Bug #1781912 “Upgrade cryptsetup >= 2.0.3” : Bugs : cryptsetup package : Ubuntu

bugproxy (bugproxy) on 2018-07-16

tags:	added: architecture-s39064 bugnameltc-169758 severity-high targetmilestone-inin1810
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → cryptsetup (Ubuntu)

Revision history for this message

bugproxy (bugproxy) wrote on 2018-07-16: Comment bridged from LTC Bugzilla

#1

------- Comment From <email address hidden> 2018-07-16 07:49 EDT-------
*** Bug 169752 has been marked as a duplicate of this bug. ***

Frank Heimes (fheimes) on 2018-07-16

information type:

Private → Public

Revision history for this message

bugproxy (bugproxy) wrote on 2018-07-16:

#2

------- Comment From <email address hidden> 2018-07-16 08:20 EDT-------
"This should really be available in 18.04 LTS as well, hence an SRU request is needed, too."

Frank Heimes (fheimes) on 2018-07-16

Changed in ubuntu-z-systems:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Canonical Foundations Team (canonical-foundations)

Revision history for this message

bugproxy (bugproxy) wrote on 2018-07-18:

#3

------- Comment From <email address hidden> 2018-07-18 06:41 EDT-------
Following effort was done by IBM for getting this SRUed in 18.04.
Which is mandatory for Pervasive encryption suppot on an LTS release.

Extracted the cryptsetup-2.0.3 sources and copied the debian/ files from cryptsetup-2.0.2 to the -2.0.3 tree and successfully built a cryptsetup-2.0.3 deb without any further modifications (except the debian/changelog for the new version).

From my point of view, it would be possible to apply a debdiff or patch that updates the codebase from 2.0.2 to 2.0.3 but keeping the 2.0.2 package version. Cherry-picking particular commits would be possible but might take some time as they are not done by the BB team and always have the risk that related commits are missed.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-07-18: Re: [18.10 FEAT] Upgrade cryptsetup >= 2.0.3

#4

Download full text (16.0 KiB)

This bug was fixed in the package cryptsetup - 2:2.0.3-6ubuntu1

---------------
cryptsetup (2:2.0.3-6ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable. LP: #1781912.
  * Remaining changes:
    - debian/control:
      + Recommend plymouth.
      + Invert the "busybox | busybox-static" Recommends, as the latter
        is the one we ship in main as part of the ubuntu-standard task.
    - Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
      compatibility. LP: #1651818
  * Dropped changes, included in Debian:
    - Drop explicit libgcrypt20 dependency from libcryptsetup4.
    - Drop the CRYPTSETUP variable warning from the initramfs hook, as
      overlayroot package ships a dropin in conf-hooks.d triggering false
      warnings.
    - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    - Drop c99 std, as the default is now higher than that
  * Dropped changes, no longer needed:
    - Add maintscript to drop removed upstart system jobs.

cryptsetup (2:2.0.3-6) unstable; urgency=medium

  * debian/TODO.md: Remove mention of parent device detection for mdadm
    (#629236) as it's fixed since 2:2.0.3-2.
  * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
    fixes.
  * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
    add configure flag '--disable-internal-tests'. The internal test suite is
    run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
    variable contains the string "nocheck".
  * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
    When the 2nd column of a crypttab entry denodes a block special device,
    resolve the device but don't convert it to /dev/block/$major:$minor.
    (Closes: #903246.)
  * debian/initramfs/hooks/cryptroot:
    + Treat null device numbers as invalid in resolve_device(), cf.
      /Documentation/admin-guide/devices.txt in the kernel source tree.
    + generate_initrd_crypttab(): add '\n' to the local IFS since
      get_resume_devno() prints one major:minor pair per line.
  * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
    + Save process ID of the pcscd daemon at local-top stage, and kill it at
      local-bottom stage. Thanks to Pascal Vibet for the patch.
      (Closes: #903574.)
    + Fix path to the pcscd executable (the fix for #880750 was incomplete).
  * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
    since 2:2.0.3-2.
  * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
    $CRYPTTAB_NAME not $crypttarget).

cryptsetup (2:2.0.3-5) unstable; urgency=medium

  [ Jonas Meurer ]
  * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
    + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    + Drop c99 std, as the default is now higher than that
  * debian/control:
    + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
      libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.

  [ Guilhem Moulin ]
  * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
    disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
    crypttab(5).
  * debian/doc/crypttab...

