LUKS -当大偏移量时,太大的分离头大小
LUKS -当大偏移量时,太大的分离头大小
提问于 2020-04-01 20:57:14
我发现cryptsetup有一种不一致的处理头的方法,我很想称它为一个bug --我想要实现一个非常大的LUKS偏移,而不会导致一个非常大的分离头--这就是我尝试过的:
$ cryptsetup --version
cryptsetup 2.2.0
$ # First let's establish the default header size
$ cryptsetup --header header_default luksFormat /dev/sdc
$ stat -c '%s' header_default
16777216
$ # it is exactly 16 MiB
$ # I try now with offset zero
$ cryptsetup --header header_0 --offset 0 luksFormat /dev/sdc
$ stat -c '%s' header_0
16777216
$ # very good, all needed data is still stored in a 16 MiB header
$ # Let's see what happens with a very small offset of 1 MiB
$ cryptsetup --header header_1MiB --offset $((2**11)) luksFormat /dev/sdc
WARNING: keyslots area (1015808 bytes) is very small, available LUKS2 keyslot count is very limited.
$ stat -c '%s' header_1MiB
1048576
$ # header size is very small, matching exactly with offset given, but I got a warning
$ # I wish I could set any offset I like without resulting in a detached header with limitations
$ # Let's try again with a slightly larger offset of 4 MiB
$ cryptsetup --header header_4MiB --offset $((2**11*4)) luksFormat /dev/sdc
$ stat -c '%s' header_4MiB
4194304
$ # again header size matches exactly with offset given, cryptsetup exited with no error or warning
$ # it seems that a proper header can be achieved with a size smaller than the default one
$ # Now let's try with a very large offset
$ cryptsetup --header header_1GiB --offset $((2**21)) luksFormat /dev/sdc
$ stat -c '%s' header_1GiB
1073741824
$ # again header size matches exactly with offset given
$ # problem is the header file is too unreasonably bulky !
$ # Let's try something different
$ cryptsetup --header-backup-file header_1GiB_backup luksHeaderBackup header_1GiB
$ stat -c '%s' header_1GiB_backup
134250496
$ # header_1GiB_backup is slightly more than 128 MiB, precisely "$((2**15*4097))"
$ # Let's see what's the difference between header_1GiB and header_1GiB_backup
$ cmp header_1GiB header_1GiB_backup
cmp: EOF on header_1GiB_backup after byte 134250496, in line 523167
$ xxd -s $((134250496-16)) header_1GiB | head -n2
08007ff0: 9d3a e917 4327 f9e5 6dfb bdcb 3890 6168 .:..C'..m...8.ah
08008000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
$ xxd -p -s 134250496 header_1GiB | { grep '[^0]' || echo 'only null bytes found'; }
only null bytes found
$ # As I suspected: header_1GiB = header_1GiB_backup padded with zeros
$ # I've tried to 'luksHeaderBackup' other large headers, the resulting size is always the same: 134250496 bytes
$ # Are other headers padded with zeros? Let's have a look
$ tail -c 32 header_* | cat --show-nonprinting
==> header_0 <==
M-NM-^WM-PM-0M-LM-`M-^^BM-;M-,JM-+M-dM-:g1UM-/`M-"^Con header_1GiB <==
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
==> header_1GiB_backup <==
QM-^HM-^CM-^XM-i^_M-*GM-x~KM-i'M-^NM-^G]M-^]:M-i^WC'M-yM-emM-{M-=M-K8M-^Pah
==> header_1MiB <==
sM-KM-&=`~^FM-^PM-'M-G(AM-jM-_M-&l~>WM-^ZM-a^_M-^^M-qhs^R)M-2M-TM-eS
==> header_4MiB <==
~^@KM--F^U^[M-dM-_M- header_default <==
UM-_V
M-^^+M-z3M-^M-\M-*pM-jM-\M-^@"M-}|^OM-0M-6M-FM-DM-NM-b^ZM-!M-IM-^KM-^MR[
$ # Only 'header_1GiB' is padded with zeros, all others I believe are padded with random bytes默认的标头大小为16 MiB,它似乎足以满足系统设置的需要,应该使用默认大小分离的标头来简化系统的设置。对于任何小于16 MiB的偏移量,也应该给出默认大小的分离头,就像零偏移的情况一样
回答 1
Security用户
发布于 2020-06-29 19:26:28
# losetup --offset 1GiB /dev/loop0 /dev/sdc
# cryptsetup --header header_1GiB --offset $((2**21)) luksFormat /dev/loop0标题大小为16777216字节。
页面原文内容由Security提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://security.stackexchange.com/questions/229092
复制相关文章
相似问题
腾讯云开发者
