ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2)

Browse Source 
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation.
 This is a critical feature for the Qubes OS 4.2 release for added data at rest protection

Cryptsetup 2.6.x internal changes:
 - Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots.
  - This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt
  - OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs.
 - passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted)
 - reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree)

cryptsetup 2.6.1 requires:
 - lvm2 2.03.23, which is also included in this PR.
   - requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in)
   - requires util-linux 2.39
 - patches for reproducible builds are included for above 3 packages.

luks-functions was updated to support the new cryptsetup2 version calls/changes
 - reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues
   - from tests, this is best for performance and reliability in single-user mode
 - LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early.
  - Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically.
  - If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK
 - Reencryption: requires to know which key slot to reencrypt.
   - Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call
 - Passphrase change: no slot can be passed, but key slot of DRK rotates.

kexec-seal-key
 - TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31)
  - If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically
    - This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots.
      - If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys.
      - It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used?
        - Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31)
          - But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic.
  - LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions.

TODO:
- async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
  - this could be subject to future work

Notes:
- time to deprecated legacy boards the do not enough space for the new space requirements
 - x230-legacy, x230-legacy-flash, x230-hotp-legacy
 - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated

Unrelated:
- typos fixes found along the way

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-08-16 15:20:11 -04:00
parent 0679b75e1d
commit 0cef8e1edc
17 changed files with 1360 additions and 466 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
initrd/bin/kexec-save-default
View File

@ -218,16 +218,17 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
save_key="y"
fi
else
DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Encryption Key to the TPM"
DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Unlock Key (DUK) to the TPM"
read \
-n 1 \
-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
-p "Do you wish to add a disk encryption key to the TPM [y/N]: " \
add_key_confirm
#TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more?
echo
if [ "$add_key_confirm" = "y" \
-o "$add_key_confirm" = "Y" ]; then
DEBUG "User confirmed desire to add a Disk Encryption Key to the TPM"
DEBUG "User confirmed desire to add a Disk Unlock Key (DUK) to the TPM"
save_key="y"
fi
fi

