crypttab: Support for VeraCrypt PIM and detached headers for TrueCrypt/VeraCrypt (#27548)

* Added veracrypt-pim=<PIM> LUKS option for crypttab
2025-01-09 01:18:19 +03:00 · 2023-05-06 22:55:05 +02:00 · 2023-05-06 22:55:05 +02:00 · 703902400d
commit 703902400d
parent 3be6943e07
2 changed files with 43 additions and 8 deletions
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@ -172,12 +172,11 @@
      <varlistentry>
        <term><option>header=</option></term>

-        <listitem><para>Use a detached (separated) metadata device or
-        file where the LUKS header is stored. This option is only
-        relevant for LUKS devices. See
+        <listitem><para>Use a detached (separated) metadata device or file
+        where the header containing the master key(s) is stored. This
+        option is only relevant for LUKS and TrueCrypt/VeraCrypt devices. See
        <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-        for possible values and the default value of this
-        option.</para>
+        for possible values and the default value of this option.</para>

        <para>Optionally, the path may be followed by <literal>:</literal> and an
        <filename>/etc/fstab</filename> device specification (e.g. starting with <literal>UUID=</literal> or
@ -483,6 +482,25 @@
        option implies <option>tcrypt</option>.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>veracrypt-pim=</option></term>
+
+        <listitem><para>Specifies a custom Personal Iteration Multiplier (PIM)
+        value, which can range from 0..2147468 for standard veracrypt volumes
+        and 0..65535 for veracrypt system volumes. A value of 0 will imply the
+        VeraCrypt default.
+
+        This option is only effective when <option>tcrypt-veracrypt</option> is
+        set.</para>
+
+        <para>Note that VeraCrypt enforces a minimal allowed PIM value depending on the
+        password strength and the hash algorithm used for key derivation, however
+        <option>veracrypt-pim=</option> is not checked against these bounds.
+        <ulink url="https://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html">See
+        documentation</ulink> for more information.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><option>timeout=</option></term>

--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@ -81,6 +81,7 @@ static bool arg_no_write_workqueue = false;
 static bool arg_tcrypt_hidden = false;
 static bool arg_tcrypt_system = false;
 static bool arg_tcrypt_veracrypt = false;
+static uint32_t arg_tcrypt_veracrypt_pim = 0;
 static char **arg_tcrypt_keyfiles = NULL;
 static uint64_t arg_offset = 0;
 static uint64_t arg_skip = 0;
@ -233,7 +234,8 @@ static int parse_one_option(const char *option) {
                        return log_oom();

        } else if ((val = startswith(option, "header="))) {
-                arg_type = ANY_LUKS;
+                if (!STR_IN_SET(arg_type, ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT))
+                        arg_type = ANY_LUKS;

                if (!path_is_absolute(val))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@ -298,6 +300,13 @@ static int parse_one_option(const char *option) {
        } else if (STR_IN_SET(option, "tcrypt-veracrypt", "veracrypt")) {
                arg_type = CRYPT_TCRYPT;
                arg_tcrypt_veracrypt = true;
+        } else if ((val = startswith(option, "veracrypt-pim="))) {
+
+                r = safe_atou32(val, &arg_tcrypt_veracrypt_pim);
+                if (r < 0) {
+                        log_warning_errno(r, "Failed to parse %s, ignoring: %m", option);
+                        return 0;
+                }
        } else if (STR_IN_SET(option, "plain", "swap", "tmp") ||
                   startswith(option, "tmp="))
                arg_type = CRYPT_PLAIN;
@ -981,6 +990,9 @@ static int attach_tcrypt(

        if (arg_tcrypt_veracrypt)
                params.flags |= CRYPT_TCRYPT_VERA_MODES;
+        
+        if (arg_tcrypt_veracrypt && arg_tcrypt_veracrypt_pim != 0)
+                params.veracrypt_pim = arg_tcrypt_veracrypt_pim;

        if (key_data) {
                params.passphrase = key_data;
@ -2157,8 +2169,13 @@ static int run(int argc, char *argv[]) {
                        destroy_key_file = key_file; /* let's get this baby erased when we leave */

                if (arg_header) {
-                        log_debug("LUKS header: %s", arg_header);
-                        r = crypt_init(&cd, arg_header);
+                        if (streq_ptr(arg_type, CRYPT_TCRYPT)){
+                            log_debug("tcrypt header: %s", arg_header);
+                            r = crypt_init_data_device(&cd, arg_header, source);
+                        } else {
+                            log_debug("LUKS header: %s", arg_header);
+                            r = crypt_init(&cd, arg_header);
+                        }
                } else
                        r = crypt_init(&cd, source);
                if (r < 0)