initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/0001-Fix-comparing-DM-RAID-member-devices-UUID.patch

@@ -0,0 +1,27 @@
+From 2da13152619ee7233650339797657b45088b2219 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Tue, 18 Aug 2020 09:44:29 +0200
+Subject: [PATCH] dm: Fix comparing DM RAID member devices UUID
+
+There is no "UUID" property in UDev we must use the "ID_FS_UUID"
+one.
+This comparison works only because most DM RAID members don't have
+UUID so the check is skipped, but it fails for DDF RAID members
+which have a special GUID/UUID in UDev database.
+---
+ src/plugins/dm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/dm.c b/src/plugins/dm.c
+index a6412028..4ab0d2a4 100644
+--- a/src/plugins/dm.c
++++ b/src/plugins/dm.c
+@@ -482,7 +482,7 @@ static gboolean raid_dev_matches_spec (struct raid_dev *raid_dev, const gchar *n
+ 
+     context = udev_new ();
+     device = udev_device_new_from_subsystem_sysname (context, "block", dev_name);
+-    dev_uuid = udev_device_get_property_value (device, "UUID");
++    dev_uuid = udev_device_get_property_value (device, "ID_FS_UUID");
+     major_str = udev_device_get_property_value (device, "MAJOR");
+     minor_str = udev_device_get_property_value (device, "MINOR");
+ 

SOURCES/0002-Fix-default-key-size-for-non-XTS-ciphers.patch

@@ -0,0 +1,97 @@
+From 5d29bc014a33d9bdc1c5fb4b8add2f38850f46a8 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:03 +0100
+Subject: [PATCH] crypto: Fix default key size for non XTS ciphers
+
+512 bits should be default only for AES-XTS which needs two keys,
+default for other modes must be 256 bits.
+
+resolves: rhbz#1931847
+---
+ src/plugins/crypto.c | 11 +++++++++--
+ src/plugins/crypto.h |  2 +-
+ tests/crypto_test.py | 36 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index f4a2e8f0..1e7043fa 100644
+--- a/src/plugins/crypto.c
++++ b/src/plugins/crypto.c
+@@ -774,8 +774,15 @@ static gboolean luks_format (const gchar *device, const gchar *cipher, guint64 k
+         return FALSE;
+     }
+ 
+-    /* resolve requested/default key_size (should be in bytes) */
+-    key_size = (key_size != 0) ? (key_size / 8) : (DEFAULT_LUKS_KEYSIZE_BITS / 8);
++    if (key_size == 0) {
++        if (g_str_has_prefix (cipher_specs[1], "xts-"))
++            key_size = DEFAULT_LUKS_KEYSIZE_BITS * 2;
++        else
++            key_size = DEFAULT_LUKS_KEYSIZE_BITS;
++    }
++
++    /* key_size should be in bytes */
++    key_size = key_size / 8;
+ 
+     /* wait for enough random data entropy (if requested) */
+     if (min_entropy > 0) {
+diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
+index 71a1438d..a38724d9 100644
+--- a/src/plugins/crypto.h
++++ b/src/plugins/crypto.h
+@@ -36,7 +36,7 @@ typedef enum {
+ /* 20 chars * 6 bits per char (64-item charset) = 120 "bits of security" */
+ #define BD_CRYPTO_BACKUP_PASSPHRASE_LENGTH 20
+ 
+-#define DEFAULT_LUKS_KEYSIZE_BITS 512
++#define DEFAULT_LUKS_KEYSIZE_BITS 256
+ #define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
+ #define DEFAULT_LUKS2_SECTOR_SIZE 512
+ 
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 0609a070..0aecc032 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -236,6 +236,42 @@ def test_luks2_format(self):
+             self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
+         self.assertEqual(int(m.group(1)), 5)
+ 
++    def _get_luks1_key_size(self, device):
++        _ret, out, err = run_command("cryptsetup luksDump %s" % device)
++        m = re.search(r"MK bits:\s*(\S+)\s*", out)
++        if not m or len(m.groups()) != 1:
++            self.fail("Failed to get key size information from:\n%s %s" % (out, err))
++        key_size = m.group(1)
++        if not key_size.isnumeric():
++            self.fail("Failed to get key size information from: %s" % key_size)
++        return int(key_size)
++
++    @tag_test(TestTags.SLOW, TestTags.CORE)
++    def test_luks_format_key_size(self):
++        """Verify that formating device as LUKS works"""
++
++        # aes-xts: key size should default to 512
++        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 0, PASSWD, None, 0)
++        self.assertTrue(succ)
++
++        key_size = self._get_luks1_key_size(self.loop_dev)
++        self.assertEqual(key_size, 512)
++
++        # aes-cbc: key size should default to 256
++        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-cbc-essiv:sha256", 0, PASSWD, None, 0)
++        self.assertTrue(succ)
++
++        key_size = self._get_luks1_key_size(self.loop_dev)
++        self.assertEqual(key_size, 256)
++
++        # try specifying key size for aes-xts
++        succ = BlockDev.crypto_luks_format(self.loop_dev, "aes-xts-plain64", 256, PASSWD, None, 0)
++        self.assertTrue(succ)
++
++        key_size = self._get_luks1_key_size(self.loop_dev)
++        self.assertEqual(key_size, 256)
++
++
+ class CryptoTestResize(CryptoTestCase):
+ 
+     def _get_key_location(self, device):

SOURCES/0003-Memory-leaks-fixes-backport.patch

@@ -0,0 +1,178 @@
+From 98cb3b9cf2046ba6e33db6ff400449c6a4827932 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 29 Apr 2021 12:38:49 +0200
+Subject: [PATCH 1/8] kbd: Fix memory leak
+
+---
+ src/plugins/kbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/kbd.c b/src/plugins/kbd.c
+index a2908ecb..d5ae0ed7 100644
+--- a/src/plugins/kbd.c
++++ b/src/plugins/kbd.c
+@@ -1035,6 +1035,7 @@ gboolean bd_kbd_bcache_destroy (const gchar *bcache_device, GError **error) {
+ 
+     if (c_set_uuid) {
+         path = g_strdup_printf ("/sys/fs/bcache/%s/stop", c_set_uuid);
++        g_free (c_set_uuid);
+         success = bd_utils_echo_str_to_file ("1", path, error);
+         g_free (path);
+         if (!success) {
+
+From c6d226c70996f6006a3f6eff13f8264f03e95c4f Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Fri, 25 Sep 2020 14:22:58 +0200
+Subject: [PATCH 2/8] crypto: Fix memory leak
+
+---
+ src/plugins/crypto.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index 1e7043fa..4fad9a85 100644
+--- a/src/plugins/crypto.c
++++ b/src/plugins/crypto.c
+@@ -1275,6 +1275,7 @@ gboolean bd_crypto_luks_add_key (const gchar *device, const gchar *pass, const g
+         success = g_file_get_contents (nkey_file, &nkey_buf, &nbuf_len, error);
+         if (!success) {
+             g_prefix_error (error, "Failed to load key from file '%s': ", nkey_file);
++            g_free (key_buf);
+             return FALSE;
+         }
+     } else
+
+From 41b460fb81cf066e7ddc0bdda7f34db5e90b9f79 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Fri, 25 Sep 2020 14:23:24 +0200
+Subject: [PATCH 3/8] dm: Fix memory leak in the DM plugin and DM logging
+ redirect function
+
+---
+ src/plugins/dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/dm.c b/src/plugins/dm.c
+index fb4e50b5..c9a735ed 100644
+--- a/src/plugins/dm.c
++++ b/src/plugins/dm.c
+@@ -245,7 +245,8 @@ gchar* bd_dm_name_from_node (const gchar *dm_node, GError **error) {
+     g_free (sys_path);
+ 
+     if (!success) {
+-        /* errror is already populated */
++        /* error is already populated */
++        g_free (ret);
+         return NULL;
+     }
+ 
+
+From 8d085fbb15c18ca91a5eff89192391c5a0b3bb7a Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Fri, 25 Sep 2020 14:24:14 +0200
+Subject: [PATCH 4/8] fs: Fix memory leak
+
+---
+ src/plugins/fs/mount.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/fs/mount.c b/src/plugins/fs/mount.c
+index 43d64e8c..46e03ca4 100644
+--- a/src/plugins/fs/mount.c
++++ b/src/plugins/fs/mount.c
+@@ -541,6 +541,7 @@ static gboolean run_as_user (MountFunc func, MountArgs *args, uid_t run_as_uid,
+                                        "Unknoen error while reading error.");
+                       g_io_channel_unref (channel);
+                       close (pipefd[0]);
++                      g_free (error_msg);
+                       return FALSE;
+                   }
+ 
+
+From 6c45f4ef1fc898d71cc2f13670adb508a6037c66 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Fri, 25 Sep 2020 14:26:24 +0200
+Subject: [PATCH 5/8] kbd: Fix memory leak
+
+---
+ src/plugins/kbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/kbd.c b/src/plugins/kbd.c
+index d5ae0ed7..ff8bde17 100644
+--- a/src/plugins/kbd.c
++++ b/src/plugins/kbd.c
+@@ -1255,6 +1255,7 @@ static gboolean get_cache_size_used (const gchar *cache_dev_sys, guint64 *size,
+     g_io_channel_unref (file);
+ 
+     if (!found) {
++        g_free (line);
+         g_set_error (error, BD_KBD_ERROR, BD_KBD_ERROR_BCACHE_INVAL,
+                      "Failed to get cache usage data");
+         return FALSE;
+
+From 4f4e93dfca36421eb0e0cb2dec5d48df5bc2f363 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Fri, 25 Sep 2020 14:26:37 +0200
+Subject: [PATCH 6/8] lvm-dbus: Fix memory leak
+
+---
+ src/plugins/lvm-dbus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/lvm-dbus.c b/src/plugins/lvm-dbus.c
+index b7b4480e..144551f5 100644
+--- a/src/plugins/lvm-dbus.c
++++ b/src/plugins/lvm-dbus.c
+@@ -2927,6 +2927,7 @@ gboolean bd_lvm_cache_detach (const gchar *vg_name, const gchar *cached_lv, gboo
+     lv_id = g_strdup_printf ("%s/%s", vg_name, cached_lv);
+     call_lvm_obj_method_sync (lv_id, CACHED_LV_INTF, "DetachCachePool", params, NULL, extra, TRUE, error);
+     g_free (lv_id);
++    g_free (cache_pool_name);
+     return ((*error) == NULL);
+ }
+ 
+
+From 410a10bc2cfceeb550d72456573d4722b4207ddc Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Fri, 25 Sep 2020 14:27:22 +0200
+Subject: [PATCH 7/8] mdraid: Fix memory leak
+
+---
+ src/plugins/mdraid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/mdraid.c b/src/plugins/mdraid.c
+index 74af744c..b97bc641 100644
+--- a/src/plugins/mdraid.c
++++ b/src/plugins/mdraid.c
+@@ -1332,6 +1332,7 @@ gchar* bd_md_name_from_node (const gchar *node, GError **error) {
+             continue;
+         }
+         node_name = g_path_get_basename (dev_path);
++        g_free (dev_path);
+         if (g_strcmp0 (node_name, node) == 0) {
+             found = TRUE;
+             name = g_path_get_basename (*path_p);
+
+From 0d49e5d190e24fa89ae2795714d0276f24285b19 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Fri, 25 Sep 2020 14:27:54 +0200
+Subject: [PATCH 8/8] swap: Fix memory leak
+
+---
+ src/plugins/swap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/plugins/swap.c b/src/plugins/swap.c
+index 102780a7..115f8fca 100644
+--- a/src/plugins/swap.c
++++ b/src/plugins/swap.c
+@@ -417,6 +417,7 @@ gboolean bd_swap_swapstatus (const gchar *device, GError **error) {
+         if (!real_device) {
+             /* the device doesn't exist and thus is not an active swap */
+             g_clear_error (error);
++            g_free (file_content);
+             return FALSE;
+         }
+     }

