From 97fb1fc4b10153bac96814c424008939a66507d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabr=C3=ADel=20Arth=C3=BAr=20P=C3=A9tursson?=
Date: Thu, 4 Jan 2024 08:34:40 +0000
Subject: [PATCH] cryptenroll: Lock memory pages before operating on the device

This is what systemd-cryptsetup does. We will be unlocking the device, working with sensitive cryptographic material as well.
---
 src/cryptenroll/cryptenroll.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index e1fdc3f5f02..0674116ec8c 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include
+#include
 #include "ask-password-api.h"
 #include "build.h"
@@ -706,6 +707,9 @@ static int run(int argc, char *argv[]) {
 if (r <= 0)
 return r;
+ /* A delicious drop of snake oil */
+ (void) mlockall(MCL_FUTURE);
+
 cryptsetup_enable_logging(NULL);
 if (arg_enroll_type < 0)
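Review bot: The `(void) mlockall(MCL_FUTURE);` call added in run() discards the result, so when locking fails (for example because RLIMIT_MEMLOCK is too low for the caller) the tool goes on to handle passphrases and volume keys in swappable memory with no trace of it. Keeping the call best-effort is reasonable, but a debug message would make the failure visible: `if (mlockall(MCL_FUTURE) < 0) log_debug_errno(errno, "Failed to lock memory pages, ignoring: %m");`. `MCL_FUTURE` on its own covers only mappings created after the call; pages already mapped at this point stay unlocked unless `MCL_CURRENT` is passed as well, so it is worth confirming that is intended. The comment would also help more if it named the threat, e.g. `/* Best effort: keep key material in newly mapped pages from being written to swap */`. run() starts before and continues after this hunk, so where secrets are first allocated relative to this call cannot be checked from here.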