This bug was fixed in the package cryptsetup - 2:2.0.3-6ubuntu1

---------------
cryptsetup (2:2.0.3-6ubuntu1) cosmic; urgency=low

* Merge from Debian unstable.  LP: #1781912.
  * Remaining changes:
    - debian/control:
      + Recommend plymouth.
      + Invert the "busybox | busybox-static" Recommends, as the latter
        is the one we ship in main as part of the ubuntu-standard task.
    - Apply patch from Trent Nelson to fix cryptroot-unlock for busybox
      compatibility. LP: #1651818
  * Dropped changes, included in Debian:
    - Drop explicit libgcrypt20 dependency from libcryptsetup4.
    - Drop the CRYPTSETUP variable warning from the initramfs hook, as
      overlayroot package ships a dropin in conf-hooks.d triggering false
      warnings.
    - Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    - Drop c99 std, as the default is now higher than that
  * Dropped changes, no longer needed:
    - Add maintscript to drop removed upstart system jobs.

cryptsetup (2:2.0.3-6) unstable; urgency=medium

* debian/TODO.md: Remove mention of parent device detection for mdadm
    (#629236) as it's fixed since 2:2.0.3-2.
  * debian/README.gnupg, debian/TODO.md, debian/doc/crypttab.xml: minor typo
    fixes.
  * debian/rules, debian/patches/disable-internal-tests.patch: Remove patch to
    add configure flag '--disable-internal-tests'.  The internal test suite is
    run by dh_auto_test(1), and it is skipped if DEB_BUILD_OPTIONS environment
    variable contains the string "nocheck".
  * debian/cryptdisks-functions, debian/initramfs/scripts/local-top/cryptroot:
    When the 2nd column of a crypttab entry denodes a block special device,
    resolve the device but don't convert it to /dev/block/$major:$minor.
    (Closes: #903246.)
  * debian/initramfs/hooks/cryptroot:
    + Treat null device numbers as invalid in resolve_device(), cf.
      /Documentation/admin-guide/devices.txt in the kernel source tree.
    + generate_initrd_crypttab(): add '\n' to the local IFS since
      get_resume_devno() prints one major:minor pair per line.
  * debian/initramfs/scripts/local-{top,bottom}/cryptopensc:
    + Save process ID of the pcscd daemon at local-top stage, and kill it at
      local-bottom stage.  Thanks to Pascal Vibet for the patch.
      (Closes: #903574.)
    + Fix path to the pcscd executable (the fix for #880750 was incomplete).
  * debian/README.opensc: Remove mention of 'README.openct.gz' as it's gone
    since 2:2.0.3-2.
  * debian/scripts/decrypt_opensc: Fix plymouth prompt message (use
    $CRYPTTAB_NAME not $crypttarget).

cryptsetup (2:2.0.3-5) unstable; urgency=medium

[ Jonas Meurer ]
  * debian/askpass.c, debian/scripts/passdev.c, debian/rules:
    + Drop _BSD_SOURCE in favor of _DEFAULT_SOURCE
    + Drop c99 std, as the default is now higher than that
  * debian/control:
    + Drop explicit dependencies on libgcrypt20 and libgpg-error0 from
      libcryptsetup12. They're pulled in by ${shlibs:Depends} automatically.

[ Guilhem Moulin ]
  * debian/initramfs/cryptroot-unlock: Keep looping forever (as long as the
    disk is locked) if the CRYPTTAB_OPTION_tries variable is set to 0, cf.
    crypttab(5).
  * debian/doc/crypttab.xml: Clarify that the 'readonly' flag sets up a
    read-only mapping.  Cf. `cryptsetup --readonly`.
  * debian/initramfs/hooks/cryptroot:
    + Fix generation of initrd crypttab(5) with `update-initramfs -u -v` for
      key files matching $KEYFILE_PATTERN, or when a 'keyscript' is specified
      in the crypttab options.  Regression since 2:2.0.3-2. (Closes: #902733.)
    + Avoid processing entries multiple times in get_crypttab_entry(), which
      could happen with 'keyscript=decrypt_derived' for instance.
    + Don't complain that the sysfs dir can't be found when the hook failed to
      normalize the device (another warning is shown already).
    + If source device is mapped (for instance if it's a logical volume), put
      its dm name into the initrd crypttab.  LVM2's local-block script doesn't
      work with UUIDs, and giving it a VG+LV is better anyway as we avoid to
      activate all volumes at initramfs stage. (Closes: #902943.)
  * debian/initramfs/conf-hook: Clarify that if KEYFILE_PATTERN if null or
    unset then no key file is copied.
  * debian/initramfs/*, debian/functions, debian/cryptdisks-functions:
    + Use major:minor device IDs internally, as this facilitate discovery of
      sysfs directories, and we don't have to take care of the udev mangling.
    + Decode octal sequences when reading /etc/crypttab or /etc/fstab.  This
      means that key files and option values can contain blanks and special
      characters encoded as octal sequences.
    + Refactor crypttab(5) parsing logic, to avoid duplication of boilerplate
      code.
  * debian/functions: If the key file is a symlink, warn about insecure
    permissions of the target, not the link itself.
  * debian/scripts/decrypt_derived: For devices with keys in the kernel
    keyring (e.g., LUKS2 by default), refuse to derive anything.
  * debian/patches/disable-internal-tests.patch: Add configure option
    '--disable-internal-tests' to disable the internal test suite.
  * debian/rules: Don't run upstream's internal test suite if
    $DEB_BUILD_OPTIONS contains the string "skip-internal-tests".  (Tests are
    still run by default.)
  * debian/cryptdisks-functions: Restore support for crypttab(5) entries with
    regular files as source device.  Regression since 2:2.0.3-2.
    (Closes: #902879.)
  * debian/control: Bump Standards-Version to 4.1.5 (no changes necessary).

