Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1 | /* |
| 2 | * QEMU Crypto block device encryption LUKS format |
| 3 | * |
| 4 | * Copyright (c) 2015-2016 Red Hat, Inc. |
| 5 | * |
| 6 | * This library is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU Lesser General Public |
| 8 | * License as published by the Free Software Foundation; either |
Thomas Huth | b7cbb87 | 2019-02-13 16:54:59 +0100 | [diff] [blame] | 9 | * version 2.1 of the License, or (at your option) any later version. |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 10 | * |
| 11 | * This library is distributed in the hope that it will be useful, |
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 14 | * Lesser General Public License for more details. |
| 15 | * |
| 16 | * You should have received a copy of the GNU Lesser General Public |
| 17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | */ |
| 20 | |
| 21 | #include "qemu/osdep.h" |
Markus Armbruster | da34e65 | 2016-03-14 09:01:28 +0100 | [diff] [blame] | 22 | #include "qapi/error.h" |
Paolo Bonzini | 58369e2 | 2016-03-15 17:22:36 +0100 | [diff] [blame] | 23 | #include "qemu/bswap.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 24 | |
Michael S. Tsirkin | 986bc8d | 2018-05-03 22:50:23 +0300 | [diff] [blame] | 25 | #include "block-luks.h" |
Daniel P. Berrangé | 36445ac | 2022-05-10 15:19:58 +0100 | [diff] [blame] | 26 | #include "block-luks-priv.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 27 | |
| 28 | #include "crypto/hash.h" |
| 29 | #include "crypto/afsplit.h" |
| 30 | #include "crypto/pbkdf.h" |
| 31 | #include "crypto/secret.h" |
| 32 | #include "crypto/random.h" |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 33 | #include "qemu/uuid.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 34 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 35 | #include "qemu/bitmap.h" |
Yao Xingtao | 7cd9b9d | 2024-07-22 00:07:40 -0400 | [diff] [blame^] | 36 | #include "qemu/range.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 37 | |
| 38 | /* |
| 39 | * Reference for the LUKS format implemented here is |
| 40 | * |
| 41 | * docs/on-disk-format.pdf |
| 42 | * |
| 43 | * in 'cryptsetup' package source code |
| 44 | * |
| 45 | * This file implements the 1.2.1 specification, dated |
| 46 | * Oct 16, 2011. |
| 47 | */ |
| 48 | |
| 49 | typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 50 | |
| 51 | typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; |
| 52 | struct QCryptoBlockLUKSNameMap { |
| 53 | const char *name; |
| 54 | int id; |
| 55 | }; |
| 56 | |
| 57 | typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; |
| 58 | struct QCryptoBlockLUKSCipherSizeMap { |
| 59 | uint32_t key_bytes; |
| 60 | int id; |
| 61 | }; |
| 62 | typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; |
| 63 | struct QCryptoBlockLUKSCipherNameMap { |
| 64 | const char *name; |
| 65 | const QCryptoBlockLUKSCipherSizeMap *sizes; |
| 66 | }; |
| 67 | |
| 68 | |
| 69 | static const QCryptoBlockLUKSCipherSizeMap |
| 70 | qcrypto_block_luks_cipher_size_map_aes[] = { |
| 71 | { 16, QCRYPTO_CIPHER_ALG_AES_128 }, |
| 72 | { 24, QCRYPTO_CIPHER_ALG_AES_192 }, |
| 73 | { 32, QCRYPTO_CIPHER_ALG_AES_256 }, |
| 74 | { 0, 0 }, |
| 75 | }; |
| 76 | |
| 77 | static const QCryptoBlockLUKSCipherSizeMap |
| 78 | qcrypto_block_luks_cipher_size_map_cast5[] = { |
| 79 | { 16, QCRYPTO_CIPHER_ALG_CAST5_128 }, |
| 80 | { 0, 0 }, |
| 81 | }; |
| 82 | |
| 83 | static const QCryptoBlockLUKSCipherSizeMap |
| 84 | qcrypto_block_luks_cipher_size_map_serpent[] = { |
| 85 | { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 }, |
| 86 | { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 }, |
| 87 | { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 }, |
| 88 | { 0, 0 }, |
| 89 | }; |
| 90 | |
| 91 | static const QCryptoBlockLUKSCipherSizeMap |
| 92 | qcrypto_block_luks_cipher_size_map_twofish[] = { |
| 93 | { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 }, |
| 94 | { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 }, |
| 95 | { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 }, |
| 96 | { 0, 0 }, |
| 97 | }; |
| 98 | |
Hyman Huang | 52ed9f4 | 2023-12-07 23:47:35 +0800 | [diff] [blame] | 99 | #ifdef CONFIG_CRYPTO_SM4 |
| 100 | static const QCryptoBlockLUKSCipherSizeMap |
| 101 | qcrypto_block_luks_cipher_size_map_sm4[] = { |
| 102 | { 16, QCRYPTO_CIPHER_ALG_SM4}, |
| 103 | { 0, 0 }, |
| 104 | }; |
| 105 | #endif |
| 106 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 107 | static const QCryptoBlockLUKSCipherNameMap |
| 108 | qcrypto_block_luks_cipher_name_map[] = { |
| 109 | { "aes", qcrypto_block_luks_cipher_size_map_aes }, |
| 110 | { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, |
| 111 | { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, |
| 112 | { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, |
Hyman Huang | 52ed9f4 | 2023-12-07 23:47:35 +0800 | [diff] [blame] | 113 | #ifdef CONFIG_CRYPTO_SM4 |
| 114 | { "sm4", qcrypto_block_luks_cipher_size_map_sm4}, |
| 115 | #endif |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 116 | }; |
| 117 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 118 | QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 119 | QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); |
| 120 | |
| 121 | |
| 122 | struct QCryptoBlockLUKS { |
| 123 | QCryptoBlockLUKSHeader header; |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 124 | |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 125 | /* Main encryption algorithm used for encryption*/ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 126 | QCryptoCipherAlgorithm cipher_alg; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 127 | |
| 128 | /* Mode of encryption for the selected encryption algorithm */ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 129 | QCryptoCipherMode cipher_mode; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 130 | |
| 131 | /* Initialization vector generation algorithm */ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 132 | QCryptoIVGenAlgorithm ivgen_alg; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 133 | |
| 134 | /* Hash algorithm used for IV generation*/ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 135 | QCryptoHashAlgorithm ivgen_hash_alg; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 136 | |
| 137 | /* |
| 138 | * Encryption algorithm used for IV generation. |
| 139 | * Usually the same as main encryption algorithm |
| 140 | */ |
| 141 | QCryptoCipherAlgorithm ivgen_cipher_alg; |
| 142 | |
| 143 | /* Hash algorithm used in pbkdf2 function */ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 144 | QCryptoHashAlgorithm hash_alg; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 145 | |
| 146 | /* Name of the secret that was used to open the image */ |
| 147 | char *secret; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 148 | }; |
| 149 | |
| 150 | |
| 151 | static int qcrypto_block_luks_cipher_name_lookup(const char *name, |
| 152 | QCryptoCipherMode mode, |
| 153 | uint32_t key_bytes, |
| 154 | Error **errp) |
| 155 | { |
| 156 | const QCryptoBlockLUKSCipherNameMap *map = |
| 157 | qcrypto_block_luks_cipher_name_map; |
| 158 | size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); |
| 159 | size_t i, j; |
| 160 | |
| 161 | if (mode == QCRYPTO_CIPHER_MODE_XTS) { |
| 162 | key_bytes /= 2; |
| 163 | } |
| 164 | |
| 165 | for (i = 0; i < maplen; i++) { |
| 166 | if (!g_str_equal(map[i].name, name)) { |
| 167 | continue; |
| 168 | } |
| 169 | for (j = 0; j < map[i].sizes[j].key_bytes; j++) { |
| 170 | if (map[i].sizes[j].key_bytes == key_bytes) { |
| 171 | return map[i].sizes[j].id; |
| 172 | } |
| 173 | } |
| 174 | } |
| 175 | |
Daniel P. Berrangé | 6c19893 | 2022-09-05 12:08:21 +0100 | [diff] [blame] | 176 | error_setg(errp, "Algorithm '%s' with key size %d bytes not supported", |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 177 | name, key_bytes); |
| 178 | return 0; |
| 179 | } |
| 180 | |
| 181 | static const char * |
| 182 | qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg, |
| 183 | Error **errp) |
| 184 | { |
| 185 | const QCryptoBlockLUKSCipherNameMap *map = |
| 186 | qcrypto_block_luks_cipher_name_map; |
| 187 | size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); |
| 188 | size_t i, j; |
| 189 | for (i = 0; i < maplen; i++) { |
| 190 | for (j = 0; j < map[i].sizes[j].key_bytes; j++) { |
| 191 | if (map[i].sizes[j].id == alg) { |
| 192 | return map[i].name; |
| 193 | } |
| 194 | } |
| 195 | } |
| 196 | |
| 197 | error_setg(errp, "Algorithm '%s' not supported", |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 198 | QCryptoCipherAlgorithm_str(alg)); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 199 | return NULL; |
| 200 | } |
| 201 | |
| 202 | /* XXX replace with qapi_enum_parse() in future, when we can |
| 203 | * make that function emit a more friendly error message */ |
| 204 | static int qcrypto_block_luks_name_lookup(const char *name, |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 205 | const QEnumLookup *map, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 206 | const char *type, |
| 207 | Error **errp) |
| 208 | { |
Markus Armbruster | 9ae3307 | 2017-08-24 10:46:04 +0200 | [diff] [blame] | 209 | int ret = qapi_enum_parse(map, name, -1, NULL); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 210 | |
Markus Armbruster | 9ae3307 | 2017-08-24 10:46:04 +0200 | [diff] [blame] | 211 | if (ret < 0) { |
Daniel P. Berrangé | 6c19893 | 2022-09-05 12:08:21 +0100 | [diff] [blame] | 212 | error_setg(errp, "%s '%s' not supported", type, name); |
Markus Armbruster | 9ae3307 | 2017-08-24 10:46:04 +0200 | [diff] [blame] | 213 | return 0; |
| 214 | } |
| 215 | return ret; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 216 | } |
| 217 | |
| 218 | #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ |
| 219 | qcrypto_block_luks_name_lookup(name, \ |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 220 | &QCryptoCipherMode_lookup, \ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 221 | "Cipher mode", \ |
| 222 | errp) |
| 223 | |
| 224 | #define qcrypto_block_luks_hash_name_lookup(name, errp) \ |
| 225 | qcrypto_block_luks_name_lookup(name, \ |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 226 | &QCryptoHashAlgorithm_lookup, \ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 227 | "Hash algorithm", \ |
| 228 | errp) |
| 229 | |
| 230 | #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ |
| 231 | qcrypto_block_luks_name_lookup(name, \ |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 232 | &QCryptoIVGenAlgorithm_lookup, \ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 233 | "IV generator", \ |
| 234 | errp) |
| 235 | |
