From 1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 10:06:26 +0200 Subject: Adding upstream version 2:2.6.1. Signed-off-by: Daniel Baumann --- docs/v1.4.3-ReleaseNotes | 62 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 docs/v1.4.3-ReleaseNotes (limited to 'docs/v1.4.3-ReleaseNotes') diff --git a/docs/v1.4.3-ReleaseNotes b/docs/v1.4.3-ReleaseNotes new file mode 100644 index 0000000..16792a5 --- /dev/null +++ b/docs/v1.4.3-ReleaseNotes @@ -0,0 +1,62 @@ +Cryptsetup 1.4.3 Release Notes +============================== + +Changes since version 1.4.2 + +* Fix readonly activation if underlying device is readonly (1.4.0). + +* Fix loop mapping on readonly file. + +* Include stddef.h in libdevmapper.h (size_t definition). + +* Fix keyslot removal for device with 4k hw block (1.4.0). +(Wipe keyslot failed in this case.) + +* Relax --shared flag to allow mapping even for overlapping segments. + + The --shared flag (and API CRYPT_ACTIVATE_SHARED flag) is now able + to map arbitrary overlapping area. From API it is even usable + for LUKS devices. + It is user responsibility to not cause data corruption though. + + This allows e.g. scubed to work again and also allows some + tricky extensions later. + +* Allow empty cipher (cipher_null) for testing. + + You can now use "null" (or directly cipher_null-ecb) in cryptsetup. + This means no encryption, useful for performance tests + (measure dm-crypt layer overhead). + +* Switch on retry on device remove for libdevmapper. + Device-mapper now retry removal if device is busy. + +* Allow "private" activation (skip some udev global rules) flag. + Cryptsetup library API now allows one to specify CRYPT_ACTIVATE_PRIVATE, + which means that some udev rules are not processed. + (Used for temporary devices, like internal keyslot mappings where + it is not desirable to run any device scans.) + +* This release also includes some Red Hat/Fedora specific extensions +related to FIPS140-2 compliance. + +In fact, all these patches are more formal changes and are just subset +of building blocks for FIPS certification. See FAQ for more details +about FIPS. + +FIPS extensions are enabled by using --enable-fips configure switch. + +In FIPS mode (kernel booted with fips=1 and gcrypt in FIPS mode) + + - it provides library and binary integrity verification using + libfipscheck (requires pre-generated checksums) + + - it uses FIPS approved RNG for encryption key and salt generation + (note that using /dev/random is not formally FIPS compliant RNG). + + - only gcrypt crypto backend is currently supported in FIPS mode. + +The FIPS RNG requirement for salt comes from NIST SP 800-132 recommendation. +(Recommendation for Password-Based Key Derivation. Part 1: Storage Applications. +http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf) +LUKS should be aligned to this recommendation otherwise. -- cgit v1.2.3