From: Daan De Meyer Date: Thu, 13 Oct 2022 12:36:06 +0000 (+0200) Subject: repart: Let libcryptsetup calculate the volume key X-Git-Tag: v253-rc1~520^2~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=98e0456ec04c2b210291f41f6d8f8527263e0c67;p=thirdparty%2Fsystemd.git repart: Let libcryptsetup calculate the volume key We also bump the volume key size to 512 bits.
---
diff --git a/src/partition/repart.c b/src/partition/repart.c
index d0420435761..edc085dc152 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -90,6 +90,9 @@
 /* LUKS2 takes off 16M of the partition size with its metadata by default */
 #define LUKS2_METADATA_SIZE (16ULL*1024ULL*1024ULL)
 
+/* LUKS2 volume key size. */
+#define VOLUME_KEY_SIZE (512ULL/8ULL)
+
 /* Note: When growing and placing new partitions we always align to 4K sector size. It's how newer hard disks
 * are designed, and if everything is aligned to that performance is best. And for older hard disks with 512B
 * sector size devices were generally assumed to have an even number of sectors, hence at the worst we'll
@@ -2991,9 +2994,7 @@ static int partition_encrypt(
 int *ret_fd) {
 #if HAVE_LIBCRYPTSETUP
 _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
- _cleanup_(erase_and_freep) void *volume_key = NULL;
 _cleanup_free_ char *dm_name = NULL, *vol = NULL;
- size_t volume_key_size = 256 / 8;
 sd_id128_t uuid;
 int r;
 
@@ -3022,14 +3023,6 @@ static int partition_encrypt(
 
 log_info("Encrypting future partition %" PRIu64 "...", p->partno);
 
- volume_key = malloc(volume_key_size);
- if (!volume_key)
- return log_oom();
-
- r = crypto_random_bytes(volume_key, volume_key_size);
- if (r < 0)
- return log_error_errno(r, "Failed to generate volume key: %m");
-
 r = sym_crypt_init(&cd, node);
 if (r < 0)
 return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
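Review bot: The comment on the new `VOLUME_KEY_SIZE` define in the `@@ -90,6 +90,9 @@` hunk does not say that the value is a byte count, nor what the 512 bits mean for the cipher. The later hunks pass it next to `"aes"` and `"xts-plain64"`, and XTS splits its key into two halves, so 512 bits selects AES-256 where the previous 256-bit key gave AES-128. I would spell that out, e.g. `/* LUKS2 volume key size in bytes: 512 bits, which aes-xts splits into two 256-bit halves (AES-256). */`.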
@@ -3041,8 +3034,8 @@ static int partition_encrypt(
 "aes",
 "xts-plain64",
 SD_ID128_TO_UUID_STRING(uuid),
- volume_key,
- volume_key_size,
+ NULL,
+ VOLUME_KEY_SIZE,
 &(struct crypt_params_luks2) {
 .label = strempty(p->new_label),
 .sector_size = context->sector_size,
@@ -3054,8 +3047,8 @@ static int partition_encrypt(
 r = sym_crypt_keyslot_add_by_volume_key(
 cd,
 CRYPT_ANY_SLOT,
- volume_key,
- volume_key_size,
+ NULL,
+ VOLUME_KEY_SIZE,
 strempty(arg_key),
 arg_key_size);
 if (r < 0)
@@ -3108,8 +3101,8 @@ static int partition_encrypt(
 keyslot = sym_crypt_keyslot_add_by_volume_key(
 cd,
 CRYPT_ANY_SLOT,
- volume_key,
- volume_key_size,
+ NULL,
+ VOLUME_KEY_SIZE,
 base64_encoded,
 strlen(base64_encoded));
 if (keyslot < 0)
@@ -3141,8 +3134,8 @@ static int partition_encrypt(
 r = sym_crypt_activate_by_volume_key(
 cd,
 dm_name,
- volume_key,
- volume_key_size,
+ NULL,
+ VOLUME_KEY_SIZE,
 arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
 if (r < 0)
 return log_error_errno(r, "Failed to activate LUKS superblock: %m");
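Review bot: Nothing in the new code records or pins which random source now produces the volume key. With `NULL` in the key position of the call edited in the `@@ -3041,8 +3034,8 @@` hunk (its first line is outside the hunk, presumably the format call), generation moves from the `crypto_random_bytes()` call removed earlier in this patch to libcryptsetup. As far as I know, libcryptsetup takes its key RNG from a build-time default that `crypt_set_rng_type()` can override per context, so if this path can run early in boot it is worth confirming that the source waits for an initialised kernel pool. I would add a comment above the argument, e.g. `/* volume_key=NULL: libcryptsetup generates the key itself */`.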
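Review bot: The bare `NULL` in the volume-key position of `sym_crypt_keyslot_add_by_volume_key()` in the `@@ -3054,8 +3047,8 @@` hunk reads as "no key" to anyone who does not know the libcryptsetup convention. The same applies to the `@@ -3108,8 +3101,8 @@` and `@@ -3141,8 +3134,8 @@` hunks. An argument comment at each site, such as `/* volume_key= */ NULL,`, would make clear that the key already held in `cd` is being reused. These calls then depend on `cd` being the same context that formatted the device, which appears to hold in the visible lines, but the function body continues outside these hunks.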