libcryptsetup_cflags = libcryptsetup.partial_dependency(includes: true, compile_args: true)
have = libcryptsetup.found()
-foreach ident : ['crypt_set_metadata_size',
- 'crypt_activate_by_signed_key',
- 'crypt_token_max',
- 'crypt_reencrypt_init_by_passphrase',
- 'crypt_reencrypt',
- 'crypt_reencrypt_run',
- 'crypt_set_data_offset',
- 'crypt_set_keyring_to_link',
- 'crypt_resume_by_volume_key',
- 'crypt_token_set_external_path']
+conf.set10('HAVE_LIBCRYPTSETUP', have)
+
+foreach ident : [
+ 'crypt_activate_by_token_pin', # 2.4
+ 'crypt_logf', # 2.4
+ 'crypt_reencrypt_run', # 2.4
+ 'crypt_token_external_path', # 2.4
+ 'crypt_token_max', # 2.4
+ 'crypt_set_keyring_to_link', # 2.7
+ 'crypt_token_set_external_path', # 2.7
+ ]
+
have_ident = have and cc.has_function(
ident,
prefix : '#include <libcryptsetup.h>',
- # crypt_reencrypt() raises a deprecation warning so make sure -Wno-deprecated-declarations is
- # specified otherwise we fail to detect crypt_reencrypt() if -Werror is used.
- args : '-Wno-deprecated-declarations',
dependencies : libcryptsetup)
conf.set10('HAVE_' + ident.to_upper(), have_ident)
endforeach
-conf.set10('HAVE_LIBCRYPTSETUP', have)
-if meson.version().version_compare('>=1.3.0')
- have = (cc.has_function(
- 'crypt_activate_by_token_pin',
- prefix : '#include <libcryptsetup.h>',
- dependencies : libcryptsetup,
- required : libcryptsetup_plugins) and
- cc.has_function(
- 'crypt_token_external_path',
- prefix : '#include <libcryptsetup.h>',
- dependencies : libcryptsetup,
- required : libcryptsetup_plugins))
-else
- if libcryptsetup_plugins.allowed()
- have = (cc.has_function(
- 'crypt_activate_by_token_pin',
- prefix : '#include <libcryptsetup.h>',
- dependencies : libcryptsetup) and
- cc.has_function(
- 'crypt_token_external_path',
- prefix : '#include <libcryptsetup.h>',
- dependencies : libcryptsetup))
- else
- have = false
- endif
-endif
-conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS', have)
+conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS',
+ libcryptsetup_plugins.allowed() and
+ conf.get('HAVE_CRYPT_ACTIVATE_BY_TOKEN_PIN') == 1 and
+ conf.get('HAVE_CRYPT_LOGF') == 1 and
+ conf.get('HAVE_CRYPT_TOKEN_EXTERNAL_PATH') == 1)
libcurl = dependency('libcurl',
version : '>= 7.32.0',
have = get_option('homed').require(
conf.get('HAVE_OPENSSL') == 1 and
conf.get('HAVE_LIBFDISK') == 1 and
- conf.get('HAVE_LIBCRYPTSETUP') == 1 and
- conf.get('HAVE_CRYPT_RESUME_BY_VOLUME_KEY') == 1,
+ conf.get('HAVE_LIBCRYPTSETUP') == 1,
error_message : 'openssl, fdisk and libcryptsetup required').allowed()
conf.set10('ENABLE_HOMED', have)
if (r < 0)
return log_error_errno(r, "Failed to generate volume key: %m");
-#if HAVE_CRYPT_SET_METADATA_SIZE
/* Increase the metadata space to 4M, the largest LUKS2 supports */
r = sym_crypt_set_metadata_size(cd, 4096U*1024U, 0);
if (r < 0)
return log_error_errno(r, "Failed to change LUKS2 metadata size: %m");
-#endif
build_good_pbkdf(&good_pbkdf, hr);
build_minimal_pbkdf(&minimal_pbkdf, hr);
}
static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
+#if HAVE_LIBCRYPTSETUP
const char *node = partition_target_path(target);
struct crypt_params_luks2 luks_params = {
.label = strempty(ASSERT_PTR(p)->new_label),
static void *cryptsetup_dl = NULL;
DLSYM_PROTOTYPE(crypt_activate_by_passphrase) = NULL;