| 236 | |
| 237 | static bool |
| 238 | qcrypto_block_luks_has_format(const uint8_t *buf, |
| 239 | size_t buf_size) |
| 240 | { |
| 241 | const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; |
| 242 | |
| 243 | if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && |
| 244 | memcmp(luks_header->magic, qcrypto_block_luks_magic, |
| 245 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && |
| 246 | be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { |
| 247 | return true; |
| 248 | } else { |
| 249 | return false; |
| 250 | } |
| 251 | } |
| 252 | |
| 253 | |
| 254 | /** |
| 255 | * Deal with a quirk of dm-crypt usage of ESSIV. |
| 256 | * |
| 257 | * When calculating ESSIV IVs, the cipher length used by ESSIV |
| 258 | * may be different from the cipher length used for the block |
Michael Tokarev | 0a19d87 | 2023-07-14 14:33:49 +0300 | [diff] [blame] | 259 | * encryption, because dm-crypt uses the hash digest length |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 260 | * as the key size. ie, if you have AES 128 as the block cipher |
| 261 | * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as |
| 262 | * the cipher since that gets a key length matching the digest |
| 263 | * size, not AES 128 with truncated digest as might be imagined |
| 264 | */ |
| 265 | static QCryptoCipherAlgorithm |
| 266 | qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher, |
| 267 | QCryptoHashAlgorithm hash, |
| 268 | Error **errp) |
| 269 | { |
| 270 | size_t digestlen = qcrypto_hash_digest_len(hash); |
| 271 | size_t keylen = qcrypto_cipher_get_key_len(cipher); |
| 272 | if (digestlen == keylen) { |
| 273 | return cipher; |
| 274 | } |
| 275 | |
| 276 | switch (cipher) { |
| 277 | case QCRYPTO_CIPHER_ALG_AES_128: |
| 278 | case QCRYPTO_CIPHER_ALG_AES_192: |
| 279 | case QCRYPTO_CIPHER_ALG_AES_256: |
| 280 | if (digestlen == qcrypto_cipher_get_key_len( |
| 281 | QCRYPTO_CIPHER_ALG_AES_128)) { |
| 282 | return QCRYPTO_CIPHER_ALG_AES_128; |
| 283 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 284 | QCRYPTO_CIPHER_ALG_AES_192)) { |
| 285 | return QCRYPTO_CIPHER_ALG_AES_192; |
| 286 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 287 | QCRYPTO_CIPHER_ALG_AES_256)) { |
| 288 | return QCRYPTO_CIPHER_ALG_AES_256; |
| 289 | } else { |
| 290 | error_setg(errp, "No AES cipher with key size %zu available", |
| 291 | digestlen); |
| 292 | return 0; |
| 293 | } |
| 294 | break; |
| 295 | case QCRYPTO_CIPHER_ALG_SERPENT_128: |
| 296 | case QCRYPTO_CIPHER_ALG_SERPENT_192: |
| 297 | case QCRYPTO_CIPHER_ALG_SERPENT_256: |
| 298 | if (digestlen == qcrypto_cipher_get_key_len( |
| 299 | QCRYPTO_CIPHER_ALG_SERPENT_128)) { |
| 300 | return QCRYPTO_CIPHER_ALG_SERPENT_128; |
| 301 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 302 | QCRYPTO_CIPHER_ALG_SERPENT_192)) { |
| 303 | return QCRYPTO_CIPHER_ALG_SERPENT_192; |
| 304 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 305 | QCRYPTO_CIPHER_ALG_SERPENT_256)) { |
| 306 | return QCRYPTO_CIPHER_ALG_SERPENT_256; |
| 307 | } else { |
| 308 | error_setg(errp, "No Serpent cipher with key size %zu available", |
| 309 | digestlen); |
| 310 | return 0; |
| 311 | } |
| 312 | break; |
| 313 | case QCRYPTO_CIPHER_ALG_TWOFISH_128: |
| 314 | case QCRYPTO_CIPHER_ALG_TWOFISH_192: |
| 315 | case QCRYPTO_CIPHER_ALG_TWOFISH_256: |
| 316 | if (digestlen == qcrypto_cipher_get_key_len( |
| 317 | QCRYPTO_CIPHER_ALG_TWOFISH_128)) { |
| 318 | return QCRYPTO_CIPHER_ALG_TWOFISH_128; |
| 319 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 320 | QCRYPTO_CIPHER_ALG_TWOFISH_192)) { |
| 321 | return QCRYPTO_CIPHER_ALG_TWOFISH_192; |
| 322 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 323 | QCRYPTO_CIPHER_ALG_TWOFISH_256)) { |
| 324 | return QCRYPTO_CIPHER_ALG_TWOFISH_256; |
| 325 | } else { |
| 326 | error_setg(errp, "No Twofish cipher with key size %zu available", |
| 327 | digestlen); |
| 328 | return 0; |
| 329 | } |
| 330 | break; |
| 331 | default: |
| 332 | error_setg(errp, "Cipher %s not supported with essiv", |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 333 | QCryptoCipherAlgorithm_str(cipher)); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 334 | return 0; |
| 335 | } |
| 336 | } |
| 337 | |
| 338 | /* |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 339 | * Returns number of sectors needed to store the key material |
| 340 | * given number of anti forensic stripes |
| 341 | */ |
| 342 | static int |
| 343 | qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks, |
| 344 | unsigned int header_sectors, |
| 345 | unsigned int stripes) |
| 346 | { |
| 347 | /* |
| 348 | * This calculation doesn't match that shown in the spec, |
| 349 | * but instead follows the cryptsetup implementation. |
| 350 | */ |
| 351 | |
| 352 | size_t splitkeylen = luks->header.master_key_len * stripes; |
| 353 | |
| 354 | /* First align the key material size to block size*/ |
| 355 | size_t splitkeylen_sectors = |
| 356 | DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE); |
| 357 | |
| 358 | /* Then also align the key material size to the size of the header */ |
| 359 | return ROUND_UP(splitkeylen_sectors, header_sectors); |
| 360 | } |
| 361 | |
Daniel P. Berrangé | 98c72df | 2022-05-10 15:40:55 +0100 | [diff] [blame] | 362 | |
| 363 | void |
| 364 | qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr) |
| 365 | { |
| 366 | size_t i; |
| 367 | |
| 368 | /* |
| 369 | * Everything on disk uses Big Endian (tm), so flip header fields |
| 370 | * before writing them |
| 371 | */ |
| 372 | cpu_to_be16s(&hdr->version); |
| 373 | cpu_to_be32s(&hdr->payload_offset_sector); |
| 374 | cpu_to_be32s(&hdr->master_key_len); |
| 375 | cpu_to_be32s(&hdr->master_key_iterations); |
| 376 | |
| 377 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 378 | cpu_to_be32s(&hdr->key_slots[i].active); |
| 379 | cpu_to_be32s(&hdr->key_slots[i].iterations); |
| 380 | cpu_to_be32s(&hdr->key_slots[i].key_offset_sector); |
| 381 | cpu_to_be32s(&hdr->key_slots[i].stripes); |
| 382 | } |
| 383 | } |
| 384 | |
| 385 | void |
| 386 | qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr) |
| 387 | { |
| 388 | size_t i; |
| 389 | |
| 390 | /* |
| 391 | * The header is always stored in big-endian format, so |
| 392 | * convert everything to native |
| 393 | */ |
| 394 | be16_to_cpus(&hdr->version); |
| 395 | be32_to_cpus(&hdr->payload_offset_sector); |
| 396 | be32_to_cpus(&hdr->master_key_len); |
| 397 | be32_to_cpus(&hdr->master_key_iterations); |
| 398 | |
| 399 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 400 | be32_to_cpus(&hdr->key_slots[i].active); |
| 401 | be32_to_cpus(&hdr->key_slots[i].iterations); |
| 402 | be32_to_cpus(&hdr->key_slots[i].key_offset_sector); |
| 403 | be32_to_cpus(&hdr->key_slots[i].stripes); |
| 404 | } |
| 405 | } |
| 406 | |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 407 | /* |
Michael Tokarev | 0a19d87 | 2023-07-14 14:33:49 +0300 | [diff] [blame] | 408 | * Stores the main LUKS header, taking care of endianness |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 409 | */ |
| 410 | static int |
| 411 | qcrypto_block_luks_store_header(QCryptoBlock *block, |
| 412 | QCryptoBlockWriteFunc writefunc, |
| 413 | void *opaque, |
| 414 | Error **errp) |
| 415 | { |
| 416 | const QCryptoBlockLUKS *luks = block->opaque; |
| 417 | Error *local_err = NULL; |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 418 | g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL; |
| 419 | |
| 420 | /* Create a copy of the header */ |
| 421 | hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1); |
| 422 | memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader)); |
| 423 | |
Daniel P. Berrangé | 98c72df | 2022-05-10 15:40:55 +0100 | [diff] [blame] | 424 | qcrypto_block_luks_to_disk_endian(hdr_copy); |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 425 | |
| 426 | /* Write out the partition header and key slot headers */ |
| 427 | writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy), |
| 428 | opaque, &local_err); |
| 429 | |
| 430 | if (local_err) { |
| 431 | error_propagate(errp, local_err); |
| 432 | return -1; |
| 433 | } |
| 434 | return 0; |
| 435 | } |
| 436 | |
| 437 | /* |
Michael Tokarev | 0a19d87 | 2023-07-14 14:33:49 +0300 | [diff] [blame] | 438 | * Loads the main LUKS header, and byteswaps it to native endianness |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 439 | * And run basic sanity checks on it |
| 440 | */ |
| 441 | static int |
| 442 | qcrypto_block_luks_load_header(QCryptoBlock *block, |
| 443 | QCryptoBlockReadFunc readfunc, |
| 444 | void *opaque, |
| 445 | Error **errp) |
| 446 | { |
Alberto Faria | 757dda5 | 2022-06-09 16:27:38 +0100 | [diff] [blame] | 447 | int rv; |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 448 | QCryptoBlockLUKS *luks = block->opaque; |
| 449 | |
| 450 | /* |
| 451 | * Read the entire LUKS header, minus the key material from |
| 452 | * the underlying device |
| 453 | */ |
| 454 | rv = readfunc(block, 0, |
| 455 | (uint8_t *)&luks->header, |
| 456 | sizeof(luks->header), |
| 457 | opaque, |
| 458 | errp); |
| 459 | if (rv < 0) { |
| 460 | return rv; |
| 461 | } |
| 462 | |
Daniel P. Berrangé | 98c72df | 2022-05-10 15:40:55 +0100 | [diff] [blame] | 463 | qcrypto_block_luks_from_disk_endian(&luks->header); |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 464 | |
| 465 | return 0; |
| 466 | } |
| 467 | |
| 468 | /* |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 469 | * Does basic sanity checks on the LUKS header |
| 470 | */ |
| 471 | static int |
Hyman Huang | 9ad5c4e | 2024-01-30 13:37:19 +0800 | [diff] [blame] | 472 | qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, |
| 473 | unsigned int flags, |
| 474 | Error **errp) |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 475 | { |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 476 | size_t i, j; |
| 477 | |
| 478 | unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / |
| 479 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
Hyman Huang | 9ad5c4e | 2024-01-30 13:37:19 +0800 | [diff] [blame] | 480 | bool detached = flags & QCRYPTO_BLOCK_OPEN_DETACHED; |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 481 | |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 482 | if (memcmp(luks->header.magic, qcrypto_block_luks_magic, |
| 483 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { |
| 484 | error_setg(errp, "Volume is not in LUKS format"); |
| 485 | return -1; |
| 486 | } |
| 487 | |
| 488 | if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { |
| 489 | error_setg(errp, "LUKS version %" PRIu32 " is not supported", |
| 490 | luks->header.version); |
| 491 | return -1; |
| 492 | } |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 493 | |