225
initrd/bin/kexec-seal-key
View File

@ -1,15 +1,33 @@
#!/bin/bash
# This will generate a disk encryption key and seal / ecncrypt
# This will generate a disk encryption key and seal / encrypt
# with the current PCRs and then store it in the TPM NVRAM.
# It will then need to be bundled into initrd that is booted.
set -e -o pipefail
. /etc/functions
find_drk_key_slot() {
local temp_drk_key_slot=""
local keyslot
for keyslot in "${luks_used_keyslots[@]}"; do
if [ -z "$temp_drk_key_slot" ]; then
DEBUG "Testing LUKS key slot $keyslot against $DISK_RECOVERY_KEY_FILE for Disk Recovery Key slot..."
if DO_WITH_DEBUG cryptsetup open --test-passphrase --key-slot "$keyslot" --key-file "$DISK_RECOVERY_KEY_FILE" "$dev"; then
temp_drk_key_slot="$keyslot"
DEBUG "Disk Recovery key slot is $temp_drk_key_slot"
break
fi
fi
done
echo "$temp_drk_key_slot"
}
TPM_INDEX=3
TPM_SIZE=312
KEY_FILE="/tmp/secret/secret.key"
DUK_KEY_FILE="/tmp/secret/secret.key"
TPM_SEALED="/tmp/secret/secret.sealed"
RECOVERY_KEY="/tmp/secret/recovery.key"
DISK_RECOVERY_KEY_FILE="/tmp/secret/recovery.key"
. /etc/functions
. /tmp/config
@ -23,11 +41,12 @@ fi
KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
KEY_LVM="$paramsdir/kexec_key_lvm.txt"
key_devices=$(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')
if [ ! -r "$KEY_DEVICES" ]; then
die "No devices defined for disk encryption"
else
DEBUG "Devices defined for disk encryption: $(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')"
DEBUG "Devices defined for disk encryption: $key_devices"
fi
if [ -r "$KEY_LVM" ]; then
@ -44,92 +63,160 @@ fi
DEBUG "$(pcrs)"
# LUKS Key slot 0 is the manual recovery pass phrase
# that they user entered when they installed OS,
# key slot 1 is the one that we've generated.
read -s -p "Enter LUKS Disk Recovery Key/passphrase: " disk_password
echo -n "$disk_password" >"$RECOVERY_KEY"
echo
read -s -p "New LUKS TPM Disk Unlock Key passphrase for booting: " key_password
echo
read -s -p "Repeat LUKS TPM Disk Unlock Key passphrase for booting: " key_password2
echo
luks_drk_passphrase_valid=0
for dev in $key_devices ; do
attempts=0
while [ $attempts -lt 3 ]; do
if [ "$luks_drk_passphrase_valid" == "0" ]; then
# Ask for the passphrase only once
read -s -p "Enter LUKS Disk Recovery Key (DRK) passphrase that can unlock: $key_devices: " disk_recovery_key_passphrase
#Using he provided passphrase as the DRK "keyfile" for unattended operations
echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE"
echo
fi
if [ "$key_password" != "$key_password2" ]; then
die "Key passphrases do not match"
fi
DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile created from provided passphrase against $dev individual key slots"
if cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then
DEBUG "LUKS device $dev unlocked successfully with the DRK passphrase"
luks_drk_passphrase_valid=1
break
else
attempts=$((attempts + 1))
if [ "$attempts" == "3" ] && [ "$luks_drk_passphrase_valid" == "0" ]; then
die "Failed to unlock LUKS device $dev with the provided passphrase. Exiting..."
elif [ "$attempts" != "3" ] && [ "$luks_drk_passphrase_valid" == "1" ]; then
#We failed unlocking with DRK passphrase another LUKS container
die "LUKS device $key_devices cannot all be unlocked with same passphrase. Please make $key_devices devices unlockable with the same passphrase. Exiting"
else
warn "Failed to unlock LUKS device $dev with the provided passphrase. Please try again."
fi
fi
done
done
attempts=0
while [ $attempts -lt 3 ]; do
read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password
echo
read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
echo
if [ "$key_password" != "$key_password2" ]; then
attempts=$((attempts + 1))
if [ "$attempts" == "3" ]; then
die "Disk Unlock Key passphrases do not match. Exiting..."
else
warn "Disk Unlock Key passphrases do not match. Please try again."
fi
else
break
fi
done
# Generate key file
echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase"
dd \
if=/dev/urandom \
of="$KEY_FILE" \
of="$DUK_KEY_FILE" \
bs=1 \
count=128 \
2>/dev/null ||
die "Unable to generate 128 random bytes"
# Count the number of slots used on each device
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
DEBUG "Checking number of slots used on $dev LUKS header"
#check if the device is a LUKS device with luks[1,2]
# Get the number of key slots used on the LUKS header.
# LUKS1 Format is :
# Slot 0: ENABLED
# Slot 1: ENABLED
# Slot 2: DISABLED
# Slot 3: DISABLED
#...
# Slot 7: DISABLED
# Luks2 only reports on enabled slots.
# luks2 Format is :
# 0: luks2
# 1: luks2
# Meaning that the number of slots used is the number of lines returned by a grep on the LUKS2 above format.
# We need to count the number of ENABLED slots for both LUKS1 and LUKS2
# create regex pattern for both LUKS1 and LUKS2
regex="Slot [0-9]*: ENABLED"
regex+="\|"
regex+="[0-9]*: luks2"
slots_used=$(cryptsetup luksDump "$dev" | grep -c "$regex" || die "Unable to get number of slots used on $dev")
DEBUG "Number of slots used on $dev LUKS header: $slots_used"
# If slot1 is the only one used, warn and die with proper messages
if [ "$slots_used" -eq 1 ]; then
# Check if slot 1 is the only one existing
if [ "$(cryptsetup luksDump "$dev" | grep -c "Slot 1: ENABLED")" -eq 1 ] || [ "$(cryptsetup luksDump "$dev" | grep -c "1: luks2")" -eq 1 ]; then
warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store LUKS Disk Recovery Key/passphrase"
die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev"
previous_luks_header_version=0
for dev in $key_devices; do
# Check and store LUKS version of the devices to be used later
luks_version=$(cryptsetup luksDump "$dev" | grep "Version" | cut -d: -f2 | tr -d '[:space:]')
if [ "$luks_version" == "2" ] && [ "$previous_luks_header_version" == "1" ]; then
die "$dev: LUKSv2 device detected while LUKSv1 device was detected previously. Exiting..."
fi
if [ "$luks_version" == "1" ] && [ "$previous_luks_header_version" == "2" ]; then
die "$dev: LUKSv1 device detected while LUKSv2 device was detected previously. Exiting..."
fi
if [ "$luks_version" == "2" ]; then
# LUKSv2 last key slot is 31
duk_keyslot=31
regex="^\s+([0-9]+):\s*luks2"
sed_command="s/^\s\+\([0-9]\+\):\s*luks2/\1/g"
previous_luks_header_version=2
DEBUG "$dev: LUKSv2 device detected"
elif [ "$luks_version" == "1" ]; then
# LUKSv1 last key slot is 7
duk_keyslot=7
regex="Key Slot ([0-9]+): ENABLED"
sed_command='s/Key Slot \([0-9]\+\): ENABLED/\1/'
previous_luks_header_version=1
DEBUG "$dev: LUKSv1 device detected"
else
DEBUG "Slot 1 is not the only existing slot on $dev LUKS header."
DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase"
die "$dev: Unsupported LUKS version $luks_version"
fi
done
# Remove all the old keys from slot 1
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
echo "++++++ $dev: Removing old LUKS TPM Disk Unlock Key in LUKS slot 1"
cryptsetup luksKillSlot \
--key-file "$RECOVERY_KEY" \
$dev 1 ||
warn "$dev: removal of LUKS TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing"
# drk_key_slot will be the slot number where the passphrase was tested against as valid. We will keep that slot
drk_key_slot="-1"
echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS slot 1"
cryptsetup luksAddKey \
--key-file "$RECOVERY_KEY" \
--key-slot 1 \
$dev "$KEY_FILE" ||
die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS slot 1"
# Get all the key slots that are used on $dev
luks_used_keyslots=($(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command"))
DEBUG "$dev LUKS key slots: ${luks_used_keyslots[*]}"
#Find the key slot that can be unlocked with the provided passphrase
drk_key_slot=$(find_drk_key_slot)
# If we didn't find the DRK key slot, we exit (this should never happen)
if [ "$drk_key_slot" == "-1" ]; then
die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..."
fi
# If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe
for keyslot in "${luks_used_keyslots[@]}"; do
if [ "$keyslot" != "$drk_key_slot" ]; then
#set wipe_desired to no by default
wipe_desired="no"
if [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" == "1" ]; then
wipe_desired="yes"
DEBUG "LUKS key slot $keyslot not DRK. Will wipe this DUK key slot silently"
elif [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" != "$duk_keyslot" ]; then
# Heads expects key slot LUKSv1:7 or LUKSv2:31 to be used for TPM DUK setup.
# Ask user to confirm otherwise
warn "LUKS key slot $keyslot is not typical ($duk_keyslot expected) for TPM Disk Unlock Key setup"
read -p "Are you sure you want to wipe it? [y/N] " -n 1 -r
echo
# If user does not confirm, skip this slot
if [[ $REPLY =~ ^[Yy]$ ]]; then
wipe_desired="yes"
fi
elif [ "$keyslot" == "$duk_keyslot" ]; then
# If key slot is the expected DUK keyslot, we wipe it silently
DEBUG "LUKS key slot $keyslot is the expected DUK key slot. Will wipe this DUK key slot silently"
wipe_desired="yes"
fi
if [ "$wipe_desired" == "yes" ] && [ "$keyslot" != "$drk_key_slot" ]; then
echo "++++++ $dev: Wiping LUKS key slot $keyslot"
DO_WITH_DEBUG cryptsetup luksKillSlot \
--key-file "$DISK_RECOVERY_KEY_FILE" \
$dev $keyslot ||
warn "$dev: removal of LUKS slot $keyslot failed: Continuing"
fi
fi
done
echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot"
DO_WITH_DEBUG cryptsetup luksAddKey \
--key-file "$DISK_RECOVERY_KEY_FILE" \
--new-key-slot $duk_keyslot \
$dev "$DUK_KEY_FILE" ||
die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot"
done
# Now that we have setup the new keys, measure the PCRs
# We don't care what ends up in PCR 6; we just want
# to get the /tmp/luksDump.txt file. We use PCR16
# since it should still be zero
cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks ||
echo "$key_devices" | xargs /bin/qubes-measure-luks ||
die "Unable to measure the LUKS headers"
pcrf="/tmp/secret/pcrf.bin"
@ -155,13 +242,13 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
tpmr pcrread -a 7 "$pcrf"
DO_WITH_DEBUG --mask-position 7 \
tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
tpmr seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
"$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM"
# should be okay if this fails
shred -n 10 -z -u "$pcrf" 2>/dev/null ||
warn "Failed to delete pcrf file - continuing"
shred -n 10 -z -u "$KEY_FILE" 2>/dev/null ||
shred -n 10 -z -u "$DUK_KEY_FILE" 2>/dev/null ||
warn "Failed to delete key file - continuing"
mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing"