SOURCES/0004-Adapt-to-dosfstools-4.2-changes.patch

@@ -0,0 +1,296 @@
+From cc522ec3717d909370af6181c7859c62fa0167df Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 22 Feb 2021 15:40:56 +0100
+Subject: [PATCH 1/2] fs: Allow using empty label for vfat with newest
+ dosfstools
+
+---
+ src/plugins/fs/vfat.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/plugins/fs/vfat.c b/src/plugins/fs/vfat.c
+index ff0c35a3..ce13f147 100644
+--- a/src/plugins/fs/vfat.c
++++ b/src/plugins/fs/vfat.c
+@@ -232,10 +232,21 @@ gboolean bd_fs_vfat_repair (const gchar *device, const BDExtraArg **extra, GErro
+  */
+ gboolean bd_fs_vfat_set_label (const gchar *device, const gchar *label, GError **error) {
+     const gchar *args[4] = {"fatlabel", device, label, NULL};
++    UtilDep dep = {"fatlabel", "4.2", "--version", "fatlabel\\s+([\\d\\.]+).+"};
++    gboolean new_vfat = FALSE;
+ 
+     if (!check_deps (&avail_deps, DEPS_FATLABEL_MASK, deps, DEPS_LAST, &deps_check_lock, error))
+         return FALSE;
+ 
++    if (!label || g_strcmp0 (label, "") == 0) {
++        /* fatlabel >= 4.2 refuses to set empty label */
++        new_vfat = bd_utils_check_util_version (dep.name, dep.version,
++                                                dep.ver_arg, dep.ver_regexp,
++                                                NULL);
++        if (new_vfat)
++            args[2] = "--reset";
++    }
++
+     return bd_utils_exec_and_report_error (args, NULL, error);
+ }
+ 
+
+From c3c3583409c8ed8f99a840e0c70cc92ca1dd3c93 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Tue, 27 Apr 2021 14:06:59 +0200
+Subject: [PATCH 2/2] tests: Call fs_vfat_mkfs with "--mbr=n" extra option in
+ tests
+
+Without the option the newest dosfstools 4.2 will create a valid
+MBR partition table with a simgle partition on the disk, see
+dosfstools/dosfstools#95 for details.
+---
+ src/plugins/fs/vfat.c |  5 ++-
+ tests/fs_test.py      | 76 +++++++++++++++++++++++++++++++++----------
+ 2 files changed, 62 insertions(+), 19 deletions(-)
+
+diff --git a/src/plugins/fs/vfat.c b/src/plugins/fs/vfat.c
+index ce13f147..6cb82537 100644
+--- a/src/plugins/fs/vfat.c
++++ b/src/plugins/fs/vfat.c
+@@ -234,6 +234,7 @@ gboolean bd_fs_vfat_set_label (const gchar *device, const gchar *label, GError *
+     const gchar *args[4] = {"fatlabel", device, label, NULL};
+     UtilDep dep = {"fatlabel", "4.2", "--version", "fatlabel\\s+([\\d\\.]+).+"};
+     gboolean new_vfat = FALSE;
++    GError *loc_error = NULL;
+ 
+     if (!check_deps (&avail_deps, DEPS_FATLABEL_MASK, deps, DEPS_LAST, &deps_check_lock, error))
+         return FALSE;
+@@ -242,9 +243,11 @@ gboolean bd_fs_vfat_set_label (const gchar *device, const gchar *label, GError *
+         /* fatlabel >= 4.2 refuses to set empty label */
+         new_vfat = bd_utils_check_util_version (dep.name, dep.version,
+                                                 dep.ver_arg, dep.ver_regexp,
+-                                                NULL);
++                                                &loc_error);
+         if (new_vfat)
+             args[2] = "--reset";
++        else
++            g_clear_error (&loc_error);
+     }
+ 
+     return bd_utils_exec_and_report_error (args, NULL, error);
+diff --git a/tests/fs_test.py b/tests/fs_test.py
+index 239cb47c..2233db4f 100644
+--- a/tests/fs_test.py
++++ b/tests/fs_test.py
+@@ -5,10 +5,13 @@
+ import tempfile
+ from contextlib import contextmanager
+ import utils
+-from utils import run, create_sparse_tempfile, mount, umount, TestTags, tag_test
++from utils import run, create_sparse_tempfile, mount, umount, TestTags, tag_test, run_command
++import re
+ import six
+ import overrides_hack
+ 
++from distutils.version import LooseVersion
++
+ from gi.repository import BlockDev, GLib
+ 
+ 
+@@ -29,9 +32,20 @@ def mounted(device, where, ro=False):
+     yield
+     umount(where)
+ 
++
++def _get_dosfstools_version():
++    _ret, out, _err = run_command("mkfs.vfat --help")
++    # mkfs.fat 4.1 (2017-01-24)
++    m = re.search(r"mkfs\.fat ([\d\.]+)", out)
++    if not m or len(m.groups()) != 1:
++        raise RuntimeError("Failed to determine dosfstools version from: %s" % out)
++    return LooseVersion(m.groups()[0])
++
++
+ class FSTestCase(unittest.TestCase):
+ 
+     requested_plugins = BlockDev.plugin_specs_from_names(("fs", "loop"))
++    _vfat_version = _get_dosfstools_version()
+ 
+     @classmethod
+     def setUpClass(cls):
+@@ -66,6 +80,11 @@ def setUp(self):
+ 
+         self.mount_dir = tempfile.mkdtemp(prefix="libblockdev.", suffix="ext4_test")
+ 
++        if self._vfat_version <= LooseVersion("4.1"):
++            self._mkfs_options = None
++        else:
++            self._mkfs_options = [BlockDev.ExtraArg.new("--mbr=n", "")]
++
+     def _clean_up(self):
+         try:
+             utils.delete_lio_device(self.loop_dev)
+@@ -120,7 +139,10 @@ def test_generic_wipe(self):
+ 
+         # vfat has multiple signatures on the device so it allows us to test the
+         # 'all' argument of fs_wipe()
+-        ret = run("mkfs.vfat -I %s >/dev/null 2>&1" % self.loop_dev)
++        if self._vfat_version >= LooseVersion("4.2"):
++            ret = utils.run("mkfs.vfat -I %s >/dev/null 2>&1 --mbr=n" % self.loop_dev)
++        else:
++            ret = utils.run("mkfs.vfat -I %s >/dev/null 2>&1" % self.loop_dev)
+         self.assertEqual(ret, 0)
+ 
+         time.sleep(0.5)
+@@ -142,7 +164,10 @@ def test_generic_wipe(self):
+         self.assertEqual(fs_type, b"")
+ 
+         # now do the wipe all in a one step
+-        ret = run("mkfs.vfat -I %s >/dev/null 2>&1" % self.loop_dev)
++        if self._vfat_version >= LooseVersion("4.2"):
++            ret = utils.run("mkfs.vfat -I %s >/dev/null 2>&1 --mbr=n" % self.loop_dev)
++        else:
++            ret = utils.run("mkfs.vfat -I %s >/dev/null 2>&1" % self.loop_dev)
+         self.assertEqual(ret, 0)
+ 
+         succ = BlockDev.fs_wipe(self.loop_dev, True)
+@@ -197,7 +222,10 @@ def test_clean(self):
+ 
+         # vfat has multiple signatures on the device so it allows us to test
+         # that clean removes all signatures
+-        ret = run("mkfs.vfat -I %s >/dev/null 2>&1" % self.loop_dev)
++        if self._vfat_version >= LooseVersion("4.2"):
++            ret = utils.run("mkfs.vfat -I %s >/dev/null 2>&1 --mbr=n" % self.loop_dev)
++        else:
++            ret = utils.run("mkfs.vfat -I %s >/dev/null 2>&1" % self.loop_dev)
+         self.assertEqual(ret, 0)
+ 
+         time.sleep(0.5)
+@@ -744,9 +772,9 @@ def test_vfat_mkfs(self):
+         """Verify that it is possible to create a new vfat file system"""
+ 
+         with self.assertRaises(GLib.GError):
+-            BlockDev.fs_vfat_mkfs("/non/existing/device", None)
++            BlockDev.fs_vfat_mkfs("/non/existing/device", self._mkfs_options)
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         # just try if we can mount the file system
+@@ -764,7 +792,10 @@ def test_vfat_mkfs_with_label(self):
+         """Verify that it is possible to create an vfat file system with label"""
+ 
+         ea = BlockDev.ExtraArg.new("-n", "TEST_LABEL")
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, [ea])
++        if self._mkfs_options:
++            succ = BlockDev.fs_vfat_mkfs(self.loop_dev, [ea] + self._mkfs_options)
++        else:
++            succ = BlockDev.fs_vfat_mkfs(self.loop_dev, [ea])
+         self.assertTrue(succ)
+ 
+         fi = BlockDev.fs_vfat_get_info(self.loop_dev)
+@@ -775,7 +806,7 @@ class VfatTestWipe(FSTestCase):
+     def test_vfat_wipe(self):
+         """Verify that it is possible to wipe an vfat file system"""
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         succ = BlockDev.fs_vfat_wipe(self.loop_dev)
+@@ -805,7 +836,7 @@ class VfatTestCheck(FSTestCase):
+     def test_vfat_check(self):
+         """Verify that it is possible to check an vfat file system"""
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         succ = BlockDev.fs_vfat_check(self.loop_dev, None)
+@@ -818,7 +849,7 @@ class VfatTestRepair(FSTestCase):
+     def test_vfat_repair(self):
+         """Verify that it is possible to repair an vfat file system"""
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         succ = BlockDev.fs_vfat_repair(self.loop_dev, None)
+@@ -828,7 +859,7 @@ class VfatGetInfo(FSTestCase):
+     def test_vfat_get_info(self):
+         """Verify that it is possible to get info about an vfat file system"""
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         fi = BlockDev.fs_vfat_get_info(self.loop_dev)
+@@ -841,7 +872,7 @@ class VfatSetLabel(FSTestCase):
+     def test_vfat_set_label(self):
+         """Verify that it is possible to set label of an vfat file system"""
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         fi = BlockDev.fs_vfat_get_info(self.loop_dev)
+@@ -870,7 +901,7 @@ class VfatResize(FSTestCase):
+     def test_vfat_resize(self):
+         """Verify that it is possible to resize an vfat file system"""
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         # shrink
+@@ -999,7 +1030,7 @@ def _remove_user(self):
+     def test_mount(self):
+         """ Test basic mounting and unmounting """
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         tmp = tempfile.mkdtemp(prefix="libblockdev.", suffix="mount_test")
+@@ -1104,7 +1135,7 @@ def test_mount_fstab(self):
+         fstab = utils.read_file("/etc/fstab")
+         self.addCleanup(utils.write_file, "/etc/fstab", fstab)
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         tmp = tempfile.mkdtemp(prefix="libblockdev.", suffix="mount_fstab_test")
+@@ -1139,7 +1170,7 @@ def test_mount_fstab_user(self):
+         fstab = utils.read_file("/etc/fstab")
+         self.addCleanup(utils.write_file, "/etc/fstab", fstab)
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         tmp = tempfile.mkdtemp(prefix="libblockdev.", suffix="mount_fstab_user_test")
+@@ -1423,7 +1454,16 @@ def expected_size(fi):
+     @tag_test(TestTags.UNSTABLE)
+     def test_vfat_generic_resize(self):
+         """Test generic resize function with a vfat file system"""
+-        self._test_generic_resize(mkfs_function=BlockDev.fs_vfat_mkfs)
++        def mkfs_vfat(device, options=None):
++            if self._vfat_version >= LooseVersion("4.2"):
++                if options:
++                    return BlockDev.fs_vfat_mkfs(device, options + [BlockDev.ExtraArg.new("--mbr=n", "")])
++                else:
++                    return BlockDev.fs_vfat_mkfs(device, [BlockDev.ExtraArg.new("--mbr=n", "")])
++            else:
++                return BlockDev.fs_vfat_mkfs(device, options)
++
++        self._test_generic_resize(mkfs_function=mkfs_vfat)
+ 
+     def _destroy_lvm(self):
+         run("vgremove --yes libbd_fs_tests >/dev/null 2>&1")
+@@ -1539,7 +1579,7 @@ def test_freeze_xfs(self):
+     def test_freeze_vfat(self):
+         """ Test basic freezing and un-freezing with FAT """
+ 
+-        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, None)
++        succ = BlockDev.fs_vfat_mkfs(self.loop_dev, self._mkfs_options)
+         self.assertTrue(succ)
+ 
+         tmp = tempfile.mkdtemp(prefix="libblockdev.", suffix="freeze_test")