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
DLSYM_PROTOTYPE(crypt_activate_by_signed_key) = NULL;
-#endif
DLSYM_PROTOTYPE(crypt_activate_by_volume_key) = NULL;
DLSYM_PROTOTYPE(crypt_deactivate_by_name) = NULL;
DLSYM_PROTOTYPE(crypt_format) = NULL;
DLSYM_PROTOTYPE(crypt_keyslot_max) = NULL;
DLSYM_PROTOTYPE(crypt_load) = NULL;
DLSYM_PROTOTYPE(crypt_resize) = NULL;
-#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
DLSYM_PROTOTYPE(crypt_resume_by_volume_key) = NULL;
-#endif
DLSYM_PROTOTYPE(crypt_set_data_device) = NULL;
DLSYM_PROTOTYPE(crypt_set_debug_level) = NULL;
DLSYM_PROTOTYPE(crypt_set_log_callback) = NULL;
-#if HAVE_CRYPT_SET_METADATA_SIZE
DLSYM_PROTOTYPE(crypt_set_metadata_size) = NULL;
-#endif
DLSYM_PROTOTYPE(crypt_set_pbkdf_type) = NULL;
DLSYM_PROTOTYPE(crypt_suspend) = NULL;
DLSYM_PROTOTYPE(crypt_token_json_get) = NULL;
#endif
DLSYM_PROTOTYPE(crypt_token_status) = NULL;
DLSYM_PROTOTYPE(crypt_volume_key_get) = NULL;
-#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase) = NULL;
-#endif
#if HAVE_CRYPT_REENCRYPT_RUN
DLSYM_PROTOTYPE(crypt_reencrypt_run);
-#elif HAVE_CRYPT_REENCRYPT
+#else
DLSYM_PROTOTYPE(crypt_reencrypt);
#endif
DLSYM_PROTOTYPE(crypt_metadata_locking) = NULL;
-#if HAVE_CRYPT_SET_DATA_OFFSET
DLSYM_PROTOTYPE(crypt_set_data_offset) = NULL;
-#endif
DLSYM_PROTOTYPE(crypt_header_restore) = NULL;
DLSYM_PROTOTYPE(crypt_volume_key_keyring) = NULL;
r = dlopen_many_sym_or_warn(
&cryptsetup_dl, "libcryptsetup.so.12", LOG_DEBUG,
DLSYM_ARG(crypt_activate_by_passphrase),
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
DLSYM_ARG(crypt_activate_by_signed_key),
-#endif
DLSYM_ARG(crypt_activate_by_volume_key),
DLSYM_ARG(crypt_deactivate_by_name),
DLSYM_ARG(crypt_format),
DLSYM_ARG(crypt_keyslot_max),
DLSYM_ARG(crypt_load),
DLSYM_ARG(crypt_resize),
-#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
DLSYM_ARG(crypt_resume_by_volume_key),
-#endif
DLSYM_ARG(crypt_set_data_device),
DLSYM_ARG(crypt_set_debug_level),
DLSYM_ARG(crypt_set_log_callback),
-#if HAVE_CRYPT_SET_METADATA_SIZE
DLSYM_ARG(crypt_set_metadata_size),
-#endif
DLSYM_ARG(crypt_set_pbkdf_type),
DLSYM_ARG(crypt_suspend),
DLSYM_ARG(crypt_token_json_get),
#endif
DLSYM_ARG(crypt_token_status),
DLSYM_ARG(crypt_volume_key_get),
-#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
-#endif
#if HAVE_CRYPT_REENCRYPT_RUN
DLSYM_ARG(crypt_reencrypt_run),
-#elif HAVE_CRYPT_REENCRYPT
+#else
DLSYM_ARG(crypt_reencrypt),
#endif
DLSYM_ARG(crypt_metadata_locking),
-#if HAVE_CRYPT_SET_DATA_OFFSET
DLSYM_ARG(crypt_set_data_offset),
-#endif
DLSYM_ARG(crypt_header_restore),
DLSYM_ARG(crypt_volume_key_keyring));
if (r <= 0)
#endif
extern DLSYM_PROTOTYPE(crypt_activate_by_passphrase);
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
extern DLSYM_PROTOTYPE(crypt_activate_by_signed_key);
-#endif
extern DLSYM_PROTOTYPE(crypt_activate_by_volume_key);
extern DLSYM_PROTOTYPE(crypt_deactivate_by_name);
extern DLSYM_PROTOTYPE(crypt_format);
extern DLSYM_PROTOTYPE(crypt_keyslot_max);
extern DLSYM_PROTOTYPE(crypt_load);
extern DLSYM_PROTOTYPE(crypt_resize);
-#if HAVE_CRYPT_RESUME_BY_VOLUME_KEY
extern DLSYM_PROTOTYPE(crypt_resume_by_volume_key);
-#endif
extern DLSYM_PROTOTYPE(crypt_set_data_device);
extern DLSYM_PROTOTYPE(crypt_set_debug_level);
extern DLSYM_PROTOTYPE(crypt_set_log_callback);