cryptsetup (2:2.0.3-4) unstable; urgency=low

* debian/initramfs/hooks/cryptroot:
    + Fix typo in warning message. (Closes: #901971.)
    + sysfs_devdir(): don't croak when the normalized device pathname isn't of
      the form /dev/$blk.  This is the case in the Debian installer, where the
      devtmpfs pseudo-filesystem exposes /dev/mapper/$name as a block device
      instead of a symlink to /dev/dm-$index.
    + sysfs_devdir(): return /sys/dev/block/$maj:$min (a symlink pointing the
      sysfs directory corresponding to the device) rather than /sys/block/$blk.
      While the latter is present for mapped devices, it's not present for
      block devices corresponding to disk partitions.  See sysfs(5) for
      details. (Closes: #902183.)
    + get_crypttab_entry(): skip (harmless) warning if blkid_tag() fails to
      get the UUID of a dm-crypt device's slave (it's normal with plain
      dm-crypt devices).
    + get_crypttab_entry(): don't warn that key file doesn't exist if it's
      e.g., an existing character special device.
  * debian/functions:unlock_mapping(): translate crypttab(5) option
    'size=<size>' to `cryptsetup --key-size=<size>`, not `--size` (which
    doesn't set the key size but the size of the device in number of 512 byte
    sectors).  Regression since 2:2.0.3-2. (Closes: #902245.)
  * debian/initramfs/scripts/local-top/cryptroot, debian/cryptdisks-functions,
    debian/initramfs/cryptroot-unlock: Fix off-by-one unlock count.  Some
    keyscripts (such as decrypt_keyctl) don't work properly if on first try
    the CRYPTTAB_TRIED environment variable isn't set to 0.  Regression since
    2:2.0.3-2. (Closes: #902116.)
  * debian/scripts/decrypt_keyctl: replace the source device path with the
    mapped device name in messages, to match the new askpass behavior.

cryptsetup (2:2.0.3-3) unstable; urgency=low

[ Jonas Meurer ]
  * debian/*: run wrap-and-sort(1)
  * debian/control:
    + Add Conflicts and Breaks on 'cryptsetup-bin (<< 2:2.0.3-2)' to
      cryptsetup-run. Needed since we moved luksformat between the
      packages. (Closes: #901773)
    + Remove all traces of package 'cryptsetup-luks' from dependency
      headers. This package has never been part of an official Debian
      release and the time it existed is more than 12 years ago.
    + Remove Conflicts/Breaks headers from the split of cryptsetup into
      cryptsetup/cryptsetup-bin in release 2:1.4.1-3. The conflicting
      version is from Debian Wheezy, which means that there's three
      releases in between. We don't support dist-upgrades with skipped
      releases anyway.
    + Remove obsolete 'Breaks: hashalot (<< 0.3-2)' from cryptsetup-run.
    + Remove versioned depends of libcryptsetup12 on libgcrypt20 and
      libgpg-error0. Both versions are satisfied since more than three
      releases.
    + Remove versioned build-depends on docbook-xsl, dpkg-dev,
      libdevmapper-dev, libgcrypt20-dev and libtool. All versions are
      satisfied since more than three releases.
  * debian/*: Change maintainer contact address to @alioth-lists.debian.net.

[ Guilhem Moulin ]
  * debian/control: Replace 2:2.0.2-2 with 2:2.0.3-1 in Breaks/Replaces/Depends
    fields.  (2:2.0.2-2 was never released, the version we released after the
    package split was 2:2.0.3-1.)
  * debian/initramfs/cryptroot-script: exit immediately when
    /lib/cryptsetup/functions is not present. (Closes: #901830.)
  * debian/cryptsetup-run.prerm: use `dmsetup table --target crypt` to avoid
    manually excluding mapped devices using another subsystem.
  * d/initramfs/hooks/cryptroot:
    + Fix parser for cipher specifications in mapping table of crypt targets.
      In particular, the cipher mode wasn't parsed properly, potentially
      causing missing modules in initrd.img compiled with MODULES=dep.
      Regression introduced in 2:2.0.3-2.  (Closes: #901884.)
    + Print a warning when the mapping table specifies the cipher in kernel
      crypto API format ("capi:" prefix).  We don't support these yet.

cryptsetup (2:2.0.3-2) unstable; urgency=medium

The "nights are long in summer" cryptsetup sprint release :-)

Guilhem and Jonas hacked together for three days (and nights), refactored
  almost all of the cryptsetup packages, squashed (at least) 19 bugs and
  started work on several new features. Yay!

