search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hw/mips/gt64xxx_pci: Manage endian bits with the RegisterFields API
[qemu.git] / crypto / block-luks.c
blobff9e3945d1b98ff405bb0f1a57c4e237ae7d4e95
1 /*
2 * QEMU Crypto block device encryption LUKS format
3 *
4 * Copyright (c) 2015-2016 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/bswap.h"
24
25 #include "block-luks.h"
26 #include "block-luks-priv.h"
27
28 #include "crypto/hash.h"
29 #include "crypto/afsplit.h"
30 #include "crypto/pbkdf.h"
31 #include "crypto/secret.h"
32 #include "crypto/random.h"
33 #include "qemu/uuid.h"
34
35 #include "qemu/coroutine.h"
36 #include "qemu/bitmap.h"
37
38 /*
39 * Reference for the LUKS format implemented here is
40 *
41 * docs/on-disk-format.pdf
42 *
43 * in 'cryptsetup' package source code
44 *
45 * This file implements the 1.2.1 specification, dated
46 * Oct 16, 2011.
47 */
48
49 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
50
51 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
52 struct QCryptoBlockLUKSNameMap {
53 const char *name;
54 int id;
55 };
56
57 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
58 struct QCryptoBlockLUKSCipherSizeMap {
59 uint32_t key_bytes;
60 int id;
61 };
62 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
63 struct QCryptoBlockLUKSCipherNameMap {
64 const char *name;
65 const QCryptoBlockLUKSCipherSizeMap *sizes;
66 };
67
68
69 static const QCryptoBlockLUKSCipherSizeMap
70 qcrypto_block_luks_cipher_size_map_aes[] = {
71 { 16, QCRYPTO_CIPHER_ALG_AES_128 },
72 { 24, QCRYPTO_CIPHER_ALG_AES_192 },
73 { 32, QCRYPTO_CIPHER_ALG_AES_256 },
74 { 0, 0 },
75 };
76
77 static const QCryptoBlockLUKSCipherSizeMap
78 qcrypto_block_luks_cipher_size_map_cast5[] = {
79 { 16, QCRYPTO_CIPHER_ALG_CAST5_128 },
80 { 0, 0 },
81 };
82
83 static const QCryptoBlockLUKSCipherSizeMap
84 qcrypto_block_luks_cipher_size_map_serpent[] = {
85 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 },
86 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 },
87 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 },
88 { 0, 0 },
89 };
90
91 static const QCryptoBlockLUKSCipherSizeMap
92 qcrypto_block_luks_cipher_size_map_twofish[] = {
93 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 },
94 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 },
95 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 },
96 { 0, 0 },
97 };
98
99 static const QCryptoBlockLUKSCipherNameMap
100 qcrypto_block_luks_cipher_name_map[] = {
101 { "aes", qcrypto_block_luks_cipher_size_map_aes },
102 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
103 { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
104 { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
105 };
106
107 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
108 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
109
110
111 struct QCryptoBlockLUKS {
112 QCryptoBlockLUKSHeader header;
113
114 /* Main encryption algorithm used for encryption*/
115 QCryptoCipherAlgorithm cipher_alg;
116
117 /* Mode of encryption for the selected encryption algorithm */
118 QCryptoCipherMode cipher_mode;
119
120 /* Initialization vector generation algorithm */
121 QCryptoIVGenAlgorithm ivgen_alg;
122
123 /* Hash algorithm used for IV generation*/
124 QCryptoHashAlgorithm ivgen_hash_alg;
125
126 /*
127 * Encryption algorithm used for IV generation.
128 * Usually the same as main encryption algorithm
129 */
130 QCryptoCipherAlgorithm ivgen_cipher_alg;
131
132 /* Hash algorithm used in pbkdf2 function */
133 QCryptoHashAlgorithm hash_alg;
134
135 /* Name of the secret that was used to open the image */
136 char *secret;
137 };
138
139
140 static int qcrypto_block_luks_cipher_name_lookup(const char *name,
141 QCryptoCipherMode mode,
142 uint32_t key_bytes,
143 Error **errp)
144 {
145 const QCryptoBlockLUKSCipherNameMap *map =
146 qcrypto_block_luks_cipher_name_map;
147 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
148 size_t i, j;
149
150 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
151 key_bytes /= 2;
152 }
153
154 for (i = 0; i < maplen; i++) {
155 if (!g_str_equal(map[i].name, name)) {
156 continue;
157 }
158 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
159 if (map[i].sizes[j].key_bytes == key_bytes) {
160 return map[i].sizes[j].id;
161 }
162 }
163 }
164
165 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported",
166 name, key_bytes);
167 return 0;
168 }
169
170 static const char *
171 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg,
172 Error **errp)
173 {
174 const QCryptoBlockLUKSCipherNameMap *map =
175 qcrypto_block_luks_cipher_name_map;
176 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
177 size_t i, j;
178 for (i = 0; i < maplen; i++) {
179 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
180 if (map[i].sizes[j].id == alg) {
181 return map[i].name;
182 }
183 }
184 }
185
186 error_setg(errp, "Algorithm '%s' not supported",
187 QCryptoCipherAlgorithm_str(alg));
188 return NULL;
189 }
190
191 /* XXX replace with qapi_enum_parse() in future, when we can
192 * make that function emit a more friendly error message */
193 static int qcrypto_block_luks_name_lookup(const char *name,
194 const QEnumLookup *map,
195 const char *type,
196 Error **errp)
197 {
198 int ret = qapi_enum_parse(map, name, -1, NULL);
199
200 if (ret < 0) {
201 error_setg(errp, "%s '%s' not supported", type, name);
202 return 0;
203 }
204 return ret;
205 }
206
207 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \
208 qcrypto_block_luks_name_lookup(name, \
209 &QCryptoCipherMode_lookup, \
210 "Cipher mode", \
211 errp)
212
213 #define qcrypto_block_luks_hash_name_lookup(name, errp) \
214 qcrypto_block_luks_name_lookup(name, \
215 &QCryptoHashAlgorithm_lookup, \
216 "Hash algorithm", \
217 errp)
218
219 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \
220 qcrypto_block_luks_name_lookup(name, \
221 &QCryptoIVGenAlgorithm_lookup, \
222 "IV generator", \
223 errp)
224
225
226 static bool
227 qcrypto_block_luks_has_format(const uint8_t *buf,
228 size_t buf_size)
229 {
230 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
231
232 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
233 memcmp(luks_header->magic, qcrypto_block_luks_magic,
234 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
235 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
236 return true;
237 } else {
238 return false;
239 }
240 }
241
242
243 /**
244 * Deal with a quirk of dm-crypt usage of ESSIV.
