2 * QEMU Crypto block device encryption LUKS format
4 * Copyright (c) 2015-2016 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/bswap.h"
25 #include "block-luks.h"
26 #include "block-luks-priv.h"
28 #include "crypto/hash.h"
29 #include "crypto/afsplit.h"
30 #include "crypto/pbkdf.h"
31 #include "crypto/secret.h"
32 #include "crypto/random.h"
33 #include "qemu/uuid.h"
35 #include "qemu/bitmap.h"
38 * Reference for the LUKS format implemented here is
40 * docs/on-disk-format.pdf
42 * in 'cryptsetup' package source code
44 * This file implements the 1.2.1 specification, dated
48 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS
;
50 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap
;
51 struct QCryptoBlockLUKSNameMap
{
56 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap
;
57 struct QCryptoBlockLUKSCipherSizeMap
{
61 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap
;
62 struct QCryptoBlockLUKSCipherNameMap
{
64 const QCryptoBlockLUKSCipherSizeMap
*sizes
;
68 static const QCryptoBlockLUKSCipherSizeMap
69 qcrypto_block_luks_cipher_size_map_aes
[] = {
70 { 16, QCRYPTO_CIPHER_ALG_AES_128
},
71 { 24, QCRYPTO_CIPHER_ALG_AES_192
},
72 { 32, QCRYPTO_CIPHER_ALG_AES_256
},
76 static const QCryptoBlockLUKSCipherSizeMap
77 qcrypto_block_luks_cipher_size_map_cast5
[] = {
78 { 16, QCRYPTO_CIPHER_ALG_CAST5_128
},
82 static const QCryptoBlockLUKSCipherSizeMap
83 qcrypto_block_luks_cipher_size_map_serpent
[] = {
84 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128
},
85 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192
},
86 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256
},
90 static const QCryptoBlockLUKSCipherSizeMap
91 qcrypto_block_luks_cipher_size_map_twofish
[] = {
92 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128
},
93 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192
},
94 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256
},
98 #ifdef CONFIG_CRYPTO_SM4
99 static const QCryptoBlockLUKSCipherSizeMap
100 qcrypto_block_luks_cipher_size_map_sm4
[] = {
101 { 16, QCRYPTO_CIPHER_ALG_SM4
},
106 static const QCryptoBlockLUKSCipherNameMap
107 qcrypto_block_luks_cipher_name_map
[] = {
108 { "aes", qcrypto_block_luks_cipher_size_map_aes
},
109 { "cast5", qcrypto_block_luks_cipher_size_map_cast5
},
110 { "serpent", qcrypto_block_luks_cipher_size_map_serpent
},
111 { "twofish", qcrypto_block_luks_cipher_size_map_twofish
},
112 #ifdef CONFIG_CRYPTO_SM4
113 { "sm4", qcrypto_block_luks_cipher_size_map_sm4
},
117 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot
) != 48);
118 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader
) != 592);
121 struct QCryptoBlockLUKS
{
122 QCryptoBlockLUKSHeader header
;
124 /* Main encryption algorithm used for encryption*/
125 QCryptoCipherAlgorithm cipher_alg
;
127 /* Mode of encryption for the selected encryption algorithm */
128 QCryptoCipherMode cipher_mode
;
130 /* Initialization vector generation algorithm */
131 QCryptoIVGenAlgorithm ivgen_alg
;
133 /* Hash algorithm used for IV generation*/
134 QCryptoHashAlgorithm ivgen_hash_alg
;
137 * Encryption algorithm used for IV generation.
138 * Usually the same as main encryption algorithm
140 QCryptoCipherAlgorithm ivgen_cipher_alg
;
142 /* Hash algorithm used in pbkdf2 function */
143 QCryptoHashAlgorithm hash_alg
;
145 /* Name of the secret that was used to open the image */
150 static int qcrypto_block_luks_cipher_name_lookup(const char *name
,
151 QCryptoCipherMode mode
,
155 const QCryptoBlockLUKSCipherNameMap
*map
=
156 qcrypto_block_luks_cipher_name_map
;
157 size_t maplen
= G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map
);
160 if (mode
== QCRYPTO_CIPHER_MODE_XTS
) {
164 for (i
= 0; i
< maplen
; i
++) {
165 if (!g_str_equal(map
[i
].name
, name
)) {
168 for (j
= 0; j
< map
[i
].sizes
[j
].key_bytes
; j
++) {
169 if (map
[i
].sizes
[j
].key_bytes
== key_bytes
) {
170 return map
[i
].sizes
[j
].id
;
175 error_setg(errp
, "Algorithm '%s' with key size %d bytes not supported",
181 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg
,
184 const QCryptoBlockLUKSCipherNameMap
*map
=
185 qcrypto_block_luks_cipher_name_map
;
186 size_t maplen
= G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map
);
188 for (i
= 0; i
< maplen
; i
++) {
189 for (j
= 0; j
< map
[i
].sizes
[j
].key_bytes
; j
++) {
190 if (map
[i
].sizes
[j
].id
== alg
) {
196 error_setg(errp
, "Algorithm '%s' not supported",
197 QCryptoCipherAlgorithm_str(alg
));
201 /* XXX replace with qapi_enum_parse() in future, when we can
202 * make that function emit a more friendly error message */
203 static int qcrypto_block_luks_name_lookup(const char *name
,
204 const QEnumLookup
*map
,
208 int ret
= qapi_enum_parse(map
, name
, -1, NULL
);
211 error_setg(errp
, "%s '%s' not supported", type
, name
);
217 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \
218 qcrypto_block_luks_name_lookup(name, \
219 &QCryptoCipherMode_lookup, \
223 #define qcrypto_block_luks_hash_name_lookup(name, errp) \
224 qcrypto_block_luks_name_lookup(name, \
225 &QCryptoHashAlgorithm_lookup, \
229 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \
230 qcrypto_block_luks_name_lookup(name, \
231 &QCryptoIVGenAlgorithm_lookup, \
237 qcrypto_block_luks_has_format(const uint8_t *buf
,
240 const QCryptoBlockLUKSHeader
*luks_header
= (const void *)buf
;
242 if (buf_size
>= offsetof(QCryptoBlockLUKSHeader
, cipher_name
) &&
243 memcmp(luks_header
->magic
, qcrypto_block_luks_magic
,
244 QCRYPTO_BLOCK_LUKS_MAGIC_LEN
) == 0 &&
245 be16_to_cpu(luks_header
->version
) == QCRYPTO_BLOCK_LUKS_VERSION
) {
254 * Deal with a quirk of dm-crypt usage of ESSIV.