[ Guilhem Moulin ]
  * cryptsetup-initramfs: Demote "Depends: console-setup, kbd" to Recommends:
    (Closes: #901641.)
  * debian/initramfs/*-hook: complete refactoring. Common functions are now in
    /lib/cryptsetup/functions (source-able from shell scripts).
    (Closes: #784881.)
  * debian/initramfs/cryptroot-hook:
    + Use sysfs(5) block (resp. fs) hierarchies to detect slave dm-crypt
      devices such as LVM2 on top of LUKS (resp. multiple device filesystems
      such as btrfs).  This approach is more robust than parsing the output of
      `lvs` or `btrfs filesystem`.
    + Export relevant crypttab(5) snippet (for devices that need to be
      unlocked at initramfs stage) to the initramfs' /cryptroot/crypttab.
    + Print a warning inviting the user to uninstall 'cryptsetup-initramfs'
      if 1/ the CRYPTSETUP configuration option is unset or null (the
      default), and 2/ the hook didn't detect any device to be unlocked at
      initramfs stage.  The benefit is two-fold: it guides users through the
      package split, and warns them that their system might not reboot if the
      hook script didn't work properly.
  * Remove the 'decrypt_openct' keyscript since openct was last seen in
    oldoldstable, cf. #760258 (ROM).
  * debian/initramfs/cryptroot-script: refactoring, using functions from
    /lib/cryptsetup/functions. (Closes: #720952, #826124.)
    + One can disable the cryptsetup initramfs scripts for a particular boot
      by passing "cryptopts=" as kernel boot argument. (Closes: #873840.)
    + No longer sleep for a full minute after exceeding the maximum number of
      unlocking tries.  (This was added in 2:1.7.3-2 as an attempt to mitigate
      CVE-2016-4484.)  Instead, the script sleeps for 1 second after each failed
      attempt in order to defeat online brute-force attacks. (Closes: #898495.)
  * debian/README.initramfs: Remove mention that the initramfs scripts and the
    crypsetup binary are using a different hash algorithm for plain dm-crypt
    volumes.  This is no longer true since 2:1.0.6~pre1+svn45-1, cf. #406317.
  * debian/cryptdisks.functions:
    + Refactoring, using functions from /lib/cryptsetup/functions.
      (Closes: #859953, #891219.)
    + Install to /lib/cryptsetup/cryptdisks-functions.
  * crypttab(5):
    + Remove support for the 'precheck' option.  The precheck for LUKS devices
      is still hardcoded to `cryptsetup isLuks`; the script refuses to unlock
      non-LUKS devices (plain dm-crypt and tcrypt devices) containing a known
      filesystem (other that swap).
    + Don't ignore the 'plain' option: disable auto-detection and treat the
      device as a plain dm-crypt device. (Closes: #886007.)
    + Add support for some option aliases to unify with systemd's crypttab(5)
      options.  Namely, 'read-only' is an alias for 'readonly', 'key-slot=' is
      an alias for 'keyslot=', 'tcrypt-hidden' is an alias for 'tcrypthidden',
      and 'tcrypt-veracrypt' is an alias for 'veracrypt'.
    + Add support for 'keyfile-size=' and 'keyfile-offset=' options.
      (Closes: #849335.)
    + Source devices can now be specified using their PARTUUID or PARTLABEL,
      similar to fstab(5).
  * debian/scripts/cryptdisks_start: Add support for '-r'/'--readonly' switch
    to setup readonly mappings. (Closes: #782843.)
  * debian/scripts/cryptdisks_stop: Add support for closing multiple disks at
    once.  (Closes: #783194.)

[ Jonas Meurer ]
  * debian/doc/crypttab.xml:
    + Add a section about the different crypttab formats of our package and
      the systemd cryptsetup wrapper.
    + Document, which options are ignored by the initramfs scripts and which
      are unsupported by the systemd implementation. (Closes: #714380)
    + Clarify documentation of option 'tries'. It also applies when using
      keyscripts, not only with interactive passphrases. (Closes: #826127)
    + Make it obvious that in case a keyscript is configured, the third option
      is passed as argument to the keyscript. Mention the optional requirement
      to quote the value. (Closes: #826122)
    + Some minor wording improvements.
  * debian/control, debian/combat: Bump debhelper compatibility level to 11.
  * debian/rules:
    + Completely refactor the rules file, adapt to debhelper 11 style.
      (Closes: #901713)
    + Run the upstream build-time testsuite thanks to dh_auto_test.
    + Move the luksformat script from cryptsetup-bin to cryptsetup-run.
    + Install the bug-script into all packages.
    + No longer install the sysvinit initscripts into cryptsetup-udeb.
    + Remove many old build and compile flags, debhelper takes care of most of
      them nowadays.

