cryptsetup2 toolstack version bump

cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release
LUKS2 volumes. This is a critical feature for the Qubes OS 4.2 release.

cryptsetup 2.6.1 requires lvm2 2.03.23, which is also included in this PR.
lvm2 in turn requires libaio, which is also included in this PR.
util-linux 2.39 is also included in this PR and a dependency of lvm2.
patches for reproducible builds are included for all packages.
luks-functions is updated to support the new cryptsetup2 version calls
 reencryption happen in direct-io, offline mode and without locking.
  from tests, this is best for performance and reliability in single-user mode

TODO:
- async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
  - this could be subject to future work
- time to deprecated legacy boards the do not enough space for the new space requirements
  - x230-legacy, x230-legacy-flash, x230-hotp-legacy
  - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated

Signed-off-by: Thierry Laurion <[email protected]>

Author: tlaurion

initrd/etc/luks-functions

@@ -272,19 +272,17 @@ select_luks_container()
 		DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
 		DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)"
 		LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt)
-	else
+	# LUKS variable not exported yet, prompt for LUKS device
+	elif [ -z $LUKS ]; then
 		list_luks_devices > /tmp/luks_devices.txt
 		#if /tmp/luks_devices.txt exists and is not empty
 		if [ -s /tmp/luks_devices.txt ]; then
 			file_selector "/tmp/luks_devices.txt" "Select LUKS container device"
 			if [ "$FILE" == "" ]; then
 				return 1
 			else
+				#TODO: What about BRTFS multi LUKS setup of QubesOS?
 				LUKS=$FILE
-				detect_boot_device
-				mount -o remount,rw /boot
-				echo "$LUKS $(cryptsetup luksUUID $LUKS)" >/boot/kexec_key_devices.txt
-				mount -o remount,ro /boot
 			fi
 		else
 			warn "No encrypted device found"
@@ -303,17 +301,18 @@ test_luks_current_disk_recovery_key_passphrase()
 			echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
 			read -r luks_current_Disk_Recovery_Key_passphrase
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
-			cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		else
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
-			cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		fi
-		#Validate past cryptsetup-reencrypt attempts
-		if [ $? -eq 0 ]; then
+
+		#output test coming and do cryptsetup open call
+		echo -e "\nTesting opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
+		cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
+
+		#Validate past cryptsetup reencrypt attempts
+		if [ $? -ne 0 ]; then
 			whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
-				"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
+				"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
 			shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
 			#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
 			unset luks_current_Disk_Recovery_Key_passphrase
@@ -323,13 +322,21 @@ test_luks_current_disk_recovery_key_passphrase()
 			mount -o remount,rw /boot
 			rm -f /boot/kexec_key_devices.txt
 			mount -o remount,ro /boot
+			unset LUKS
 		else
 			#LuksOpen test was successful. Cleanup should be called only when done
 			#Exporting successfully used passphrase possibly reused by oem-factory-reset
-
+			echo "Success."
+			
 			#We close the volume
 			cryptsetup close test
 			export luks_current_Disk_Recovery_Key_passphrase
+			
+			#We export the LUKS volume the was tested valid with passphrase test
+			export LUKS
+			#TODO what about non-standard BRTFS multi LUKS containers?
+
+			#exit while loop
 			break;
 		fi
 	done
@@ -339,10 +346,6 @@ luks_reencrypt() {
 	TRACE_FUNC
 	while :; do
 		select_luks_container || return 1
-                #If the user just set a new LUKS Disk Recovery Key passphrase
-                if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
-                        luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase"
-                fi
 		if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
 			#if no external provisioning provides current LUKS Disk Recovery Key passphrase
 			msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
@@ -351,17 +354,20 @@ luks_reencrypt() {
 			echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:"
 			read -r luks_current_Disk_Recovery_Key_passphrase
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
-			cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		else
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
-			cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
 		fi
-		#Validate past cryptsetup-reencrypt attempts
-		if [ $(echo $?) -ne 0 ]; then
+
+		#Warn and launch actual reencryption
+		echo -e "\nReencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
+		warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS"
+		cryptsetup reencrypt --resilience=none --force-offline-reencrypt --disable-locks \
+			"$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
+
+		#Validate past cryptsetup reencrypt attempts
+		if [ $? -ne 0 ]; then
 			whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
-				"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
+				"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
 			shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
 			#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
 			unset luks_current_Disk_Recovery_Key_passphrase
@@ -371,11 +377,15 @@ luks_reencrypt() {
 			mount -o remount,rw /boot
 			rm -f /boot/kexec_key_devices.txt
 			mount -o remount,ro /boot
+			unset LUKS
 		else
 			#Reencryption was successful. Cleanup should be called only when done
 			#Exporting successfully used passphrase possibly reused by oem-factory-reset
 			export luks_current_Disk_Recovery_Key_passphrase
-		break;
+			export LUKS
+
+			# we break loop since success
+			break;
 		fi
 	done
 }
@@ -388,7 +398,7 @@ luks_change_passphrase()
 		#if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file
 		if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
 			whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
-				"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
+				"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80
 			if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
 				echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
 				while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
@@ -404,21 +414,21 @@ luks_change_passphrase()
 			export luks_new_Disk_Recovery_Key_passphrase
 			echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
-			cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
 		else
 			#If current and new LUKS Disk Recovery Key were exported
 			echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
 			echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
-			warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
-			cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
 		fi
 