256 * When calculating ESSIV IVs, the cipher length used by ESSIV
257 * may be different from the cipher length used for the block
258 * encryption, because dm-crypt uses the hash digest length
259 * as the key size. ie, if you have AES 128 as the block cipher
260 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
261 * the cipher since that gets a key length matching the digest
262 * size, not AES 128 with truncated digest as might be imagined
264 static QCryptoCipherAlgorithm
265 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher
,
266 QCryptoHashAlgorithm hash
,
269 size_t digestlen
= qcrypto_hash_digest_len(hash
);
270 size_t keylen
= qcrypto_cipher_get_key_len(cipher
);
271 if (digestlen
== keylen
) {
276 case QCRYPTO_CIPHER_ALG_AES_128
:
277 case QCRYPTO_CIPHER_ALG_AES_192
:
278 case QCRYPTO_CIPHER_ALG_AES_256
:
279 if (digestlen
== qcrypto_cipher_get_key_len(
280 QCRYPTO_CIPHER_ALG_AES_128
)) {
281 return QCRYPTO_CIPHER_ALG_AES_128
;
282 } else if (digestlen
== qcrypto_cipher_get_key_len(
283 QCRYPTO_CIPHER_ALG_AES_192
)) {
284 return QCRYPTO_CIPHER_ALG_AES_192
;
285 } else if (digestlen
== qcrypto_cipher_get_key_len(
286 QCRYPTO_CIPHER_ALG_AES_256
)) {
287 return QCRYPTO_CIPHER_ALG_AES_256
;
289 error_setg(errp
, "No AES cipher with key size %zu available",
294 case QCRYPTO_CIPHER_ALG_SERPENT_128
:
295 case QCRYPTO_CIPHER_ALG_SERPENT_192
:
296 case QCRYPTO_CIPHER_ALG_SERPENT_256
:
297 if (digestlen
== qcrypto_cipher_get_key_len(
298 QCRYPTO_CIPHER_ALG_SERPENT_128
)) {
299 return QCRYPTO_CIPHER_ALG_SERPENT_128
;
300 } else if (digestlen
== qcrypto_cipher_get_key_len(
301 QCRYPTO_CIPHER_ALG_SERPENT_192
)) {
302 return QCRYPTO_CIPHER_ALG_SERPENT_192
;
303 } else if (digestlen
== qcrypto_cipher_get_key_len(
304 QCRYPTO_CIPHER_ALG_SERPENT_256
)) {
305 return QCRYPTO_CIPHER_ALG_SERPENT_256
;
307 error_setg(errp
, "No Serpent cipher with key size %zu available",
312 case QCRYPTO_CIPHER_ALG_TWOFISH_128
:
313 case QCRYPTO_CIPHER_ALG_TWOFISH_192
:
314 case QCRYPTO_CIPHER_ALG_TWOFISH_256
:
315 if (digestlen
== qcrypto_cipher_get_key_len(
316 QCRYPTO_CIPHER_ALG_TWOFISH_128
)) {
317 return QCRYPTO_CIPHER_ALG_TWOFISH_128
;
318 } else if (digestlen
== qcrypto_cipher_get_key_len(
319 QCRYPTO_CIPHER_ALG_TWOFISH_192
)) {
320 return QCRYPTO_CIPHER_ALG_TWOFISH_192
;
321 } else if (digestlen
== qcrypto_cipher_get_key_len(
322 QCRYPTO_CIPHER_ALG_TWOFISH_256
)) {
323 return QCRYPTO_CIPHER_ALG_TWOFISH_256
;
325 error_setg(errp
, "No Twofish cipher with key size %zu available",
331 error_setg(errp
, "Cipher %s not supported with essiv",
332 QCryptoCipherAlgorithm_str(cipher
));
338 * Returns number of sectors needed to store the key material
339 * given number of anti forensic stripes
342 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS
*luks
,
343 unsigned int header_sectors
,
344 unsigned int stripes
)
347 * This calculation doesn't match that shown in the spec,
348 * but instead follows the cryptsetup implementation.
