ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 12:46:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
heads/modules/cryptsetup2
Thierry Laurion 0cef8e1edc cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2) 
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation.
 This is a critical feature for the Qubes OS 4.2 release for added data at rest protection

Cryptsetup 2.6.x internal changes:
 - Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots.
  - This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt
  - OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs.
 - passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted)
 - reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree)

cryptsetup 2.6.1 requires:
 - lvm2 2.03.23, which is also included in this PR.
   - requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in)
   - requires util-linux 2.39
 - patches for reproducible builds are included for above 3 packages.

luks-functions was updated to support the new cryptsetup2 version calls/changes
 - reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues
   - from tests, this is best for performance and reliability in single-user mode
 - LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early.
  - Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically.
  - If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK
 - Reencryption: requires to know which key slot to reencrypt.
   - Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call
 - Passphrase change: no slot can be passed, but key slot of DRK rotates.

kexec-seal-key
 - TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31)
  - If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically
    - This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots.
      - If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys.
      - It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used?
        - Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31)
          - But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic.
  - LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions.

TODO:
- async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
  - this could be subject to future work

Notes:
- time to deprecated legacy boards the do not enough space for the new space requirements
 - x230-legacy, x230-legacy-flash, x230-hotp-legacy
 - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated

Unrelated:
- typos fixes found along the way

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-10-30 14:18:20 -04:00

47 lines
1.3 KiB
Makefile
Raw Permalink Blame History

modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2
cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep)
cryptsetup2_version := 2.6.1
cryptsetup2_dir := cryptsetup-$(cryptsetup2_version)
cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693
# Use an empty prefix so that the executables will not include the
# build path.
cryptsetup2_configure := \
$(CROSS_TOOLS) \
CFLAGS="-Os" \
./configure \
--host $(MUSL_ARCH)-elf-linux \
--prefix "/" \
--enable-internal-sse-argon2 \
--disable-rpath \
--disable-gcrypt-pbkdf2 \
--disable-ssh-token \
--disable-asciidoc \
--disable-nls \
--disable-selinux \
--disable-udev \
--disable-external-tokens \
--with-crypto_backend=kernel \
--with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d
# but after building, replace prefix so that they will be installed
# in the correct directory.
cryptsetup2_target := \
$(MAKE_JOBS) \
&& $(MAKE) \
-C $(build)/$(cryptsetup2_dir) \
prefix="$(INSTALL)" \
install
cryptsetup2_output := \
.libs/cryptsetup \
.libs/veritysetup \
cryptsetup2_libraries := \
.libs/libcryptsetup.so.12 \
Reference in New Issue View Git Blame Copy Permalink