diff options
-rw-r--r-- | lib/bitlk/bitlk.c | 6 | ||||
-rw-r--r-- | lib/bitlk/bitlk.h | 1 | ||||
-rw-r--r-- | lib/crypto_backend/cipher_generic.c | 3 | ||||
-rw-r--r-- | lib/crypto_backend/crc32.c | 2 | ||||
-rw-r--r-- | lib/crypto_backend/crypto_cipher_kernel.c | 2 | ||||
-rw-r--r-- | lib/crypto_backend/crypto_gcrypt.c | 2 | ||||
-rw-r--r-- | lib/crypto_backend/crypto_kernel.c | 1 | ||||
-rw-r--r-- | lib/crypto_backend/crypto_nettle.c | 1 | ||||
-rw-r--r-- | lib/crypto_backend/crypto_nss.c | 2 | ||||
-rw-r--r-- | lib/crypto_backend/crypto_openssl.c | 3 | ||||
-rw-r--r-- | man/common_options.adoc | 1 | ||||
-rw-r--r-- | man/cryptsetup-luksFormat.8.adoc | 6 | ||||
-rw-r--r-- | tests/api-test-2.c | 26 | ||||
-rw-r--r-- | tests/compatimage2.img.xz | bin | 66356 -> 131316 bytes | |||
-rw-r--r-- | tests/luks2_header_requirements.tar.xz | bin | 134412 -> 134468 bytes |
15 files changed, 44 insertions, 12 deletions
diff --git a/lib/bitlk/bitlk.c b/lib/bitlk/bitlk.c index 303d0c66..64e658d2 100644 --- a/lib/bitlk/bitlk.c +++ b/lib/bitlk/bitlk.c @@ -324,6 +324,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in /* unknown timestamps in recovery protected VMK */ } else if (key_entry_value == BITLK_ENTRY_VALUE_RECOVERY_TIME) { ; + /* optional hint (?) string (masked email?), we can safely ignore it */ + } else if (key_entry_value == BITLK_ENTRY_VALUE_HINT) { + ; } else if (key_entry_value == BITLK_ENTRY_VALUE_STRING) { if (key_entry_size < BITLK_ENTRY_HEADER_LEN) return -EINVAL; @@ -353,6 +356,9 @@ static int parse_vmk_entry(struct crypt_device *cd, uint8_t *data, int start, in /* no idea what this is, lets hope it's not important */ } else if (key_entry_value == BITLK_ENTRY_VALUE_USE_KEY && (*vmk)->protection == BITLK_PROTECTION_STARTUP_KEY) { ; + /* quietly ignore unsupported TPM key */ + } else if (key_entry_value == BITLK_ENTRY_VALUE_TPM_KEY && (*vmk)->protection == BITLK_PROTECTION_TPM) { + ; } else { if (supported) { log_err(cd, _("Unexpected metadata entry value '%u' found when parsing supported Volume Master Key."), key_entry_value); diff --git a/lib/bitlk/bitlk.h b/lib/bitlk/bitlk.h index 7eb73211..af8f6298 100644 --- a/lib/bitlk/bitlk.h +++ b/lib/bitlk/bitlk.h @@ -78,6 +78,7 @@ typedef enum { BITLK_ENTRY_VALUE_OFFSET_SIZE = 0x000f, BITLK_ENTRY_VALUE_RECOVERY_TIME = 0x015, BITLK_ENTRY_VALUE_GUID = 0x0017, + BITLK_ENTRY_VALUE_HINT = 0x0018, } BITLKFVEEntryValue; struct bitlk_vmk { diff --git a/lib/crypto_backend/cipher_generic.c b/lib/crypto_backend/cipher_generic.c index 746cfcf2..00aa43f5 100644 --- a/lib/crypto_backend/cipher_generic.c +++ b/lib/crypto_backend/cipher_generic.c @@ -19,9 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <string.h> -#include <stdbool.h> #include <errno.h> +#include <strings.h> #include "crypto_backend.h" struct cipher_alg { diff --git a/lib/crypto_backend/crc32.c b/lib/crypto_backend/crc32.c index 7a12a8e7..c0025ed4 100644 --- a/lib/crypto_backend/crc32.c +++ b/lib/crypto_backend/crc32.c @@ -38,8 +38,6 @@ * */ -#include <stdio.h> - #include "crypto_backend.h" static