+		#output and do cryptsetup luksChangeKey op
+		echo -e "\nChanging "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
+		cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
+
 		#Validate past cryptsetup attempts
-		if [ $(echo $?) -ne 0 ]; then
+		if [ $? -ne 0 ]; then
 			#Cryptsetup luksChangeKey was unsuccessful
 			whiptail --title 'Invalid LUKS passphrase?' --msgbox \
-				"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 30 60
+				"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 0 80
 			unset luks_current_Disk_Recovery_Key_passphrase
 			unset luks_new_Disk_Recovery_Key_passphrase
 			#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
@@ -429,10 +439,20 @@ luks_change_passphrase()
 			mount -o remount,ro /boot
 		else
 			#Cryptsetup was successful.
+			echo "Success."
+
 			#Cleanup should be called seperately.
 			#Exporting successfully used passphrase possibly reused by oem-factory-reset
+			luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase
+			export luks_current_Disk_Recovery_Key_passphrase
 			export luks_new_Disk_Recovery_Key_passphrase
-	break;		
+			
+			#Export chosen LUKS volume
+			export LUKS
+			
+			#break loop
+			#TODO: What about QubesSOS multi LUKS BRTFS deployment?			
+			break;		
 		fi
 	done
 }
@@ -442,6 +462,9 @@ luks_secrets_cleanup()
 	#Cleanup
 	shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true
 	shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true
+
+	#Unset variables if launched in same boot
 	unset luks_current_Disk_Recovery_Key_passphrase
 	unset luks_new_Disk_Recovery_Key_passphrase
+	unset LUKS
 }

modules/cryptsetup2

@@ -2,11 +2,11 @@ modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2
 
 cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep)
 
-cryptsetup2_version := 2.3.3
+cryptsetup2_version := 2.6.1
 cryptsetup2_dir := cryptsetup-$(cryptsetup2_version)
 cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz
-cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-$(cryptsetup2_version).tar.xz
-cryptsetup2_hash := 3bca4ffe39e2f94cef50f6ea65acb873a6dbce5db34fc6bcefe38b6d095e82df
+cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz
+cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693
 
 # Use an empty prefix so that the executables will not include the
 # build path.
@@ -16,9 +16,15 @@ cryptsetup2_configure := \
 	./configure \
 	--host $(MUSL_ARCH)-elf-linux \
 	--prefix "/" \
+	--enable-internal-sse-argon2 \
 	--disable-rpath \
 	--disable-gcrypt-pbkdf2 \
-	--enable-cryptsetup-reencrypt \
+	--disable-ssh-token \
+	--disable-asciidoc \
+	--disable-nls \
+	--disable-selinux \
+	--disable-udev \
+	--disable-external-tokens \
 	--with-crypto_backend=kernel \
 	--with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d
 