Daniel P. Berrangé | c1d8634 | 2022-05-10 14:17:43 +0100 | [diff] [blame] | 494 | if (!memchr(luks->header.cipher_name, '\0', |
| 495 | sizeof(luks->header.cipher_name))) { |
| 496 | error_setg(errp, "LUKS header cipher name is not NUL terminated"); |
| 497 | return -1; |
| 498 | } |
| 499 | |
| 500 | if (!memchr(luks->header.cipher_mode, '\0', |
| 501 | sizeof(luks->header.cipher_mode))) { |
| 502 | error_setg(errp, "LUKS header cipher mode is not NUL terminated"); |
| 503 | return -1; |
| 504 | } |
| 505 | |
| 506 | if (!memchr(luks->header.hash_spec, '\0', |
| 507 | sizeof(luks->header.hash_spec))) { |
| 508 | error_setg(errp, "LUKS header hash spec is not NUL terminated"); |
| 509 | return -1; |
| 510 | } |
| 511 | |
Hyman Huang | 9ad5c4e | 2024-01-30 13:37:19 +0800 | [diff] [blame] | 512 | if (!detached && luks->header.payload_offset_sector < |
Daniel P. Berrangé | d233fbc | 2022-09-05 13:50:03 +0100 | [diff] [blame] | 513 | DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, |
| 514 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { |
| 515 | error_setg(errp, "LUKS payload is overlapping with the header"); |
| 516 | return -1; |
| 517 | } |
| 518 | |
Daniel P. Berrangé | b57151a | 2022-09-05 13:52:29 +0100 | [diff] [blame] | 519 | if (luks->header.master_key_iterations == 0) { |
| 520 | error_setg(errp, "LUKS key iteration count is zero"); |
| 521 | return -1; |
| 522 | } |
| 523 | |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 524 | /* Check all keyslots for corruption */ |
| 525 | for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) { |
| 526 | |
| 527 | const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i]; |
| 528 | unsigned int start1 = slot1->key_offset_sector; |
| 529 | unsigned int len1 = |
| 530 | qcrypto_block_luks_splitkeylen_sectors(luks, |
| 531 | header_sectors, |
| 532 | slot1->stripes); |
| 533 | |
Daniel P. Berrangé | f119596 | 2022-05-10 14:27:33 +0100 | [diff] [blame] | 534 | if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) { |
| 535 | error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)", |
| 536 | i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES); |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 537 | return -1; |
| 538 | } |
| 539 | |
| 540 | if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED && |
| 541 | slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { |
| 542 | error_setg(errp, |
| 543 | "Keyslot %zu state (active/disable) is corrupted", i); |
| 544 | return -1; |
| 545 | } |
| 546 | |
Daniel P. Berrangé | b57151a | 2022-09-05 13:52:29 +0100 | [diff] [blame] | 547 | if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED && |
| 548 | slot1->iterations == 0) { |
| 549 | error_setg(errp, "Keyslot %zu iteration count is zero", i); |
| 550 | return -1; |
| 551 | } |
| 552 | |
Daniel P. Berrangé | c5f6962 | 2022-09-05 13:57:01 +0100 | [diff] [blame] | 553 | if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, |
Daniel P. Berrangé | 93569c3 | 2022-05-10 14:35:57 +0100 | [diff] [blame] | 554 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { |
| 555 | error_setg(errp, |
| 556 | "Keyslot %zu is overlapping with the LUKS header", |
| 557 | i); |
| 558 | return -1; |
| 559 | } |
| 560 | |
Hyman Huang | 9ad5c4e | 2024-01-30 13:37:19 +0800 | [diff] [blame] | 561 | if (!detached && start1 + len1 > luks->header.payload_offset_sector) { |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 562 | error_setg(errp, |
| 563 | "Keyslot %zu is overlapping with the encrypted payload", |
| 564 | i); |
| 565 | return -1; |
| 566 | } |
| 567 | |
| 568 | for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) { |
| 569 | const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j]; |
| 570 | unsigned int start2 = slot2->key_offset_sector; |
| 571 | unsigned int len2 = |
| 572 | qcrypto_block_luks_splitkeylen_sectors(luks, |
| 573 | header_sectors, |
| 574 | slot2->stripes); |
| 575 | |
Yao Xingtao | 7cd9b9d | 2024-07-22 00:07:40 -0400 | [diff] [blame^] | 576 | if (ranges_overlap(start1, len1, start2, len2)) { |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 577 | error_setg(errp, |
| 578 | "Keyslots %zu and %zu are overlapping in the header", |
| 579 | i, j); |
| 580 | return -1; |
| 581 | } |
| 582 | } |
| 583 | |
| 584 | } |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 585 | return 0; |
| 586 | } |
| 587 | |
| 588 | /* |
| 589 | * Parses the crypto parameters that are stored in the LUKS header |
| 590 | */ |
| 591 | |
| 592 | static int |
| 593 | qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp) |
| 594 | { |
| 595 | g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode); |
| 596 | char *ivgen_name, *ivhash_name; |
| 597 | Error *local_err = NULL; |
| 598 | |
| 599 | /* |
| 600 | * The cipher_mode header contains a string that we have |
| 601 | * to further parse, of the format |
| 602 | * |
| 603 | * <cipher-mode>-<iv-generator>[:<iv-hash>] |
| 604 | * |
| 605 | * eg cbc-essiv:sha256, cbc-plain64 |
| 606 | */ |
| 607 | ivgen_name = strchr(cipher_mode, '-'); |
| 608 | if (!ivgen_name) { |
Daniel P. Berrangé | 6c19893 | 2022-09-05 12:08:21 +0100 | [diff] [blame] | 609 | error_setg(errp, "Unexpected cipher mode string format '%s'", |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 610 | luks->header.cipher_mode); |
| 611 | return -1; |
| 612 | } |
| 613 | *ivgen_name = '\0'; |
| 614 | ivgen_name++; |
| 615 | |
| 616 | ivhash_name = strchr(ivgen_name, ':'); |
| 617 | if (!ivhash_name) { |
| 618 | luks->ivgen_hash_alg = 0; |
| 619 | } else { |
| 620 | *ivhash_name = '\0'; |
| 621 | ivhash_name++; |
| 622 | |
| 623 | luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name, |
| 624 | &local_err); |
| 625 | if (local_err) { |
| 626 | error_propagate(errp, local_err); |
| 627 | return -1; |
| 628 | } |
| 629 | } |
| 630 | |
| 631 | luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode, |
| 632 | &local_err); |
| 633 | if (local_err) { |
| 634 | error_propagate(errp, local_err); |
| 635 | return -1; |
| 636 | } |
| 637 | |
| 638 | luks->cipher_alg = |
| 639 | qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, |
| 640 | luks->cipher_mode, |
| 641 | luks->header.master_key_len, |
| 642 | &local_err); |
| 643 | if (local_err) { |
| 644 | error_propagate(errp, local_err); |
| 645 | return -1; |
| 646 | } |
| 647 | |
| 648 | luks->hash_alg = |
| 649 | qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, |
| 650 | &local_err); |
| 651 | if (local_err) { |
| 652 | error_propagate(errp, local_err); |
| 653 | return -1; |
| 654 | } |
| 655 | |
| 656 | luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, |
| 657 | &local_err); |
| 658 | if (local_err) { |
| 659 | error_propagate(errp, local_err); |
| 660 | return -1; |
| 661 | } |
| 662 | |
| 663 | if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
| 664 | if (!ivhash_name) { |
| 665 | error_setg(errp, "Missing IV generator hash specification"); |
| 666 | return -1; |
| 667 | } |
| 668 | luks->ivgen_cipher_alg = |
| 669 | qcrypto_block_luks_essiv_cipher(luks->cipher_alg, |
| 670 | luks->ivgen_hash_alg, |
| 671 | &local_err); |
| 672 | if (local_err) { |
| 673 | error_propagate(errp, local_err); |
| 674 | return -1; |
| 675 | } |
| 676 | } else { |
| 677 | |
| 678 | /* |
| 679 | * Note we parsed the ivhash_name earlier in the cipher_mode |
| 680 | * spec string even with plain/plain64 ivgens, but we |
| 681 | * will ignore it, since it is irrelevant for these ivgens. |
| 682 | * This is for compat with dm-crypt which will silently |
| 683 | * ignore hash names with these ivgens rather than report |
| 684 | * an error about the invalid usage |
| 685 | */ |
| 686 | luks->ivgen_cipher_alg = luks->cipher_alg; |
| 687 | } |
| 688 | return 0; |
| 689 | } |
| 690 | |
| 691 | /* |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 692 | * Given a key slot, user password, and the master key, |
| 693 | * will store the encrypted master key there, and update the |
| 694 | * in-memory header. User must then write the in-memory header |
| 695 | * |
| 696 | * Returns: |
| 697 | * 0 if the keyslot was written successfully |
| 698 | * with the provided password |
| 699 | * -1 if a fatal error occurred while storing the key |
| 700 | */ |
| 701 | static int |
| 702 | qcrypto_block_luks_store_key(QCryptoBlock *block, |
| 703 | unsigned int slot_idx, |
| 704 | const char *password, |
| 705 | uint8_t *masterkey, |
| 706 | uint64_t iter_time, |
| 707 | QCryptoBlockWriteFunc writefunc, |
| 708 | void *opaque, |
| 709 | Error **errp) |
| 710 | { |
| 711 | QCryptoBlockLUKS *luks = block->opaque; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 712 | QCryptoBlockLUKSKeySlot *slot; |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 713 | g_autofree uint8_t *splitkey = NULL; |
| 714 | size_t splitkeylen; |
| 715 | g_autofree uint8_t *slotkey = NULL; |
| 716 | g_autoptr(QCryptoCipher) cipher = NULL; |
| 717 | g_autoptr(QCryptoIVGen) ivgen = NULL; |
| 718 | Error *local_err = NULL; |
| 719 | uint64_t iters; |
| 720 | int ret = -1; |
| 721 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 722 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 723 | slot = &luks->header.key_slots[slot_idx]; |
Akihiko Odaki | 55a01ca | 2023-05-22 20:47:37 +0900 | [diff] [blame] | 724 | splitkeylen = luks->header.master_key_len * slot->stripes; |
| 725 | |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 726 | if (qcrypto_random_bytes(slot->salt, |
| 727 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 728 | errp) < 0) { |
| 729 | goto cleanup; |
| 730 | } |
| 731 | |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 732 | /* |
| 733 | * Determine how many iterations are required to |
| 734 | * hash the user password while consuming 1 second of compute |
| 735 | * time |
| 736 | */ |
| 737 | iters = qcrypto_pbkdf2_count_iters(luks->hash_alg, |
| 738 | (uint8_t *)password, strlen(password), |
| 739 | slot->salt, |
| 740 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 741 | luks->header.master_key_len, |
| 742 | &local_err); |
| 743 | if (local_err) { |
| 744 | error_propagate(errp, local_err); |
| 745 | goto cleanup; |
| 746 | } |
| 747 | |
| 748 | if (iters > (ULLONG_MAX / iter_time)) { |
| 749 | error_setg_errno(errp, ERANGE, |
| 750 | "PBKDF iterations %llu too large to scale", |
| 751 | (unsigned long long)iters); |
| 752 | goto cleanup; |
| 753 | } |
| 754 | |
| 755 | /* iter_time was in millis, but count_iters reported for secs */ |
| 756 | iters = iters * iter_time / 1000; |
| 757 | |
| 758 | if (iters > UINT32_MAX) { |
| 759 | error_setg_errno(errp, ERANGE, |
| 760 | "PBKDF iterations %llu larger than %u", |
| 761 | (unsigned long long)iters, UINT32_MAX); |
| 762 | goto cleanup; |
| 763 | } |
