meta-virtualization.lists.yoctoproject.org archive mirror
* [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-2021-3979
@ 2022-08-10 17:39 Joe Slater
  2022-08-10 18:03 ` [meta-virtualization] " Bruce Ashfield
  0 siblings, 1 reply; 5+ messages in thread
From: Joe Slater @ 2022-08-10 17:39 UTC (permalink / raw)
  To: meta-virtualization; +Cc: joe.slater, randy.macleod

Ceph-volume does not properly control key sizes.

Cherry-pick from github.com/ceph/ceph.git.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
 .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@redhat.com>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -s option.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+ 
++class TestGetKeySize(object):
++    def test_get_size_from_conf_default(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
++
++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=256
++        ''')
++        assert encryption.get_key_size_from_conf() == '256'
++
++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=1024
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
+ 
+ class TestStatus(object):
+ 
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+ 
+ class TestDmcryptKey(object):
+ 
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
++    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
++        assert len(base64.b64decode(result)) == 128
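Review bot: the removed `test_dmcrypt_with_custom_size` configured `osd_dmcrypt_size=8` rather than `osd_dmcrypt_key_size`, so it never reached the custom-size path and its `len(result) == 172` check only ever saw the default; dropping it is right, but the new tests still do not show the configured value reaching cryptsetup, which is the defect being fixed. Consider a test that stubs the command runner and asserts that the argument list built by `luks_format` and `luks_open` contains `'--key-size', '256'` when the stub config sets `osd_dmcrypt_key_size=256`. The new `test_dmcrypt` asserting 128 raw bytes after base64 decoding is fine on its own: the key-file length no longer tracks `--key-size`, which for `luksFormat` selects the volume key size rather than the length of the passphrase material read from stdin.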
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
+ 
+ logger = logging.getLogger(__name__)
+ 
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
++    Return the osd dmcrypt key size from config file.
++    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
++    default_key_size = '512'
++    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
++        default='512')
++
++    if key_size not in ['256', '512']:
++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++                        "Falling back to {}bits".format(key_size, default_key_size)))
++        return default_key_size
++
++    return key_size
++
++def create_dmcrypt_key():
++    """
++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
++    """
++    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+ 
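Review bot: `get_key_size_from_conf()` downgrades silently on a bad value: anything other than `256` or `512` in `osd_dmcrypt_key_size` becomes `512` with only a warning, so a typo in ceph.conf changes the volume key size of every OSD formatted afterwards without the deployment noticing. Raising instead would break hosts that still carry the old default of 1024 (which, per the commit message, cryptsetup rejects for XTS anyway), so keeping the fallback is defensible, but it should log at error level rather than warning. Two smaller points in the same hunk: `get_safe(..., default='512')` repeats the literal that `default_key_size` already holds, so pass `default=default_key_size`; and the message `"Falling back to {}bits"` is missing a space before `bits`.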
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM) requests for device
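Review bot: `luks_open` re-reads `osd_dmcrypt_key_size` at activation time, independently of the value `luks_format` used when the device was created, and for a LUKS device the volume key size is already fixed in the on-disk header. If the option is edited between provisioning and activation (or the invalid-value fallback in `get_key_size_from_conf()` applies on only one side), the two calls disagree. Worth confirming against the cryptsetup version in kirkstone whether `open` ignores or rejects a `--key-size` that does not match the header; if it rejects, `luks_format` is the only call that needs the option, and passing it here turns a config edit into an OSD that cannot be activated.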
+-- 
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
index 17dbcf35..b13ebb70 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://ceph.conf \
            file://0001-cmake-add-support-for-python3.10.patch \
            file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2021-3979.patch \
 "
 
 SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
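Review bot: the hunk headers carried inside CVE-2021-3979.patch (`@@ -37,17 +63,6 @@`, `@@ -9,21 +9,29 @@`) and its blob ids (`e1420b440d3..c86dc50b7c7`, `72a0ccf121e..2a2c03337b6`) belong to the upstream tree the commit was made against, not to the ceph-15.2.15 tarball this recipe builds, so the commit message should state whether do_patch applies it cleanly or with offset/fuzz and whether `ceph_volume`'s test suite was run on the result. The `Upstream-Status: Backport` line should also carry the upstream reference on the same line in the form the OpenEmbedded patch guidelines use, e.g. `Upstream-Status: Backport [https://github.com/ceph/ceph/commit/47c33179f9a15ae95cc1579a421be89378602656]`, rather than spread over the two free-text lines that follow it.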
-- 
2.35.1




* Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-2021-3979
  2022-08-10 17:39 [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-2021-3979 Joe Slater
@ 2022-08-10 18:03 ` Bruce Ashfield
  2022-08-10 18:26   ` Slater, Joseph
  0 siblings, 1 reply; 5+ messages in thread
From: Bruce Ashfield @ 2022-08-10 18:03 UTC (permalink / raw)
  To: Joe Slater; +Cc: meta-virtualization, randy.macleod

What about master? Does it have the same issue?

Bruce

On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@windriver.com> wrote:
>
> Ceph-volume does not properly control key sizes.
>
> Cherry-pick from github.com/ceph/ceph.git.
>
> Signed-off-by: Joe Slater <joe.slater@windriver.com>
> ---
>  .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
>  recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
>  2 files changed, 159 insertions(+)
>  create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch
>
> diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> new file mode 100644
> index 00000000..081b32ba
> --- /dev/null
> +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> @@ -0,0 +1,158 @@
> +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
> +From: Guillaume Abrioux <gabrioux@redhat.com>
> +Date: Tue, 25 Jan 2022 10:25:53 +0100
> +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
> +
> +ceph-volume doesn't honour osd_dmcrypt_key_size.
> +It means the default size is always applied.
> +
> +It also changes the default value in `get_key_size_from_conf()`
> +
> +From cryptsetup manpage:
> +
> +> For XTS mode you can optionally set a key size of 512 bits with the -s option.
> +
> +Using more than 512bits will end up with the following error message:
> +
> +```
> +Key size in XTS mode must be 256 or 512 bits.
> +```
> +
> +Fixes: https://tracker.ceph.com/issues/54006
> +
> +Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
> +
> +Upstream-Status: Backport
> + github.com/ceph/ceph.git
> + equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
> +
> +CVE: CVE-2021-3979
> +
> +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> +---
> + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
> + .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
> + 2 files changed, 51 insertions(+), 24 deletions(-)
> +
> +diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> +index e1420b440d3..c86dc50b7c7 100644
> +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> +@@ -1,5 +1,31 @@
> + from ceph_volume.util import encryption
> ++import base64
> +
> ++class TestGetKeySize(object):
> ++    def test_get_size_from_conf_default(self, conf_ceph_stub):
> ++        conf_ceph_stub('''
> ++        [global]
> ++        fsid=asdf
> ++        ''')
> ++        assert encryption.get_key_size_from_conf() == '512'
> ++
> ++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
> ++        conf_ceph_stub('''
> ++        [global]
> ++        fsid=asdf
> ++        [osd]
> ++        osd_dmcrypt_key_size=256
> ++        ''')
> ++        assert encryption.get_key_size_from_conf() == '256'
> ++
> ++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
> ++        conf_ceph_stub('''
> ++        [global]
> ++        fsid=asdf
> ++        [osd]
> ++        osd_dmcrypt_key_size=1024
> ++        ''')
> ++        assert encryption.get_key_size_from_conf() == '512'
> +
> + class TestStatus(object):
> +
> +@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
> +
> + class TestDmcryptKey(object):
> +
> +-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
> +-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
> +-        result = encryption.create_dmcrypt_key()
> +-        assert len(result) == 172
> +-
> +-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
> +-        conf_ceph_stub('''
> +-        [global]
> +-        fsid=asdf
> +-        [osd]
> +-        osd_dmcrypt_size=8
> +-        ''')
> ++    def test_dmcrypt(self):
> +         result = encryption.create_dmcrypt_key()
> +-        assert len(result) == 172
> ++        assert len(base64.b64decode(result)) == 128
> +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
> +index 72a0ccf121e..2a2c03337b6 100644
> +--- a/src/ceph-volume/ceph_volume/util/encryption.py
> ++++ b/src/ceph-volume/ceph_volume/util/encryption.py
> +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
> +
> + logger = logging.getLogger(__name__)
> +
> +-
> +-def create_dmcrypt_key():
> ++def get_key_size_from_conf():
> +     """
> +-    Create the secret dm-crypt key used to decrypt a device.
> ++    Return the osd dmcrypt key size from config file.
> ++    Default is 512.
> +     """
> +-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
> +-    # to the default of 1024
> +-    dmcrypt_key_size = conf.ceph.get_safe(
> ++    default_key_size = '512'
> ++    key_size = conf.ceph.get_safe(
> +         'osd',
> +         'osd_dmcrypt_key_size',
> +-        default=1024,
> +-    )
> +-    # The size of the key is defined in bits, so we must transform that
> +-    # value to bytes (dividing by 8) because we read in bytes, not bits
> +-    random_string = os.urandom(int(dmcrypt_key_size / 8))
> ++        default='512')
> ++
> ++    if key_size not in ['256', '512']:
> ++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
> ++                        "Falling back to {}bits".format(key_size, default_key_size)))
> ++        return default_key_size
> ++
> ++    return key_size
> ++
> ++def create_dmcrypt_key():
> ++    """
> ++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
> ++    """
> ++    random_string = os.urandom(128)
> +     key = base64.b64encode(random_string).decode('utf-8')
> +     return key
> +
> +@@ -38,6 +46,8 @@ def luks_format(key, device):
> +     command = [
> +         'cryptsetup',
> +         '--batch-mode', # do not prompt
> ++        '--key-size',
> ++        get_key_size_from_conf(),
> +         '--key-file', # misnomer, should be key
> +         '-',          # because we indicate stdin for the key here
> +         'luksFormat',
> +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
> +     """
> +     command = [
> +         'cryptsetup',
> ++        '--key-size',
> ++        get_key_size_from_conf(),
> +         '--key-file',
> +         '-',
> +         '--allow-discards',  # allow discards (aka TRIM) requests for device
> +--
> +2.35.1
> +
> diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
> index 17dbcf35..b13ebb70 100644
> --- a/recipes-extended/ceph/ceph_15.2.15.bb
> +++ b/recipes-extended/ceph/ceph_15.2.15.bb
> @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
>             file://ceph.conf \
>             file://0001-cmake-add-support-for-python3.10.patch \
>             file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
> +           file://CVE-2021-3979.patch \
>  "
>
>  SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
> --
> 2.35.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7514): https://lists.yoctoproject.org/g/meta-virtualization/message/7514
> Mute This Topic: https://lists.yoctoproject.org/mt/92941876/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



* RE: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-2021-3979
  2022-08-10 18:03 ` [meta-virtualization] " Bruce Ashfield
@ 2022-08-10 18:26   ` Slater, Joseph
  2022-08-10 18:34     ` Bruce Ashfield
  0 siblings, 1 reply; 5+ messages in thread
From: Slater, Joseph @ 2022-08-10 18:26 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: meta-virtualization, MacLeod, Randy



> -----Original Message-----
> From: Bruce Ashfield <bruce.ashfield@gmail.com>
> Sent: Wednesday, August 10, 2022 11:03 AM
> To: Slater, Joseph <joe.slater@windriver.com>
> Cc: meta-virtualization@lists.yoctoproject.org; MacLeod, Randy
> <Randy.MacLeod@windriver.com>
> Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix
> CVE-2021-3979
> 
> What about master? Does it have the same issue?

Yes, and I have the patch for that.  You cannot cherry-pick between the branches because
recipe context is different.  The source patch is the same.  I used kirkstone first for internal reasons.

Joe

> 
> Bruce
> 
> On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@windriver.com> wrote:
> >
> > Ceph-volume does not properly control key sizes.
> >
> > Cherry-pick from github.com/ceph/ceph.git.
> >
> > Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > ---
> >  .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
> >  recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
> >  2 files changed, 159 insertions(+)
> >  create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch
> >
> > diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > new file mode 100644
> > index 00000000..081b32ba
> > --- /dev/null
> > +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > @@ -0,0 +1,158 @@
> > +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00
> > +2001
> > +From: Guillaume Abrioux <gabrioux@redhat.com>
> > +Date: Tue, 25 Jan 2022 10:25:53 +0100
> > +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
> > +
> > +ceph-volume doesn't honour osd_dmcrypt_key_size.
> > +It means the default size is always applied.
> > +
> > +It also changes the default value in `get_key_size_from_conf()`
> > +
> > +From cryptsetup manpage:
> > +
> > +> For XTS mode you can optionally set a key size of 512 bits with the -s
> option.
> > +
> > +Using more than 512bits will end up with the following error message:
> > +
> > +```
> > +Key size in XTS mode must be 256 or 512 bits.
> > +```
> > +
> > +Fixes: https://tracker.ceph.com/issues/54006
> > +
> > +Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
> > +
> > +Upstream-Status: Backport
> > + github.com/ceph/ceph.git
> > + equivalent to cherry-pick of commit
> > +47c33179f9a15ae95cc1579a421be89378602656
> > +
> > +CVE: CVE-2021-3979
> > +
> > +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > +---
> > + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
> > + .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
> > + 2 files changed, 51 insertions(+), 24 deletions(-)
> > +
> > +diff --git
> > +a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > +b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > +index e1420b440d3..c86dc50b7c7 100644
> > +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > +@@ -1,5 +1,31 @@
> > + from ceph_volume.util import encryption
> > ++import base64
> > +
> > ++class TestGetKeySize(object):
> > ++    def test_get_size_from_conf_default(self, conf_ceph_stub):
> > ++        conf_ceph_stub('''
> > ++        [global]
> > ++        fsid=asdf
> > ++        ''')
> > ++        assert encryption.get_key_size_from_conf() == '512'
> > ++
> > ++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
> > ++        conf_ceph_stub('''
> > ++        [global]
> > ++        fsid=asdf
> > ++        [osd]
> > ++        osd_dmcrypt_key_size=256
> > ++        ''')
> > ++        assert encryption.get_key_size_from_conf() == '256'
> > ++
> > ++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
> > ++        conf_ceph_stub('''
> > ++        [global]
> > ++        fsid=asdf
> > ++        [osd]
> > ++        osd_dmcrypt_key_size=1024
> > ++        ''')
> > ++        assert encryption.get_key_size_from_conf() == '512'
> > +
> > + class TestStatus(object):
> > +
> > +@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
> > +
> > + class TestDmcryptKey(object):
> > +
> > +-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
> > +-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
> > +-        result = encryption.create_dmcrypt_key()
> > +-        assert len(result) == 172
> > +-
> > +-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
> > +-        conf_ceph_stub('''
> > +-        [global]
> > +-        fsid=asdf
> > +-        [osd]
> > +-        osd_dmcrypt_size=8
> > +-        ''')
> > ++    def test_dmcrypt(self):
> > +         result = encryption.create_dmcrypt_key()
> > +-        assert len(result) == 172
> > ++        assert len(base64.b64decode(result)) == 128
> > +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py
> > +b/src/ceph-volume/ceph_volume/util/encryption.py
> > +index 72a0ccf121e..2a2c03337b6 100644
> > +--- a/src/ceph-volume/ceph_volume/util/encryption.py
> > ++++ b/src/ceph-volume/ceph_volume/util/encryption.py
> > +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family,
> > +get_part_entry_type
> > +
> > + logger = logging.getLogger(__name__)
> > +
> > +-
> > +-def create_dmcrypt_key():
> > ++def get_key_size_from_conf():
> > +     """
> > +-    Create the secret dm-crypt key used to decrypt a device.
> > ++    Return the osd dmcrypt key size from config file.
> > ++    Default is 512.
> > +     """
> > +-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
> > +-    # to the default of 1024
> > +-    dmcrypt_key_size = conf.ceph.get_safe(
> > ++    default_key_size = '512'
> > ++    key_size = conf.ceph.get_safe(
> > +         'osd',
> > +         'osd_dmcrypt_key_size',
> > +-        default=1024,
> > +-    )
> > +-    # The size of the key is defined in bits, so we must transform that
> > +-    # value to bytes (dividing by 8) because we read in bytes, not bits
> > +-    random_string = os.urandom(int(dmcrypt_key_size / 8))
> > ++        default='512')
> > ++
> > ++    if key_size not in ['256', '512']:
> > ++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
> > ++                        "Falling back to {}bits".format(key_size, default_key_size)))
> > ++        return default_key_size
> > ++
> > ++    return key_size
> > ++
> > ++def create_dmcrypt_key():
> > ++    """
> > ++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume
> Key.
> > ++    """
> > ++    random_string = os.urandom(128)
> > +     key = base64.b64encode(random_string).decode('utf-8')
> > +     return key
> > +
> > +@@ -38,6 +46,8 @@ def luks_format(key, device):
> > +     command = [
> > +         'cryptsetup',
> > +         '--batch-mode', # do not prompt
> > ++        '--key-size',
> > ++        get_key_size_from_conf(),
> > +         '--key-file', # misnomer, should be key
> > +         '-',          # because we indicate stdin for the key here
> > +         'luksFormat',
> > +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
> > +     """
> > +     command = [
> > +         'cryptsetup',
> > ++        '--key-size',
> > ++        get_key_size_from_conf(),
> > +         '--key-file',
> > +         '-',
> > +         '--allow-discards',  # allow discards (aka TRIM) requests
> > +for device
> > +--
> > +2.35.1
> > +
> > diff --git a/recipes-extended/ceph/ceph_15.2.15.bb
> > b/recipes-extended/ceph/ceph_15.2.15.bb
> > index 17dbcf35..b13ebb70 100644
> > --- a/recipes-extended/ceph/ceph_15.2.15.bb
> > +++ b/recipes-extended/ceph/ceph_15.2.15.bb
> > @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-
> ${PV}.tar.gz \
> >             file://ceph.conf \
> >             file://0001-cmake-add-support-for-python3.10.patch \
> >
> > file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
> > +           file://CVE-2021-3979.patch \
> >  "
> >
> >  SRC_URI[sha256sum] =
> "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
> > --
> > 2.35.1
> >
> >
> >
> 
> 
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await thee at
> its end
> - "Use the force Harry" - Gandalf, Star Trek II


* Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-2021-3979
  2022-08-10 18:26   ` Slater, Joseph
@ 2022-08-10 18:34     ` Bruce Ashfield
  2022-08-10 18:54       ` Slater, Joseph
  0 siblings, 1 reply; 5+ messages in thread
From: Bruce Ashfield @ 2022-08-10 18:34 UTC (permalink / raw)
  To: Slater, Joseph; +Cc: meta-virtualization, MacLeod, Randy

On Wed, Aug 10, 2022 at 2:26 PM Slater, Joseph <joe.slater@windriver.com> wrote:
>
>
>
> > -----Original Message-----
> > From: Bruce Ashfield <bruce.ashfield@gmail.com>
> > Sent: Wednesday, August 10, 2022 11:03 AM
> > To: Slater, Joseph <joe.slater@windriver.com>
> > Cc: meta-virtualization@lists.yoctoproject.org; MacLeod, Randy
> > <Randy.MacLeod@windriver.com>
> > Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix
> > CVE-2021-3979
> >
> > What about master? Does it have the same issue?
>
> Yes, and I have the patch for that.  You cannot cherry-pick between the branches because
> recipe context is different.  The source patch is the same.  I used kirkstone first for internal reasons.
>

In order to merge this to kirkstone, it needs to be on master first.

So there should be two sends of the patch, one for master and then
another for kirkstone (if it can't be cherry-picked).

If you sent the one to master and I missed it, my apologies ... gmail
threads strangely at times.

Bruce

> Joe
>
> >
> > Bruce
> >
> > On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@windriver.com> wrote:
> > >
> > > Ceph-volume does not properly control key sizes.
> > >
> > > Cherry-pick from github.com/ceph/ceph.git.
> > >
> > > Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > > ---
> > >  .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
> > >  recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
> > >  2 files changed, 159 insertions(+)
> > >  create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > >
> > > diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > > b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > > new file mode 100644
> > > index 00000000..081b32ba
> > > --- /dev/null
> > > +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > > @@ -0,0 +1,158 @@
> > > +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00
> > > +2001
> > > +From: Guillaume Abrioux <gabrioux@redhat.com>
> > > +Date: Tue, 25 Jan 2022 10:25:53 +0100
> > > +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
> > > +
> > > +ceph-volume doesn't honour osd_dmcrypt_key_size.
> > > +It means the default size is always applied.
> > > +
> > > +It also changes the default value in `get_key_size_from_conf()`
> > > +
> > > +From cryptsetup manpage:
> > > +
> > > +> For XTS mode you can optionally set a key size of 512 bits with the -s
> > option.
> > > +
> > > +Using more than 512bits will end up with the following error message:
> > > +
> > > +```
> > > +Key size in XTS mode must be 256 or 512 bits.
> > > +```
> > > +
> > > +Fixes: https://tracker.ceph.com/issues/54006
> > > +
> > > +Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
> > > +
> > > +Upstream-Status: Backport
> > > + github.com/ceph/ceph.git
> > > + equivalent to cherry-pick of commit
> > > +47c33179f9a15ae95cc1579a421be89378602656
> > > +
> > > +CVE: CVE-2021-3979
> > > +
> > > +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > > +---
> > > + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
> > > + .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
> > > + 2 files changed, 51 insertions(+), 24 deletions(-)
> > > +
> > > +diff --git
> > > +a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > +b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > +index e1420b440d3..c86dc50b7c7 100644
> > > +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > +@@ -1,5 +1,31 @@
> > > + from ceph_volume.util import encryption
> > > ++import base64
> > > +
> > > ++class TestGetKeySize(object):
> > > ++    def test_get_size_from_conf_default(self, conf_ceph_stub):
> > > ++        conf_ceph_stub('''
> > > ++        [global]
> > > ++        fsid=asdf
> > > ++        ''')
> > > ++        assert encryption.get_key_size_from_conf() == '512'
> > > ++
> > > ++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
> > > ++        conf_ceph_stub('''
> > > ++        [global]
> > > ++        fsid=asdf
> > > ++        [osd]
> > > ++        osd_dmcrypt_key_size=256
> > > ++        ''')
> > > ++        assert encryption.get_key_size_from_conf() == '256'
> > > ++
> > > ++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
> > > ++        conf_ceph_stub('''
> > > ++        [global]
> > > ++        fsid=asdf
> > > ++        [osd]
> > > ++        osd_dmcrypt_key_size=1024
> > > ++        ''')
> > > ++        assert encryption.get_key_size_from_conf() == '512'
> > > +
> > > + class TestStatus(object):
> > > +
> > > +@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
> > > +
> > > + class TestDmcryptKey(object):
> > > +
> > > +-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
> > > +-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
> > > +-        result = encryption.create_dmcrypt_key()
> > > +-        assert len(result) == 172
> > > +-
> > > +-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
> > > +-        conf_ceph_stub('''
> > > +-        [global]
> > > +-        fsid=asdf
> > > +-        [osd]
> > > +-        osd_dmcrypt_size=8
> > > +-        ''')
> > > ++    def test_dmcrypt(self):
> > > +         result = encryption.create_dmcrypt_key()
> > > +-        assert len(result) == 172
> > > ++        assert len(base64.b64decode(result)) == 128
> > > +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py
> > > +b/src/ceph-volume/ceph_volume/util/encryption.py
> > > +index 72a0ccf121e..2a2c03337b6 100644
> > > +--- a/src/ceph-volume/ceph_volume/util/encryption.py
> > > ++++ b/src/ceph-volume/ceph_volume/util/encryption.py
> > > +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family,
> > > +get_part_entry_type
> > > +
> > > + logger = logging.getLogger(__name__)
> > > +
> > > +-
> > > +-def create_dmcrypt_key():
> > > ++def get_key_size_from_conf():
> > > +     """
> > > +-    Create the secret dm-crypt key used to decrypt a device.
> > > ++    Return the osd dmcrypt key size from config file.
> > > ++    Default is 512.
> > > +     """
> > > +-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
> > > +-    # to the default of 1024
> > > +-    dmcrypt_key_size = conf.ceph.get_safe(
> > > ++    default_key_size = '512'
> > > ++    key_size = conf.ceph.get_safe(
> > > +         'osd',
> > > +         'osd_dmcrypt_key_size',
> > > +-        default=1024,
> > > +-    )
> > > +-    # The size of the key is defined in bits, so we must transform that
> > > +-    # value to bytes (dividing by 8) because we read in bytes, not bits
> > > +-    random_string = os.urandom(int(dmcrypt_key_size / 8))
> > > ++        default='512')
> > > ++
> > > ++    if key_size not in ['256', '512']:
> > > ++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
> > > ++                        "Falling back to {}bits".format(key_size, default_key_size)))
> > > ++        return default_key_size
> > > ++
> > > ++    return key_size
> > > ++
> > > ++def create_dmcrypt_key():
> > > ++    """
> > > ++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume
> > Key.
> > > ++    """
> > > ++    random_string = os.urandom(128)
> > > +     key = base64.b64encode(random_string).decode('utf-8')
> > > +     return key
> > > +
> > > +@@ -38,6 +46,8 @@ def luks_format(key, device):
> > > +     command = [
> > > +         'cryptsetup',
> > > +         '--batch-mode', # do not prompt
> > > ++        '--key-size',
> > > ++        get_key_size_from_conf(),
> > > +         '--key-file', # misnomer, should be key
> > > +         '-',          # because we indicate stdin for the key here
> > > +         'luksFormat',
> > > +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
> > > +     """
> > > +     command = [
> > > +         'cryptsetup',
> > > ++        '--key-size',
> > > ++        get_key_size_from_conf(),
> > > +         '--key-file',
> > > +         '-',
> > > +         '--allow-discards',  # allow discards (aka TRIM) requests
> > > +for device
> > > +--
> > > +2.35.1
> > > +
> > > diff --git a/recipes-extended/ceph/ceph_15.2.15.bb
> > > b/recipes-extended/ceph/ceph_15.2.15.bb
> > > index 17dbcf35..b13ebb70 100644
> > > --- a/recipes-extended/ceph/ceph_15.2.15.bb
> > > +++ b/recipes-extended/ceph/ceph_15.2.15.bb
> > > @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-
> > ${PV}.tar.gz \
> > >             file://ceph.conf \
> > >             file://0001-cmake-add-support-for-python3.10.patch \
> > >
> > > file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
> > > +           file://CVE-2021-3979.patch \
> > >  "
> > >
> > >  SRC_URI[sha256sum] =
> > "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
> > > --
> > > 2.35.1
> > >
> > >
> > >
> >
> >
> > --
> > - Thou shalt not follow the NULL pointer, for chaos and madness await thee at
> > its end
> > - "Use the force Harry" - Gandalf, Star Trek II



-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



* RE: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979
  2022-08-10 18:34     ` Bruce Ashfield
@ 2022-08-10 18:54       ` Slater, Joseph
  0 siblings, 0 replies; 5+ messages in thread
From: Slater, Joseph @ 2022-08-10 18:54 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: meta-virtualization, MacLeod, Randy

No, you didn't miss it. I'll send it in an hour or so. Joe

> -----Original Message-----
> From: Bruce Ashfield <bruce.ashfield@gmail.com>
> Sent: Wednesday, August 10, 2022 11:35 AM
> To: Slater, Joseph <joe.slater@windriver.com>
> Cc: meta-virtualization@lists.yoctoproject.org; MacLeod, Randy
> <Randy.MacLeod@windriver.com>
> Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix
> CVE-1021-3979
> 
> On Wed, Aug 10, 2022 at 2:26 PM Slater, Joseph <joe.slater@windriver.com>
> wrote:
> >
> >
> >
> > > -----Original Message-----
> > > From: Bruce Ashfield <bruce.ashfield@gmail.com>
> > > Sent: Wednesday, August 10, 2022 11:03 AM
> > > To: Slater, Joseph <joe.slater@windriver.com>
> > > Cc: meta-virtualization@lists.yoctoproject.org; MacLeod, Randy
> > > <Randy.MacLeod@windriver.com>
> > > Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1]
> > > ceph: Fix
> > > CVE-1021-3979
> > >
> > > What about master ? Does it have the same issue ?
> >
> > Yes, and I have the patch for that.  You cannot cherry-pick between
> > the branches because recipe context is different.  The source patch is the
> same.  I used kirkstone first for internal reasons.
> >
> 
> In order to merge this to kirkstone, it needs to be on master first.
> 
> So there should be two sends of the patch, one for master and then another for
> kirkstone (if it can't be cherry picked).
> 
> If you sent the one to master and I missed it, my apologies ... gmail threads
> strangely at times.
> 
> Bruce
> 
> > Joe
> >
> > >
> > > Bruce
> > >
> > > On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@windriver.com>
> wrote:
> > > >
> > > > Ceph-volume does not properly control key sizes.
> > > >
> > > > Cherry-pick from github.com/ceph/ceph.git.
> > > >
> > > > Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > > > ---
> > > >  .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
> > > >  recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
> > > >  2 files changed, 159 insertions(+)  create mode 100644
> > > > recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > > >
> > > > diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > > > b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > > > new file mode 100644
> > > > index 00000000..081b32ba
> > > > --- /dev/null
> > > > +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> > > > @@ -0,0 +1,158 @@
> > > > +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17
> 00:00:00
> > > > +2001
> > > > +From: Guillaume Abrioux <gabrioux@redhat.com>
> > > > +Date: Tue, 25 Jan 2022 10:25:53 +0100
> > > > +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
> > > > +
> > > > +ceph-volume doesn't honour osd_dmcrypt_key_size.
> > > > +It means the default size is always applied.
> > > > +
> > > > +It also changes the default value in `get_key_size_from_conf()`
> > > > +
> > > > +From cryptsetup manpage:
> > > > +
> > > > +> For XTS mode you can optionally set a key size of 512 bits with
> > > > +> the -s
> > > option.
> > > > +
> > > > +Using more than 512bits will end up with the following error message:
> > > > +
> > > > +```
> > > > +Key size in XTS mode must be 256 or 512 bits.
> > > > +```
> > > > +
> > > > +Fixes: https://tracker.ceph.com/issues/54006
> > > > +
> > > > +Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
> > > > +
> > > > +Upstream-Status: Backport
> > > > + github.com/ceph/ceph.git
> > > > + equivalent to cherry-pick of commit
> > > > +47c33179f9a15ae95cc1579a421be89378602656
> > > > +
> > > > +CVE: CVE-2021-3979
> > > > +
> > > > +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> > > > +---
> > > > + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
> > > > + .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
> > > > + 2 files changed, 51 insertions(+), 24 deletions(-)
> > > > +
> > > > +diff --git
> > > > +a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > > +b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > > +index e1420b440d3..c86dc50b7c7 100644
> > > > +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > > ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> > > > +@@ -1,5 +1,31 @@
> > > > + from ceph_volume.util import encryption
> > > > ++import base64
> > > > +
> > > > ++class TestGetKeySize(object):
> > > > ++    def test_get_size_from_conf_default(self, conf_ceph_stub):
> > > > ++        conf_ceph_stub('''
> > > > ++        [global]
> > > > ++        fsid=asdf
> > > > ++        ''')
> > > > ++        assert encryption.get_key_size_from_conf() == '512'
> > > > ++
> > > > ++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
> > > > ++        conf_ceph_stub('''
> > > > ++        [global]
> > > > ++        fsid=asdf
> > > > ++        [osd]
> > > > ++        osd_dmcrypt_key_size=256
> > > > ++        ''')
> > > > ++        assert encryption.get_key_size_from_conf() == '256'
> > > > ++
> > > > ++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
> > > > ++        conf_ceph_stub('''
> > > > ++        [global]
> > > > ++        fsid=asdf
> > > > ++        [osd]
> > > > ++        osd_dmcrypt_key_size=1024
> > > > ++        ''')
> > > > ++        assert encryption.get_key_size_from_conf() == '512'
> > > > +
> > > > + class TestStatus(object):
> > > > +
> > > > +@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
> > > > +
> > > > + class TestDmcryptKey(object):
> > > > +
> > > > +-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
> > > > +-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
> > > > +-        result = encryption.create_dmcrypt_key()
> > > > +-        assert len(result) == 172
> > > > +-
> > > > +-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
> > > > +-        conf_ceph_stub('''
> > > > +-        [global]
> > > > +-        fsid=asdf
> > > > +-        [osd]
> > > > +-        osd_dmcrypt_size=8
> > > > +-        ''')
> > > > ++    def test_dmcrypt(self):
> > > > +         result = encryption.create_dmcrypt_key()
> > > > +-        assert len(result) == 172
> > > > ++        assert len(base64.b64decode(result)) == 128
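Review bot: the new `TestGetKeySize` cases cover the default, a valid custom value (256) and an out-of-range value (1024), but nothing checks that the chosen size actually reaches cryptsetup; add a test that stubs the process runner, captures the argv built by `luks_format` and `luks_open`, and asserts that `'--key-size'` is followed by the value `get_key_size_from_conf()` returned. A case for a padded or non-numeric value (for example `'512 '`) would also be worth having, since the validation is an exact string match. The removed `test_dmcrypt_with_custom_size` set `osd_dmcrypt_size`, not `osd_dmcrypt_key_size`, so it never exercised the custom path; the replacement `test_dmcrypt` asserting 128 decoded bytes is the right check for the new fixed-size KEK.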
> > > > +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py
> > > > +b/src/ceph-volume/ceph_volume/util/encryption.py
> > > > +index 72a0ccf121e..2a2c03337b6 100644
> > > > +--- a/src/ceph-volume/ceph_volume/util/encryption.py
> > > > ++++ b/src/ceph-volume/ceph_volume/util/encryption.py
> > > > +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family,
> > > > +get_part_entry_type
> > > > +
> > > > + logger = logging.getLogger(__name__)
> > > > +
> > > > +-
> > > > +-def create_dmcrypt_key():
> > > > ++def get_key_size_from_conf():
> > > > +     """
> > > > +-    Create the secret dm-crypt key used to decrypt a device.
> > > > ++    Return the osd dmcrypt key size from config file.
> > > > ++    Default is 512.
> > > > +     """
> > > > +-    # get the customizable dmcrypt key size (in bits) from ceph.conf
> fallback
> > > > +-    # to the default of 1024
> > > > +-    dmcrypt_key_size = conf.ceph.get_safe(
> > > > ++    default_key_size = '512'
> > > > ++    key_size = conf.ceph.get_safe(
> > > > +         'osd',
> > > > +         'osd_dmcrypt_key_size',
> > > > +-        default=1024,
> > > > +-    )
> > > > +-    # The size of the key is defined in bits, so we must transform that
> > > > +-    # value to bytes (dividing by 8) because we read in bytes, not bits
> > > > +-    random_string = os.urandom(int(dmcrypt_key_size / 8))
> > > > ++        default='512')
> > > > ++
> > > > ++    if key_size not in ['256', '512']:
> > > > ++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
> > > > ++                        "Falling back to {}bits".format(key_size, default_key_size)))
> > > > ++        return default_key_size
> > > > ++
> > > > ++    return key_size
> > > > ++
> > > > ++def create_dmcrypt_key():
> > > > ++    """
> > > > ++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt
> > > > ++the Volume
> > > Key.
> > > > ++    """
> > > > ++    random_string = os.urandom(128)
> > > > +     key = base64.b64encode(random_string).decode('utf-8')
> > > > +     return key
> > > > +
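Review bot: `get_key_size_from_conf()` validates with an exact string comparison against `['256', '512']`, so a value such as `'512 '`, or an integer if the config loader ever returns one, is rejected and silently replaced by 512 with only a warning; normalise first (`str(key_size).strip()`) before the membership test. Because that fallback changes the key size an OSD is formatted with, a single warning line is easy to miss, and the choice to degrade rather than fail should at least be stated in the docstring. Style: there is now only one blank line before each `def` where PEP 8 asks for two, and `"Falling back to {}bits"` is missing a space before `bits`.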
> > > > +@@ -38,6 +46,8 @@ def luks_format(key, device):
> > > > +     command = [
> > > > +         'cryptsetup',
> > > > +         '--batch-mode', # do not prompt
> > > > ++        '--key-size',
> > > > ++        get_key_size_from_conf(),
> > > > +         '--key-file', # misnomer, should be key
> > > > +         '-',          # because we indicate stdin for the key here
> > > > +         'luksFormat',
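Review bot: `luksFormat` is destructive and irreversible, so this is the point where a bad `osd_dmcrypt_key_size` should stop the operation rather than proceed with the 512-bit fallback that `get_key_size_from_conf()` returns after its warning; consider validating the size here and raising before the `cryptsetup` command is built, and log the size actually used at info level so it can be confirmed from the ceph-volume log after deployment.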
> > > > +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
> > > > +     """
> > > > +     command = [
> > > > +         'cryptsetup',
> > > > ++        '--key-size',
> > > > ++        get_key_size_from_conf(),
> > > > +         '--key-file',
> > > > +         '-',
> > > > +         '--allow-discards',  # allow discards (aka TRIM)
> > > > +requests for device
> > > > +--
> > > > +2.35.1
> > > > +
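Review bot: passing `--key-size` on the open path needs a comment explaining what it is expected to do, because for a LUKS device the master key size is recorded in the header at format time. Please confirm that `cryptsetup` accepts the option on open rather than ignoring or rejecting it, and that an OSD formatted before this change, or after `osd_dmcrypt_key_size` is later edited in `ceph.conf`, still opens when the configured value no longer matches the header; a sentence on that in the commit message would settle it.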
> > > > diff --git a/recipes-extended/ceph/ceph_15.2.15.bb
> > > > b/recipes-extended/ceph/ceph_15.2.15.bb
> > > > index 17dbcf35..b13ebb70 100644
> > > > --- a/recipes-extended/ceph/ceph_15.2.15.bb
> > > > +++ b/recipes-extended/ceph/ceph_15.2.15.bb
> > > > @@ -14,6 +14,7 @@ SRC_URI =
> > > > "http://download.ceph.com/tarballs/ceph-
> > > ${PV}.tar.gz \
> > > >             file://ceph.conf \
> > > >             file://0001-cmake-add-support-for-python3.10.patch \
> > > >
> > > > file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
> > > > +           file://CVE-2021-3979.patch \
> > > >  "
> > > >
> > > >  SRC_URI[sha256sum] =
> > >
> "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
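Review bot: the commit subject reads `CVE-1021-3979` while the added file and its `CVE:` tag say `CVE-2021-3979`; fix the subject so the recipe history and the patch agree on the identifier. The `SRC_URI` addition itself is fine, and the patch carries `Upstream-Status: Backport` with the upstream commit hash, which is what the layer's patch conventions require.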
> > > > --
> > > > 2.35.1
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > - Thou shalt not follow the NULL pointer, for chaos and madness
> > > await thee at its end
> > > - "Use the force Harry" - Gandalf, Star Trek II
> 
> 
> 
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await thee at
> its end
> - "Use the force Harry" - Gandalf, Star Trek II


end of thread, other threads:[~2022-08-10 18:54 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-10 17:39 [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979 Joe Slater
2022-08-10 18:03 ` [meta-virtualization] " Bruce Ashfield
2022-08-10 18:26   ` Slater, Joseph
2022-08-10 18:34     ` Bruce Ashfield
2022-08-10 18:54       ` Slater, Joseph
