search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'pull-loongarch-20241016' of https://gitlab.com/gaosong/qemu into staging
[qemu/armbru.git] / crypto / block-luks.c
blob0926ad28f0cd80a4a38e7a3512d9bd967f605b67
1 /*
2 * QEMU Crypto block device encryption LUKS format
3 *
4 * Copyright (c) 2015-2016 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/bswap.h"
24
25 #include "block-luks.h"
26 #include "block-luks-priv.h"
27
28 #include "crypto/hash.h"
29 #include "crypto/afsplit.h"
30 #include "crypto/pbkdf.h"
31 #include "crypto/secret.h"
32 #include "crypto/random.h"
33 #include "qemu/uuid.h"
34
35 #include "qemu/bitmap.h"
36 #include "qemu/range.h"
37
38 /*
39 * Reference for the LUKS format implemented here is
40 *
41 * docs/on-disk-format.pdf
42 *
43 * in 'cryptsetup' package source code
44 *
45 * This file implements the 1.2.1 specification, dated
46 * Oct 16, 2011.
47 */
48
49 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
50
51 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
52 struct QCryptoBlockLUKSNameMap {
53 const char *name;
54 int id;
55 };
56
57 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
58 struct QCryptoBlockLUKSCipherSizeMap {
59 uint32_t key_bytes;
60 int id;
61 };
62 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
63 struct QCryptoBlockLUKSCipherNameMap {
64 const char *name;
65 const QCryptoBlockLUKSCipherSizeMap *sizes;
66 };
67
68
69 static const QCryptoBlockLUKSCipherSizeMap
70 qcrypto_block_luks_cipher_size_map_aes[] = {
71 { 16, QCRYPTO_CIPHER_ALGO_AES_128 },
72 { 24, QCRYPTO_CIPHER_ALGO_AES_192 },
73 { 32, QCRYPTO_CIPHER_ALGO_AES_256 },
74 { 0, 0 },
75 };
76
77 static const QCryptoBlockLUKSCipherSizeMap
78 qcrypto_block_luks_cipher_size_map_cast5[] = {
79 { 16, QCRYPTO_CIPHER_ALGO_CAST5_128 },
80 { 0, 0 },
81 };
82
83 static const QCryptoBlockLUKSCipherSizeMap
84 qcrypto_block_luks_cipher_size_map_serpent[] = {
85 { 16, QCRYPTO_CIPHER_ALGO_SERPENT_128 },
86 { 24, QCRYPTO_CIPHER_ALGO_SERPENT_192 },
87 { 32, QCRYPTO_CIPHER_ALGO_SERPENT_256 },
88 { 0, 0 },
89 };
90
91 static const QCryptoBlockLUKSCipherSizeMap
92 qcrypto_block_luks_cipher_size_map_twofish[] = {
93 { 16, QCRYPTO_CIPHER_ALGO_TWOFISH_128 },
94 { 24, QCRYPTO_CIPHER_ALGO_TWOFISH_192 },
95 { 32, QCRYPTO_CIPHER_ALGO_TWOFISH_256 },
96 { 0, 0 },
97 };
98
99 #ifdef CONFIG_CRYPTO_SM4
100 static const QCryptoBlockLUKSCipherSizeMap
101 qcrypto_block_luks_cipher_size_map_sm4[] = {
102 { 16, QCRYPTO_CIPHER_ALGO_SM4},
103 { 0, 0 },
104 };
105 #endif
106
107 static const QCryptoBlockLUKSCipherNameMap
108 qcrypto_block_luks_cipher_name_map[] = {
109 { "aes", qcrypto_block_luks_cipher_size_map_aes },
110 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
111 { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
112 { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
113 #ifdef CONFIG_CRYPTO_SM4
114 { "sm4", qcrypto_block_luks_cipher_size_map_sm4},
115 #endif
116 };
117
118 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
119 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
120
121
122 struct QCryptoBlockLUKS {
123 QCryptoBlockLUKSHeader header;
124
125 /* Main encryption algorithm used for encryption*/
126 QCryptoCipherAlgo cipher_alg;
127
128 /* Mode of encryption for the selected encryption algorithm */
129 QCryptoCipherMode cipher_mode;
130
131 /* Initialization vector generation algorithm */
132 QCryptoIVGenAlgo ivgen_alg;
133
134 /* Hash algorithm used for IV generation*/
135 QCryptoHashAlgo ivgen_hash_alg;
136
137 /*
138 * Encryption algorithm used for IV generation.
139 * Usually the same as main encryption algorithm
140 */
141 QCryptoCipherAlgo ivgen_cipher_alg;
142
143 /* Hash algorithm used in pbkdf2 function */
144 QCryptoHashAlgo hash_alg;
145
146 /* Name of the secret that was used to open the image */
147 char *secret;
148 };
149
150
151 static int qcrypto_block_luks_cipher_name_lookup(const char *name,
152 QCryptoCipherMode mode,
153 uint32_t key_bytes,
154 Error **errp)
155 {
156 const QCryptoBlockLUKSCipherNameMap *map =
157 qcrypto_block_luks_cipher_name_map;
158 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
159 size_t i, j;
160
161 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
162 key_bytes /= 2;
163 }
164
165 for (i = 0; i < maplen; i++) {
166 if (!g_str_equal(map[i].name, name)) {
167 continue;
168 }
169 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
170 if (map[i].sizes[j].key_bytes == key_bytes) {
171 return map[i].sizes[j].id;
172 }
173 }
174 }
175
176 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported",
177 name, key_bytes);
178 return 0;
179 }
180
181 static const char *
182 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgo alg,
183 Error **errp)
184 {
185 const QCryptoBlockLUKSCipherNameMap *map =
186 qcrypto_block_luks_cipher_name_map;
187 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
188 size_t i, j;
189 for (i = 0; i < maplen; i++) {
190 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
191 if (map[i].sizes[j].id == alg) {
192 return map[i].name;
193 }
194 }
195 }
196
197 error_setg(errp, "Algorithm '%s' not supported",
198 QCryptoCipherAlgo_str(alg));
199 return NULL;
200 }
201
202 /* XXX replace with qapi_enum_parse() in future, when we can
203 * make that function emit a more friendly error message */
204 static int qcrypto_block_luks_name_lookup(const char *name,
205 const QEnumLookup *map,
206 const char *type,
207 Error **errp)
208 {
209 int ret = qapi_enum_parse(map, name, -1, NULL);
210
211 if (ret < 0) {
212 error_setg(errp, "%s '%s' not supported", type, name);
213 return 0;
214 }
215 return ret;
216 }
217
218 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \
219 qcrypto_block_luks_name_lookup(name, \
220 &QCryptoCipherMode_lookup, \
221 "Cipher mode", \
222 errp)
223
224 #define qcrypto_block_luks_hash_name_lookup(name, errp) \
225 qcrypto_block_luks_name_lookup(name, \
226 &QCryptoHashAlgo_lookup, \
227 "Hash algorithm", \
228 errp)
229
230 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \
231 qcrypto_block_luks_name_lookup(name, \
232 &QCryptoIVGenAlgo_lookup, \
233 "IV generator", \
234 errp)
235
236
237 static bool
238 qcrypto_block_luks_has_format(const uint8_t *buf,
239 size_t buf_size)
240 {
241 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
242
243 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
244 memcmp(luks_header->magic, qcrypto_block_luks_magic,
245 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
246 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
247 return true;
248 } else {
249 return false;
250 }
251 }
252
253
254 /**
255 * Deal with a quirk of dm-crypt usage of ESSIV.