351 size_t splitkeylen
= luks
->header
.master_key_len
* stripes
;
353 /* First align the key material size to block size*/
354 size_t splitkeylen_sectors
=
355 DIV_ROUND_UP(splitkeylen
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
);
357 /* Then also align the key material size to the size of the header */
358 return ROUND_UP(splitkeylen_sectors
, header_sectors
);
363 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader
*hdr
)
368 * Everything on disk uses Big Endian (tm), so flip header fields
369 * before writing them
371 cpu_to_be16s(&hdr
->version
);
372 cpu_to_be32s(&hdr
->payload_offset_sector
);
373 cpu_to_be32s(&hdr
->master_key_len
);
374 cpu_to_be32s(&hdr
->master_key_iterations
);
376 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
377 cpu_to_be32s(&hdr
->key_slots
[i
].active
);
378 cpu_to_be32s(&hdr
->key_slots
[i
].iterations
);
379 cpu_to_be32s(&hdr
->key_slots
[i
].key_offset_sector
);
380 cpu_to_be32s(&hdr
->key_slots
[i
].stripes
);
385 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader
*hdr
)
390 * The header is always stored in big-endian format, so
391 * convert everything to native
393 be16_to_cpus(&hdr
->version
);
394 be32_to_cpus(&hdr
->payload_offset_sector
);
395 be32_to_cpus(&hdr
->master_key_len
);
396 be32_to_cpus(&hdr
->master_key_iterations
);
398 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
399 be32_to_cpus(&hdr
->key_slots
[i
].active
);
400 be32_to_cpus(&hdr
->key_slots
[i
].iterations
);
401 be32_to_cpus(&hdr
->key_slots
[i
].key_offset_sector
);
402 be32_to_cpus(&hdr
->key_slots
[i
].stripes
);
407 * Stores the main LUKS header, taking care of endianness
410 qcrypto_block_luks_store_header(QCryptoBlock
*block
,
411 QCryptoBlockWriteFunc writefunc
,
415 const QCryptoBlockLUKS
*luks
= block
->opaque
;
416 Error
*local_err
= NULL
;
417 g_autofree QCryptoBlockLUKSHeader
*hdr_copy
= NULL
;
419 /* Create a copy of the header */
420 hdr_copy
= g_new0(QCryptoBlockLUKSHeader
, 1);
421 memcpy(hdr_copy
, &luks
->header
, sizeof(QCryptoBlockLUKSHeader
));
423 qcrypto_block_luks_to_disk_endian(hdr_copy
);
425 /* Write out the partition header and key slot headers */
426 writefunc(block
, 0, (const uint8_t *)hdr_copy
, sizeof(*hdr_copy
),
430 error_propagate(errp
, local_err
);
437 * Loads the main LUKS header, and byteswaps it to native endianness
438 * And run basic sanity checks on it
441 qcrypto_block_luks_load_header(QCryptoBlock
*block
,
442 QCryptoBlockReadFunc readfunc
,
447 QCryptoBlockLUKS
*luks
= block
->opaque
;
450 * Read the entire LUKS header, minus the key material from
451 * the underlying device
453 rv
= readfunc(block
, 0,
454 (uint8_t *)&luks
->header
,
455 sizeof(luks
->header
),
462 qcrypto_block_luks_from_disk_endian(&luks
->header
);
468 * Does basic sanity checks on the LUKS header
471 qcrypto_block_luks_check_header(const QCryptoBlockLUKS
*luks
,
477 unsigned int header_sectors
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET
/
478 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
479 bool detached
= flags
& QCRYPTO_BLOCK_OPEN_DETACHED
;
481 if (memcmp(luks
->header
.magic
, qcrypto_block_luks_magic
,
482 QCRYPTO_BLOCK_LUKS_MAGIC_LEN
) != 0) {
483 error_setg(errp
, "Volume is not in LUKS format");
487 if (luks
->header
.version
!= QCRYPTO_BLOCK_LUKS_VERSION
) {
488 error_setg(errp
, "LUKS version %" PRIu32
" is not supported",
489 luks
->header
.version
);
493 if (!memchr(luks
->header
.cipher_name
, '\0',
494 sizeof(luks
->header
.cipher_name
))) {
495 error_setg(errp
, "LUKS header cipher name is not NUL terminated");
499 if (!memchr(luks
->header
.cipher_mode
, '\0',
500 sizeof(luks
->header
.cipher_mode
))) {
501 error_setg(errp
, "LUKS header cipher mode is not NUL terminated");
505 if (!memchr(luks
->header
.hash_spec
, '\0',
506 sizeof(luks
->header
