From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
From: Renaud Metrich <rmetrich@redhat.com>
Date: Fri, 7 Jan 2022 12:13:03 -0300
Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
This fixes an Out of memory error when the system has little memory,
such as a VM configured with 2GB currently being installed through the
network (hence having ~1GB free memory only).
See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
---
src/luks/clevis-luks-bind.in | 7 +++++--
src/luks/clevis-luks-common-functions | 7 ++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
index 4748c08..017f762 100755
--- a/src/luks/clevis-luks-bind.in
+++ b/src/luks/clevis-luks-bind.in
@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
exit 1
fi
+pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ "$luks_type" == "luks1" ]; then
+ pbkdf_args=
# In certain circumstances, we may have LUKSMeta slots "not in sync" with
# cryptsetup, which means we will try to save LUKSMeta metadata over an
# already used or partially used slot -- github issue #70.
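Review bot: The added `pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"` replaces LUKS2's benchmarked, memory-hard default KDF with a fixed count that is, as far as I can tell, the floor cryptsetup still accepts for PBKDF2, so the keyslot created here is only as strong as the entropy of the secret written into it. That is defensible only because the slot stores the clevis-generated `${key}` that this file later pipes into luksAddKey, never a passphrase a person chose, and nothing in the hunk records that invariant. Suggest a comment above the assignment: `# A low, fixed PBKDF2 cost is acceptable only because this slot holds a high-entropy generated key, never a user passphrase; it avoids the memory-hard KDF cost that OOMs small VMs (RHBZ #1979256).` The same literal is repeated in clevis_luks_add_key and clevis_luks_update_key in clevis-luks-common-functions; defining it once there and reusing it here would keep the three copies from drifting.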
@@ -184,7 +186,7 @@ fi
# Add the new key.
if [ -n "$SLT" ]; then
- cryptsetup luksAddKey --key-slot "$SLT" --key-file \
+ cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
<(echo -n "$existing_key") "$DEV"
else
if [ $luks_type == "luks2" ]; then
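Review bot: `${pbkdf_args}` on the new luksAddKey line is deliberately left unquoted so the shell splits it into four arguments, which works for this literal but reads like a quoting mistake and will be flagged by shellcheck. Since the script already depends on bash (`readarray` appears in the next hunk), a bash array states the intent explicitly and survives values containing spaces: `pbkdf_args=(--pbkdf pbkdf2 --pbkdf-force-iterations 1000)` and `pbkdf_args=()` for the luks1 branch in the previous hunk, then `"${pbkdf_args[@]}"` here and in the second luksAddKey call in the next hunk. The if/else that begins here continues past the end of this hunk.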
@@ -194,7 +196,8 @@ else
readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
| sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
fi
- cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
+ cryptsetup luksAddKey ${pbkdf_args} \
+ --key-file <(echo -n "${existing_key}") "$DEV"
fi < <(echo -n "${key}")
if [ $? -ne 0 ]; then
echo "Error while adding new key to LUKS header!" >&2
diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
index 67ece72..038cc37 100644
--- a/src/luks/clevis-luks-common-functions
+++ b/src/luks/clevis-luks-common-functions
@@ -760,10 +760,12 @@ clevis_luks_add_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
--key-slot "${SLT}" \
"${DEV}" \
+ ${pbkdf_args} \
${extra_args}
}
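Review bot: The added `local pbkdf_args=...` in clevis_luks_add_key is passed to luksAddKey regardless of the device's LUKS version, whereas clevis-luks-bind.in in this same patch clears it when `$luks_type` is luks1, so one of the two files is wrong about whether cryptsetup accepts `--pbkdf pbkdf2 --pbkdf-force-iterations` on a LUKS1 header, or the bind-time special case is unnecessary. If the flags are accepted on LUKS1 (PBKDF2 is the only KDF LUKS1 supports, so they may well be), a comment here saying so would stop a later reader from "fixing" the asymmetry; otherwise the same gate belongs here and in clevis_luks_update_key in the next hunk. The comment should also state that the low fixed iteration count is acceptable only because `${NEWKEY}` is expected to be a generated high-entropy key rather than a user-chosen passphrase, since any caller that routes a human passphrase through this path would produce a slot that is cheap to brute-force. clevis_luks_add_key starts before this hunk.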
@@ -792,11 +794,14 @@ clevis_luks_update_key() {
extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
input="$(printf '%s' "${NEWKEY}")"
fi
+ local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
if [ -n "${in_place}" ]; then
printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
--key-slot "${SLT}" \
- --batch-mode ${extra_args}
+ --batch-mode \
+ ${pbkdf_args} \
+ ${extra_args}
return
fi
--
2.33.1