"Fossies" - the Fresh Open Source Software Archive

Member "cryptsetup-2.4.3/docs/v2.4.3-ReleaseNotes" (13 Jan 2022, 4752 Bytes) of package /linux/misc/cryptsetup-2.4.3.tar.xz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 Cryptsetup 2.4.3 Release Notes
    2 ==============================
    3 Stable security bug-fix release that fixes CVE-2021-4122.
    4 
    5 All users of cryptsetup 2.4.x must upgrade to this version.
    6 
    7 Changes since version 2.4.2
    8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    9 
   10 * Fix possible attacks against data confidentiality through LUKS2 online
   11   reencryption extension crash recovery (CVE-2021-4122).
   12 
   13   An attacker can modify on-disk metadata to simulate decryption in
   14   progress with crashed (unfinished) reencryption step and persistently
   15   decrypt part of the LUKS device.
   16 
   17   This attack requires repeated physical access to the LUKS device but
   18   no knowledge of user passphrases.
   19 
   20   The decryption step is performed after a valid user activates
   21   the device with a correct passphrase and modified metadata.
   22   There are no visible warnings for the user that such recovery happened
   23   (except using the luksDump command). The attack can also be reversed
   24   afterward (simulating crashed encryption from a plaintext) with
   25   possible modification of revealed plaintext.
   26 
   27   The size of possible decrypted data depends on configured LUKS2 header
   28   size (metadata size is configurable for LUKS2).
   29   With the default parameters (16 MiB LUKS2 header) and only one
   30   allocated keyslot (512 bit key for AES-XTS), simulated decryption with
   31   checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks),
   32   the maximal decrypted size can be over 3GiB.
   33 
   34   The attack is not applicable to LUKS1 format, but the attacker can
   35   update metadata in place to LUKS2 format as an additional step.
   36   For such a converted LUKS2 header, the keyslot area is limited to
   37   decrypted size (with SHA1 checksums) over 300 MiB.
   38 
   39   The issue is present in all cryptsetup releases since 2.2.0.
   40   Versions 1.x, 2.0.x, and 2.1.x are not affected, as these do not
   41   contain LUKS2 reencryption extension.
   42 
   43   The problem was caused by reusing a mechanism designed for actual
   44   reencryption operation without reassessing the security impact for new
   45   encryption and decryption operations. While the reencryption requires
   46   calculating and verifying both key digests, no digest was needed to
   47   initiate decryption recovery if the destination is plaintext (no
   48   encryption key). Also, some metadata (like encryption cipher) is not
   49   protected, and an attacker could change it. Note that LUKS2 protects
   50   visible metadata only when a random change occurs. It does not protect
   51   against intentional modification but such modification must not cause
   52   a violation of data confidentiality.
   53 
   54   The fix introduces additional digest protection of reencryption
   55   metadata. The digest is calculated from known keys and critical
   56   reencryption metadata. Now an attacker cannot create correct metadata
   57   digest without knowledge of a passphrase for used keyslots.
   58   For more details, see LUKS2 On-Disk Format Specification version 1.1.0.
   59 
   60   The former reencryption operation (without the additional digest) is no
   61   longer supported (reencryption with the digest is not backward
   62   compatible). You need to finish in-progress reencryption before
   63   updating to new packages. The alternative approach is to perform
   64   a repair command from the updated package to recalculate reencryption
   65   digest and fix metadata.
   66   The reencryption repair operation always require a user passphrase.
   67 
   68   WARNING: Devices with older reencryption in progress can be no longer
   69   activated without performing the action mentioned above.
   70 
   71   Encryption in progress can be detected by running the luksDump command
   72   (output includes reencrypt keyslot with reencryption parameters). Also,
   73   during the active reencryption, no keyslot operations are available
   74   (change of passphrases, etc.).
   75 
   76   The issue was found by Milan Broz as cryptsetup maintainer.
   77 
   78 Other changes
   79 ~~~~~~~~~~~~~
   80 * Add configure option --disable-luks2-reencryption to completely disable
   81   LUKS2 reencryption code.
   82 
   83   When used, the libcryptsetup library can read metadata with
   84   reencryption code, but all reencryption API calls and cryptsetup
   85   reencrypt commands are disabled.
   86 
   87   Devices with online reencryption in progress cannot be activated.
   88   This option can cause some incompatibilities. Please use with care.
   89 
   90 * Improve internal metadata validation code for reencryption metadata.
   91 
   92 * Add updated documentation for LUKS2 On-Disk Format Specification
   93   version 1.1.0 (with reencryption extension description and updated
   94   metadata description). See docs/on-disk-format-luks2.pdf or online
   95   version in https://gitlab.com/cryptsetup/LUKS2-docs repository.
   96 
   97 * Fix support for bitlk (BitLocker compatible) startup key with new
   98   metadata entry introduced in Windows 11.
   99 
  100 * Fix space restriction for LUKS2 reencryption with data shift.
  101   The code required more space than was needed.