cryptsetup (2:2.0.3-1) unstable; urgency=medium

[ Guilhem Moulin ]
  * Split cryptsetup package into cryptsetup-run (init scripts and libraries)
    and cryptsetup-initramfs (initramfs integration).  The 'cryptsetup'
    package is now a transitional dummy package.  (Closes: #783297.)
  * debian/cryptsetup-run.preinst: remove logic for rm_conffile
    /etc/udev/rules.d/z60_cryptsetup.rules, which was added for #493151 in
    2:1.0.6-5.
  * debian/cryptdisks.bash_completion: only complete cryptdisks_stop arguments
    with crypttab(5) targets that already exist, and only complete
    cryptdisks_start targets with crypttab(5) targets that don't exist yet.
    (Closes: #827200.)
  * debian/initramfs/cryptroot-hook:
    + use copy_file() from hook-functions to copy key files to the initrd.
      This ensures that relevant messages are printed in verbose mode.
      (Closes: #898516.)
    + remove backward compatibility support for setting CRYPTSETUP and
      KEYFILE_PATTERN in /etc/initramfs-tools/initramfs.conf.  Since 2:1.7.2-1
      they should be set in /etc/cryptsetup-initramfs/conf-hook.
    + add 'algif_skcipher' kernel module to large initramfs (if the MODULES
      variable isn't "dep").  That module is required for unlocking LUKS2
      devices.

[ Jonas Meurer ]
  * New upstream release 2.0.3
  * debian/control:
    - Bump standards-version to 4.1.4, no changes required
    - Change my mail address to 'jonas@freesources.org'
    - Change Vcs links to the new repository on salsa.debian.org
  * debian/README.source: minor improvements
  * debian/doc/crypttab.xml: Fix typo in manpage

-- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 16 Jul 2018 08:27:58 -0400

Changed in cryptsetup (Ubuntu):
status:	New → Fix Released

Revision history for this message

Frank Heimes (fheimes) wrote on 2018-07-18:

#5

It looks like the best (if not even the only feasible) way to get the required functionality from cryptsetup 2.0.3 that is needed for 'Pervasive encryption support' back to the bionic package is by specifying the a list of the needed commits - sorry to say that...

Frank Heimes (fheimes) on 2018-07-19

Changed in ubuntu-z-systems:
status:	Triaged → Fix Released

Revision history for this message

bugproxy (bugproxy) wrote on 2018-07-23: Comment bridged from LTC Bugzilla

#6

Download full text (6.2 KiB)

------- Comment From <email address hidden> 2018-07-23 03:56 EDT-------
These are the changes with 2.0.3

f34158250a Update Readme.md.
b7c2465887 Add link to ABI tracker.
a22a24bc98 Support detached header for cryptsetup-reencrypt.
fe058e2c27 Update reencrypt test to use option --type only when really needed.
fa8d5d1769 Remove losetup handling from reencrypt2 test.
2d2acda404 Add crypto backend vectors test.
4e19bc01d5 Fix test vectors test link.
5e0db46f17 Add Reed-Solomon user-space decoding lib.
dc58985ac6 Enable userspace FEC decoding in veritysetup.
5b7b1596a2 Add tests for veritysetup FEC userspace decoding.
3cf2da877f Refactor crypt_activate_by_keyfile_device_offset.
761a472b45 Remove missing digest condition from LUKS2 digest verification.
303fe886b7 Fix misleading param name in prototype.
7bee66fe36 Add new luks2 keyslot validation condition.
1e2ad19d68 Validate LUKS2 keyslot json before opening it.
8d1fb88a20 Fix return code and retry count for bad passphrase and non-tty input.
610c7858d6 Add explicit key conversion command
af0887fb48 Remove no passphrase error message from library.
86f4f4440a Reformat crypt_resize function.
c84983f91e Add simple luksConvertKey test.
fef5121cee veritysetup: add support for --check-at-most-once option.
ed2968e3e8 Add paes to ciphers that cannot be used for LUKS2 keyslot encryption.
103d75f773 configure.ac: fix bashisms
f7ad64a3d3 Move absolute path helper to m4 macro.
187170ec51 Check cipher before writing metadata (LUKS2).
f6f00b98a7 Always convert the whole last keyslot (including alignment).
f21ebaf839 Check LUKS2 conversion for luksmeta header.
23b01621ff Print better debug message for open with write mode.
869767a5cf Move general i/o code to stand-alone utility file.
fee1d659cf Fix wrong digest assignment to new LUKS2 (volume key) keyslot.
35d29b22c0 Move CRYPT_ANY_DIGEST definition.
622763b240 Fix memory leak on error path in cryptsetup-reencrypt.
4caef0dec7 Add new volume key flag to crypt_keyslot_add_by_key.
965e0237a3 Add basic test for CRYPT_VOLUME_KEY_SET flag.
169d45fbdb Move reading master key in command line utilities.
a63db4ab24 Add --master-key-file parameter to cryptsetup-reencrypt.
0891e84bf8 Add reencrypt tests for --master-key-file option.
255c8e8ff4 Avoid pbkdf benchmark on LUKS2 header down conversion.
3616ee50c0 Fix off by one bug in LUKS2 keyslot max id allocation.
48bf08922c Make all LUKS2 key size helpers return negative value on error.
fbf2d64f34 Allow crypt_volume_key_get for unbound keyslots.
eed682c529 Add fixme in luks2->luks1 convert code.
70077db07d Abort conversion when LUKS2 header contains tokens.
b11b11f9b0 Add test for LUKS2 conversion with tokens.
e5f72a0d4f Remove duplicate CRYPT_ANY_TOKEN define.
4eb75f3c80 Add debug message for failed external token validation.
d97302f351 Extend suspend tests for missing header case.
9a72ec366d Move generic ciper backend utilities to separate file.
6f6e1efbc8 Abort conversion when wrapped key cipher is used.
34b8a48252 Add stand-alone device suspend.
0b849985b2 Do not wipe keys for wrapped key enabled ciphers.
09842ce46f Update docs for crypt_keyslot_add_by_key.
f8a7ab1752 Add crypt_get_pbkdf_default() function to get...