256 *
257 * When calculating ESSIV IVs, the cipher length used by ESSIV
258 * may be different from the cipher length used for the block
259 * encryption, because dm-crypt uses the hash digest length
260 * as the key size. ie, if you have AES 128 as the block cipher
261 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
262 * the cipher since that gets a key length matching the digest
263 * size, not AES 128 with truncated digest as might be imagined
264 */
265 static QCryptoCipherAlgo
266 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgo cipher,
267 QCryptoHashAlgo hash,
268 Error **errp)
269 {
270 size_t digestlen = qcrypto_hash_digest_len(hash);
271 size_t keylen = qcrypto_cipher_get_key_len(cipher);
272 if (digestlen == keylen) {
273 return cipher;
274 }
275
276 switch (cipher) {
277 case QCRYPTO_CIPHER_ALGO_AES_128:
278 case QCRYPTO_CIPHER_ALGO_AES_192:
279 case QCRYPTO_CIPHER_ALGO_AES_256:
280 if (digestlen == qcrypto_cipher_get_key_len(
281 QCRYPTO_CIPHER_ALGO_AES_128)) {
282 return QCRYPTO_CIPHER_ALGO_AES_128;
283 } else if (digestlen == qcrypto_cipher_get_key_len(
284 QCRYPTO_CIPHER_ALGO_AES_192)) {
285 return QCRYPTO_CIPHER_ALGO_AES_192;
286 } else if (digestlen == qcrypto_cipher_get_key_len(
287 QCRYPTO_CIPHER_ALGO_AES_256)) {
288 return QCRYPTO_CIPHER_ALGO_AES_256;
289 } else {
290 error_setg(errp, "No AES cipher with key size %zu available",
291 digestlen);
292 return 0;
293 }
294 break;
295 case QCRYPTO_CIPHER_ALGO_SERPENT_128:
296 case QCRYPTO_CIPHER_ALGO_SERPENT_192:
297 case QCRYPTO_CIPHER_ALGO_SERPENT_256:
298 if (digestlen == qcrypto_cipher_get_key_len(
299 QCRYPTO_CIPHER_ALGO_SERPENT_128)) {
300 return QCRYPTO_CIPHER_ALGO_SERPENT_128;
301 } else if (digestlen == qcrypto_cipher_get_key_len(
302 QCRYPTO_CIPHER_ALGO_SERPENT_192)) {
303 return QCRYPTO_CIPHER_ALGO_SERPENT_192;
304 } else if (digestlen == qcrypto_cipher_get_key_len(
305 QCRYPTO_CIPHER_ALGO_SERPENT_256)) {
306 return QCRYPTO_CIPHER_ALGO_SERPENT_256;
307 } else {
308 error_setg(errp, "No Serpent cipher with key size %zu available",
309 digestlen);
310 return 0;
311 }
312 break;
313 case QCRYPTO_CIPHER_ALGO_TWOFISH_128:
314 case QCRYPTO_CIPHER_ALGO_TWOFISH_192:
315 case QCRYPTO_CIPHER_ALGO_TWOFISH_256:
316 if (digestlen == qcrypto_cipher_get_key_len(
317 QCRYPTO_CIPHER_ALGO_TWOFISH_128)) {
318 return QCRYPTO_CIPHER_ALGO_TWOFISH_128;
319 } else if (digestlen == qcrypto_cipher_get_key_len(
320 QCRYPTO_CIPHER_ALGO_TWOFISH_192)) {
321 return QCRYPTO_CIPHER_ALGO_TWOFISH_192;
322 } else if (digestlen == qcrypto_cipher_get_key_len(
323 QCRYPTO_CIPHER_ALGO_TWOFISH_256)) {
324 return QCRYPTO_CIPHER_ALGO_TWOFISH_256;
325 } else {
326 error_setg(errp, "No Twofish cipher with key size %zu available",
327 digestlen);
328 return 0;
329 }
330 break;
331 default:
332 error_setg(errp, "Cipher %s not supported with essiv",
333 QCryptoCipherAlgo_str(cipher));
334 return 0;
335 }
336 }
337
338 /*
339 * Returns number of sectors needed to store the key material
340 * given number of anti forensic stripes
341 */
342 static int
343 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
344 unsigned int header_sectors,
345 unsigned int stripes)
346 {
347 /*
348 * This calculation doesn't match that shown in the spec,
349 * but instead follows the cryptsetup implementation.
350 */
351
352 size_t splitkeylen = luks->header.master_key_len * stripes;
353
354 /* First align the key material size to block size*/
355 size_t splitkeylen_sectors =
356 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
357
358 /* Then also align the key material size to the size of the header */
359 return ROUND_UP(splitkeylen_sectors, header_sectors);
360 }
361
362
363 void
364 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr)
365 {
366 size_t i;
367
368 /*
369 * Everything on disk uses Big Endian (tm), so flip header fields
370 * before writing them
371 */
372 cpu_to_be16s(&hdr->version);
373 cpu_to_be32s(&hdr->payload_offset_sector);
374 cpu_to_be32s(&hdr->master_key_len);
375 cpu_to_be32s(&hdr->master_key_iterations);
376
377 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
378 cpu_to_be32s(&hdr->key_slots[i].active);
379 cpu_to_be32s(&hdr->key_slots[i].iterations);
380 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector);
381 cpu_to_be32s(&hdr->key_slots[i].stripes);
382 }
383 }
384
385 void
386 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr)
387 {
388 size_t i;
389
390 /*
391 * The header is always stored in big-endian format, so
392 * convert everything to native
393 */
394 be16_to_cpus(&hdr->version);
395 be32_to_cpus(&hdr->payload_offset_sector);
396 be32_to_cpus(&hdr->master_key_len);
397 be32_to_cpus(&hdr->master_key_iterations);
398
399 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
400 be32_to_cpus(&hdr->key_slots[i].active);
401 be32_to_cpus(&hdr->key_slots[i].iterations);
402 be32_to_cpus(&hdr->key_slots[i].key_offset_sector);
403 be32_to_cpus(&hdr->key_slots[i].stripes);
404 }
405 }
406
407 /*
408 * Stores the main LUKS header, taking care of endianness
409 */
410 static int
411 qcrypto_block_luks_store_header(QCryptoBlock *block,
412 QCryptoBlockWriteFunc writefunc,
413 void *opaque,
414 Error **errp)
415 {
416 const QCryptoBlockLUKS *luks = block->opaque;
417 Error *local_err = NULL;
418 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
419
420 /* Create a copy of the header */
421 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
422 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
423
424 qcrypto_block_luks_to_disk_endian(hdr_copy);
425
426 /* Write out the partition header and key slot headers */
427 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
428 opaque, &local_err);
429
430 if (local_err) {
431 error_propagate(errp, local_err);
432 return -1;
433 }
434 return 0;
435 }
436
437 /*
438 * Loads the main LUKS header, and byteswaps it to native endianness
439 * And run basic sanity checks on it
440 */
441 static int
442 qcrypto_block_luks_load_header(QCryptoBlock *block,
443 QCryptoBlockReadFunc readfunc,
444 void *opaque,
445 Error **errp)
446 {
447 int rv;
448 QCryptoBlockLUKS *luks = block->opaque;
449
450 /*
451 * Read the entire LUKS header, minus the key material from