.hash_spec
))) {
507 error_setg(errp
, "LUKS header hash spec is not NUL terminated");
511 if (!detached
&& luks
->header
.payload_offset_sector
<
512 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET
,
513 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
)) {
514 error_setg(errp
, "LUKS payload is overlapping with the header");
518 if (luks
->header
.master_key_iterations
== 0) {
519 error_setg(errp
, "LUKS key iteration count is zero");
523 /* Check all keyslots for corruption */
524 for (i
= 0 ; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
526 const QCryptoBlockLUKSKeySlot
*slot1
= &luks
->header
.key_slots
[i
];
527 unsigned int start1
= slot1
->key_offset_sector
;
529 qcrypto_block_luks_splitkeylen_sectors(luks
,
533 if (slot1
->stripes
!= QCRYPTO_BLOCK_LUKS_STRIPES
) {
534 error_setg(errp
, "Keyslot %zu is corrupted (stripes %d != %d)",
535 i
, slot1
->stripes
, QCRYPTO_BLOCK_LUKS_STRIPES
);
539 if (slot1
->active
!= QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED
&&
540 slot1
->active
!= QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
) {
542 "Keyslot %zu state (active/disable) is corrupted", i
);
546 if (slot1
->active
== QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
&&
547 slot1
->iterations
== 0) {
548 error_setg(errp
, "Keyslot %zu iteration count is zero", i
);
552 if (start1
< DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET
,
553 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
)) {
555 "Keyslot %zu is overlapping with the LUKS header",
560 if (!detached
&& start1
+ len1
> luks
->header
.payload_offset_sector
) {
562 "Keyslot %zu is overlapping with the encrypted payload",
567 for (j
= i
+ 1 ; j
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; j
++) {
568 const QCryptoBlockLUKSKeySlot
*slot2
= &luks
->header
.key_slots
[j
];
569 unsigned int start2
= slot2
->key_offset_sector
;
571 qcrypto_block_luks_splitkeylen_sectors(luks
,
575 if (start1
+ len1
> start2
&& start2
+ len2
> start1
) {
577 "Keyslots %zu and %zu are overlapping in the header",
588 * Parses the crypto parameters that are stored in the LUKS header
592 qcrypto_block_luks_parse_header(QCryptoBlockLUKS
*luks
, Error
**errp
)
594 g_autofree
char *cipher_mode
= g_strdup(luks
->header
.cipher_mode
);
595 char *ivgen_name
, *ivhash_name
;
596 Error
*local_err
= NULL
;
599 * The cipher_mode header contains a string that we have
600 * to further parse, of the format
602 * <cipher-mode>-<iv-generator>[:<iv-hash>]
604 * eg cbc-essiv:sha256, cbc-plain64
606 ivgen_name
= strchr(cipher_mode
, '-');
608 error_setg(errp
, "Unexpected cipher mode string format '%s'",
609 luks
->header
.cipher_mode
);
615 ivhash_name
= strchr(ivgen_name
, ':');
617 luks
->ivgen_hash_alg
= 0;
622 luks
->ivgen_hash_alg
= qcrypto_block_luks_hash_name_lookup(ivhash_name
,
625 error_propagate(errp
, local_err
);
630 luks
->cipher_mode
= qcrypto_block_luks_cipher_mode_lookup(cipher_mode
,
633 error_propagate(errp
, local_err
);
638 qcrypto_block_luks_cipher_name_lookup(luks
->header
.cipher_name
,
640 luks
->header
.master_key_len
,
643 error_propagate(errp
, local_err
);
648 qcrypto_block_luks_hash_name_lookup(luks
->header
.hash_spec
,
651 error_propagate(errp
, local_err
);
655 luks
->ivgen_alg
= qcrypto_block_luks_ivgen_name_lookup(ivgen_name
,
658 error_propagate(errp
, local_err
);
662 if (luks
->ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
664 error_setg(errp
, "Missing IV generator hash specification");
667 luks
->ivgen_cipher_alg
=
668 qcrypto_block_luks_essiv_cipher(luks
->cipher_alg
,
669 luks
->ivgen_hash_alg
,
672 error_propagate(errp
, local_err
);
678 * Note we parsed the ivhash_name earlier in the cipher_mode
679 * spec string even with plain/plain64 ivgens, but we
680 * will ignore it, since it is irrelevant for these ivgens.
