Bug 1653383

Summary: cryptsetup is unable to handle LUKS2 devices with non-default metadata size
Product: Red Hat Enterprise Linux 8 Reporter: Ondrej Kozina <okozina>
Component: cryptsetupAssignee: Ondrej Kozina <okozina>
Status: CLOSED CURRENTRELEASE QA Contact: Release Test Team <release-test-team-automation>
Severity: high Docs Contact:
Priority: high    
Version: 8.0CC: agk, mbroz, okozina, pholica, pkotvan, prajnoha, rhandlin
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cryptsetup-2.0.6-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1653388 (view as bug list) Environment:
Last Closed: 2019-06-14 01:46:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1653388    
Attachments:
Description Flags
Archive containing all LUKS2 metadata variants none

Description Ondrej Kozina 2018-11-26 17:02:23 UTC 
LUKS2 specification [1] defines limited set of valid LUKS2 metadata sizes (see chapter 2.1 and 2.2 of the specification). Currently cryptsetup creates only 16 KiB variant of LUKS2 metadata (4KiB binary header + 12KiB json area). This applies also to LUKS2 containers created via up-conversion from LUKS1 format.

Unfortunately current cryptsetup (any upstream version < cryptsetup-2.0.6) rejects any non-default LUKS2 metadata size (32KiB and larger) as invalid LUKS2 format. This is bug in internal validation code but format (metadata itself) is not affected in any way.

Even though current cryptsetup in RHEL8 does not support creating LUKS2 containers with non-default metadata size, it must be able to parse, validate, load and modify any LUKS2 metadata size specified in LUKS2 format documentation [1].

[1] https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/on-disk-format-luks2.pdf
Comment 1 Ondrej Kozina 2018-11-26 17:03:39 UTC 
Fixed upstream by:

https://gitlab.com/cryptsetup/cryptsetup/commit/7713df9e411fc2572cded9053886bbfe9712c784
Comment 3 Ondrej Kozina 2018-11-29 09:23:41 UTC 
Created attachment 1509759 [details]
Archive containing all LUKS2 metadata variants

All images have single active keyslot 0 that can be unlocked with passphrase: Qx3qn46vq0v
Comment 4 Ondrej Kozina 2018-11-29 09:27:17 UTC 
To verify this bug, fixed cryptsetup must unlock all metadata variants (and also be able to perform any metadata modifying operation). Current cryptsetup-2.0.4-2.el8 can unlock/handle only test_image_16 (16KiB LUKS2 metadata).
Comment 7 Peter Kotvan 2019-02-05 11:43:10 UTC 
Hi Ondrej,

there is no reproducer to verify this bug. Are you able to verify it yourself or provide a reproducer?
Comment 8 Ondrej Kozina 2019-02-05 12:21:39 UTC 
I don't have better reproducer than one desribed in comment #3 (test images) and comment #4. To test unlock capability just run cryptsetup open command, to test write capability you may try to add new keyslot (cryptsetup luksAddKey). To test it on real drive just dd the test image in head of your test block device.
Comment 9 Peter Kotvan 2019-02-06 08:56:10 UTC 
Thanks Ondrej,

I was able to reproduce this issue on RHEL-8.0-20181120.0 and verify the fix on RHEL-8.0.0-20190129.1. Moving to verified.