@@ -33,7 +39,6 @@ cryptsetup2_target := \
 
 cryptsetup2_output := \
 	.libs/cryptsetup \
-	.libs/cryptsetup-reencrypt \
 	.libs/veritysetup \
 
 cryptsetup2_libraries := \

modules/libaio

@@ -0,0 +1,19 @@
+modules-$(CONFIG_LVM2) += libaio
+
+libaio_version := 0.3.113
+libaio_dir := libaio-$(libaio_version)
+libaio_tar := libaio_$(libaio_version).orig.tar.gz
+libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar)
+libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b
+
+libaio_target := \
+	DESTDIR="$(INSTALL)" \
+	prefix="/" \
+	$(CROSS_TOOLS) \
+	install \
+	&& mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \
+
+libaio_libraries:= src/libaio.so.1
+
+libaio_depends := $(musl_dep)
+

modules/lvm2

@@ -1,34 +1,36 @@
 modules-$(CONFIG_LVM2) += lvm2
 
-lvm2_version := 2.02.168
+lvm2_version := 2.03.23
 lvm2_dir := lvm2.$(lvm2_version)
 lvm2_tar := LVM2.$(lvm2_version).tgz
 lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar)
-lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d
+lvm2_hash := 74e794a9e9dee1bcf8a2065f65b9196c44fdf321e22d63b98ed7de8c9aa17a5d
 
 # cross compiling test assumes malloc/realloc aren't glibc compat
 # so we force it via the configure cache.
 lvm2_configure := \
 	$(CROSS_TOOLS) \
-	CFLAGS="-Os"  \
-	PKG_CONFIG=/bin/false \
-	MODPROBE_CMD=/bin/false \
 	ac_cv_func_malloc_0_nonnull=yes \
 	ac_cv_func_realloc_0_nonnull=yes \
 	./configure \
 	--host $(MUSL_ARCH)-elf-linux \
-	--prefix "/" \
+	--prefix "" \
+	--libexecdir "/bin" \
+	--with-optimisation=-Os \
 	--enable-devmapper \
 	--disable-selinux \
-	--disable-udev-systemd-background-jobs \
+	--without-systemd \
+	--disable-lvmimportvdo \
 	--disable-realtime \
+	--disable-dmfilemapd \
 	--disable-dmeventd \
-	--disable-lvmetad \
 	--disable-lvmpolld \
+	--disable-readline \
+	--disable-udev_sync \
+	--enable-static_link \
 	--disable-use-lvmlockd \
-	--disable-use-lvmetad \
 	--disable-use-lvmpolld \
-	--disable-blkid_wiping \
+	--disable-dmfilemapd \
 	--disable-cmirrord \
 	--disable-cache_check_needs_check \
 	--disable-thin_check_needs_check \
@@ -49,10 +51,10 @@ lvm2_target := \
 	DESTDIR="$(INSTALL)" \
 	install_device-mapper \
 
-lvm2_libraries := libdm/libdevmapper.so.1.02
+lvm2_libraries := libdm/ioctl/libdevmapper.so.1.02
 
 lvm2_output := \
-	tools/dmsetup \
+	./libdm/dm-tools/dmsetup \
 	tools/lvm \
 
-lvm2_depends := util-linux $(musl_dep)
+lvm2_depends := util-linux libaio $(musl_dep)

modules/util-linux

@@ -1,10 +1,10 @@
 modules-$(CONFIG_UTIL_LINUX) += util-linux
 
-util-linux_version := 2.29.2
+util-linux_version := 2.39
 util-linux_dir := util-linux-$(util-linux_version)
 util-linux_tar := util-linux-$(util-linux_version).tar.xz
-util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.29/$(util-linux_tar)
-util-linux_hash := accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe8e3
+util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar)
+util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb
 
 util-linux_configure := \
 	$(CROSS_TOOLS) \