25
initrd/bin/oem-factory-reset
View File

@ -44,6 +44,12 @@ GPG_ALGO="RSA"
# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
RSA_KEY_LENGTH=3072
#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes
if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then
DEBUG "Overriding RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards"
RSA_KEY_LENGTH=2048
fi
GPG_USER_NAME="OEM Key"
GPG_KEY_NAME=$(date +%Y%m%d%H%M%S)
GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com"
@ -266,20 +272,20 @@ keytocard_subkeys_to_smartcard() {
{
echo "key 1" #Toggle on Signature key in --edit-key mode on local keyring
echo "keytocard" #Move Signature key to smartcard
echo "1" #Select Signature key keyslot on smartcard
echo "1" #Select Signature key key slot on smartcard
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "0" #No expiration date
echo "key 1" #Toggle off Signature key
echo "key 2" #Toggle on Encryption key
echo "keytocard" #Move Encryption key to smartcard
echo "2" #Select Encryption key keyslot on smartcard
echo "2" #Select Encryption key key slot on smartcard
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "key 2" #Toggle off Encryption key
echo "key 3" #Toggle on Authentication key
echo "keytocard" #Move Authentication key to smartcard
echo "3" #Select Authentication key keyslot on smartcard
echo "3" #Select Authentication key slot on smartcard
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "key 3" #Toggle off Authentication key
@ -383,6 +389,7 @@ export_public_key_to_thumbdrive_public_partition() {
#pass non-empty arguments to --pass, --mountpoint, --device, --mode
mount-usb --device "$device" --mode "$mode" --mountpoint "$mountpoint" || die "Error mounting thumb drive's public partition"
#TODO: reuse "Obtain GPG key ID" so that pubkey on public thumb drive partition is named after key ID
gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition"
umount "$mountpoint" || die "Error unmounting thumb drive's public partition"
@ -879,6 +886,7 @@ report_integrity_measurements
clear
#Prompt user for use of default configuration options
TRACE_FUNC
echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: "
read -n 1 use_defaults
@ -907,6 +915,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo
if [ "$prompt_output" == "y" \
-o "$prompt_output" == "Y" ]; then
TRACE_FUNC
test_luks_current_disk_recovery_key_passphrase
luks_new_Disk_Recovery_Key_desired=1
echo -e "\n"
@ -970,8 +979,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo
if [ "$prompt_output" == "y" \
-o "$prompt_output" == "Y" ]; then
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
echo
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length."
while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
echo -e -n "Enter the custom password: "
read CUSTOM_SINGLE_PASS
@ -999,8 +1007,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
read TPM_PASS
done
fi
while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
echo -e -n "Enter desired GPG Admin PIN: "
read ADMIN_PIN
done
@ -1028,6 +1036,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
}
done
#We test that current LUKS Disk Recovery Key passphrase is known prior of going further
TRACE_FUNC
test_luks_current_disk_recovery_key_passphrase
echo -e "\n"
fi
@ -1147,8 +1156,8 @@ fi
if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested
luks_change_passphrase
luks_reencrypt
luks_change_passphrase
elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Reencryption of disk was requested but not passphrase change
luks_reencrypt

3
initrd/etc/gui_functions
View File

@ -37,6 +37,7 @@ mount_usb()
# -- Display related functions --
# Produce a whiptail prompt with 'warning' background, works for fbwhiptail and newt
whiptail_warning() {
#TODO: Cannot be called as is under luks_functions with string expension in title: why?
if [ -x /bin/fbwhiptail ]; then
whiptail $BG_COLOR_WARNING "$@"
else
@ -46,6 +47,7 @@ whiptail_warning() {
# Produce a whiptail prompt with 'error' background, works for fbwhiptail and newt
whiptail_error() {
#TODO: Cannot be called as is under luks_functions with string expension in title: why?
if [ -x /bin/fbwhiptail ]; then
whiptail $BG_COLOR_ERROR "$@"
else
@ -55,6 +57,7 @@ whiptail_error() {
# Produce a whiptail prompt of the given type - 'error', 'warning', or 'normal'
whiptail_type() {
TRACE_FUNC
local TYPE="$1"
shift
case "$TYPE" in