| 764 | |
| 765 | slot->iterations = |
| 766 | MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); |
| 767 | |
| 768 | |
| 769 | /* |
| 770 | * Generate a key that we'll use to encrypt the master |
| 771 | * key, from the user's password |
| 772 | */ |
| 773 | slotkey = g_new0(uint8_t, luks->header.master_key_len); |
| 774 | if (qcrypto_pbkdf2(luks->hash_alg, |
| 775 | (uint8_t *)password, strlen(password), |
| 776 | slot->salt, |
| 777 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 778 | slot->iterations, |
| 779 | slotkey, luks->header.master_key_len, |
| 780 | errp) < 0) { |
| 781 | goto cleanup; |
| 782 | } |
| 783 | |
| 784 | |
| 785 | /* |
| 786 | * Setup the encryption objects needed to encrypt the |
| 787 | * master key material |
| 788 | */ |
| 789 | cipher = qcrypto_cipher_new(luks->cipher_alg, |
| 790 | luks->cipher_mode, |
| 791 | slotkey, luks->header.master_key_len, |
| 792 | errp); |
| 793 | if (!cipher) { |
| 794 | goto cleanup; |
| 795 | } |
| 796 | |
| 797 | ivgen = qcrypto_ivgen_new(luks->ivgen_alg, |
| 798 | luks->ivgen_cipher_alg, |
| 799 | luks->ivgen_hash_alg, |
| 800 | slotkey, luks->header.master_key_len, |
| 801 | errp); |
| 802 | if (!ivgen) { |
| 803 | goto cleanup; |
| 804 | } |
| 805 | |
| 806 | /* |
| 807 | * Before storing the master key, we need to vastly |
| 808 | * increase its size, as protection against forensic |
| 809 | * disk data recovery |
| 810 | */ |
| 811 | splitkey = g_new0(uint8_t, splitkeylen); |
| 812 | |
| 813 | if (qcrypto_afsplit_encode(luks->hash_alg, |
| 814 | luks->header.master_key_len, |
| 815 | slot->stripes, |
| 816 | masterkey, |
| 817 | splitkey, |
| 818 | errp) < 0) { |
| 819 | goto cleanup; |
| 820 | } |
| 821 | |
| 822 | /* |
| 823 | * Now we encrypt the split master key with the key generated |
| 824 | * from the user's password, before storing it |
| 825 | */ |
| 826 | if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen, |
| 827 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 828 | 0, |
| 829 | splitkey, |
| 830 | splitkeylen, |
| 831 | errp) < 0) { |
| 832 | goto cleanup; |
| 833 | } |
| 834 | |
| 835 | /* Write out the slot's master key material. */ |
| 836 | if (writefunc(block, |
| 837 | slot->key_offset_sector * |
| 838 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 839 | splitkey, splitkeylen, |
| 840 | opaque, |
Alberto Faria | 757dda5 | 2022-06-09 16:27:38 +0100 | [diff] [blame] | 841 | errp) < 0) { |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 842 | goto cleanup; |
| 843 | } |
| 844 | |
| 845 | slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; |
| 846 | |
| 847 | if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) { |
| 848 | goto cleanup; |
| 849 | } |
| 850 | |
| 851 | ret = 0; |
| 852 | |
| 853 | cleanup: |
| 854 | if (slotkey) { |
| 855 | memset(slotkey, 0, luks->header.master_key_len); |
| 856 | } |
| 857 | if (splitkey) { |
| 858 | memset(splitkey, 0, splitkeylen); |
| 859 | } |
| 860 | return ret; |
| 861 | } |
| 862 | |
| 863 | /* |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 864 | * Given a key slot, and user password, this will attempt to unlock |
| 865 | * the master encryption key from the key slot. |
| 866 | * |
| 867 | * Returns: |
| 868 | * 0 if the key slot is disabled, or key could not be decrypted |
| 869 | * with the provided password |
| 870 | * 1 if the key slot is enabled, and key decrypted successfully |
| 871 | * with the provided password |
| 872 | * -1 if a fatal error occurred loading the key |
| 873 | */ |
| 874 | static int |
| 875 | qcrypto_block_luks_load_key(QCryptoBlock *block, |
Maxim Levitsky | 7e60a6f | 2019-09-26 00:35:19 +0300 | [diff] [blame] | 876 | size_t slot_idx, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 877 | const char *password, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 878 | uint8_t *masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 879 | QCryptoBlockReadFunc readfunc, |
| 880 | void *opaque, |
| 881 | Error **errp) |
| 882 | { |
| 883 | QCryptoBlockLUKS *luks = block->opaque; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 884 | const QCryptoBlockLUKSKeySlot *slot; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 885 | g_autofree uint8_t *splitkey = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 886 | size_t splitkeylen; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 887 | g_autofree uint8_t *possiblekey = NULL; |
Alberto Faria | 757dda5 | 2022-06-09 16:27:38 +0100 | [diff] [blame] | 888 | int rv; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 889 | g_autoptr(QCryptoCipher) cipher = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 890 | uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 891 | g_autoptr(QCryptoIVGen) ivgen = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 892 | size_t niv; |
| 893 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 894 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 895 | slot = &luks->header.key_slots[slot_idx]; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 896 | if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { |
| 897 | return 0; |
| 898 | } |
| 899 | |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 900 | splitkeylen = luks->header.master_key_len * slot->stripes; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 901 | splitkey = g_new0(uint8_t, splitkeylen); |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 902 | possiblekey = g_new0(uint8_t, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 903 | |
| 904 | /* |
| 905 | * The user password is used to generate a (possible) |
| 906 | * decryption key. This may or may not successfully |
| 907 | * decrypt the master key - we just blindly assume |
| 908 | * the key is correct and validate the results of |
| 909 | * decryption later. |
| 910 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 911 | if (qcrypto_pbkdf2(luks->hash_alg, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 912 | (const uint8_t *)password, strlen(password), |
| 913 | slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 914 | slot->iterations, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 915 | possiblekey, luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 916 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 917 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 918 | } |
| 919 | |
| 920 | /* |
| 921 | * We need to read the master key material from the |
| 922 | * LUKS key material header. What we're reading is |
| 923 | * not the raw master key, but rather the data after |
| 924 | * it has been passed through AFSplit and the result |
| 925 | * then encrypted. |
| 926 | */ |
| 927 | rv = readfunc(block, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 928 | slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 929 | splitkey, splitkeylen, |
Daniel P. Berrange | e4a3507 | 2017-04-24 16:33:15 +0100 | [diff] [blame] | 930 | opaque, |
Fam Zheng | 3750923 | 2017-04-21 20:27:02 +0800 | [diff] [blame] | 931 | errp); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 932 | if (rv < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 933 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 934 | } |
| 935 | |
| 936 | |
| 937 | /* Setup the cipher/ivgen that we'll use to try to decrypt |
| 938 | * the split master key material */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 939 | cipher = qcrypto_cipher_new(luks->cipher_alg, |
| 940 | luks->cipher_mode, |
| 941 | possiblekey, |
| 942 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 943 | errp); |
| 944 | if (!cipher) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 945 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 946 | } |
| 947 | |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 948 | niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, |
| 949 | luks->cipher_mode); |
| 950 | |
| 951 | ivgen = qcrypto_ivgen_new(luks->ivgen_alg, |
| 952 | luks->ivgen_cipher_alg, |
| 953 | luks->ivgen_hash_alg, |
| 954 | possiblekey, |
| 955 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 956 | errp); |
| 957 | if (!ivgen) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 958 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 959 | } |
| 960 | |
| 961 | |
| 962 | /* |
| 963 | * The master key needs to be decrypted in the same |
| 964 | * way that the block device payload will be decrypted |
| 965 | * later. In particular we'll be using the IV generator |
| 966 | * to reset the encryption cipher every time the master |
| 967 | * key crosses a sector boundary. |
| 968 | */ |
Vladimir Sementsov-Ogievskiy | 0270417 | 2018-12-07 19:13:49 +0300 | [diff] [blame] | 969 | if (qcrypto_block_cipher_decrypt_helper(cipher, |
| 970 | niv, |
| 971 | ivgen, |
| 972 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 973 | 0, |
| 974 | splitkey, |
| 975 | splitkeylen, |
| 976 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 977 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 978 | } |
| 979 | |
| 980 | /* |
| 981 | * Now we've decrypted the split master key, join |
| 982 | * it back together to get the actual master key. |
| 983 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 984 | if (qcrypto_afsplit_decode(luks->hash_alg, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 985 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 986 | slot->stripes, |
| 987 | splitkey, |
| 988 | masterkey, |
| 989 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 990 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 991 | } |
| 992 | |
| 993 | |
| 994 | /* |
| 995 | * We still don't know that the masterkey we got is valid, |
| 996 | * because we just blindly assumed the user's password |
| 997 | * was correct. This is where we now verify it. We are |
| 998 | * creating a hash of the master key using PBKDF and |
| 999 | * then comparing that to the hash stored in the key slot |
| 1000 | * header |
| 1001 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1002 | if (qcrypto_pbkdf2(luks->hash_alg, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1003 | masterkey, |
| 1004 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1005 | luks->header.master_key_salt, |
| 1006 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 1007 | luks->header.master_key_iterations, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1008 | keydigest, |
| 1009 | G_N_ELEMENTS(keydigest), |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1010 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1011 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1012 | } |
| 1013 | |
| 1014 | if (memcmp(keydigest, luks->header.master_key_digest, |
| 1015 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { |
