diff --git a/.circleci/config.yml b/.circleci/config.yml index e30f374a4..81eae7371 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -306,27 +306,6 @@ workflows: requires: - x230-hotp-maximized - - build: - name: x230-legacy-flash - target: x230-legacy-flash - subcommand: "" - requires: - - x230-hotp-maximized - - - build: - name: x230-legacy - target: x230-legacy - subcommand: "" - requires: - - x230-hotp-maximized - - - build: - name: x230-hotp-legacy - target: x230-hotp-legacy - subcommand: "" - requires: - - x230-hotp-maximized - - build: name: x230-hotp-maximized_usb-kb target: x230-hotp-maximized_usb-kb diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 27f927cfd..4bb8f4d97 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -363,7 +363,7 @@ check_gpg_key() option=$(cat /tmp/whiptail) case "$option" in g ) - gpg-gui.sh && BG_COLOR_MAIN_MENU="normnal" + gpg-gui.sh && BG_COLOR_MAIN_MENU="normal" ;; i ) skip_to_menu="true" diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default index c7a4f04fa..828e7d984 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default 
@@ -218,16 +218,17 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ save_key="y" fi else - DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Encryption Key to the TPM" + DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Unlock Key (DUK) to the TPM" read \ -n 1 \ - -p "Do you wish to add a disk encryption to the TPM [y/N]: " \ + -p "Do you wish to add a disk encryption key to the TPM [y/N]: " \ add_key_confirm + #TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more? echo if [ "$add_key_confirm" = "y" \ -o "$add_key_confirm" = "Y" ]; then - DEBUG "User confirmed desire to add a Disk Encryption Key to the TPM" + DEBUG "User confirmed desire to add a Disk Unlock Key (DUK) to the TPM" save_key="y" fi fi diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 0481ebb2a..0765d8b9e 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key 
@@ -1,15 +1,33 @@ #!/bin/bash -# This will generate a disk encryption key and seal / ecncrypt +# This will generate a disk encryption key and seal / encrypt # with the current PCRs and then store it in the TPM NVRAM. # It will then need to be bundled into initrd that is booted. set -e -o pipefail . /etc/functions +find_drk_key_slot() { + local temp_drk_key_slot="" + local keyslot + + for keyslot in "${luks_used_keyslots[@]}"; do + if [ -z "$temp_drk_key_slot" ]; then + DEBUG "Testing LUKS key slot $keyslot against $DISK_RECOVERY_KEY_FILE for Disk Recovery Key slot..." + if DO_WITH_DEBUG cryptsetup open --test-passphrase --key-slot "$keyslot" --key-file "$DISK_RECOVERY_KEY_FILE" "$dev"; then + temp_drk_key_slot="$keyslot" + DEBUG "Disk Recovery key slot is $temp_drk_key_slot" + break + fi + fi + done + + echo "$temp_drk_key_slot" +} + TPM_INDEX=3 TPM_SIZE=312 -KEY_FILE="/tmp/secret/secret.key" +DUK_KEY_FILE="/tmp/secret/secret.key" TPM_SEALED="/tmp/secret/secret.sealed" -RECOVERY_KEY="/tmp/secret/recovery.key" +DISK_RECOVERY_KEY_FILE="/tmp/secret/recovery.key" . /etc/functions . /tmp/config @@ -23,11 +41,12 @@ fi KEY_DEVICES="$paramsdir/kexec_key_devices.txt" KEY_LVM="$paramsdir/kexec_key_lvm.txt" +key_devices=$(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ') if [ ! -r "$KEY_DEVICES" ]; then die "No devices defined for disk encryption" else - DEBUG "Devices defined for disk encryption: $(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')" + DEBUG "Devices defined for disk encryption: $key_devices" fi if [ -r "$KEY_LVM" ]; then 
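Review bot: find_drk_key_slot has no header comment, yet it reads `dev`, `luks_used_keyslots` and `DISK_RECOVERY_KEY_FILE` from the global scope and is defined above the lines that assign them. A short comment above the function would make that contract explicit, for example `# Prints the first slot in luks_used_keyslots that $DISK_RECOVERY_KEY_FILE opens on $dev; prints an empty string when none matches.` The inner `[ -z "$temp_drk_key_slot" ]` test is redundant, because the loop already breaks on the first match.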
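Review bot: The new `key_devices=$(cat "$KEY_DEVICES" | ...)` assignment in the second hunk runs before the `[ ! -r "$KEY_DEVICES" ]` check, and the script is under `set -e -o pipefail`. A missing or unreadable file therefore fails the pipeline and ends the script before `die "No devices defined for disk encryption"` can say why. Moving the assignment into the `else` branch keeps the diagnostic reachable, and `cut -d ' ' -f1 "$KEY_DEVICES" | tr '\n' ' '` drops the extra `cat`.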
@@ -44,92 +63,160 @@ fi DEBUG "$(pcrs)" -# LUKS Key slot 0 is the manual recovery pass phrase -# that they user entered when they installed OS, -# key slot 1 is the one that we've generated. -read -s -p "Enter LUKS Disk Recovery Key/passphrase: " disk_password -echo -n "$disk_password" >"$RECOVERY_KEY" -echo -read -s -p "New LUKS TPM Disk Unlock Key passphrase for booting: " key_password -echo -read -s -p "Repeat LUKS TPM Disk Unlock Key passphrase for booting: " key_password2 -echo +luks_drk_passphrase_valid=0 +for dev in $key_devices ; do + attempts=0 + while [ $attempts -lt 3 ]; do + if [ "$luks_drk_passphrase_valid" == "0" ]; then + # Ask for the passphrase only once + read -s -p "Enter LUKS Disk Recovery Key (DRK) passphrase that can unlock: $key_devices: " disk_recovery_key_passphrase + #Using he provided passphrase as the DRK "keyfile" for unattended operations + echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE" + echo + fi -if [ "$key_password" != "$key_password2" ]; then - die "Key passphrases do not match" -fi + DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile created from provided passphrase against $dev individual key slots" + if cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then + DEBUG "LUKS device $dev unlocked successfully with the DRK passphrase" + luks_drk_passphrase_valid=1 + break + else + attempts=$((attempts + 1)) + if [ "$attempts" == "3" ] && [ "$luks_drk_passphrase_valid" == "0" ]; then + die "Failed to unlock LUKS device $dev with the provided passphrase. Exiting..." + elif [ "$attempts" != "3" ] && [ "$luks_drk_passphrase_valid" == "1" ]; then + #We failed unlocking with DRK passphrase another LUKS container + die "LUKS device $key_devices cannot all be unlocked with same passphrase. Please make $key_devices devices unlockable with the same passphrase. Exiting" + else + warn "Failed to unlock LUKS device $dev with the provided passphrase. Please try again." 
+ fi + fi + done +done + +attempts=0 +while [ $attempts -lt 3 ]; do + read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password + echo + read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2 + echo + if [ "$key_password" != "$key_password2" ]; then + attempts=$((attempts + 1)) + if [ "$attempts" == "3" ]; then + die "Disk Unlock Key passphrases do not match. Exiting..." + else + warn "Disk Unlock Key passphrases do not match. Please try again." + fi + else + break + fi +done # Generate key file echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase" dd \ if=/dev/urandom \ - of="$KEY_FILE" \ + of="$DUK_KEY_FILE" \ bs=1 \ count=128 \ 2>/dev/null || die "Unable to generate 128 random bytes" -# Count the number of slots used on each device -for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do - DEBUG "Checking number of slots used on $dev LUKS header" - #check if the device is a LUKS device with luks[1,2] - # Get the number of key slots used on the LUKS header. - # LUKS1 Format is : - # Slot 0: ENABLED - # Slot 1: ENABLED - # Slot 2: DISABLED - # Slot 3: DISABLED - #... - # Slot 7: DISABLED - # Luks2 only reports on enabled slots. - # luks2 Format is : - # 0: luks2 - # 1: luks2 - # Meaning that the number of slots used is the number of lines returned by a grep on the LUKS2 above format. 
- # We need to count the number of ENABLED slots for both LUKS1 and LUKS2 - # create regex pattern for both LUKS1 and LUKS2 - regex="Slot [0-9]*: ENABLED" - regex+="\|" - regex+="[0-9]*: luks2" - slots_used=$(cryptsetup luksDump "$dev" | grep -c "$regex" || die "Unable to get number of slots used on $dev") - - DEBUG "Number of slots used on $dev LUKS header: $slots_used" - # If slot1 is the only one used, warn and die with proper messages - if [ "$slots_used" -eq 1 ]; then - # Check if slot 1 is the only one existing - if [ "$(cryptsetup luksDump "$dev" | grep -c "Slot 1: ENABLED")" -eq 1 ] || [ "$(cryptsetup luksDump "$dev" | grep -c "1: luks2")" -eq 1 ]; then - warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key" - warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store LUKS Disk Recovery Key/passphrase" - die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev" - fi +previous_luks_header_version=0 +for dev in $key_devices; do + # Check and store LUKS version of the devices to be used later + luks_version=$(cryptsetup luksDump "$dev" | grep "Version" | cut -d: -f2 | tr -d '[:space:]') + if [ "$luks_version" == "2" ] && [ "$previous_luks_header_version" == "1" ]; then + die "$dev: LUKSv2 device detected while LUKSv1 device was detected previously. Exiting..." + fi + + if [ "$luks_version" == "1" ] && [ "$previous_luks_header_version" == "2" ]; then + die "$dev: LUKSv1 device detected while LUKSv2 device was detected previously. Exiting..." 
+ fi + + if [ "$luks_version" == "2" ]; then + # LUKSv2 last key slot is 31 + duk_keyslot=31 + regex="^\s+([0-9]+):\s*luks2" + sed_command="s/^\s\+\([0-9]\+\):\s*luks2/\1/g" + previous_luks_header_version=2 + DEBUG "$dev: LUKSv2 device detected" + elif [ "$luks_version" == "1" ]; then + # LUKSv1 last key slot is 7 + duk_keyslot=7 + regex="Key Slot ([0-9]+): ENABLED" + sed_command='s/Key Slot \([0-9]\+\): ENABLED/\1/' + previous_luks_header_version=1 + DEBUG "$dev: LUKSv1 device detected" else - DEBUG "Slot 1 is not the only existing slot on $dev LUKS header." - DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase" + die "$dev: Unsupported LUKS version $luks_version" fi -done -# Remove all the old keys from slot 1 -for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do - echo "++++++ $dev: Removing old LUKS TPM Disk Unlock Key in LUKS slot 1" - cryptsetup luksKillSlot \ - --key-file "$RECOVERY_KEY" \ - $dev 1 || - warn "$dev: removal of LUKS TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing" - - echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS slot 1" - cryptsetup luksAddKey \ - --key-file "$RECOVERY_KEY" \ - --key-slot 1 \ - $dev "$KEY_FILE" || - die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS slot 1" + # drk_key_slot will be the slot number where the passphrase was tested against as valid. We will keep that slot + drk_key_slot="-1" + + # Get all the key slots that are used on $dev + luks_used_keyslots=($(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command")) + DEBUG "$dev LUKS key slots: ${luks_used_keyslots[*]}" + + #Find the key slot that can be unlocked with the provided passphrase + drk_key_slot=$(find_drk_key_slot) + + # If we didn't find the DRK key slot, we exit (this should never happen) + if [ "$drk_key_slot" == "-1" ]; then + die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..." 
+ fi + + # If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe + for keyslot in "${luks_used_keyslots[@]}"; do + if [ "$keyslot" != "$drk_key_slot" ]; then + #set wipe_desired to no by default + wipe_desired="no" + + if [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" == "1" ]; then + wipe_desired="yes" + DEBUG "LUKS key slot $keyslot not DRK. Will wipe this DUK key slot silently" + elif [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" != "$duk_keyslot" ]; then + # Heads expects key slot LUKSv1:7 or LUKSv2:31 to be used for TPM DUK setup. + # Ask user to confirm otherwise + warn "LUKS key slot $keyslot is not typical ($duk_keyslot expected) for TPM Disk Unlock Key setup" + read -p "Are you sure you want to wipe it? [y/N] " -n 1 -r + echo + # If user does not confirm, skip this slot + if [[ $REPLY =~ ^[Yy]$ ]]; then + wipe_desired="yes" + fi + elif [ "$keyslot" == "$duk_keyslot" ]; then + # If key slot is the expected DUK keyslot, we wipe it silently + DEBUG "LUKS key slot $keyslot is the expected DUK key slot. Will wipe this DUK key slot silently" + wipe_desired="yes" + fi + + if [ "$wipe_desired" == "yes" ] && [ "$keyslot" != "$drk_key_slot" ]; then + echo "++++++ $dev: Wiping LUKS key slot $keyslot" + DO_WITH_DEBUG cryptsetup luksKillSlot \ + --key-file "$DISK_RECOVERY_KEY_FILE" \ + $dev $keyslot || + warn "$dev: removal of LUKS slot $keyslot failed: Continuing" + fi + fi + done + + + echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot" + DO_WITH_DEBUG cryptsetup luksAddKey \ + --key-file "$DISK_RECOVERY_KEY_FILE" \ + --new-key-slot $duk_keyslot \ + $dev "$DUK_KEY_FILE" || + die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot" done # Now that we have setup the new keys, measure the PCRs # We don't care what ends up in PCR 6; we just want # to get the /tmp/luksDump.txt file. 
We use PCR16 # since it should still be zero -cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks || +echo "$key_devices" | xargs /bin/qubes-measure-luks || die "Unable to measure the LUKS headers" pcrf="/tmp/secret/pcrf.bin" @@ -155,13 +242,13 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf" tpmr pcrread -a 7 "$pcrf" DO_WITH_DEBUG --mask-position 7 \ - tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ + tpmr seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ "$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM" # should be okay if this fails shred -n 10 -z -u "$pcrf" 2>/dev/null || warn "Failed to delete pcrf file - continuing" -shred -n 10 -z -u "$KEY_FILE" 2>/dev/null || +shred -n 10 -z -u "$DUK_KEY_FILE" 2>/dev/null || warn "Failed to delete key file - continuing" mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing" diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 6ed5a28fb..c09e7b12a 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -44,6 +44,12 @@ GPG_ALGO="RSA" # Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard RSA_KEY_LENGTH=3072 +#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes +if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then + DEBUG "Overriding RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards" + RSA_KEY_LENGTH=2048 +fi + GPG_USER_NAME="OEM Key" GPG_KEY_NAME=$(date +%Y%m%d%H%M%S) GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com" 
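Review bot: The `[ "$drk_key_slot" == "-1" ]` guard in the per-device loop can never fire, because `drk_key_slot="-1"` is overwritten by `drk_key_slot=$(find_drk_key_slot)` and that function prints an empty string when no slot matches. With an empty value every used slot compares unequal to the DRK slot, so the wipe loop treats all of them as candidates, slot 1 and `$duk_keyslot` without confirmation. Testing for the empty result closes this, e.g. `if [ -z "$drk_key_slot" ] || [ "$drk_key_slot" == "-1" ]; then`. Separately, the passphrase stays in `$DISK_RECOVERY_KEY_FILE` on every `die` path of this hunk; no cleanup trap is visible here, so confirm that one exists elsewhere in the script.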
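Review bot: The downgrade to 2048-bit RSA in oem-factory-reset is reported only through `DEBUG`, so on a build without debug output nothing tells the operator that keys generated on a `qemu-*` board are weaker than the 3072-bit default. Reporting it with `warn "Overriding RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards"` (assuming `warn` is available in this script, as it is in the others touched by this commit) would make the override visible. A comment stating that the `qemu-*` match is meant for test boards only, and what has to be fixed before it can go, would help whoever removes it later.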
@@ -266,20 +272,20 @@ keytocard_subkeys_to_smartcard() { { echo "key 1" #Toggle on Signature key in --edit-key mode on local keyring echo "keytocard" #Move Signature key to smartcard - echo "1" #Select Signature key keyslot on smartcard + echo "1" #Select Signature key key slot on smartcard echo "${ADMIN_PIN}" #Local keyring Subkey PIN echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "0" #No expiration date echo "key 1" #Toggle off Signature key echo "key 2" #Toggle on Encryption key echo "keytocard" #Move Encryption key to smartcard - echo "2" #Select Encryption key keyslot on smartcard + echo "2" #Select Encryption key key slot on smartcard echo "${ADMIN_PIN}" #Local keyring Subkey PIN echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "key 2" #Toggle off Encryption key echo "key 3" #Toggle on Authentication key echo "keytocard" #Move Authentication key to smartcard - echo "3" #Select Authentication key keyslot on smartcard + echo "3" #Select Authentication key slot on smartcard echo "${ADMIN_PIN}" #Local keyring Subkey PIN echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "key 3" #Toggle off Authentication key @@ -383,6 +389,7 @@ export_public_key_to_thumbdrive_public_partition() { #pass non-empty arguments to --pass, --mountpoint, --device, --mode mount-usb --device "$device" --mode "$mode" --mountpoint "$mountpoint" || die "Error mounting thumb drive's public partition" + #TODO: reuse "Obtain GPG key ID" so that pubkey on public thumb drive partition is named after key ID gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition" umount "$mountpoint" || die "Error unmounting thumb drive's public partition" @@ -879,6 +886,7 @@ report_integrity_measurements clear #Prompt user for use of default configuration options +TRACE_FUNC echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: " read -n 1 use_defaults 
@@ -907,6 +915,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ]; then + TRACE_FUNC test_luks_current_disk_recovery_key_passphrase luks_new_Disk_Recovery_Key_desired=1 echo -e "\n" @@ -970,8 +979,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ]; then - echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" - echo + echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length." while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do echo -e -n "Enter the custom password: " read CUSTOM_SINGLE_PASS @@ -999,8 +1007,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then read TPM_PASS done fi - while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do - echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" + while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do + echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG Admin PIN: " read ADMIN_PIN done @@ -1028,6 +1036,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then } done #We test that current LUKS Disk Recovery Key passphrase is known prior of going further + TRACE_FUNC test_luks_current_disk_recovery_key_passphrase echo -e "\n" fi 
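Review bot: The Admin PIN lower bound drops from 8 to 6 in the `while [[ ${#ADMIN_PIN} -lt 6 ]]` loop (third hunk on this line), but the OpenPGP card specification gives 8 as the minimum length for the Admin PIN (PW3); 6 is the minimum for the User PIN (PW1). If the supported tokens enforce that, a 6- or 7-character Admin PIN passes this loop and is rejected only later, when the card is provisioned. Unless a specific token needs the shorter value, keeping `-lt 8` and "between 8 to" in the prompt avoids that; if the change is intentional, a comment naming the token would explain it.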
@@ -1147,8 +1156,8 @@ fi if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then #Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested - luks_change_passphrase luks_reencrypt + luks_change_passphrase elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then #Reencryption of disk was requested but not passphrase change luks_reencrypt diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions index 5b46acb5e..bb83db27c 100755 --- a/initrd/etc/gui_functions +++ b/initrd/etc/gui_functions @@ -37,6 +37,7 @@ mount_usb() # -- Display related functions -- # Produce a whiptail prompt with 'warning' background, works for fbwhiptail and newt whiptail_warning() { + #TODO: Cannot be called as is under luks_functions with string expension in title: why? if [ -x /bin/fbwhiptail ]; then whiptail $BG_COLOR_WARNING "$@" else @@ -46,6 +47,7 @@ whiptail_warning() { # Produce a whiptail prompt with 'error' background, works for fbwhiptail and newt whiptail_error() { + #TODO: Cannot be called as is under luks_functions with string expension in title: why? if [ -x /bin/fbwhiptail ]; then whiptail $BG_COLOR_ERROR "$@" else @@ -55,6 +57,7 @@ whiptail_error() { # Produce a whiptail prompt of the given type - 'error', 'warning', or 'normal' whiptail_type() { + TRACE_FUNC local TYPE="$1" shift case "$TYPE" in diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index 30e0c4ab9..b7765a7b0 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -7,6 +7,7 @@ #List all LUKS devices on the system list_luks_devices() { + TRACE_FUNC #generate a list of devices to choose from that contain a LUKS header lvm vgscan || true blkid | cut -d ':' -f 1 | while read device; do 
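Review bot: After the reorder in the first hunk, `luks_change_passphrase` still runs when `luks_reencrypt` returns non-zero, because neither call's status is checked (unless the script runs under `set -e`, which is not visible in this hunk). luks_reencrypt can return 1, for instance when no container is selected, and the user would then be walked through a passphrase change on a container that was not reencrypted. Chaining the calls as `luks_reencrypt && luks_change_passphrase`, or handling the failure explicitly, would make the dependency between the two steps visible.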
@@ -267,12 +268,15 @@ prepare_thumb_drive() select_luks_container() { + #TODO: extend logic to prompt for block devices with model if multiple LUKS are found on block device instead of partitions + # Then feed luks with those partitions so that reencrypt and passphrase change can use passphrase to test all selected TRACE_FUNC if [ -s /boot/kexec_key_devices.txt ]; then DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt" - DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)" - LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) - else + LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) + DEBUG "LUKS container device: $(echo $LUKS)" + # LUKS variable not exported yet, prompt for LUKS device + elif [ -z "$LUKS" ]; then list_luks_devices > /tmp/luks_devices.txt #if /tmp/luks_devices.txt exists and is not empty if [ -s /tmp/luks_devices.txt ]; then 
@@ -280,11 +284,21 @@ select_luks_container() if [ "$FILE" == "" ]; then return 1 else - LUKS=$FILE - detect_boot_device - mount -o remount,rw /boot - echo "$LUKS $(cryptsetup luksUUID $LUKS)" >/boot/kexec_key_devices.txt - mount -o remount,ro /boot + #TODO: What about BRTFS multi LUKS setup of QubesOS? + # if multiple LUKS containers are found on same block device + # select all of the luks containers on same block device instead of just one + # note that block devices for example under /dev/sda will be /dev/sda1, /dev/sda2, etc + # so we need to select all of the partitions on the same block device from /tmp/luks_devices.txt + # and then export them to LUKS variable + # then reencrypt and passphrase change functions will loop on all of the LUKS containers + # and test passphrase on all of them + if grep -q "$(echo $FILE | sed 's/[0-9]*$//')" /tmp/luks_devices.txt; then + DEBUG "Multiple LUKS containers found on same block device, selecting them all" + LUKS=$(grep $(echo $FILE | sed 's/[0-9]*$//') /tmp/luks_devices.txt) + else + DEBUG "Single LUKS container found on block device, assigning to LUKS variable" + LUKS=$FILE + fi fi else warn "No encrypted device found" 
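Review bot: The `grep -q` test cannot tell one container from several: if `$FILE` was picked from /tmp/luks_devices.txt (the selection is outside this hunk), its digit-stripped prefix always matches at least its own line, so the `else` branch is unreachable and the "Multiple LUKS containers" message is logged for a single container too. The second `grep $(...)` is also unquoted, and both calls treat the prefix as a regular expression. Counting fixed-string matches makes the branch meaningful: `prefix=$(echo "$FILE" | sed 's/[0-9]*$//')` followed by `if [ "$(grep -c -F -- "$prefix" /tmp/luks_devices.txt)" -gt 1 ]; then`. Since the comment says `$LUKS` will drive reencryption and passphrase changes on every selected container, showing the user the final list before it is used would be a sensible safeguard.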
@@ -295,41 +309,79 @@ select_luks_container() test_luks_current_disk_recovery_key_passphrase() { + #TODO: reuse/generalize usage of this function. Tests for LUKS are still done 4 times independently of this helper TRACE_FUNC while :; do select_luks_container || return 1 + + # LUKS contains multiline string of LUKS containers on same block device + # transform it into words of a same string separated by space + PRINTABLE_LUKS=$(echo $LUKS) + + TRACE_FUNC if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - #if no external provisioning provides current LUKS Disk Recovery Key passphrase + # if no external provisioning provides current LUKS Disk Recovery Key passphrase echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..." - cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..." - cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi - #Validate past cryptsetup-reencrypt attempts - if [ $? -eq 0 ]; then - whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 
30 60 - shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null - #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round - unset luks_current_Disk_Recovery_Key_passphrase - #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - #maybe the container was not the right one - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - else - #LuksOpen test was successful. Cleanup should be called only when done - #Exporting successfully used passphrase possibly reused by oem-factory-reset - #We close the volume - cryptsetup close test - export luks_current_Disk_Recovery_Key_passphrase + # test all LUKS containers on same block device as returned by select_luks_container + echo -e "\n$PRINTABLE_LUKS: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + + # Loop on all LUKS containers on same block device + for luks_container in $LUKS; do + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase + # Validate past cryptsetup reencrypt attempts + if [ $? -ne 0 ]; then + # if we have more than one LUKS container and passphrase test unsuccessful, tell user how to change passphrase + if [ $(echo $LUKS | wc -w) -gt 1 ]; then + #TODO remove this once whiptail_error whiptail_warning can take titles with double quotes + #whiptail_warning --title 'tes' --msgbox 'test' 0 80 + #whiptail_error --title 'error' --msgbox 'error' 0 80 + #Neither work today. Not related to this PR... Using whiptail without coloring. 
+ + msg=$(echo -e "All $PRINTABLE_LUKS must unlock with the same Disk Recovery Key passphrase for the current operation to succeed.\n\nTo change individual LUKS container passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s) + whiptail --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \ + --msgbox "$msg" 0 80 + + TRACE_FUNC + luks_secrets_cleanup + die "$PRINTABLE_LUKS individual containers NEED to share the same Disk Recovery Key passphrase" + # We exited to caller, LUKS still set. TODO: problem? Should we call all cleaning functions on die? + fi + + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + TRACE_FUNC + + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + # remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. + # maybe the container was not the right one + unset LUKS + else + # LuksOpen test was successful. Cleanup should be called only when done + # Exporting successfully used passphrase possibly reused by oem-factory-reset + echo "$luks_container: unlocking LUKS container with current Disk Recovery Key passphrase successful" + + # Exporting successfully used passphrase possibly reused by oem-factory-reset + export luks_current_Disk_Recovery_Key_passphrase + fi + done + + # exit while loop if LUKS variable is not empty + if [ -n "$LUKS" ]; then + # We export the LUKS volume(s) that was/were validated via passphrase test + export LUKS + TRACE_FUNC + DEBUG "$LUKS exported to be reused" break; fi done 
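Review bot: The `if [ $? -ne 0 ]` test in the container loop depends on nothing ever being placed between it and the `DO_WITH_DEBUG cryptsetup open --test-passphrase` line above it; a DEBUG or TRACE_FUNC inserted there later would make the check test the wrong command. luks_reencrypt in this same commit uses the safer form, `if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then`. The single-container retry path also relies on `luks_secrets_cleanup` clearing `luks_current_Disk_Recovery_Key_passphrase`, as the removed `unset` did. That function is outside this hunk, so confirm it does; otherwise the `while` loop retests the same wrong passphrase without prompting again.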
@@ -337,12 +389,16 @@ test_luks_current_disk_recovery_key_passphrase() luks_reencrypt() { TRACE_FUNC - while :; do - select_luks_container || return 1 - #If the user just set a new LUKS Disk Recovery Key passphrase - if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then - luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase" - fi + #TODO: REFACTOR This and luks passphrase change function needs to loop on same drive discovered luks containers so that reencrypt/passwd change is done on all luks containers of same drive + # Ideal would be to list luks devices and then try keep and append LUKS devices to a list of devices to reencrypt or change passphrase + # then loop on that list of devices that could be opened and reencrypt/change passphrase for all the devices that could be tested opened with that passphrase + select_luks_container || return 1 + + # Count the number of containers to be reencrypted + num_containers=$(echo "$LUKS" | wc -w) + reencrypted_containers=0 + + while [ $reencrypted_containers -lt $num_containers ]; do if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then #if no external provisioning provides current LUKS Disk Recovery Key passphrase msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s) 
@@ -351,97 +407,185 @@ luks_reencrypt() { echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!" - cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase else echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!" - cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi - #Validate past cryptsetup-reencrypt attempts - if [ $(echo $?) -ne 0 ]; then - whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ - "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 - shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null - #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round - unset luks_current_Disk_Recovery_Key_passphrase - #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - #maybe the container was not the right one - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - else - #Reencryption was successful. 
Cleanup should be called only when done - #Exporting successfully used passphrase possibly reused by oem-factory-reset - export luks_current_Disk_Recovery_Key_passphrase - break; - fi - done -} -luks_change_passphrase() -{ - TRACE_FUNC - while :; do - select_luks_container || return 1 - #if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ - "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60 - if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" - while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do - { - read -r luks_new_Disk_Recovery_Key_passphrase - };done + # Split the $LUKS variable into an array of LUKS containers + luks_containers=($LUKS) + TRACE_FUNC + DEBUG "luks_containers: $luks_containers" + + # Loop through each LUKS container + for luks_container in "${luks_containers[@]}"; do + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 
0 80 + # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. + # Maybe the container was not the right one + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue fi - if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then - echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" - read -r luks_current_Disk_Recovery_Key_passphrase + done + + DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key" + for luks_container in "${luks_containers[@]}"; do + # First obtain which luks1/luks2 key-slot can be unlocked with the key-file + DRK_KEYSLOT=-1 + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + for i in $(seq 0 31); do + if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + DRK_KEYSLOT=$i + DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop" + break + fi + done + + # Validate if a key slot was found + if [ $DRK_KEYSLOT -eq -1 ]; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + # Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. 
+ # Maybe the container was not the right one + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue fi - export luks_current_Disk_Recovery_Key_passphrase - export luks_new_Disk_Recovery_Key_passphrase - echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." - cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase - else - #If current and new LUKS Disk Recovery Key were exported - echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." - cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase - fi - #Validate past cryptsetup attempts - if [ $(echo $?) -ne 0 ]; then - #Cryptsetup luksChangeKey was unsuccessful - whiptail --title 'Invalid LUKS passphrase?' --msgbox \ - "The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 
30 60 - unset luks_current_Disk_Recovery_Key_passphrase - unset luks_new_Disk_Recovery_Key_passphrase - #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. - #maybe the container was not the right one - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec_key_devices.txt - mount -o remount,ro /boot - else - #Cryptsetup was successful. - #Cleanup should be called seperately. - #Exporting successfully used passphrase possibly reused by oem-factory-reset - export luks_new_Disk_Recovery_Key_passphrase - break; - fi + # Now reencrypt the LUKS container with the same key slot + # Warn and launch actual reencryption + echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..." + warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS" + + # --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+ + # bypassing dm-crypt queues. + # Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518 + # --resilience=none disables the resilience feature of cryptsetup, which is enabled by default + # --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device) + # --disable-locks disables the lock feature of cryptsetup, which is enabled by default + + if ! DO_WITH_DEBUG cryptsetup reencrypt \ + --perf-no_read_workqueue --perf-no_write_workqueue \ + --resilience=none --force-offline-reencrypt --disable-locks \ + "$luks_container" --key-slot "$DRK_KEYSLOT" \ + --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" 
--msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + + TRACE_FUNC + + #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. + #maybe the container was not the right one + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + else + #Reencryption was successful. Cleanup should be called only when done + #Exporting successfully used passphrase possibly reused by oem-factory-reset + export luks_current_Disk_Recovery_Key_passphrase + export LUKS + + # Increment the count of reencrypted containers + reencrypted_containers=$((reencrypted_containers + 1)) + fi + done done } +luks_change_passphrase() { + TRACE_FUNC + + select_luks_container || return 1 + + # Count the number of containers to be processed + num_containers=$(echo "$LUKS" | wc -w) + changed_containers=0 + + # Split the $LUKS variable into an array of LUKS containers + IFS=' ' read -ra luks_containers <<< "$LUKS" + + for luks_container in "${luks_containers[@]}"; do + if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then + whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ + "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80 + + if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then + echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):" + while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do + read -r 
luks_new_Disk_Recovery_Key_passphrase + done + fi + + if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then + echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" + read -r luks_current_Disk_Recovery_Key_passphrase + fi + fi + + echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase + echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase + + DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then + whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ + "If you previously changed it and do not remember it, you will have to\n reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 + TRACE_FUNC + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec_key_devices.txt + mount -o remount,ro /boot + luks_secrets_cleanup + unset LUKS + continue + fi + + echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..." + if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase; then + whiptail --title 'Failed to change LUKS passphrase' --msgbox \ + "Failed to change the passphrase for $luks_container.\nPlease try again." 0 80 + continue + fi + + echo "Success changing passphrase for $luks_container." 
+ changed_containers=$((changed_containers + 1)) + done + + if [ $changed_containers -eq $num_containers ]; then + # All containers processed successfully + luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase + export luks_current_Disk_Recovery_Key_passphrase + export luks_new_Disk_Recovery_Key_passphrase + export LUKS + fi +} + luks_secrets_cleanup() { + TRACE_FUNC + #Cleanup shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true + + #Unset variables (when in same boot) unset luks_current_Disk_Recovery_Key_passphrase unset luks_new_Disk_Recovery_Key_passphrase + + #TODO: refactor logic of selec_luks_conatainer, where to put + #unset LUKS } diff --git a/initrd/init b/initrd/init index 8eccbff0b..b74d5b094 100755 --- a/initrd/init +++ b/initrd/init @@ -103,9 +103,11 @@ fi #Specify whiptail background colors cues under FBWhiptail only if [ -x /bin/fbwhiptail ]; then + DEBUG "fbwhiptail BG_COLOR_* exported" export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}" export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}" else + DEBUG "whiptail TEXT_BG_COLOR_* exported" export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}" export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}" fi diff --git a/modules/cryptsetup2 b/modules/cryptsetup2 index 6becf6db8..ff98639b6 100644 --- a/modules/cryptsetup2 +++ b/modules/cryptsetup2 
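Review bot: When `cryptsetup reencrypt` itself fails in `luks_reencrypt`, the dialog still asks "Wrong current LUKS Disk Recovery Key passphrase?", although the key file has just unlocked a key slot of that container in the scan above, so a failure at this step more likely comes from the device or an interrupted run. The command is started with `--resilience=none`, which the comment above it describes as disabling cryptsetup's resilience feature, so the container may be left in an inconsistent state, and shredding the secrets and moving on to the next container hides that. I would report the failure as such and stop, e.g. `die "$luks_container: cryptsetup reencrypt failed"`, and say in the comment why crash resilience is traded away here. Separately, the key files would be safer written with `printf '%s'` under `umask 077` than with `echo -n "$…" >/tmp/…`, which mangles a passphrase that happens to be an echo option. `luks_reencrypt` starts before this hunk.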
@@ -2,11 +2,11 @@ modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2 cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep) -cryptsetup2_version := 2.3.3 +cryptsetup2_version := 2.6.1 cryptsetup2_dir := cryptsetup-$(cryptsetup2_version) cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz -cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-$(cryptsetup2_version).tar.xz -cryptsetup2_hash := 3bca4ffe39e2f94cef50f6ea65acb873a6dbce5db34fc6bcefe38b6d095e82df +cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz +cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693 # Use an empty prefix so that the executables will not include the # build path. @@ -16,9 +16,15 @@ cryptsetup2_configure := \ ./configure \ --host $(MUSL_ARCH)-elf-linux \ --prefix "/" \ - --disable-gcrypt-pbkdf2 \ + --enable-internal-sse-argon2 \ --disable-rpath \ - --enable-cryptsetup-reencrypt \ + --disable-gcrypt-pbkdf2 \ + --disable-ssh-token \ + --disable-asciidoc \ + --disable-nls \ + --disable-selinux \ + --disable-udev \ + --disable-external-tokens \ --with-crypto_backend=kernel \ --with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d @@ -33,7 +39,6 @@ cryptsetup2_target := \ cryptsetup2_output := \ .libs/cryptsetup \ - .libs/cryptsetup-reencrypt \ .libs/veritysetup \ cryptsetup2_libraries := \ diff --git a/modules/libaio b/modules/libaio new file mode 100644 index 000000000..bf83fb90a --- /dev/null +++ b/modules/libaio 
@@ -0,0 +1,19 @@
+modules-$(CONFIG_LVM2) += libaio
+
+libaio_version := 0.3.113
+libaio_dir := libaio-$(libaio_version)
+libaio_tar := libaio_$(libaio_version).orig.tar.gz
+libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar)
+libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b
+
+libaio_target := \
+ DESTDIR="$(INSTALL)" \
+ prefix="/" \
+ $(CROSS_TOOLS) \
+ install \
+ && mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \
+
+libaio_libraries:= src/libaio.so.1
+
+libaio_depends := $(musl_dep)
+
diff --git a/modules/lvm2 b/modules/lvm2
index e51292d6d..6df76284e 100644
--- a/modules/lvm2
+++ b/modules/lvm2
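Review bot: `libaio_url` fetches the tarball from Debian's package pool, where a source archive is normally kept only while a suite still references that version, so the download can disappear and break builds from a clean tree even though `libaio_hash` pins the content. A versioned upstream release archive or a snapshot mirror would be a more durable source, with the hash re-checked if the archive differs. The last line of `libaio_target` also ends in a `\` continuation followed by an empty line; ending it at `… src/libaio.so.1` without the backslash keeps the recipe from absorbing a line added directly below it later.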
@@ -1,37 +1,39 @@ modules-$(CONFIG_LVM2) += lvm2 -lvm2_version := 2.02.168 +lvm2_version := 2.03.23 lvm2_dir := lvm2.$(lvm2_version) lvm2_tar := LVM2.$(lvm2_version).tgz lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar) -lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d +lvm2_hash := 74e794a9e9dee1bcf8a2065f65b9196c44fdf321e22d63b98ed7de8c9aa17a5d # cross compiling test assumes malloc/realloc aren't glibc compat # so we force it via the configure cache. lvm2_configure := \ $(CROSS_TOOLS) \ - CFLAGS="-Os" \ - PKG_CONFIG=/bin/false \ - MODPROBE_CMD=/bin/false \ ac_cv_func_malloc_0_nonnull=yes \ ac_cv_func_realloc_0_nonnull=yes \ ./configure \ --host $(MUSL_ARCH)-elf-linux \ - --prefix "/" \ - --disable-blkid_wiping \ - --disable-cache_check_needs_check \ - --disable-cmirrord \ + --prefix "" \ + --libexecdir "/bin" \ + --with-optimisation=-Os \ + --enable-devmapper \ + --disable-selinux \ + --without-systemd \ + --disable-lvmimportvdo \ + --disable-realtime \ + --disable-dmfilemapd \ --disable-dmeventd \ - --disable-lvmetad \ --disable-lvmpolld \ - --disable-realtime \ - --disable-selinux \ - --disable-thin_check_needs_check \ - --disable-udev-systemd-background-jobs \ - --disable-use-lvmetad \ + --disable-readline \ + --disable-udev_sync \ + --enable-static_link \ --disable-use-lvmlockd \ --disable-use-lvmpolld \ - --enable-devmapper \ + --disable-dmfilemapd \ + --disable-cmirrord \ + --disable-cache_check_needs_check \ + --disable-thin_check_needs_check \ --with-cluster=none \ --with-thin-check= \ @@ -49,10 +51,10 @@ lvm2_target := \ DESTDIR="$(INSTALL)" \ install_device-mapper \ -lvm2_libraries := libdm/libdevmapper.so.1.02 +lvm2_libraries := libdm/ioctl/libdevmapper.so.1.02 lvm2_output := \ - tools/dmsetup \ + ./libdm/dm-tools/dmsetup \ tools/lvm \ -lvm2_depends := util-linux $(musl_dep) +lvm2_depends := util-linux libaio $(musl_dep) diff --git a/modules/util-linux b/modules/util-linux index 9ab8dae55..bb359d74d 100644 
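Review bot: The new `lvm2_configure` no longer sets `PKG_CONFIG=/bin/false` and `MODPROBE_CMD=/bin/false`, so configure can consult the build host's pkg-config and record the host's modprobe path, which may leak host state into a cross-compiled build that is meant to be reproducible. If 2.03.23 needs them gone, a one-line comment saying why would help; otherwise I would keep both assignments ahead of `./configure`. `--disable-dmfilemapd` is also passed twice in the new flag list, and one copy can be dropped.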
--- a/modules/util-linux +++ b/modules/util-linux @@ -1,10 +1,10 @@ modules-$(CONFIG_UTIL_LINUX) += util-linux -util-linux_version := 2.29.2 +util-linux_version := 2.39 util-linux_dir := util-linux-$(util-linux_version) util-linux_tar := util-linux-$(util-linux_version).tar.xz -util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.29/$(util-linux_tar) -util-linux_hash := accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe8e3 +util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar) +util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb util-linux_configure := \ $(CROSS_TOOLS) \ diff --git a/patches/cryptsetup2-2.3.3.patch b/patches/cryptsetup2-2.6.1.patch similarity index 72% rename from patches/cryptsetup2-2.3.3.patch rename to patches/cryptsetup2-2.6.1.patch index 8a673ef86..036aa007a 100644 --- a/patches/cryptsetup2-2.3.3.patch +++ b/patches/cryptsetup2-2.6.1.patch @@ -1,7 +1,7 @@ -diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ---- cryptsetup-2.3.3-clean/configure 2020-06-10 14:05:45.784925972 +0200 -+++ cryptsetup-2.3.3/configure 2020-06-10 14:12:03.811651237 +0200 -@@ -10206,7 +10206,7 @@ +diff -u -r cryptsetup-2.4.3-clean/configure cryptsetup-2.4.3/configure +--- cryptsetup-2.4.3-clean/configure 2022-01-13 17:24:34.000000000 +0800 ++++ cryptsetup-2.4.3/configure 2022-01-16 14:08:37.088258763 +0800 +@@ -11056,7 +11056,7 @@ hardcode_automatic=no hardcode_direct=no hardcode_direct_absolute=no @@ -10,7 +10,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator= hardcode_minus_L=no hardcode_shlibpath_var=unsupported -@@ -10290,7 +10290,7 @@ +@@ -11140,7 +11140,7 @@ # are reset later if shared libraries are not supported. Putting them # here allows them to be overridden if necessary. runpath_var=LD_RUN_PATH 
@@ -19,7 +19,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec='$wl--export-dynamic' # ancient GNU ld didn't support --whole-archive et. al. if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then -@@ -10336,7 +10336,7 @@ +@@ -11186,7 +11186,7 @@ ;; m68k) archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' @@ -28,7 +28,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes ;; esac -@@ -10356,7 +10356,7 @@ +@@ -11206,7 +11206,7 @@ cygwin* | mingw* | pw32* | cegcc*) # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, # as there is no search path for DLLs. @@ -37,7 +37,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec='$wl--export-all-symbols' allow_undefined_flag=unsupported always_export_symbols=no -@@ -10386,7 +10386,7 @@ +@@ -11236,7 +11236,7 @@ ;; os2*) @@ -46,7 +46,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes allow_undefined_flag=unsupported shrext_cmds=.dll -@@ -10416,7 +10416,7 @@ +@@ -11266,7 +11266,7 @@ interix[3-9]*) hardcode_direct=no hardcode_shlibpath_var=no 
@@ -55,7 +55,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec='$wl-E' # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. # Instead, shared libraries are loaded at an image base (0x10000000 by -@@ -10492,7 +10492,7 @@ +@@ -11342,7 +11342,7 @@ xlf* | bgf* | bgxlf* | mpixlf*) # IBM XL Fortran 10.1 on PPC cannot create shared libs itself whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' @@ -64,7 +64,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' if test yes = "$supports_anon_versioning"; then archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ -@@ -10559,7 +10559,7 @@ +@@ -11409,7 +11409,7 @@ # DT_RUNPATH tag from executables and libraries. But doing so # requires that you compile everything twice, which is a pain. if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then @@ -73,7 +73,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' else -@@ -10588,7 +10588,7 @@ +@@ -11438,7 +11438,7 @@ if test no = "$ld_shlibs"; then runpath_var= @@ -82,7 +82,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure export_dynamic_flag_spec= whole_archive_flag_spec= fi -@@ -10706,7 +10706,7 @@ +@@ -11556,7 +11556,7 @@ # path is not listed in the libpath. Setting hardcode_minus_L # to unsupported forces relinking hardcode_minus_L=yes @@ -91,7 +91,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator= fi ;; -@@ -10790,11 +10790,11 @@ +@@ -11642,11 +11642,11 @@ aix_libpath=$lt_cv_aix_libpath_ fi 
@@ -105,7 +105,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure allow_undefined_flag="-z nodefs" archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols" else -@@ -10843,7 +10843,7 @@ +@@ -11697,7 +11697,7 @@ aix_libpath=$lt_cv_aix_libpath_ fi @@ -114,7 +114,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Warning - without using the other run time loading flags, # -berok will link without error, but may produce a broken library. no_undefined_flag=' $wl-bernotok' -@@ -10883,7 +10883,7 @@ +@@ -11737,7 +11737,7 @@ ;; m68k) archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' @@ -123,25 +123,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes ;; esac -@@ -10901,7 +10901,7 @@ - case $cc_basename in - cl*) - # Native MSVC -- hardcode_libdir_flag_spec=' ' -+ hardcode_libdir_flag_spec=" " - allow_undefined_flag=unsupported - always_export_symbols=yes - file_list_spec='@' -@@ -10942,7 +10942,7 @@ - ;; - *) - # Assume MSVC wrapper -- hardcode_libdir_flag_spec=' ' -+ hardcode_libdir_flag_spec=" " - allow_undefined_flag=unsupported - # Tell ltmain to make .lib files, not .a files. - libext=lib -@@ -10993,7 +10993,7 @@ +@@ -11847,7 +11847,7 @@ dgux*) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' 
@@ -150,7 +132,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_shlibpath_var=no ;; -@@ -11003,7 +11003,7 @@ +@@ -11857,7 +11857,7 @@ # extra space). freebsd2.2*) archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' @@ -159,16 +141,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_direct=yes hardcode_shlibpath_var=no ;; -@@ -11019,7 +11019,7 @@ - # FreeBSD 3 and greater uses gcc -shared to do shared libraries. - freebsd* | dragonfly*) - archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' -- hardcode_libdir_flag_spec='-R$libdir' -+ hardcode_libdir_flag_spec=" " - hardcode_direct=yes - hardcode_shlibpath_var=no - ;; -@@ -11030,7 +11030,7 @@ +@@ -11884,7 +11884,7 @@ else archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' fi @@ -177,7 +150,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: hardcode_direct=yes -@@ -11047,7 +11047,7 @@ +@@ -11901,7 +11901,7 @@ archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' fi if test no = "$with_gnu_ld"; then @@ -186,7 +159,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: hardcode_direct=yes hardcode_direct_absolute=yes -@@ -11124,7 +11124,7 @@ +@@ -11979,7 +11979,7 @@ esac fi if test no = "$with_gnu_ld"; then 
@@ -195,7 +168,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: case $host_cpu in -@@ -11183,7 +11183,7 @@ +@@ -12040,7 +12040,7 @@ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' fi archive_cmds_need_lc='no' @@ -204,7 +177,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: inherit_rpath=yes link_all_deplibs=yes -@@ -11205,7 +11205,7 @@ +@@ -12062,7 +12062,7 @@ else archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF fi @@ -213,7 +186,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_direct=yes hardcode_shlibpath_var=no ;; -@@ -11213,7 +11213,7 @@ +@@ -12070,7 +12070,7 @@ newsos6) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' hardcode_direct=yes @@ -222,7 +195,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: hardcode_shlibpath_var=no ;; -@@ -11229,11 +11229,11 @@ +@@ -12086,11 +12086,11 @@ if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols' @@ -236,7 +209,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure fi else ld_shlibs=no -@@ -11241,7 +11241,7 @@ +@@ -12098,7 +12098,7 @@ ;; os2*) 
@@ -245,7 +218,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_minus_L=yes allow_undefined_flag=unsupported shrext_cmds=.dll -@@ -11277,7 +11277,7 @@ +@@ -12134,7 +12134,7 @@ archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' fi archive_cmds_need_lc='no' @@ -254,7 +227,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=: ;; -@@ -11285,7 +11285,7 @@ +@@ -12142,7 +12142,7 @@ if test yes = "$GCC"; then allow_undefined_flag=' $wl-expect_unresolved $wl\*' archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' @@ -263,7 +236,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure else allow_undefined_flag=' -expect_unresolved \*' archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' -@@ -11293,7 +11293,7 @@ +@@ -12150,7 +12150,7 @@ $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp' # Both c and cxx compiler support -rpath directly @@ -272,7 +245,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure fi archive_cmds_need_lc='no' hardcode_libdir_separator=: -@@ -11322,7 +11322,7 @@ +@@ -12179,7 +12179,7 @@ ;; esac fi 
@@ -281,7 +254,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_shlibpath_var=no case $host_os in solaris2.[0-5] | solaris2.[0-5].*) ;; -@@ -11349,7 +11349,7 @@ +@@ -12206,7 +12206,7 @@ else archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' fi @@ -290,7 +263,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_direct=yes hardcode_minus_L=yes hardcode_shlibpath_var=no -@@ -11419,7 +11419,7 @@ +@@ -12276,7 +12276,7 @@ allow_undefined_flag='$wl-z,nodefs' archive_cmds_need_lc=no hardcode_shlibpath_var=no @@ -299,7 +272,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator=':' link_all_deplibs=yes export_dynamic_flag_spec='$wl-Bexport' -@@ -11436,7 +11436,7 @@ +@@ -12293,7 +12293,7 @@ uts4*) archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' @@ -308,7 +281,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_shlibpath_var=no ;; -@@ -11804,7 +11804,7 @@ +@@ -12662,7 +12662,7 @@ version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -317,7 +290,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure if test ia64 = "$host_cpu"; then # AIX 5 supports IA64 library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' -@@ -12094,16 +12094,16 @@ +@@ -12952,16 +12952,16 @@ ;; freebsd3.[01]* | freebsdelf3.[01]*) shlibpath_overrides_runpath=yes @@ -337,7 +310,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; esac ;; -@@ -12118,7 +12118,7 @@ +@@ -12976,7 +12976,7 @@ shlibpath_var=LIBRARY_PATH shlibpath_overrides_runpath=no sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' 
@@ -346,7 +319,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; hpux9* | hpux10* | hpux11*) -@@ -12130,7 +12130,7 @@ +@@ -12988,7 +12988,7 @@ case $host_cpu in ia64*) shrext_cmds='.so' @@ -355,7 +328,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker="$host_os dld.so" shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -12146,7 +12146,7 @@ +@@ -13004,7 +13004,7 @@ ;; hppa*64*) shrext_cmds='.sl' @@ -364,7 +337,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker="$host_os dld.sl" shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -12179,7 +12179,7 @@ +@@ -13037,7 +13037,7 @@ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -373,7 +346,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; irix5* | irix6* | nonstopux*) -@@ -12216,7 +12216,7 @@ +@@ -13074,7 +13074,7 @@ shlibpath_overrides_runpath=no sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" @@ -382,7 +355,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; # No shared lib support for Linux oldld, aout, or coff. -@@ -12237,11 +12237,11 @@ +@@ -13095,11 +13095,11 @@ # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. @@ -396,7 +369,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; # This must be glibc/ELF. -@@ -12292,7 +12292,7 @@ +@@ -13153,7 +13153,7 @@ # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. 
@@ -405,7 +378,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Ideally, we could use ldconfig to report *all* directores which are # searched for libraries, however this is still not possible. Aside from not -@@ -12322,7 +12322,7 @@ +@@ -13183,7 +13183,7 @@ soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -414,7 +387,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker='NetBSD ld.elf_so' ;; -@@ -12341,7 +12341,7 @@ +@@ -13202,7 +13202,7 @@ fi shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -423,7 +396,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; newsos6) -@@ -12359,7 +12359,7 @@ +@@ -13220,7 +13220,7 @@ soname_spec='$libname$release$shared_ext$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -432,7 +405,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure dynamic_linker='ldqnx.so' ;; -@@ -12431,7 +12431,7 @@ +@@ -13292,7 +13292,7 @@ soname_spec='$libname$release$shared_ext$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -441,7 +414,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # ldd complains unless libraries are executable postinstall_cmds='chmod +x $lib' ;; -@@ -12488,7 +12488,7 @@ +@@ -13349,7 +13349,7 @@ soname_spec='$libname$release$shared_ext$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -450,7 +423,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure if test yes = "$with_gnu_ld"; then sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' else -@@ -12510,7 +12510,7 @@ +@@ -13371,7 +13371,7 @@ library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no 
@@ -459,7 +432,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure ;; uts4*) -@@ -13610,7 +13610,7 @@ +@@ -14490,7 +14490,7 @@ acl_shlibext="$acl_cv_shlibext" acl_libname_spec="$acl_cv_libname_spec" acl_library_names_spec="$acl_cv_library_names_spec" @@ -468,7 +441,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure acl_hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator" acl_hardcode_direct="$acl_cv_hardcode_direct" acl_hardcode_minus_L="$acl_cv_hardcode_minus_L" -@@ -21296,7 +21296,7 @@ +@@ -22538,7 +22538,7 @@ with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' @@ -477,7 +450,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' -@@ -21327,7 +21327,7 @@ +@@ -22569,7 +22569,7 @@ postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' 
@@ -486,7 +459,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`' configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`' -@@ -22485,7 +22485,7 @@ +@@ -23727,7 +23727,7 @@ finish_eval=$lt_finish_eval # Whether we should hardcode library paths into libraries. @@ -495,7 +468,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Compile-time system search path for libraries. sys_lib_search_path_spec=$lt_sys_lib_search_path_spec -@@ -22582,7 +22582,7 @@ +@@ -23824,7 +23824,7 @@ # Flag to hardcode \$libdir into a binary during linking. # This must work even if \$libdir does not exist @@ -504,10 +477,10 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure # Whether we need a single "-rpath" flag with a separated argument. hardcode_libdir_separator=$lt_hardcode_libdir_separator -diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in ---- cryptsetup-2.3.3-clean/Makefile.in 2020-06-10 14:05:45.781594282 +0200 -+++ cryptsetup-2.3.3/Makefile.in 2020-06-10 14:30:09.512375745 +0200 -@@ -1032,6 +1032,8 @@ +diff -u -r cryptsetup-2.4.3-clean/Makefile.in cryptsetup-2.4.3/Makefile.in +--- cryptsetup-2.4.3-clean/Makefile.in 2022-01-13 17:24:33.000000000 +0800 ++++ cryptsetup-2.4.3/Makefile.in 2022-01-16 14:08:37.096258854 +0800 +@@ -1115,6 +1115,8 @@ @CRYPTSETUP_TRUE@cryptsetup_LDADD = $(LDADD) \ @CRYPTSETUP_TRUE@ libcryptsetup.la \ @CRYPTSETUP_TRUE@ @POPT_LIBS@ \ 
@@ -516,31 +489,218 @@ diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in @CRYPTSETUP_TRUE@ @PWQUALITY_LIBS@ \ @CRYPTSETUP_TRUE@ @PASSWDQC_LIBS@ \ @CRYPTSETUP_TRUE@ @UUID_LIBS@ \ -@@ -1060,6 +1062,9 @@ +@@ -1147,6 +1149,9 @@ @VERITYSETUP_TRUE@veritysetup_LDADD = $(LDADD) \ @VERITYSETUP_TRUE@ libcryptsetup.la \ @VERITYSETUP_TRUE@ @POPT_LIBS@ \ -+@VERITYSETUP_TRUE@ @UUID_LIBS@ \ -+@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ -+@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \ - @VERITYSETUP_TRUE@ @PWQUALITY_LIBS@ \ - @VERITYSETUP_TRUE@ @PASSWDQC_LIBS@ \ ++@VERITYSETUP_TRUE@ @UUID_LIBS@ \ ++@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ ++@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \ @VERITYSETUP_TRUE@ @BLKID_LIBS@ -@@ -1093,6 +1093,8 @@ + + @STATIC_TOOLS_TRUE@@VERITYSETUP_TRUE@veritysetup_static_SOURCES = $(veritysetup_SOURCES) +@@ -1177,6 +1182,8 @@ @INTEGRITYSETUP_TRUE@ libcryptsetup.la \ @INTEGRITYSETUP_TRUE@ @POPT_LIBS@ \ @INTEGRITYSETUP_TRUE@ @UUID_LIBS@ \ +@INTEGRITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ +@INTEGRITYSETUP_TRUE@ @JSON_C_LIBS@ \ @INTEGRITYSETUP_TRUE@ @BLKID_LIBS@ - + @INTEGRITYSETUP_TRUE@@STATIC_TOOLS_TRUE@integritysetup_static_SOURCES = $(integritysetup_SOURCES) -@@ -1122,6 +1122,8 @@ - @REENCRYPT_TRUE@ @POPT_LIBS@ \ - @REENCRYPT_TRUE@ @PWQUALITY_LIBS@ \ - @REENCRYPT_TRUE@ @PASSWDQC_LIBS@ \ -+@REENCRYPT_TRUE@ @DEVMAPPER_LIBS@ \ -+@REENCRYPT_TRUE@ @JSON_C_LIBS@ \ - @REENCRYPT_TRUE@ @UUID_LIBS@ \ - @REENCRYPT_TRUE@ @BLKID_LIBS@ +--- ./configure.orig 2023-11-26 14:22:30.912000000 -0500 ++++ ./configure 2023-11-26 14:26:21.714000000 -0500 +@@ -12336,7 +12336,7 @@ + + case $cc_basename in + tcc*) +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='-rdynamic' + ;; + xlf* | bgf* | bgxlf* | mpixlf*) +@@ -12755,7 +12755,7 @@ + case $cc_basename in + cl* | icl*) + # Native MSVC or ICC +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + always_export_symbols=yes + 
file_list_spec='@' +@@ -12796,7 +12796,7 @@ + ;; + *) + # Assume MSVC and ICC wrapper +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib +@@ -12873,7 +12873,7 @@ + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. + freebsd* | dragonfly* | midnightbsd*) + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -13052,7 +13052,7 @@ + # Fabrice Bellard et al's Tiny C Compiler + ld_shlibs=yes + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + ;; + esac + ;; +--- ./configure.mod 2023-11-26 14:46:49.779000000 -0500 ++++ ./configure 2023-11-26 14:47:56.962000000 -0500 +@@ -17670,7 +17670,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -17958,16 +17958,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -17982,7 +17982,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib 
/boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -17994,7 +17994,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -18010,7 +18010,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -18043,7 +18043,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -18080,7 +18080,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -18101,7 +18101,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -18159,7 +18159,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. 
Aside from not +@@ -18189,7 +18189,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -18208,7 +18208,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -18226,7 +18226,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -18298,7 +18298,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -18355,7 +18355,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -18377,7 +18377,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) diff --git a/patches/lvm2-2.03.23.patch b/patches/lvm2-2.03.23.patch new file mode 100644 index 000000000..587e1bb69 --- /dev/null +++ b/patches/lvm2-2.03.23.patch 
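Review bot: The `./configure.orig` and `./configure.mod` sections added to this patch carry no explanation of why libtool's run-path settings are blanked in the generated `configure` (`hardcode_libdir_flag_spec=" "`, then `hardcode_into_libs=no` in every platform branch). The new `patches/util-linux-2.39.patch` further down has the same gap. A short header before the first `---` line of each patch would cover it, for example `Disable libtool rpath embedding so the binaries carry no build-tree library search path` (presumed intent; confirm). In the `cl* | icl*` and "Assume MSVC and ICC wrapper" branches, the change from `' '` to `" "` has no effect and can be dropped, which keeps the patch smaller when it is next rebased onto a new `configure`.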
@@ -0,0 +1,150 @@ +--- ./lib/mm/memlock.c.orig 2023-11-27 13:52:46.281000000 -0500 ++++ ./lib/mm/memlock.c 2023-11-27 13:56:35.656000000 -0500 +@@ -160,6 +160,7 @@ + + static void _allocate_memory(void) + { ++#if 0 + #if defined(__GLIBC__) && !defined(VALGRIND_POOL) + /* Memory allocation is currently only tested with glibc + * for different C libraries, some other mechanisms might be needed +@@ -233,11 +234,14 @@ + for (i = 0; i < area; ++i) + free(areas[i]); + #endif ++#endif + } + + static void _release_memory(void) + { ++#if 0 + free(_malloc_mem); ++#endif + } + + /* +@@ -313,7 +317,7 @@ + + if (lock == LVM_MLOCK) { + if (mlock((const void*)from, sz) < 0) { +- log_sys_error("mlock", line); ++ //log_sys_error("mlock", line); + return 0; + } + } else { +--- ./libdm/libdm-stats.c.orig 2023-11-27 13:59:40.677000000 -0500 ++++ ./libdm/libdm-stats.c 2023-11-27 14:07:28.655000000 -0500 +@@ -18,7 +18,23 @@ + #include "libdm/misc/dmlib.h" + #include "libdm/misc/kdev_t.h" + ++#if 0 + #include "math.h" /* log10() */ ++#else ++static int ilog10(double x) ++{ ++ int e = 0; ++ ++ while(x > 10) ++ { ++ e++; ++ x = x / 10; ++ } ++ ++ return e; ++} ++#endif ++ + + #include + #include +@@ -556,7 +572,12 @@ + while(entry >= bins) { + value = (double) (entry--)->upper; + /* Use lround to avoid size_t -> double cast warning. */ ++#if 0 + hist_len += 1 + (size_t) lround(log10(value / scale)); ++#else ++ hist_len += 1 + ilog10(value / scale); ++#endif ++ + if (entry != bins) + hist_len++; /* ',' */ + } +@@ -1863,7 +1884,12 @@ + i = dm_bit_get_first(regions); + for (; i >= 0; i = dm_bit_get_next(regions, i)) { + /* length of region_id or range start in characters */ ++#if 0 + id_len = (i) ? 1 + (size_t) log10(i) : 1; ++#else ++ id_len = (i) ? 
1 + ilog10(i) : 1; ++#endif ++ + buflen += id_len; + j = i; + do +@@ -1878,7 +1904,11 @@ + /* handle range */ + if (i != j) { + /* j is always > i, which is always >= 0 */ ++#if 0 + id_len = 1 + (size_t) log10(j); ++#else ++ id_len = 1 + ilog10(j); ++#endif + buflen += id_len + 1; /* range end plus "-" */ + } + buflen++; + +--- ./tools/lvmcmdline.c.orig 2023-11-27 14:12:46.649000000 -0500 ++++ ./tools/lvmcmdline.c 2023-11-27 14:15:47.563000000 -0500 +@@ -3438,7 +3438,7 @@ + static int _check_standard_fds(void) + { + int err = is_valid_fd(STDERR_FILENO); +- ++#if 0 + if (!is_valid_fd(STDIN_FILENO) && + !(stdin = fopen(_PATH_DEVNULL, "r"))) { + if (err) +@@ -3463,7 +3463,7 @@ + strerror(errno)); + return 0; + } +- ++#endif + return 1; + } + +@@ -3644,7 +3644,7 @@ + */ + dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE); + +- if (!(cmd = create_toolcontext(0, NULL, 1, threaded, set_connections, set_filters))) { ++ if (!(cmd = create_toolcontext(0, NULL, 0, threaded, set_connections, set_filters))) { + return_NULL; + } + +--- ./make.tmpl.orig 2023-11-28 13:29:11.744000000 -0500 ++++ ./make.tmpl.in 2023-11-28 13:29:36.716000000 -0500 +@@ -210,7 +210,7 @@ + M_INSTALL_PROGRAM = -m 555 + M_INSTALL_DATA = -m 444 + endif +-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP) ++INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) + INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA) + INSTALL_WDATA = $(INSTALL) -p -m 644 + +--- ./libdm/make.tmpl.orig 2023-11-28 13:29:52.760000000 -0500 ++++ ./libdm/make.tmpl.in 2023-11-28 13:30:22.336000000 -0500 +@@ -173,7 +173,7 @@ + M_INSTALL_PROGRAM = -m 555 + M_INSTALL_DATA = -m 444 + endif +-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP) ++INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) + INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA) + INSTALL_WDATA = $(INSTALL) -p -m 644 + diff --git a/patches/util-linux-2.29.2.patch b/patches/util-linux-2.29.2.patch deleted file mode 100644 index 5a54b26ff..000000000 
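Review bot: `ilog10()` added to libdm-stats.c loops on `while(x > 10)`, so at exact powers of ten it returns one less than the `log10()` it replaces (0 for 10, 1 for 100). `id_len = 1 + ilog10(i)` then counts region id 10 as one character and `buflen` comes out a byte short, and `hist_len` has the same gap when `value / scale` is a power of ten; how the code that fills those buffers handles a short length is outside the hunk. The condition should be `while (x >= 10)`. The `#if 0` around the descriptor checks in `_check_standard_fds()` and the commented-out `log_sys_error("mlock", line)` also deserve a one-line comment each saying why they can be dropped here, since a closed stdin/stdout/stderr is no longer detected and a failed `mlock()` is no longer logged.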
--- a/patches/util-linux-2.29.2.patch
+++ /dev/null
@@ -1,139 +0,0 @@ ---- ./configure 2017-02-22 07:07:46.595740152 -0500 -+++ ./configure 2023-02-27 13:34:27.068000000 -0500 -@@ -13408,7 +13408,7 @@ - version_type=linux # correct to gnu/linux during the next big refactor - need_lib_prefix=no - need_version=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - if test ia64 = "$host_cpu"; then - # AIX 5 supports IA64 - library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' -@@ -13698,16 +13698,16 @@ - ;; - freebsd3.[01]* | freebsdelf3.[01]*) - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ - freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - *) # from 4.6 on, and DragonFly - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - esac - ;; -@@ -13722,7 +13722,7 @@ - shlibpath_var=LIBRARY_PATH - shlibpath_overrides_runpath=no - sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - hpux9* | hpux10* | hpux11*) -@@ -13734,7 +13734,7 @@ - case $host_cpu in - ia64*) - shrext_cmds='.so' -- hardcode_into_libs=yes -+ hardcode_into_libs=no - dynamic_linker="$host_os dld.so" - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -13750,7 +13750,7 @@ - ;; - hppa*64*) - shrext_cmds='.sl' -- hardcode_into_libs=yes -+ hardcode_into_libs=no - dynamic_linker="$host_os dld.sl" - shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH - shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
-@@ -13783,7 +13783,7 @@ - dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - irix5* | irix6* | nonstopux*) -@@ -13820,7 +13820,7 @@ - shlibpath_overrides_runpath=no - sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" - sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - # No shared lib support for Linux oldld, aout, or coff. -@@ -13841,7 +13841,7 @@ - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. -- hardcode_into_libs=yes -+ hardcode_into_libs=no - - dynamic_linker='Android linker' - # Don't embed -rpath directories since the linker doesn't support them. -@@ -13896,7 +13896,7 @@ - # This implies no fast_install, which is unacceptable. - # Some rework will be needed to allow for fast_install - # before this can be enabled. -- hardcode_into_libs=yes -+ hardcode_into_libs=no - - # Add ABI-specific directories to the system library path. 
- sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -@@ -13936,7 +13936,7 @@ - fi - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - newsos6) -@@ -13954,7 +13954,7 @@ - soname_spec='$libname$release$shared_ext$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - dynamic_linker='ldqnx.so' - ;; - -@@ -14026,7 +14026,7 @@ - soname_spec='$libname$release$shared_ext$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - # ldd complains unless libraries are executable - postinstall_cmds='chmod +x $lib' - ;; -@@ -14083,7 +14083,7 @@ - soname_spec='$libname$release$shared_ext$major' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=yes -- hardcode_into_libs=yes -+ hardcode_into_libs=no - if test yes = "$with_gnu_ld"; then - sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' - else -@@ -14105,7 +14105,7 @@ - library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' - shlibpath_var=LD_LIBRARY_PATH - shlibpath_overrides_runpath=no -- hardcode_into_libs=yes -+ hardcode_into_libs=no - ;; - - uts4*) diff --git a/patches/util-linux-2.39.patch b/patches/util-linux-2.39.patch new file mode 100644 index 000000000..e39fcfc58 --- /dev/null +++ b/patches/util-linux-2.39.patch 
@@ -0,0 +1,276 @@ +--- ./configure.orig 2023-05-17 06:53:16.721284360 -0400 ++++ ./configure 2023-11-28 13:57:50.012000000 -0500 +@@ -16580,7 +16580,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -16870,16 +16870,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -16894,7 +16894,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -16906,7 +16906,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -16922,7 +16922,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
+@@ -16955,7 +16955,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -16992,7 +16992,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -17013,7 +17013,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -17071,7 +17071,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Add ABI-specific directories to the system library path. 
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" +@@ -17111,7 +17111,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -17129,7 +17129,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -17201,7 +17201,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -17258,7 +17258,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -17280,7 +17280,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -20574,7 +20574,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -20862,16 +20862,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- 
hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -20886,7 +20886,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -20898,7 +20898,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -20914,7 +20914,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -20947,7 +20947,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -20984,7 +20984,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -21005,7 +21005,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -21063,7 +21063,7 @@ + # This implies no fast_install, which is unacceptable. 
+ # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Add ABI-specific directories to the system library path. + sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" +@@ -21103,7 +21103,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -21121,7 +21121,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -21193,7 +21193,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -21250,7 +21250,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -21272,7 +21272,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) diff --git a/boards/x230-hotp-legacy/x230-hotp-legacy.config b/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config similarity index 100% rename from boards/x230-hotp-legacy/x230-hotp-legacy.config rename to unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config 
diff --git a/boards/x230-legacy-flash/x230-legacy-flash.config b/unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config
similarity index 100%
rename from boards/x230-legacy-flash/x230-legacy-flash.config
rename to unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config
diff --git a/boards/x230-legacy/x230-legacy.config b/unmaintained_boards/x230-legacy/x230-legacy.config
similarity index 100%
rename from boards/x230-legacy/x230-legacy.config
rename to unmaintained_boards/x230-legacy/x230-legacy.config