681 * This is for compat with dm-crypt which will silently
682 * ignore hash names with these ivgens rather than report
683 * an error about the invalid usage
685 luks
->ivgen_cipher_alg
= luks
->cipher_alg
;
691 * Given a key slot, user password, and the master key,
692 * will store the encrypted master key there, and update the
693 * in-memory header. User must then write the in-memory header
696 * 0 if the keyslot was written successfully
697 * with the provided password
698 * -1 if a fatal error occurred while storing the key
701 qcrypto_block_luks_store_key(QCryptoBlock
*block
,
702 unsigned int slot_idx
,
703 const char *password
,
706 QCryptoBlockWriteFunc writefunc
,
710 QCryptoBlockLUKS
*luks
= block
->opaque
;
711 QCryptoBlockLUKSKeySlot
*slot
;
712 g_autofree
uint8_t *splitkey
= NULL
;
714 g_autofree
uint8_t *slotkey
= NULL
;
715 g_autoptr(QCryptoCipher
) cipher
= NULL
;
716 g_autoptr(QCryptoIVGen
) ivgen
= NULL
;
717 Error
*local_err
= NULL
;
721 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
722 slot
= &luks
->header
.key_slots
[slot_idx
];
723 splitkeylen
= luks
->header
.master_key_len
* slot
->stripes
;
725 if (qcrypto_random_bytes(slot
->salt
,
726 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
732 * Determine how many iterations are required to
733 * hash the user password while consuming 1 second of compute
736 iters
= qcrypto_pbkdf2_count_iters(luks
->hash_alg
,
737 (uint8_t *)password
, strlen(password
),
739 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
740 luks
->header
.master_key_len
,
743 error_propagate(errp
, local_err
);
747 if (iters
> (ULLONG_MAX
/ iter_time
)) {
748 error_setg_errno(errp
, ERANGE
,
749 "PBKDF iterations %llu too large to scale",
750 (unsigned long long)iters
);
754 /* iter_time was in millis, but count_iters reported for secs */
755 iters
= iters
* iter_time
/ 1000;
757 if (iters
> UINT32_MAX
) {
758 error_setg_errno(errp
, ERANGE
,
759 "PBKDF iterations %llu larger than %u",
760 (unsigned long long)iters
, UINT32_MAX
);
765 MAX(iters
, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS
);
769 * Generate a key that we'll use to encrypt the master
770 * key, from the user's password
772 slotkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
773 if (qcrypto_pbkdf2(luks
->hash_alg
,
774 (uint8_t *)password
, strlen(password
),
776 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
778 slotkey
, luks
->header
.master_key_len
,
785 * Setup the encryption objects needed to encrypt the
786 * master key material
788 cipher
= qcrypto_cipher_new(luks
->cipher_alg
,
790 slotkey
, luks
->header
.master_key_len
,
796 ivgen
= qcrypto_ivgen_new(luks
->ivgen_alg
,
797 luks
->ivgen_cipher_alg
,
798 luks
->ivgen_hash_alg
,
799 slotkey
, luks
->header
.master_key_len
,
806 * Before storing the master key, we need to vastly
807 * increase its size, as protection against forensic
810 splitkey
= g_new0(uint8_t, splitkeylen
);
812 if (qcrypto_afsplit_encode(luks
->hash_alg
,
813 luks
->header
.master_key_len
,
822 * Now we encrypt the split master key with the key generated
823 * from the user's password, before storing it
825 if (qcrypto_block_cipher_encrypt_helper(cipher
, block
->niv
, ivgen
,
826 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
834 /* Write out the slot's master key material. */
836 slot
->key_offset_sector
*
837 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
838 splitkey
, splitkeylen
,
844 slot
->active
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
;
846 if (qcrypto_block_luks_store_header(block
, writefunc
, opaque
, errp
) < 0) {
854 memset(slotkey
, 0, luks
->header
.master_key_len
);
857 memset(splitkey
, 0, splitkeylen
);
863 * Given a key slot, and user password, this will attempt to unlock
864 * the master encryption key from the key slot.
867 * 0 if the key slot is disabled, or key could not be decrypted
868 * with the provided password
869 * 1 if the key slot is enabled, and key decrypted successfully
870 * with the provided password
871 * -1 if a fatal error occurred loading the key
874 qcrypto_block_luks_load_key(QCryptoBlock
*block
,
876 const char *password
,
878 QCryptoBlockReadFunc readfunc
,
882 QCryptoBlockLUKS
*luks
= block
->opaque
;
883 const QCryptoBlockLUKSKeySlot
*slot
;
884 g_autofree
uint8_t *splitkey
= NULL
;
886 g_autofree
uint8_t *possiblekey
= NULL
;
888 g_autoptr(QCryptoCipher
) cipher
= NULL
;
889 uint8_t keydigest
[QCRYPTO_BLOCK_LUKS_DIGEST_LEN
];
890 g_autoptr(QCryptoIVGen
) ivgen
= NULL
;
893 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
894 slot
= &luks
->header
.key_slots
[slot_idx
];
895 if (slot
->active
!= QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
) {
899 splitkeylen
= luks
->header
.master_key_len
* slot
->stripes
;
900 splitkey
= g_new0(uint8_t, splitkeylen
);
901 possiblekey
= g_new0(uint8_t, luks
->header
.master_key_len
);
904 * The user password is used to generate a (possible)
905 * decryption key. This may or may not successfully
906 * decrypt the master key - we just blindly assume
907 * the key is correct and validate the results of
910 if (qcrypto_pbkdf2(luks
->hash_alg
,
911 (const uint8_t *)password
, strlen(password
),
912 slot
->salt
, QCRYPTO_BLOCK_LUKS_SALT_LEN
,
914 possiblekey
, luks
->header
.master_key_len
,
920 * We need to read the master key material from the
921 * LUKS key material header. What we're reading is
922 * not the raw master key, but rather the data after
923 * it has been passed through AFSplit and the result
927 slot
->key_offset_sector
* QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
928 splitkey
, splitkeylen
,
936 /* Setup the cipher/ivgen that we'll use to try to decrypt
937 * the split master key material */
938 cipher
= qcrypto_cipher_new(luks
->cipher_alg
,
941 luks
->header
.master_key_len
,
947 niv
= qcrypto_cipher_get_iv_len(luks
->cipher_alg
,
950 ivgen
= qcrypto_ivgen_new(luks
->ivgen_alg
,
951 luks
->ivgen_cipher_alg
,
952 luks
->ivgen_hash_alg
,
954 luks
->header
.master_key_len
,
962 * The master key needs to be decrypted in the same
963 * way that the block device payload will be decrypted
964 * later. In particular we'll be using the IV generator
965 * to reset the encryption cipher every time the master
966 * key crosses a sector boundary.