| 1016 | /* Success, we got the right master key */ |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1017 | return 1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1018 | } |
| 1019 | |
| 1020 | /* Fail, user's password was not valid for this key slot, |
| 1021 | * tell caller to try another slot */ |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1022 | return 0; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1023 | } |
| 1024 | |
| 1025 | |
| 1026 | /* |
| 1027 | * Given a user password, this will iterate over all key |
| 1028 | * slots and try to unlock each active key slot using the |
| 1029 | * password until it successfully obtains a master key. |
| 1030 | * |
| 1031 | * Returns 0 if a key was loaded, -1 if no keys could be loaded |
| 1032 | */ |
| 1033 | static int |
| 1034 | qcrypto_block_luks_find_key(QCryptoBlock *block, |
| 1035 | const char *password, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1036 | uint8_t *masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1037 | QCryptoBlockReadFunc readfunc, |
| 1038 | void *opaque, |
| 1039 | Error **errp) |
| 1040 | { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1041 | size_t i; |
| 1042 | int rv; |
| 1043 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1044 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1045 | rv = qcrypto_block_luks_load_key(block, |
Maxim Levitsky | 7e60a6f | 2019-09-26 00:35:19 +0300 | [diff] [blame] | 1046 | i, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1047 | password, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1048 | masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1049 | readfunc, |
| 1050 | opaque, |
| 1051 | errp); |
| 1052 | if (rv < 0) { |
| 1053 | goto error; |
| 1054 | } |
| 1055 | if (rv == 1) { |
| 1056 | return 0; |
| 1057 | } |
| 1058 | } |
| 1059 | |
| 1060 | error_setg(errp, "Invalid password, cannot unlock any keyslot"); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1061 | error: |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1062 | return -1; |
| 1063 | } |
| 1064 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1065 | /* |
| 1066 | * Returns true if a slot i is marked as active |
| 1067 | * (contains encrypted copy of the master key) |
| 1068 | */ |
| 1069 | static bool |
| 1070 | qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks, |
| 1071 | unsigned int slot_idx) |
| 1072 | { |
| 1073 | uint32_t val; |
| 1074 | |
| 1075 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 1076 | val = luks->header.key_slots[slot_idx].active; |
| 1077 | return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; |
| 1078 | } |
| 1079 | |
| 1080 | /* |
| 1081 | * Returns the number of slots that are marked as active |
| 1082 | * (slots that contain encrypted copy of the master key) |
| 1083 | */ |
| 1084 | static unsigned int |
| 1085 | qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks) |
| 1086 | { |
| 1087 | size_t i = 0; |
| 1088 | unsigned int ret = 0; |
| 1089 | |
| 1090 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1091 | if (qcrypto_block_luks_slot_active(luks, i)) { |
| 1092 | ret++; |
| 1093 | } |
| 1094 | } |
| 1095 | return ret; |
| 1096 | } |
| 1097 | |
| 1098 | /* |
| 1099 | * Finds first key slot which is not active |
| 1100 | * Returns the key slot index, or -1 if it doesn't exist |
| 1101 | */ |
| 1102 | static int |
| 1103 | qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks) |
| 1104 | { |
| 1105 | size_t i; |
| 1106 | |
| 1107 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1108 | if (!qcrypto_block_luks_slot_active(luks, i)) { |
| 1109 | return i; |
| 1110 | } |
| 1111 | } |
| 1112 | return -1; |
| 1113 | } |
| 1114 | |
| 1115 | /* |
| 1116 | * Erases an keyslot given its index |
| 1117 | * Returns: |
| 1118 | * 0 if the keyslot was erased successfully |
| 1119 | * -1 if a error occurred while erasing the keyslot |
| 1120 | * |
| 1121 | */ |
| 1122 | static int |
| 1123 | qcrypto_block_luks_erase_key(QCryptoBlock *block, |
| 1124 | unsigned int slot_idx, |
| 1125 | QCryptoBlockWriteFunc writefunc, |
| 1126 | void *opaque, |
| 1127 | Error **errp) |
| 1128 | { |
| 1129 | QCryptoBlockLUKS *luks = block->opaque; |
| 1130 | QCryptoBlockLUKSKeySlot *slot; |
| 1131 | g_autofree uint8_t *garbagesplitkey = NULL; |
| 1132 | size_t splitkeylen; |
| 1133 | size_t i; |
| 1134 | Error *local_err = NULL; |
| 1135 | int ret; |
| 1136 | |
| 1137 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 1138 | slot = &luks->header.key_slots[slot_idx]; |
| 1139 | |
| 1140 | splitkeylen = luks->header.master_key_len * slot->stripes; |
| 1141 | assert(splitkeylen > 0); |
| 1142 | |
| 1143 | garbagesplitkey = g_new0(uint8_t, splitkeylen); |
| 1144 | |
| 1145 | /* Reset the key slot header */ |
| 1146 | memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN); |
| 1147 | slot->iterations = 0; |
| 1148 | slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; |
| 1149 | |
| 1150 | ret = qcrypto_block_luks_store_header(block, writefunc, |
| 1151 | opaque, &local_err); |
| 1152 | |
| 1153 | if (ret < 0) { |
| 1154 | error_propagate(errp, local_err); |
| 1155 | } |
| 1156 | /* |
| 1157 | * Now try to erase the key material, even if the header |
| 1158 | * update failed |
| 1159 | */ |
| 1160 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) { |
| 1161 | if (qcrypto_random_bytes(garbagesplitkey, |
| 1162 | splitkeylen, &local_err) < 0) { |
| 1163 | /* |
| 1164 | * If we failed to get the random data, still write |
| 1165 | * at least zeros to the key slot at least once |
| 1166 | */ |
| 1167 | error_propagate(errp, local_err); |
| 1168 | |
| 1169 | if (i > 0) { |
| 1170 | return -1; |
| 1171 | } |
| 1172 | } |
| 1173 | if (writefunc(block, |
| 1174 | slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 1175 | garbagesplitkey, |
| 1176 | splitkeylen, |
| 1177 | opaque, |
Alberto Faria | 757dda5 | 2022-06-09 16:27:38 +0100 | [diff] [blame] | 1178 | &local_err) < 0) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1179 | error_propagate(errp, local_err); |
| 1180 | return -1; |
| 1181 | } |
| 1182 | } |
| 1183 | return ret; |
| 1184 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1185 | |
| 1186 | static int |
| 1187 | qcrypto_block_luks_open(QCryptoBlock *block, |
| 1188 | QCryptoBlockOpenOptions *options, |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1189 | const char *optprefix, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1190 | QCryptoBlockReadFunc readfunc, |
| 1191 | void *opaque, |
| 1192 | unsigned int flags, |
| 1193 | Error **errp) |
| 1194 | { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1195 | QCryptoBlockLUKS *luks = NULL; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1196 | g_autofree uint8_t *masterkey = NULL; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1197 | g_autofree char *password = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1198 | |
| 1199 | if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { |
| 1200 | if (!options->u.luks.key_secret) { |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1201 | error_setg(errp, "Parameter '%skey-secret' is required for cipher", |
| 1202 | optprefix ? optprefix : ""); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1203 | return -1; |
| 1204 | } |
| 1205 | password = qcrypto_secret_lookup_as_utf8( |
| 1206 | options->u.luks.key_secret, errp); |
| 1207 | if (!password) { |
| 1208 | return -1; |
| 1209 | } |
| 1210 | } |
| 1211 | |
| 1212 | luks = g_new0(QCryptoBlockLUKS, 1); |
| 1213 | block->opaque = luks; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1214 | luks->secret = g_strdup(options->u.luks.key_secret); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1215 | |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 1216 | if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1217 | goto fail; |
| 1218 | } |
| 1219 | |
Hyman Huang | 9ad5c4e | 2024-01-30 13:37:19 +0800 | [diff] [blame] | 1220 | if (qcrypto_block_luks_check_header(luks, flags, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1221 | goto fail; |
| 1222 | } |
| 1223 | |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 1224 | if (qcrypto_block_luks_parse_header(luks, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1225 | goto fail; |
| 1226 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1227 | |
| 1228 | if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { |
| 1229 | /* Try to find which key slot our password is valid for |
| 1230 | * and unlock the master key from that slot. |
| 1231 | */ |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1232 | |
| 1233 | masterkey = g_new0(uint8_t, luks->header.master_key_len); |
| 1234 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1235 | if (qcrypto_block_luks_find_key(block, |
| 1236 | password, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1237 | masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1238 | readfunc, opaque, |
| 1239 | errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1240 | goto fail; |
| 1241 | } |
| 1242 | |
| 1243 | /* We have a valid master key now, so can setup the |
| 1244 | * block device payload decryption objects |
| 1245 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1246 | block->kdfhash = luks->hash_alg; |
| 1247 | block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, |
| 1248 | luks->cipher_mode); |
| 1249 | |
| 1250 | block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg, |
| 1251 | luks->ivgen_cipher_alg, |
| 1252 | luks->ivgen_hash_alg, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1253 | masterkey, |
| 1254 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1255 | errp); |
| 1256 | if (!block->ivgen) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1257 | goto fail; |
| 1258 | } |
| 1259 | |
Maxim Levitsky | 61dd8a9 | 2019-09-26 00:35:21 +0300 | [diff] [blame] | 1260 | if (qcrypto_block_init_cipher(block, |
| 1261 | luks->cipher_alg, |
| 1262 | luks->cipher_mode, |
| 1263 | masterkey, |
| 1264 | luks->header.master_key_len, |
Maxim Levitsky | 61dd8a9 | 2019-09-26 00:35:21 +0300 | [diff] [blame] | 1265 | errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1266 | goto fail; |
| 1267 | } |
| 1268 | } |
| 1269 | |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1270 | block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1271 | block->payload_offset = luks->header.payload_offset_sector * |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1272 | block->sector_size; |
Hyman Huang | 0bd779e | 2024-01-30 13:37:24 +0800 | [diff] [blame] | 1273 | block->detached_header = (block->payload_offset == 0) ? true : false; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1274 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1275 | return 0; |
| 1276 | |
| 1277 | fail: |