245 *
246 * When calculating ESSIV IVs, the cipher length used by ESSIV
247 * may be different from the cipher length used for the block
248 * encryption, becauses dm-crypt uses the hash digest length
249 * as the key size. ie, if you have AES 128 as the block cipher
250 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
251 * the cipher since that gets a key length matching the digest
252 * size, not AES 128 with truncated digest as might be imagined
253 */
254 static QCryptoCipherAlgorithm
255 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher,
256 QCryptoHashAlgorithm hash,
257 Error **errp)
258 {
259 size_t digestlen = qcrypto_hash_digest_len(hash);
260 size_t keylen = qcrypto_cipher_get_key_len(cipher);
261 if (digestlen == keylen) {
262 return cipher;
263 }
264
265 switch (cipher) {
266 case QCRYPTO_CIPHER_ALG_AES_128:
267 case QCRYPTO_CIPHER_ALG_AES_192:
268 case QCRYPTO_CIPHER_ALG_AES_256:
269 if (digestlen == qcrypto_cipher_get_key_len(
270 QCRYPTO_CIPHER_ALG_AES_128)) {
271 return QCRYPTO_CIPHER_ALG_AES_128;
272 } else if (digestlen == qcrypto_cipher_get_key_len(
273 QCRYPTO_CIPHER_ALG_AES_192)) {
274 return QCRYPTO_CIPHER_ALG_AES_192;
275 } else if (digestlen == qcrypto_cipher_get_key_len(
276 QCRYPTO_CIPHER_ALG_AES_256)) {
277 return QCRYPTO_CIPHER_ALG_AES_256;
278 } else {
279 error_setg(errp, "No AES cipher with key size %zu available",
280 digestlen);
281 return 0;
282 }
283 break;
284 case QCRYPTO_CIPHER_ALG_SERPENT_128:
285 case QCRYPTO_CIPHER_ALG_SERPENT_192:
286 case QCRYPTO_CIPHER_ALG_SERPENT_256:
287 if (digestlen == qcrypto_cipher_get_key_len(
288 QCRYPTO_CIPHER_ALG_SERPENT_128)) {
289 return QCRYPTO_CIPHER_ALG_SERPENT_128;
290 } else if (digestlen == qcrypto_cipher_get_key_len(
291 QCRYPTO_CIPHER_ALG_SERPENT_192)) {
292 return QCRYPTO_CIPHER_ALG_SERPENT_192;
293 } else if (digestlen == qcrypto_cipher_get_key_len(
294 QCRYPTO_CIPHER_ALG_SERPENT_256)) {
295 return QCRYPTO_CIPHER_ALG_SERPENT_256;
296 } else {
297 error_setg(errp, "No Serpent cipher with key size %zu available",
298 digestlen);
299 return 0;
300 }
301 break;
302 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
303 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
304 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
305 if (digestlen == qcrypto_cipher_get_key_len(
306 QCRYPTO_CIPHER_ALG_TWOFISH_128)) {
307 return QCRYPTO_CIPHER_ALG_TWOFISH_128;
308 } else if (digestlen == qcrypto_cipher_get_key_len(
309 QCRYPTO_CIPHER_ALG_TWOFISH_192)) {
310 return QCRYPTO_CIPHER_ALG_TWOFISH_192;
311 } else if (digestlen == qcrypto_cipher_get_key_len(
312 QCRYPTO_CIPHER_ALG_TWOFISH_256)) {
313 return QCRYPTO_CIPHER_ALG_TWOFISH_256;
314 } else {
315 error_setg(errp, "No Twofish cipher with key size %zu available",
316 digestlen);
317 return 0;
318 }
319 break;
320 default:
321 error_setg(errp, "Cipher %s not supported with essiv",
322 QCryptoCipherAlgorithm_str(cipher));
323 return 0;
324 }
325 }
326
327 /*
328 * Returns number of sectors needed to store the key material
329 * given number of anti forensic stripes
330 */
331 static int
332 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
333 unsigned int header_sectors,
334 unsigned int stripes)
335 {
336 /*
337 * This calculation doesn't match that shown in the spec,
338 * but instead follows the cryptsetup implementation.
339 */
340
341 size_t splitkeylen = luks->header.master_key_len * stripes;
342
343 /* First align the key material size to block size*/
344 size_t splitkeylen_sectors =
345 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
346
347 /* Then also align the key material size to the size of the header */
348 return ROUND_UP(splitkeylen_sectors, header_sectors);
349 }
350
351
352 void
353 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr)
354 {
355 size_t i;
356
357 /*
358 * Everything on disk uses Big Endian (tm), so flip header fields
359 * before writing them
360 */
361 cpu_to_be16s(&hdr->version);
362 cpu_to_be32s(&hdr->payload_offset_sector);
363 cpu_to_be32s(&hdr->master_key_len);
364 cpu_to_be32s(&hdr->master_key_iterations);
365
366 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
367 cpu_to_be32s(&hdr->key_slots[i].active);
368 cpu_to_be32s(&hdr->key_slots[i].iterations);
369 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector);
370 cpu_to_be32s(&hdr->key_slots[i].stripes);
371 }
372 }
373
374 void
375 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr)
376 {
377 size_t i;
378
379 /*
380 * The header is always stored in big-endian format, so
381 * convert everything to native
382 */
383 be16_to_cpus(&hdr->version);
384 be32_to_cpus(&hdr->payload_offset_sector);
385 be32_to_cpus(&hdr->master_key_len);
386 be32_to_cpus(&hdr->master_key_iterations);
387
388 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
389 be32_to_cpus(&hdr->key_slots[i].active);
390 be32_to_cpus(&hdr->key_slots[i].iterations);
391 be32_to_cpus(&hdr->key_slots[i].key_offset_sector);
392 be32_to_cpus(&hdr->key_slots[i].stripes);
393 }
394 }
395
396 /*
397 * Stores the main LUKS header, taking care of endianess
398 */
399 static int
400 qcrypto_block_luks_store_header(QCryptoBlock *block,
401 QCryptoBlockWriteFunc writefunc,
402 void *opaque,
403 Error **errp)
404 {
405 const QCryptoBlockLUKS *luks = block->opaque;
406 Error *local_err = NULL;
407 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
408
409 /* Create a copy of the header */
410 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
411 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
412
413 qcrypto_block_luks_to_disk_endian(hdr_copy);
414
415 /* Write out the partition header and key slot headers */
416 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
417 opaque, &local_err);
418
419 if (local_err) {
420 error_propagate(errp, local_err);
421 return -1;
422 }
423 return 0;
424 }
425
426 /*
427 * Loads the main LUKS header,and byteswaps it to native endianess
428 * And run basic sanity checks on it
429 */
430 static int
431 qcrypto_block_luks_load_header(QCryptoBlock *block,
432 QCryptoBlockReadFunc readfunc,
433 void *opaque,
434 Error **errp)
435 {
436 int rv;
437 QCryptoBlockLUKS *luks = block->opaque;
438
