Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 924513

Summary: sys-fs/cryptsetup-2.7.1 version bump
Product: Gentoo Linux Reporter: Sergey Ilinykh <rion4ik>
Component: Current packagesAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: enhancement CC: gmazyland, jerzy, rion4ik
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.com/cryptsetup/cryptsetup/-/tree/v2.7.0
Whiteboard:
Package list:
Runtime testing required: ---

Description Sergey Ilinykh 2024-02-14 09:37:45 UTC 
https://lore.kernel.org/all/cd409f6c-5d51-482c-8a26-340822754ff1@gmail.com/T/

Comes with OPAL support which feels super tasty to me.

Reproducible: Always
Comment 1 Sergey Ilinykh 2024-02-20 15:28:19 UTC 
--- /storage/gentoo/portage/sys-fs/cryptsetup/cryptsetup-2.6.1.ebuild   2023-10-31 22:12:25.258792554 +0300
+++ /home/rion/projects/rion-overlay/sys-fs/cryptsetup/cryptsetup-2.7.0.ebuild  2024-02-17 11:15:18.713871414 +0300
@@ -19,13 +19,14 @@
 CRYPTO_BACKENDS="gcrypt kernel nettle +openssl"
 # we don't support nss since it doesn't allow cryptsetup to be built statically
 # and it's missing ripemd160 support so it can't provide full backward compatibility
-IUSE="${CRYPTO_BACKENDS} +argon2 fips nls pwquality ssh static static-libs test +udev urandom"
+IUSE="${CRYPTO_BACKENDS} +argon2 +hwopal fips gcryptargon2 nls pwquality ssh static static-libs test +udev urandom"
 RESTRICT="!test? ( test )"
 # bug #496612, bug #832711, bug #843863
 REQUIRED_USE="
        ^^ ( ${CRYPTO_BACKENDS//+/} )
        static? ( !gcrypt !ssh !udev !fips )
        fips? ( !kernel !nettle )
+       gcryptargon2? ( gcrypt !argon2 )
 "
 
 LIB_DEPEND="
@@ -33,10 +34,12 @@
        dev-libs/popt[static-libs(+)]
        >=sys-apps/util-linux-2.31-r1[static-libs(+)]
        argon2? ( app-crypt/argon2:=[static-libs(+)] )
+       hwopal? ( >=sys-kernel/linux-headers-6.4 )
        gcrypt? (
                dev-libs/libgcrypt:0=[static-libs(+)]
                dev-libs/libgpg-error[static-libs(+)]
        )
+       gcryptargon2? ( >=dev-libs/libgcrypt-1.11:0=[static-libs(+)] )
        nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
        openssl? ( dev-libs/openssl:0=[static-libs(+)] )
        pwquality? ( dev-libs/libpwquality[static-libs(+)] )
@@ -87,6 +90,8 @@
                --with-tmpfilesdir="${EPREFIX}/usr/lib/tmpfiles.d"
                --with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/} ; do usev ${x} ; done)
                $(use_enable argon2 libargon2)
+               $(use_enable gcryptargon2 gcrypt-argon2)
+               $(use_enable hwopal hw-opal)
                $(use_enable nls)
                $(use_enable pwquality)
                $(use_enable !static external-tokens)
Comment 2 Sergey Ilinykh 2024-02-20 15:30:46 UTC 
It's not quite good diff since new gcrypt also not in portage yet. 
but it's what I came up with after comparing configure.ac
Comment 3 Sergey Ilinykh 2024-02-20 15:32:51 UTC 
Unfortunately regardless my SSD (Acer Predator GM7000) supports some encryption it's not OPAL. So I didn't test the hardware part..
Comment 4 Sergey Ilinykh 2024-02-21 20:16:45 UTC 
I had to patch this new version because of an upstream bug


diff --git a/configure.ac b/configure.ac
index 84cef4b..0b4f034 100644
--- a/configure.ac
+++ b/configure.ac
@@ -521,7 +521,7 @@ AC_ARG_ENABLE([internal-argon2],
 AC_ARG_ENABLE([libargon2],
        AS_HELP_STRING([--enable-libargon2], [enable external libargon2 (PHC) library (disables internal bundled version)]))
 
-if test $use_internal_argon2 = 0 -o "x$enable_internal_argon2" = "xno" ; then
+if test $use_internal_argon2 = 0 || ( test "x$enable_internal_argon2" = "xno" && test "x$enable_libargon2" != "xyes" ); then
        if test "x$enable_internal_argon2" = "xyes" -o "x$enable_libargon" = "xyes"; then
                AC_MSG_WARN([Argon2 in $with_crypto_backend lib is used; internal Argon2 options are ignored.])
        fi
@@ -535,6 +535,7 @@ elif test "x$enable_libargon2" = "xyes" ; then
        AC_CHECK_DECL(Argon2_id,,[AC_MSG_ERROR([You need more recent Argon2 library with support for Argon2id.])], [#include <argon2.h>])
        PKG_CHECK_MODULES([LIBARGON2], [libargon2],,[LIBARGON2_LIBS="-largon2"])
        enable_internal_argon2=no
+       use_internal_argon2=0
 else
        AC_MSG_WARN([Argon2 bundled (slow) reference implementation will be used, please consider to use system library with --enable-libargon2.])



Tested it with cryptsetup luksFormat --pbkdf=argon2id --type=luks2 /dev/nvme0n1p4. works well.
Comment 5 Sergey Ilinykh 2024-02-21 20:20:54 UTC 
pushed to my overlay https://github.com/rion-overlay/rion-overlay/tree/master/sys-fs/cryptsetup
Comment 6 Sergey Ilinykh 2024-02-21 20:48:44 UTC 
Added upstream PR with the patch https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/611
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-06-24 02:20:12 UTC 
Sorry, I hadn't seen the bug.

commit f08a00d3f8093a6e91deb6a2749b42607f1c36bd
Author: Sam James <sam@gentoo.org>
Date:   Fri Jun 7 15:20:07 2024 +0100

    sys-fs/cryptsetup: add 2.7.2

    Signed-off-by: Sam James <sam@gentoo.org>

Would you mind giving a new diff now that new libgcrypt is out & in ::gentoo, in a new bug? Thank you.