-case hash specification in the LUKS1 header.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Without the udevrules cryptsetup luksOpen will be hanging with "Udev
cookie 0xd4de0f6 (semid 5) waiting for zero".
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Otherwise cryptsetup-native depends on the target kernel and thus the
target compiler, as can be seen by:
$ bitbake -g cryptsetup-native
$ grep 'cryptsetup.*linux-yocto' task-depends.dot
"cryptsetup-native.do_build" -> "linux-yocto.do_deploy"
"cryptsetup-native.do_build" -> "linux-yocto.do_package_write_rpm"
"cryptsetup-native.do_populate_sysroot" -> "linux-yocto.do_populate_sysroot"
$ grep 'linux-yocto.*gcc-cross' task-depends.dot
"linux-yocto.do_kernel_configme" -> "gcc-cross-x86_64.do_populate_sysroot"
"linux-yocto.do_prepare_recipe_sysroot" -> "gcc-cross-x86_64.do_populate_sysroot"
This also moves the runtime dependencies to near the end of the recipe,
which is more customary.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The util-linux recipe in Poky has been split, and libuuid is separate now:
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=d42487bf52310d095178e480b7ddec2666471009
This allows to build util-linux with cryptsetup, for native dm-verity
support.
The main cryptsetup build needs libuuid and not the full util-linux, so
switch the build-dependency over, thus allowing users to enable the
cryptsetup util-linux's PACKAGECONFIG.
The libblkid dependency is handled individually by the crypsetup's
PACKAGECONFIG option.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since commit [libdevmapper/lvm2: force recipe libdevmapper to populate
sysroot only] applied, if recipe DEPENDS on libdevmapper, we have to
add it to packages RDEPENDS to fix [file-rdeps] QA issue
Set PREFERRED_RPROVIDER_libdevmapper = "lvm2" in layer.conf to explicit
RDEPENDS on libdevmapper in cryptsetup
Suggested-by : peter.kjellerstedt@axis.com
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Since commit [libdevmapper/lvm2: force recipe libdevmapper to populate
sysroot only] applied, if recipe DEPENDS on libdevmapper, we have to
add it to packages RDEPENDS to fix [file-rdeps] QA issue
Skip [build-deps] and [file-rdeps] QA checking, add lvm2 to DEPENDS will
triger circular dependencies, use recipe libdevmapper to replace,
ignore the QA checking is fine.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The cryptsetup 2.1 uses LUKS2 format as the default LUKS format. This
change introduced the following issues:
* LUKS2 requires kernel userspace crypto API to be available
(CONFIG_CRYPTO_USER_API and CONFIG_CRYPTO_USER_API_SKCIPHER). But
linux-yocto doesn't enable these options by default. If missing these
kernel modules, the cryptsetup will fall back to using dmcrypt-device
for keyslot processing.
$ cryptsetup --debug --type luks luksFormat /dev/sda3
[snip]
Checking if cipher aes-xts-plain64 is usable.
Userspace crypto wrapper cannot use aes-xts-plain64 (-95).
Using dmcrypt to access keyslot area.
[snip]
* The grub can not decrypt a LUKS2 encrypted boot partition because it
doesn't support LUKS2 now.
See grub bug: https://savannah.gnu.org/bugs/?55093
Add a PACKAGCONFIG for luks format and set the default LUKS format to
LUKS1. The users can specify '--type luks2' in cryptsetup command line
if they want to use LUKS2.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When building cryptsetup-native, don't enable udev support since there
is not a udev-native recipe.
When udev is enabled, change the dependency from a DEPENDS to an
RDEPENDS. The --enable-udev option adds a runtime check for udev before
using udev features of libdevmapper. Because of this, udev isn't needed
at build time, just runtime.
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Reviewed-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Instead of hardcoding the version in SRC_URI,
get the version for the folder of the source
dynamically in SRC_URI.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Update the homepage to https://gitlab.com/cryptsetup/cryptsetup
* Add json-c to DEPENDS as cryptsetup requires the
json-c library for JSON data processing since cryptsetup
2.0.0 per "The LUKS2 format and features" part of
https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.0/v2.0.0-ReleaseNotes
* Add file /usr/lib/tmpfiles.d/cryptsetup.conf to
FILES_${PN} when systemd enabled in DISTRO_FEATURES
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
