From: Yu Watanabe
Date: Sun, 17 Aug 2025 12:22:16 +0000 (+0900)
Subject: Bump required minimum version of cryptsetup to 2.4.0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23c82484e7f91c7088bfa29581ed42f851bfdc57;p=thirdparty%2Fsystemd.git
Bump required minimum version of cryptsetup to 2.4.0
Major distributions already have cryptsetup newer than 2.4.0. Let's bump the minimal required version. Note, cryptsetup 2.4.0 was released on 2021-08-18. See also #38608.
---
diff --git a/README b/README
index a75f4175e90..9492d717dec 100644
--- a/README
+++ b/README
@@ -219,8 +219,7 @@ REQUIREMENTS:
 libblkid >= 2.37 (from util-linux) (optional)
 libkmod >= 15 (optional)
 PAM >= 1.1.2 (optional)
- libcryptsetup >= 2.0.1 (optional),
- >= 2.3.0 is required for signed Verity images support
+ libcryptsetup >= 2.4.0 (optional),
 libaudit (optional)
 libacl (optional)
 libbpf >= 0.1.0 (optional),
diff --git a/meson.build b/meson.build
index 96197002d1c..26b6fea22ca 100644
--- a/meson.build
+++ b/meson.build
@@ -1276,19 +1276,16 @@ if libcryptsetup_plugins.enabled()
 endif
 libcryptsetup = dependency('libcryptsetup',
- version : libcryptsetup_plugins.enabled() ? '>= 2.4.0' : '>= 2.0.1',
+ version : '>= 2.4.0',
 required : libcryptsetup)
 libcryptsetup_cflags = libcryptsetup.partial_dependency(includes: true, compile_args: true)
 have = libcryptsetup.found()
 conf.set10('HAVE_LIBCRYPTSETUP', have)
+conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS',
+ libcryptsetup_plugins.allowed() and have)
 foreach ident : [
- 'crypt_activate_by_token_pin', # 2.4
- 'crypt_logf', # 2.4
- 'crypt_reencrypt_run', # 2.4
- 'crypt_token_external_path', # 2.4
- 'crypt_token_max', # 2.4
 'crypt_set_keyring_to_link', # 2.7
 'crypt_token_set_external_path', # 2.7
 ]
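Review bot: In the meson.build hunk, `HAVE_LIBCRYPTSETUP_PLUGINS` is now set from `libcryptsetup_plugins.allowed() and have` alone, so the presence of `crypt_activate_by_token_pin`, `crypt_logf` and `crypt_token_external_path` is guaranteed only by the `version : '>= 2.4.0'` constraint a few lines above, and nothing in the new code says so. A comment on the `conf.set10` call would tie the two together, for example `# No per-symbol probes: the token plugin API is covered by the >= 2.4.0 requirement above`, so that a later change to the version floor is not made without revisiting this define. The `foreach ident` list that follows is closed inside the hunk, but the loop body lies outside it.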
@@ -1300,12 +1297,6 @@ foreach ident : [
 conf.set10('HAVE_' + ident.to_upper(), have_ident)
 endforeach
-conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS',
- libcryptsetup_plugins.allowed() and
- conf.get('HAVE_CRYPT_ACTIVATE_BY_TOKEN_PIN') == 1 and
- conf.get('HAVE_CRYPT_LOGF') == 1 and
- conf.get('HAVE_CRYPT_TOKEN_EXTERNAL_PATH') == 1)
-
 libcurl = dependency('libcurl',
 version : '>= 7.32.0',
 required : get_option('libcurl'))
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index eb545fd0234..e61f4b4606a 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -331,11 +331,8 @@ static int parse_one_option(const char *option) {
 arg_no_write_workqueue = true;
 else if (streq(option, "luks"))
 arg_type = ANY_LUKS;
-/* since cryptsetup 2.3.0 (Feb 2020) */
-#ifdef CRYPT_BITLK
 else if (streq(option, "bitlk"))
 arg_type = CRYPT_BITLK;
-#endif
 else if (streq(option, "tcrypt"))
 arg_type = CRYPT_TCRYPT;
 else if (STR_IN_SET(option, "tcrypt-hidden", "tcrypthidden")) {
@@ -2492,11 +2489,9 @@ static uint32_t determine_flags(void) {
 if (arg_no_write_workqueue)
 flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
-#ifdef CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF
 /* Try to decrease the risk of OOM event if memory hard key derivation function is in use */
 /* https://gitlab.com/cryptsetup/cryptsetup/issues/446/ */
 flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF;
-#endif
 return flags;
 }
@@ -2672,14 +2667,11 @@ static int verb_attach(int argc, char *argv[], void *userdata) {
 }
 }
-/* since cryptsetup 2.3.0 (Feb 2020) */
-#ifdef CRYPT_BITLK
 if (streq_ptr(arg_type, CRYPT_BITLK)) {
 r = crypt_load(cd, CRYPT_BITLK, NULL);
 if (r < 0)
 return log_error_errno(r, "Failed to load Bitlocker superblock on device %s: %m", crypt_get_device_name(cd));
 }
-#endif
 bool use_cached_passphrase = true, try_discover_key = !key_file;
 const char *discovered_key_fn = strjoina(volume, ".key");
diff --git a/src/repart/repart.c b/src/repart/repart.c
index e3a6e7efafe..706349a2cf4 100644
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@@ -5442,11 +5442,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
 if (r < 0)
 return log_error_errno(r, "Failed to load reencryption context: %m");
-#if HAVE_CRYPT_REENCRYPT_RUN
 r = sym_crypt_reencrypt_run(cd, NULL, NULL);
-#else
- r = sym_crypt_reencrypt(cd, NULL);
-#endif
 if (r < 0)
 return log_error_errno(r, "Failed to encrypt %s: %m", node);
 } else {
@@ -5507,7 +5503,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
 return 0;
 #else
 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "libcryptsetup is not supported or is missing required symbols, cannot encrypt.");
+ "libcryptsetup is not supported, cannot encrypt.");
 #endif
 }
diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
index 90e98c1b837..5d99edd52d1 100644
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -39,11 +39,7 @@ DLSYM_PROTOTYPE(crypt_keyslot_max) = NULL;
 DLSYM_PROTOTYPE(crypt_load) = NULL;
 DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL;
 DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL;
-#if HAVE_CRYPT_REENCRYPT_RUN
 DLSYM_PROTOTYPE(crypt_reencrypt_run);
-#else
-DLSYM_PROTOTYPE(crypt_reencrypt);
-#endif
 DLSYM_PROTOTYPE(crypt_resize) = NULL;
 DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL;
 DLSYM_PROTOTYPE(crypt_set_data_device) = NULL;
@@ -55,15 +51,7 @@ DLSYM_PROTOTYPE(crypt_set_pbkdf_type) = NULL;
 DLSYM_PROTOTYPE(crypt_suspend) = NULL;
 DLSYM_PROTOTYPE(crypt_token_json_get) = NULL;
 DLSYM_PROTOTYPE(crypt_token_json_set) = NULL;
-#if HAVE_CRYPT_TOKEN_MAX
 DLSYM_PROTOTYPE(crypt_token_max) = NULL;
-#else
-int crypt_token_max(_unused_ const char *type) {
- assert(streq(type, CRYPT_LUKS2));
-
- return 32;
-}
-#endif
 #if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
 DLSYM_PROTOTYPE(crypt_token_set_external_path) = NULL;
 #endif
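Review bot: In the first cryptsetup-util.c hunk, `DLSYM_PROTOTYPE(crypt_reencrypt_run);` is now compiled unconditionally yet remains the only entry in the visible list without the `= NULL` initializer its neighbours have. The macro is defined outside this page, so this is presumably equivalent for a file-scope object, but `DLSYM_PROTOTYPE(crypt_reencrypt_run) = NULL;` would keep the list uniform and make it obvious that the pointer is unset until dlopen_cryptsetup() resolves it. The list starts and ends outside the hunk.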
@@ -252,11 +240,7 @@ int dlopen_cryptsetup(void) {
 DLSYM_ARG(crypt_load),
 DLSYM_ARG(crypt_metadata_locking),
 DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
-#if HAVE_CRYPT_REENCRYPT_RUN
 DLSYM_ARG(crypt_reencrypt_run),
-#else
- DLSYM_ARG(crypt_reencrypt),
-#endif
 DLSYM_ARG(crypt_resize),
 DLSYM_ARG(crypt_resume_by_volume_key),
 DLSYM_ARG(crypt_set_data_device),
@@ -268,9 +252,7 @@ int dlopen_cryptsetup(void) {
 DLSYM_ARG(crypt_suspend),
 DLSYM_ARG(crypt_token_json_get),
 DLSYM_ARG(crypt_token_json_set),
-#if HAVE_CRYPT_TOKEN_MAX
 DLSYM_ARG(crypt_token_max),
-#endif
 #if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
 DLSYM_ARG(crypt_token_set_external_path),
 #endif
diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
index 7c520497967..e42debeeb46 100644
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -7,14 +7,6 @@
 #if HAVE_LIBCRYPTSETUP
 #include /* IWYU pragma: export */
-/* These next two are defined in libcryptsetup.h from cryptsetup version 2.3.4 forwards. */
-#ifndef CRYPT_ACTIVATE_NO_READ_WORKQUEUE
-#define CRYPT_ACTIVATE_NO_READ_WORKQUEUE (1 << 24)
-#endif
-#ifndef CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE
-#define CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE (1 << 25)
-#endif
-
 extern DLSYM_PROTOTYPE(crypt_activate_by_passphrase);
 extern DLSYM_PROTOTYPE(crypt_activate_by_signed_key);
 extern DLSYM_PROTOTYPE(crypt_activate_by_volume_key);
@@ -39,11 +31,7 @@ extern DLSYM_PROTOTYPE(crypt_keyslot_max);
 extern DLSYM_PROTOTYPE(crypt_load);
 extern DLSYM_PROTOTYPE(crypt_metadata_locking);
 extern DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
-#if HAVE_CRYPT_REENCRYPT_RUN
 extern DLSYM_PROTOTYPE(crypt_reencrypt_run);
-#else
-extern DLSYM_PROTOTYPE(crypt_reencrypt);
-#endif
 extern DLSYM_PROTOTYPE(crypt_resize);
 extern DLSYM_PROTOTYPE(crypt_resume_by_volume_key);
 extern DLSYM_PROTOTYPE(crypt_set_data_device);
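Review bot: In dlopen_cryptsetup(), `DLSYM_ARG(crypt_reencrypt_run)` and, in the next hunk, `DLSYM_ARG(crypt_token_max)` are now listed unconditionally, so the library found at run time has to export both, not just the one checked at build time by the `>= 2.4.0` constraint. The call these arguments belong to starts and ends outside the hunks, so how a missing symbol is handled is not visible here; if the whole load is rejected, an older runtime library would turn off every libcryptsetup-backed feature rather than only re-encryption. A short comment above the list, such as `/* Every symbol below is mandatory: libcryptsetup >= 2.4.0 is required at run time too */`, would record that for packagers.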
@@ -55,13 +43,7 @@ extern DLSYM_PROTOTYPE(crypt_set_pbkdf_type);
 extern DLSYM_PROTOTYPE(crypt_suspend);
 extern DLSYM_PROTOTYPE(crypt_token_json_get);
 extern DLSYM_PROTOTYPE(crypt_token_json_set);
-#if HAVE_CRYPT_TOKEN_MAX
 extern DLSYM_PROTOTYPE(crypt_token_max);
-#else
-/* As a fallback, use the same hard-coded value libcryptsetup uses internally. */
-int crypt_token_max(_unused_ const char *type);
-#define sym_crypt_token_max(type) crypt_token_max(type)
-#endif
 #if HAVE_CRYPT_TOKEN_SET_EXTERNAL_PATH
 extern DLSYM_PROTOTYPE(crypt_token_set_external_path);
 #endif
diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c
index 586af5c6238..91b5bcaaa28 100644
--- a/src/veritysetup/veritysetup.c
+++ b/src/veritysetup/veritysetup.c
@@ -161,14 +161,10 @@ static int parse_options(const char *options) {
 arg_activate_flags |= CRYPT_ACTIVATE_RESTART_ON_CORRUPTION;
 else if (streq(word, "ignore-zero-blocks"))
 arg_activate_flags |= CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS;
-#ifdef CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE
 else if (streq(word, "check-at-most-once"))
 arg_activate_flags |= CRYPT_ACTIVATE_CHECK_AT_MOST_ONCE;
-#endif
-#ifdef CRYPT_ACTIVATE_PANIC_ON_CORRUPTION
 else if (streq(word, "panic-on-corruption"))
 arg_activate_flags |= CRYPT_ACTIVATE_PANIC_ON_CORRUPTION;
-#endif
 else if ((val = startswith(word, "superblock="))) {
 r = parse_boolean(val);