294
initrd/etc/luks-functions
View File

@ -7,6 +7,7 @@
#List all LUKS devices on the system
list_luks_devices() {
TRACE_FUNC
#generate a list of devices to choose from that contain a LUKS header
lvm vgscan || true
blkid | cut -d ':' -f 1 | while read device; do
@ -267,12 +268,15 @@ prepare_thumb_drive()
select_luks_container()
{
#TODO: extend logic to prompt for block devices with model if multiple LUKS are found on block device instead of partitions
# Then feed luks with those partitions so that reencrypt and passphrase change can use passphrase to test all selected
TRACE_FUNC
if [ -s /boot/kexec_key_devices.txt ]; then
DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)"
LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt)
else
DEBUG "LUKS container device: $(echo $LUKS)"
# LUKS variable not exported yet, prompt for LUKS device
elif [ -z "$LUKS" ]; then
list_luks_devices > /tmp/luks_devices.txt
#if /tmp/luks_devices.txt exists and is not empty
if [ -s /tmp/luks_devices.txt ]; then
@ -280,11 +284,21 @@ select_luks_container()
if [ "$FILE" == "" ]; then
return 1
else
#TODO: What about BRTFS multi LUKS setup of QubesOS?
# if multiple LUKS containers are found on same block device
# select all of the luks containers on same block device instead of just one
# note that block devices for example under /dev/sda will be /dev/sda1, /dev/sda2, etc
# so we need to select all of the partitions on the same block device from /tmp/luks_devices.txt
# and then export them to LUKS variable
# then reencrypt and passphrase change functions will loop on all of the LUKS containers
# and test passphrase on all of them
if grep -q "$(echo $FILE | sed 's/[0-9]*$//')" /tmp/luks_devices.txt; then
DEBUG "Multiple LUKS containers found on same block device, selecting them all"
LUKS=$(grep $(echo $FILE | sed 's/[0-9]*$//') /tmp/luks_devices.txt)
else
DEBUG "Single LUKS container found on block device, assigning to LUKS variable"
LUKS=$FILE
detect_boot_device
mount -o remount,rw /boot
echo "$LUKS $(cryptsetup luksUUID $LUKS)" >/boot/kexec_key_devices.txt
mount -o remount,ro /boot
fi
fi
else
warn "No encrypted device found"
@ -295,41 +309,79 @@ select_luks_container()
test_luks_current_disk_recovery_key_passphrase()
{
#TODO: reuse/generalize usage of this function. Tests for LUKS are still done 4 times independently of this helper
TRACE_FUNC
while :; do
select_luks_container || return 1
# LUKS contains multiline string of LUKS containers on same block device
# transform it into words of a same string separated by space
PRINTABLE_LUKS=$(echo $LUKS)
TRACE_FUNC
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
# if no external provisioning provides current LUKS Disk Recovery Key passphrase
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup-reencrypt attempts
if [ $? -eq 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
# test all LUKS containers on same block device as returned by select_luks_container
echo -e "\n$PRINTABLE_LUKS: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
# Loop on all LUKS containers on same block device
for luks_container in $LUKS; do
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
# Validate past cryptsetup reencrypt attempts
if [ $? -ne 0 ]; then
# if we have more than one LUKS container and passphrase test unsuccessful, tell user how to change passphrase
if [ $(echo $LUKS | wc -w) -gt 1 ]; then
#TODO remove this once whiptail_error whiptail_warning can take titles with double quotes
#whiptail_warning --title 'tes' --msgbox 'test' 0 80
#whiptail_error --title 'error' --msgbox 'error' 0 80
#Neither work today. Not related to this PR... Using whiptail without coloring.
msg=$(echo -e "All $PRINTABLE_LUKS must unlock with the same Disk Recovery Key passphrase for the current operation to succeed.\n\nTo change individual LUKS container passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s)
whiptail --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \
--msgbox "$msg" 0 80
TRACE_FUNC
luks_secrets_cleanup
die "$PRINTABLE_LUKS individual containers NEED to share the same Disk Recovery Key passphrase"
# We exited to caller, LUKS still set. TODO: problem? Should we call all cleaning functions on die?
fi
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
# remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
# maybe the container was not the right one
unset LUKS
else
#LuksOpen test was successful. Cleanup should be called only when done
#Exporting successfully used passphrase possibly reused by oem-factory-reset
# LuksOpen test was successful. Cleanup should be called only when done
# Exporting successfully used passphrase possibly reused by oem-factory-reset
echo "$luks_container: unlocking LUKS container with current Disk Recovery Key passphrase successful"
#We close the volume
cryptsetup close test
# Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_current_Disk_Recovery_Key_passphrase
fi
done
# exit while loop if LUKS variable is not empty
if [ -n "$LUKS" ]; then
# We export the LUKS volume(s) that was/were validated via passphrase test
export LUKS
TRACE_FUNC
DEBUG "$LUKS exported to be reused"
break;
fi
done
@ -337,12 +389,16 @@ test_luks_current_disk_recovery_key_passphrase()
luks_reencrypt() {
TRACE_FUNC
while :; do
#TODO: REFACTOR This and luks passphrase change function needs to loop on same drive discovered luks containers so that reencrypt/passwd change is done on all luks containers of same drive
# Ideal would be to list luks devices and then try keep and append LUKS devices to a list of devices to reencrypt or change passphrase
# then loop on that list of devices that could be opened and reencrypt/change passphrase for all the devices that could be tested opened with that passphrase
select_luks_container || return 1
#If the user just set a new LUKS Disk Recovery Key passphrase
if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase"
fi
# Count the number of containers to be reencrypted
num_containers=$(echo "$LUKS" | wc -w)
reencrypted_containers=0
while [ $reencrypted_containers -lt $num_containers ]; do
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
@ -351,97 +407,185 @@ luks_reencrypt() {
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup-reencrypt attempts
if [ $(echo $?) -ne 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase
# Split the $LUKS variable into an array of LUKS containers
luks_containers=($LUKS)
TRACE_FUNC
DEBUG "luks_containers: $luks_containers"
# Loop through each LUKS container
for luks_container in "${luks_containers[@]}"; do
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
# Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
# Maybe the container was not the right one
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
unset LUKS
continue
fi
done
DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key"
for luks_container in "${luks_containers[@]}"; do
# First obtain which luks1/luks2 key-slot can be unlocked with the key-file
DRK_KEYSLOT=-1
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
for i in $(seq 0 31); do
if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
DRK_KEYSLOT=$i
DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop"
break
fi
done
# Validate if a key slot was found
if [ $DRK_KEYSLOT -eq -1 ]; then
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
# Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
# Maybe the container was not the right one
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
unset LUKS
continue
fi
# Now reencrypt the LUKS container with the same key slot
# Warn and launch actual reencryption
echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..."
warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS"
# --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+
# bypassing dm-crypt queues.
# Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518
# --resilience=none disables the resilience feature of cryptsetup, which is enabled by default
# --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device)
# --disable-locks disables the lock feature of cryptsetup, which is enabled by default
if ! DO_WITH_DEBUG cryptsetup reencrypt \
--perf-no_read_workqueue --perf-no_write_workqueue \
--resilience=none --force-offline-reencrypt --disable-locks \
"$luks_container" --key-slot "$DRK_KEYSLOT" \
--key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
TRACE_FUNC
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
unset LUKS
else
#Reencryption was successful. Cleanup should be called only when done
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_current_Disk_Recovery_Key_passphrase
break;
export LUKS
# Increment the count of reencrypted containers
reencrypted_containers=$((reencrypted_containers + 1))
fi
done
done
}
luks_change_passphrase()
{
luks_change_passphrase() {
TRACE_FUNC
while :; do
select_luks_container || return 1
#if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file
# Count the number of containers to be processed
num_containers=$(echo "$LUKS" | wc -w)
changed_containers=0
# Split the $LUKS variable into an array of LUKS containers
IFS=' ' read -ra luks_containers <<< "$LUKS"
for luks_container in "${luks_containers[@]}"; do
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
{
read -r luks_new_Disk_Recovery_Key_passphrase
};done
done
fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
fi
export luks_current_Disk_Recovery_Key_passphrase
export luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
else
#If current and new LUKS Disk Recovery Key were exported
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup attempts
if [ $(echo $?) -ne 0 ]; then
#Cryptsetup luksChangeKey was unsuccessful
whiptail --title 'Invalid LUKS passphrase?' --msgbox \
"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 30 60
unset luks_current_Disk_Recovery_Key_passphrase
unset luks_new_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
else
#Cryptsetup was successful.
#Cleanup should be called seperately.
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_new_Disk_Recovery_Key_passphrase
break;
luks_secrets_cleanup
unset LUKS
continue
fi
echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase; then
whiptail --title 'Failed to change LUKS passphrase' --msgbox \
"Failed to change the passphrase for $luks_container.\nPlease try again." 0 80
continue
fi
echo "Success changing passphrase for $luks_container."
changed_containers=$((changed_containers + 1))
done
if [ $changed_containers -eq $num_containers ]; then
# All containers processed successfully
luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase
export luks_current_Disk_Recovery_Key_passphrase
export luks_new_Disk_Recovery_Key_passphrase
export LUKS
fi
}
luks_secrets_cleanup()
{
TRACE_FUNC
#Cleanup
shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true
#Unset variables (when in same boot)
unset luks_current_Disk_Recovery_Key_passphrase
unset luks_new_Disk_Recovery_Key_passphrase
#TODO: refactor logic of selec_luks_conatainer, where to put
#unset LUKS
}

2
initrd/init
View File

@ -103,10 +103,12 @@ fi
#Specify whiptail background colors cues under FBWhiptail only
if [ -x /bin/fbwhiptail ]; then
DEBUG "fbwhiptail BG_COLOR_* exported"
export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}"
export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}"
export BG_COLOR_MAIN_MENU="normal"
else
DEBUG "whiptail TEXT_BG_COLOR_* exported"
export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}"
export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}"
export BG_COLOR_MAIN_MENU="normal"

17
modules/cryptsetup2
View File

@ -2,11 +2,11 @@ modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2
cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep)
cryptsetup2_version := 2.3.3
cryptsetup2_version := 2.6.1
cryptsetup2_dir := cryptsetup-$(cryptsetup2_version)
cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_hash := 3bca4ffe39e2f94cef50f6ea65acb873a6dbce5db34fc6bcefe38b6d095e82df
cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693
# Use an empty prefix so that the executables will not include the
# build path.
@ -16,9 +16,15 @@ cryptsetup2_configure := \
./configure \
--host $(MUSL_ARCH)-elf-linux \
--prefix "/" \
--disable-gcrypt-pbkdf2 \
--enable-internal-sse-argon2 \
--disable-rpath \
--enable-cryptsetup-reencrypt \
--disable-gcrypt-pbkdf2 \
--disable-ssh-token \
--disable-asciidoc \
--disable-nls \
--disable-selinux \
--disable-udev \
--disable-external-tokens \
--with-crypto_backend=kernel \
--with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d
@ -33,7 +39,6 @@ cryptsetup2_target := \
cryptsetup2_output := \
.libs/cryptsetup \
.libs/cryptsetup-reencrypt \
.libs/veritysetup \
cryptsetup2_libraries := \

