mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
0cef8e1edc
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation. This is a critical feature for the Qubes OS 4.2 release for added data at rest protection Cryptsetup 2.6.x internal changes: - Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots. - This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt - OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs. - passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted) - reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree) cryptsetup 2.6.1 requires: - lvm2 2.03.23, which is also included in this PR. - requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in) - requires util-linux 2.39 - patches for reproducible builds are included for above 3 packages. luks-functions was updated to support the new cryptsetup2 version calls/changes - reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues - from tests, this is best for performance and reliability in single-user mode - LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early. - Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically. - If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK - Reencryption: requires to know which key slot to reencrypt. - Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call - Passphrase change: no slot can be passed, but key slot of DRK rotates. kexec-seal-key - TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31) - If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically - This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots. - If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys. - It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used? - Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31) - But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic. - LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions. TODO: - async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out - this could be subject to future work Notes: - time to deprecated legacy boards the do not enough space for the new space requirements - x230-legacy, x230-legacy-flash, x230-hotp-legacy - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated Unrelated: - typos fixes found along the way Signed-off-by: Thierry Laurion <insurgo@riseup.net>
151 lines
3.5 KiB
Diff
151 lines
3.5 KiB
Diff
--- ./lib/mm/memlock.c.orig 2023-11-27 13:52:46.281000000 -0500
|
|
+++ ./lib/mm/memlock.c 2023-11-27 13:56:35.656000000 -0500
|
|
@@ -160,6 +160,7 @@
|
|
|
|
static void _allocate_memory(void)
|
|
{
|
|
+#if 0
|
|
#if defined(__GLIBC__) && !defined(VALGRIND_POOL)
|
|
/* Memory allocation is currently only tested with glibc
|
|
* for different C libraries, some other mechanisms might be needed
|
|
@@ -233,11 +234,14 @@
|
|
for (i = 0; i < area; ++i)
|
|
free(areas[i]);
|
|
#endif
|
|
+#endif
|
|
}
|
|
|
|
static void _release_memory(void)
|
|
{
|
|
+#if 0
|
|
free(_malloc_mem);
|
|
+#endif
|
|
}
|
|
|
|
/*
|
|
@@ -313,7 +317,7 @@
|
|
|
|
if (lock == LVM_MLOCK) {
|
|
if (mlock((const void*)from, sz) < 0) {
|
|
- log_sys_error("mlock", line);
|
|
+ //log_sys_error("mlock", line);
|
|
return 0;
|
|
}
|
|
} else {
|
|
--- ./libdm/libdm-stats.c.orig 2023-11-27 13:59:40.677000000 -0500
|
|
+++ ./libdm/libdm-stats.c 2023-11-27 14:07:28.655000000 -0500
|
|
@@ -18,7 +18,23 @@
|
|
#include "libdm/misc/dmlib.h"
|
|
#include "libdm/misc/kdev_t.h"
|
|
|
|
+#if 0
|
|
#include "math.h" /* log10() */
|
|
+#else
|
|
+static int ilog10(double x)
|
|
+{
|
|
+ int e = 0;
|
|
+
|
|
+ while(x > 10)
|
|
+ {
|
|
+ e++;
|
|
+ x = x / 10;
|
|
+ }
|
|
+
|
|
+ return e;
|
|
+}
|
|
+#endif
|
|
+
|
|
|
|
#include <sys/sysmacros.h>
|
|
#include <sys/ioctl.h>
|
|
@@ -556,7 +572,12 @@
|
|
while(entry >= bins) {
|
|
value = (double) (entry--)->upper;
|
|
/* Use lround to avoid size_t -> double cast warning. */
|
|
+#if 0
|
|
hist_len += 1 + (size_t) lround(log10(value / scale));
|
|
+#else
|
|
+ hist_len += 1 + ilog10(value / scale);
|
|
+#endif
|
|
+
|
|
if (entry != bins)
|
|
hist_len++; /* ',' */
|
|
}
|
|
@@ -1863,7 +1884,12 @@
|
|
i = dm_bit_get_first(regions);
|
|
for (; i >= 0; i = dm_bit_get_next(regions, i)) {
|
|
/* length of region_id or range start in characters */
|
|
+#if 0
|
|
id_len = (i) ? 1 + (size_t) log10(i) : 1;
|
|
+#else
|
|
+ id_len = (i) ? 1 + ilog10(i) : 1;
|
|
+#endif
|
|
+
|
|
buflen += id_len;
|
|
j = i;
|
|
do
|
|
@@ -1878,7 +1904,11 @@
|
|
/* handle range */
|
|
if (i != j) {
|
|
/* j is always > i, which is always >= 0 */
|
|
+#if 0
|
|
id_len = 1 + (size_t) log10(j);
|
|
+#else
|
|
+ id_len = 1 + ilog10(j);
|
|
+#endif
|
|
buflen += id_len + 1; /* range end plus "-" */
|
|
}
|
|
buflen++;
|
|
|
|
--- ./tools/lvmcmdline.c.orig 2023-11-27 14:12:46.649000000 -0500
|
|
+++ ./tools/lvmcmdline.c 2023-11-27 14:15:47.563000000 -0500
|
|
@@ -3438,7 +3438,7 @@
|
|
static int _check_standard_fds(void)
|
|
{
|
|
int err = is_valid_fd(STDERR_FILENO);
|
|
-
|
|
+#if 0
|
|
if (!is_valid_fd(STDIN_FILENO) &&
|
|
!(stdin = fopen(_PATH_DEVNULL, "r"))) {
|
|
if (err)
|
|
@@ -3463,7 +3463,7 @@
|
|
strerror(errno));
|
|
return 0;
|
|
}
|
|
-
|
|
+#endif
|
|
return 1;
|
|
}
|
|
|
|
@@ -3644,7 +3644,7 @@
|
|
*/
|
|
dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE);
|
|
|
|
- if (!(cmd = create_toolcontext(0, NULL, 1, threaded, set_connections, set_filters))) {
|
|
+ if (!(cmd = create_toolcontext(0, NULL, 0, threaded, set_connections, set_filters))) {
|
|
return_NULL;
|
|
}
|
|
|
|
--- ./make.tmpl.orig 2023-11-28 13:29:11.744000000 -0500
|
|
+++ ./make.tmpl.in 2023-11-28 13:29:36.716000000 -0500
|
|
@@ -210,7 +210,7 @@
|
|
M_INSTALL_PROGRAM = -m 555
|
|
M_INSTALL_DATA = -m 444
|
|
endif
|
|
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
|
|
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
|
|
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
|
|
INSTALL_WDATA = $(INSTALL) -p -m 644
|
|
|
|
--- ./libdm/make.tmpl.orig 2023-11-28 13:29:52.760000000 -0500
|
|
+++ ./libdm/make.tmpl.in 2023-11-28 13:30:22.336000000 -0500
|
|
@@ -173,7 +173,7 @@
|
|
M_INSTALL_PROGRAM = -m 555
|
|
M_INSTALL_DATA = -m 444
|
|
endif
|
|
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
|
|
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
|
|
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
|
|
INSTALL_WDATA = $(INSTALL) -p -m 644
|
|
|