From 1a947a573b8bd9f516de0d77dbcc33f5257b6ca5 Mon Sep 17 00:00:00 2001
From: Milan Broz
Date: Sun, 17 Jan 2010 10:20:15 +0000
Subject: [PATCH] If gcrypt compiled with capabilities, document workaround for cryptsetup (see lib/gcrypt.c).

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@180 36d66b0a-2a48-0410-832c-cd162a569da5
---
 ChangeLog | 3 +++
 lib/gcrypt.c | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 86a2df0..0590fd8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2010-01-17 Milan Broz
+ * If gcrypt compiled with capabilities, document workaround for cryptsetup (see lib/gcrypt.c).
+
 2010-01-10 Milan Broz
 * Fix initialisation of gcrypt duting luksFormat.
 * Convert hash name to lower case in header (fix sha1 backward comatible header)
diff --git a/lib/gcrypt.c b/lib/gcrypt.c
index 630f18f..269dc52 100644
--- a/lib/gcrypt.c
+++ b/lib/gcrypt.c
@@ -15,9 +15,20 @@ int init_crypto(void)
 if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
 if (!gcry_check_version (GCRYPT_REQ_VERSION))
 return -ENOSYS;
+
+/* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
+ * it drops all privileges during secure memory initialisation.
+ * For now, the only workaround is to disable secure memory in gcrypt.
+ * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
+ * and it locks its memory space anyway.
+ */
+#if 0
+ gcry_control (GCRYCTL_DISABLE_SECMEM);
+#else
 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
 gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
 gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
+#endif
 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
 }
-- 
2.7.4
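Review bot: The FIXME added in init_crypto() does not record what is given up when the `#if 0` branch is switched on. With `gcry_control (GCRYCTL_DISABLE_SECMEM);` libgcrypt's secure allocations come from the ordinary heap, so key material is then protected only by cryptsetup's own memory locking, which the comment asserts but this hunk does not show. I would append a line to the comment such as `* NOTE: with secmem disabled, key buffers rely solely on cryptsetup's own mlock; verify it is active before enabling.` and make the switch a build-time option, since `#if 0` means anyone who needs the workaround has to edit the source. Separately, the result of `gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);` is still ignored on the default path, so neither an init failure nor the privilege drop described here is detected at this point. The function body continues outside the hunk.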