19
modules/libaio Normal file
View File

@ -0,0 +1,19 @@
modules-$(CONFIG_LVM2) += libaio
libaio_version := 0.3.113
libaio_dir := libaio-$(libaio_version)
libaio_tar := libaio_$(libaio_version).orig.tar.gz
libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar)
libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b
libaio_target := \
DESTDIR="$(INSTALL)" \
prefix="/" \
$(CROSS_TOOLS) \
install \
&& mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \
libaio_libraries:= src/libaio.so.1
libaio_depends := $(musl_dep)

42
modules/lvm2
View File

@ -1,37 +1,39 @@
modules-$(CONFIG_LVM2) += lvm2
lvm2_version := 2.02.168
lvm2_version := 2.03.23
lvm2_dir := lvm2.$(lvm2_version)
lvm2_tar := LVM2.$(lvm2_version).tgz
lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar)
lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d
lvm2_hash := 74e794a9e9dee1bcf8a2065f65b9196c44fdf321e22d63b98ed7de8c9aa17a5d
# cross compiling test assumes malloc/realloc aren't glibc compat
# so we force it via the configure cache.
lvm2_configure := \
$(CROSS_TOOLS) \
CFLAGS="-Os" \
PKG_CONFIG=/bin/false \
MODPROBE_CMD=/bin/false \
ac_cv_func_malloc_0_nonnull=yes \
ac_cv_func_realloc_0_nonnull=yes \
./configure \
--host $(MUSL_ARCH)-elf-linux \
--prefix "/" \
--disable-blkid_wiping \
--disable-cache_check_needs_check \
--disable-cmirrord \
--disable-dmeventd \
--disable-lvmetad \
--disable-lvmpolld \
--disable-realtime \
--prefix "" \
--libexecdir "/bin" \
--with-optimisation=-Os \
--enable-devmapper \
--disable-selinux \
--disable-thin_check_needs_check \
--disable-udev-systemd-background-jobs \
--disable-use-lvmetad \
--without-systemd \
--disable-lvmimportvdo \
--disable-realtime \
--disable-dmfilemapd \
--disable-dmeventd \
--disable-lvmpolld \
--disable-readline \
--disable-udev_sync \
--enable-static_link \
--disable-use-lvmlockd \
--disable-use-lvmpolld \
--enable-devmapper \
--disable-dmfilemapd \
--disable-cmirrord \
--disable-cache_check_needs_check \
--disable-thin_check_needs_check \
--with-cluster=none \
--with-thin-check= \
@ -49,10 +51,10 @@ lvm2_target := \
DESTDIR="$(INSTALL)" \
install_device-mapper \
lvm2_libraries := libdm/libdevmapper.so.1.02
lvm2_libraries := libdm/ioctl/libdevmapper.so.1.02
lvm2_output := \
tools/dmsetup \
./libdm/dm-tools/dmsetup \
tools/lvm \
lvm2_depends := util-linux $(musl_dep)
lvm2_depends := util-linux libaio $(musl_dep)

6
modules/util-linux
View File

@ -1,10 +1,10 @@
modules-$(CONFIG_UTIL_LINUX) += util-linux
util-linux_version := 2.29.2
util-linux_version := 2.39
util-linux_dir := util-linux-$(util-linux_version)
util-linux_tar := util-linux-$(util-linux_version).tar.xz
util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.29/$(util-linux_tar)
util-linux_hash := accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe8e3
util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar)
util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb
util-linux_configure := \
$(CROSS_TOOLS) \