452 * the underlying device
453 */
454 rv = readfunc(block, 0,
455 (uint8_t *)&luks->header,
456 sizeof(luks->header),
457 opaque,
458 errp);
459 if (rv < 0) {
460 return rv;
461 }
462
463 qcrypto_block_luks_from_disk_endian(&luks->header);
464
465 return 0;
466 }
467
468 /*
469 * Does basic sanity checks on the LUKS header
470 */
471 static int
472 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks,
473 unsigned int flags,
474 Error **errp)
475 {
476 size_t i, j;
477
478 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
479 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
480 bool detached = flags & QCRYPTO_BLOCK_OPEN_DETACHED;
481
482 if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
483 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
484 error_setg(errp, "Volume is not in LUKS format");
485 return -1;
486 }
487
488 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
489 error_setg(errp, "LUKS version %" PRIu32 " is not supported",
490 luks->header.version);
491 return -1;
492 }
493
494 if (!memchr(luks->header.cipher_name, '\0',
495 sizeof(luks->header.cipher_name))) {
496 error_setg(errp, "LUKS header cipher name is not NUL terminated");
497 return -1;
498 }
499
500 if (!memchr(luks->header.cipher_mode, '\0',
501 sizeof(luks->header.cipher_mode))) {
502 error_setg(errp, "LUKS header cipher mode is not NUL terminated");
503 return -1;
504 }
505
506 if (!memchr(luks->header.hash_spec, '\0',
507 sizeof(luks->header.hash_spec))) {
508 error_setg(errp, "LUKS header hash spec is not NUL terminated");
509 return -1;
510 }
511
512 if (!detached && luks->header.payload_offset_sector <
513 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
514 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
515 error_setg(errp, "LUKS payload is overlapping with the header");
516 return -1;
517 }
518
519 if (luks->header.master_key_iterations == 0) {
520 error_setg(errp, "LUKS key iteration count is zero");
521 return -1;
522 }
523
524 /* Check all keyslots for corruption */
525 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
526
527 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
528 unsigned int start1 = slot1->key_offset_sector;
529 unsigned int len1 =
530 qcrypto_block_luks_splitkeylen_sectors(luks,
531 header_sectors,
532 slot1->stripes);
533
534 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) {
535 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)",
536 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES);
537 return -1;
538 }
539
540 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
541 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
542 error_setg(errp,
543 "Keyslot %zu state (active/disable) is corrupted", i);
544 return -1;
545 }
546
547 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED &&
548 slot1->iterations == 0) {
549 error_setg(errp, "Keyslot %zu iteration count is zero", i);
550 return -1;
551 }
552
553 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
554 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
555 error_setg(errp,
556 "Keyslot %zu is overlapping with the LUKS header",
557 i);
558 return -1;
559 }
560
561 if (!detached && start1 + len1 > luks->header.payload_offset_sector) {
562 error_setg(errp,
563 "Keyslot %zu is overlapping with the encrypted payload",
564 i);
565 return -1;
566 }
567
568 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
569 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
570 unsigned int start2 = slot2->key_offset_sector;
571 unsigned int len2 =
572 qcrypto_block_luks_splitkeylen_sectors(luks,
573 header_sectors,
574 slot2->stripes);
575
576 if (ranges_overlap(start1, len1, start2, len2)) {
577 error_setg(errp,
578 "Keyslots %zu and %zu are overlapping in the header",
579 i, j);
580 return -1;
581 }
582 }
583
584 }
585 return 0;
586 }
587
588 /*
589 * Parses the crypto parameters that are stored in the LUKS header
590 */
591
592 static int
593 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
594 {
595 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
596 char *ivgen_name, *ivhash_name;
597 Error *local_err = NULL;
598
599 /*
600 * The cipher_mode header contains a string that we have
601 * to further parse, of the format
602 *
603 * <cipher-mode>-<iv-generator>[:<iv-hash>]
604 *
605 * eg cbc-essiv:sha256, cbc-plain64
606 */
607 ivgen_name = strchr(cipher_mode, '-');
608 if (!ivgen_name) {
609 error_setg(errp, "Unexpected cipher mode string format '%s'",
610 luks->header.cipher_mode);
611 return -1;
612 }
613 *ivgen_name = '\0';
614 ivgen_name++;
615
616 ivhash_name = strchr(ivgen_name, ':');
617 if (!ivhash_name) {
618 luks->ivgen_hash_alg = 0;
619 } else {
620 *ivhash_name = '\0';
621 ivhash_name++;
622
623 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
624 &local_err);
625 if (local_err) {
626 error_propagate(errp, local_err);
627 return -1;
628 }
629 }
630
631 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
632 &local_err);
633 if (local_err) {
634 error_propagate(errp, local_err);
635 return -1;
636 }
637
638 luks->cipher_alg =
639 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
640 luks->cipher_mode,
641 luks->header.master_key_len,
642 &local_err);
643 if (local_err) {
644 error_propagate(errp, local_err);
645 return -1;
646 }
647
648 luks->hash_alg =
649 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
650 &local_err);
651 if (local_err) {
652 error_propagate(errp, local_err);
653 return -1;
654 }
655
656 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
657 &local_err);
658 if (local_err) {
659 error_propagate(errp, local_err);
660 return -1;
661 }
662
663 if (luks->ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) {
664 if (!ivhash_name) {
665 error_setg(errp, "Missing IV generator hash specification");
666 return -1;
667 }
668 luks->ivgen_cipher_alg =
669 qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
670 luks->ivgen_hash_alg,
671 &local_err);
672 if (local_err) {
673 error_propagate(errp, local_err);
674 return -1;
675 }
676 } else {
677
678 /*
679 * Note we parsed the ivhash_name earlier in the cipher_mode
680 * spec string even with plain/plain64 ivgens, but we
681 * will ignore it, since it is irrelevant for these ivgens.