SOURCES/0005-Add-workarounds-for-some-LVM-test-issues.patch

@@ -0,0 +1,157 @@
+From 7c31cc534f96766dd2e3427b09d0affca66b0745 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Tue, 23 Mar 2021 13:54:02 +0100
+Subject: [PATCH 1/3] tests: Do not try to remove VG before removing the VDO
+ pool
+
+---
+ tests/lvm_dbus_tests.py | 6 +++---
+ tests/lvm_test.py       | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index 8f2bb95d..b599fdd0 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -1517,14 +1517,14 @@ def setUp(self):
+         self.assertTrue(succ)
+ 
+     def _clean_up(self):
+-        BlockDev.lvm_vgremove("testVDOVG")
+-        BlockDev.lvm_pvremove(self.loop_dev)
+-
+         try:
+             BlockDev.lvm_lvremove("testVDOVG", "vdoPool", True, None)
+         except:
+             pass
+ 
++        BlockDev.lvm_vgremove("testVDOVG")
++        BlockDev.lvm_pvremove(self.loop_dev)
++
+         try:
+             delete_lio_device(self.loop_dev)
+         except RuntimeError:
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index 6f80a3ba..6c04faf9 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -1437,14 +1437,14 @@ def setUp(self):
+         self.assertTrue(succ)
+ 
+     def _clean_up(self):
+-        BlockDev.lvm_vgremove("testVDOVG")
+-        BlockDev.lvm_pvremove(self.loop_dev)
+-
+         try:
+             BlockDev.lvm_lvremove("testVDOVG", "vdoPool", True, None)
+         except:
+             pass
+ 
++        BlockDev.lvm_vgremove("testVDOVG")
++        BlockDev.lvm_pvremove(self.loop_dev)
++
+         try:
+             delete_lio_device(self.loop_dev)
+         except RuntimeError:
+
+From 41b9d745b8c1a33221e15683f390bae180d1e960 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Tue, 23 Mar 2021 13:59:24 +0100
+Subject: [PATCH 2/3] tests: Force remove LVM VG /dev/ entry not removed by
+ vgremove
+
+The directory is sometimes not removed. This is a known bug that
+causes subsequent test cases to fail.
+---
+ tests/lvm_dbus_tests.py | 6 ++++++
+ tests/lvm_test.py       | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index b599fdd0..3278716e 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -399,6 +399,9 @@ def _clean_up(self):
+         except:
+             pass
+ 
++        # XXX remove lingering /dev entries
++        shutil.rmtree("/dev/testVG", ignore_errors=True)
++
+         LvmPVonlyTestCase._clean_up(self)
+ 
+ @unittest.skipUnless(lvm_dbus_running, "LVM DBus not running")
+@@ -1525,6 +1528,9 @@ def _clean_up(self):
+         BlockDev.lvm_vgremove("testVDOVG")
+         BlockDev.lvm_pvremove(self.loop_dev)
+ 
++        # XXX remove lingering /dev entries
++        shutil.rmtree("/dev/testVDOVG", ignore_errors=True)
++
+         try:
+             delete_lio_device(self.loop_dev)
+         except RuntimeError:
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index 6c04faf9..d7e1f84c 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -378,6 +378,9 @@ def _clean_up(self):
+         except:
+             pass
+ 
++        # XXX remove lingering /dev entries
++        shutil.rmtree("/dev/testVG", ignore_errors=True)
++
+         LvmPVonlyTestCase._clean_up(self)
+ 
+ class LvmTestVGcreateRemove(LvmPVVGTestCase):
+@@ -1445,6 +1448,9 @@ def _clean_up(self):
+         BlockDev.lvm_vgremove("testVDOVG")
+         BlockDev.lvm_pvremove(self.loop_dev)
+ 
++        # XXX remove lingering /dev entries
++        shutil.rmtree("/dev/testVDOVG", ignore_errors=True)
++
+         try:
+             delete_lio_device(self.loop_dev)
+         except RuntimeError:
+
+From 4ecf0075cedf3a1d275d34b94ce5bb512c4e970e Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Tue, 23 Mar 2021 14:03:44 +0100
+Subject: [PATCH 3/3] tests: Tag LvmPVVGLVcachePoolCreateRemoveTestCase as
+ unstable
+
+LVM randomly fails to activate the newly created metadata LV.
+Issue is reported to LVM and not yet fixed.
+---
+ tests/lvm_dbus_tests.py | 2 +-
+ tests/lvm_test.py       | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index 3278716e..4882da88 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -1213,7 +1213,7 @@ def _clean_up(self):
+ 
+ @unittest.skipUnless(lvm_dbus_running, "LVM DBus not running")
+ class LvmPVVGLVcachePoolCreateRemoveTestCase(LvmPVVGLVcachePoolTestCase):
+-    @tag_test(TestTags.SLOW)
++    @tag_test(TestTags.SLOW, TestTags.UNSTABLE)
+     def test_cache_pool_create_remove(self):
+         """Verify that is it possible to create and remove a cache pool"""
+ 
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index d7e1f84c..eb94c917 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -1129,7 +1129,7 @@ def _clean_up(self):
+         LvmPVVGLVTestCase._clean_up(self)
+ 
+ class LvmPVVGLVcachePoolCreateRemoveTestCase(LvmPVVGLVcachePoolTestCase):
+-    @tag_test(TestTags.SLOW)
++    @tag_test(TestTags.SLOW, TestTags.UNSTABLE)
+     def test_cache_pool_create_remove(self):
+         """Verify that is it possible to create and remove a cache pool"""
+ 

SOURCES/0006-Misc-test-fixes-backport.patch

@@ -0,0 +1,144 @@
+From 77b8d17b0baf96a7a552fb8963afdbe8c3b18da7 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 2 Jun 2021 12:53:24 +0200
+Subject: [PATCH 1/4] tests: Make sure the test temp mount is always unmounted
+
+With try-finally the unmount function will always run even if the
+test case fails.
+---
+ tests/fs_test.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/fs_test.py b/tests/fs_test.py
+index 2233db4f..de685b5f 100644
+--- a/tests/fs_test.py
++++ b/tests/fs_test.py
+@@ -29,8 +29,10 @@ def check_output(args, ignore_retcode=True):
+ @contextmanager
+ def mounted(device, where, ro=False):
+     mount(device, where, ro)
+-    yield
+-    umount(where)
++    try:
++        yield
++    finally:
++        utils.umount(where)
+ 
+ 
+ def _get_dosfstools_version():
+
+From aa802b6a2c9038069cfea7f821333367840a43ca Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 2 Jun 2021 13:05:17 +0200
+Subject: [PATCH 2/4] tests: Do not check that XFS shrink fails with xfsprogs
+ >= 5.12
+
+xfsprogs 5.12 now has experimental support for shrinking, we need
+more changes to support it properly so just skip this check for
+now.
+---
+ tests/fs_test.py | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/tests/fs_test.py b/tests/fs_test.py
+index de685b5f..551b6a7b 100644
+--- a/tests/fs_test.py
++++ b/tests/fs_test.py
+@@ -44,6 +44,14 @@ def _get_dosfstools_version():
+     return LooseVersion(m.groups()[0])
+ 
+ 
++def _get_xfs_version():
++    _ret, out, _err = utils.run_command("mkfs.xfs -V")
++    m = re.search(r"mkfs\.xfs version ([\d\.]+)", out)
++    if not m or len(m.groups()) != 1:
++        raise RuntimeError("Failed to determine xfsprogs version from: %s" % out)
++    return LooseVersion(m.groups()[0])
++
++
+ class FSTestCase(unittest.TestCase):
+ 
+     requested_plugins = BlockDev.plugin_specs_from_names(("fs", "loop"))
+@@ -736,9 +744,11 @@ def test_xfs_resize(self):
+         self.assertEqual(fi.block_size * fi.block_count, 50 * 1024**2)
+ 
+         # (still) impossible to shrink an XFS file system
+-        with mounted(lv, self.mount_dir):
+-            with self.assertRaises(GLib.GError):
+-                succ = BlockDev.fs_xfs_resize(self.mount_dir, 40 * 1024**2 / fi.block_size, None)
++        xfs_version = _get_xfs_version()
++        if xfs_version < LooseVersion("5.1.12"):
++            with mounted(lv, self.mount_dir):
++                with self.assertRaises(GLib.GError):
++                    succ = BlockDev.fs_resize(lv, 40 * 1024**2)
+ 
+         run("lvresize -L70M libbd_fs_tests/xfs_test >/dev/null 2>&1")
+         # should grow
+@@ -1503,9 +1513,11 @@ def test_xfs_generic_resize(self):
+         self.assertEqual(fi.block_size * fi.block_count, 50 * 1024**2)
+ 
+         # (still) impossible to shrink an XFS file system
+-        with mounted(lv, self.mount_dir):
+-            with self.assertRaises(GLib.GError):
+-                succ = BlockDev.fs_resize(lv, 40 * 1024**2)
++        xfs_version = _get_xfs_version()
++        if xfs_version < LooseVersion("5.1.12"):
++            with mounted(lv, self.mount_dir):
++                with self.assertRaises(GLib.GError):
++                    succ = BlockDev.fs_resize(lv, 40 * 1024**2)
+ 
+         run("lvresize -L70M libbd_fs_tests/xfs_test >/dev/null 2>&1")
+         # should grow
+
+From ca01b6021cce3ea6a2318e74de408757f933d947 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 2 Jun 2021 13:06:41 +0200
+Subject: [PATCH 3/4] tests: Temporarily skip
+ test_snapshotcreate_lvorigin_snapshotmerge
+
+With LVM DBus API the lvconvert job is never finished which means
+the test run never finishes in our CI.
+---
+ tests/skip.yml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tests/skip.yml b/tests/skip.yml
+index 145d321d..e22e712d 100644
+--- a/tests/skip.yml
++++ b/tests/skip.yml
+@@ -137,3 +137,9 @@
+     - distro: "fedora"
+       version: ["31", "32"]
+       reason: "working with old-style LVM snapshots leads to deadlock in LVM tools"
++
++- test: lvm_dbus_tests.LvmTestLVsnapshots.test_snapshotcreate_lvorigin_snapshotmerge
++  skip_on:
++    - distro: "centos"
++      version: "9"
++      reason: "snapshot merge doesn't work on CentOS 9 Stream with LVM DBus API"
+
+From d0c44cd3d182599433f352901796af7c403239eb Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 2 Jun 2021 13:08:09 +0200
+Subject: [PATCH 4/4] Fix skipping tests on Debian testing
+
+Testing now identifies itself as "Debian GNU/Linux 11 (bullseye)"
+so the tests that should be skipped on testing needs to be skipped
+on "11" too.
+---
+ tests/skip.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/skip.yml b/tests/skip.yml
+index e22e712d..4134ee87 100644
+--- a/tests/skip.yml
++++ b/tests/skip.yml
+@@ -37,7 +37,7 @@
+ - test: fs_test.MountTest.test_mount_ntfs_ro
+   skip_on:
+     - distro: "debian"
+-      version: ["9", "10", "testing"]
++      version: ["9", "10", "11", "testing"]
+       reason: "NTFS mounting of read-only devices doesn't work as expected on Debian"
+ 
+ - test: kbd_test.KbdZRAM*