352
patches/cryptsetup2-2.3.3.patch → patches/cryptsetup2-2.6.1.patch
View File

@ -1,7 +1,7 @@
diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
--- cryptsetup-2.3.3-clean/configure 2020-06-10 14:05:45.784925972 +0200
+++ cryptsetup-2.3.3/configure 2020-06-10 14:12:03.811651237 +0200
@@ -10206,7 +10206,7 @@
diff -u -r cryptsetup-2.4.3-clean/configure cryptsetup-2.4.3/configure
--- cryptsetup-2.4.3-clean/configure 2022-01-13 17:24:34.000000000 +0800
+++ cryptsetup-2.4.3/configure 2022-01-16 14:08:37.088258763 +0800
@@ -11056,7 +11056,7 @@
hardcode_automatic=no
hardcode_direct=no
hardcode_direct_absolute=no
@ -10,7 +10,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=
hardcode_minus_L=no
hardcode_shlibpath_var=unsupported
@@ -10290,7 +10290,7 @@
@@ -11140,7 +11140,7 @@
# are reset later if shared libraries are not supported. Putting them
# here allows them to be overridden if necessary.
runpath_var=LD_RUN_PATH
@ -19,7 +19,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec='$wl--export-dynamic'
# ancient GNU ld didn't support --whole-archive et. al.
if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
@@ -10336,7 +10336,7 @@
@@ -11186,7 +11186,7 @@
;;
m68k)
archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
@ -28,7 +28,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
;;
esac
@@ -10356,7 +10356,7 @@
@@ -11206,7 +11206,7 @@
cygwin* | mingw* | pw32* | cegcc*)
# _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
# as there is no search path for DLLs.
@ -37,7 +37,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec='$wl--export-all-symbols'
allow_undefined_flag=unsupported
always_export_symbols=no
@@ -10386,7 +10386,7 @@
@@ -11236,7 +11236,7 @@
;;
os2*)
@ -46,7 +46,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
allow_undefined_flag=unsupported
shrext_cmds=.dll
@@ -10416,7 +10416,7 @@
@@ -11266,7 +11266,7 @@
interix[3-9]*)
hardcode_direct=no
hardcode_shlibpath_var=no
@ -55,7 +55,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec='$wl-E'
# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
# Instead, shared libraries are loaded at an image base (0x10000000 by
@@ -10492,7 +10492,7 @@
@@ -11342,7 +11342,7 @@
xlf* | bgf* | bgxlf* | mpixlf*)
# IBM XL Fortran 10.1 on PPC cannot create shared libs itself
whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
@ -64,7 +64,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
if test yes = "$supports_anon_versioning"; then
archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
@@ -10559,7 +10559,7 @@
@@ -11409,7 +11409,7 @@
# DT_RUNPATH tag from executables and libraries. But doing so
# requires that you compile everything twice, which is a pain.
if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
@ -73,7 +73,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
else
@@ -10588,7 +10588,7 @@
@@ -11438,7 +11438,7 @@
if test no = "$ld_shlibs"; then
runpath_var=
@ -82,7 +82,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec=
whole_archive_flag_spec=
fi
@@ -10706,7 +10706,7 @@
@@ -11556,7 +11556,7 @@
# path is not listed in the libpath. Setting hardcode_minus_L
# to unsupported forces relinking
hardcode_minus_L=yes
@ -91,7 +91,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=
fi
;;
@@ -10790,11 +10790,11 @@
@@ -11642,11 +11642,11 @@
aix_libpath=$lt_cv_aix_libpath_
fi
@ -105,7 +105,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
allow_undefined_flag="-z nodefs"
archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols"
else
@@ -10843,7 +10843,7 @@
@@ -11697,7 +11697,7 @@
aix_libpath=$lt_cv_aix_libpath_
fi
@ -114,7 +114,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Warning - without using the other run time loading flags,
# -berok will link without error, but may produce a broken library.
no_undefined_flag=' $wl-bernotok'
@@ -10883,7 +10883,7 @@
@@ -11737,7 +11737,7 @@
;;
m68k)
archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
@ -123,25 +123,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
;;
esac
@@ -10901,7 +10901,7 @@
case $cc_basename in
cl*)
# Native MSVC
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
always_export_symbols=yes
file_list_spec='@'
@@ -10942,7 +10942,7 @@
;;
*)
# Assume MSVC wrapper
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
# Tell ltmain to make .lib files, not .a files.
libext=lib
@@ -10993,7 +10993,7 @@
@@ -11847,7 +11847,7 @@
dgux*)
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
@ -150,7 +132,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_shlibpath_var=no
;;
@@ -11003,7 +11003,7 @@
@@ -11857,7 +11857,7 @@
# extra space).
freebsd2.2*)
archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
@ -159,16 +141,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -11019,7 +11019,7 @@
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
freebsd* | dragonfly*)
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_libdir_flag_spec=" "
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -11030,7 +11030,7 @@
@@ -11884,7 +11884,7 @@
else
archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
fi
@ -177,7 +150,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
hardcode_direct=yes
@@ -11047,7 +11047,7 @@
@@ -11901,7 +11901,7 @@
archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
fi
if test no = "$with_gnu_ld"; then
@ -186,7 +159,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
hardcode_direct=yes
hardcode_direct_absolute=yes
@@ -11124,7 +11124,7 @@
@@ -11979,7 +11979,7 @@
esac
fi
if test no = "$with_gnu_ld"; then
@ -195,7 +168,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
case $host_cpu in
@@ -11183,7 +11183,7 @@
@@ -12040,7 +12040,7 @@
archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
fi
archive_cmds_need_lc='no'
@ -204,7 +177,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
inherit_rpath=yes
link_all_deplibs=yes
@@ -11205,7 +11205,7 @@
@@ -12062,7 +12062,7 @@
else
archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
fi
@ -213,7 +186,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -11213,7 +11213,7 @@
@@ -12070,7 +12070,7 @@
newsos6)
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
hardcode_direct=yes
@ -222,7 +195,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
hardcode_shlibpath_var=no
;;
@@ -11229,11 +11229,11 @@
@@ -12086,11 +12086,11 @@
if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols'
@ -236,7 +209,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
fi
else
ld_shlibs=no
@@ -11241,7 +11241,7 @@
@@ -12098,7 +12098,7 @@
;;
os2*)
@ -245,7 +218,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
allow_undefined_flag=unsupported
shrext_cmds=.dll
@@ -11277,7 +11277,7 @@
@@ -12134,7 +12134,7 @@
archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
fi
archive_cmds_need_lc='no'
@ -254,7 +227,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
;;
@@ -11285,7 +11285,7 @@
@@ -12142,7 +12142,7 @@
if test yes = "$GCC"; then
allow_undefined_flag=' $wl-expect_unresolved $wl\*'
archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
@ -263,7 +236,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
else
allow_undefined_flag=' -expect_unresolved \*'
archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
@@ -11293,7 +11293,7 @@
@@ -12150,7 +12150,7 @@
$CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp'
# Both c and cxx compiler support -rpath directly
@ -272,7 +245,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
fi
archive_cmds_need_lc='no'
hardcode_libdir_separator=:
@@ -11322,7 +11322,7 @@
@@ -12179,7 +12179,7 @@
;;
esac
fi
@ -281,7 +254,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_shlibpath_var=no
case $host_os in
solaris2.[0-5] | solaris2.[0-5].*) ;;
@@ -11349,7 +11349,7 @@
@@ -12206,7 +12206,7 @@
else
archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
fi
@ -290,7 +263,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_direct=yes
hardcode_minus_L=yes
hardcode_shlibpath_var=no
@@ -11419,7 +11419,7 @@
@@ -12276,7 +12276,7 @@
allow_undefined_flag='$wl-z,nodefs'
archive_cmds_need_lc=no
hardcode_shlibpath_var=no
@ -299,7 +272,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=':'
link_all_deplibs=yes
export_dynamic_flag_spec='$wl-Bexport'
@@ -11436,7 +11436,7 @@
@@ -12293,7 +12293,7 @@
uts4*)
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