682 * This is for compat with dm-crypt which will silently
683 * ignore hash names with these ivgens rather than report
684 * an error about the invalid usage
685 */
686 luks->ivgen_cipher_alg = luks->cipher_alg;
687 }
688 return 0;
689 }
690
691 /*
692 * Given a key slot, user password, and the master key,
693 * will store the encrypted master key there, and update the
694 * in-memory header. User must then write the in-memory header
695 *
696 * Returns:
697 * 0 if the keyslot was written successfully
698 * with the provided password
699 * -1 if a fatal error occurred while storing the key
700 */
701 static int
702 qcrypto_block_luks_store_key(QCryptoBlock *block,
703 unsigned int slot_idx,
704 const char *password,
705 uint8_t *masterkey,
706 uint64_t iter_time,
707 QCryptoBlockWriteFunc writefunc,
708 void *opaque,
709 Error **errp)
710 {
711 QCryptoBlockLUKS *luks = block->opaque;
712 QCryptoBlockLUKSKeySlot *slot;
713 g_autofree uint8_t *splitkey = NULL;
714 size_t splitkeylen;
715 g_autofree uint8_t *slotkey = NULL;
716 g_autoptr(QCryptoCipher) cipher = NULL;
717 g_autoptr(QCryptoIVGen) ivgen = NULL;
718 Error *local_err = NULL;
719 uint64_t iters;
720 int ret = -1;
721
722 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
723 slot = &luks->header.key_slots[slot_idx];
724 splitkeylen = luks->header.master_key_len * slot->stripes;
725
726 if (qcrypto_random_bytes(slot->salt,
727 QCRYPTO_BLOCK_LUKS_SALT_LEN,
728 errp) < 0) {
729 goto cleanup;
730 }
731
732 /*
733 * Determine how many iterations are required to
734 * hash the user password while consuming 1 second of compute
735 * time
736 */
737 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
738 (uint8_t *)password, strlen(password),
739 slot->salt,
740 QCRYPTO_BLOCK_LUKS_SALT_LEN,
741 luks->header.master_key_len,
742 &local_err);
743 if (local_err) {
744 error_propagate(errp, local_err);
745 goto cleanup;
746 }
747
748 if (iters > (ULLONG_MAX / iter_time)) {
749 error_setg_errno(errp, ERANGE,
750 "PBKDF iterations %llu too large to scale",
751 (unsigned long long)iters);
752 goto cleanup;
753 }
754
755 /* iter_time was in millis, but count_iters reported for secs */
756 iters = iters * iter_time / 1000;
757
758 if (iters > UINT32_MAX) {
759 error_setg_errno(errp, ERANGE,
760 "PBKDF iterations %llu larger than %u",
761 (unsigned long long)iters, UINT32_MAX);
762 goto cleanup;
763 }
764
765 slot->iterations =
766 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
767
768
769 /*
770 * Generate a key that we'll use to encrypt the master
771 * key, from the user's password
772 */
773 slotkey = g_new0(uint8_t, luks->header.master_key_len);
774 if (qcrypto_pbkdf2(luks->hash_alg,
775 (uint8_t *)password, strlen(password),
776 slot->salt,
777 QCRYPTO_BLOCK_LUKS_SALT_LEN,
778 slot->iterations,
779 slotkey, luks->header.master_key_len,
780 errp) < 0) {
781 goto cleanup;
782 }
783
784
785 /*
786 * Setup the encryption objects needed to encrypt the
787 * master key material
788 */
789 cipher = qcrypto_cipher_new(luks->cipher_alg,
790 luks->cipher_mode,
791 slotkey, luks->header.master_key_len,
792 errp);
793 if (!cipher) {
794 goto cleanup;
795 }
796
797 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
798 luks->ivgen_cipher_alg,
799 luks->ivgen_hash_alg,
800 slotkey, luks->header.master_key_len,
801 errp);
802 if (!ivgen) {
803 goto cleanup;
804 }
805
806 /*
807 * Before storing the master key, we need to vastly
808 * increase its size, as protection against forensic
809 * disk data recovery
810 */
811 splitkey = g_new0(uint8_t, splitkeylen);
812
813 if (qcrypto_afsplit_encode(luks->hash_alg,
814 luks->header.master_key_len,
815 slot->stripes,
816 masterkey,
817 splitkey,
818 errp) < 0) {
819 goto cleanup;
820 }
821
822 /*
823 * Now we encrypt the split master key with the key generated
824 * from the user's password, before storing it
825 */
826 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
827 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
828 0,
829 splitkey,
830 splitkeylen,
831 errp) < 0) {
832 goto cleanup;
833 }
834
835 /* Write out the slot's master key material. */
836 if (writefunc(block,
837 slot->key_offset_sector *
838 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
839 splitkey, splitkeylen,
840 opaque,
841 errp) < 0) {
842 goto cleanup;
843 }
844
845 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
846
847 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) {
848 goto cleanup;
849 }
850
851 ret = 0;
852
853 cleanup:
854 if (slotkey) {
855 memset(slotkey, 0, luks->header.master_key_len);
856 }
857 if (splitkey) {
858 memset(splitkey, 0, splitkeylen);
859 }
860 return ret;
861 }
862
863 /*
864 * Given a key slot, and user password, this will attempt to unlock
865 * the master encryption key from the key slot.
866 *
867 * Returns:
868 * 0 if the key slot is disabled, or key could not be decrypted
869 * with the provided password
870 * 1 if the key slot is enabled, and key decrypted successfully
871 * with the provided password
872 * -1 if a fatal error occurred loading the key
873 */
874 static int
875 qcrypto_block_luks_load_key(QCryptoBlock *block,
876 size_t slot_idx,
877 const char *password,
878 uint8_t *masterkey,
879 QCryptoBlockReadFunc readfunc,
880 void *opaque,
881 Error **errp)
882 {
883 QCryptoBlockLUKS *luks = block->opaque;
884 const QCryptoBlockLUKSKeySlot *slot;
885 g_autofree uint8_t *splitkey = NULL;
886 size_t splitkeylen;
887 g_autofree uint8_t *possiblekey = NULL;
888 int rv;
889 g_autoptr(QCryptoCipher) cipher = NULL;
890 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
891 g_autoptr(QCryptoIVGen) ivgen = NULL;
892 size_t niv;
893
894 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
895 slot = &luks->header.key_slots[slot_idx];
896 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
897 return 0;
898 }
899
900 splitkeylen = luks->header.master_key_len * slot->stripes;
901 splitkey = g_new0(uint8_t, splitkeylen);
902 possiblekey = g_new0(uint8_t, luks->header.master_key_len);
903
904 /*
905 * The user password is used to generate a (possible)
906 * decryption key. This may or may not successfully
907 * decrypt the master key - we just blindly assume
908 * the key is correct and validate the results of
909 * decryption later.
910 */
911 if (qcrypto_pbkdf2(luks->hash_alg,
912 (const uint8_t *)password, strlen(password),
913 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
914 slot->iterations,
915 possiblekey, luks->header.master_key_len,
916 errp) < 0) {
917 return -1;
918 }
919
920 /*
921 * We need to read the master key material from the
922 * LUKS key material header. What we're reading is
923 * not the raw master key, but rather the data after
924 * it has been passed through AFSplit and the result
925 * then encrypted.
926 */
927 rv = readfunc(block,
928 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
929 splitkey, splitkeylen,
930 opaque,
931 errp);
932 if (rv < 0) {
933 return -1;
934 }
935
936
937 /* Setup the cipher/ivgen that we'll use to try to decrypt
938 * the split master key material */
939 cipher = qcrypto_cipher_new(luks->cipher_alg,
940 luks->cipher_mode,
941 possiblekey,
942 luks->header.master_key_len,
943 errp);
944 if (!cipher) {
945 return -1;
946 }
947
948 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
949 luks->cipher_mode);
950
951 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
952 luks->ivgen_cipher_alg,
953 luks->ivgen_hash_alg,
954 possiblekey,
955 luks->header.master_key_len,
956 errp);
957 if (!ivgen) {
958 return -1;
959 }
960
961
962 /*
963 * The master key needs to be decrypted in the same
964 * way that the block device payload will be decrypted
965 * later. In particular we'll be using the IV generator
966 * to reset the encryption cipher every time the master
967 * key crosses a sector boundary.
968 */
969 if (qcrypto_block_cipher_decrypt_helper(cipher,
970 niv,
971 ivgen,
972 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
973 0,
974 splitkey,
975 splitkeylen,
976 errp) < 0) {
977 return -1;
978 }
979
980 /*
981 * Now we've decrypted the split master key, join
982 * it back together to get the actual master key.