SOURCES/0008-lvm-Fix-reading-statistics-for-VDO-pools-with-VDO-8.patch

@@ -0,0 +1,80 @@
+From e0fcbae856454dba9df3f8df800d74fde66731e5 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Tue, 31 Aug 2021 14:07:23 +0200
+Subject: [PATCH] lvm: Fix reading statistics for VDO pools with VDO 8
+
+The statistics are no longer available in /sys/kvdo, in the latest
+version of kvdo we need to use /sys/block/<pool>/vdo/statistics.
+
+Resolves: rhbz#1994220
+---
+ src/plugins/vdo_stats.c | 42 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/src/plugins/vdo_stats.c b/src/plugins/vdo_stats.c
+index ed04b51..2e244aa 100644
+--- a/src/plugins/vdo_stats.c
++++ b/src/plugins/vdo_stats.c
+@@ -133,6 +133,23 @@ static void add_computed_stats (GHashTable *stats) {
+     add_journal_stats (stats);
+ }
+ 
++static gchar* _dm_node_from_name (const gchar *map_name, GError **error) {
++    gchar *dev_path = NULL;
++    gchar *ret = NULL;
++    gchar *dev_mapper_path = g_strdup_printf ("/dev/mapper/%s", map_name);
++
++    dev_path = bd_utils_resolve_device (dev_mapper_path, error);
++    g_free (dev_mapper_path);
++    if (!dev_path)
++        /* error is already populated */
++        return NULL;
++
++    ret = g_path_get_basename (dev_path);
++    g_free (dev_path);
++
++    return ret;
++}
++
+ GHashTable __attribute__ ((visibility ("hidden")))
+ *vdo_get_stats_full (const gchar *name, GError **error) {
+     GHashTable *stats;
+@@ -141,14 +158,31 @@ GHashTable __attribute__ ((visibility ("hidden")))
+     const gchar *direntry;
+     gchar *s;
+     gchar *val = NULL;
++    g_autofree gchar *dm_node = NULL;
+ 
+-    /* TODO: does the `name` need to be escaped? */
+-    stats_dir = g_build_path (G_DIR_SEPARATOR_S, VDO_SYS_PATH, name, "statistics", NULL);
++    /* try "new" (kvdo >= 8) path first -- /sys/block/dm-X/vdo/statistics */
++    dm_node = _dm_node_from_name (name, error);
++    if (dm_node == NULL) {
++        g_prefix_error (error, "Failed to get DM node for %s: ", name);
++        return NULL;
++    }
++
++    stats_dir = g_build_path (G_DIR_SEPARATOR_S, "/sys/block", dm_node, "vdo/statistics", NULL);
+     dir = g_dir_open (stats_dir, 0, error);
+     if (dir == NULL) {
+-        g_prefix_error (error, "Error reading statistics from %s: ", stats_dir);
++        g_debug ("Failed to read VDO stats using the new API, falling back to %s: %s",
++                 VDO_SYS_PATH, (*error)->message);
+         g_free (stats_dir);
+-        return NULL;
++        g_clear_error (error);
++
++        /* lets try /sys/kvdo */
++        stats_dir = g_build_path (G_DIR_SEPARATOR_S, VDO_SYS_PATH, name, "statistics", NULL);
++        dir = g_dir_open (stats_dir, 0, error);
++        if (dir == NULL) {
++            g_prefix_error (error, "Error reading statistics from %s: ", stats_dir);
++            g_free (stats_dir);
++            return NULL;
++        }
+     }
+ 
+     stats = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, g_free);
+-- 
+2.31.1
+

SOURCES/0009-vdo_stats-Default-to-100-savings-for-invalid-savings.patch

@@ -0,0 +1,30 @@
+From 940346f14ee5644f2593817b4196c18de8a713f0 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 22 Nov 2021 14:16:02 +0100
+Subject: [PATCH] vdo_stats: Default to 100 % savings for invalid savings
+ values
+
+We are currently using "-1" when VDO logical_blocks_used is 0
+which doesn't match the LVM logic which returns 100 so to make
+both values in vdo_info and vdo_stats equal we should return 100
+in this case too.
+---
+ src/plugins/vdo_stats.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/vdo_stats.c b/src/plugins/vdo_stats.c
+index 3ec2d60..f3f0390 100644
+--- a/src/plugins/vdo_stats.c
++++ b/src/plugins/vdo_stats.c
+@@ -96,7 +96,7 @@ static void add_block_stats (GHashTable *stats) {
+     g_hash_table_replace (stats, g_strdup ("oneKBlocksUsed"), g_strdup_printf ("%"G_GINT64_FORMAT, (data_blocks_used + overhead_blocks_used) * block_size / 1024));
+     g_hash_table_replace (stats, g_strdup ("oneKBlocksAvailable"), g_strdup_printf ("%"G_GINT64_FORMAT, (physical_blocks - data_blocks_used - overhead_blocks_used) * block_size / 1024));
+     g_hash_table_replace (stats, g_strdup ("usedPercent"), g_strdup_printf ("%.0f", 100.0 * (gfloat) (data_blocks_used + overhead_blocks_used) / (gfloat) physical_blocks + 0.5));
+-    savings = (logical_blocks_used > 0) ? (gint64) (100.0 * (gfloat) (logical_blocks_used - data_blocks_used) / (gfloat) logical_blocks_used) : -1;
++    savings = (logical_blocks_used > 0) ? (gint64) (100.0 * (gfloat) (logical_blocks_used - data_blocks_used) / (gfloat) logical_blocks_used) : 100;
+     g_hash_table_replace (stats, g_strdup ("savings"), g_strdup_printf ("%"G_GINT64_FORMAT, savings));
+     if (savings >= 0)
+         g_hash_table_replace (stats, g_strdup ("savingPercent"), g_strdup_printf ("%"G_GINT64_FORMAT, savings));
+-- 
+2.31.1
+