const uint32_t crc32_tab[] = { diff --git a/lib/crypto_backend/crypto_cipher_kernel.c b/lib/crypto_backend/crypto_cipher_kernel.c index 50b00317..fcd838a2 100644 --- a/lib/crypto_backend/crypto_cipher_kernel.c +++ b/lib/crypto_backend/crypto_cipher_kernel.c @@ -19,10 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <string.h> #include <stdlib.h> #include <stdio.h> -#include <stdbool.h> #include <errno.h> #include <unistd.h> #include <sys/socket.h> diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c index 5b12088e..d10ca7cb 100644 --- a/lib/crypto_backend/crypto_gcrypt.c +++ b/lib/crypto_backend/crypto_gcrypt.c @@ -19,9 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <string.h> #include <stdio.h> #include <errno.h> +#include <strings.h> #include <gcrypt.h> #include <pthread.h> #include "crypto_backend_internal.h" diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c index be6051a9..cc23ceb2 100644 --- a/lib/crypto_backend/crypto_kernel.c +++ b/lib/crypto_backend/crypto_kernel.c @@ -19,7 +19,6 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <string.h> #include <stdlib.h> #include <stdio.h> #include <errno.h> diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c index 837fed8d..d288e698 100644 --- a/lib/crypto_backend/crypto_nettle.c +++ b/lib/crypto_backend/crypto_nettle.c @@ -20,7 +20,6 @@ */ #include <stdlib.h> -#include <string.h> #include <errno.h> #include <nettle/sha.h> #include <nettle/sha3.h> diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c index e394d16c..cfb554f3 100644 --- a/lib/crypto_backend/crypto_nss.c +++ b/lib/crypto_backend/crypto_nss.c @@ -19,7 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include <string.h> +#include <stdio.h> #include <errno.h> #include <nss.h> #include <pk11pub.h> diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c index 8276d561..4cf5a4c9 100644 --- a/lib/crypto_backend/crypto_openssl.c +++ b/lib/crypto_backend/crypto_openssl.c @@ -28,9 +28,10 @@ * for all of the code used other than OpenSSL. */ -#include <string.h> +#include <stdio.h> #include <errno.h> #include <limits.h> +#include <strings.h> #include <openssl/crypto.h> #include <openssl/evp.h> #include <openssl/hmac.h> diff --git a/man/common_options.adoc b/man/common_options.adoc index 42b3e2a3..70c30d99 100644 --- a/man/common_options.adoc +++ b/man/common_options.adoc @@ -337,6 +337,7 @@ ifdef::ACTION_ERASE[] Erase *ALL* data on the OPAL self-encrypted device, regardless of the partition it is ran on, if any, and does not require a valid LUKS2 header to be present on the device to run. After providing correct PSID via interactive prompt or via *--key-file* parameter the device is erased. +PSID is usually printed on the OPAL device label (either directly or as a QR code). endif::[] ifdef::ACTION_LUKSFORMAT[] diff --git a/man/cryptsetup-luksFormat.8.adoc b/man/cryptsetup-luksFormat.8.adoc index c9c3565a..e0e9e2ad 100644 --- a/man/cryptsetup-luksFormat.8.adoc +++ b/man/cryptsetup-luksFormat.8.adoc @@ -29,8 +29,12 @@ in use, e.g., mounted filesystem, used