No, you didn't miss it. I'll send it in an hour or so. Joe > -----Original Message----- > From: Bruce Ashfield <[email protected]> > Sent: Wednesday, August 10, 2022 11:35 AM > To: Slater, Joseph <[email protected]> > Cc: [email protected]; MacLeod, Randy > <[email protected]> > Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix > CVE-1021-3979 > > On Wed, Aug 10, 2022 at 2:26 PM Slater, Joseph <[email protected]> > wrote: > > > > > > > > > -----Original Message----- > > > From: Bruce Ashfield <[email protected]> > > > Sent: Wednesday, August 10, 2022 11:03 AM > > > To: Slater, Joseph <[email protected]> > > > Cc: [email protected]; MacLeod, Randy > > > <[email protected]> > > > Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] > > > ceph: Fix > > > CVE-1021-3979 > > > > > > What about master ? Does it have the same issue ? > > > > Yes, and I have the patch for that. You cannot cherry-pick between > > the branches because recipe context is different. The source patch is the > same. I used kirkstone first for internal reasons. > > > > In order to merge this to kirkstone, it needs to be on master first. > > So there should be two sends of the patch, one for master and then another for > kirkstone (if it can't be cherry picked). > > If you sent the one to master and I missed it, my apologies ... gmail threads > strangely at times. > > Bruce > > > Joe > > > > > > > > Bruce > > > > > > On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <[email protected]> > wrote: > > > > > > > > Ceph-volume does not properly control key sizes. > > > > > > > > Cherry-pick from github.com/ceph/ceph.git. > > > > > > > > Signed-off-by: Joe Slater <[email protected]> > > > > --- > > > > .../ceph/ceph/CVE-2021-3979.patch | 158 ++++++++++++++++++ > > > > recipes-extended/ceph/ceph_15.2.15.bb | 1 + > > > > 2 files changed, 159 insertions(+) create mode 100644 > > > > recipes-extended/ceph/ceph/CVE-2021-3979.patch 
> > > > > > > > diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch > > > > b/recipes-extended/ceph/ceph/CVE-2021-3979.patch > > > > new file mode 100644 > > > > index 00000000..081b32ba > > > > --- /dev/null > > > > +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch 
> > > > @@ -0,0 +1,158 @@ > > > > +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 > 00:00:00 > > > > +2001 > > > > +From: Guillaume Abrioux <[email protected]> > > > > +Date: Tue, 25 Jan 2022 10:25:53 +0100 > > > > +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option > > > > + > > > > +ceph-volume doesn't honour osd_dmcrypt_key_size. > > > > +It means the default size is always applied. > > > > + > > > > +It also changes the default value in `get_key_size_from_conf()` > > > > + > > > > +From cryptsetup manpage: > > > > + > > > > +> For XTS mode you can optionally set a key size of 512 bits with > > > > +> the -s > > > option. > > > > + > > > > +Using more than 512bits will end up with the following error message: > > > > + > > > > +``` > > > > +Key size in XTS mode must be 256 or 512 bits. > > > > +``` > > > > + > > > > +Fixes: https://tracker.ceph.com/issues/54006 > > > > + > > > > +Signed-off-by: Guillaume Abrioux <[email protected]> > > > > + > > > > +Upstream-Status: Backport > > > > + github.com/ceph/ceph.git > > > > + equivalent to cherry-pick of commit > > > > +47c33179f9a15ae95cc1579a421be89378602656 > > > > + > > > > +CVE: CVE-2021-3979 > > > > + > > > > +Signed-off-by: Joe Slater <[email protected]> > > > > +--- > > > > + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------ > > > > + .../ceph_volume/util/encryption.py | 34 ++++++++++----- > > > > + 2 files changed, 51 insertions(+), 24 deletions(-) > > > > + > > > > +diff --git > > > > +a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > > > +b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > > > +index e1420b440d3..c86dc50b7c7 100644 > > > > +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > > > ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > > > +@@ -1,5 +1,31 @@ > > > > + from ceph_volume.util import encryption > > > > ++import base64 > > > > + > > > > ++class TestGetKeySize(object): > > > > ++ def 
test_get_size_from_conf_default(self, conf_ceph_stub): > > > > ++ conf_ceph_stub(''' > > > > ++ [global] > > > > ++ fsid=asdf > > > > ++ ''') > > > > ++ assert encryption.get_key_size_from_conf() == '512' > > > > ++ > > > > ++ def test_get_size_from_conf_custom(self, conf_ceph_stub): > > > > ++ conf_ceph_stub(''' > > > > ++ [global] > > > > ++ fsid=asdf > > > > ++ [osd] > > > > ++ osd_dmcrypt_key_size=256 > > > > ++ ''') > > > > ++ assert encryption.get_key_size_from_conf() == '256' > > > > ++ > > > > ++ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub): > > > > ++ conf_ceph_stub(''' > > > > ++ [global] > > > > ++ fsid=asdf > > > > ++ [osd] > > > > ++ osd_dmcrypt_key_size=1024 > > > > ++ ''') > > > > ++ assert encryption.get_key_size_from_conf() == '512' > > > > + > > > > + class TestStatus(object): > > > > + > > > > +@@ -37,17 +63,6 @@ class TestDmcryptClose(object): > > > > + > > > > + class TestDmcryptKey(object): > > > > + > > > > +- def test_dmcrypt_with_default_size(self, conf_ceph_stub): > > > > +- conf_ceph_stub('[global]\nfsid=asdf-lkjh') > > > > +- result = encryption.create_dmcrypt_key() > > > > +- assert len(result) == 172 > > > > +- > > > > +- def test_dmcrypt_with_custom_size(self, conf_ceph_stub): > > > > +- conf_ceph_stub(''' > > > > +- [global] > > > > +- fsid=asdf > > > > +- [osd] > > > > +- osd_dmcrypt_size=8 > > > > +- ''') > > > > ++ def test_dmcrypt(self): > > > > + result = encryption.create_dmcrypt_key() > > > > +- assert len(result) == 172 > > > > ++ assert len(base64.b64decode(result)) == 128 > > > > +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py > > > > +b/src/ceph-volume/ceph_volume/util/encryption.py > > > > +index 72a0ccf121e..2a2c03337b6 100644 > > > > +--- a/src/ceph-volume/ceph_volume/util/encryption.py > > > > ++++ b/src/ceph-volume/ceph_volume/util/encryption.py > > > > +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, > > > > +get_part_entry_type > > > > + > > > > + logger = 
logging.getLogger(__name__) > > > > + > > > > +- > > > > +-def create_dmcrypt_key(): > > > > ++def get_key_size_from_conf(): > > > > + """ > > > > +- Create the secret dm-crypt key used to decrypt a device. > > > > ++ Return the osd dmcrypt key size from config file. > > > > ++ Default is 512. > > > > + """ > > > > +- # get the customizable dmcrypt key size (in bits) from ceph.conf > fallback > > > > +- # to the default of 1024 > > > > +- dmcrypt_key_size = conf.ceph.get_safe( > > > > ++ default_key_size = '512' > > > > ++ key_size = conf.ceph.get_safe( > > > > + 'osd', > > > > + 'osd_dmcrypt_key_size', > > > > +- default=1024, > > > > +- ) > > > > +- # The size of the key is defined in bits, so we must transform > > > > that > > > > +- # value to bytes (dividing by 8) because we read in bytes, not > > > > bits > > > > +- random_string = os.urandom(int(dmcrypt_key_size / 8)) > > > > ++ default='512') > > > > ++ > > > > ++ if key_size not in ['256', '512']: > > > > ++ logger.warning(("Invalid value set for osd_dmcrypt_key_size > > > > ({}). " > > > > ++ "Falling back to {}bits".format(key_size, > > > > default_key_size))) > > > > ++ return default_key_size > > > > ++ > > > > ++ return key_size > > > > ++ > > > > ++def create_dmcrypt_key(): > > > > ++ """ > > > > ++ Create the secret dm-crypt key (KEK) used to encrypt/decrypt > > > > ++the Volume > > > Key. 
> > > > ++ """ > > > > ++ random_string = os.urandom(128) > > > > + key = base64.b64encode(random_string).decode('utf-8') > > > > + return key > > > > + > > > > +@@ -38,6 +46,8 @@ def luks_format(key, device): > > > > + command = [ > > > > + 'cryptsetup', > > > > + '--batch-mode', # do not prompt > > > > ++ '--key-size', > > > > ++ get_key_size_from_conf(), > > > > + '--key-file', # misnomer, should be key > > > > + '-', # because we indicate stdin for the key here > > > > + 'luksFormat', > > > > +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping): > > > > + """ > > > > + command = [ > > > > + 'cryptsetup', > > > > ++ '--key-size', > > > > ++ get_key_size_from_conf(), > > > > + '--key-file', > > > > + '-', > > > > + '--allow-discards', # allow discards (aka TRIM) > > > > +requests for device > > > > +-- > > > > +2.35.1 > > > > + > > > > diff --git a/recipes-extended/ceph/ceph_15.2.15.bb > > > > b/recipes-extended/ceph/ceph_15.2.15.bb > > > > index 17dbcf35..b13ebb70 100644 > > > > --- a/recipes-extended/ceph/ceph_15.2.15.bb > > > > +++ b/recipes-extended/ceph/ceph_15.2.15.bb > > > > @@ -14,6 +14,7 @@ SRC_URI = > > > > "http://download.ceph.com/tarballs/ceph- > > > ${PV}.tar.gz \ > > > > file://ceph.conf \ > > > > file://0001-cmake-add-support-for-python3.10.patch \ > > > > > > > > file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \ > > > > + file://CVE-2021-3979.patch \ > > > > " > > > > > > > > SRC_URI[sha256sum] = > > > > "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf" > > > > -- > > > > 2.35.1 > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > - Thou shalt not follow the NULL pointer, for chaos and madness > > > await thee at its end > > > - "Use the force Harry" - Gandalf, Star Trek II > > > > -- > - Thou shalt not follow the NULL pointer, for chaos and madness await thee at > its end > - "Use the force Harry" - Gandalf, Star Trek II
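Review bot: The `Upstream-Status: Backport` tag in the new patch header is split over three lines, with the repository and the commit hash on separate continuation lines; the usual one-line form is `Upstream-Status: Backport [https://github.com/ceph/ceph/commit/47c33179f9a15ae95cc1579a421be89378602656]`, which tooling can parse. The series subject reads `CVE-1021-3979` while the patch filename, its `CVE:` tag and the diffstat all say CVE-2021-3979, so the typo would land in the commit log if the series is applied as-is. The recipe hunk only appends `file://CVE-2021-3979.patch \` to SRC_URI, which is fine. One point to confirm rather than change in the backport: `--key-size` is also added to the luks_open command, and for a LUKS device cryptsetup appears to take the key size from the LUKS header, so that argument is likely a no-op there and the config-driven size is effectively enforced only at luksFormat time.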
