Commit ec07927b authored by Milan Broz's avatar Milan Broz

Add cryptsetup options for LUKS2 header size settings.

Also print these area sizes in dump command.

NOTE: since now, the metadata area size in dump command contains
mandatory 4k binary section (to be aligned with API definition).
parent 41c7e4fe
......@@ -1615,7 +1615,8 @@ int LUKS2_hdr_dump(struct crypt_device *cd, struct luks2_hdr *hdr)
log_std(cd, "LUKS header information\n");
log_std(cd, "Version: \t%u\n", hdr->version);
log_std(cd, "Epoch: \t%" PRIu64 "\n", hdr->seqid);
log_std(cd, "Metadata area: \t%zu bytes\n", hdr->hdr_size - LUKS2_HDR_BIN_LEN);
log_std(cd, "Metadata area: \t%" PRIu64 " [bytes]\n", LUKS2_metadata_size(hdr->jobj));
log_std(cd, "Keyslots area: \t%" PRIu64 " [bytes]\n", LUKS2_keyslots_size(hdr->jobj));
log_std(cd, "UUID: \t%s\n", *hdr->uuid ? hdr->uuid : "(no UUID)");
log_std(cd, "Label: \t%s\n", *hdr->label ? hdr->label : "(no label)");
log_std(cd, "Subsystem: \t%s\n", *hdr->subsystem ? hdr->subsystem : "(no subsystem)");
......
......@@ -223,7 +223,8 @@ For LUKS2, additional \fB<options>\fR can be
[\-\-integrity, \-\-integrity\-no\-wipe, \-\-sector\-size,
\-\-label, \-\-subsystem,
\-\-pbkdf, \-\-pbkdf\-memory, \-\-pbkdf\-parallel,
\-\-disable\-locks, \-\-disable\-keyring].
\-\-disable\-locks, \-\-disable\-keyring.
\-\-luks2\-metadata\-size, \-\-luks2\-keyslots\-size].
\fBWARNING:\fR Doing a luksFormat on an existing LUKS container will
make all data the old container permanently irretrievable unless
......@@ -1185,6 +1186,20 @@ in "Cryptographic API" section (CONFIG_CRYPTO_USER_API_AEAD .config option).
For more info, see \fIAUTHENTICATED DISK ENCRYPTION\fR section.
.TP
.B "\-\-luks2\-metadata\-size <size>"
This option can be used to enlarge the LUKS2 metadata (JSON) area.
The size includes 4096 bytes for binary metadata (usable JSON area is smaller
of the binary area).
According to LUKS2 specification, only these values are valid:
16, 32, 64, 128, 256, 512, 1024, 2048 and 4096 kB
The <size> can be specified with unit suffix (for example 128k).
.TP
.B "\-\-luks2\-keyslots\-size <size>"
This option can be used to set specific size of the LUKS2 binary keyslot area
(key material is encrypted there). The value must be aligned to multiple
of 4096 bytes with maximum size 128MB.
The <size> can be specified with unit suffix (for example 128k).
.TP
.B "\-\-integrity\-no\-journal"
Activate device with integrity protection without using data journal (direct
write of data and integrity tags).
......
......@@ -90,6 +90,11 @@ static const char *opt_label = NULL;
static const char *opt_subsystem = NULL;
static int opt_unbound = 0;
static const char *opt_luks2_metadata_size_str = NULL;
static uint64_t opt_luks2_metadata_size = 0;
static const char *opt_luks2_keyslots_size_str = NULL;
static uint64_t opt_luks2_keyslots_size = 0;
static const char **action_argv;
static int action_argc;
static const char *null_action_argv[] = {NULL, NULL};
......@@ -989,6 +994,11 @@ static int action_luksFormat(void)
log_err(_("Integrity option can be used only for LUKS2 format."));
return -EINVAL;
}
if (opt_luks2_keyslots_size || opt_luks2_metadata_size) {
log_err(_("Unsupported LUKS2 metadata size options."));
return -EINVAL;
}
} else
return -EINVAL;
......@@ -1043,6 +1053,14 @@ static int action_luksFormat(void)
return r;
}
if (opt_luks2_keyslots_size || opt_luks2_metadata_size) {