439 /*
440 * Read the entire LUKS header, minus the key material from
441 * the underlying device
442 */
443 rv = readfunc(block, 0,
444 (uint8_t *)&luks->header,
445 sizeof(luks->header),
446 opaque,
447 errp);
448 if (rv < 0) {
449 return rv;
450 }
451
452 qcrypto_block_luks_from_disk_endian(&luks->header);
453
454 return 0;
455 }
456
457 /*
458 * Does basic sanity checks on the LUKS header
459 */
460 static int
461 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
462 {
463 size_t i, j;
464
465 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
466 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
467
468 if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
469 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
470 error_setg(errp, "Volume is not in LUKS format");
471 return -1;
472 }
473
474 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
475 error_setg(errp, "LUKS version %" PRIu32 " is not supported",
476 luks->header.version);
477 return -1;
478 }
479
480 if (!memchr(luks->header.cipher_name, '\0',
481 sizeof(luks->header.cipher_name))) {
482 error_setg(errp, "LUKS header cipher name is not NUL terminated");
483 return -1;
484 }
485
486 if (!memchr(luks->header.cipher_mode, '\0',
487 sizeof(luks->header.cipher_mode))) {
488 error_setg(errp, "LUKS header cipher mode is not NUL terminated");
489 return -1;
490 }
491
492 if (!memchr(luks->header.hash_spec, '\0',
493 sizeof(luks->header.hash_spec))) {
494 error_setg(errp, "LUKS header hash spec is not NUL terminated");
495 return -1;
496 }
497
498 if (luks->header.payload_offset_sector <
499 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
500 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
501 error_setg(errp, "LUKS payload is overlapping with the header");
502 return -1;
503 }
504
505 if (luks->header.master_key_iterations == 0) {
506 error_setg(errp, "LUKS key iteration count is zero");
507 return -1;
508 }
509
510 /* Check all keyslots for corruption */
511 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
512
513 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
514 unsigned int start1 = slot1->key_offset_sector;
515 unsigned int len1 =
516 qcrypto_block_luks_splitkeylen_sectors(luks,
517 header_sectors,
518 slot1->stripes);
519
520 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) {
521 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)",
522 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES);
523 return -1;
524 }
525
526 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
527 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
528 error_setg(errp,
529 "Keyslot %zu state (active/disable) is corrupted", i);
530 return -1;
531 }
532
533 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED &&
534 slot1->iterations == 0) {
535 error_setg(errp, "Keyslot %zu iteration count is zero", i);
536 return -1;
537 }
538
539 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
540 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
541 error_setg(errp,
542 "Keyslot %zu is overlapping with the LUKS header",
543 i);
544 return -1;
545 }
546
547 if (start1 + len1 > luks->header.payload_offset_sector) {
548 error_setg(errp,
549 "Keyslot %zu is overlapping with the encrypted payload",
550 i);
551 return -1;
552 }
553
554 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
555 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
556 unsigned int start2 = slot2->key_offset_sector;
557 unsigned int len2 =
558 qcrypto_block_luks_splitkeylen_sectors(luks,
559 header_sectors,
560 slot2->stripes);
561
562 if (start1 + len1 > start2 && start2 + len2 > start1) {
563 error_setg(errp,
564 "Keyslots %zu and %zu are overlapping in the header",
565 i, j);
566 return -1;
567 }
568 }
569
570 }
571 return 0;
572 }
573
574 /*
575 * Parses the crypto parameters that are stored in the LUKS header
576 */
577
578 static int
579 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
580 {
581 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
582 char *ivgen_name, *ivhash_name;
583 Error *local_err = NULL;
584
585 /*
586 * The cipher_mode header contains a string that we have
587 * to further parse, of the format
588 *
589 * <cipher-mode>-<iv-generator>[:<iv-hash>]
590 *
591 * eg cbc-essiv:sha256, cbc-plain64
592 */
593 ivgen_name = strchr(cipher_mode, '-');
594 if (!ivgen_name) {
595 error_setg(errp, "Unexpected cipher mode string format '%s'",
596 luks->header.cipher_mode);
597 return -1;
598 }
599 *ivgen_name = '\0';
600 ivgen_name++;
601
602 ivhash_name = strchr(ivgen_name, ':');
603 if (!ivhash_name) {
604 luks->ivgen_hash_alg = 0;
605 } else {
606 *ivhash_name = '\0';
607 ivhash_name++;
608
609 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
610 &local_err);
611 if (local_err) {
612 error_propagate(errp, local_err);
613 return -1;
614 }
615 }
616
617 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
618 &local_err);
619 if (local_err) {
620 error_propagate(errp, local_err);
621 return -1;
622 }
623
624 luks->cipher_alg =
625 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
626 luks->cipher_mode,
627 luks->header.master_key_len,
628 &local_err);
629 if (local_err) {
630 error_propagate(errp, local_err);
631 return -1;
632 }
633
634 luks->hash_alg =
635 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
636 &local_err);
637 if (local_err) {
638 error_propagate(errp, local_err);
639 return -1;
640 }
641
642 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
643 &local_err);
644 if (local_err) {
645 error_propagate(errp, local_err);
646 return -1;
647 }
648
649 if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
650 if (!ivhash_name) {
651 error_setg(errp, "Missing IV generator hash specification");
652 return -1;
653 }
654 luks->ivgen_cipher_alg =
655 qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
656 luks->ivgen_hash_alg,
657 &local_err);
658 if (local_err) {
659 error_propagate(errp, local_err);
660 return -1;
661 }
662 } else {
663
664 /*
665 * Note we parsed the ivhash_name earlier in the cipher_mode
666 * spec string even with plain/plain64 ivgens, but we
667 * will ignore it, since it is irrelevant for these ivgens.