-#if HAVE_CRYPT_SET_METADATA_SIZE
extern DLSYM_PROTOTYPE(crypt_set_metadata_size);
-#endif
extern DLSYM_PROTOTYPE(crypt_set_pbkdf_type);
extern DLSYM_PROTOTYPE(crypt_suspend);
extern DLSYM_PROTOTYPE(crypt_token_json_get);
#endif
extern DLSYM_PROTOTYPE(crypt_token_status);
extern DLSYM_PROTOTYPE(crypt_volume_key_get);
-#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
extern DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
-#endif
#if HAVE_CRYPT_REENCRYPT_RUN
extern DLSYM_PROTOTYPE(crypt_reencrypt_run);
-#elif HAVE_CRYPT_REENCRYPT
+#else
extern DLSYM_PROTOTYPE(crypt_reencrypt);
#endif
extern DLSYM_PROTOTYPE(crypt_metadata_locking);
-#if HAVE_CRYPT_SET_DATA_OFFSET
extern DLSYM_PROTOTYPE(crypt_set_data_offset);
-#endif
extern DLSYM_PROTOTYPE(crypt_header_restore);
extern DLSYM_PROTOTYPE(crypt_volume_key_keyring);
memcmp(root_hash_existing, verity->root_hash, verity->root_hash_size) != 0)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Error opening verity device, it already exists but root hashes are different.");
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
/* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the
* same settings, so that a previous unsigned mount will not be reused if the user asks to use
* signing for the new one, and vice versa. */
if (!!verity->root_hash_sig != !!(crypt_params.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE))
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Error opening verity device, it already exists but signature settings are not the same.");
-#endif
*ret_cd = TAKE_PTR(cd);
return 0;
check_signature = false;
if (check_signature) {
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
/* First, if we have support for signed keys in the kernel, then try that first. */
r = sym_crypt_activate_by_signed_key(
cd,
* -ENOKEY, which means "password required, but I have none". */
if (r == -ENOKEY)
r = -EDESTADDRREQ;
-#else
- log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.",
- program_invocation_short_name);
- r = 0; /* Set for the propagation below */
-#endif
/* So this didn't work via the kernel, then let's try userspace validation instead. If that
* works we'll try to activate without telling the kernel the signature. */
else
return false;
- if (!HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY)
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Activation of verity device with signature requested, but cryptsetup does not support crypt_activate_by_signed_key().");
-
free_and_replace(arg_root_hash_signature, rhs);
arg_root_hash_signature_size = rhss;
arg_root_hash_signature_auto = set_auto;
return log_error_errno(r, "Failed to configure data device: %m");
if (arg_root_hash_signature_size > 0) {
-#if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
r = crypt_activate_by_signed_key(cd, volume, rh, rh_size, arg_root_hash_signature, arg_root_hash_signature_size, arg_activate_flags);
if (r < 0) {
log_info_errno(r, "Unable to activate verity device '%s' with root hash signature (%m), retrying without.", volume);
log_info("Activation of verity device '%s' succeeded without root hash signature.", volume);
}
-#else
- assert_not_reached();
-#endif
} else
r = crypt_activate_by_volume_key(cd, volume, rh, rh_size, arg_activate_flags);
if (r < 0)
projects / thirdparty / systemd.git / commitdiff
