diff options
author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2022-10-13 14:36:06 +0200 |
---|---|---|
committer | Daan De Meyer <daan.j.demeyer@gmail.com> | 2022-11-15 20:07:54 +0100 |
commit | 98e0456ec04c2b210291f41f6d8f8527263e0c67 (patch) | |
tree | 054ec2b5c865a6340ea5a29dc90804e1dc5314e4 | |
parent | bf3598befff0137592834465ef728fdaabf1e778 (diff) | |
download | systemd-98e0456ec04c2b210291f41f6d8f8527263e0c67.tar.gz |
repart: Let libcryptsetup calculate the volume key
We also bump the volume key size to 512 bits.
-rw-r--r-- | src/partition/repart.c | 29 |
1 files changed, 11 insertions, 18 deletions
diff --git a/src/partition/repart.c b/src/partition/repart.c index d042043576..edc085dc15 100644 --- a/src/partition/repart.c +++ b/src/partition/repart.c @@ -90,6 +90,9 @@ /* LUKS2 takes off 16M of the partition size with its metadata by default */ #define LUKS2_METADATA_SIZE (16ULL*1024ULL*1024ULL) +/* LUKS2 volume key size. */ +#define VOLUME_KEY_SIZE (512ULL/8ULL) + /* Note: When growing and placing new partitions we always align to 4K sector size. It's how newer hard disks * are designed, and if everything is aligned to that performance is best. And for older hard disks with 512B * sector size devices were generally assumed to have an even number of sectors, hence at the worst we'll @@ -2991,9 +2994,7 @@ static int partition_encrypt( int *ret_fd) { #if HAVE_LIBCRYPTSETUP _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL; - _cleanup_(erase_and_freep) void *volume_key = NULL; _cleanup_free_ char *dm_name = NULL, *vol = NULL; - size_t volume_key_size = 256 / 8; sd_id128_t uuid; int r; @@ -3022,14 +3023,6 @@ static int partition_encrypt( log_info("Encrypting future partition %" PRIu64 "...", p->partno); - volume_key = malloc(volume_key_size); - if (!volume_key) - return log_oom(); - - r = crypto_random_bytes(volume_key, volume_key_size); - if (r < 0) - return log_error_errno(r, "Failed to generate volume key: %m"); - r = sym_crypt_init(&cd, node); if (r < 0) return log_error_errno(r, "Failed to allocate libcryptsetup context: %m"); @@ -3041,8 +3034,8 @@ static int partition_encrypt( "aes", "xts-plain64", SD_ID128_TO_UUID_STRING(uuid), - volume_key, - volume_key_size, + NULL, + VOLUME_KEY_SIZE, &(struct crypt_params_luks2) { .label = strempty(p->new_label), .sector_size = context->sector_size, @@ -3054,8 +3047,8 @@ static int partition_encrypt( r = sym_crypt_keyslot_add_by_volume_key( cd, CRYPT_ANY_SLOT, - volume_key, - volume_key_size, + NULL, + VOLUME_KEY_SIZE, strempty(arg_key), arg_key_size); if (r < 0) @@ -3108,8 +3101,8 @@ static int partition_encrypt( keyslot = sym_crypt_keyslot_add_by_volume_key( cd, CRYPT_ANY_SLOT, - volume_key, - volume_key_size, + NULL, + VOLUME_KEY_SIZE, base64_encoded, strlen(base64_encoded)); if (keyslot < 0) @@ -3141,8 +3134,8 @@ static int partition_encrypt( r = sym_crypt_activate_by_volume_key( cd, dm_name, - volume_key, - volume_key_size, + NULL, + VOLUME_KEY_SIZE, arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0); if (r < 0) return log_error_errno(r, "Failed to activate LUKS superblock: %m"); |