------- Comment From heinz-werner_seeck@de.ibm.com 2018-07-23 03:56 EDT-------
These are the changes with  2.0.3

f34158250a Update Readme.md.
b7c2465887 Add link to ABI tracker.
a22a24bc98 Support detached header for cryptsetup-reencrypt.
fe058e2c27 Update reencrypt test to use option --type only when really needed.
fa8d5d1769 Remove losetup handling from reencrypt2 test.
2d2acda404 Add crypto backend vectors test.
4e19bc01d5 Fix test vectors test link.
5e0db46f17 Add Reed-Solomon user-space decoding lib.
dc58985ac6 Enable userspace FEC decoding in veritysetup.
5b7b1596a2 Add tests for veritysetup FEC userspace decoding.
3cf2da877f Refactor crypt_activate_by_keyfile_device_offset.
761a472b45 Remove missing digest condition from LUKS2 digest verification.
303fe886b7 Fix misleading param name in prototype.
7bee66fe36 Add new luks2 keyslot validation condition.
1e2ad19d68 Validate LUKS2 keyslot json before opening it.
8d1fb88a20 Fix return code and retry count for bad passphrase and non-tty input.
610c7858d6 Add explicit key conversion command
af0887fb48 Remove no passphrase error message from library.
86f4f4440a Reformat crypt_resize function.
c84983f91e Add simple luksConvertKey test.
fef5121cee veritysetup: add support for --check-at-most-once option.
ed2968e3e8 Add paes to ciphers that cannot be used for LUKS2 keyslot encryption.
103d75f773 configure.ac: fix bashisms
f7ad64a3d3 Move absolute path helper to m4 macro.
187170ec51 Check cipher before writing metadata (LUKS2).
f6f00b98a7 Always convert the whole last keyslot (including alignment).
f21ebaf839 Check LUKS2 conversion for luksmeta header.
23b01621ff Print better debug message for open with write mode.
869767a5cf Move general i/o code to stand-alone utility file.
fee1d659cf Fix wrong digest assignment to new LUKS2 (volume key) keyslot.
35d29b22c0 Move CRYPT_ANY_DIGEST definition.
622763b240 Fix memory leak on error path in cryptsetup-reencrypt.
4caef0dec7 Add new volume key flag to crypt_keyslot_add_by_key.
965e0237a3 Add basic test for CRYPT_VOLUME_KEY_SET flag.
169d45fbdb Move reading master key in command line utilities.
a63db4ab24 Add --master-key-file parameter to cryptsetup-reencrypt.
0891e84bf8 Add reencrypt tests for --master-key-file option.
255c8e8ff4 Avoid pbkdf benchmark on LUKS2 header down conversion.
3616ee50c0 Fix off by one bug in LUKS2 keyslot max id allocation.
48bf08922c Make all LUKS2 key size helpers return negative value on error.
fbf2d64f34 Allow crypt_volume_key_get for unbound keyslots.
eed682c529 Add fixme in luks2->luks1 convert code.
70077db07d Abort conversion when LUKS2 header contains tokens.
b11b11f9b0 Add test for LUKS2 conversion with tokens.
e5f72a0d4f Remove duplicate CRYPT_ANY_TOKEN define.
4eb75f3c80 Add debug message for failed external token validation.
d97302f351 Extend suspend tests for missing header case.
9a72ec366d Move generic ciper backend utilities to separate file.
6f6e1efbc8 Abort conversion when wrapped key cipher is used.
34b8a48252 Add stand-alone device suspend.
0b849985b2 Do not wipe keys for wrapped key enabled ciphers.
09842ce46f Update docs for crypt_keyslot_add_by_key.
f8a7ab1752 Add crypt_get_pbkdf_default() function to get per-type PBKDF default.
1f01754ea6 Update FIPS restrictions on crypt_volume_key_get
0c6129c54e Allow volume key store in a file with cryptsetup.
53dcee6176 Test dump of volume key in a file.
103fa8fa2c Remove redundant check for key file.
38d83c27b4 Add --unbound keyslot option to cryptsetup.
6ddf765d8d Remove example covered by cryptsetup already.
879403a172 Add tests for cryptsetup luksAddKey --unbound.
aa1551c6e8 Introduce CRYPT_SLOT_UNBOUND keyslot status for LUKS2.
08ee50403d Move reading keyslot pbkdf params in helper.
45356f5e12 Split keyslot update in separate functions.
790fdc0aa6 Add crypt_volume_key_get tests for unbound key.
22f10dd8d2 Remove custom made 'contains' helper from keyslot validation.
172af5465d Harden LUKS2 keyslot kdf section validation.
9b635a3e90 Cleanup LUKS2 keyslot specific validation.
6f83822b6e Validate all keyslot implementations after load and before write.
5b6f06b2ac Hide luks2 specific keyslot allocation from internal api.
a054206d25 Suppress useless slash escaping in json lib
dddd30bef8 Add paranoid check for accidental volume key length change.
f6be62ac5f Add repair for known glitches in LUKS2 json.
a702b7ccc5 Add new validation test for keyslot digest bond
7c70e6ce74 Add repair test for keyslot with kdf leftover params.
30754473fc Add API to get integrity current failure count for dm-integrity.
f049f719f8 Fix keyslot validation.
f63e1cfbfc Rename contains() to json_contains().
874c573bd4 Do not allow used block size larger than page size.
487965dc8a Fix LUKS convert on trimmed headers in file.
5a71c6f2eb Set devel version.
181f621a90 urlencode brackets in URL to VeraCrypt PIM docs
6002099288 tcryptDump: fix support for --veracrypt-pim
ef045f9f65 adjust KDF preference to VeraCrypt order
cac84abdd9 Merge branch 'urlencode-veracrypt-docs-link' into 'master'
f97eba6539 Merge branch 'tcryptDump-pim-support' into 'master'
487acbb573 Merge branch 'veracrypt-kdf-preference' into 'master'
1a6183d0c4 Fix non-translated string with default integrity algorithm macro.
0279d8f466 Update po files.
480c7178a8 Do not use trailing period in options help texts.
6997506bb9 Fix error messages and include benchmark string for translators.
10bb78458d Move EOL in tool verbose and error messages to log wrapper.
13796ee4c7 Add --with-default-luks-format configure time option.
19ac1dd393 Fix Veracrypt PIM iteration calculation for system volumes
321e840c1c Fix some signed/unsigned warnings.
e58883c183 Hide return code check fot fallocate (that can silenty fail in this context).
aee55b0595 Use fixed buffer in log function.
b00a87d8fa Remove trailing EOL for verbose and error messages.
daba04d54b Update po files.
a387557970 Introduce crypt_keyslot_get_key_size()
abcd3511bf Fix memory leak in luksKillSlot action.
7fede3ee45 Update po files.
2a1a773777 Fixes and workarounds for some Coverity scan reports.
f87ee5112a Fix check for AEAD cipher.
ddb844226d Run PBKDF2 benchmark always.
14f81cb275 Fix few typos in cryptsetup-reencrypt man page.
6b8e553ecc Remove subcondition for reencryption --keep-key parameter.
2565fedeb7 Add test for stand-alone --keep-key parameter.
1763260578 Update po files.