668 * This is for compat with dm-crypt which will silently
669 * ignore hash names with these ivgens rather than report
670 * an error about the invalid usage
671 */
672 luks->ivgen_cipher_alg = luks->cipher_alg;
673 }
674 return 0;
675 }
676
677 /*
678 * Given a key slot, user password, and the master key,
679 * will store the encrypted master key there, and update the
680 * in-memory header. User must then write the in-memory header
681 *
682 * Returns:
683 * 0 if the keyslot was written successfully
684 * with the provided password
685 * -1 if a fatal error occurred while storing the key
686 */
687 static int
688 qcrypto_block_luks_store_key(QCryptoBlock *block,
689 unsigned int slot_idx,
690 const char *password,
691 uint8_t *masterkey,
692 uint64_t iter_time,
693 QCryptoBlockWriteFunc writefunc,
694 void *opaque,
695 Error **errp)
696 {
697 QCryptoBlockLUKS *luks = block->opaque;
698 QCryptoBlockLUKSKeySlot *slot;
699 g_autofree uint8_t *splitkey = NULL;
700 size_t splitkeylen;
701 g_autofree uint8_t *slotkey = NULL;
702 g_autoptr(QCryptoCipher) cipher = NULL;
703 g_autoptr(QCryptoIVGen) ivgen = NULL;
704 Error *local_err = NULL;
705 uint64_t iters;
706 int ret = -1;
707
708 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
709 slot = &luks->header.key_slots[slot_idx];
710 if (qcrypto_random_bytes(slot->salt,
711 QCRYPTO_BLOCK_LUKS_SALT_LEN,
712 errp) < 0) {
713 goto cleanup;
714 }
715
716 splitkeylen = luks->header.master_key_len * slot->stripes;
717
718 /*
719 * Determine how many iterations are required to
720 * hash the user password while consuming 1 second of compute
721 * time
722 */
723 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
724 (uint8_t *)password, strlen(password),
725 slot->salt,
726 QCRYPTO_BLOCK_LUKS_SALT_LEN,
727 luks->header.master_key_len,
728 &local_err);
729 if (local_err) {
730 error_propagate(errp, local_err);
731 goto cleanup;
732 }
733
734 if (iters > (ULLONG_MAX / iter_time)) {
735 error_setg_errno(errp, ERANGE,
736 "PBKDF iterations %llu too large to scale",
737 (unsigned long long)iters);
738 goto cleanup;
739 }
740
741 /* iter_time was in millis, but count_iters reported for secs */
742 iters = iters * iter_time / 1000;
743
744 if (iters > UINT32_MAX) {
745 error_setg_errno(errp, ERANGE,
746 "PBKDF iterations %llu larger than %u",
747 (unsigned long long)iters, UINT32_MAX);
748 goto cleanup;
749 }
750
751 slot->iterations =
752 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
753
754
755 /*
756 * Generate a key that we'll use to encrypt the master
757 * key, from the user's password
758 */
759 slotkey = g_new0(uint8_t, luks->header.master_key_len);
760 if (qcrypto_pbkdf2(luks->hash_alg,
761 (uint8_t *)password, strlen(password),
762 slot->salt,
763 QCRYPTO_BLOCK_LUKS_SALT_LEN,
764 slot->iterations,
765 slotkey, luks->header.master_key_len,
766 errp) < 0) {
767 goto cleanup;
768 }
769
770
771 /*
772 * Setup the encryption objects needed to encrypt the
773 * master key material
774 */
775 cipher = qcrypto_cipher_new(luks->cipher_alg,
776 luks->cipher_mode,
777 slotkey, luks->header.master_key_len,
778 errp);
779 if (!cipher) {
780 goto cleanup;
781 }
782
783 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
784 luks->ivgen_cipher_alg,
785 luks->ivgen_hash_alg,
786 slotkey, luks->header.master_key_len,
787 errp);
788 if (!ivgen) {
789 goto cleanup;
790 }
791
792 /*
793 * Before storing the master key, we need to vastly
794 * increase its size, as protection against forensic
795 * disk data recovery
796 */
797 splitkey = g_new0(uint8_t, splitkeylen);
798
799 if (qcrypto_afsplit_encode(luks->hash_alg,
800 luks->header.master_key_len,
801 slot->stripes,
802 masterkey,
803 splitkey,
804 errp) < 0) {
805 goto cleanup;
806 }
807
808 /*
809 * Now we encrypt the split master key with the key generated
810 * from the user's password, before storing it
811 */
812 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
813 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
814 0,
815 splitkey,
816 splitkeylen,
817 errp) < 0) {
818 goto cleanup;
819 }
820
821 /* Write out the slot's master key material. */
822 if (writefunc(block,
823 slot->key_offset_sector *
824 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
825 splitkey, splitkeylen,
826 opaque,
827 errp) < 0) {
828 goto cleanup;
829 }
830
831 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
832
833 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) {
834 goto cleanup;
835 }
836
837 ret = 0;
838
839 cleanup:
840 if (slotkey) {
841 memset(slotkey, 0, luks->header.master_key_len);
842 }
843 if (splitkey) {
844 memset(splitkey, 0, splitkeylen);
845 }
846 return ret;
847 }
848
849 /*
850 * Given a key slot, and user password, this will attempt to unlock
851 * the master encryption key from the key slot.
852 *
853 * Returns:
854 * 0 if the key slot is disabled, or key could not be decrypted
855 * with the provided password
856 * 1 if the key slot is enabled, and key decrypted successfully
857 * with the provided password
858 * -1 if a fatal error occurred loading the key
859 */
860 static int
861 qcrypto_block_luks_load_key(QCryptoBlock *block,
862 size_t slot_idx,
863 const char *password,
864 uint8_t *masterkey,
865 QCryptoBlockReadFunc readfunc,
866 void *opaque,
867 Error **errp)
868 {
869 QCryptoBlockLUKS *luks = block->opaque;
870 const QCryptoBlockLUKSKeySlot *slot;
871 g_autofree uint8_t *splitkey = NULL;
872 size_t splitkeylen;
873 g_autofree uint8_t *possiblekey = NULL;
874 int rv;
875 g_autoptr(QCryptoCipher) cipher = NULL;
876 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
877 g_autoptr(QCryptoIVGen) ivgen = NULL;
878 size_t niv;
879
880 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
881 slot = &luks->header.key_slots[slot_idx];
882 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
883 return 0;
884 }
885
886 splitkeylen = luks->header.master_key_len * slot->stripes;
887 splitkey = g_new0(uint8_t, splitkeylen);
888 possiblekey = g_new0(uint8_t, luks->header.master_key_len);
889
890 /*
891 * The user password is used to generate a (possible)
892 * decryption key. This may or may not successfully
893 * decrypt the master key - we just blindly assume
894 * the key is correct and validate the results of
895 * decryption later.
896 */
897 if (qcrypto_pbkdf2(luks->hash_alg,
898 (const uint8_t *)password, strlen(password),
899 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
900 slot->iterations,
901 possiblekey, luks->header.master_key_len,
902 errp) < 0) {
903 return -1;
904 }
905
906 /*
907 * We need to read the master key material from the
908 * LUKS key material header. What we're reading is
909 * not the raw master key, but rather the data after
910 * it has been passed through AFSplit and the result
911 * then encrypted.
912 */
913 rv = readfunc(block,
914 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
915 splitkey, splitkeylen,
916 opaque,
917 errp);
918 if (rv < 0) {
919 return -1;
920 }
921
922
923 /* Setup the cipher/ivgen that we'll use to try to decrypt
924 * the split master key material */
925 cipher = qcrypto_cipher_new(luks->cipher_alg,
926 luks->cipher_mode,
927 possiblekey,
928 luks->header.master_key_len,
929 errp);
930 if (!cipher) {
931 return -1;
932 }
933
934 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
935 luks->cipher_mode);
936
937 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
938 luks->ivgen_cipher_alg,
939 luks->ivgen_hash_alg,
940 possiblekey,
941 luks->header.master_key_len,
942 errp);
943 if (!ivgen) {
944 return -1;
945 }
946
947
948 /*
949 * The master key needs to be decrypted in the same
950 * way that the block device payload will be decrypted
951 * later. In particular we'll be using the IV generator
952 * to reset the encryption cipher every time the master
953 * key crosses a sector boundary.
954 */
955 if (qcrypto_block_cipher_decrypt_helper(cipher,
956 niv,
957 ivgen,
958 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
959 0,
960 splitkey,
961 splitkeylen,
962 errp) < 0) {
963 return -1;
964 }
965
966 /*
967 * Now we've decrypted the split master key, join
968 * it back together to get the actual master key.
