From 6e9d281889cbd5e75308421155eff56f8f72b11b Mon Sep 17 00:00:00 2001 From: wangmy Date: Mon, 25 Oct 2021 22:37:20 +0800 Subject: cryptsetup: upgrade 2.3.6 -> 2.4.1 Cryptsetup 2.4.1 Release Notes ============================== Stable bug-fix release with minor extensions. All users of cryptsetup 2.4.0 should upgrade to this version. Changes since version 2.4.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Fix compilation for libc implementations without dlvsym(). Some alternative libc implementations (like musl) do not provide versioned symbols dlvsym function. Code now fallbacks to dlsym operation for dynamic LUKS2 token load. It is up to maintainers to ensure that LUKS2 token plugins are compiled for the supported version. * Fix compilation and tests on systems with non-standard libraries (standalone argp library, external gettext library, BusyBox implementations of standard tools). * Try to workaround some issues on systems without udev support. NOTE: non-udev systems cannot provide all functionality for kernel device-mapper, and some operations can fail. * Fixes for OpenSSL3 crypto backend (including FIPS mode). Because cryptsetup still requires some hash functions implemented in OpenSSL3 legacy provider, crypto backend now uses its library context and tries to load both default and legacy OpenSSL3 providers. If FIPS mode is detected, no library context is used, and it is up to the OpenSSL system-wide policy to load proper providers. NOTE: We still use some deprecated API in the OpenSSL3 backend, and there are some known problems in OpenSSL 3.0.0. * Print error message when assigning a token to an inactive keyslot. * Fix offset bug in LUKS2 encryption code if --offset option was used. * Do not allow LUKS2 decryption for devices with data offset. Such devices cannot be used after decryption. * Fix LUKS1 cryptsetup repair command for some specific problems. Repair code can now fix wrongly used initialization vector specification in ECB mode (that is insecure anyway!) and repair the upper-case hash specification in the LUKS1 header. Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj --- .../recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb | 93 --------------------- .../recipes-crypto/cryptsetup/cryptsetup_2.4.1.bb | 96 ++++++++++++++++++++++ 2 files changed, 96 insertions(+), 93 deletions(-) delete mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb create mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.1.bb diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb deleted file mode 100644 index 806a05e8f2..0000000000 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb +++ /dev/null @@ -1,93 +0,0 @@ -SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes" -DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \ -device-mapper mappings. These include plain dm-crypt volumes and \ -LUKS volumes. The difference is that LUKS uses a metadata header \ -and can hence offer more features than plain dm-crypt. On the other \ -hand, the header is visible and vulnerable to damage." -HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup" -SECTION = "console" -LICENSE = "GPL-2.0-with-OpenSSL-exception" -LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326" - -DEPENDS = " \ - json-c \ - libdevmapper \ - popt \ - util-linux-libuuid \ -" - -SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" -SRC_URI[md5sum] = "504d1ab22cbc4d1a59a8d8c7ee5ed3bf" -SRC_URI[sha256sum] = "b296b7a21ea576c2b180611ccb19d06aec8dddaedf7c704b0c6a81210c25635f" - -inherit autotools gettext pkgconfig - -# Use openssl because libgcrypt drops root privileges -# if libgcrypt is linked with libcap support -PACKAGECONFIG ??= " \ - keyring \ - cryptsetup \ - veritysetup \ - cryptsetup-reencrypt \ - integritysetup \ - ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ - kernel_crypto \ - internal-argon2 \ - blkid \ - luks-adjust-xts-keysize \ - openssl \ -" -PACKAGECONFIG:append:class-target = " \ - udev \ -" - -PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring" -PACKAGECONFIG[fips] = "--enable-fips,--disable-fips" -PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality" -PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc" -PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup" -PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" -PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" -PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" -PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" -# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't -# recognized. -PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2" -PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2" -PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2" -PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux" -PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random" -PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize" -PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl" -PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt" -PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss" -PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" -PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" -PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" - -EXTRA_OECONF = "--enable-static" -# Building without largefile is not supported by upstream -EXTRA_OECONF += "--enable-largefile" -# Requires a static popt library -EXTRA_OECONF += "--disable-static-cryptsetup" -# There's no recipe for libargon2 yet -EXTRA_OECONF += "--disable-libargon2" - -FILES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}" - -RDEPENDS:${PN} = " \ - libdevmapper \ -" - -RRECOMMENDS:${PN}:class-target = " \ - kernel-module-aes-generic \ - kernel-module-dm-crypt \ - kernel-module-md5 \ - kernel-module-cbc \ - kernel-module-sha256-generic \ - kernel-module-xts \ -" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.1.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.1.bb new file mode 100644 index 0000000000..7f7c350a63 --- /dev/null +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.1.bb @@ -0,0 +1,96 @@ +SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes" +DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \ +device-mapper mappings. These include plain dm-crypt volumes and \ +LUKS volumes. The difference is that LUKS uses a metadata header \ +and can hence offer more features than plain dm-crypt. On the other \ +hand, the header is visible and vulnerable to damage." +HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup" +SECTION = "console" +LICENSE = "GPL-2.0-with-OpenSSL-exception" +LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326" + +DEPENDS = " \ + json-c \ + libdevmapper \ + popt \ + util-linux-libuuid \ + libssh \ +" + +DEPENDS:append:libc-musl = " argp-standalone" +LDFLAGS:append:libc-musl = " -largp" + +SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" +SRC_URI[sha256sum] = "a356a727a83a464ade566e95239622a22dbe4e0f482b198fdb04ab0d3a5a9c5f" + +inherit autotools gettext pkgconfig + +# Use openssl because libgcrypt drops root privileges +# if libgcrypt is linked with libcap support +PACKAGECONFIG ??= " \ + keyring \ + cryptsetup \ + veritysetup \ + cryptsetup-reencrypt \ + integritysetup \ + ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ + kernel_crypto \ + internal-argon2 \ + blkid \ + luks-adjust-xts-keysize \ + openssl \ +" +PACKAGECONFIG:append:class-target = " \ + udev \ +" + +PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring" +PACKAGECONFIG[fips] = "--enable-fips,--disable-fips" +PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality" +PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc" +PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup" +PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" +PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" +PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" +PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" +# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't +# recognized. +PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2" +PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2" +PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2" +PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux" +PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random" +PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize" +PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl" +PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt" +PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss" +PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" +PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" +PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" + +EXTRA_OECONF = "--enable-static" +# Building without largefile is not supported by upstream +EXTRA_OECONF += "--enable-largefile" +# Requires a static popt library +EXTRA_OECONF += "--disable-static-cryptsetup" +# There's no recipe for libargon2 yet +EXTRA_OECONF += "--disable-libargon2" + +FILES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}" + +RDEPENDS:${PN} = " \ + libdevmapper \ +" + +RRECOMMENDS:${PN}:class-target = " \ + kernel-module-aes-generic \ + kernel-module-dm-crypt \ + kernel-module-md5 \ + kernel-module-cbc \ + kernel-module-sha256-generic \ + kernel-module-xts \ +" + +BBCLASSEXTEND = "native nativesdk" -- cgit 1.2.3-korg