mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-18 12:46:26 +00:00
0cef8e1edc
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation.
This is a critical feature for the Qubes OS 4.2 release for added data at rest protection
Cryptsetup 2.6.x internal changes:
- Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots.
- This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt
- OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs.
- passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted)
- reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree)
cryptsetup 2.6.1 requires:
- lvm2 2.03.23, which is also included in this PR.
- requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in)
- requires util-linux 2.39
- patches for reproducible builds are included for above 3 packages.
luks-functions was updated to support the new cryptsetup2 version calls/changes
- reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues
- from tests, this is best for performance and reliability in single-user mode
- LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early.
- Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically.
- If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK
- Reencryption: requires to know which key slot to reencrypt.
- Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call
- Passphrase change: no slot can be passed, but key slot of DRK rotates.
kexec-seal-key
- TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31)
- If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically
- This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots.
- If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys.
- It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used?
- Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31)
- But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic.
- LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions.
TODO:
- async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
- this could be subject to future work
Notes:
- time to deprecated legacy boards the do not enough space for the new space requirements
- x230-legacy, x230-legacy-flash, x230-hotp-legacy
- t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated
Unrelated:
- typos fixes found along the way
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
277 lines
8.5 KiB
Diff
277 lines
8.5 KiB
Diff
--- ./configure.orig 2023-05-17 06:53:16.721284360 -0400
|
|
+++ ./configure 2023-11-28 13:57:50.012000000 -0500
|
|
@@ -16580,7 +16580,7 @@
|
|
version_type=linux # correct to gnu/linux during the next big refactor
|
|
need_lib_prefix=no
|
|
need_version=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
if test ia64 = "$host_cpu"; then
|
|
# AIX 5 supports IA64
|
|
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
|
|
@@ -16870,16 +16870,16 @@
|
|
;;
|
|
freebsd3.[01]* | freebsdelf3.[01]*)
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
|
|
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
*) # from 4.6 on, and DragonFly
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
esac
|
|
;;
|
|
@@ -16894,7 +16894,7 @@
|
|
shlibpath_var=LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
hpux9* | hpux10* | hpux11*)
|
|
@@ -16906,7 +16906,7 @@
|
|
case $host_cpu in
|
|
ia64*)
|
|
shrext_cmds='.so'
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
dynamic_linker="$host_os dld.so"
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
|
@@ -16922,7 +16922,7 @@
|
|
;;
|
|
hppa*64*)
|
|
shrext_cmds='.sl'
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
dynamic_linker="$host_os dld.sl"
|
|
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
|
|
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
|
@@ -16955,7 +16955,7 @@
|
|
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
irix5* | irix6* | nonstopux*)
|
|
@@ -16992,7 +16992,7 @@
|
|
shlibpath_overrides_runpath=no
|
|
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
|
|
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
# No shared lib support for Linux oldld, aout, or coff.
|
|
@@ -17013,7 +17013,7 @@
|
|
# This implies no fast_install, which is unacceptable.
|
|
# Some rework will be needed to allow for fast_install
|
|
# before this can be enabled.
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
|
|
dynamic_linker='Android linker'
|
|
# Don't embed -rpath directories since the linker doesn't support them.
|
|
@@ -17071,7 +17071,7 @@
|
|
# This implies no fast_install, which is unacceptable.
|
|
# Some rework will be needed to allow for fast_install
|
|
# before this can be enabled.
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
|
|
# Add ABI-specific directories to the system library path.
|
|
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
|
|
@@ -17111,7 +17111,7 @@
|
|
fi
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
newsos6)
|
|
@@ -17129,7 +17129,7 @@
|
|
soname_spec='$libname$release$shared_ext$major'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
dynamic_linker='ldqnx.so'
|
|
;;
|
|
|
|
@@ -17201,7 +17201,7 @@
|
|
soname_spec='$libname$release$shared_ext$major'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
# ldd complains unless libraries are executable
|
|
postinstall_cmds='chmod +x $lib'
|
|
;;
|
|
@@ -17258,7 +17258,7 @@
|
|
soname_spec='$libname$release$shared_ext$major'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
if test yes = "$with_gnu_ld"; then
|
|
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
|
|
else
|
|
@@ -17280,7 +17280,7 @@
|
|
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
uts4*)
|
|
@@ -20574,7 +20574,7 @@
|
|
version_type=linux # correct to gnu/linux during the next big refactor
|
|
need_lib_prefix=no
|
|
need_version=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
if test ia64 = "$host_cpu"; then
|
|
# AIX 5 supports IA64
|
|
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
|
|
@@ -20862,16 +20862,16 @@
|
|
;;
|
|
freebsd3.[01]* | freebsdelf3.[01]*)
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
|
|
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
*) # from 4.6 on, and DragonFly
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
esac
|
|
;;
|
|
@@ -20886,7 +20886,7 @@
|
|
shlibpath_var=LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
hpux9* | hpux10* | hpux11*)
|
|
@@ -20898,7 +20898,7 @@
|
|
case $host_cpu in
|
|
ia64*)
|
|
shrext_cmds='.so'
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
dynamic_linker="$host_os dld.so"
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
|
@@ -20914,7 +20914,7 @@
|
|
;;
|
|
hppa*64*)
|
|
shrext_cmds='.sl'
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
dynamic_linker="$host_os dld.sl"
|
|
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
|
|
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
|
@@ -20947,7 +20947,7 @@
|
|
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
irix5* | irix6* | nonstopux*)
|
|
@@ -20984,7 +20984,7 @@
|
|
shlibpath_overrides_runpath=no
|
|
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
|
|
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
# No shared lib support for Linux oldld, aout, or coff.
|
|
@@ -21005,7 +21005,7 @@
|
|
# This implies no fast_install, which is unacceptable.
|
|
# Some rework will be needed to allow for fast_install
|
|
# before this can be enabled.
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
|
|
dynamic_linker='Android linker'
|
|
# Don't embed -rpath directories since the linker doesn't support them.
|
|
@@ -21063,7 +21063,7 @@
|
|
# This implies no fast_install, which is unacceptable.
|
|
# Some rework will be needed to allow for fast_install
|
|
# before this can be enabled.
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
|
|
# Add ABI-specific directories to the system library path.
|
|
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
|
|
@@ -21103,7 +21103,7 @@
|
|
fi
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
newsos6)
|
|
@@ -21121,7 +21121,7 @@
|
|
soname_spec='$libname$release$shared_ext$major'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
dynamic_linker='ldqnx.so'
|
|
;;
|
|
|
|
@@ -21193,7 +21193,7 @@
|
|
soname_spec='$libname$release$shared_ext$major'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
# ldd complains unless libraries are executable
|
|
postinstall_cmds='chmod +x $lib'
|
|
;;
|
|
@@ -21250,7 +21250,7 @@
|
|
soname_spec='$libname$release$shared_ext$major'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=yes
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
if test yes = "$with_gnu_ld"; then
|
|
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
|
|
else
|
|
@@ -21272,7 +21272,7 @@
|
|
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
|
|
shlibpath_var=LD_LIBRARY_PATH
|
|
shlibpath_overrides_runpath=no
|
|
- hardcode_into_libs=yes
|
|
+ hardcode_into_libs=no
|
|
;;
|
|
|
|
uts4*)
|