983 */
984 if (qcrypto_afsplit_decode(luks->hash_alg,
985 luks->header.master_key_len,
986 slot->stripes,
987 splitkey,
988 masterkey,
989 errp) < 0) {
990 return -1;
991 }
992
993
994 /*
995 * We still don't know that the masterkey we got is valid,
996 * because we just blindly assumed the user's password
997 * was correct. This is where we now verify it. We are
998 * creating a hash of the master key using PBKDF and
999 * then comparing that to the hash stored in the key slot
1000 * header
1001 */
1002 if (qcrypto_pbkdf2(luks->hash_alg,
1003 masterkey,
1004 luks->header.master_key_len,
1005 luks->header.master_key_salt,
1006 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1007 luks->header.master_key_iterations,
1008 keydigest,
1009 G_N_ELEMENTS(keydigest),
1010 errp) < 0) {
1011 return -1;
1012 }
1013
1014 if (memcmp(keydigest, luks->header.master_key_digest,
1015 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
1016 /* Success, we got the right master key */
1017 return 1;
1018 }
1019
1020 /* Fail, user's password was not valid for this key slot,
1021 * tell caller to try another slot */
1022 return 0;
1023 }
1024
1025
1026 /*
1027 * Given a user password, this will iterate over all key
1028 * slots and try to unlock each active key slot using the
1029 * password until it successfully obtains a master key.
1030 *
1031 * Returns 0 if a key was loaded, -1 if no keys could be loaded
1032 */
1033 static int
1034 qcrypto_block_luks_find_key(QCryptoBlock *block,
1035 const char *password,
1036 uint8_t *masterkey,
1037 QCryptoBlockReadFunc readfunc,
1038 void *opaque,
1039 Error **errp)
1040 {
1041 size_t i;
1042 int rv;
1043
1044 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1045 rv = qcrypto_block_luks_load_key(block,
1046 i,
1047 password,
1048 masterkey,
1049 readfunc,
1050 opaque,
1051 errp);
1052 if (rv < 0) {
1053 goto error;
1054 }
1055 if (rv == 1) {
1056 return 0;
1057 }
1058 }
1059
1060 error_setg(errp, "Invalid password, cannot unlock any keyslot");
1061 error:
1062 return -1;
1063 }
1064
1065 /*
1066 * Returns true if a slot i is marked as active
1067 * (contains encrypted copy of the master key)
1068 */
1069 static bool
1070 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
1071 unsigned int slot_idx)
1072 {
1073 uint32_t val;
1074
1075 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1076 val = luks->header.key_slots[slot_idx].active;
1077 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1078 }
1079
1080 /*
1081 * Returns the number of slots that are marked as active
1082 * (slots that contain encrypted copy of the master key)
1083 */
1084 static unsigned int
1085 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
1086 {
1087 size_t i = 0;
1088 unsigned int ret = 0;
1089
1090 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1091 if (qcrypto_block_luks_slot_active(luks, i)) {
1092 ret++;
1093 }
1094 }
1095 return ret;
1096 }
1097
1098 /*
1099 * Finds first key slot which is not active
1100 * Returns the key slot index, or -1 if it doesn't exist
1101 */
1102 static int
1103 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
1104 {
1105 size_t i;
1106
1107 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1108 if (!qcrypto_block_luks_slot_active(luks, i)) {
1109 return i;
1110 }
1111 }
1112 return -1;
1113 }
1114
1115 /*
1116 * Erases an keyslot given its index
1117 * Returns:
1118 * 0 if the keyslot was erased successfully
1119 * -1 if a error occurred while erasing the keyslot
1120 *
1121 */
1122 static int
1123 qcrypto_block_luks_erase_key(QCryptoBlock *block,
1124 unsigned int slot_idx,
1125 QCryptoBlockWriteFunc writefunc,
1126 void *opaque,
1127 Error **errp)
1128 {
1129 QCryptoBlockLUKS *luks = block->opaque;
1130 QCryptoBlockLUKSKeySlot *slot;
1131 g_autofree uint8_t *garbagesplitkey = NULL;
1132 size_t splitkeylen;
1133 size_t i;
1134 Error *local_err = NULL;
1135 int ret;
1136
1137 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1138 slot = &luks->header.key_slots[slot_idx];
1139
1140 splitkeylen = luks->header.master_key_len * slot->stripes;
1141 assert(splitkeylen > 0);
1142
1143 garbagesplitkey = g_new0(uint8_t, splitkeylen);
1144
1145 /* Reset the key slot header */
1146 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
1147 slot->iterations = 0;
1148 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1149
1150 ret = qcrypto_block_luks_store_header(block, writefunc,
1151 opaque, &local_err);
1152
1153 if (ret < 0) {
1154 error_propagate(errp, local_err);
1155 }
1156 /*
1157 * Now try to erase the key material, even if the header
1158 * update failed
1159 */
1160 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
1161 if (qcrypto_random_bytes(garbagesplitkey,
1162 splitkeylen, &local_err) < 0) {
1163 /*
1164 * If we failed to get the random data, still write
1165 * at least zeros to the key slot at least once
1166 */
1167 error_propagate(errp, local_err);
1168
1169 if (i > 0) {
1170 return -1;
1171 }
1172 }
1173 if (writefunc(block,
1174 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1175 garbagesplitkey,
1176 splitkeylen,
1177 opaque,
1178 &local_err) < 0) {
1179 error_propagate(errp, local_err);
1180 return -1;
1181 }
1182 }
1183 return ret;
1184 }
1185
1186 static int
1187 qcrypto_block_luks_open(QCryptoBlock *block,
1188 QCryptoBlockOpenOptions *options,
1189 const char *optprefix,
1190 QCryptoBlockReadFunc readfunc,
1191 void *opaque,
1192 unsigned int flags,
1193 Error **errp)
1194 {
1195 QCryptoBlockLUKS *luks = NULL;
1196 g_autofree uint8_t *masterkey = NULL;
1197 g_autofree char *password = NULL;
1198
1199 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1200 if (!options->u.luks.key_secret) {
1201 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1202 optprefix ? optprefix : "");
1203 return -1;
1204 }
1205 password = qcrypto_secret_lookup_as_utf8(
1206 options->u.luks.key_secret, errp);
1207 if (!password) {
1208 return -1;
1209 }
1210 }
1211
1212 luks = g_new0(QCryptoBlockLUKS, 1);
1213 block->opaque = luks;
1214 luks->secret = g_strdup(options->u.luks.key_secret);
1215
1216 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
1217 goto fail;
1218 }
1219
1220 if (qcrypto_block_luks_check_header(luks, flags, errp) < 0) {
1221 goto fail;
1222 }
1223
1224 if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
1225 goto fail;
1226 }
1227
1228 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1229 /* Try to find which key slot our password is valid for
1230 * and unlock the master key from that slot.
