luks_device: add built-in signature wiper to work around older wipefs versions with LUKS2 containers #327
Hmm, for whatever reason, this doesn't seem to suffice :/
On my machine, wipefs wipes two 6-byte blocks, one at offset 0 and one at offset 16384. On the RHEL 7.9 VM, it only wipes a 6-byte block at offset 0. If I use

Preparation:

```
dd if=/dev/zero of=/tmp/t bs=1M count=32
losetup -f /tmp/t
DEVICE=$(losetup -j /tmp/t --output name | head -2 | tail -1)
```

Reproducer:

```
echo hunter1324 | /sbin/cryptsetup luksFormat --type luks2 --iter-time 100 --pbkdf argon2i --pbkdf-memory 1000 --pbkdf-parallel 1 --sector-size 1024 -q ${DEVICE}
/sbin/cryptsetup isLuks ${DEVICE} ; echo $? # expected and got: 0
/sbin/cryptsetup erase ${DEVICE} -q
wipefs -a ${DEVICE}
/sbin/cryptsetup isLuks ${DEVICE} ; echo $? # expected 1, but got 0!
dd if=/dev/zero of=${DEVICE} count=6 bs=1 seek=0
dd if=/dev/zero of=${DEVICE} count=6 bs=1 seek=16384
/sbin/cryptsetup isLuks ${DEVICE} ; echo $? # expected got
```

On my machine, the middle

Interestingly, the RHEL 7.9 tests with ansible-core 2.11 seem to work since the order in which the tests are run is different. I guess the different order is because in one case (2.11), the controller runs on RHEL 7.9 as well (with Python 2), while in the other case (devel), the controller runs in a docker container (with Python 3). If I try this directly on the RHEL 7.9 VM used by ansible-core 2.11, it shows the exact same behavior with the reproducer from above (i.e. wipefs doesn't properly work).

Another interesting thing: if I put another

Anyway, the result isn't that surprising; the LUKS header is version 2, and wipefs is part of util-linux, RHEL 7.9 has util-linux 2.23.2, and support for LUKS2 has only been added in util-linux 2.32, and a bug ("Check for a secondary LUKS2 header.") was fixed in util-linux 2.33. (If you wonder where 16384 = 0x4000 comes from: https://github.com/util-linux/util-linux/blob/master/libblkid/src/superblocks/luks.c#L36-L38)
(I find it somehow more worrying that
The easiest way to 'fix' this might be to simply implement a wiping scheme ourselves (https://gitlab.com/cryptsetup/LUKS2-docs/-/blob/master/luks2_doc_wip.pdf shows how this should work). Or to simply avoid LUKS2 tests on RHEL 7.9. Though that doesn't really fix that
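An added example, not code from this PR or from luks_device: a signature check and wiper for the two offsets named in the comments above (0 and 0x4000) that also goes beyond them to every secondary-header offset the LUKS2 format allows. The magic values, the offset list, the function names and the sample image are assumptions of this example.

```python
import os

# Magic values and offsets as defined by the LUKS on-disk formats (assumptions
# of this example; the page itself only names offsets 0 and 16384 = 0x4000).
LUKS_MAGIC = b"LUKS\xba\xbe"      # primary header, LUKS1 and LUKS2
LUKS2_MAGIC_2 = b"SKUL\xba\xbe"   # secondary LUKS2 header
# The secondary header follows the primary header area, whose size is a
# power of two between 16 KiB and 4 MiB.
SECONDARY_OFFSETS = [0x4000 << i for i in range(9)]  # 0x4000 .. 0x400000


def find_luks_signatures(path):
    """Return [(offset, magic)] for every LUKS signature present at path."""
    candidates = [(0, LUKS_MAGIC)] + [(o, LUKS2_MAGIC_2) for o in SECONDARY_OFFSETS]
    found = []
    with open(path, "rb") as f:
        for offset, magic in candidates:
            f.seek(offset)
            # A read past the end of a small device returns b"" and is skipped.
            if f.read(len(magic)) == magic:
                found.append((offset, magic))
    return found


def wipe_luks_signatures(path):
    """Zero every signature found and return the offsets that were wiped."""
    hits = find_luks_signatures(path)
    with open(path, "r+b") as f:
        for offset, magic in hits:
            f.seek(offset)
            f.write(b"\x00" * len(magic))
        f.flush()
        os.fsync(f.fileno())
    return [offset for offset, _ in hits]


def make_sample_image(path, size=1 << 20):
    """Constructed sample: sparse file carrying both signatures, no real header."""
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(0)
        f.write(LUKS_MAGIC)
        f.seek(0x4000)
        f.write(LUKS2_MAGIC_2)
```

Running `find_luks_signatures` again after a wipe tool has finished is a quick way to confirm that no secondary header was left behind.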
(We can potentially drop the
ready_for_review I'm wondering whether I should remove
LGTM, not sure I know enough about LUKS to make recommendations, but I would remove cryptsetup if it's redundant and inconsistent across platforms.
I've removed the
LGTM
Backport to stable-1: 💚 backport PR created ✅ Backport PR branch: Backported as #330 🤖 @patchback
@Ajpantuso thanks a lot for reviewing this!
… versions with LUKS2 containers (#327) (#330)

* Use 'cryptsetup erase' to kill LUKS signature.
* Adjust unit test.
* Use own wiper for LUKS headers.
* Add comments.
* Fix tests.
* Update changelog.
* Remove 'cryptsetup erase'.
* Improve error messages.

(cherry picked from commit ebbfd7c)

Co-authored-by: Felix Fontein <[email protected]>
SUMMARY
Fixes #326.
In the end I decided to keep wipefs, in case cryptsetup erase fails for some reason.
ISSUE TYPE
COMPONENT NAME
luks_device