Andrew Cloke (andrew-cloke) on 2018-07-25

summary:

- [18.10 FEAT] Upgrade cryptsetup >= 2.0.3
+ Upgrade cryptsetup >= 2.0.3

Revision history for this message

Frank Heimes (fheimes) wrote on 2018-07-25:

#7

That seems to be a pretty long list of commit IDs, which is probably close to the entire diff between 2.0.2 and 2.0.3.
So please let me ask which *features* of cryptsetup 2.0.3 (and their corresponding commit IDs) are really required by IBM and 'Pervasive Encryption' for 18.04/bionic.
While looking into this again, please also keeping in mind that not all 2.0.3 features can simply be used and exploited by such an updated cryptsetup on bionic, because further needed infrastructure or components might be missing (like some tools that are only available in newer s390-tools versions).
We are obviously looking for a smaller set of commit IDs (actually for the smallest possible set).
Thx

Revision history for this message

bugproxy (bugproxy) wrote on 2018-08-06:

#8

------- Comment From <email address hidden> 2018-08-06 04:59 EDT-------
A new version of cryptsetup is avaiable 2.04. Does it make sense to create a new LP entry for this version, due to the fact, that this one is fix released, Or is it possible to upgrade the this new version..? Many thx in advance

Revision history for this message

Steve Langasek (vorlon) wrote on 2018-08-06: Re: [Bug 1781912] Comment bridged from LTC Bugzilla

#9

On Mon, Aug 06, 2018 at 09:09:56AM -0000, bugproxy wrote:
> ------- Comment From <email address hidden> 2018-08-06 04:59 EDT-------