SOURCES/0010-Add-support-for-creating-and-activating-integrity-de.patch

@@ -0,0 +1,966 @@
+From 37f1aff5f5f967d6a4440d176f3de877aab789ac Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Mon, 20 Sep 2021 16:38:16 +0200
+Subject: [PATCH 1/3] Add support for creating and activating integrity devices
+
+This adds support for create, open and close actions for standalone
+integrity devices using cryptsetup.
+---
+ configure.ac                        |   4 +-
+ src/lib/plugin_apis/crypto.api      | 157 +++++++++++++++++
+ src/plugins/crypto.c                | 261 +++++++++++++++++++++++++++-
+ src/plugins/crypto.h                |  41 +++++
+ src/python/gi/overrides/BlockDev.py |  24 +++
+ tests/crypto_test.py                |  97 ++++++++++-
+ 6 files changed, 576 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index abe1412..13830ae 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -210,7 +210,9 @@ AS_IF([test "x$with_crypto" != "xno"],
+       AS_IF([$PKG_CONFIG --atleast-version=2.0.3 libcryptsetup],
+             [AC_DEFINE([LIBCRYPTSETUP_2])], [])
+       AS_IF([$PKG_CONFIG --atleast-version=2.3.0 libcryptsetup],
+-            [AC_DEFINE([LIBCRYPTSETUP_BITLK])], [])
++            [AC_DEFINE([LIBCRYPTSETUP_23])], [])
++      AS_IF([$PKG_CONFIG --atleast-version=2.4.0 libcryptsetup],
++            [AC_DEFINE([LIBCRYPTSETUP_24])], [])
+       AS_IF([test "x$with_escrow" != "xno"],
+             [LIBBLOCKDEV_PKG_CHECK_MODULES([NSS], [nss >= 3.18.0])
+              LIBBLOCKDEV_CHECK_HEADER([volume_key/libvolume_key.h], [$GLIB_CFLAGS $NSS_CFLAGS], [libvolume_key.h not available])],
+diff --git a/src/lib/plugin_apis/crypto.api b/src/lib/plugin_apis/crypto.api
+index ef0217f..40e32c8 100644
+--- a/src/lib/plugin_apis/crypto.api
++++ b/src/lib/plugin_apis/crypto.api
+@@ -1,5 +1,6 @@
+ #include <glib.h>
+ #include <blockdev/utils.h>
++#include <libcryptsetup.h>
+ 
+ #define BD_CRYPTO_LUKS_METADATA_SIZE G_GUINT64_CONSTANT (2097152ULL) // 2 MiB
+ 
+@@ -245,6 +246,115 @@ GType bd_crypto_luks_extra_get_type () {
+     return type;
+ }
+ 
++#define BD_CRYPTO_TYPE_INTEGRITY_EXTRA (bd_crypto_integrity_extra_get_type ())
++GType bd_crypto_integrity_extra_get_type();
++
++/**
++ * BDCryptoIntegrityExtra:
++ * @sector_size: integrity sector size
++ * @journal_size: size of journal in bytes
++ * @journal_watermark: journal flush watermark in percents; in bitmap mode sectors-per-bit
++ * @journal_commit_time: journal commit time (or bitmap flush time) in ms
++ * @interleave_sectors: number of interleave sectors (power of two)
++ * @tag_size: tag size per-sector in bytes
++ * @buffer_sectors: number of sectors in one buffer
++ */
++typedef struct BDCryptoIntegrityExtra {
++    guint32 sector_size;
++    guint64 journal_size;
++    guint journal_watermark;
++    guint journal_commit_time;
++    guint32 interleave_sectors;
++    guint32 tag_size;
++    guint32 buffer_sectors;
++} BDCryptoIntegrityExtra;
++
++/**
++ * bd_crypto_integrity_extra_copy: (skip)
++ * @extra: (allow-none): %BDCryptoIntegrityExtra to copy
++ *
++ * Creates a new copy of @extra.
++ */
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return NULL;
++
++    BDCryptoIntegrityExtra *new_extra = g_new0 (BDCryptoIntegrityExtra, 1);
++
++    new_extra->sector_size = extra->sector_size;
++    new_extra->journal_size = extra->journal_size;
++    new_extra->journal_watermark = extra->journal_watermark;
++    new_extra->journal_commit_time = extra->journal_commit_time;
++    new_extra->interleave_sectors = extra->interleave_sectors;
++    new_extra->tag_size = extra->tag_size;
++    new_extra->buffer_sectors = extra->buffer_sectors;
++
++    return new_extra;
++}
++
++/**
++ * bd_crypto_integrity_extra_free: (skip)
++ * @extra: (allow-none): %BDCryptoIntegrityExtra to free
++ *
++ * Frees @extra.
++ */
++void bd_crypto_integrity_extra_free (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return;
++
++    g_free (extra);
++}
++
++/**
++ * bd_crypto_integrity_extra_new: (constructor)
++ * @sector_size: integrity sector size, 0 for default (512)
++ * @journal_size: size of journal in bytes
++ * @journal_watermark: journal flush watermark in percents; in bitmap mode sectors-per-bit
++ * @journal_commit_time: journal commit time (or bitmap flush time) in ms
++ * @interleave_sectors: number of interleave sectors (power of two)
++ * @tag_size: tag size per-sector in bytes
++ * @buffer_sectors: number of sectors in one buffer
++ *
++ * Returns: (transfer full): a new Integrity extra argument
++ */
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors) {
++    BDCryptoIntegrityExtra *ret = g_new0 (BDCryptoIntegrityExtra, 1);
++    ret->sector_size = sector_size;
++    ret->journal_size = journal_size;
++    ret->journal_watermark = journal_watermark;
++    ret->journal_commit_time = journal_commit_time;
++    ret->interleave_sectors = interleave_sectors;
++    ret->tag_size = tag_size;
++    ret->buffer_sectors = buffer_sectors;
++
++    return ret;
++}
++
++GType bd_crypto_integrity_extra_get_type () {
++    static GType type = 0;
++
++    if (G_UNLIKELY(type == 0)) {
++        type = g_boxed_type_register_static("BDCryptoIntegrityExtra",
++                                            (GBoxedCopyFunc) bd_crypto_integrity_extra_copy,
++                                            (GBoxedFreeFunc) bd_crypto_integrity_extra_free);
++    }
++
++    return type;
++}
++
++typedef enum {
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
++#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
++#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++} BDCryptoIntegrityOpenFlags;
++
+ #define BD_CRYPTO_TYPE_LUKS_INFO (bd_crypto_luks_info_get_type ())
+ GType bd_crypto_luks_info_get_type();
+ 
+@@ -857,6 +967,53 @@ BDCryptoLUKSInfo* bd_crypto_luks_info (const gchar *luks_device, GError **error)
+  */
+ BDCryptoIntegrityInfo* bd_crypto_integrity_info (const gchar *device, GError **error);
+ 
++/**
++ * bd_crypto_integrity_format:
++ * @device: a device to format as integrity
++ * @algorithm: integrity algorithm specification (e.g. "crc32c" or "sha256") or %NULL to use the default
++ * @wipe: whether to wipe the device after format; a device that is not initially wiped will contain invalid checksums
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @extra: (allow-none): extra arguments for integrity format creation
++ * @error: (out): place to store error (if any)
++ *
++ * Formats the given @device as integrity according to the other parameters given.
++ *
++ * Returns: whether the given @device was successfully formatted as integrity or not
++ * (the @error) contains the error in such cases)
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_CREATE
++ */
++gboolean bd_crypto_integrity_format (const gchar *device, const gchar *algorithm, gboolean wipe, const guint8* key_data, gsize key_size, BDCryptoIntegrityExtra *extra, GError **error);
++
++/**
++ * bd_crypto_integrity_open:
++ * @device: integrity device to open
++ * @name: name for the opened @device
++ * @algorithm: (allow-none): integrity algorithm specification (e.g. "crc32c" or "sha256") or %NULL to use the default
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @flags: flags for the integrity device activation
++ * @extra: (allow-none): extra arguments for integrity open
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the @device was successfully opened or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const gchar *algorithm, const guint8* key_data, gsize key_size, BDCryptoIntegrityOpenFlags flags, BDCryptoIntegrityExtra *extra, GError **error);
++
++/**
++ * bd_crypto_integrity_close:
++ * @integrity_device: integrity device to close
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the given @integrity_device was successfully closed or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_close (const gchar *integrity_device, GError **error);
++
+ /**
+  * bd_crypto_device_seems_encrypted:
+  * @device: the queried device
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index 4fad9a8..b1b0700 100644
+--- a/src/plugins/crypto.c
++++ b/src/plugins/crypto.c
+@@ -50,6 +50,18 @@
+ 
+ #define SECTOR_SIZE 512
+ 
++#define DEFAULT_LUKS_KEYSIZE_BITS 256
++#define DEFAULT_LUKS_CIPHER "aes-xts-plain64"
++
++#ifdef LIBCRYPTSETUP_23
++/* 0 for autodetect since 2.3.0 */
++#define DEFAULT_INTEGRITY_TAG_SIZE 0
++#else
++/* we need some sane default for older versions, users should specify tag size when using
++   other algorithms than the default crc32c */
++#define DEFAULT_INTEGRITY_TAG_SIZE 4
++#endif
++
+ #define UNUSED __attribute__((unused))
+ 
+ /**
+@@ -146,6 +158,43 @@ BDCryptoLUKSExtra* bd_crypto_luks_extra_new (guint64 data_alignment, const gchar
+     return ret;
+ }
+ 
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors) {
++    BDCryptoIntegrityExtra *ret = g_new0 (BDCryptoIntegrityExtra, 1);
++    ret->sector_size = sector_size;
++    ret->journal_size = journal_size;
++    ret->journal_watermark = journal_watermark;
++    ret->journal_commit_time = journal_commit_time;
++    ret->interleave_sectors = interleave_sectors;
++    ret->tag_size = tag_size;
++    ret->buffer_sectors = buffer_sectors;
++
++    return ret;
++}
++
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return NULL;
++
++    BDCryptoIntegrityExtra *new_extra = g_new0 (BDCryptoIntegrityExtra, 1);
++
++    new_extra->sector_size = extra->sector_size;
++    new_extra->journal_size = extra->journal_size;
++    new_extra->journal_watermark = extra->journal_watermark;
++    new_extra->journal_commit_time = extra->journal_commit_time;
++    new_extra->interleave_sectors = extra->interleave_sectors;
++    new_extra->tag_size = extra->tag_size;
++    new_extra->buffer_sectors = extra->buffer_sectors;
++
++    return new_extra;
++}
++
++void bd_crypto_integrity_extra_free (BDCryptoIntegrityExtra *extra) {
++    if (extra == NULL)
++        return;
++
++    g_free (extra);
++}
++
+ void bd_crypto_luks_info_free (BDCryptoLUKSInfo *info) {
+     if (info == NULL)
+         return;
+@@ -346,15 +395,15 @@ gboolean bd_crypto_is_tech_avail (BDCryptoTech tech, guint64 mode, GError **erro
+                          "Integrity technology requires libcryptsetup >= 2.0");
+             return FALSE;
+ #endif
+-            ret = mode & (BD_CRYPTO_TECH_MODE_QUERY);
++            ret = mode & (BD_CRYPTO_TECH_MODE_CREATE|BD_CRYPTO_TECH_MODE_OPEN_CLOSE|BD_CRYPTO_TECH_MODE_QUERY);
+             if (ret != mode) {
+                 g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
+-                             "Only 'query' supported for Integrity");
++                             "Only 'create', 'open' and 'query' supported for Integrity");
+                 return FALSE;
+             } else
+                 return TRUE;
+         case BD_CRYPTO_TECH_BITLK:
+-#ifndef LIBCRYPTSETUP_BITLK
++#ifndef LIBCRYPTSETUP_23
+             g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
+                          "BITLK technology requires libcryptsetup >= 2.3.0");
+             return FALSE;
+@@ -2035,6 +2084,208 @@ BDCryptoIntegrityInfo* bd_crypto_integrity_info (const gchar *device, GError **e
+ }
+ #endif
+ 
++static int _wipe_progress (guint64 size, guint64 offset, void *usrptr) {
++    /* "convert" the progress from 0-100 to 50-100 because wipe starts at 50 in bd_crypto_integrity_format */
++    gdouble progress = 50 + (((gdouble) offset / size) * 100) / 2;
++    bd_utils_report_progress (*(guint64 *) usrptr, progress, "Integrity device wipe in progress");
++
++    return 0;
++}
++
++/**
++ * bd_crypto_integrity_format:
++ * @device: a device to format as integrity
++ * @algorithm: integrity algorithm specification (e.g. "crc32c" or "sha256")
++ * @wipe: whether to wipe the device after format; a device that is not initially wiped will contain invalid checksums
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @extra: (allow-none): extra arguments for integrity format creation
++ * @error: (out): place to store error (if any)
++ *
++ * Formats the given @device as integrity according to the other parameters given.
++ *
++ * Returns: whether the given @device was successfully formatted as integrity or not
++ * (the @error) contains the error in such cases)
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_CREATE
++ */
++gboolean bd_crypto_integrity_format (const gchar *device, const gchar *algorithm, gboolean wipe, const guint8* key_data, gsize key_size, BDCryptoIntegrityExtra *extra, GError **error) {
++    struct crypt_device *cd = NULL;
++    gint ret;
++    guint64 progress_id = 0;
++    gchar *msg = NULL;
++    struct crypt_params_integrity params = ZERO_INIT;
++    g_autofree gchar *tmp_name = NULL;
++    g_autofree gchar *tmp_path = NULL;
++    g_autofree gchar *dev_name = NULL;
++