Vladimir Sementsov-Ogievskiy | c972fa1 | 2018-12-07 19:13:51 +0300 | [diff] [blame] | 1278 | qcrypto_block_free_cipher(block); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1279 | qcrypto_ivgen_free(block->ivgen); |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1280 | g_free(luks->secret); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1281 | g_free(luks); |
Maxim Levitsky | 61dd8a9 | 2019-09-26 00:35:21 +0300 | [diff] [blame] | 1282 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1283 | } |
| 1284 | |
| 1285 | |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 1286 | static void |
| 1287 | qcrypto_block_luks_uuid_gen(uint8_t *uuidstr) |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1288 | { |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 1289 | QemuUUID uuid; |
| 1290 | qemu_uuid_generate(&uuid); |
| 1291 | qemu_uuid_unparse(&uuid, (char *)uuidstr); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1292 | } |
| 1293 | |
| 1294 | static int |
| 1295 | qcrypto_block_luks_create(QCryptoBlock *block, |
| 1296 | QCryptoBlockCreateOptions *options, |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1297 | const char *optprefix, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1298 | QCryptoBlockInitFunc initfunc, |
| 1299 | QCryptoBlockWriteFunc writefunc, |
| 1300 | void *opaque, |
| 1301 | Error **errp) |
| 1302 | { |
| 1303 | QCryptoBlockLUKS *luks; |
| 1304 | QCryptoBlockCreateOptionsLUKS luks_opts; |
| 1305 | Error *local_err = NULL; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1306 | g_autofree uint8_t *masterkey = NULL; |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1307 | size_t header_sectors; |
| 1308 | size_t split_key_sectors; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1309 | size_t i; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1310 | g_autofree char *password = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1311 | const char *cipher_alg; |
| 1312 | const char *cipher_mode; |
| 1313 | const char *ivgen_alg; |
| 1314 | const char *ivgen_hash_alg = NULL; |
| 1315 | const char *hash_alg; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1316 | g_autofree char *cipher_mode_spec = NULL; |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1317 | uint64_t iters; |
Hyman Huang | d74523a | 2024-01-30 13:37:21 +0800 | [diff] [blame] | 1318 | uint64_t detached_header_size; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1319 | |
| 1320 | memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); |
Daniel P. Berrange | 3bd1889 | 2016-09-06 18:43:00 +0100 | [diff] [blame] | 1321 | if (!luks_opts.has_iter_time) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1322 | luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; |
Daniel P. Berrange | 3bd1889 | 2016-09-06 18:43:00 +0100 | [diff] [blame] | 1323 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1324 | if (!luks_opts.has_cipher_alg) { |
| 1325 | luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256; |
| 1326 | } |
| 1327 | if (!luks_opts.has_cipher_mode) { |
| 1328 | luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; |
| 1329 | } |
| 1330 | if (!luks_opts.has_ivgen_alg) { |
| 1331 | luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64; |
| 1332 | } |
| 1333 | if (!luks_opts.has_hash_alg) { |
| 1334 | luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; |
| 1335 | } |
Daniel P. Berrange | 8b7cdba | 2016-05-20 17:43:44 +0100 | [diff] [blame] | 1336 | if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
| 1337 | if (!luks_opts.has_ivgen_hash_alg) { |
| 1338 | luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256; |
| 1339 | luks_opts.has_ivgen_hash_alg = true; |
| 1340 | } |
| 1341 | } |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1342 | |
| 1343 | luks = g_new0(QCryptoBlockLUKS, 1); |
| 1344 | block->opaque = luks; |
| 1345 | |
| 1346 | luks->cipher_alg = luks_opts.cipher_alg; |
| 1347 | luks->cipher_mode = luks_opts.cipher_mode; |
| 1348 | luks->ivgen_alg = luks_opts.ivgen_alg; |
| 1349 | luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; |
| 1350 | luks->hash_alg = luks_opts.hash_alg; |
| 1351 | |
| 1352 | |
Daniel P. Berrange | 8b7cdba | 2016-05-20 17:43:44 +0100 | [diff] [blame] | 1353 | /* Note we're allowing ivgen_hash_alg to be set even for |
| 1354 | * non-essiv iv generators that don't need a hash. It will |
| 1355 | * be silently ignored, for compatibility with dm-crypt */ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1356 | |
| 1357 | if (!options->u.luks.key_secret) { |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1358 | error_setg(errp, "Parameter '%skey-secret' is required for cipher", |
| 1359 | optprefix ? optprefix : ""); |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1360 | goto error; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1361 | } |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1362 | luks->secret = g_strdup(options->u.luks.key_secret); |
| 1363 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1364 | password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); |
| 1365 | if (!password) { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1366 | goto error; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1367 | } |
| 1368 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1369 | |
| 1370 | memcpy(luks->header.magic, qcrypto_block_luks_magic, |
| 1371 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN); |
| 1372 | |
| 1373 | /* We populate the header in native endianness initially and |
| 1374 | * then convert everything to big endian just before writing |
| 1375 | * it out to disk |
| 1376 | */ |
| 1377 | luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 1378 | qcrypto_block_luks_uuid_gen(luks->header.uuid); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1379 | |
| 1380 | cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, |
| 1381 | errp); |
| 1382 | if (!cipher_alg) { |
| 1383 | goto error; |
| 1384 | } |
| 1385 | |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 1386 | cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode); |
| 1387 | ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1388 | if (luks_opts.has_ivgen_hash_alg) { |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 1389 | ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1390 | cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, |
| 1391 | ivgen_hash_alg); |
| 1392 | } else { |
| 1393 | cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); |
| 1394 | } |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 1395 | hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1396 | |
| 1397 | |
| 1398 | if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { |
| 1399 | error_setg(errp, "Cipher name '%s' is too long for LUKS header", |
| 1400 | cipher_alg); |
| 1401 | goto error; |
| 1402 | } |
| 1403 | if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { |
| 1404 | error_setg(errp, "Cipher mode '%s' is too long for LUKS header", |
| 1405 | cipher_mode_spec); |
| 1406 | goto error; |
| 1407 | } |
| 1408 | if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { |
| 1409 | error_setg(errp, "Hash name '%s' is too long for LUKS header", |
| 1410 | hash_alg); |
| 1411 | goto error; |
| 1412 | } |
| 1413 | |
| 1414 | if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1415 | luks->ivgen_cipher_alg = |
| 1416 | qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, |
| 1417 | luks_opts.ivgen_hash_alg, |
| 1418 | &local_err); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1419 | if (local_err) { |
| 1420 | error_propagate(errp, local_err); |
| 1421 | goto error; |
| 1422 | } |
| 1423 | } else { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1424 | luks->ivgen_cipher_alg = luks_opts.cipher_alg; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1425 | } |
| 1426 | |
| 1427 | strcpy(luks->header.cipher_name, cipher_alg); |
| 1428 | strcpy(luks->header.cipher_mode, cipher_mode_spec); |
| 1429 | strcpy(luks->header.hash_spec, hash_alg); |
| 1430 | |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1431 | luks->header.master_key_len = |
| 1432 | qcrypto_cipher_get_key_len(luks_opts.cipher_alg); |
| 1433 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1434 | if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1435 | luks->header.master_key_len *= 2; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1436 | } |
| 1437 | |
| 1438 | /* Generate the salt used for hashing the master key |
| 1439 | * with PBKDF later |
| 1440 | */ |
| 1441 | if (qcrypto_random_bytes(luks->header.master_key_salt, |
| 1442 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 1443 | errp) < 0) { |
| 1444 | goto error; |
| 1445 | } |
| 1446 | |
| 1447 | /* Generate random master key */ |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1448 | masterkey = g_new0(uint8_t, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1449 | if (qcrypto_random_bytes(masterkey, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1450 | luks->header.master_key_len, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1451 | goto error; |
| 1452 | } |
| 1453 | |
| 1454 | |
| 1455 | /* Setup the block device payload encryption objects */ |
Vladimir Sementsov-Ogievskiy | c972fa1 | 2018-12-07 19:13:51 +0300 | [diff] [blame] | 1456 | if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg, |
| 1457 | luks_opts.cipher_mode, masterkey, |
Stefan Hajnoczi | af206c2 | 2024-05-27 11:58:50 -0400 | [diff] [blame] | 1458 | luks->header.master_key_len, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1459 | goto error; |
| 1460 | } |
| 1461 | |
| 1462 | block->kdfhash = luks_opts.hash_alg; |
| 1463 | block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, |
| 1464 | luks_opts.cipher_mode); |
| 1465 | block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1466 | luks->ivgen_cipher_alg, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1467 | luks_opts.ivgen_hash_alg, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1468 | masterkey, luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1469 | errp); |
| 1470 | |
| 1471 | if (!block->ivgen) { |
| 1472 | goto error; |
| 1473 | } |
| 1474 | |
| 1475 | |
| 1476 | /* Determine how many iterations we need to hash the master |
| 1477 | * key, in order to have 1 second of compute time used |
| 1478 | */ |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1479 | iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1480 | masterkey, luks->header.master_key_len, |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1481 | luks->header.master_key_salt, |
| 1482 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