968 if (qcrypto_block_cipher_decrypt_helper(cipher
,
971 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
980 * Now we've decrypted the split master key, join
981 * it back together to get the actual master key.
983 if (qcrypto_afsplit_decode(luks
->hash_alg
,
984 luks
->header
.master_key_len
,
994 * We still don't know that the masterkey we got is valid,
995 * because we just blindly assumed the user's password
996 * was correct. This is where we now verify it. We are
997 * creating a hash of the master key using PBKDF and
998 * then comparing that to the hash stored in the key slot
1001 if (qcrypto_pbkdf2(luks
->hash_alg
,
1003 luks
->header
.master_key_len
,
1004 luks
->header
.master_key_salt
,
1005 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1006 luks
->header
.master_key_iterations
,
1008 G_N_ELEMENTS(keydigest
),
1013 if (memcmp(keydigest
, luks
->header
.master_key_digest
,
1014 QCRYPTO_BLOCK_LUKS_DIGEST_LEN
) == 0) {
1015 /* Success, we got the right master key */
1019 /* Fail, user's password was not valid for this key slot,
1020 * tell caller to try another slot */
1026 * Given a user password, this will iterate over all key
1027 * slots and try to unlock each active key slot using the
1028 * password until it successfully obtains a master key.
1030 * Returns 0 if a key was loaded, -1 if no keys could be loaded
1033 qcrypto_block_luks_find_key(QCryptoBlock
*block
,
1034 const char *password
,
1036 QCryptoBlockReadFunc readfunc
,
1043 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1044 rv
= qcrypto_block_luks_load_key(block
,
1059 error_setg(errp
, "Invalid password, cannot unlock any keyslot");
1065 * Returns true if a slot i is marked as active
1066 * (contains encrypted copy of the master key)
1069 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS
*luks
,
1070 unsigned int slot_idx
)
1074 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
1075 val
= luks
->header
.key_slots
[slot_idx
].active
;
1076 return val
== QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
;
1080 * Returns the number of slots that are marked as active
1081 * (slots that contain encrypted copy of the master key)
1084 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS
*luks
)
1087 unsigned int ret
= 0;
1089 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1090 if (qcrypto_block_luks_slot_active(luks
, i
)) {
1098 * Finds first key slot which is not active
1099 * Returns the key slot index, or -1 if it doesn't exist
1102 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS
*luks
)
1106 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1107 if (!qcrypto_block_luks_slot_active(luks
, i
)) {
1115 * Erases an keyslot given its index
1117 * 0 if the keyslot was erased successfully
1118 * -1 if a error occurred while erasing the keyslot
1122 qcrypto_block_luks_erase_key(QCryptoBlock
*block
,
1123 unsigned int slot_idx
,
1124 QCryptoBlockWriteFunc writefunc
,
1128 QCryptoBlockLUKS
*luks
= block
->opaque
;
1129 QCryptoBlockLUKSKeySlot
*slot
;
1130 g_autofree
uint8_t *garbagesplitkey
= NULL
;
1133 Error
*local_err
= NULL
;
1136 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
1137 slot
= &luks
->header
.key_slots
[slot_idx
];
1139 splitkeylen
= luks
->header
.master_key_len
* slot
->stripes
;
1140 assert(splitkeylen
> 0);
1142 garbagesplitkey
= g_new0(uint8_t, splitkeylen
);
1144 /* Reset the key slot header */
1145 memset(slot
->salt
, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN
);
1146 slot
->iterations
= 0;
1147 slot
->active
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED
;
1149 ret
= qcrypto_block_luks_store_header(block
, writefunc
,
1150 opaque
, &local_err
);
1153 error_propagate(errp
, local_err
);
1156 * Now try to erase the key material, even if the header
1159 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS
; i
++) {
1160 if (qcrypto_random_bytes(garbagesplitkey
,
1161 splitkeylen
, &local_err
) < 0) {
1163 * If we failed to get the random data, still write
1164 * at least zeros to the key slot at least once
1166 error_propagate(errp
, local_err
);
1172 if (writefunc(block
,
1173 slot
->key_offset_sector
* QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
1178 error_propagate(errp
, local_err
);
1186 qcrypto_block_luks_open(QCryptoBlock
*block
,
1187 QCryptoBlockOpenOptions
*options
,
1188 const char *optprefix
,
1189 QCryptoBlockReadFunc readfunc
,
1194 QCryptoBlockLUKS
*luks
= NULL
;
1195 g_autofree
uint8_t *masterkey
= NULL
;
1196 g_autofree
char *password
= NULL
;
1198 if (!(flags
& QCRYPTO_BLOCK_OPEN_NO_IO
)) {
1199 if (!options
->u
.luks
.key_secret
) {
1200 error_setg(errp
, "Parameter '%skey-secret' is required for cipher",
1201 optprefix
? optprefix
: "");
1204 password
= qcrypto_secret_lookup_as_utf8(
1205 options
->u
.luks
.key_secret
, errp
);
1211 luks
= g_new0(QCryptoBlockLUKS
, 1);
1212 block
->opaque
= luks
;
1213 luks
->secret
= g_strdup(options
->u
.luks
.key_secret
);
1215 if (qcrypto_block_luks_load_header(block
, readfunc
, opaque
, errp
) < 0) {
1219 if (qcrypto_block_luks_check_header(luks
, flags
, errp
) < 0) {
1223 if (qcrypto_block_luks_parse_header(luks
, errp
) < 0) {
1227 if (!(flags
& QCRYPTO_BLOCK_OPEN_NO_IO
)) {
1228 /* Try to find which key slot our password is valid for
1229 * and unlock the master key from that slot.