++    msg = g_strdup_printf ("Started formatting '%s' as integrity device", device);
++    progress_id = bd_utils_report_started (msg);
++    g_free (msg);
++
++    ret = crypt_init (&cd, device);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to initialize device: %s", strerror_l (-ret, c_locale));
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    if (extra) {
++        params.sector_size = extra->sector_size;
++        params.journal_size = extra->journal_size;
++        params.journal_watermark = extra->journal_watermark;
++        params.journal_commit_time = extra->journal_commit_time;
++        params.interleave_sectors = extra->interleave_sectors;
++        params.tag_size = extra->tag_size;
++        params.buffer_sectors = extra->buffer_sectors;
++    }
++
++    params.integrity_key_size = key_size;
++    params.integrity = algorithm;
++    params.tag_size = params.tag_size ? params.tag_size : DEFAULT_INTEGRITY_TAG_SIZE;
++
++    ret = crypt_format (cd, CRYPT_INTEGRITY, NULL, NULL, NULL, NULL, 0, &params);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_FORMAT_FAILED,
++                     "Failed to format device: %s", strerror_l (-ret, c_locale));
++        crypt_free (cd);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    if (wipe) {
++        bd_utils_report_progress (progress_id, 50, "Format created");
++
++        dev_name = g_path_get_basename (device);
++        tmp_name = g_strdup_printf ("bd-temp-integrity-%s-%d", dev_name, g_random_int ());
++        tmp_path = g_strdup_printf ("%s/%s", crypt_get_dir (), tmp_name);
++
++        ret = crypt_activate_by_volume_key (cd, tmp_name, (const char *) key_data, key_size,
++                                            CRYPT_ACTIVATE_PRIVATE | CRYPT_ACTIVATE_NO_JOURNAL);
++        if (ret != 0) {
++            g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                         "Failed to activate the newly created integrity device for wiping: %s",
++                         strerror_l (-ret, c_locale));
++            crypt_free (cd);
++            bd_utils_report_finished (progress_id, (*error)->message);
++            return FALSE;
++        }
++
++        bd_utils_report_progress (progress_id, 50, "Starting to wipe the newly created integrity device");
++        ret = crypt_wipe (cd, tmp_path, CRYPT_WIPE_ZERO, 0, 0, 1048576,
++                          0, &_wipe_progress, &progress_id);
++        bd_utils_report_progress (progress_id, 100, "Wipe finished");
++        if (ret != 0) {
++            g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                         "Failed to wipe the newly created integrity device: %s",
++                         strerror_l (-ret, c_locale));
++
++            ret = crypt_deactivate (cd, tmp_name);
++            if (ret != 0)
++                g_warning ("Failed to deactivate temporary device %s", tmp_name);
++
++            crypt_free (cd);
++            bd_utils_report_finished (progress_id, (*error)->message);
++            return FALSE;
++        }
++
++        ret = crypt_deactivate (cd, tmp_name);
++        if (ret != 0)
++            g_warning ("Failed to deactivate temporary device %s", tmp_name);
++
++    } else
++        bd_utils_report_finished (progress_id, "Completed");
++
++    crypt_free (cd);
++
++    return TRUE;
++}
++
++/**
++ * bd_crypto_integrity_open:
++ * @device: integrity device to open
++ * @name: name for the opened @device
++ * @algorithm: (allow-none): integrity algorithm specification (e.g. "crc32c" or "sha256") or %NULL to use the default
++ * @key_data: (allow-none) (array length=key_size): integrity key or %NULL if not needed
++ * @key_size: size the integrity key and @key_data
++ * @flags: flags for the integrity device activation
++ * @extra: (allow-none): extra arguments for integrity open
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the @device was successfully opened or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const gchar *algorithm, const guint8* key_data, gsize key_size, BDCryptoIntegrityOpenFlags flags, BDCryptoIntegrityExtra *extra, GError **error) {
++    struct crypt_device *cd = NULL;
++    gint ret = 0;
++    guint64 progress_id = 0;
++    gchar *msg = NULL;
++    struct crypt_params_integrity params = ZERO_INIT;
++
++    params.integrity = algorithm;
++    params.integrity_key_size = key_size;
++
++    if (extra) {
++        params.sector_size = extra->sector_size;
++        params.journal_size = extra->journal_size;
++        params.journal_watermark = extra->journal_watermark;
++        params.journal_commit_time = extra->journal_commit_time;
++        params.interleave_sectors = extra->interleave_sectors;
++        params.tag_size = extra->tag_size;
++        params.buffer_sectors = extra->buffer_sectors;
++    }
++
++    msg = g_strdup_printf ("Started opening '%s' integrity device", device);
++    progress_id = bd_utils_report_started (msg);
++    g_free (msg);
++
++    ret = crypt_init (&cd, device);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to initialize device: %s", strerror_l (-ret, c_locale));
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    ret = crypt_load (cd, CRYPT_INTEGRITY, &params);
++    if (ret != 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to load device's parameters: %s", strerror_l (-ret, c_locale));
++        crypt_free (cd);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    ret = crypt_activate_by_volume_key (cd, name, (const char *) key_data, key_size, flags);
++    if (ret < 0) {
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
++                     "Failed to activate device: %s", strerror_l (-ret, c_locale));
++
++        crypt_free (cd);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++    }
++
++    crypt_free (cd);
++    bd_utils_report_finished (progress_id, "Completed");
++    return TRUE;
++}
++
++/**
++ * bd_crypto_integrity_close:
++ * @integrity_device: integrity device to close
++ * @error: (out): place to store error (if any)
++ *
++ * Returns: whether the given @integrity_device was successfully closed or not
++ *
++ * Tech category: %BD_CRYPTO_TECH_INTEGRITY-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
++ */
++gboolean bd_crypto_integrity_close (const gchar *integrity_device, GError **error) {
++    return _crypto_close (integrity_device, "integrity", error);
++}
++
+ /**
+  * bd_crypto_device_seems_encrypted:
+  * @device: the queried device
+@@ -2472,7 +2723,7 @@ gboolean bd_crypto_escrow_device (const gchar *device, const gchar *passphrase,
+  *
+  * Tech category: %BD_CRYPTO_TECH_BITLK-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
+  */
+-#ifndef LIBCRYPTSETUP_BITLK
++#ifndef LIBCRYPTSETUP_23
+ gboolean bd_crypto_bitlk_open (const gchar *device UNUSED, const gchar *name UNUSED, const guint8* pass_data UNUSED, gsize data_len UNUSED, gboolean read_only UNUSED, GError **error) {
+     /* this will return FALSE and set error, because BITLK technology is not available */
+     return bd_crypto_is_tech_avail (BD_CRYPTO_TECH_BITLK, BD_CRYPTO_TECH_MODE_OPEN_CLOSE, error);
+@@ -2542,7 +2793,7 @@ gboolean bd_crypto_bitlk_open (const gchar *device, const gchar *name, const gui
+  *
+  * Tech category: %BD_CRYPTO_TECH_BITLK-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE
+  */
+-#ifndef LIBCRYPTSETUP_BITLK
++#ifndef LIBCRYPTSETUP_23
+ gboolean bd_crypto_bitlk_close (const gchar *bitlk_device UNUSED, GError **error) {
+     /* this will return FALSE and set error, because BITLK technology is not available */
+     return bd_crypto_is_tech_avail (BD_CRYPTO_TECH_BITLK, BD_CRYPTO_TECH_MODE_OPEN_CLOSE, error);
+diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
+index a38724d..166e558 100644
+--- a/src/plugins/crypto.h
++++ b/src/plugins/crypto.h
+@@ -116,6 +116,43 @@ void bd_crypto_luks_extra_free (BDCryptoLUKSExtra *extra);
+ BDCryptoLUKSExtra* bd_crypto_luks_extra_copy (BDCryptoLUKSExtra *extra);
+ BDCryptoLUKSExtra* bd_crypto_luks_extra_new (guint64 data_alignment, const gchar *data_device, const gchar *integrity, guint64 sector_size, const gchar *label, const gchar *subsystem, BDCryptoLUKSPBKDF *pbkdf);
+ 
++/**
++ * BDCryptoIntegrityExtra:
++ * @sector_size: integrity sector size
++ * @journal_size: size of journal in bytes
++ * @journal_watermark: journal flush watermark in percents; in bitmap mode sectors-per-bit
++ * @journal_commit_time: journal commit time (or bitmap flush time) in ms
++ * @interleave_sectors: number of interleave sectors (power of two)
++ * @tag_size: tag size per-sector in bytes
++ * @buffer_sectors: number of sectors in one buffer
++ */
++typedef struct BDCryptoIntegrityExtra {
++    guint32 sector_size;
++    guint64 journal_size;
++    guint journal_watermark;
++    guint journal_commit_time;
++    guint32 interleave_sectors;
++    guint32 tag_size;
++    guint32 buffer_sectors;
++} BDCryptoIntegrityExtra;
++
++void bd_crypto_integrity_extra_free (BDCryptoIntegrityExtra *extra);
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *extra);
++BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors);
++
++typedef enum {
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
++#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
++#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
++#endif
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++} BDCryptoIntegrityOpenFlags;
++
+ /**
+  * BDCryptoLUKSInfo:
+  * @version: LUKS version
+@@ -209,6 +246,10 @@ gboolean bd_crypto_luks_header_restore (const gchar *device, const gchar *backup
+ BDCryptoLUKSInfo* bd_crypto_luks_info (const gchar *luks_device, GError **error);
+ BDCryptoIntegrityInfo* bd_crypto_integrity_info (const gchar *device, GError **error);
+ 
++gboolean bd_crypto_integrity_format (const gchar *device, const gchar *algorithm, gboolean wipe, const guint8* key_data, gsize key_size, BDCryptoIntegrityExtra *extra, GError **error);
++gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const gchar *algorithm, const guint8* key_data, gsize key_size, BDCryptoIntegrityOpenFlags flags, BDCryptoIntegrityExtra *extra, GError **error);
++gboolean bd_crypto_integrity_close (const gchar *integrity_device, GError **error);
++
+ gboolean bd_crypto_device_seems_encrypted (const gchar *device, GError **error);
+ gboolean bd_crypto_tc_open (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, gboolean read_only, GError **error);
+ gboolean bd_crypto_tc_open_full (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, const gchar **keyfiles, gboolean hidden, gboolean system, gboolean veracrypt, guint32 veracrypt_pim, gboolean read_only, GError **error);
+diff --git a/src/python/gi/overrides/BlockDev.py b/src/python/gi/overrides/BlockDev.py
+index 715a262..71bcd31 100644
+--- a/src/python/gi/overrides/BlockDev.py
++++ b/src/python/gi/overrides/BlockDev.py
+@@ -276,6 +276,30 @@ def crypto_bitlk_open(device, name, passphrase, read_only=False):
+ __all__.append("crypto_bitlk_open")
+ 
+ 
++class CryptoIntegrityExtra(BlockDev.CryptoIntegrityExtra):
++    def __new__(cls, sector_size=0, journal_size=0, journal_watermark=0, journal_commit_time=0, interleave_sectors=0, tag_size=0, buffer_sectors=0):
++        ret = BlockDev.CryptoIntegrityExtra.new(sector_size, journal_size, journal_watermark, journal_commit_time, interleave_sectors, tag_size, buffer_sectors)
++        ret.__class__ = cls
++        return ret
++    def __init__(self, *args, **kwargs):   # pylint: disable=unused-argument
++        super(CryptoIntegrityExtra, self).__init__()  #pylint: disable=bad-super-call
++CryptoIntegrityExtra = override(CryptoIntegrityExtra)
++__all__.append("CryptoIntegrityExtra")
++
++
++_crypto_integrity_format = BlockDev.crypto_integrity_format
++@override(BlockDev.crypto_integrity_format)
++def crypto_integrity_format(device, algorithm=None, wipe=True, key_data=None, extra=None):
++    return _crypto_integrity_format(device, algorithm, wipe, key_data, extra)
++__all__.append("crypto_integrity_format")
++
++_crypto_integrity_open = BlockDev.crypto_integrity_open
++@override(BlockDev.crypto_integrity_open)
++def crypto_integrity_open(device, name, algorithm, key_data=None, flags=0, extra=None):
++    return _crypto_integrity_open(device, name, algorithm, key_data, flags, extra)
++__all__.append("crypto_integrity_open")
++
++
+ _dm_create_linear = BlockDev.dm_create_linear
+ @override(BlockDev.dm_create_linear)
+ def dm_create_linear(map_name, device, length, uuid=None):
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 0aecc03..1c6832e 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -2,6 +2,7 @@ import unittest
+ import os
+ import tempfile
+ import overrides_hack
++import secrets
+ import shutil
+ import subprocess
+ import six
+@@ -42,6 +43,8 @@ class CryptoTestCase(unittest.TestCase):
+ 
+     requested_plugins = BlockDev.plugin_specs_from_names(("crypto", "loop"))