Daniel P. Berrange | e74aabc | 2016-09-07 12:43:29 +0100 | [diff] [blame] | 1483 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN, |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1484 | &local_err); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1485 | if (local_err) { |
| 1486 | error_propagate(errp, local_err); |
| 1487 | goto error; |
| 1488 | } |
| 1489 | |
Daniel P. Berrange | 3bd1889 | 2016-09-06 18:43:00 +0100 | [diff] [blame] | 1490 | if (iters > (ULLONG_MAX / luks_opts.iter_time)) { |
| 1491 | error_setg_errno(errp, ERANGE, |
| 1492 | "PBKDF iterations %llu too large to scale", |
| 1493 | (unsigned long long)iters); |
| 1494 | goto error; |
| 1495 | } |
| 1496 | |
| 1497 | /* iter_time was in millis, but count_iters reported for secs */ |
| 1498 | iters = iters * luks_opts.iter_time / 1000; |
| 1499 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1500 | /* Why /= 8 ? That matches cryptsetup, but there's no |
| 1501 | * explanation why they chose /= 8... Probably so that |
| 1502 | * if all 8 keyslots are active we only spend 1 second |
| 1503 | * in total time to check all keys */ |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1504 | iters /= 8; |
| 1505 | if (iters > UINT32_MAX) { |
| 1506 | error_setg_errno(errp, ERANGE, |
| 1507 | "PBKDF iterations %llu larger than %u", |
| 1508 | (unsigned long long)iters, UINT32_MAX); |
| 1509 | goto error; |
| 1510 | } |
| 1511 | iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); |
| 1512 | luks->header.master_key_iterations = iters; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1513 | |
| 1514 | /* Hash the master key, saving the result in the LUKS |
| 1515 | * header. This hash is used when opening the encrypted |
| 1516 | * device to verify that the user password unlocked a |
| 1517 | * valid master key |
| 1518 | */ |
| 1519 | if (qcrypto_pbkdf2(luks_opts.hash_alg, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1520 | masterkey, luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1521 | luks->header.master_key_salt, |
| 1522 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 1523 | luks->header.master_key_iterations, |
| 1524 | luks->header.master_key_digest, |
| 1525 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN, |
| 1526 | errp) < 0) { |
| 1527 | goto error; |
| 1528 | } |
| 1529 | |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1530 | /* start with the sector that follows the header*/ |
| 1531 | header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / |
| 1532 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1533 | |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1534 | split_key_sectors = |
| 1535 | qcrypto_block_luks_splitkeylen_sectors(luks, |
| 1536 | header_sectors, |
| 1537 | QCRYPTO_BLOCK_LUKS_STRIPES); |
| 1538 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1539 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1540 | QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i]; |
| 1541 | slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1542 | |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1543 | slot->key_offset_sector = header_sectors + i * split_key_sectors; |
| 1544 | slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1545 | } |
| 1546 | |
Hyman Huang | d74523a | 2024-01-30 13:37:21 +0800 | [diff] [blame] | 1547 | if (block->detached_header) { |
| 1548 | /* |
| 1549 | * For a detached LUKS header image, set the payload_offset_sector |
| 1550 | * to 0 to specify the starting point for read/write |
| 1551 | */ |
| 1552 | luks->header.payload_offset_sector = 0; |
| 1553 | } else { |
| 1554 | /* |
| 1555 | * The total size of the LUKS headers is the partition header + key |
| 1556 | * slot headers, rounded up to the nearest sector, combined with |
| 1557 | * the size of each master key material region, also rounded up |
| 1558 | * to the nearest sector |
| 1559 | */ |
| 1560 | luks->header.payload_offset_sector = header_sectors + |
| 1561 | QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors; |
| 1562 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1563 | |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1564 | block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1565 | block->payload_offset = luks->header.payload_offset_sector * |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1566 | block->sector_size; |
Hyman Huang | d74523a | 2024-01-30 13:37:21 +0800 | [diff] [blame] | 1567 | detached_header_size = |
| 1568 | (header_sectors + QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * |
| 1569 | split_key_sectors) * block->sector_size; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1570 | |
| 1571 | /* Reserve header space to match payload offset */ |
Hyman Huang | d74523a | 2024-01-30 13:37:21 +0800 | [diff] [blame] | 1572 | initfunc(block, detached_header_size, opaque, &local_err); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1573 | if (local_err) { |
| 1574 | error_propagate(errp, local_err); |
| 1575 | goto error; |
| 1576 | } |
| 1577 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1578 | |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 1579 | /* populate the slot 0 with the password encrypted master key*/ |
| 1580 | /* This will also store the header */ |
| 1581 | if (qcrypto_block_luks_store_key(block, |
| 1582 | 0, |
| 1583 | password, |
| 1584 | masterkey, |
| 1585 | luks_opts.iter_time, |
| 1586 | writefunc, |
| 1587 | opaque, |
| 1588 | errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1589 | goto error; |
| 1590 | } |
| 1591 | |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1592 | memset(masterkey, 0, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1593 | |
| 1594 | return 0; |
| 1595 | |
| 1596 | error: |
| 1597 | if (masterkey) { |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1598 | memset(masterkey, 0, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1599 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1600 | |
Vladimir Sementsov-Ogievskiy | c972fa1 | 2018-12-07 19:13:51 +0300 | [diff] [blame] | 1601 | qcrypto_block_free_cipher(block); |
Vladimir Sementsov-Ogievskiy | b640adc | 2018-12-07 19:13:47 +0300 | [diff] [blame] | 1602 | qcrypto_ivgen_free(block->ivgen); |
| 1603 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1604 | g_free(luks->secret); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1605 | g_free(luks); |
| 1606 | return -1; |
| 1607 | } |
| 1608 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1609 | static int |
| 1610 | qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block, |
| 1611 | QCryptoBlockReadFunc readfunc, |
| 1612 | QCryptoBlockWriteFunc writefunc, |
| 1613 | void *opaque, |
| 1614 | QCryptoBlockAmendOptionsLUKS *opts_luks, |
| 1615 | bool force, |
| 1616 | Error **errp) |
| 1617 | { |
| 1618 | QCryptoBlockLUKS *luks = block->opaque; |
| 1619 | uint64_t iter_time = opts_luks->has_iter_time ? |
| 1620 | opts_luks->iter_time : |
| 1621 | QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; |
| 1622 | int keyslot; |
| 1623 | g_autofree char *old_password = NULL; |
| 1624 | g_autofree char *new_password = NULL; |
| 1625 | g_autofree uint8_t *master_key = NULL; |
| 1626 | |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1627 | char *secret = opts_luks->secret ?: luks->secret; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1628 | |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1629 | if (!opts_luks->new_secret) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1630 | error_setg(errp, "'new-secret' is required to activate a keyslot"); |
| 1631 | return -1; |
| 1632 | } |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1633 | if (opts_luks->old_secret) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1634 | error_setg(errp, |
| 1635 | "'old-secret' must not be given when activating keyslots"); |
| 1636 | return -1; |
| 1637 | } |
| 1638 | |
| 1639 | if (opts_luks->has_keyslot) { |
| 1640 | keyslot = opts_luks->keyslot; |
| 1641 | if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { |
| 1642 | error_setg(errp, |
| 1643 | "Invalid keyslot %u specified, must be between 0 and %u", |
| 1644 | keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); |
| 1645 | return -1; |
| 1646 | } |
| 1647 | } else { |
| 1648 | keyslot = qcrypto_block_luks_find_free_keyslot(luks); |
| 1649 | if (keyslot == -1) { |
| 1650 | error_setg(errp, |
| 1651 | "Can't add a keyslot - all keyslots are in use"); |
| 1652 | return -1; |
| 1653 | } |
| 1654 | } |
| 1655 | |
| 1656 | if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) { |
| 1657 | error_setg(errp, |
| 1658 | "Refusing to overwrite active keyslot %i - " |
| 1659 | "please erase it first", |
| 1660 | keyslot); |
| 1661 | return -1; |
| 1662 | } |
| 1663 | |
| 1664 | /* Locate the password that will be used to retrieve the master key */ |
| 1665 | old_password = qcrypto_secret_lookup_as_utf8(secret, errp); |
| 1666 | if (!old_password) { |
| 1667 | return -1; |
| 1668 | } |
| 1669 | |
| 1670 | /* Retrieve the master key */ |
| 1671 | master_key = g_new0(uint8_t, luks->header.master_key_len); |
| 1672 | |
| 1673 | if (qcrypto_block_luks_find_key(block, old_password, master_key, |
| 1674 | readfunc, opaque, errp) < 0) { |
| 1675 | error_append_hint(errp, "Failed to retrieve the master key"); |
| 1676 | return -1; |
| 1677 | } |
| 1678 | |
| 1679 | /* Locate the new password*/ |
| 1680 | new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp); |
| 1681 | if (!new_password) { |
| 1682 | return -1; |
| 1683 | } |
| 1684 | |
| 1685 | /* Now set the new keyslots */ |
| 1686 | if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key, |
| 1687 | iter_time, writefunc, opaque, errp)) { |
| 1688 | error_append_hint(errp, "Failed to write to keyslot %i", keyslot); |
| 1689 | return -1; |
| 1690 | } |
| 1691 | return 0; |
| 1692 | } |
| 1693 | |
| 1694 | static int |
| 1695 | qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block, |
| 1696 | QCryptoBlockReadFunc readfunc, |
| 1697 | QCryptoBlockWriteFunc writefunc, |
| 1698 | void *opaque, |
| 1699 | QCryptoBlockAmendOptionsLUKS *opts_luks, |
| 1700 | bool force, |
| 1701 | Error **errp) |
| 1702 | { |
| 1703 | QCryptoBlockLUKS *luks = block->opaque; |
| 1704 | g_autofree uint8_t *tmpkey = NULL; |
| 1705 | g_autofree char *old_password = NULL; |
| 1706 | |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1707 | if (opts_luks->new_secret) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1708 | error_setg(errp, |
| 1709 | "'new-secret' must not be given when erasing keyslots"); |
| 1710 | return -1; |
| 1711 | } |
| 1712 | if (opts_luks->has_iter_time) { |
| 1713 | error_setg(errp, |
| 1714 | "'iter-time' must not be given when erasing keyslots"); |
| 1715 | return -1; |
| 1716 | } |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1717 | if (opts_luks->secret) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1718 | error_setg(errp, |
