Patchwork [meta-oe,V2] cryptsetup: Update to latest version and use openssl as crypto backend

Submitter Stefan Herbrechtsmeier
Date April 9, 2013, 9:11 p.m.
Message ID <1365541861-10672-1-git-send-email-stefan@herbrechtsmeier.net>
Permalink /patch/47801/
State Accepted, archived

Comments

Stefan Herbrechtsmeier - April 9, 2013, 9:11 p.m.
Cryptsetup with the command luksOpen failed with the error message:
device-mapper: status ioctl failed: Permission denied

The error comes from libgcrypt which drops root privileges if it is
linked with libcap support [1]. Update cryptsetup to latest version,
add PACKAGECONFIG for crypto backend selection (openssl / gcrypt)
and change the default crypto backend to openssl as libgcrypt states
the drop root privileges behaviour as a feature [2].

The license was updated to GPLv2 with OpenSSL exception.

Update the RRECOMMENDS to be consistent with the package names.

[1] http://code.google.com/p/cryptsetup/issues/detail?id=47
[2] https://bugs.g10code.com/gnupg/issue1181

Signed-off-by: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
---
 .../{cryptsetup_1.1.3.bb => cryptsetup_1.6.1.bb}   |   37 +++++++++++++-------
 1 file changed, 25 insertions(+), 12 deletions(-)
 rename meta-oe/recipes-support/cryptsetup/{cryptsetup_1.1.3.bb => cryptsetup_1.6.1.bb} (21%)

Martin Jansa - April 11, 2013, 2:16 p.m.
On Tue, Apr 09, 2013 at 11:11:01PM +0200, Stefan Herbrechtsmeier wrote:
> Cryptsetup with the command luksOpen failed with the error message:
> device-mapper: status ioctl failed: Permission denied
> 
> The error comes from libgcrypt which drops root privileges if it is
> linked with libcap support [1]. Update cryptsetup to latest version,
> add PACKAGECONFIG for crypto backend selection (openssl / gcrypt)
> and change the default crypto backend to openssl as libgcrypt states
> the drop root privileges behaviour as a feature [2].
> 
> The license was updated to GPLv2 with OpenSSL exception.
> 
> Update the RRECOMMENDS to be consistent with the package names.

Looks good to me, will apply it later this week if nobody objects.
 
> [1] http://code.google.com/p/cryptsetup/issues/detail?id=47
> [2] https://bugs.g10code.com/gnupg/issue1181
> 
> Signed-off-by: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
> ---
>  .../{cryptsetup_1.1.3.bb => cryptsetup_1.6.1.bb}   |   37 +++++++++++++-------
>  1 file changed, 25 insertions(+), 12 deletions(-)
>  rename meta-oe/recipes-support/cryptsetup/{cryptsetup_1.1.3.bb => cryptsetup_1.6.1.bb} (21%)
> 
> diff --git a/meta-oe/recipes-support/cryptsetup/cryptsetup_1.1.3.bb b/meta-oe/recipes-support/cryptsetup/cryptsetup_1.6.1.bb
> similarity index 21%
> rename from meta-oe/recipes-support/cryptsetup/cryptsetup_1.1.3.bb
> rename to meta-oe/recipes-support/cryptsetup/cryptsetup_1.6.1.bb
> index 254f563..438d394 100644
> --- a/meta-oe/recipes-support/cryptsetup/cryptsetup_1.1.3.bb
> +++ b/meta-oe/recipes-support/cryptsetup/cryptsetup_1.6.1.bb
> @@ -1,18 +1,31 @@
> -DESCRIPTION = "Setup virtual encryption devices under dm-crypt Linux"
> +SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
> +DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
> +device-mapper mappings. These include plain dm-crypt volumes and \
> +LUKS volumes. The difference is that LUKS uses a metadata header \
> +and can hence offer more features than plain dm-crypt. On the other \
> +hand, the header is visible and vulnerable to damage."
>  HOMEPAGE = "http://code.google.com/p/cryptsetup/"
>  SECTION = "console"
> -LICENSE = "GPLv2"
> -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
> +LICENSE = "GPL-2.0-with-OpenSSL-exception"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
> +
> +DEPENDS = "util-linux lvm2 popt"
>  
> -DEPENDS = "util-linux lvm2 libgcrypt popt"
> -RRECOMMENDS_${PN} = "kernel-module-aes \
> -                     kernel-module-dm-crypt \
> -                     kernel-module-md5 \
> -                     kernel-module-cbc \
> -                     kernel-module-sha256 \
> -                    "
>  SRC_URI = "http://cryptsetup.googlecode.com/files/cryptsetup-${PV}.tar.bz2"
> -SRC_URI[md5sum] = "318a64470861ea5b92a52f2014f1e7c1"
> -SRC_URI[sha256sum] = "9c8e68a272f6d9cfb6cd65cc0743f4c44a2096c61f74e0602bf40208b5e69c0a"
> +SRC_URI[md5sum] = "f374d11e3b0e7ca0f805756fd02e34ff"
> +SRC_URI[sha256sum] = "baf36e663c03eb6440482d91c486d61ed47ce5c9268ad04c18ca09082755149c"
>  
>  inherit autotools gettext
> +
> +# Use openssl because libgcrypt drops root privileges
> +# if libgcrypt is linked with libcap support
> +PACKAGECONFIG ??= "openssl"
> +PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
> +PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
> +
> +RRECOMMENDS_${PN} = "kernel-module-aes-generic \
> +                     kernel-module-dm-crypt \
> +                     kernel-module-md5 \
> +                     kernel-module-cbc \
> +                     kernel-module-sha256-generic \
> +                     "
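
Review bot: in the PACKAGECONFIG block near the end of the hunk, both entries leave the disable field empty and libgcrypt is removed from DEPENDS, so a configuration that clears PACKAGECONFIG passes no --with-crypto_backend and declares no crypto library dependency at all, leaving configure to its built-in default. Selecting both options at once passes two conflicting --with-crypto_backend values. Suggest extending the comment above `PACKAGECONFIG ??= "openssl"` to say that exactly one backend must be selected, or failing early when PACKAGECONFIG contains neither or both.
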
> -- 
> 1.7.9.5
> 
> 

Patch

diff --git a/meta-oe/recipes-support/cryptsetup/cryptsetup_1.1.3.bb b/meta-oe/recipes-support/cryptsetup/cryptsetup_1.6.1.bb
similarity index 21%
rename from meta-oe/recipes-support/cryptsetup/cryptsetup_1.1.3.bb
rename to meta-oe/recipes-support/cryptsetup/cryptsetup_1.6.1.bb
index 254f563..438d394 100644
--- a/meta-oe/recipes-support/cryptsetup/cryptsetup_1.1.3.bb
+++ b/meta-oe/recipes-support/cryptsetup/cryptsetup_1.6.1.bb
@@ -1,18 +1,31 @@ 
-DESCRIPTION = "Setup virtual encryption devices under dm-crypt Linux"
+SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
+DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
+device-mapper mappings. These include plain dm-crypt volumes and \
+LUKS volumes. The difference is that LUKS uses a metadata header \
+and can hence offer more features than plain dm-crypt. On the other \
+hand, the header is visible and vulnerable to damage."
 HOMEPAGE = "http://code.google.com/p/cryptsetup/"
 SECTION = "console"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"
+
+DEPENDS = "util-linux lvm2 popt"
 
-DEPENDS = "util-linux lvm2 libgcrypt popt"
-RRECOMMENDS_${PN} = "kernel-module-aes \
-                     kernel-module-dm-crypt \
-                     kernel-module-md5 \
-                     kernel-module-cbc \
-                     kernel-module-sha256 \
-                    "
 SRC_URI = "http://cryptsetup.googlecode.com/files/cryptsetup-${PV}.tar.bz2"
-SRC_URI[md5sum] = "318a64470861ea5b92a52f2014f1e7c1"
-SRC_URI[sha256sum] = "9c8e68a272f6d9cfb6cd65cc0743f4c44a2096c61f74e0602bf40208b5e69c0a"
+SRC_URI[md5sum] = "f374d11e3b0e7ca0f805756fd02e34ff"
+SRC_URI[sha256sum] = "baf36e663c03eb6440482d91c486d61ed47ce5c9268ad04c18ca09082755149c"
 
 inherit autotools gettext
+
+# Use openssl because libgcrypt drops root privileges
+# if libgcrypt is linked with libcap support
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
+
+RRECOMMENDS_${PN} = "kernel-module-aes-generic \
+                     kernel-module-dm-crypt \
+                     kernel-module-md5 \
+                     kernel-module-cbc \
+                     kernel-module-sha256-generic \
+                     "
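
Review bot: the RRECOMMENDS_${PN} list at the end of the hunk renames the aes and sha256 entries to their -generic package names but carries kernel-module-md5 and kernel-module-cbc over unchanged across the 1.1.3 to 1.6.1 update. Worth confirming that the list still matches the cipher, mode and hash the new version uses by default, and stating in the commit message which kernel the -generic names were checked against. These are recommendations only, so a name that no longer matches a kernel module package will not fail the build.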