What about master? Does it have the same issue? Bruce
On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <[email protected]> wrote: > > Ceph-volume does not properly control key sizes. > > Cherry-pick from github.com/ceph/ceph.git. > > Signed-off-by: Joe Slater <[email protected]> > --- > .../ceph/ceph/CVE-2021-3979.patch | 158 ++++++++++++++++++ > recipes-extended/ceph/ceph_15.2.15.bb | 1 + > 2 files changed, 159 insertions(+) > create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch > > diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch > b/recipes-extended/ceph/ceph/CVE-2021-3979.patch > new file mode 100644 > index 00000000..081b32ba > --- /dev/null > +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch 
> @@ -0,0 +1,158 @@ > +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001 > +From: Guillaume Abrioux <[email protected]> > +Date: Tue, 25 Jan 2022 10:25:53 +0100 > +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option > + > +ceph-volume doesn't honour osd_dmcrypt_key_size. > +It means the default size is always applied. > + > +It also changes the default value in `get_key_size_from_conf()` > + > +From cryptsetup manpage: > + > +> For XTS mode you can optionally set a key size of 512 bits with the -s > option. > + > +Using more than 512bits will end up with the following error message: > + > +``` > +Key size in XTS mode must be 256 or 512 bits. > +``` > + > +Fixes: https://tracker.ceph.com/issues/54006 > + > +Signed-off-by: Guillaume Abrioux <[email protected]> > + > +Upstream-Status: Backport > + github.com/ceph/ceph.git > + equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656 > + > +CVE: CVE-2021-3979 > + > +Signed-off-by: Joe Slater <[email protected]> > +--- > + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------ > + .../ceph_volume/util/encryption.py | 34 ++++++++++----- > + 2 files changed, 51 insertions(+), 24 deletions(-) > + > +diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > +index e1420b440d3..c86dc50b7c7 100644 > +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > +@@ -1,5 +1,31 @@ > + from ceph_volume.util import encryption > ++import base64 > + > ++class TestGetKeySize(object): > ++ def test_get_size_from_conf_default(self, conf_ceph_stub): > ++ conf_ceph_stub(''' > ++ [global] > ++ fsid=asdf > ++ ''') > ++ assert encryption.get_key_size_from_conf() == '512' > ++ > ++ def test_get_size_from_conf_custom(self, conf_ceph_stub): > ++ conf_ceph_stub(''' > ++ [global] > ++ fsid=asdf > ++ [osd] > ++ 
osd_dmcrypt_key_size=256 > ++ ''') > ++ assert encryption.get_key_size_from_conf() == '256' > ++ > ++ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub): > ++ conf_ceph_stub(''' > ++ [global] > ++ fsid=asdf > ++ [osd] > ++ osd_dmcrypt_key_size=1024 > ++ ''') > ++ assert encryption.get_key_size_from_conf() == '512' > + > + class TestStatus(object): > + > +@@ -37,17 +63,6 @@ class TestDmcryptClose(object): > + > + class TestDmcryptKey(object): > + > +- def test_dmcrypt_with_default_size(self, conf_ceph_stub): > +- conf_ceph_stub('[global]\nfsid=asdf-lkjh') > +- result = encryption.create_dmcrypt_key() > +- assert len(result) == 172 > +- > +- def test_dmcrypt_with_custom_size(self, conf_ceph_stub): > +- conf_ceph_stub(''' > +- [global] > +- fsid=asdf > +- [osd] > +- osd_dmcrypt_size=8 > +- ''') > ++ def test_dmcrypt(self): > + result = encryption.create_dmcrypt_key() > +- assert len(result) == 172 > ++ assert len(base64.b64decode(result)) == 128 > +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py > b/src/ceph-volume/ceph_volume/util/encryption.py > +index 72a0ccf121e..2a2c03337b6 100644 > +--- a/src/ceph-volume/ceph_volume/util/encryption.py > ++++ b/src/ceph-volume/ceph_volume/util/encryption.py > +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type > + > + logger = logging.getLogger(__name__) > + > +- > +-def create_dmcrypt_key(): > ++def get_key_size_from_conf(): > + """ > +- Create the secret dm-crypt key used to decrypt a device. > ++ Return the osd dmcrypt key size from config file. > ++ Default is 512. 
> + """ > +- # get the customizable dmcrypt key size (in bits) from ceph.conf > fallback > +- # to the default of 1024 > +- dmcrypt_key_size = conf.ceph.get_safe( > ++ default_key_size = '512' > ++ key_size = conf.ceph.get_safe( > + 'osd', > + 'osd_dmcrypt_key_size', > +- default=1024, > +- ) > +- # The size of the key is defined in bits, so we must transform that > +- # value to bytes (dividing by 8) because we read in bytes, not bits > +- random_string = os.urandom(int(dmcrypt_key_size / 8)) > ++ default='512') > ++ > ++ if key_size not in ['256', '512']: > ++ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). " > ++ "Falling back to {}bits".format(key_size, > default_key_size))) > ++ return default_key_size > ++ > ++ return key_size > ++ > ++def create_dmcrypt_key(): > ++ """ > ++ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume > Key. > ++ """ > ++ random_string = os.urandom(128) > + key = base64.b64encode(random_string).decode('utf-8') > + return key > + > +@@ -38,6 +46,8 @@ def luks_format(key, device): > + command = [ > + 'cryptsetup', > + '--batch-mode', # do not prompt > ++ '--key-size', > ++ get_key_size_from_conf(), > + '--key-file', # misnomer, should be key > + '-', # because we indicate stdin for the key here > + 'luksFormat', > +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping): > + """ > + command = [ > + 'cryptsetup', > ++ '--key-size', > ++ get_key_size_from_conf(), > + '--key-file', > + '-', > + '--allow-discards', # allow discards (aka TRIM) requests for device > +-- > +2.35.1 > + > diff --git a/recipes-extended/ceph/ceph_15.2.15.bb > b/recipes-extended/ceph/ceph_15.2.15.bb > index 17dbcf35..b13ebb70 100644 > --- a/recipes-extended/ceph/ceph_15.2.15.bb > +++ b/recipes-extended/ceph/ceph_15.2.15.bb 
> @@ -14,6 +14,7 @@ SRC_URI = > "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \ > file://ceph.conf \ > file://0001-cmake-add-support-for-python3.10.patch \ > file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \ > + file://CVE-2021-3979.patch \ > " > > SRC_URI[sha256sum] = > "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf" > -- > 2.35.1 > > > > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