1231 */
1232
1233 masterkey = g_new0(uint8_t, luks->header.master_key_len);
1234
1235 if (qcrypto_block_luks_find_key(block,
1236 password,
1237 masterkey,
1238 readfunc, opaque,
1239 errp) < 0) {
1240 goto fail;
1241 }
1242
1243 /* We have a valid master key now, so can setup the
1244 * block device payload decryption objects
1245 */
1246 block->kdfhash = luks->hash_alg;
1247 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
1248 luks->cipher_mode);
1249
1250 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
1251 luks->ivgen_cipher_alg,
1252 luks->ivgen_hash_alg,
1253 masterkey,
1254 luks->header.master_key_len,
1255 errp);
1256 if (!block->ivgen) {
1257 goto fail;
1258 }
1259
1260 if (qcrypto_block_init_cipher(block,
1261 luks->cipher_alg,
1262 luks->cipher_mode,
1263 masterkey,
1264 luks->header.master_key_len,
1265 errp) < 0) {
1266 goto fail;
1267 }
1268 }
1269
1270 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1271 block->payload_offset = luks->header.payload_offset_sector *
1272 block->sector_size;
1273 block->detached_header = (block->payload_offset == 0) ? true : false;
1274
1275 return 0;
1276
1277 fail:
1278 qcrypto_block_free_cipher(block);
1279 qcrypto_ivgen_free(block->ivgen);
1280 g_free(luks->secret);
1281 g_free(luks);
1282 return -1;
1283 }
1284
1285
1286 static void
1287 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
1288 {
1289 QemuUUID uuid;
1290 qemu_uuid_generate(&uuid);
1291 qemu_uuid_unparse(&uuid, (char *)uuidstr);
1292 }
1293
1294 static int
1295 qcrypto_block_luks_create(QCryptoBlock *block,
1296 QCryptoBlockCreateOptions *options,
1297 const char *optprefix,
1298 QCryptoBlockInitFunc initfunc,
1299 QCryptoBlockWriteFunc writefunc,
1300 void *opaque,
1301 Error **errp)
1302 {
1303 QCryptoBlockLUKS *luks;
1304 QCryptoBlockCreateOptionsLUKS luks_opts;
1305 Error *local_err = NULL;
1306 g_autofree uint8_t *masterkey = NULL;
1307 size_t header_sectors;
1308 size_t split_key_sectors;
1309 size_t i;
1310 g_autofree char *password = NULL;
1311 const char *cipher_alg;
1312 const char *cipher_mode;
1313 const char *ivgen_alg;
1314 const char *ivgen_hash_alg = NULL;
1315 const char *hash_alg;
1316 g_autofree char *cipher_mode_spec = NULL;
1317 uint64_t iters;
1318 uint64_t detached_header_size;
1319
1320 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
1321 if (!luks_opts.has_iter_time) {
1322 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1323 }
1324 if (!luks_opts.has_cipher_alg) {
1325 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALGO_AES_256;
1326 }
1327 if (!luks_opts.has_cipher_mode) {
1328 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
1329 }
1330 if (!luks_opts.has_ivgen_alg) {
1331 luks_opts.ivgen_alg = QCRYPTO_IV_GEN_ALGO_PLAIN64;
1332 }
1333 if (!luks_opts.has_hash_alg) {
1334 luks_opts.hash_alg = QCRYPTO_HASH_ALGO_SHA256;
1335 }
1336 if (luks_opts.ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) {
1337 if (!luks_opts.has_ivgen_hash_alg) {
1338 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALGO_SHA256;
1339 luks_opts.has_ivgen_hash_alg = true;
1340 }
1341 }
1342
1343 luks = g_new0(QCryptoBlockLUKS, 1);
1344 block->opaque = luks;
1345
1346 luks->cipher_alg = luks_opts.cipher_alg;
1347 luks->cipher_mode = luks_opts.cipher_mode;
1348 luks->ivgen_alg = luks_opts.ivgen_alg;
1349 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
1350 luks->hash_alg = luks_opts.hash_alg;
1351
1352
1353 /* Note we're allowing ivgen_hash_alg to be set even for
1354 * non-essiv iv generators that don't need a hash. It will
1355 * be silently ignored, for compatibility with dm-crypt */
1356
1357 if (!options->u.luks.key_secret) {
1358 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1359 optprefix ? optprefix : "");
1360 goto error;
1361 }
1362 luks->secret = g_strdup(options->u.luks.key_secret);
1363
1364 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
1365 if (!password) {
1366 goto error;
1367 }
1368
1369
1370 memcpy(luks->header.magic, qcrypto_block_luks_magic,
1371 QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
1372
1373 /* We populate the header in native endianness initially and
1374 * then convert everything to big endian just before writing
1375 * it out to disk
1376 */
1377 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
1378 qcrypto_block_luks_uuid_gen(luks->header.uuid);
1379
1380 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
1381 errp);
1382 if (!cipher_alg) {
1383 goto error;
1384 }
1385
1386 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
1387 ivgen_alg = QCryptoIVGenAlgo_str(luks_opts.ivgen_alg);
1388 if (luks_opts.has_ivgen_hash_alg) {
1389 ivgen_hash_alg = QCryptoHashAlgo_str(luks_opts.ivgen_hash_alg);
1390 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
1391 ivgen_hash_alg);
1392 } else {
1393 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
1394 }
1395 hash_alg = QCryptoHashAlgo_str(luks_opts.hash_alg);
1396
1397
1398 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
1399 error_setg(errp, "Cipher name '%s' is too long for LUKS header",
1400 cipher_alg);
1401 goto error;
1402 }
1403 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
1404 error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
1405 cipher_mode_spec);
1406 goto error;
1407 }
1408 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
1409 error_setg(errp, "Hash name '%s' is too long for LUKS header",
1410 hash_alg);
1411 goto error;
1412 }
1413
1414 if (luks_opts.ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) {
1415 luks->ivgen_cipher_alg =
1416 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
1417 luks_opts.ivgen_hash_alg,
1418 &local_err);
1419 if (local_err) {
1420 error_propagate(errp, local_err);
1421 goto error;
1422 }
1423 } else {
1424 luks->ivgen_cipher_alg = luks_opts.cipher_alg;
1425 }
1426
1427 strcpy(luks->header.cipher_name, cipher_alg);
1428 strcpy(luks->header.cipher_mode, cipher_mode_spec);
1429 strcpy(luks->header.hash_spec, hash_alg);
1430
1431 luks->header.master_key_len =
1432 qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
1433
1434 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
1435 luks->header.master_key_len *= 2;
1436 }
1437
1438 /* Generate the salt used for hashing the master key
1439 * with PBKDF later
1440 */
1441 if (qcrypto_random_bytes(luks->header.master_key_salt,
1442 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1443 errp) < 0) {
1444 goto error;
1445 }
1446
1447 /* Generate random master key */
1448 masterkey = g_new0(uint8_t, luks->header.master_key_len);
1449 if (qcrypto_random_bytes(masterkey,
1450 luks->header.master_key_len, errp) < 0) {
1451 goto error;
1452 }
1453
1454
1455 /* Setup the block device payload encryption objects */
1456 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
1457 luks_opts.cipher_mode, masterkey,
1458 luks->header.master_key_len, errp) < 0) {
1459 goto error;
1460 }
1461
1462 block->kdfhash = luks_opts.hash_alg;
1463 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
1464 luks_opts.cipher_mode);
1465 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
1466 luks->ivgen_cipher_alg,
1467 luks_opts.ivgen_hash_alg,
1468 masterkey, luks->header.master_key_len,
1469 errp);
1470
1471 if (!block->ivgen) {
1472 goto error;
1473 }
1474
1475
1476 /* Determine how many iterations we need to hash the master
1477 * key, in order to have 1 second of compute time used
1478 */
1479 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