| 1719 | "'secret' must not be given when erasing keyslots"); |
| 1720 | return -1; |
| 1721 | } |
| 1722 | |
| 1723 | /* Load the old password if given */ |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1724 | if (opts_luks->old_secret) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1725 | old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret, |
| 1726 | errp); |
| 1727 | if (!old_password) { |
| 1728 | return -1; |
| 1729 | } |
| 1730 | |
| 1731 | /* |
| 1732 | * Allocate a temporary key buffer that we will need when |
| 1733 | * checking if slot matches the given old password |
| 1734 | */ |
| 1735 | tmpkey = g_new0(uint8_t, luks->header.master_key_len); |
| 1736 | } |
| 1737 | |
| 1738 | /* Erase an explicitly given keyslot */ |
| 1739 | if (opts_luks->has_keyslot) { |
| 1740 | int keyslot = opts_luks->keyslot; |
| 1741 | |
| 1742 | if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { |
| 1743 | error_setg(errp, |
| 1744 | "Invalid keyslot %i specified, must be between 0 and %i", |
| 1745 | keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); |
| 1746 | return -1; |
| 1747 | } |
| 1748 | |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1749 | if (opts_luks->old_secret) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1750 | int rv = qcrypto_block_luks_load_key(block, |
| 1751 | keyslot, |
| 1752 | old_password, |
| 1753 | tmpkey, |
| 1754 | readfunc, |
| 1755 | opaque, |
| 1756 | errp); |
| 1757 | if (rv == -1) { |
| 1758 | return -1; |
| 1759 | } else if (rv == 0) { |
| 1760 | error_setg(errp, |
| 1761 | "Given keyslot %i doesn't contain the given " |
| 1762 | "old password for erase operation", |
| 1763 | keyslot); |
| 1764 | return -1; |
| 1765 | } |
| 1766 | } |
| 1767 | |
| 1768 | if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) { |
| 1769 | error_setg(errp, |
| 1770 | "Given keyslot %i is already erased (inactive) ", |
| 1771 | keyslot); |
| 1772 | return -1; |
| 1773 | } |
| 1774 | |
| 1775 | if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) { |
| 1776 | error_setg(errp, |
| 1777 | "Attempt to erase the only active keyslot %i " |
| 1778 | "which will erase all the data in the image " |
| 1779 | "irreversibly - refusing operation", |
| 1780 | keyslot); |
| 1781 | return -1; |
| 1782 | } |
| 1783 | |
| 1784 | if (qcrypto_block_luks_erase_key(block, keyslot, |
| 1785 | writefunc, opaque, errp)) { |
| 1786 | error_append_hint(errp, "Failed to erase keyslot %i", keyslot); |
| 1787 | return -1; |
| 1788 | } |
| 1789 | |
| 1790 | /* Erase all keyslots that match the given old password */ |
Markus Armbruster | 16110c8 | 2022-11-04 17:06:54 +0100 | [diff] [blame] | 1791 | } else if (opts_luks->old_secret) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1792 | |
| 1793 | unsigned long slots_to_erase_bitmap = 0; |
| 1794 | size_t i; |
| 1795 | int slot_count; |
| 1796 | |
| 1797 | assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <= |
| 1798 | sizeof(slots_to_erase_bitmap) * 8); |
| 1799 | |
| 1800 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1801 | int rv = qcrypto_block_luks_load_key(block, |
| 1802 | i, |
| 1803 | old_password, |
| 1804 | tmpkey, |
| 1805 | readfunc, |
| 1806 | opaque, |
| 1807 | errp); |
| 1808 | if (rv == -1) { |
| 1809 | return -1; |
| 1810 | } else if (rv == 1) { |
| 1811 | bitmap_set(&slots_to_erase_bitmap, i, 1); |
| 1812 | } |
| 1813 | } |
| 1814 | |
| 1815 | slot_count = bitmap_count_one(&slots_to_erase_bitmap, |
| 1816 | QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 1817 | if (slot_count == 0) { |
| 1818 | error_setg(errp, |
| 1819 | "No keyslots match given (old) password for erase operation"); |
| 1820 | return -1; |
| 1821 | } |
| 1822 | |
| 1823 | if (!force && |
| 1824 | slot_count == qcrypto_block_luks_count_active_slots(luks)) { |
| 1825 | error_setg(errp, |
| 1826 | "All the active keyslots match the (old) password that " |
| 1827 | "was given and erasing them will erase all the data in " |
| 1828 | "the image irreversibly - refusing operation"); |
| 1829 | return -1; |
| 1830 | } |
| 1831 | |
| 1832 | /* Now apply the update */ |
| 1833 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1834 | if (!test_bit(i, &slots_to_erase_bitmap)) { |
| 1835 | continue; |
| 1836 | } |
| 1837 | if (qcrypto_block_luks_erase_key(block, i, writefunc, |
| 1838 | opaque, errp)) { |
| 1839 | error_append_hint(errp, "Failed to erase keyslot %zu", i); |
| 1840 | return -1; |
| 1841 | } |
| 1842 | } |
| 1843 | } else { |
| 1844 | error_setg(errp, |
| 1845 | "To erase keyslot(s), either explicit keyslot index " |
| 1846 | "or the password currently contained in them must be given"); |
| 1847 | return -1; |
| 1848 | } |
| 1849 | return 0; |
| 1850 | } |
| 1851 | |
| 1852 | static int |
| 1853 | qcrypto_block_luks_amend_options(QCryptoBlock *block, |
| 1854 | QCryptoBlockReadFunc readfunc, |
| 1855 | QCryptoBlockWriteFunc writefunc, |
| 1856 | void *opaque, |
| 1857 | QCryptoBlockAmendOptions *options, |
| 1858 | bool force, |
| 1859 | Error **errp) |
| 1860 | { |
| 1861 | QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks; |
| 1862 | |
| 1863 | switch (opts_luks->state) { |
| 1864 | case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE: |
| 1865 | return qcrypto_block_luks_amend_add_keyslot(block, readfunc, |
| 1866 | writefunc, opaque, |
| 1867 | opts_luks, force, errp); |
| 1868 | case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE: |
| 1869 | return qcrypto_block_luks_amend_erase_keyslots(block, readfunc, |
| 1870 | writefunc, opaque, |
| 1871 | opts_luks, force, errp); |
| 1872 | default: |
| 1873 | g_assert_not_reached(); |
| 1874 | } |
| 1875 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1876 | |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1877 | static int qcrypto_block_luks_get_info(QCryptoBlock *block, |
| 1878 | QCryptoBlockInfo *info, |
| 1879 | Error **errp) |
| 1880 | { |
| 1881 | QCryptoBlockLUKS *luks = block->opaque; |
| 1882 | QCryptoBlockInfoLUKSSlot *slot; |
Eric Blake | c3033fd | 2021-01-13 16:10:12 -0600 | [diff] [blame] | 1883 | QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots; |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1884 | size_t i; |
| 1885 | |
| 1886 | info->u.luks.cipher_alg = luks->cipher_alg; |
| 1887 | info->u.luks.cipher_mode = luks->cipher_mode; |
| 1888 | info->u.luks.ivgen_alg = luks->ivgen_alg; |
| 1889 | if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
| 1890 | info->u.luks.has_ivgen_hash_alg = true; |
| 1891 | info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; |
| 1892 | } |
| 1893 | info->u.luks.hash_alg = luks->hash_alg; |
| 1894 | info->u.luks.payload_offset = block->payload_offset; |
| 1895 | info->u.luks.master_key_iters = luks->header.master_key_iterations; |
| 1896 | info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, |
| 1897 | sizeof(luks->header.uuid)); |
Hyman Huang | 0bd779e | 2024-01-30 13:37:24 +0800 | [diff] [blame] | 1898 | info->u.luks.detached_header = block->detached_header; |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1899 | |
| 1900 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
Eric Blake | c3033fd | 2021-01-13 16:10:12 -0600 | [diff] [blame] | 1901 | slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1902 | slot->active = luks->header.key_slots[i].active == |
| 1903 | QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1904 | slot->key_offset = luks->header.key_slots[i].key_offset_sector |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1905 | * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
| 1906 | if (slot->active) { |
| 1907 | slot->has_iters = true; |
| 1908 | slot->iters = luks->header.key_slots[i].iterations; |
| 1909 | slot->has_stripes = true; |
| 1910 | slot->stripes = luks->header.key_slots[i].stripes; |
| 1911 | } |
| 1912 | |
Eric Blake | c3033fd | 2021-01-13 16:10:12 -0600 | [diff] [blame] | 1913 | QAPI_LIST_APPEND(tail, slot); |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1914 | } |
| 1915 | |
| 1916 | return 0; |
| 1917 | } |
| 1918 | |
| 1919 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1920 | static void qcrypto_block_luks_cleanup(QCryptoBlock *block) |
| 1921 | { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1922 | QCryptoBlockLUKS *luks = block->opaque; |
| 1923 | if (luks) { |
| 1924 | g_free(luks->secret); |
| 1925 | g_free(luks); |
| 1926 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1927 | } |
| 1928 | |
| 1929 | |
| 1930 | static int |
| 1931 | qcrypto_block_luks_decrypt(QCryptoBlock *block, |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1932 | uint64_t offset, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1933 | uint8_t *buf, |
| 1934 | size_t len, |
| 1935 | Error **errp) |
| 1936 | { |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1937 | assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
| 1938 | assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
Vladimir Sementsov-Ogievskiy | 0f0d596 | 2018-12-07 19:13:50 +0300 | [diff] [blame] | 1939 | return qcrypto_block_decrypt_helper(block, |
| 1940 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 1941 | offset, buf, len, errp); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1942 | } |
| 1943 | |
| 1944 | |
| 1945 | static int |
| 1946 | qcrypto_block_luks_encrypt(QCryptoBlock *block, |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1947 | uint64_t offset, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1948 | uint8_t *buf, |
| 1949 | size_t len, |
| 1950 | Error **errp) |
| 1951 | { |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1952 | assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
| 1953 | assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
Vladimir Sementsov-Ogievskiy | 0f0d596 | 2018-12-07 19:13:50 +0300 | [diff] [blame] | 1954 | return qcrypto_block_encrypt_helper(block, |
| 1955 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 1956 | offset, buf, len, errp); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1957 | } |
| 1958 | |
| 1959 | |
| 1960 | const QCryptoBlockDriver qcrypto_block_driver_luks = { |
| 1961 | .open = qcrypto_block_luks_open, |
| 1962 | .create = qcrypto_block_luks_create, |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1963 | .amend = qcrypto_block_luks_amend_options, |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1964 | .get_info = qcrypto_block_luks_get_info, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1965 | .cleanup = qcrypto_block_luks_cleanup, |
| 1966 | .decrypt = qcrypto_block_luks_decrypt, |
| 1967 | .encrypt = qcrypto_block_luks_encrypt, |
| 1968 | .has_format = qcrypto_block_luks_has_format, |
| 1969 | }; |