969 */
970 if (qcrypto_afsplit_decode(luks->hash_alg,
971 luks->header.master_key_len,
972 slot->stripes,
973 splitkey,
974 masterkey,
975 errp) < 0) {
976 return -1;
977 }
978
979
980 /*
981 * We still don't know that the masterkey we got is valid,
982 * because we just blindly assumed the user's password
983 * was correct. This is where we now verify it. We are
984 * creating a hash of the master key using PBKDF and
985 * then comparing that to the hash stored in the key slot
986 * header
987 */
988 if (qcrypto_pbkdf2(luks->hash_alg,
989 masterkey,
990 luks->header.master_key_len,
991 luks->header.master_key_salt,
992 QCRYPTO_BLOCK_LUKS_SALT_LEN,
993 luks->header.master_key_iterations,
994 keydigest,
995 G_N_ELEMENTS(keydigest),
996 errp) < 0) {
997 return -1;
998 }
999
1000 if (memcmp(keydigest, luks->header.master_key_digest,
1001 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
1002 /* Success, we got the right master key */
1003 return 1;
1004 }
1005
1006 /* Fail, user's password was not valid for this key slot,
1007 * tell caller to try another slot */
1008 return 0;
1009 }
1010
1011
1012 /*
1013 * Given a user password, this will iterate over all key
1014 * slots and try to unlock each active key slot using the
1015 * password until it successfully obtains a master key.
1016 *
1017 * Returns 0 if a key was loaded, -1 if no keys could be loaded
1018 */
1019 static int
1020 qcrypto_block_luks_find_key(QCryptoBlock *block,
1021 const char *password,
1022 uint8_t *masterkey,
1023 QCryptoBlockReadFunc readfunc,
1024 void *opaque,
1025 Error **errp)
1026 {
1027 size_t i;
1028 int rv;
1029
1030 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1031 rv = qcrypto_block_luks_load_key(block,
1032 i,
1033 password,
1034 masterkey,
1035 readfunc,
1036 opaque,
1037 errp);
1038 if (rv < 0) {
1039 goto error;
1040 }
1041 if (rv == 1) {
1042 return 0;
1043 }
1044 }
1045
1046 error_setg(errp, "Invalid password, cannot unlock any keyslot");
1047 error:
1048 return -1;
1049 }
1050
1051 /*
1052 * Returns true if a slot i is marked as active
1053 * (contains encrypted copy of the master key)
1054 */
1055 static bool
1056 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
1057 unsigned int slot_idx)
1058 {
1059 uint32_t val;
1060
1061 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1062 val = luks->header.key_slots[slot_idx].active;
1063 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1064 }
1065
1066 /*
1067 * Returns the number of slots that are marked as active
1068 * (slots that contain encrypted copy of the master key)
1069 */
1070 static unsigned int
1071 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
1072 {
1073 size_t i = 0;
1074 unsigned int ret = 0;
1075
1076 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1077 if (qcrypto_block_luks_slot_active(luks, i)) {
1078 ret++;
1079 }
1080 }
1081 return ret;
1082 }
1083
1084 /*
1085 * Finds first key slot which is not active
1086 * Returns the key slot index, or -1 if it doesn't exist
1087 */
1088 static int
1089 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
1090 {
1091 size_t i;
1092
1093 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1094 if (!qcrypto_block_luks_slot_active(luks, i)) {
1095 return i;
1096 }
1097 }
1098 return -1;
1099 }
1100
1101 /*
1102 * Erases an keyslot given its index
1103 * Returns:
1104 * 0 if the keyslot was erased successfully
1105 * -1 if a error occurred while erasing the keyslot
1106 *
1107 */
1108 static int
1109 qcrypto_block_luks_erase_key(QCryptoBlock *block,
1110 unsigned int slot_idx,
1111 QCryptoBlockWriteFunc writefunc,
1112 void *opaque,
1113 Error **errp)
1114 {
1115 QCryptoBlockLUKS *luks = block->opaque;
1116 QCryptoBlockLUKSKeySlot *slot;
1117 g_autofree uint8_t *garbagesplitkey = NULL;
1118 size_t splitkeylen;
1119 size_t i;
1120 Error *local_err = NULL;
1121 int ret;
1122
1123 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1124 slot = &luks->header.key_slots[slot_idx];
1125
1126 splitkeylen = luks->header.master_key_len * slot->stripes;
1127 assert(splitkeylen > 0);
1128
1129 garbagesplitkey = g_new0(uint8_t, splitkeylen);
1130
1131 /* Reset the key slot header */
1132 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
1133 slot->iterations = 0;
1134 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1135
1136 ret = qcrypto_block_luks_store_header(block, writefunc,
1137 opaque, &local_err);
1138
1139 if (ret < 0) {
1140 error_propagate(errp, local_err);
1141 }
1142 /*
1143 * Now try to erase the key material, even if the header
1144 * update failed
1145 */
1146 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
1147 if (qcrypto_random_bytes(garbagesplitkey,
1148 splitkeylen, &local_err) < 0) {
1149 /*
1150 * If we failed to get the random data, still write
1151 * at least zeros to the key slot at least once
1152 */
1153 error_propagate(errp, local_err);
1154
1155 if (i > 0) {
1156 return -1;
1157 }
1158 }
1159 if (writefunc(block,
1160 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1161 garbagesplitkey,
1162 splitkeylen,
1163 opaque,
1164 &local_err) < 0) {
1165 error_propagate(errp, local_err);
1166 return -1;
1167 }
1168 }
1169 return ret;
1170 }
1171
1172 static int
1173 qcrypto_block_luks_open(QCryptoBlock *block,
1174 QCryptoBlockOpenOptions *options,
1175 const char *optprefix,
1176 QCryptoBlockReadFunc readfunc,
1177 void *opaque,
1178 unsigned int flags,
1179 size_t n_threads,
1180 Error **errp)
1181 {
1182 QCryptoBlockLUKS *luks = NULL;
1183 g_autofree uint8_t *masterkey = NULL;
1184 g_autofree char *password = NULL;
1185
1186 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1187 if (!options->u.luks.key_secret) {
1188 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1189 optprefix ? optprefix : "");
1190 return -1;
1191 }
1192 password = qcrypto_secret_lookup_as_utf8(
1193 options->u.luks.key_secret, errp);
1194 if (!password) {
1195 return -1;
1196 }
1197 }
1198
1199 luks = g_new0(QCryptoBlockLUKS, 1);
1200 block->opaque = luks;
1201 luks->secret = g_strdup(options->u.luks.key_secret);
1202
1203 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
1204 goto fail;
1205 }
1206
1207 if (qcrypto_block_luks_check_header(luks, errp) < 0) {
1208 goto fail;
1209 }
1210
1211 if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
1212 goto fail;
1213 }
1214
1215 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1216 /* Try to find which key slot our password is valid for
1217 * and unlock the master key from that slot.