1232 masterkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
1234 if (qcrypto_block_luks_find_key(block
,
1242 /* We have a valid master key now, so can setup the
1243 * block device payload decryption objects
1245 block
->kdfhash
= luks
->hash_alg
;
1246 block
->niv
= qcrypto_cipher_get_iv_len(luks
->cipher_alg
,
1249 block
->ivgen
= qcrypto_ivgen_new(luks
->ivgen_alg
,
1250 luks
->ivgen_cipher_alg
,
1251 luks
->ivgen_hash_alg
,
1253 luks
->header
.master_key_len
,
1255 if (!block
->ivgen
) {
1259 if (qcrypto_block_init_cipher(block
,
1263 luks
->header
.master_key_len
,
1269 block
->sector_size
= QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1270 block
->payload_offset
= luks
->header
.payload_offset_sector
*
1272 block
->detached_header
= (block
->payload_offset
== 0) ? true : false;
1277 qcrypto_block_free_cipher(block
);
1278 qcrypto_ivgen_free(block
->ivgen
);
1279 g_free(luks
->secret
);
1286 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr
)
1289 qemu_uuid_generate(&uuid
);
1290 qemu_uuid_unparse(&uuid
, (char *)uuidstr
);
1294 qcrypto_block_luks_create(QCryptoBlock
*block
,
1295 QCryptoBlockCreateOptions
*options
,
1296 const char *optprefix
,
1297 QCryptoBlockInitFunc initfunc
,
1298 QCryptoBlockWriteFunc writefunc
,
1302 QCryptoBlockLUKS
*luks
;
1303 QCryptoBlockCreateOptionsLUKS luks_opts
;
1304 Error
*local_err
= NULL
;
1305 g_autofree
uint8_t *masterkey
= NULL
;
1306 size_t header_sectors
;
1307 size_t split_key_sectors
;
1309 g_autofree
char *password
= NULL
;
1310 const char *cipher_alg
;
1311 const char *cipher_mode
;
1312 const char *ivgen_alg
;
1313 const char *ivgen_hash_alg
= NULL
;
1314 const char *hash_alg
;
1315 g_autofree
char *cipher_mode_spec
= NULL
;
1317 uint64_t detached_header_size
;
1319 memcpy(&luks_opts
, &options
->u
.luks
, sizeof(luks_opts
));
1320 if (!luks_opts
.has_iter_time
) {
1321 luks_opts
.iter_time
= QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS
;
1323 if (!luks_opts
.has_cipher_alg
) {
1324 luks_opts
.cipher_alg
= QCRYPTO_CIPHER_ALG_AES_256
;
1326 if (!luks_opts
.has_cipher_mode
) {
1327 luks_opts
.cipher_mode
= QCRYPTO_CIPHER_MODE_XTS
;
1329 if (!luks_opts
.has_ivgen_alg
) {
1330 luks_opts
.ivgen_alg
= QCRYPTO_IVGEN_ALG_PLAIN64
;
1332 if (!luks_opts
.has_hash_alg
) {
1333 luks_opts
.hash_alg
= QCRYPTO_HASH_ALG_SHA256
;
1335 if (luks_opts
.ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
1336 if (!luks_opts
.has_ivgen_hash_alg
) {
1337 luks_opts
.ivgen_hash_alg
= QCRYPTO_HASH_ALG_SHA256
;
1338 luks_opts
.has_ivgen_hash_alg
= true;
1342 luks
= g_new0(QCryptoBlockLUKS
, 1);
1343 block
->opaque
= luks
;
1345 luks
->cipher_alg
= luks_opts
.cipher_alg
;
1346 luks
->cipher_mode
= luks_opts
.cipher_mode
;
1347 luks
->ivgen_alg
= luks_opts
.ivgen_alg
;
1348 luks
->ivgen_hash_alg
= luks_opts
.ivgen_hash_alg
;
1349 luks
->hash_alg
= luks_opts
.hash_alg
;
1352 /* Note we're allowing ivgen_hash_alg to be set even for
1353 * non-essiv iv generators that don't need a hash. It will
1354 * be silently ignored, for compatibility with dm-crypt */
1356 if (!options
->u
.luks
.key_secret
) {
1357 error_setg(errp
, "Parameter '%skey-secret' is required for cipher",
1358 optprefix
? optprefix
: "");
1361 luks
->secret
= g_strdup(options
->u
.luks
.key_secret
);
1363 password
= qcrypto_secret_lookup_as_utf8(luks_opts
.key_secret
, errp
);
1369 memcpy(luks
->header
.magic
, qcrypto_block_luks_magic
,
1370 QCRYPTO_BLOCK_LUKS_MAGIC_LEN
);
1372 /* We populate the header in native endianness initially and
1373 * then convert everything to big endian just before writing