@ -308,7 +281,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_shlibpath_var=no
;;
@@ -11804,7 +11804,7 @@
@@ -12662,7 +12662,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
@ -317,7 +290,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -12094,16 +12094,16 @@
@@ -12952,16 +12952,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
@ -337,7 +310,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
esac
;;
@@ -12118,7 +12118,7 @@
@@ -12976,7 +12976,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
@ -346,7 +319,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
hpux9* | hpux10* | hpux11*)
@@ -12130,7 +12130,7 @@
@@ -12988,7 +12988,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
@ -355,7 +328,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -12146,7 +12146,7 @@
@@ -13004,7 +13004,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
@ -364,7 +337,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -12179,7 +12179,7 @@
@@ -13037,7 +13037,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -373,7 +346,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
irix5* | irix6* | nonstopux*)
@@ -12216,7 +12216,7 @@
@@ -13074,7 +13074,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
@ -382,7 +355,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -12237,11 +12237,11 @@
@@ -13095,11 +13095,11 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
@ -396,7 +369,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
# This must be glibc/ELF.
@@ -12292,7 +12292,7 @@
@@ -13153,7 +13153,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
@ -405,7 +378,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
@@ -12322,7 +12322,7 @@
@@ -13183,7 +13183,7 @@
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -414,7 +387,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker='NetBSD ld.elf_so'
;;
@@ -12341,7 +12341,7 @@
@@ -13202,7 +13202,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@ -423,7 +396,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
newsos6)
@@ -12359,7 +12359,7 @@
@@ -13220,7 +13220,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -432,7 +405,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker='ldqnx.so'
;;
@@ -12431,7 +12431,7 @@
@@ -13292,7 +13292,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@ -441,7 +414,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -12488,7 +12488,7 @@
@@ -13349,7 +13349,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@ -450,7 +423,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -12510,7 +12510,7 @@
@@ -13371,7 +13371,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -459,7 +432,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
uts4*)
@@ -13610,7 +13610,7 @@
@@ -14490,7 +14490,7 @@
acl_shlibext="$acl_cv_shlibext"
acl_libname_spec="$acl_cv_libname_spec"
acl_library_names_spec="$acl_cv_library_names_spec"
@ -468,7 +441,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
acl_hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator"
acl_hardcode_direct="$acl_cv_hardcode_direct"
acl_hardcode_minus_L="$acl_cv_hardcode_minus_L"
@@ -21296,7 +21296,7 @@
@@ -22538,7 +22538,7 @@
with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
@ -477,7 +450,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
@@ -21327,7 +21327,7 @@
@@ -22569,7 +22569,7 @@
postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
@ -486,7 +459,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`'
configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`'
@@ -22485,7 +22485,7 @@
@@ -23727,7 +23727,7 @@
finish_eval=$lt_finish_eval
# Whether we should hardcode library paths into libraries.
@ -495,7 +468,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Compile-time system search path for libraries.
sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
@@ -22582,7 +22582,7 @@
@@ -23824,7 +23824,7 @@
# Flag to hardcode \$libdir into a binary during linking.
# This must work even if \$libdir does not exist
@ -504,10 +477,10 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Whether we need a single "-rpath" flag with a separated argument.
hardcode_libdir_separator=$lt_hardcode_libdir_separator
diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
--- cryptsetup-2.3.3-clean/Makefile.in 2020-06-10 14:05:45.781594282 +0200
+++ cryptsetup-2.3.3/Makefile.in 2020-06-10 14:30:09.512375745 +0200
@@ -1032,6 +1032,8 @@
diff -u -r cryptsetup-2.4.3-clean/Makefile.in cryptsetup-2.4.3/Makefile.in
--- cryptsetup-2.4.3-clean/Makefile.in 2022-01-13 17:24:33.000000000 +0800
+++ cryptsetup-2.4.3/Makefile.in 2022-01-16 14:08:37.096258854 +0800
@@ -1115,6 +1115,8 @@
@CRYPTSETUP_TRUE@cryptsetup_LDADD = $(LDADD) \
@CRYPTSETUP_TRUE@ libcryptsetup.la \
@CRYPTSETUP_TRUE@ @POPT_LIBS@ \
@ -516,17 +489,17 @@ diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
@CRYPTSETUP_TRUE@ @PWQUALITY_LIBS@ \
@CRYPTSETUP_TRUE@ @PASSWDQC_LIBS@ \
@CRYPTSETUP_TRUE@ @UUID_LIBS@ \
@@ -1060,6 +1062,9 @@
@@ -1147,6 +1149,9 @@
@VERITYSETUP_TRUE@veritysetup_LDADD = $(LDADD) \
@VERITYSETUP_TRUE@ libcryptsetup.la \
@VERITYSETUP_TRUE@ @POPT_LIBS@ \
+@VERITYSETUP_TRUE@ @UUID_LIBS@ \
+@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \
+@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \
@VERITYSETUP_TRUE@ @PWQUALITY_LIBS@ \
@VERITYSETUP_TRUE@ @PASSWDQC_LIBS@ \
@VERITYSETUP_TRUE@ @BLKID_LIBS@
@@ -1093,6 +1093,8 @@
@STATIC_TOOLS_TRUE@@VERITYSETUP_TRUE@veritysetup_static_SOURCES = $(veritysetup_SOURCES)
@@ -1177,6 +1182,8 @@
@INTEGRITYSETUP_TRUE@ libcryptsetup.la \
@INTEGRITYSETUP_TRUE@ @POPT_LIBS@ \
@INTEGRITYSETUP_TRUE@ @UUID_LIBS@ \
@ -535,12 +508,199 @@ diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
@INTEGRITYSETUP_TRUE@ @BLKID_LIBS@
@INTEGRITYSETUP_TRUE@@STATIC_TOOLS_TRUE@integritysetup_static_SOURCES = $(integritysetup_SOURCES)
@@ -1122,6 +1122,8 @@
@REENCRYPT_TRUE@ @POPT_LIBS@ \
@REENCRYPT_TRUE@ @PWQUALITY_LIBS@ \
@REENCRYPT_TRUE@ @PASSWDQC_LIBS@ \
+@REENCRYPT_TRUE@ @DEVMAPPER_LIBS@ \
+@REENCRYPT_TRUE@ @JSON_C_LIBS@ \
@REENCRYPT_TRUE@ @UUID_LIBS@ \
@REENCRYPT_TRUE@ @BLKID_LIBS@
--- ./configure.orig 2023-11-26 14:22:30.912000000 -0500
+++ ./configure 2023-11-26 14:26:21.714000000 -0500
@@ -12336,7 +12336,7 @@
case $cc_basename in
tcc*)
- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+ hardcode_libdir_flag_spec=" "
export_dynamic_flag_spec='-rdynamic'
;;
xlf* | bgf* | bgxlf* | mpixlf*)
@@ -12755,7 +12755,7 @@
case $cc_basename in
cl* | icl*)
# Native MSVC or ICC
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
always_export_symbols=yes
file_list_spec='@'
@@ -12796,7 +12796,7 @@
;;
*)
# Assume MSVC and ICC wrapper
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
# Tell ltmain to make .lib files, not .a files.
libext=lib
@@ -12873,7 +12873,7 @@
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
freebsd* | dragonfly* | midnightbsd*)
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_libdir_flag_spec=" "
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -13052,7 +13052,7 @@
# Fabrice Bellard et al's Tiny C Compiler
ld_shlibs=yes
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+ hardcode_libdir_flag_spec=" "
;;
esac
;;
--- ./configure.mod 2023-11-26 14:46:49.779000000 -0500
+++ ./configure 2023-11-26 14:47:56.962000000 -0500
@@ -17670,7 +17670,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -17958,16 +17958,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -17982,7 +17982,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -17994,7 +17994,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -18010,7 +18010,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -18043,7 +18043,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -18080,7 +18080,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -18101,7 +18101,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -18159,7 +18159,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
@@ -18189,7 +18189,7 @@
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='NetBSD ld.elf_so'
;;
@@ -18208,7 +18208,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -18226,7 +18226,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -18298,7 +18298,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -18355,7 +18355,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -18377,7 +18377,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)