1218 */
1219
1220 masterkey = g_new0(uint8_t, luks->header.master_key_len);
1221
1222 if (qcrypto_block_luks_find_key(block,
1223 password,
1224 masterkey,
1225 readfunc, opaque,
1226 errp) < 0) {
1227 goto fail;
1228 }
1229
1230 /* We have a valid master key now, so can setup the
1231 * block device payload decryption objects
1232 */
1233 block->kdfhash = luks->hash_alg;
1234 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
1235 luks->cipher_mode);
1236
1237 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
1238 luks->ivgen_cipher_alg,
1239 luks->ivgen_hash_alg,
1240 masterkey,
1241 luks->header.master_key_len,
1242 errp);
1243 if (!block->ivgen) {
1244 goto fail;
1245 }
1246
1247 if (qcrypto_block_init_cipher(block,
1248 luks->cipher_alg,
1249 luks->cipher_mode,
1250 masterkey,
1251 luks->header.master_key_len,
1252 n_threads,
1253 errp) < 0) {
1254 goto fail;
1255 }
1256 }
1257
1258 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1259 block->payload_offset = luks->header.payload_offset_sector *
1260 block->sector_size;
1261
1262 return 0;
1263
1264 fail:
1265 qcrypto_block_free_cipher(block);
1266 qcrypto_ivgen_free(block->ivgen);
1267 g_free(luks->secret);
1268 g_free(luks);
1269 return -1;
1270 }
1271
1272
1273 static void
1274 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
1275 {
1276 QemuUUID uuid;
1277 qemu_uuid_generate(&uuid);
1278 qemu_uuid_unparse(&uuid, (char *)uuidstr);
1279 }
1280
1281 static int
1282 qcrypto_block_luks_create(QCryptoBlock *block,
1283 QCryptoBlockCreateOptions *options,
1284 const char *optprefix,
1285 QCryptoBlockInitFunc initfunc,
1286 QCryptoBlockWriteFunc writefunc,
1287 void *opaque,
1288 Error **errp)
1289 {
1290 QCryptoBlockLUKS *luks;
1291 QCryptoBlockCreateOptionsLUKS luks_opts;
1292 Error *local_err = NULL;
1293 g_autofree uint8_t *masterkey = NULL;
1294 size_t header_sectors;
1295 size_t split_key_sectors;
1296 size_t i;
1297 g_autofree char *password = NULL;
1298 const char *cipher_alg;
1299 const char *cipher_mode;
1300 const char *ivgen_alg;
1301 const char *ivgen_hash_alg = NULL;
1302 const char *hash_alg;
1303 g_autofree char *cipher_mode_spec = NULL;
1304 uint64_t iters;
1305
1306 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
1307 if (!luks_opts.has_iter_time) {
1308 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1309 }
1310 if (!luks_opts.has_cipher_alg) {
1311 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
1312 }
1313 if (!luks_opts.has_cipher_mode) {
1314 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
1315 }
1316 if (!luks_opts.has_ivgen_alg) {
1317 luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
1318 }
1319 if (!luks_opts.has_hash_alg) {
1320 luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
1321 }
1322 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1323 if (!luks_opts.has_ivgen_hash_alg) {
1324 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
1325 luks_opts.has_ivgen_hash_alg = true;
1326 }
1327 }
1328
1329 luks = g_new0(QCryptoBlockLUKS, 1);
1330 block->opaque = luks;
1331
1332 luks->cipher_alg = luks_opts.cipher_alg;
1333 luks->cipher_mode = luks_opts.cipher_mode;
1334 luks->ivgen_alg = luks_opts.ivgen_alg;
1335 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
1336 luks->hash_alg = luks_opts.hash_alg;
1337
1338
1339 /* Note we're allowing ivgen_hash_alg to be set even for
1340 * non-essiv iv generators that don't need a hash. It will
1341 * be silently ignored, for compatibility with dm-crypt */
1342
1343 if (!options->u.luks.key_secret) {
1344 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1345 optprefix ? optprefix : "");
1346 goto error;
1347 }
1348 luks->secret = g_strdup(options->u.luks.key_secret);
1349
1350 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
1351 if (!password) {
1352 goto error;
1353 }
1354
1355
1356 memcpy(luks->header.magic, qcrypto_block_luks_magic,
1357 QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
1358
1359 /* We populate the header in native endianness initially and
1360 * then convert everything to big endian just before writing
1361 * it out to disk
1362 */
1363 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
1364 qcrypto_block_luks_uuid_gen(luks->header.uuid);
1365
1366 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
1367 errp);
1368 if (!cipher_alg) {
1369 goto error;
1370 }
1371
1372 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
1373 ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg);
1374 if (luks_opts.has_ivgen_hash_alg) {
1375 ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg);
1376 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
1377 ivgen_hash_alg);
1378 } else {
1379 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
1380 }
1381 hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg);
1382
1383
1384 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
1385 error_setg(errp, "Cipher name '%s' is too long for LUKS header",
1386 cipher_alg);
1387 goto error;
1388 }
1389 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
1390 error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
1391 cipher_mode_spec);
1392 goto error;
1393 }
1394 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
1395 error_setg(errp, "Hash name '%s' is too long for LUKS header",
1396 hash_alg);
1397 goto error;
1398 }
1399
1400 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1401 luks->ivgen_cipher_alg =
1402 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
1403 luks_opts.ivgen_hash_alg,
1404 &local_err);
1405 if (local_err) {
1406 error_propagate(errp, local_err);
1407 goto error;
1408 }
1409 } else {
1410 luks->ivgen_cipher_alg = luks_opts.cipher_alg;
1411 }
1412
1413 strcpy(luks->header.cipher_name, cipher_alg);
1414 strcpy(luks->header.cipher_mode, cipher_mode_spec);
1415 strcpy(luks->header.hash_spec, hash_alg);
1416
1417 luks->header.master_key_len =
1418 qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
1419
1420 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
1421 luks->header.master_key_len *= 2;
1422 }
1423
1424 /* Generate the salt used for hashing the master key
1425 * with PBKDF later
1426 */
1427 if (qcrypto_random_bytes(luks->header.master_key_salt,
1428 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1429 errp) < 0) {
1430 goto error;
1431 }
1432
1433 /* Generate random master key */
1434 masterkey = g_new0(uint8_t, luks->header.master_key_len);
1435 if (qcrypto_random_bytes(masterkey,
1436 luks->header.master_key_len, errp) < 0) {
1437 goto error;
1438 }
1439
1440
1441 /* Setup the block device payload encryption objects */
1442 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
1443 luks_opts.cipher_mode, masterkey,
1444 luks->header.master_key_len, 1, errp) < 0) {
1445 goto error;
1446 }
1447
1448 block->kdfhash = luks_opts.hash_alg;
1449 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
1450 luks_opts.cipher_mode);
1451 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
1452 luks->ivgen_cipher_alg,
1453 luks_opts.ivgen_hash_alg,
1454 masterkey, luks->header.master_key_len,
1455 errp);
1456
1457 if (!block->ivgen) {
1458 goto error;
1459 }
1460
1461
1462 /* Determine how many iterations we need to hash the master
1463 * key, in order to have 1 second of compute time used