+ 
++    _dm_name = "libblockdevTestLUKS"
++
+     @classmethod
+     def setUpClass(cls):
+         unittest.TestCase.setUpClass()
+@@ -72,7 +75,7 @@ class CryptoTestCase(unittest.TestCase):
+ 
+     def _clean_up(self):
+         try:
+-            BlockDev.crypto_luks_close("libblockdevTestLUKS")
++            BlockDev.crypto_luks_close(self._dm_name)
+         except:
+             pass
+ 
+@@ -964,7 +967,8 @@ class CryptoTestInfo(CryptoTestCase):
+         succ = BlockDev.crypto_luks_close("libblockdevTestLUKS")
+         self.assertTrue(succ)
+ 
+-class CryptoTestIntegrity(CryptoTestCase):
++
++class CryptoTestLUKS2Integrity(CryptoTestCase):
+     @tag_test(TestTags.SLOW)
+     @unittest.skipUnless(HAVE_LUKS2, "LUKS 2 not supported")
+     def test_luks2_integrity(self):
+@@ -1151,3 +1155,92 @@ class CryptoTestBitlk(CryptoTestCase):
+         succ = BlockDev.crypto_bitlk_close("libblockdevTestBitlk")
+         self.assertTrue(succ)
+         self.assertFalse(os.path.exists("/dev/mapper/libblockdevTestBitlk"))
++
++
++class CryptoTestIntegrity(CryptoTestCase):
++
++    _dm_name = "libblockdevTestIntegrity"
++
++    @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
++    def test_integrity(self):
++        # basic format+open+close test
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "sha256", False)
++        self.assertTrue(succ)
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "sha256")
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        info = BlockDev.crypto_integrity_info(self._dm_name)
++        self.assertEqual(info.algorithm, "sha256")
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # same now with a keyed algorithm
++        key = list(secrets.token_bytes(64))
++
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "hmac(sha256)", False, key)
++        self.assertTrue(succ)
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "hmac(sha256)", key)
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        info = BlockDev.crypto_integrity_info(self._dm_name)
++        self.assertEqual(info.algorithm, "hmac(sha256)")
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # same with some custom parameters
++        extra = BlockDev.CryptoIntegrityExtra(sector_size=4096, interleave_sectors=65536)
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "crc32c", wipe=False, extra=extra)
++        self.assertTrue(succ)
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "crc32c")
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        info = BlockDev.crypto_integrity_info(self._dm_name)
++        self.assertEqual(info.algorithm, "crc32c")
++        self.assertEqual(info.sector_size, 4096)
++        self.assertEqual(info.interleave_sectors, 65536)
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++    @tag_test(TestTags.SLOW)
++    @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
++    def test_integrity_wipe(self):
++        # also check that wipe progress reporting works
++        progress_log = []
++
++        def _my_progress_func(_task, _status, completion, msg):
++            progress_log.append((completion, msg))
++
++        succ = BlockDev.utils_init_prog_reporting(_my_progress_func)
++        self.assertTrue(succ)
++        self.addCleanup(BlockDev.utils_init_prog_reporting, None)
++
++        succ = BlockDev.crypto_integrity_format(self.loop_dev, "sha256", True)
++        self.assertTrue(succ)
++
++        # at least one message "Integrity device wipe in progress" should be logged
++        self.assertTrue(any(prog[1] == "Integrity device wipe in progress" for prog in progress_log))
++
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "sha256")
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # check the devices was wiped and the checksums recalculated
++        # (mkfs reads some blocks first so without checksums it would fail)
++        ret, _out, err = run_command("mkfs.ext2 /dev/mapper/%s " % self._dm_name)
++        self.assertEqual(ret, 0, msg="Failed to create ext2 filesystem on integrity: %s" % err)
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
+-- 
+2.31.1
+
+
+From 4dcb7a42a2cb33f7a63021d72889c9a9688adfd3 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 30 Sep 2021 16:01:40 +0200
+Subject: [PATCH 2/3] Create smaller test images for integrity tests
+
+We are going to overwrite the entire device in test_integrity_wipe
+so we need to make sure the sparse actually fits to /tmp which
+can be smaller than 1 GiB.
+---
+ tests/crypto_test.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index 1c6832e..b7ec251 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -44,6 +44,7 @@ class CryptoTestCase(unittest.TestCase):
+     requested_plugins = BlockDev.plugin_specs_from_names(("crypto", "loop"))
+ 
+     _dm_name = "libblockdevTestLUKS"
++    _sparse_size = 1024**3
+ 
+     @classmethod
+     def setUpClass(cls):
+@@ -57,8 +58,8 @@ class CryptoTestCase(unittest.TestCase):
+ 
+     def setUp(self):
+         self.addCleanup(self._clean_up)
+-        self.dev_file = create_sparse_tempfile("crypto_test", 1024**3)
+-        self.dev_file2 = create_sparse_tempfile("crypto_test2", 1024**3)
++        self.dev_file = create_sparse_tempfile("crypto_test", self._sparse_size)
++        self.dev_file2 = create_sparse_tempfile("crypto_test2", self._sparse_size)
+         try:
+             self.loop_dev = create_lio_device(self.dev_file)
+         except RuntimeError as e:
+@@ -1160,6 +1161,7 @@ class CryptoTestBitlk(CryptoTestCase):
+ class CryptoTestIntegrity(CryptoTestCase):
+ 
+     _dm_name = "libblockdevTestIntegrity"
++    _sparse_size = 100 * 1024**2
+ 
+     @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
+     def test_integrity(self):
+-- 
+2.31.1
+
+
+From 3b82f9085c0df2e58b673716cdefd747495738e2 Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 20 Oct 2021 10:27:41 +0200
+Subject: [PATCH 3/3] crypto: Do not use libcryptsetup flags directly in
+ crypto.h
+
+We can "translate" our flags in the implementation instead to
+avoid including libcryptsetup.h in our header and API files.
+---
+ src/lib/plugin_apis/crypto.api | 17 ++++++-----------
+ src/plugins/crypto.c           | 34 +++++++++++++++++++++++++++++++++-
+ src/plugins/crypto.h           | 16 ++++++----------
+ tests/crypto_test.py           | 14 ++++++++++++++
+ 4 files changed, 59 insertions(+), 22 deletions(-)
+
+diff --git a/src/lib/plugin_apis/crypto.api b/src/lib/plugin_apis/crypto.api
+index 40e32c8..cf87979 100644
+--- a/src/lib/plugin_apis/crypto.api
++++ b/src/lib/plugin_apis/crypto.api
+@@ -1,6 +1,5 @@
+ #include <glib.h>
+ #include <blockdev/utils.h>
+-#include <libcryptsetup.h>
+ 
+ #define BD_CRYPTO_LUKS_METADATA_SIZE G_GUINT64_CONSTANT (2097152ULL) // 2 MiB
+ 
+@@ -343,16 +342,12 @@ GType bd_crypto_integrity_extra_get_type () {
+ }
+ 
+ typedef enum {
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
+-    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
+-#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
+-#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = 1 << 0,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = 1 << 1,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = 1 << 2,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = 1 << 3,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = 1 << 4,
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = 1 << 5,
+ } BDCryptoIntegrityOpenFlags;
+ 
+ #define BD_CRYPTO_TYPE_LUKS_INFO (bd_crypto_luks_info_get_type ())
+diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
+index b1b0700..8a4d64a 100644
+--- a/src/plugins/crypto.c
++++ b/src/plugins/crypto.c
+@@ -2223,6 +2223,7 @@ gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const
+     guint64 progress_id = 0;
+     gchar *msg = NULL;
+     struct crypt_params_integrity params = ZERO_INIT;
++    guint32 activate_flags = 0;
+ 
+     params.integrity = algorithm;
+     params.integrity_key_size = key_size;
+@@ -2237,6 +2238,37 @@ gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const
+         params.buffer_sectors = extra->buffer_sectors;
+     }
+ 
++
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL)
++        activate_flags |= CRYPT_ACTIVATE_NO_JOURNAL;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_RECOVERY)
++        activate_flags |= CRYPT_ACTIVATE_RECOVERY;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE)
++        activate_flags |= CRYPT_ACTIVATE_RECALCULATE;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS)
++        activate_flags |= CRYPT_ACTIVATE_ALLOW_DISCARDS;
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP) {
++#ifndef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
++                     "Cannot activate %s with bitmap, installed version of cryptsetup doesn't support this option.", device);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++#else
++        activate_flags |= CRYPT_ACTIVATE_NO_JOURNAL_BITMAP;
++#endif
++    }
++
++    if (flags & BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET) {
++#ifndef CRYPT_ACTIVATE_RECALCULATE_RESET
++        g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_TECH_UNAVAIL,
++                     "Cannot reset integrity recalculation while activating %s, installed version of cryptsetup doesn't support this option.", device);
++        bd_utils_report_finished (progress_id, (*error)->message);
++        return FALSE;
++#else
++        activate_flags |= CRYPT_ACTIVATE_RECALCULATE_RESET;
++#endif
++    }
++
+     msg = g_strdup_printf ("Started opening '%s' integrity device", device);
+     progress_id = bd_utils_report_started (msg);
+     g_free (msg);
+@@ -2258,7 +2290,7 @@ gboolean bd_crypto_integrity_open (const gchar *device, const gchar *name, const
+         return FALSE;
+     }
+ 
+-    ret = crypt_activate_by_volume_key (cd, name, (const char *) key_data, key_size, flags);
++    ret = crypt_activate_by_volume_key (cd, name, (const char *) key_data, key_size, activate_flags);
+     if (ret < 0) {
+         g_set_error (error, BD_CRYPTO_ERROR, BD_CRYPTO_ERROR_DEVICE,
+                      "Failed to activate device: %s", strerror_l (-ret, c_locale));
+diff --git a/src/plugins/crypto.h b/src/plugins/crypto.h
+index 166e558..b5f133c 100644
+--- a/src/plugins/crypto.h
++++ b/src/plugins/crypto.h
+@@ -141,16 +141,12 @@ BDCryptoIntegrityExtra* bd_crypto_integrity_extra_copy (BDCryptoIntegrityExtra *
+ BDCryptoIntegrityExtra* bd_crypto_integrity_extra_new (guint64 sector_size, guint64 journal_size, guint journal_watermark, guint journal_commit_time, guint64 interleave_sectors, guint64 tag_size, guint64 buffer_sectors);
+ 
+ typedef enum {
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = CRYPT_ACTIVATE_NO_JOURNAL,
+-    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = CRYPT_ACTIVATE_RECOVERY,
+-#ifdef CRYPT_ACTIVATE_NO_JOURNAL_BITMAP
+-    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = CRYPT_ACTIVATE_NO_JOURNAL_BITMAP,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = CRYPT_ACTIVATE_RECALCULATE,
+-#ifdef CRYPT_ACTIVATE_RECALCULATE_RESET
+-    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = CRYPT_ACTIVATE_RECALCULATE_RESET,
+-#endif
+-    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = CRYPT_ACTIVATE_ALLOW_DISCARDS,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL         = 1 << 0,
++    BD_CRYPTO_INTEGRITY_OPEN_RECOVERY           = 1 << 1,
++    BD_CRYPTO_INTEGRITY_OPEN_NO_JOURNAL_BITMAP  = 1 << 2,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE        = 1 << 3,
++    BD_CRYPTO_INTEGRITY_OPEN_RECALCULATE_RESET  = 1 << 4,
++    BD_CRYPTO_INTEGRITY_OPEN_ALLOW_DISCARDS     = 1 << 5,
+ } BDCryptoIntegrityOpenFlags;
+ 
+ /**
+diff --git a/tests/crypto_test.py b/tests/crypto_test.py
+index b7ec251..673d8b8 100644
+--- a/tests/crypto_test.py
++++ b/tests/crypto_test.py
+@@ -1215,6 +1215,20 @@ class CryptoTestIntegrity(CryptoTestCase):
+         self.assertTrue(succ)
+         self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
+ 
++        # open with flags
++        succ = BlockDev.crypto_integrity_open(self.loop_dev, self._dm_name, "crc32c",
++                                              flags=BlockDev.CryptoIntegrityOpenFlags.ALLOW_DISCARDS)
++        self.assertTrue(succ)
++        self.assertTrue(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
++        # check that discard is enabled for the mapped device
++        _ret, out, _err = run_command("dmsetup table %s" % self._dm_name)
++        self.assertIn("allow_discards", out)
++
++        succ = BlockDev.crypto_integrity_close(self._dm_name)
++        self.assertTrue(succ)
++        self.assertFalse(os.path.exists("/dev/mapper/%s" % self._dm_name))
++
+     @tag_test(TestTags.SLOW)
+     @unittest.skipUnless(HAVE_LUKS2, "Integrity not supported")
+     def test_integrity_wipe(self):
+-- 
+2.31.1
+

