# Recipe metadata for cryptsetup: description, license, build dependencies
# and the pinned upstream source.
SUMMARY = "Manage plain dm-crypt and LUKS encrypted volumes"
DESCRIPTION = "Cryptsetup is used to conveniently setup dm-crypt managed \
device-mapper mappings. These include plain dm-crypt volumes and \
LUKS volumes. The difference is that LUKS uses a metadata header \
and can hence offer more features than plain dm-crypt. On the other \
hand, the header is visible and vulnerable to damage."
HOMEPAGE = "https://gitlab.com/cryptsetup/cryptsetup"
SECTION = "console"
LICENSE = "GPL-2.0-with-OpenSSL-exception"
# The md5 here only detects a change in the COPYING text so the license can
# be re-reviewed; integrity of the fetched source is pinned separately by
# SRC_URI[sha256sum] below.
LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326"

# Build-time dependencies that are needed whatever PACKAGECONFIG selects.
DEPENDS = " \
    json-c \
    libdevmapper \
    popt \
    util-linux-libuuid \
"

# On musl builds, add argp-standalone and link it explicitly with -largp.
DEPENDS:append:libc-musl = " argp-standalone"
LDFLAGS:append:libc-musl = " -largp"

# Release tarball from the kernel.org mirror. The "vX.Y" directory component
# is built from the first two dot-separated fields of PV. The local patch is
# applied on top of the unpacked tarball.
SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz \
           file://0001-Replace-off64_t-with-off_t.patch \
           "
# SHA-256 of the tarball; the fetcher rejects a download that does not match,
# so this value has to change together with PV.
SRC_URI[sha256sum] = "44397ba76e75a9cde5b02177bc63cd7af428a785788e3a7067733e7761842735"

inherit autotools gettext pkgconfig

# Features enabled by default. ??= is a weak default, so an assignment in a
# distro configuration or local.conf replaces this whole list; anyone who
# overrides it has to list a crypto backend again.
#
# Use openssl because libgcrypt drops root privileges
# if libgcrypt is linked with libcap support
#
# 'selinux' is included only when DISTRO_FEATURES contains it.
# 'luks2' is not in this list, so PACKAGECONFIG[luks2] passes its "disabled"
# argument, --with-default-luks-format=LUKS1.
PACKAGECONFIG ??= " \
    keyring \
    cryptsetup \
    veritysetup \
    luks2-reencryption \
    integritysetup \
    ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
    kernel_crypto \
    internal-argon2 \
    blkid \
    luks-adjust-xts-keysize \
    openssl \
    ssh-token \
"
# udev integration is added for target builds only, not for native/nativesdk.
PACKAGECONFIG:append:class-target = " \
    udev \
"

# One entry per optional feature. Fields are comma separated:
#   configure args when enabled, configure args when disabled,
#   build-time dependencies, run-time dependencies
# Empty fields are allowed (see udev, which adds run-time dependencies only).
PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
# Passphrase quality checking; neither is in the default PACKAGECONFIG list.
PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
PACKAGECONFIG[luks2-reencryption] = "--enable-luks2-reencryption,--disable-luks2-reencryption"
PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
# gcrypt-pbkdf2 requires --with-crypto_backend=gcrypt or the flag isn't
# recognized. For the same reason the entry has no "disabled" argument.
PACKAGECONFIG[gcrypt-pbkdf2] = "--enable-gcrypt-pbkdf2"
PACKAGECONFIG[internal-argon2] = "--enable-internal-argon2,--disable-internal-argon2"
PACKAGECONFIG[internal-sse-argon2] = "--enable-internal-sse-argon2,--disable-internal-sse-argon2"
PACKAGECONFIG[blkid] = "--enable-blkid,--disable-blkid,util-linux"
PACKAGECONFIG[dev-random] = "--enable-dev-random,--disable-dev-random"
PACKAGECONFIG[luks-adjust-xts-keysize] = "--enable-luks-adjust-xts-keysize,--disable-luks-adjust-xts-keysize"
# Crypto backends. All five pass the same option, --with-crypto_backend, with
# a different value, so enable exactly one of them. None has a "disabled"
# argument: with no backend selected, configure is left to its own default.
PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
# Selects the default on-disk format. When 'luks2' is not enabled (it is not
# in the default PACKAGECONFIG list of this recipe) the default is LUKS1.
# NOTE(review): the LUKS2_* PBKDF defaults configured in this recipe
# presumably apply to LUKS2 volumes only; confirm that a LUKS1 default
# format is intended.
PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
PACKAGECONFIG[ssh-token] = "--enable-ssh-token,--disable-ssh-token,libssh"

# Fixed configure options that are not controlled through PACKAGECONFIG.
EXTRA_OECONF = "--enable-static"
# Building without largefile is not supported by upstream
EXTRA_OECONF += "--enable-largefile"
# Requires a static popt library
EXTRA_OECONF += "--disable-static-cryptsetup"
# There's no recipe for libargon2 yet
EXTRA_OECONF += "--disable-libargon2"
# Disable documentation, there is no asciidoctor-native available in OE
EXTRA_OECONF += "--disable-asciidoc"
# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms)
# These become compile-time defaults through the --with-luks2-* options
# below. ?= lets a distro configuration or local.conf set other values.
# NOTE(review): RFC 9106 recommends Argon2id over Argon2i for password
# hashing; confirm whether argon2i is kept here deliberately.
LUKS2_PBKDF ?= "argon2i"
# 1048576 KB = 1 GiB.
# NOTE(review): check this against the RAM of the devices that will format
# and unlock volumes; presumably the Argon2 memory cost is needed again on
# every unlock - verify on the smallest supported target.
LUKS2_MEMORYKB ?= "1048576"
LUKS2_PARALLEL_THREADS ?= "4"
# 2000 ms.
LUKS2_ITERTIME ?= "2000"

EXTRA_OECONF += "--with-luks2-pbkdf=${LUKS2_PBKDF} \
    --with-luks2-memory-kb=${LUKS2_MEMORYKB} \
    --with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS} \
    --with-luks2-iter-time=${LUKS2_ITERTIME}"

# Runs after the autotools install step to drop an empty ${libdir}/${BPN}.
do_install:append() {
    # The /usr/lib/cryptsetup directory is always created, even when ssh-token
    # is disabled. In that case it is empty and causes a packaging error. Since
    # there is no reason to distribute the empty directory, the easiest solution
    # is to remove it if it is empty.
    # -p also removes parent directories that are left empty, and
    # --ignore-fail-on-non-empty makes the command succeed when the directory
    # (or a parent) still has content, so installed files are never touched.
    rmdir -p --ignore-fail-on-non-empty ${D}${libdir}/${BPN}
}

# Package the tmpfiles.d snippet only when systemd is in DISTRO_FEATURES;
# otherwise nothing is added to FILES.
FILES:${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}"

# Hard run-time dependency of the main package.
RDEPENDS:${PN} = " \
    libdevmapper \
"

# Kernel crypto and device-mapper modules for target images. RRECOMMENDS is a
# soft dependency: the package still installs when a module package does not
# exist.
# NOTE(review): presumably that covers kernels with these algorithms built
# in; confirm the target kernel provides dm-crypt and the ciphers either way.
RRECOMMENDS:${PN}:class-target = " \
    kernel-module-aes-generic \
    kernel-module-dm-crypt \
    kernel-module-md5 \
    kernel-module-cbc \
    kernel-module-sha256-generic \
    kernel-module-xts \
"

# Also provide native and nativesdk variants of this recipe.
BBCLASSEXTEND = "native nativesdk"