1464 */
1465 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
1466 masterkey, luks->header.master_key_len,
1467 luks->header.master_key_salt,
1468 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1469 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1470 &local_err);
1471 if (local_err) {
1472 error_propagate(errp, local_err);
1473 goto error;
1474 }
1475
1476 if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
1477 error_setg_errno(errp, ERANGE,
1478 "PBKDF iterations %llu too large to scale",
1479 (unsigned long long)iters);
1480 goto error;
1481 }
1482
1483 /* iter_time was in millis, but count_iters reported for secs */
1484 iters = iters * luks_opts.iter_time / 1000;
1485
1486 /* Why /= 8 ? That matches cryptsetup, but there's no
1487 * explanation why they chose /= 8... Probably so that
1488 * if all 8 keyslots are active we only spend 1 second
1489 * in total time to check all keys */
1490 iters /= 8;
1491 if (iters > UINT32_MAX) {
1492 error_setg_errno(errp, ERANGE,
1493 "PBKDF iterations %llu larger than %u",
1494 (unsigned long long)iters, UINT32_MAX);
1495 goto error;
1496 }
1497 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
1498 luks->header.master_key_iterations = iters;
1499
1500 /* Hash the master key, saving the result in the LUKS
1501 * header. This hash is used when opening the encrypted
1502 * device to verify that the user password unlocked a
1503 * valid master key
1504 */
1505 if (qcrypto_pbkdf2(luks_opts.hash_alg,
1506 masterkey, luks->header.master_key_len,
1507 luks->header.master_key_salt,
1508 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1509 luks->header.master_key_iterations,
1510 luks->header.master_key_digest,
1511 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1512 errp) < 0) {
1513 goto error;
1514 }
1515
1516 /* start with the sector that follows the header*/
1517 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
1518 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1519
1520 split_key_sectors =
1521 qcrypto_block_luks_splitkeylen_sectors(luks,
1522 header_sectors,
1523 QCRYPTO_BLOCK_LUKS_STRIPES);
1524
1525 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1526 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
1527 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1528
1529 slot->key_offset_sector = header_sectors + i * split_key_sectors;
1530 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
1531 }
1532
1533 /* The total size of the LUKS headers is the partition header + key
1534 * slot headers, rounded up to the nearest sector, combined with
1535 * the size of each master key material region, also rounded up
1536 * to the nearest sector */
1537 luks->header.payload_offset_sector = header_sectors +
1538 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
1539
1540 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1541 block->payload_offset = luks->header.payload_offset_sector *
1542 block->sector_size;
1543
1544 /* Reserve header space to match payload offset */
1545 initfunc(block, block->payload_offset, opaque, &local_err);
1546 if (local_err) {
1547 error_propagate(errp, local_err);
1548 goto error;
1549 }
1550
1551
1552 /* populate the slot 0 with the password encrypted master key*/
1553 /* This will also store the header */
1554 if (qcrypto_block_luks_store_key(block,
1555 0,
1556 password,
1557 masterkey,
1558 luks_opts.iter_time,
1559 writefunc,
1560 opaque,
1561 errp) < 0) {
1562 goto error;
1563 }
1564
1565 memset(masterkey, 0, luks->header.master_key_len);
1566
1567 return 0;
1568
1569 error:
1570 if (masterkey) {
1571 memset(masterkey, 0, luks->header.master_key_len);
1572 }
1573
1574 qcrypto_block_free_cipher(block);
1575 qcrypto_ivgen_free(block->ivgen);
1576
1577 g_free(luks->secret);
1578 g_free(luks);
1579 return -1;
1580 }
1581
1582 static int
1583 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
1584 QCryptoBlockReadFunc readfunc,
1585 QCryptoBlockWriteFunc writefunc,
1586 void *opaque,
1587 QCryptoBlockAmendOptionsLUKS *opts_luks,
1588 bool force,
1589 Error **errp)
1590 {
1591 QCryptoBlockLUKS *luks = block->opaque;
1592 uint64_t iter_time = opts_luks->has_iter_time ?
1593 opts_luks->iter_time :
1594 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1595 int keyslot;
1596 g_autofree char *old_password = NULL;
1597 g_autofree char *new_password = NULL;
1598 g_autofree uint8_t *master_key = NULL;
1599
1600 char *secret = opts_luks->secret ?: luks->secret;
1601
1602 if (!opts_luks->new_secret) {
1603 error_setg(errp, "'new-secret' is required to activate a keyslot");
1604 return -1;
1605 }
1606 if (opts_luks->old_secret) {
1607 error_setg(errp,
1608 "'old-secret' must not be given when activating keyslots");
1609 return -1;
1610 }
1611
1612 if (opts_luks->has_keyslot) {
1613 keyslot = opts_luks->keyslot;
1614 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1615 error_setg(errp,
1616 "Invalid keyslot %u specified, must be between 0 and %u",
1617 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1618 return -1;
1619 }
1620 } else {
1621 keyslot = qcrypto_block_luks_find_free_keyslot(luks);
1622 if (keyslot == -1) {
1623 error_setg(errp,
1624 "Can't add a keyslot - all keyslots are in use");
1625 return -1;
1626 }
1627 }
1628
1629 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
1630 error_setg(errp,
1631 "Refusing to overwrite active keyslot %i - "
1632 "please erase it first",
1633 keyslot);
1634 return -1;
1635 }
1636
1637 /* Locate the password that will be used to retrieve the master key */
1638 old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
1639 if (!old_password) {
1640 return -1;
1641 }
1642
1643 /* Retrieve the master key */
1644 master_key = g_new0(uint8_t, luks->header.master_key_len);
1645
1646 if (qcrypto_block_luks_find_key(block, old_password, master_key,
1647 readfunc, opaque, errp) < 0) {
1648 error_append_hint(errp, "Failed to retrieve the master key");
1649 return -1;
1650 }
1651
1652 /* Locate the new password*/
1653 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
1654 if (!new_password) {
1655 return -1;
1656 }
1657
1658 /* Now set the new keyslots */
1659 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
1660 iter_time, writefunc, opaque, errp)) {
1661 error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
1662 return -1;
1663 }
1664 return 0;
1665 }
1666
1667 static int
1668 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
1669 QCryptoBlockReadFunc readfunc,
1670 QCryptoBlockWriteFunc writefunc,
1671 void *opaque,
1672 QCryptoBlockAmendOptionsLUKS *opts_luks,
1673 bool force,
1674 Error **errp)
1675 {
1676 QCryptoBlockLUKS *luks = block->opaque;
1677 g_autofree uint8_t *tmpkey = NULL;
1678 g_autofree char *old_password = NULL;
1679
1680 if (opts_luks->new_secret) {
1681 error_setg(errp,
1682 "'new-secret' must not be given when erasing keyslots");
1683 return -1;
1684 }
1685 if (opts_luks->has_iter_time) {
1686 error_setg(errp,
1687 "'iter-time' must not be given when erasing keyslots");
1688 return -1;
1689 }
1690 if (opts_luks->secret) {
1691 error_setg(errp,
1692 "'secret' must not be given when erasing keyslots");
1693 return -1;
1694 }
1695
1696 /* Load the old password if given */
