From a8e8825ee1b7ebb1c8af2bc95c64ed10c056414e Mon Sep 17 00:00:00 2001
From: Khem Raj
Date: Sun, 18 Dec 2022 14:02:20 -0800
Subject: cryptsetup: Upgrade to 2.6.0
- Disable documentation as it needs asciidoctor which is not available
- Rename cryptsetup-reencrypt packageconfig to luks2-reencryption to match the relevant configure option.
- Add a patch to enable 64bit off_t and lfs64
Signed-off-by: Khem Raj
---
.../0001-Replace-off64_t-with-off_t.patch | 101 +++++++++++++++++
.../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb | 116 --------------------
.../recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb | 119 +++++++++++++++++++++
3 files changed, 220 insertions(+), 116 deletions(-)
create mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch
delete mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
create mode 100644 meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb
(limited to 'meta-oe')
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch b/meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch
new file mode 100644
index 0000000000..23aa86c0fb
--- /dev/null
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup/0001-Replace-off64_t-with-off_t.patch
@@ -0,0 +1,101 @@
+From 683d0c525765415be34c269edf9cc066276f9f65 Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Sun, 18 Dec 2022 13:53:51 -0800
+Subject: [PATCH] Replace off64_t with off_t
+
+AC_SYS_LARGEFILE autoconf macro is in use in configure script which will
+add needed feature macros on commandline to enable 64bit off_t.
+
+Also replace lseek64 with lseek, since it will be same when
+_FILE_OFFSET_BITS=64 is defined on relevant platforms via AC_SYS_LARGEFILE
+
+Upstream-Status: Submitted [https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/467]
+Signed-off-by: Khem Raj
+---
+ lib/utils.c | 4 ++--
+ lib/utils_wipe.c | 4 ++--
+ src/utils_reencrypt_luks1.c | 12 ++++++------
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/lib/utils.c b/lib/utils.c
+index 9d79ee29..be5f5287 100644
+--- a/lib/utils.c
++++ b/lib/utils.c
+@@ -102,9 +102,9 @@ static int keyfile_seek(int fd, uint64_t bytes)
+ char tmp[BUFSIZ];
+ size_t next_read;
+ ssize_t bytes_r;
+- off64_t r;
++ off_t r;
+
+- r = lseek64(fd, bytes, SEEK_CUR);
++ r = lseek(fd, bytes, SEEK_CUR);
+ if (r > 0)
+ return 0;
+ if (r < 0 && errno != ESPIPE)
+diff --git a/lib/utils_wipe.c b/lib/utils_wipe.c
+index 285a9e77..0c376f44 100644
+--- a/lib/utils_wipe.c
++++ b/lib/utils_wipe.c
+@@ -150,7 +150,7 @@ static int wipe_block(struct crypt_device *cd, int devfd, crypt_wipe_pattern pat
+ if (blockdev && pattern == CRYPT_WIPE_ZERO &&
+ !wipe_zeroout(cd, devfd, offset, wipe_block_size)) {
+ /* zeroout ioctl does not move offset */
+- if (lseek64(devfd, offset + wipe_block_size, SEEK_SET) < 0) {
++ if (lseek(devfd, offset + wipe_block_size, SEEK_SET) < 0) {
+ log_err(cd, _("Cannot seek to device offset."));
+ return -EINVAL;
+ }
+@@ -221,7 +221,7 @@ int crypt_wipe_device(struct crypt_device *cd,
+ if (r)
+ goto out;
+
+- if (lseek64(devfd, offset, SEEK_SET) < 0) {
++ if (lseek(devfd, offset, SEEK_SET) < 0) {
+ log_err(cd, _("Cannot seek to device offset."));
+ r = -EINVAL;
+ goto out;
+diff --git a/src/utils_reencrypt_luks1.c b/src/utils_reencrypt_luks1.c
+index 96368bdb..d83a1da4 100644
+--- a/src/utils_reencrypt_luks1.c
++++ b/src/utils_reencrypt_luks1.c
+@@ -729,8 +729,8 @@ static int copy_data_forward(struct reenc_ctx *rc, int fd_old, int fd_new,
+
+ log_dbg("Reencrypting in forward direction.");
+
+- if (lseek64(fd_old, rc->device_offset, SEEK_SET) < 0 ||
+- lseek64(fd_new, rc->device_offset, SEEK_SET) < 0) {
++ if (lseek(fd_old, rc->device_offset, SEEK_SET) < 0 ||
++ lseek(fd_new, rc->device_offset, SEEK_SET) < 0) {
+ log_err(_("Cannot seek to device offset."));
+ goto out;
+ }
+@@ -788,7 +788,7 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
+ size_t block_size, void *buf, uint64_t *bytes)
+ {
+ ssize_t s1, s2, working_block;
+- off64_t working_offset;
++ off_t working_offset;
+ int r = -EIO;
+ char *backing_file = NULL;
+ struct tools_progress_params prog_parms = {
+@@ -827,8 +827,8 @@ static int copy_data_backward(struct reenc_ctx *rc, int fd_old, int fd_new,
+ working_block = block_size;
+ }
+
+- if (lseek64(fd_old, working_offset, SEEK_SET) < 0 ||
+- lseek64(fd_new, working_offset, SEEK_SET) < 0) {
++ if (lseek(fd_old, working_offset, SEEK_SET) < 0 ||
++ lseek(fd_new, working_offset, SEEK_SET) < 0) {
+ log_err(_("Cannot seek to device offset."));
+ goto out;
+ }
+@@ -874,7 +874,7 @@ static void zero_rest_of_device(int fd, size_t block_size, void *buf,
+
+ log_dbg("Zeroing rest of device.");
+
+- if (lseek64(fd, offset, SEEK_SET) < 0) {
++ if (lseek(fd, offset, SEEK_SET) < 0) {
+ log_dbg("Cannot seek to device offset.");
+ return;
+ }
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
deleted file mode 100644
index 652fd66614..0000000000
--- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
+++ /dev/null
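Review bot: The `lseek64()` to `lseek()` and `off64_t` to `off_t` replacements in this patch are only safe when `_FILE_OFFSET_BITS=64` is in effect in every touched translation unit, and nothing in the patch enforces that. `keyfile_seek()` passes a `uint64_t bytes`, and the seeks in `wipe_block()`, `crypt_wipe_device()`, `copy_data_forward()`, `copy_data_backward()` and `zero_rest_of_device()` take device offsets; with a 32-bit `off_t` those values would be narrowed silently, so a wipe or re-encryption could act on the wrong region of the device while the `< 0` checks still pass. A compile-time guard in a header shared by these files, for example `_Static_assert(sizeof(off_t) >= 8, "64-bit off_t required");` (if the project's C dialect allows it), would turn that into a build failure. The functions start and end outside the nested hunks, so the include order of config.h relative to the system headers cannot be checked from this page.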
@@ -1,116 +0,0 @@
-SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
-DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
-device-mapper mappings. These include plain dm-crypt volumes and \
-LUKS volumes. The difference is that LUKS uses a metadata header \
-and can hence offer more features than plain dm-crypt. On the other \
-hand, the header is visible and vulnerable to damage."
-HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup"
-SECTION = "console"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
-
-DEPENDS = " \
- json-c \
- libdevmapper \
- popt \
- util-linux-libuuid \
-"
-
-DEPENDS:append:libc-musl = " argp-standalone"
-LDFLAGS:append:libc-musl = " -largp"
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "fc0df945188172264ec5bf1d0bda08264fadc8a3f856d47eba91f31fe354b507"
-
-inherit autotools gettext pkgconfig
-
-# Use openssl because libgcrypt drops root privileges
-# if libgcrypt is linked with libcap support
-PACKAGECONFIG ??= " \
- keyring \
- cryptsetup \
- veritysetup \
- cryptsetup-reencrypt \
- integritysetup \
- ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
- kernel_crypto \
- internal-argon2 \
- blkid \
- luks-adjust-xts-keysize \
- openssl \
- ssh-token \
-"
-PACKAGECONFIG:append:class-target = " \
- udev \
-"
-
-PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
-PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
-PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
-PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
-PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
-PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
-PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
-PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
-PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
-PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
-# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
-# recognized.
-PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2"
-PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2"
-PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2"
-PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux"
-PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random"
-PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize"
-PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
-PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
-PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
-PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
-PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
-PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
-PACKAGECONFIG[ssh-token] = "--enable-ssh-token,--disable-ssh-token,libssh"
-
-EXTRA_OECONF = "--enable-static"
-# Building without largefile is not supported by upstream
-EXTRA_OECONF += "--enable-largefile"
-# Requires a static popt library
-EXTRA_OECONF += "--disable-static-cryptsetup"
-# There's no recipe for libargon2 yet
-EXTRA_OECONF += "--disable-libargon2"
-
-# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms)
-LUKS2_PBKDF ?= "argon2i"
-LUKS2_MEMORYKB ?= "1048576"
-LUKS2_PARALLEL_THREADS ?= "4"
-LUKS2_ITERTIME ?= "2000"
-
-EXTRA_OECONF += "--with-luks2-pbkdf=${LUKS2_PBKDF} \
- --with-luks2-memory-kb=${LUKS2_MEMORYKB} \
- --with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS} \
- --with-luks2-iter-time=${LUKS2_ITERTIME}"
-
-do_install:append() {
- # The /usr/lib/cryptsetup directory is always created, even when ssh-token
- # is disabled. In that case it is empty and causes a packaging error. Since
- # there is no reason to distribute the empty directory, the easiest solution
- # is to remove it if it is empty.
- rmdir -p --ignore-fail-on-non-empty ${D}${libdir}/${BPN}
-}
-
-FILES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}"
-
-RDEPENDS:${PN} = " \
- libdevmapper \
-"
-
-RRECOMMENDS:${PN}:class-target = " \
- kernel-module-aes-generic \
- kernel-module-dm-crypt \
- kernel-module-md5 \
- kernel-module-cbc \
- kernel-module-sha256-generic \
- kernel-module-xts \
-"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb
new file mode 100644
index 0000000000..1d4f440871
--- /dev/null
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.6.0.bb
@@ -0,0 +1,119 @@
+SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
+DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
+device-mapper mappings. These include plain dm-crypt volumes and \
+LUKS volumes. The difference is that LUKS uses a metadata header \
+and can hence offer more features than plain dm-crypt. On the other \
+hand, the header is visible and vulnerable to damage."
+HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup"
+SECTION = "console"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
+
+DEPENDS = " \
+ json-c \
+ libdevmapper \
+ popt \
+ util-linux-libuuid \
+"
+
+DEPENDS:append:libc-musl = " argp-standalone"
+LDFLAGS:append:libc-musl = " -largp"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz \
+ file://0001-Replace-off64_t-with-off_t.patch \
+ "
+SRC_URI[sha256sum] = "44397ba76e75a9cde5b02177bc63cd7af428a785788e3a7067733e7761842735"
+
+inherit autotools gettext pkgconfig
+
+# Use openssl because libgcrypt drops root privileges
+# if libgcrypt is linked with libcap support
+PACKAGECONFIG ??= " \
+ keyring \
+ cryptsetup \
+ veritysetup \
+ luks2-reencryption \
+ integritysetup \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
+ kernel_crypto \
+ internal-argon2 \
+ blkid \
+ luks-adjust-xts-keysize \
+ openssl \
+ ssh-token \
+"
+PACKAGECONFIG:append:class-target = " \
+ udev \
+"
+
+PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
+PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
+PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
+PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
+PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
+PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
+PACKAGECONFIG[luks2-reencryption] = "--enable-luks2-reencryption,--disable-luks2-reencryption"
+PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
+PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
+PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
+# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
+# recognized.
+PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2"
+PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2"
+PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2"
+PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux"
+PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random"
+PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize"
+PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
+PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
+PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
+PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
+PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
+PACKAGECONFIG[ssh-token] = "--enable-ssh-token,--disable-ssh-token,libssh"
+
+EXTRA_OECONF = "--enable-static"
+# Building without largefile is not supported by upstream
+EXTRA_OECONF += "--enable-largefile"
+# Requires a static popt library
+EXTRA_OECONF += "--disable-static-cryptsetup"
+# There's no recipe for libargon2 yet
+EXTRA_OECONF += "--disable-libargon2"
+# Disable documentation, there is no asciidoctor-native available in OE
+EXTRA_OECONF += "--disable-asciidoc"
+# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms)
+LUKS2_PBKDF ?= "argon2i"
+LUKS2_MEMORYKB ?= "1048576"
+LUKS2_PARALLEL_THREADS ?= "4"
+LUKS2_ITERTIME ?= "2000"
+
+EXTRA_OECONF += "--with-luks2-pbkdf=${LUKS2_PBKDF} \
+ --with-luks2-memory-kb=${LUKS2_MEMORYKB} \
+ --with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS} \
+ --with-luks2-iter-time=${LUKS2_ITERTIME}"
+
+do_install:append() {
+ # The /usr/lib/cryptsetup directory is always created, even when ssh-token
+ # is disabled. In that case it is empty and causes a packaging error. Since
+ # there is no reason to distribute the empty directory, the easiest solution
+ # is to remove it if it is empty.
+ rmdir -p --ignore-fail-on-non-empty ${D}${libdir}/${BPN}
+}
+
+FILES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}"
+
+RDEPENDS:${PN} = " \
+ libdevmapper \
+"
+
+RRECOMMENDS:${PN}:class-target = " \
+ kernel-module-aes-generic \
+ kernel-module-dm-crypt \
+ kernel-module-md5 \
+ kernel-module-cbc \
+ kernel-module-sha256-generic \
+ kernel-module-xts \
+"
+
+BBCLASSEXTEND = "native nativesdk"
-- cgit v1.2.3-54-g00ecf
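Review bot: `LUKS2_PBKDF ?= "argon2i"` is carried over unchanged from the 2.4.3 recipe, so the `--with-luks2-pbkdf` value passed to configure keeps Argon2i as the compiled-in LUKS2 default for this build. As far as I know upstream cryptsetup has defaulted to Argon2id since 2.4.0, and Argon2id is the variant RFC 9106 recommends for general use, so this recipe appears to ship a weaker default than an unconfigured upstream build. Unless the pin is deliberate, consider `LUKS2_PBKDF ?= "argon2id"`, or add a comment above the variable explaining why Argon2i is kept. The setting presumably only affects newly formatted volumes and newly added keyslots, so changing it should not touch existing headers.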