libdevmapper: Support dm-crypt integrity_key_size option

This patch implement support for setting specific integrity key size
option in dm-crypt, available since dm-crypt version 1.28.0.

This can be used for setting non-standard HMAC key length.

Mostly based on code from Ingo Franzki <[email protected]>

lib/bitlk/bitlk.c

@@ -1365,7 +1365,7 @@ static int _activate(struct crypt_device *cd,
 						crypt_get_cipher_spec(cd),
 						segments[i].iv_offset,
 						segments[i].iv_offset,
-						NULL, 0,
+						NULL, 0, 0,
 						params->sector_size);
 		if (r)
 			goto out;

lib/fvault2/fvault2.c

@@ -835,8 +835,7 @@ static int _activate(
 	r = dm_crypt_target_set(&dm_dev.segment, 0, dm_dev.size,
 		crypt_data_device(cd), vol_key, cipher,
 		crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
-		crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd),
-		crypt_get_sector_size(cd));
+		NULL, 0, 0, crypt_get_sector_size(cd));
 
 	if (!r)
 		r = dm_create_device(cd, name, CRYPT_FVAULT2, &dm_dev);

lib/libdevmapper.c

@@ -160,6 +160,9 @@ static void _dm_set_crypt_compat(struct crypt_device *cd,
 	if (_dm_satisfies_version(1, 26, 0, crypt_maj, crypt_min, crypt_patch))
 		_dm_flags |= DM_CRYPT_HIGH_PRIORITY_SUPPORTED;
 
+	if (_dm_satisfies_version(1, 28, 0, crypt_maj, crypt_min, crypt_patch))
+		_dm_flags |= DM_CRYPT_INTEGRITY_KEY_SIZE_OPT_SUPPORTED;
+
 	_dm_crypt_checked = true;
 }
 
@@ -3142,7 +3145,8 @@ int dm_is_dm_kernel_name(const char *name)
 
 int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct volume_key *vk, const char *cipher,
-	uint64_t iv_offset, uint64_t data_offset, const char *integrity, uint32_t tag_size,
+	uint64_t iv_offset, uint64_t data_offset,
+	const char *integrity, uint32_t integrity_key_size, uint32_t tag_size,
 	uint32_t sector_size)
 {
 	char *dm_integrity = NULL;

lib/loopaes/loopaes.c

@@ -213,9 +213,8 @@ int LOOPAES_activate(struct crypt_device *cd,
 		return -ENOMEM;
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
-			vk, cipher, crypt_get_iv_offset(cd),
-			crypt_get_data_offset(cd), crypt_get_integrity(cd),
-			crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd));
+			vk, cipher, crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
+			NULL, 0, 0, crypt_get_sector_size(cd));
 
 	if (r) {
 		free(cipher);

lib/luks1/keyencryption.c

@@ -88,7 +88,7 @@ static int LUKS_endec_template(char *src, size_t srcLength,
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size,
 			crypt_metadata_device(ctx), vk, cipher_spec, 0, sector,
-			NULL, 0, SECTOR_SIZE);
+			NULL, 0, 0, SECTOR_SIZE);
 	if (r)
 		goto out;
 

lib/luks1/keymanage.c

@@ -1204,8 +1204,7 @@ int LUKS1_activate(struct crypt_device *cd,
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
 			vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
-			crypt_get_data_offset(cd), crypt_get_integrity(cd),
-			crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd));
+			crypt_get_data_offset(cd), NULL, 0, 0, crypt_get_sector_size(cd));
 	if (!r)
 		r = create_or_reload_device(cd, name, CRYPT_LUKS1, &dmd);
 

lib/luks2/luks2_json_metadata.c

@@ -2519,7 +2519,7 @@ int LUKS2_assembly_multisegment_dmd(struct crypt_device *cd,
 					crypt_data_device(cd), vk,
 					json_segment_get_cipher(jobj),
 					json_segment_get_iv_offset(jobj),
-					segment_offset, "none", 0,
+					segment_offset, "none", 0, 0,
 					json_segment_get_sector_size(jobj));
 			if (r) {
 				log_err(cd, _("Failed to set dm-crypt segment."));
@@ -2715,7 +2715,7 @@ int LUKS2_activate(struct crypt_device *cd,
 					crypt_key, crypt_get_cipher_spec(cd),
 					crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
 					crypt_get_integrity(cd) ?: "none",
-					crypt_get_integrity_tag_size(cd),
+					0 /* FIXME */, crypt_get_integrity_tag_size(cd),
 					crypt_get_sector_size(cd));
 	} else
 		r = dm_linear_target_set(&dmd.segment, 0,

lib/luks2/luks2_reencrypt.c

@@ -2114,8 +2114,7 @@ static int reencrypt_make_targets(struct crypt_device *cd,
 						json_segment_get_cipher(jobj),
 						json_segment_get_iv_offset(jobj),
 						segment_offset,
-						"none",
-						0,
+						"none", 0, 0,
 						json_segment_get_sector_size(jobj));
 			if (r) {
 				log_err(cd, _("Failed to set dm-crypt segment."));