in LVM, active RAID member, etc. The device or filesystem has to be un-mounted in order to call luksFormat. To use specific version of LUKS format, use _--type luks1_ or _type luks2_. + To use OPAL hardware encryption on a self-encrypting drive, use -_--hw-opal_ or _--hw-opal-only_. +_--hw-opal_ or _--hw-opal-only_. Note that some OPAL drives can require +a PSID reset (with possible deletion of data) before using the LUKS format +with OPAL options. +See _--hw-opal-factory-reset_ option in cryptsetup _erase_ command. *<options>* can be [--hash, --cipher, --verify-passphrase, --key-size, --key-slot, --key-file (takes precedence over optional second argument), diff --git a/tests/api-test-2.c b/tests/api-test-2.c index 9442c63f..5b0711d6 100644 --- a/tests/api-test-2.c +++ b/tests/api-test-2.c @@ -687,6 +687,17 @@ static void UseLuks2Device(void) OK_(crypt_deactivate(cd, CDEVICE_1)); FAIL_(crypt_deactivate(cd, CDEVICE_1), "no such device"); + if (!_fips_mode) { + /* keyslot 0 is PBKDF2, keyslot 1 is Argon2id */ + OK_(crypt_activate_by_passphrase(cd, NULL, 0, KEY1, strlen(KEY1), 0)); + EQ_(crypt_activate_by_passphrase(cd, NULL, 1, KEY2, strlen(KEY2), 0), 1); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 1, KEY2, strlen(KEY2), 0), 1); + FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, 1, KEY2, strlen(KEY2), 0), "already open"); + GE_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE); + OK_(crypt_deactivate(cd, CDEVICE_1)); + FAIL_(crypt_deactivate(cd, CDEVICE_1), "no such device"); + } + #if KERNEL_KEYRING // repeat previous tests and check kernel keyring is released when not needed if (t_dm_crypt_keyring_support()) { @@ -701,6 +712,21 @@ static void UseLuks2Device(void) OK_(crypt_activate_by_passphrase(cd, NULL, CRYPT_ANY_SLOT, KEY1, strlen(KEY1), 0)); OK_(crypt_deactivate(cd, CDEVICE_1)); FAIL_(_volume_key_in_keyring(cd, 0), ""); + + if (!_fips_mode) { + /* keyslot 0 is PBKDF2, keyslot 1 is Argon2id */ + EQ_(crypt_activate_by_passphrase(cd, NULL, 1, KEY2, strlen(KEY2), 0), 1); + FAIL_(_drop_keyring_key(cd, 0), ""); + EQ_(crypt_activate_by_passphrase(cd, NULL, 1, KEY2, strlen(KEY2), CRYPT_ACTIVATE_KEYRING_KEY), 1); + OK_(_drop_keyring_key(cd, 0)); + EQ_(crypt_activate_by_passphrase(cd, CDEVICE_1, 1, KEY2, strlen(KEY2), 0), 1); + OK_(_drop_keyring_key(cd, 0)); + FAIL_(crypt_activate_by_passphrase(cd, CDEVICE_1, 1, KEY2, strlen(KEY2), 0), "already open"); + FAIL_(_volume_key_in_keyring(cd, 0), ""); + EQ_(crypt_activate_by_passphrase(cd, NULL, 1, KEY2, strlen(KEY2), 0), 1); + OK_(crypt_deactivate(cd, CDEVICE_1)); + FAIL_(_volume_key_in_keyring(cd, 0), ""); + } } #endif diff --git a/tests/compatimage2.img.xz b/tests/compatimage2.img.xz Binary files differindex ceaeafce..d965af8e 100644 --- a/tests/compatimage2.img.xz +++ b/tests/compatimage2.img.xz diff --git a/tests/luks2_header_requirements.tar.xz b/tests/luks2_header_requirements.tar.xz Binary files differindex b198fd57..caded7f7 100644 --- a/tests/luks2_header_requirements.tar.xz +++ b/tests/luks2_header_requirements.tar.xz |