SOURCES/0011-tests-Wait-for-raid-and-mirrored-LVs-to-be-synced-be.patch

@@ -0,0 +1,278 @@
+From d0ba031e679d480855bea61060acea597d5ffbbd Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Wed, 15 Dec 2021 14:14:19 +0100
+Subject: [PATCH 1/2] tests: Wait for raid and mirrored LVs to be synced before
+ removing
+
+Resolves: rhbz#2030647
+---
+ tests/lvm_dbus_tests.py | 31 +++++++++++++++++++++++++------
+ tests/lvm_test.py       | 31 +++++++++++++++++++++++++------
+ 2 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index 5516afe..5ce653e 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -7,6 +7,8 @@ import six
+ import re
+ import shutil
+ import subprocess
++import time
++from contextlib import contextmanager
+ from distutils.version import LooseVersion
+ from itertools import chain
+ 
+@@ -18,6 +20,21 @@ sb = dbus.SystemBus()
+ lvm_dbus_running = any("lvmdbus" in name for name in chain(sb.list_names(), sb.list_activatable_names()))
+ 
+ 
++@contextmanager
++def wait_for_sync(vg_name, lv_name):
++    try:
++        yield
++    finally:
++        time.sleep(2)
++        while True:
++            ret, out, _err = run_command("LC_ALL=C lvs -o copy_percent --noheadings %s/%s" % (vg_name, lv_name))
++            if ret != 0:
++                break
++            if int(float(out)) == 100:
++                break
++            time.sleep(1)
++
++
+ class LVMTestCase(unittest.TestCase):
+     @classmethod
+     def setUpClass(cls):
+@@ -801,9 +818,10 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvremove("testVG", "testLV", True, None)
+         self.assertTrue(succ)
+ 
+-        # try to create a mirrored LV
+-        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
+-        self.assertTrue(succ)
++        with wait_for_sync("testVG", "testLV"):
++            # try to create a mirrored LV
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
++            self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+         info = BlockDev.lvm_lvinfo("testVG", "testLV")
+@@ -812,9 +830,10 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvremove("testVG", "testLV", True, None)
+         self.assertTrue(succ)
+ 
+-        # try to create a raid1 LV
+-        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
+-        self.assertTrue(succ)
++        with wait_for_sync("testVG", "testLV"):
++            # try to create a raid1 LV
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
++            self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+         info = BlockDev.lvm_lvinfo("testVG", "testLV")
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index e349817..12b78ca 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -7,12 +7,29 @@ import six
+ import re
+ import shutil
+ import subprocess
++import time
++from contextlib import contextmanager
+ from distutils.version import LooseVersion
+ 
+ from utils import create_sparse_tempfile, create_lio_device, delete_lio_device, fake_utils, fake_path, TestTags, tag_test, run_command, read_file
+ from gi.repository import BlockDev, GLib
+ 
+ 
++@contextmanager
++def wait_for_sync(vg_name, lv_name):
++    try:
++        yield
++    finally:
++        time.sleep(2)
++        while True:
++            info = BlockDev.lvm_lvinfo(vg_name, lv_name)
++            if not info:
++                break
++            if info.copy_percent == 100:
++                break
++            time.sleep(1)
++
++
+ class LVMTestCase(unittest.TestCase):
+ 
+     @classmethod
+@@ -737,9 +754,10 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvremove("testVG", "testLV", True, None)
+         self.assertTrue(succ)
+ 
+-        # try to create a mirrored LV
+-        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
+-        self.assertTrue(succ)
++        with wait_for_sync("testVG", "testLV"):
++            # try to create a mirrored LV
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
++            self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+         info = BlockDev.lvm_lvinfo("testVG", "testLV")
+@@ -748,9 +766,10 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+         succ = BlockDev.lvm_lvremove("testVG", "testLV", True, None)
+         self.assertTrue(succ)
+ 
+-        # try to create a raid1 LV
+-        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
+-        self.assertTrue(succ)
++        with wait_for_sync("testVG", "testLV"):
++            # try to create a raid1 LV
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
++            self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+         info = BlockDev.lvm_lvinfo("testVG", "testLV")
+-- 
+2.31.1
+
+
+From 36dbac970bc4a052dbd97f51eb47379036d15b6e Mon Sep 17 00:00:00 2001
+From: Vojtech Trefny <vtrefny@redhat.com>
+Date: Thu, 16 Dec 2021 12:27:33 +0100
+Subject: [PATCH 2/2] tests: Make smaller images for test_lvcreate_type
+
+We are now waiting for the initial resync for the RAID/mirror LVs
+which means we are trying to overwrite the entire 1 GB image which
+doesn't fit in /tmp on our CI machines.
+---
+ tests/lvm_dbus_tests.py | 16 +++++++++++-----
+ tests/lvm_test.py       | 15 ++++++++++-----
+ 2 files changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/tests/lvm_dbus_tests.py b/tests/lvm_dbus_tests.py
+index 5ce653e..723aabb 100644
+--- a/tests/lvm_dbus_tests.py
++++ b/tests/lvm_dbus_tests.py
+@@ -313,14 +313,17 @@ class LvmNoDevTestCase(LVMTestCase):
+ 
+ @unittest.skipUnless(lvm_dbus_running, "LVM DBus not running")
+ class LvmPVonlyTestCase(LVMTestCase):
++
++    _sparse_size = 1024**3
++
+     # :TODO:
+     #     * test pvmove (must create two PVs, a VG, a VG and some data in it
+     #       first)
+     #     * some complex test for pvs, vgs, lvs, pvinfo, vginfo and lvinfo
+     def setUp(self):
+         self.addCleanup(self._clean_up)
+-        self.dev_file = create_sparse_tempfile("lvm_test", 1024**3)
+-        self.dev_file2 = create_sparse_tempfile("lvm_test", 1024**3)
++        self.dev_file = create_sparse_tempfile("lvm_test", self._sparse_size)
++        self.dev_file2 = create_sparse_tempfile("lvm_test", self._sparse_size)
+         try:
+             self.loop_dev = create_lio_device(self.dev_file)
+         except RuntimeError as e:
+@@ -795,6 +798,9 @@ class LvmTestLVcreateWithExtra(LvmPVVGLVTestCase):
+ 
+ @unittest.skipUnless(lvm_dbus_running, "LVM DBus not running")
+ class LvmTestLVcreateType(LvmPVVGLVTestCase):
++
++    _sparse_size = 200 * 1024**2
++
+     def test_lvcreate_type(self):
+         """Verify it's possible to create LVs with various types"""
+ 
+@@ -808,7 +814,7 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+         self.assertTrue(succ)
+ 
+         # try to create a striped LV
+-        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "striped", [self.loop_dev, self.loop_dev2], None)
++        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 100 * 1024**2, "striped", [self.loop_dev, self.loop_dev2], None)
+         self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+@@ -820,7 +826,7 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+ 
+         with wait_for_sync("testVG", "testLV"):
+             # try to create a mirrored LV
+-            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 100 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
+             self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+@@ -832,7 +838,7 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+ 
+         with wait_for_sync("testVG", "testLV"):
+             # try to create a raid1 LV
+-            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 100 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
+             self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+diff --git a/tests/lvm_test.py b/tests/lvm_test.py
+index 12b78ca..97f6c69 100644
+--- a/tests/lvm_test.py
++++ b/tests/lvm_test.py
+@@ -302,14 +302,17 @@ class LvmNoDevTestCase(LVMTestCase):
+             BlockDev.lvm_cache_get_mode_from_str("bla")
+ 
+ class LvmPVonlyTestCase(LVMTestCase):
++
++    _sparse_size = 1024**3
++
+     # :TODO:
+     #     * test pvmove (must create two PVs, a VG, a VG and some data in it
+     #       first)
+     #     * some complex test for pvs, vgs, lvs, pvinfo, vginfo and lvinfo
+     def setUp(self):
+         self.addCleanup(self._clean_up)
+-        self.dev_file = create_sparse_tempfile("lvm_test", 1024**3)
+-        self.dev_file2 = create_sparse_tempfile("lvm_test", 1024**3)
++        self.dev_file = create_sparse_tempfile("lvm_test", self._sparse_size)
++        self.dev_file2 = create_sparse_tempfile("lvm_test", self._sparse_size)
+         try:
+             self.loop_dev = create_lio_device(self.dev_file)
+         except RuntimeError as e:
+@@ -731,6 +734,8 @@ class LvmTestLVcreateWithExtra(LvmPVVGLVTestCase):
+         self.assertTrue(succ)
+ 
+ class LvmTestLVcreateType(LvmPVVGLVTestCase):
++    _sparse_size = 200 * 1024**2
++
+     def test_lvcreate_type(self):
+         """Verify it's possible to create LVs with various types"""
+ 
+@@ -744,7 +749,7 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+         self.assertTrue(succ)
+ 
+         # try to create a striped LV
+-        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "striped", [self.loop_dev, self.loop_dev2], None)
++        succ = BlockDev.lvm_lvcreate("testVG", "testLV", 100 * 1024**2, "striped", [self.loop_dev, self.loop_dev2], None)
+         self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+@@ -756,7 +761,7 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+ 
+         with wait_for_sync("testVG", "testLV"):
+             # try to create a mirrored LV
+-            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 100 * 1024**2, "mirror", [self.loop_dev, self.loop_dev2], None)
+             self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+@@ -768,7 +773,7 @@ class LvmTestLVcreateType(LvmPVVGLVTestCase):
+ 
+         with wait_for_sync("testVG", "testLV"):
+             # try to create a raid1 LV
+-            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 512 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
++            succ = BlockDev.lvm_lvcreate("testVG", "testLV", 100 * 1024**2, "raid1", [self.loop_dev, self.loop_dev2], None)
+             self.assertTrue(succ)
+ 
+         # verify that the LV has the requested segtype
+-- 
+2.31.1
+

SOURCES/libblockdev-gcc11.patch

@@ -0,0 +1,15 @@
+diff --git a/src/plugins/kbd.c b/src/plugins/kbd.c
+index a2908ec..97abd3b 100644
+--- a/src/plugins/kbd.c
++++ b/src/plugins/kbd.c
+@@ -732,6 +732,10 @@ static gboolean wait_for_file (const char *filename) {
+  *
+  * Tech category: %BD_KBD_TECH_BCACHE-%BD_KBD_TECH_MODE_CREATE
+  */
++/* This triggers a known false positive warning in gcc-11.  It's being
++   addressed upstream, but until the fix is available, this works around
++   the false positive.  */
++__attribute__ ((optimize ("-O1")))
+ gboolean bd_kbd_bcache_create (const gchar *backing_device, const gchar *cache_device, const BDExtraArg **extra, const gchar **bcache_device, GError **error) {
+     const gchar *argv[6] = {"make-bcache", "-B", backing_device, "-C", cache_device, NULL};
+     gboolean success = FALSE;