1480 masterkey, luks->header.master_key_len,
1481 luks->header.master_key_salt,
1482 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1483 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1484 &local_err);
1485 if (local_err) {
1486 error_propagate(errp, local_err);
1487 goto error;
1488 }
1489
1490 if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
1491 error_setg_errno(errp, ERANGE,
1492 "PBKDF iterations %llu too large to scale",
1493 (unsigned long long)iters);
1494 goto error;
1495 }
1496
1497 /* iter_time was in millis, but count_iters reported for secs */
1498 iters = iters * luks_opts.iter_time / 1000;
1499
1500 /* Why /= 8 ? That matches cryptsetup, but there's no
1501 * explanation why they chose /= 8... Probably so that
1502 * if all 8 keyslots are active we only spend 1 second
1503 * in total time to check all keys */
1504 iters /= 8;
1505 if (iters > UINT32_MAX) {
1506 error_setg_errno(errp, ERANGE,
1507 "PBKDF iterations %llu larger than %u",
1508 (unsigned long long)iters, UINT32_MAX);
1509 goto error;
1510 }
1511 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
1512 luks->header.master_key_iterations = iters;
1513
1514 /* Hash the master key, saving the result in the LUKS
1515 * header. This hash is used when opening the encrypted
1516 * device to verify that the user password unlocked a
1517 * valid master key
1518 */
1519 if (qcrypto_pbkdf2(luks_opts.hash_alg,
1520 masterkey, luks->header.master_key_len,
1521 luks->header.master_key_salt,
1522 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1523 luks->header.master_key_iterations,
1524 luks->header.master_key_digest,
1525 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1526 errp) < 0) {
1527 goto error;
1528 }
1529
1530 /* start with the sector that follows the header*/
1531 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
1532 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1533
1534 split_key_sectors =
1535 qcrypto_block_luks_splitkeylen_sectors(luks,
1536 header_sectors,
1537 QCRYPTO_BLOCK_LUKS_STRIPES);
1538
1539 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1540 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
1541 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1542
1543 slot->key_offset_sector = header_sectors + i * split_key_sectors;
1544 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
1545 }
1546
1547 if (block->detached_header) {
1548 /*
1549 * For a detached LUKS header image, set the payload_offset_sector
1550 * to 0 to specify the starting point for read/write
1551 */
1552 luks->header.payload_offset_sector = 0;
1553 } else {
1554 /*
1555 * The total size of the LUKS headers is the partition header + key
1556 * slot headers, rounded up to the nearest sector, combined with
1557 * the size of each master key material region, also rounded up
1558 * to the nearest sector
1559 */
1560 luks->header.payload_offset_sector = header_sectors +
1561 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
1562 }
1563
1564 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1565 block->payload_offset = luks->header.payload_offset_sector *
1566 block->sector_size;
1567 detached_header_size =
1568 (header_sectors + QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS *
1569 split_key_sectors) * block->sector_size;
1570
1571 /* Reserve header space to match payload offset */
1572 initfunc(block, detached_header_size, opaque, &local_err);
1573 if (local_err) {
1574 error_propagate(errp, local_err);
1575 goto error;
1576 }
1577
1578
1579 /* populate the slot 0 with the password encrypted master key*/
1580 /* This will also store the header */
1581 if (qcrypto_block_luks_store_key(block,
1582 0,
1583 password,
1584 masterkey,
1585 luks_opts.iter_time,
1586 writefunc,
1587 opaque,
1588 errp) < 0) {
1589 goto error;
1590 }
1591
1592 memset(masterkey, 0, luks->header.master_key_len);
1593
1594 return 0;
1595
1596 error:
1597 if (masterkey) {
1598 memset(masterkey, 0, luks->header.master_key_len);
1599 }
1600
1601 qcrypto_block_free_cipher(block);
1602 qcrypto_ivgen_free(block->ivgen);
1603
1604 g_free(luks->secret);
1605 g_free(luks);
1606 return -1;
1607 }
1608
1609 static int
1610 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
1611 QCryptoBlockReadFunc readfunc,
1612 QCryptoBlockWriteFunc writefunc,
1613 void *opaque,
1614 QCryptoBlockAmendOptionsLUKS *opts_luks,
1615 bool force,
1616 Error **errp)
1617 {
1618 QCryptoBlockLUKS *luks = block->opaque;
1619 uint64_t iter_time = opts_luks->has_iter_time ?
1620 opts_luks->iter_time :
1621 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1622 int keyslot;
1623 g_autofree char *old_password = NULL;
1624 g_autofree char *new_password = NULL;
1625 g_autofree uint8_t *master_key = NULL;
1626
1627 char *secret = opts_luks->secret ?: luks->secret;
1628
1629 if (!opts_luks->new_secret) {
1630 error_setg(errp, "'new-secret' is required to activate a keyslot");
1631 return -1;
1632 }
1633 if (opts_luks->old_secret) {
1634 error_setg(errp,
1635 "'old-secret' must not be given when activating keyslots");
1636 return -1;
1637 }
1638
1639 if (opts_luks->has_keyslot) {
1640 keyslot = opts_luks->keyslot;
1641 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1642 error_setg(errp,
1643 "Invalid keyslot %u specified, must be between 0 and %u",
1644 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1645 return -1;
1646 }
1647 } else {
1648 keyslot = qcrypto_block_luks_find_free_keyslot(luks);
1649 if (keyslot == -1) {
1650 error_setg(errp,
1651 "Can't add a keyslot - all keyslots are in use");
1652 return -1;
1653 }
1654 }
1655
1656 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
1657 error_setg(errp,
1658 "Refusing to overwrite active keyslot %i - "
1659 "please erase it first",
1660 keyslot);
1661 return -1;
1662 }
1663
1664 /* Locate the password that will be used to retrieve the master key */
1665 old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
1666 if (!old_password) {
1667 return -1;
1668 }
1669
1670 /* Retrieve the master key */
1671 master_key = g_new0(uint8_t, luks->header.master_key_len);
1672
1673 if (qcrypto_block_luks_find_key(block, old_password, master_key,
1674 readfunc, opaque, errp) < 0) {
1675 error_append_hint(errp, "Failed to retrieve the master key");
1676 return -1;
1677 }
1678
1679 /* Locate the new password*/
1680 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
1681 if (!new_password) {
1682 return -1;
1683 }
1684
1685 /* Now set the new keyslots */
1686 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
1687 iter_time, writefunc, opaque, errp)) {
1688 error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
1689 return -1;
1690 }
1691 return 0;
1692 }
1693
1694 static int
1695 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
1696 QCryptoBlockReadFunc readfunc,
1697 QCryptoBlockWriteFunc writefunc,
1698 void *opaque,
1699 QCryptoBlockAmendOptionsLUKS *opts_luks,
1700 bool force,
1701 Error **errp)
1702 {
1703 QCryptoBlockLUKS *luks = block->opaque;
1704 g_autofree uint8_t *tmpkey = NULL;
1705 g_autofree char *old_password = NULL;
1706
1707 if (opts_luks->new_secret) {
1708 error_setg(errp,
1709 "'new-secret' must not be given when erasing keyslots");
1710 return -1;
1711 }
1712 if (opts_luks->has_iter_time) {
1713 error_setg(errp,
1714 "'iter-time' must not be given when erasing keyslots");
1715 return -1;
1716 }
1717 if (opts_luks->secret) {
1718 error_setg(errp,