r = crypt_set_metadata_size(cd, opt_luks2_metadata_size, opt_luks2_keyslots_size);
if (r < 0) {
log_err(_("Unsupported LUKS2 metadata size options."));
goto out;
}
}
if (opt_offset) {
r = crypt_set_data_offset(cd, opt_offset);
if (r < 0)
......@@ -2406,6 +2424,8 @@ int main(int argc, const char **argv)
{ "subsystem", '\0', POPT_ARG_STRING, &opt_subsystem, 0, N_("Set subsystem label for the LUKS2 device"), NULL },
{ "unbound", '\0', POPT_ARG_NONE, &opt_unbound, 0, N_("Create unbound (no assigned data segment) LUKS2 keyslot"), NULL },
{ "json-file", '\0', POPT_ARG_STRING, &opt_json_file, 0, N_("Read or write the json from or to a file"), NULL },
{ "luks2-metadata-size",'\0',POPT_ARG_STRING,&opt_luks2_metadata_size_str,0,N_("LUKS2 header metadata area size"), N_("bytes") },
{ "luks2-keyslots-size",'\0',POPT_ARG_STRING,&opt_luks2_keyslots_size_str,0,N_("LUKS2 header keyslots area size"), N_("bytes") },
POPT_TABLEEND
};
poptContext popt_context;
......@@ -2644,6 +2664,19 @@ int main(int argc, const char **argv)
usage(popt_context, EXIT_FAILURE, _("Option --align-payload is allowed only for luksFormat."),
poptGetInvocationName(popt_context));
if ((opt_luks2_metadata_size_str || opt_luks2_keyslots_size_str) && strcmp(aname, "luksFormat"))
usage(popt_context, EXIT_FAILURE, _("Options --luks2-metadata-size and --opt-luks2-keyslots-size "
"are allowed only for luksFormat with LUKS2."),
poptGetInvocationName(popt_context));
if (opt_luks2_metadata_size_str &&
tools_string_to_size(NULL, opt_luks2_metadata_size_str, &opt_luks2_metadata_size))
usage(popt_context, EXIT_FAILURE, _("Invalid LUKS2 metadata size specification."),
poptGetInvocationName(popt_context));
if (opt_luks2_keyslots_size_str &&
tools_string_to_size(NULL, opt_luks2_keyslots_size_str, &opt_luks2_keyslots_size))
usage(popt_context, EXIT_FAILURE, _("Invalid LUKS2 keyslots size specification."),
poptGetInvocationName(popt_context));
if (opt_align_payload && opt_offset)
usage(popt_context, EXIT_FAILURE, _("Option --align-payload and --offset cannot be combined."),
poptGetInvocationName(popt_context));
......
......@@ -881,5 +881,20 @@ for mda in 16 32 64 128 256 512 1024 2048 4096 ; do
done
echo
prepare "[40] LUKS2 metadata areas" wipe
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks1 $LOOPDEV --luks2-metadata-size=128k --luks2-keyslots-size=128k 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --luks2-metadata-size=128k --luks2-keyslots-size=127k 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --luks2-metadata-size=127k --luks2-keyslots-size=128k 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --luks2-metadata-size=128k --luks2-keyslots-size=128M 2> /dev/null && fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --luks2-metadata-size=128k --luks2-keyslots-size=128k || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --key-size 256 --luks2-metadata-size=128k || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "131072 \[bytes\]" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "4161536 \[bytes\]" || fail
echo $PWD1 | $CRYPTSETUP -q luksFormat $FAST_PBKDF_OPT --type luks2 $LOOPDEV --luks2-keyslots-size=128k || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Metadata area:" | grep -q "16384 \[bytes\]" || fail
$CRYPTSETUP luksDump $LOOPDEV | grep "Keyslots area:" | grep -q "131072 \[bytes\]" || fail
remove_mapping
exit 0
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment