https://lore.kernel.org/all/cd409f6c-5d51-482c-8a26-340822754ff1@gmail.com/T/ Comes with OPAL support, which feels super tasty to me. Reproducible: Always
--- /storage/gentoo/portage/sys-fs/cryptsetup/cryptsetup-2.6.1.ebuild 2023-10-31 22:12:25.258792554 +0300 +++ /home/rion/projects/rion-overlay/sys-fs/cryptsetup/cryptsetup-2.7.0.ebuild 2024-02-17 11:15:18.713871414 +0300 @@ -19,13 +19,14 @@ CRYPTO_BACKENDS="gcrypt kernel nettle +openssl" # we don't support nss since it doesn't allow cryptsetup to be built statically # and it's missing ripemd160 support so it can't provide full backward compatibility -IUSE="${CRYPTO_BACKENDS} +argon2 fips nls pwquality ssh static static-libs test +udev urandom" +IUSE="${CRYPTO_BACKENDS} +argon2 +hwopal fips gcryptargon2 nls pwquality ssh static static-libs test +udev urandom" RESTRICT="!test? ( test )" # bug #496612, bug #832711, bug #843863 REQUIRED_USE=" ^^ ( ${CRYPTO_BACKENDS//+/} ) static? ( !gcrypt !ssh !udev !fips ) fips? ( !kernel !nettle ) + gcryptargon2? ( gcrypt !argon2 ) " LIB_DEPEND=" @@ -33,10 +34,12 @@ dev-libs/popt[static-libs(+)] >=sys-apps/util-linux-2.31-r1[static-libs(+)] argon2? ( app-crypt/argon2:=[static-libs(+)] ) + hwopal? ( >=sys-kernel/linux-headers-6.4 ) gcrypt? ( dev-libs/libgcrypt:0=[static-libs(+)] dev-libs/libgpg-error[static-libs(+)] ) + gcryptargon2? ( >=dev-libs/libgcrypt-1.11:0=[static-libs(+)] ) nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] ) openssl? ( dev-libs/openssl:0=[static-libs(+)] ) pwquality? ( dev-libs/libpwquality[static-libs(+)] ) @@ -87,6 +90,8 @@ --with-tmpfilesdir="${EPREFIX}/usr/lib/tmpfiles.d" --with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/} ; do usev ${x} ; done) $(use_enable argon2 libargon2) + $(use_enable gcryptargon2 gcrypt-argon2) + $(use_enable hwopal hw-opal) $(use_enable nls) $(use_enable pwquality) $(use_enable !static external-tokens)
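Review bot: in the IUSE/REQUIRED_USE hunk, `+hwopal` turns the new OPAL code path on by default for every user, while the comment further down says the hardware part could not be tested on an OPAL drive; ship it as a plain `hwopal` (off by default) until it has been exercised, or state in the ebuild why default-on is safe. The new `gcryptargon2? ( gcrypt !argon2 )` rule combines with the existing `static? ( !gcrypt !ssh !udev !fips )` so that `static` and `gcryptargon2` are mutually exclusive transitively, which is fine, but since `argon2` is default-on (`+argon2`) a one-line comment next to the rule saying that `argon2` has to be switched off to use the libgcrypt implementation would save users a REQUIRED_USE failure.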
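Review bot: in the LIB_DEPEND hunk, `hwopal? ( >=sys-kernel/linux-headers-6.4 )` is in the wrong list: every other entry there is a library with `[static-libs(+)]` that the ebuild also uses for its runtime dependencies, whereas kernel headers are a build-time, header-only dependency, so this line belongs in DEPEND (not LIB_DEPEND, where it would leak into RDEPEND). Also add a short comment saying which OPAL uapi definition needs the 6.4 floor, since the version bound is otherwise unexplained.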
It's not quite a good diff since the new gcrypt is also not in portage yet, but it's what I came up with after comparing configure.ac.
Unfortunately, although my SSD (Acer Predator GM7000) supports some encryption, it's not OPAL, so I didn't test the hardware part.
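As an added example (not the ebuild's own code and not from Portage), the script below re-implements the REQUIRED_USE constraints and the configure-option mapping from the 2.7.0 ebuild diff above in plain sh, so flag combinations can be checked without running emerge. The helper names (has_use, check_required_use, flag_enable, configure_args) are this example's own; the constraints and option names are copied from the diff.

```shell
#!/bin/sh
# Added example: reproduce the 2.7.0 ebuild's REQUIRED_USE rules and the
# configure flags it generates for a given USE set. Helper names are
# assumptions of this example, not Portage functions.

CRYPTO_BACKENDS="gcrypt kernel nettle openssl"

# has_use FLAG "space separated use flags" -> 0 if FLAG is set
has_use() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_required_use "use flags" -> prints "ok" or the first violated rule
check_required_use() {
    use="$1"
    # ^^ ( gcrypt kernel nettle openssl ): exactly one crypto backend
    n=0
    for b in $CRYPTO_BACKENDS; do
        has_use "$b" "$use" && n=$((n + 1))
    done
    [ "$n" -eq 1 ] || { echo "exactly one crypto backend required, got $n"; return 1; }
    # static? ( !gcrypt !ssh !udev !fips )
    if has_use static "$use"; then
        for f in gcrypt ssh udev fips; do
            has_use "$f" "$use" && { echo "static conflicts with $f"; return 1; }
        done
    fi
    # fips? ( !kernel !nettle )
    if has_use fips "$use"; then
        for f in kernel nettle; do
            has_use "$f" "$use" && { echo "fips conflicts with $f"; return 1; }
        done
    fi
    # gcryptargon2? ( gcrypt !argon2 )  -- the rule the diff adds
    if has_use gcryptargon2 "$use"; then
        has_use gcrypt "$use" || { echo "gcryptargon2 requires gcrypt"; return 1; }
        has_use argon2 "$use" && { echo "gcryptargon2 conflicts with argon2"; return 1; }
    fi
    echo ok
}

# flag_enable FLAG [CONFIGURE_NAME] -> --enable-NAME / --disable-NAME,
# mirroring what use_enable does in the ebuild (reads $USE)
flag_enable() {
    name="${2:-$1}"
    if has_use "$1" "$USE"; then echo "--enable-$name"; else echo "--disable-$name"; fi
}

# configure_args "use flags" -> the options the patched src_configure passes
configure_args() {
    USE="$1"
    backend=""
    for b in $CRYPTO_BACKENDS; do has_use "$b" "$USE" && backend="$b"; done
    printf '%s' "--with-crypto_backend=$backend"
    printf ' %s' "$(flag_enable argon2 libargon2)" \
                 "$(flag_enable gcryptargon2 gcrypt-argon2)" \
                 "$(flag_enable hwopal hw-opal)"
    printf '\n'
}

# Example run with a constructed USE set (the libgcrypt Argon2 configuration):
check_required_use "gcrypt gcryptargon2 hwopal udev"
configure_args "gcrypt gcryptargon2 hwopal udev"
```

The second and third checks in the test below show the two failure modes a user of this ebuild is most likely to hit: keeping the default-on `argon2` flag together with `gcryptargon2`, and combining `gcryptargon2` with `static`, which the existing `static? ( !gcrypt ... )` rule rejects transitively.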
I had to patch this new version because of an upstream bug diff --git a/configure.ac b/configure.ac index 84cef4b..0b4f034 100644 --- a/configure.ac +++ b/configure.ac @@ -521,7 +521,7 @@ AC_ARG_ENABLE([internal-argon2], AC_ARG_ENABLE([libargon2], AS_HELP_STRING([--enable-libargon2], [enable external libargon2 (PHC) library (disables internal bundled version)])) -if test $use_internal_argon2 = 0 -o "x$enable_internal_argon2" = "xno" ; then +if test $use_internal_argon2 = 0 || ( test "x$enable_internal_argon2" = "xno" && test "x$enable_libargon2" != "xyes" ); then if test "x$enable_internal_argon2" = "xyes" -o "x$enable_libargon" = "xyes"; then AC_MSG_WARN([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.]) fi @@ -535,6 +535,7 @@ elif test "x$enable_libargon2" = "xyes" ; then AC_CHECK_DECL(Argon2_id,,[AC_MSG_ERROR([You need more recent Argon2 library with support for Argon2id.])], [#include <argon2.h>]) PKG_CHECK_MODULES([LIBARGON2], [libargon2],,[LIBARGON2_LIBS="-largon2"]) enable_internal_argon2=no + use_internal_argon2=0 else AC_MSG_WARN([Argon2 bundled (slow) reference implementation will be used, please consider to use system library with --enable-libargon2.]) Tested it with cryptsetup luksFormat --pbkdf=argon2id --type=luks2 /dev/nvme0n1p4. works well.
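Review bot: in the first configure.ac hunk, the unchanged context line `if test "x$enable_internal_argon2" = "xyes" -o "x$enable_libargon" = "xyes"; then` inside the branch being rewritten tests `$enable_libargon` (missing the `2`), a variable nothing sets, so the "internal Argon2 options are ignored" warning can never fire for `--enable-libargon2`; since the patch already touches this condition, fix that typo in the same change. Separately, `( test ... && test ... )` forks a subshell only to group the two tests; `{ test "x$enable_internal_argon2" = "xno" && test "x$enable_libargon2" != "xyes"; }` gives the same precedence without it.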
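Review bot: in the second hunk, the added `use_internal_argon2=0` in the `--enable-libargon2` branch has no comment, and the hunk does not show where that variable is consumed; add a one-line comment stating that it keeps the bundled reference implementation out of the build once the external library is selected, and confirm that whatever later gates the bundled Argon2 sources keys off `use_internal_argon2` rather than `enable_internal_argon2`, otherwise the first hunk's new condition and this reset can still disagree.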
Pushed to my overlay: https://github.com/rion-overlay/rion-overlay/tree/master/sys-fs/cryptsetup
Added an upstream PR with the patch: https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/611
Sorry, I hadn't seen the bug.

commit f08a00d3f8093a6e91deb6a2749b42607f1c36bd
Author: Sam James <sam@gentoo.org>
Date:   Fri Jun 7 15:20:07 2024 +0100

    sys-fs/cryptsetup: add 2.7.2

    Signed-off-by: Sam James <sam@gentoo.org>

Would you mind giving a new diff now that the new libgcrypt is out & in ::gentoo, in a new bug? Thank you.