1719 "'secret' must not be given when erasing keyslots");
1720 return -1;
1721 }
1722
1723 /* Load the old password if given */
1724 if (opts_luks->old_secret) {
1725 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
1726 errp);
1727 if (!old_password) {
1728 return -1;
1729 }
1730
1731 /*
1732 * Allocate a temporary key buffer that we will need when
1733 * checking if slot matches the given old password
1734 */
1735 tmpkey = g_new0(uint8_t, luks->header.master_key_len);
1736 }
1737
1738 /* Erase an explicitly given keyslot */
1739 if (opts_luks->has_keyslot) {
1740 int keyslot = opts_luks->keyslot;
1741
1742 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1743 error_setg(errp,
1744 "Invalid keyslot %i specified, must be between 0 and %i",
1745 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1746 return -1;
1747 }
1748
1749 if (opts_luks->old_secret) {
1750 int rv = qcrypto_block_luks_load_key(block,
1751 keyslot,
1752 old_password,
1753 tmpkey,
1754 readfunc,
1755 opaque,
1756 errp);
1757 if (rv == -1) {
1758 return -1;
1759 } else if (rv == 0) {
1760 error_setg(errp,
1761 "Given keyslot %i doesn't contain the given "
1762 "old password for erase operation",
1763 keyslot);
1764 return -1;
1765 }
1766 }
1767
1768 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
1769 error_setg(errp,
1770 "Given keyslot %i is already erased (inactive) ",
1771 keyslot);
1772 return -1;
1773 }
1774
1775 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
1776 error_setg(errp,
1777 "Attempt to erase the only active keyslot %i "
1778 "which will erase all the data in the image "
1779 "irreversibly - refusing operation",
1780 keyslot);
1781 return -1;
1782 }
1783
1784 if (qcrypto_block_luks_erase_key(block, keyslot,
1785 writefunc, opaque, errp)) {
1786 error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
1787 return -1;
1788 }
1789
1790 /* Erase all keyslots that match the given old password */
1791 } else if (opts_luks->old_secret) {
1792
1793 unsigned long slots_to_erase_bitmap = 0;
1794 size_t i;
1795 int slot_count;
1796
1797 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
1798 sizeof(slots_to_erase_bitmap) * 8);
1799
1800 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1801 int rv = qcrypto_block_luks_load_key(block,
1802 i,
1803 old_password,
1804 tmpkey,
1805 readfunc,
1806 opaque,
1807 errp);
1808 if (rv == -1) {
1809 return -1;
1810 } else if (rv == 1) {
1811 bitmap_set(&slots_to_erase_bitmap, i, 1);
1812 }
1813 }
1814
1815 slot_count = bitmap_count_one(&slots_to_erase_bitmap,
1816 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1817 if (slot_count == 0) {
1818 error_setg(errp,
1819 "No keyslots match given (old) password for erase operation");
1820 return -1;
1821 }
1822
1823 if (!force &&
1824 slot_count == qcrypto_block_luks_count_active_slots(luks)) {
1825 error_setg(errp,
1826 "All the active keyslots match the (old) password that "
1827 "was given and erasing them will erase all the data in "
1828 "the image irreversibly - refusing operation");
1829 return -1;
1830 }
1831
1832 /* Now apply the update */
1833 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1834 if (!test_bit(i, &slots_to_erase_bitmap)) {
1835 continue;
1836 }
1837 if (qcrypto_block_luks_erase_key(block, i, writefunc,
1838 opaque, errp)) {
1839 error_append_hint(errp, "Failed to erase keyslot %zu", i);
1840 return -1;
1841 }
1842 }
1843 } else {
1844 error_setg(errp,
1845 "To erase keyslot(s), either explicit keyslot index "
1846 "or the password currently contained in them must be given");
1847 return -1;
1848 }
1849 return 0;
1850 }
1851
1852 static int
1853 qcrypto_block_luks_amend_options(QCryptoBlock *block,
1854 QCryptoBlockReadFunc readfunc,
1855 QCryptoBlockWriteFunc writefunc,
1856 void *opaque,
1857 QCryptoBlockAmendOptions *options,
1858 bool force,
1859 Error **errp)
1860 {
1861 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
1862
1863 switch (opts_luks->state) {
1864 case QCRYPTO_BLOCK_LUKS_KEYSLOT_STATE_ACTIVE:
1865 return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
1866 writefunc, opaque,
1867 opts_luks, force, errp);
1868 case QCRYPTO_BLOCK_LUKS_KEYSLOT_STATE_INACTIVE:
1869 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
1870 writefunc, opaque,
1871 opts_luks, force, errp);
1872 default:
1873 g_assert_not_reached();
1874 }
1875 }
1876
1877 static int qcrypto_block_luks_get_info(QCryptoBlock *block,
1878 QCryptoBlockInfo *info,
1879 Error **errp)
1880 {
1881 QCryptoBlockLUKS *luks = block->opaque;
1882 QCryptoBlockInfoLUKSSlot *slot;
1883 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
1884 size_t i;
1885
1886 info->u.luks.cipher_alg = luks->cipher_alg;
1887 info->u.luks.cipher_mode = luks->cipher_mode;
1888 info->u.luks.ivgen_alg = luks->ivgen_alg;
1889 if (info->u.luks.ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) {
1890 info->u.luks.has_ivgen_hash_alg = true;
1891 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
1892 }
1893 info->u.luks.hash_alg = luks->hash_alg;
1894 info->u.luks.payload_offset = block->payload_offset;
1895 info->u.luks.master_key_iters = luks->header.master_key_iterations;
1896 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
1897 sizeof(luks->header.uuid));
1898 info->u.luks.detached_header = block->detached_header;
1899
1900 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1901 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
1902 slot->active = luks->header.key_slots[i].active ==
1903 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1904 slot->key_offset = luks->header.key_slots[i].key_offset_sector
1905 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1906 if (slot->active) {
1907 slot->has_iters = true;
1908 slot->iters = luks->header.key_slots[i].iterations;
1909 slot->has_stripes = true;
1910 slot->stripes = luks->header.key_slots[i].stripes;
1911 }
1912
1913 QAPI_LIST_APPEND(tail, slot);
1914 }
1915
1916 return 0;
1917 }
1918
1919
1920 static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
1921 {
1922 QCryptoBlockLUKS *luks = block->opaque;
1923 if (luks) {
1924 g_free(luks->secret);
1925 g_free(luks);
1926 }
1927 }
1928
1929
1930 static int
1931 qcrypto_block_luks_decrypt(QCryptoBlock *block,
1932 uint64_t offset,
1933 uint8_t *buf,
1934 size_t len,
1935 Error **errp)
1936 {
1937 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1938 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1939 return qcrypto_block_decrypt_helper(block,
1940 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1941 offset, buf, len, errp);
1942 }
1943
1944
1945 static int
1946 qcrypto_block_luks_encrypt(QCryptoBlock *block,
1947 uint64_t offset,
1948 uint8_t *buf,
1949 size_t len,
1950 Error **errp)
1951 {
1952 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1953 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1954 return qcrypto_block_encrypt_helper(block,
1955 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1956 offset, buf, len, errp);
1957 }
1958
1959
1960 const QCryptoBlockDriver qcrypto_block_driver_luks = {
1961 .open = qcrypto_block_luks_open,
1962 .create = qcrypto_block_luks_create,
1963 .amend = qcrypto_block_luks_amend_options,
1964 .get_info = qcrypto_block_luks_get_info,
1965 .cleanup = qcrypto_block_luks_cleanup,
1966 .decrypt = qcrypto_block_luks_decrypt,
1967 .encrypt = qcrypto_block_luks_encrypt,
1968 .has_format = qcrypto_block_luks_has_format,
1969 };
armbru's QEMU hackery