150
patches/lvm2-2.03.23.patch Normal file
View File

@ -0,0 +1,150 @@
--- ./lib/mm/memlock.c.orig 2023-11-27 13:52:46.281000000 -0500
+++ ./lib/mm/memlock.c 2023-11-27 13:56:35.656000000 -0500
@@ -160,6 +160,7 @@
static void _allocate_memory(void)
{
+#if 0
#if defined(__GLIBC__) && !defined(VALGRIND_POOL)
/* Memory allocation is currently only tested with glibc
* for different C libraries, some other mechanisms might be needed
@@ -233,11 +234,14 @@
for (i = 0; i < area; ++i)
free(areas[i]);
#endif
+#endif
}
static void _release_memory(void)
{
+#if 0
free(_malloc_mem);
+#endif
}
/*
@@ -313,7 +317,7 @@
if (lock == LVM_MLOCK) {
if (mlock((const void*)from, sz) < 0) {
- log_sys_error("mlock", line);
+ //log_sys_error("mlock", line);
return 0;
}
} else {
--- ./libdm/libdm-stats.c.orig 2023-11-27 13:59:40.677000000 -0500
+++ ./libdm/libdm-stats.c 2023-11-27 14:07:28.655000000 -0500
@@ -18,7 +18,23 @@
#include "libdm/misc/dmlib.h"
#include "libdm/misc/kdev_t.h"
+#if 0
#include "math.h" /* log10() */
+#else
+static int ilog10(double x)
+{
+ int e = 0;
+
+ while(x > 10)
+ {
+ e++;
+ x = x / 10;
+ }
+
+ return e;
+}
+#endif
+
#include <sys/sysmacros.h>
#include <sys/ioctl.h>
@@ -556,7 +572,12 @@
while(entry >= bins) {
value = (double) (entry--)->upper;
/* Use lround to avoid size_t -> double cast warning. */
+#if 0
hist_len += 1 + (size_t) lround(log10(value / scale));
+#else
+ hist_len += 1 + ilog10(value / scale);
+#endif
+
if (entry != bins)
hist_len++; /* ',' */
}
@@ -1863,7 +1884,12 @@
i = dm_bit_get_first(regions);
for (; i >= 0; i = dm_bit_get_next(regions, i)) {
/* length of region_id or range start in characters */
+#if 0
id_len = (i) ? 1 + (size_t) log10(i) : 1;
+#else
+ id_len = (i) ? 1 + ilog10(i) : 1;
+#endif
+
buflen += id_len;
j = i;
do
@@ -1878,7 +1904,11 @@
/* handle range */
if (i != j) {
/* j is always > i, which is always >= 0 */
+#if 0
id_len = 1 + (size_t) log10(j);
+#else
+ id_len = 1 + ilog10(j);
+#endif
buflen += id_len + 1; /* range end plus "-" */
}
buflen++;
--- ./tools/lvmcmdline.c.orig 2023-11-27 14:12:46.649000000 -0500
+++ ./tools/lvmcmdline.c 2023-11-27 14:15:47.563000000 -0500
@@ -3438,7 +3438,7 @@
static int _check_standard_fds(void)
{
int err = is_valid_fd(STDERR_FILENO);
-
+#if 0
if (!is_valid_fd(STDIN_FILENO) &&
!(stdin = fopen(_PATH_DEVNULL, "r"))) {
if (err)
@@ -3463,7 +3463,7 @@
strerror(errno));
return 0;
}
-
+#endif
return 1;
}
@@ -3644,7 +3644,7 @@
*/
dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE);
- if (!(cmd = create_toolcontext(0, NULL, 1, threaded, set_connections, set_filters))) {
+ if (!(cmd = create_toolcontext(0, NULL, 0, threaded, set_connections, set_filters))) {
return_NULL;
}
--- ./make.tmpl.orig 2023-11-28 13:29:11.744000000 -0500
+++ ./make.tmpl.in 2023-11-28 13:29:36.716000000 -0500
@@ -210,7 +210,7 @@
M_INSTALL_PROGRAM = -m 555
M_INSTALL_DATA = -m 444
endif
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
INSTALL_WDATA = $(INSTALL) -p -m 644
--- ./libdm/make.tmpl.orig 2023-11-28 13:29:52.760000000 -0500
+++ ./libdm/make.tmpl.in 2023-11-28 13:30:22.336000000 -0500
@@ -173,7 +173,7 @@
M_INSTALL_PROGRAM = -m 555
M_INSTALL_DATA = -m 444
endif
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
INSTALL_WDATA = $(INSTALL) -p -m 644

139
patches/util-linux-2.29.2.patch
View File

@ -1,139 +0,0 @@
--- ./configure 2017-02-22 07:07:46.595740152 -0500
+++ ./configure 2023-02-27 13:34:27.068000000 -0500
@@ -13408,7 +13408,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -13698,16 +13698,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -13722,7 +13722,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -13734,7 +13734,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -13750,7 +13750,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -13783,7 +13783,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -13820,7 +13820,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -13841,7 +13841,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -13896,7 +13896,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
@@ -13936,7 +13936,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -13954,7 +13954,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -14026,7 +14026,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -14083,7 +14083,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -14105,7 +14105,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)

276
patches/util-linux-2.39.patch Normal file
View File

@ -0,0 +1,276 @@
--- ./configure.orig 2023-05-17 06:53:16.721284360 -0400
+++ ./configure 2023-11-28 13:57:50.012000000 -0500
@@ -16580,7 +16580,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -16870,16 +16870,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -16894,7 +16894,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -16906,7 +16906,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -16922,7 +16922,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -16955,7 +16955,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -16992,7 +16992,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -17013,7 +17013,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -17071,7 +17071,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
@@ -17111,7 +17111,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -17129,7 +17129,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -17201,7 +17201,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -17258,7 +17258,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -17280,7 +17280,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)
@@ -20574,7 +20574,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -20862,16 +20862,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -20886,7 +20886,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -20898,7 +20898,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -20914,7 +20914,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -20947,7 +20947,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -20984,7 +20984,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -21005,7 +21005,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -21063,7 +21063,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
@@ -21103,7 +21103,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -21121,7 +21121,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -21193,7 +21193,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -21250,7 +21250,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -21272,7 +21272,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)

73
unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config Normal file
View File

@ -0,0 +1,73 @@
# Configuration for a x230 with HOTP (Nitrokey/Purism USB Security dongle enabled HOTP support)
# running Qubes 4.1 and other OSes.
#
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
# dropbear support(ssh client/server)
# e1000e (ethernet driver)
#
# Addition vs standard x230 board config:
# HOTP_KEY: HOTP challenge for currently supported USB Security dongles
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=5.10.5
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-legacy.config
CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=n
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
export CONFIG_AUTO_BOOT_TIMEOUT=5
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
CONFIG_SLANG=y
CONFIG_NEWT=y
#FBWhiptail based (Graphical):
#CONFIG_CAIRO=y
#CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Ethernet driver (Heads only)
CONFIG_LINUX_E1000E=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="Thinkpad X230-hotp-legacy"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# Only flashing to the bios region is safe to do. The easiest is to
# flash internally when the IFD is unlocked for writing, and x230-flash
# is installed first.

36
unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config Normal file
View File

@ -0,0 +1,36 @@
# Minimal configuration for a x230 to support flashrom and USB
# This top SPI flash image needed to flash legacy board counterpart internally
# This image can be flashed through 1vyrain and skulls
# IDEALLY you should flash maximized top and bottom rom images exteranlly once instead.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=5.10.5
CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config
CONFIG_LINUX_CONFIG=config/linux-x230-flash.config
#Add bare minimal tools for flashing boards
CONFIG_BASH=n
CONFIG_FLASHPROG=y
CONFIG_ZSTD=n
#CONFIG_GPG=y
#CONFIG_FLASHTOOLS=y
CONFIG_PCIUTILS=y
#CONFIG_MBEDTLS=y
#CONFIG_QRENCODE=y
#CONFIG_TPMTOTP=y
#CONFIG_DROPBEAR=y
#Additional hardware support
CONFIG_LINUX_USB=y
#CONFIG_LINUX_E1000E=y
export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init
export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
CONFIG_LEGACY_FLASH=y
BOARD_TARGETS := legacy_flash

66
unmaintained_boards/x230-legacy/x230-legacy.config Normal file
View File

@ -0,0 +1,66 @@
# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
#
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
# dropbear support(ssh client/server)
# e1000e (ethernet driver)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=5.10.5
CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy.config
CONFIG_LINUX_CONFIG=config/linux-UNMAINTAINED_x230-legacy.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=n
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=n
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
CONFIG_SLANG=y
CONFIG_NEWT=y
#FBWhiptail based (Graphical):
#CONFIG_CAIRO=y
#CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="Thinkpad X230-legacy"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# Only flashing to the bios region is safe to do. The easiest is to
# flash internally when the IFD is unlocked for writing, and x230-flash
# is installed first.