1697 if (opts_luks->old_secret) {
1698 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
1699 errp);
1700 if (!old_password) {
1701 return -1;
1702 }
1703
1704 /*
1705 * Allocate a temporary key buffer that we will need when
1706 * checking if slot matches the given old password
1707 */
1708 tmpkey = g_new0(uint8_t, luks->header.master_key_len);
1709 }
1710
1711 /* Erase an explicitly given keyslot */
1712 if (opts_luks->has_keyslot) {
1713 int keyslot = opts_luks->keyslot;
1714
1715 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1716 error_setg(errp,
1717 "Invalid keyslot %i specified, must be between 0 and %i",
1718 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1719 return -1;
1720 }
1721
1722 if (opts_luks->old_secret) {
1723 int rv = qcrypto_block_luks_load_key(block,
1724 keyslot,
1725 old_password,
1726 tmpkey,
1727 readfunc,
1728 opaque,
1729 errp);
1730 if (rv == -1) {
1731 return -1;
1732 } else if (rv == 0) {
1733 error_setg(errp,
1734 "Given keyslot %i doesn't contain the given "
1735 "old password for erase operation",
1736 keyslot);
1737 return -1;
1738 }
1739 }
1740
1741 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
1742 error_setg(errp,
1743 "Given keyslot %i is already erased (inactive) ",
1744 keyslot);
1745 return -1;
1746 }
1747
1748 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
1749 error_setg(errp,
1750 "Attempt to erase the only active keyslot %i "
1751 "which will erase all the data in the image "
1752 "irreversibly - refusing operation",
1753 keyslot);
1754 return -1;
1755 }
1756
1757 if (qcrypto_block_luks_erase_key(block, keyslot,
1758 writefunc, opaque, errp)) {
1759 error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
1760 return -1;
1761 }
1762
1763 /* Erase all keyslots that match the given old password */
1764 } else if (opts_luks->old_secret) {
1765
1766 unsigned long slots_to_erase_bitmap = 0;
1767 size_t i;
1768 int slot_count;
1769
1770 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
1771 sizeof(slots_to_erase_bitmap) * 8);
1772
1773 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1774 int rv = qcrypto_block_luks_load_key(block,
1775 i,
1776 old_password,
1777 tmpkey,
1778 readfunc,
1779 opaque,
1780 errp);
1781 if (rv == -1) {
1782 return -1;
1783 } else if (rv == 1) {
1784 bitmap_set(&slots_to_erase_bitmap, i, 1);
1785 }
1786 }
1787
1788 slot_count = bitmap_count_one(&slots_to_erase_bitmap,
1789 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1790 if (slot_count == 0) {
1791 error_setg(errp,
1792 "No keyslots match given (old) password for erase operation");
1793 return -1;
1794 }
1795
1796 if (!force &&
1797 slot_count == qcrypto_block_luks_count_active_slots(luks)) {
1798 error_setg(errp,
1799 "All the active keyslots match the (old) password that "
1800 "was given and erasing them will erase all the data in "
1801 "the image irreversibly - refusing operation");
1802 return -1;
1803 }
1804
1805 /* Now apply the update */
1806 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1807 if (!test_bit(i, &slots_to_erase_bitmap)) {
1808 continue;
1809 }
1810 if (qcrypto_block_luks_erase_key(block, i, writefunc,
1811 opaque, errp)) {
1812 error_append_hint(errp, "Failed to erase keyslot %zu", i);
1813 return -1;
1814 }
1815 }
1816 } else {
1817 error_setg(errp,
1818 "To erase keyslot(s), either explicit keyslot index "
1819 "or the password currently contained in them must be given");
1820 return -1;
1821 }
1822 return 0;
1823 }
1824
1825 static int
1826 qcrypto_block_luks_amend_options(QCryptoBlock *block,
1827 QCryptoBlockReadFunc readfunc,
1828 QCryptoBlockWriteFunc writefunc,
1829 void *opaque,
1830 QCryptoBlockAmendOptions *options,
1831 bool force,
1832 Error **errp)
1833 {
1834 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
1835
1836 switch (opts_luks->state) {
1837 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE:
1838 return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
1839 writefunc, opaque,
1840 opts_luks, force, errp);
1841 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE:
1842 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
1843 writefunc, opaque,
1844 opts_luks, force, errp);
1845 default:
1846 g_assert_not_reached();
1847 }
1848 }
1849
1850 static int qcrypto_block_luks_get_info(QCryptoBlock *block,
1851 QCryptoBlockInfo *info,
1852 Error **errp)
1853 {
1854 QCryptoBlockLUKS *luks = block->opaque;
1855 QCryptoBlockInfoLUKSSlot *slot;
1856 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
1857 size_t i;
1858
1859 info->u.luks.cipher_alg = luks->cipher_alg;
1860 info->u.luks.cipher_mode = luks->cipher_mode;
1861 info->u.luks.ivgen_alg = luks->ivgen_alg;
1862 if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1863 info->u.luks.has_ivgen_hash_alg = true;
1864 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
1865 }
1866 info->u.luks.hash_alg = luks->hash_alg;
1867 info->u.luks.payload_offset = block->payload_offset;
1868 info->u.luks.master_key_iters = luks->header.master_key_iterations;
1869 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
1870 sizeof(luks->header.uuid));
1871
1872 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1873 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
1874 slot->active = luks->header.key_slots[i].active ==
1875 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1876 slot->key_offset = luks->header.key_slots[i].key_offset_sector
1877 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1878 if (slot->active) {
1879 slot->has_iters = true;
1880 slot->iters = luks->header.key_slots[i].iterations;
1881 slot->has_stripes = true;
1882 slot->stripes = luks->header.key_slots[i].stripes;
1883 }
1884
1885 QAPI_LIST_APPEND(tail, slot);
1886 }
1887
1888 return 0;
1889 }
1890
1891
1892 static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
1893 {
1894 QCryptoBlockLUKS *luks = block->opaque;
1895 if (luks) {
1896 g_free(luks->secret);
1897 g_free(luks);
1898 }
1899 }
1900
1901
1902 static int
1903 qcrypto_block_luks_decrypt(QCryptoBlock *block,
1904 uint64_t offset,
1905 uint8_t *buf,
1906 size_t len,
1907 Error **errp)
1908 {
1909 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1910 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1911 return qcrypto_block_decrypt_helper(block,
1912 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1913 offset, buf, len, errp);
1914 }
1915
1916
1917 static int
1918 qcrypto_block_luks_encrypt(QCryptoBlock *block,
1919 uint64_t offset,
1920 uint8_t *buf,
1921 size_t len,
1922 Error **errp)
1923 {
1924 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1925 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1926 return qcrypto_block_encrypt_helper(block,
1927 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1928 offset, buf, len, errp);
1929 }
1930
1931
1932 const QCryptoBlockDriver qcrypto_block_driver_luks = {
1933 .open = qcrypto_block_luks_open,
1934 .create = qcrypto_block_luks_create,
1935 .amend = qcrypto_block_luks_amend_options,
1936 .get_info = qcrypto_block_luks_get_info,
1937 .cleanup = qcrypto_block_luks_cleanup,
1938 .decrypt = qcrypto_block_luks_decrypt,
1939 .encrypt = qcrypto_block_luks_encrypt,
1940 .has_format = qcrypto_block_luks_has_format,
1941 };
QEmu