lib/setup.c

@@ -609,8 +609,7 @@ int PLAIN_activate(struct crypt_device *cd,
 
 	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, crypt_data_device(cd),
 			vk, crypt_get_cipher_spec(cd), crypt_get_iv_offset(cd),
-			crypt_get_data_offset(cd), crypt_get_integrity(cd),
-			crypt_get_integrity_tag_size(cd), crypt_get_sector_size(cd));
+			crypt_get_data_offset(cd), NULL, 0, 0, crypt_get_sector_size(cd));
 	if (r < 0)
 		return r;
 
@@ -3701,7 +3700,7 @@ int crypt_resize(struct crypt_device *cd, const char *name, uint64_t new_size)
 		r = dm_crypt_target_set(&dmd.segment, 0, new_size, crypt_data_device(cd),
 				tgt->u.crypt.vk, crypt_get_cipher_spec(cd),
 				crypt_get_iv_offset(cd), crypt_get_data_offset(cd),
-				crypt_get_integrity(cd), crypt_get_integrity_tag_size(cd),
+				crypt_get_integrity(cd), 0 /* FIXME */, crypt_get_integrity_tag_size(cd),
 				crypt_get_sector_size(cd));
 		if (r < 0)
 			goto out;

lib/tcrypt/tcrypt.c

@@ -887,10 +887,7 @@ int TCRYPT_activate(struct crypt_device *cd,
 		}
 
 		r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, ptr_dev, vk,
-				cipher_spec, iv_offset, offset,
-				crypt_get_integrity(cd),
-				crypt_get_integrity_tag_size(cd),
-				crypt_get_sector_size(cd));
+				cipher_spec, iv_offset, offset, NULL, 0, 0, crypt_get_sector_size(cd));
 		if (r)
 			break;
 

lib/utils_dm.h

@@ -64,6 +64,7 @@ static inline uint32_t act2dmflags(uint32_t act_flags)
 #define DM_INTEGRITY_RESET_RECALC_SUPPORTED (1 << 27) /* dm-integrity automatic recalculation supported */
 #define DM_VERITY_TASKLETS_SUPPORTED (1 << 28) /* dm-verity tasklets supported */
 #define DM_CRYPT_HIGH_PRIORITY_SUPPORTED (1 << 29) /* dm-crypt high priority workqueue flag supported  */
+#define DM_CRYPT_INTEGRITY_KEY_SIZE_OPT_SUPPORTED (1 << 30) /* dm-crypt support for integrity_key_size option */
 
 typedef enum { DM_CRYPT = 0, DM_VERITY, DM_INTEGRITY, DM_LINEAR, DM_ERROR, DM_ZERO, DM_UNKNOWN } dm_target_type;
 enum tdirection { TARGET_EMPTY = 0, TARGET_SET, TARGET_QUERY };
@@ -109,6 +110,7 @@ struct dm_target {
 		uint64_t iv_offset;	/* IV initialisation sector */
 		uint32_t tag_size;	/* additional on-disk tag size */
 		uint32_t sector_size;	/* encryption sector size */
+		uint32_t integrity_key_size; /* for wrapped key HMAC */
 	} crypt;
 	struct {
 		struct device *hash_device;
@@ -183,8 +185,9 @@ void dm_targets_free(struct crypt_device *cd, struct crypt_dm_active_device *dmd
 
 int dm_crypt_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct volume_key *vk, const char *cipher,
-	uint64_t iv_offset, uint64_t data_offset, const char *integrity,
-	uint32_t tag_size, uint32_t sector_size);
+	uint64_t iv_offset, uint64_t data_offset,
+	const char *integrity, uint32_t integrity_key_size, uint32_t tag_size,
+	uint32_t sector_size);
 int dm_verity_target_set(struct dm_target *tgt, uint64_t seg_offset, uint64_t seg_size,
 	struct device *data_device, struct device *hash_device, struct device *fec_device,
 	const char *root_hash, uint32_t root_hash_size, const char* root_hash_sig_key_desc,

lib/utils_storage_wrappers.c

@@ -106,15 +106,8 @@ static int crypt_storage_dmcrypt_init(
 	if (vk->key_description)
 		dmd.flags |= CRYPT_ACTIVATE_KEYRING_KEY;
 
-	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size,
-			    device,
-			    vk,
-			    cipher_spec,
-			    iv_start,
-			    device_offset,
-			    NULL,
-			    0,
-			    sector_size);
+	r = dm_crypt_target_set(&dmd.segment, 0, dmd.size, device, vk, cipher_spec, iv_start,
+				device_offset, NULL, 0, 0, sector_size);
 	if (r)
 		return r;