> A new version of cryptsetup is avaiable 2.04. Does it make sense to
> create a new LP entry for this version, due to the fact, that this one is
> fix released, Or is it possible to upgrade the this new version..? Many
> thx in advance

If you are asking for an update to cryptsetup 2.0.4 in Ubuntu 18.10, please
file this as a separate bug report. Let's please reserve this one for the
question of what changes are needed in Ubuntu 18.04 for z protected keys.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer https://www.debian.org/
<email address hidden> <email address hidden>

Revision history for this message

bugproxy (bugproxy) wrote on 2018-08-20: Comment bridged from LTC Bugzilla

#10

------- Comment From <email address hidden> 2018-08-20 05:46 EDT-------
================================
== Request for Ubuntu 18.04 ===
================================

Prerequisites:
- pkey kernel module -> kernel 4.11
- paes cipher kernel module -> kernel 4.12

s390-tools
- zkey tool (first version) -> s390-tools-1.39.0
- zkey enhancements for secure key store -> s390-tools-2.4.0

- zkey-cryptsetup support for HSM master key change with LUKS2
this need to be backported due to -> s390-tools-2.6.0

- dm-crypt with protected keys (LUKS2 part in cryptsetup ) -> cryptsetup 2.0.3

/ect/crypttab Sector Size Support
Ubuntu: support f?r sector size parameter in Debian/Ubuntu crypttab parser shipped in distro specific cryptsetup package

-> not available yet , need to be done by Distro or crypttab parser maintainers

Installer support
The Ubuntu installer when suggesting to use encrypted disks on IBM Z the installer should support the option to use the PAES cipher using the paes-xts-plain64 cipher mode (with key sizes 512 bits or 1024 bits).

Before offering the the usage of the PAES cipher the installer should check whether a CCA adapter (CEX4C, CEX5C, CEX6X, ...) is available on the system.

For Ubuntu 18.04.x the following upgrades/backports are required
cryptsetup: upgrade version 2.0.2 to version >= 2.0.3
s390tools: backport
zkey as of version >= 2.4.0
zkey-cryptsetup as of version 2.6.0 (requires cryptsetup >= 2.0.3)
upgrade /etc/crypttab support

The Ubuntu 18.10 outlook is good wrt to protected key dm-crypt (PE for data at-rest).

Revision history for this message

Andrew Cloke (andrew-cloke) wrote on 2018-08-20:

#11

Please note that this comment has been posted against a bug that has been closed. If additional action is required, would it be possible to raise a new bug referencing this one if necessary?
Thanks.

Revision history for this message

bugproxy (bugproxy) wrote on 2018-08-20:

#12

------- Comment From <email address hidden> 2018-08-20 07:04 EDT-------
@Andrew. I used this bugzilla, due to the commend from Steve...

If you are asking for an update to cryptsetup 2.0.4 in Ubuntu 18.10, please
file this as a separate bug report.
!!!!!
Let's please reserve this one for the
question of what changes are needed in Ubuntu 18.04 for z protected keys.
!!!!!
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer https://www.debian.org/
<email address hidden> <email address hidden>

Please let me know, how Canonical would like to proceed here.
Many thanks in advance

Andrew Cloke (andrew-cloke) on 2018-08-20

Changed in ubuntu-z-systems:
status:	Fix Released → New

Revision history for this message

bugproxy (bugproxy) wrote on 2018-08-31:

#13

------- Comment From <email address hidden> 2018-08-31 07:47 EDT-------
*** Bug 169752 has been marked as a duplicate of this bug. ***

Revision history for this message

Frank Heimes (fheimes) wrote on 2018-09-20:

#14

Since there are some discussions going on about bringing cryptsetup 2.0.3 features back to bionic I'm changing the ubuntu-z-systems entry to 'Opinion' - for now.

Changed in ubuntu-z-systems:
status:	New → Opinion

Frank Heimes (fheimes) on 2019-08-15

Changed in ubuntu-z-systems:
status:	Opinion → Won't Fix

Revision history for this message

bugproxy (bugproxy) wrote on 2019-08-15:

#15

------- Comment From <email address hidden> 2019-08-15 09:16 EDT-------
This feature was made available with Cosmic (18.10). The request of having it in 18.04 need to be driven by a dedicated customer. Currently, no officail request know from my side. Therefore we can close, the feature request.
If new information will come up, a new LP will be created.
Once you close it on LP side. I will close it here..
Many thanks in advance

Revision history for this message

bugproxy (bugproxy) wrote on 2019-08-15:

#16

------- Comment From <email address hidden> 2019-08-15 09:28 EDT-------
IBM Bugzilla status -> closed, Fix Released for Cosmic....

Ubuntu
cryptsetup package

Upgrade cryptsetup >= 2.0.3

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu on IBM z Systems	Won't Fix	High	Canonical Foundations Team
	cryptsetup (Ubuntu)	Fix Released	Undecided	Skipper Bug Screeners

Ubuntucryptsetup package

Upgrade cryptsetup >= 2.0.3

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
cryptsetup package