1376 luks
->header
.version
= QCRYPTO_BLOCK_LUKS_VERSION
;
1377 qcrypto_block_luks_uuid_gen(luks
->header
.uuid
);
1379 cipher_alg
= qcrypto_block_luks_cipher_alg_lookup(luks_opts
.cipher_alg
,
1385 cipher_mode
= QCryptoCipherMode_str(luks_opts
.cipher_mode
);
1386 ivgen_alg
= QCryptoIVGenAlgorithm_str(luks_opts
.ivgen_alg
);
1387 if (luks_opts
.has_ivgen_hash_alg
) {
1388 ivgen_hash_alg
= QCryptoHashAlgorithm_str(luks_opts
.ivgen_hash_alg
);
1389 cipher_mode_spec
= g_strdup_printf("%s-%s:%s", cipher_mode
, ivgen_alg
,
1392 cipher_mode_spec
= g_strdup_printf("%s-%s", cipher_mode
, ivgen_alg
);
1394 hash_alg
= QCryptoHashAlgorithm_str(luks_opts
.hash_alg
);
1397 if (strlen(cipher_alg
) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN
) {
1398 error_setg(errp
, "Cipher name '%s' is too long for LUKS header",
1402 if (strlen(cipher_mode_spec
) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN
) {
1403 error_setg(errp
, "Cipher mode '%s' is too long for LUKS header",
1407 if (strlen(hash_alg
) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN
) {
1408 error_setg(errp
, "Hash name '%s' is too long for LUKS header",
1413 if (luks_opts
.ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
1414 luks
->ivgen_cipher_alg
=
1415 qcrypto_block_luks_essiv_cipher(luks_opts
.cipher_alg
,
1416 luks_opts
.ivgen_hash_alg
,
1419 error_propagate(errp
, local_err
);
1423 luks
->ivgen_cipher_alg
= luks_opts
.cipher_alg
;
1426 strcpy(luks
->header
.cipher_name
, cipher_alg
);
1427 strcpy(luks
->header
.cipher_mode
, cipher_mode_spec
);
1428 strcpy(luks
->header
.hash_spec
, hash_alg
);
1430 luks
->header
.master_key_len
=
1431 qcrypto_cipher_get_key_len(luks_opts
.cipher_alg
);
1433 if (luks_opts
.cipher_mode
== QCRYPTO_CIPHER_MODE_XTS
) {
1434 luks
->header
.master_key_len
*= 2;
1437 /* Generate the salt used for hashing the master key
1440 if (qcrypto_random_bytes(luks
->header
.master_key_salt
,
1441 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1446 /* Generate random master key */
1447 masterkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
1448 if (qcrypto_random_bytes(masterkey
,
1449 luks
->header
.master_key_len
, errp
) < 0) {
1454 /* Setup the block device payload encryption objects */
1455 if (qcrypto_block_init_cipher(block
, luks_opts
.cipher_alg
,
1456 luks_opts
.cipher_mode
, masterkey
,
1457 luks
->header
.master_key_len
, errp
) < 0) {
1461 block
->kdfhash
= luks_opts
.hash_alg
;
1462 block
->niv
= qcrypto_cipher_get_iv_len(luks_opts
.cipher_alg
,
1463 luks_opts
.cipher_mode
);
1464 block
->ivgen
= qcrypto_ivgen_new(luks_opts
.ivgen_alg
,
1465 luks
->ivgen_cipher_alg
,
1466 luks_opts
.ivgen_hash_alg
,
1467 masterkey
, luks
->header
.master_key_len
,
1470 if (!block
->ivgen
) {
1475 /* Determine how many iterations we need to hash the master
1476 * key, in order to have 1 second of compute time used
1478 iters
= qcrypto_pbkdf2_count_iters(luks_opts
.hash_alg
,
1479 masterkey
, luks
->header
.master_key_len
,
1480 luks
->header
.master_key_salt
,
1481 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1482 QCRYPTO_BLOCK_LUKS_DIGEST_LEN
,
1485 error_propagate(errp
, local_err
);
1489 if (iters
> (ULLONG_MAX
/ luks_opts
.iter_time
)) {
1490 error_setg_errno(errp
, ERANGE
,
1491 "PBKDF iterations %llu too large to scale",
1492 (unsigned long long)iters
);
1496 /* iter_time was in millis, but count_iters reported for secs */
1497 iters
= iters
* luks_opts
.iter_time
/ 1000;
1499 /* Why /= 8 ? That matches cryptsetup, but there's no
1500 * explanation why they chose /= 8... Probably so that
1501 * if all 8 keyslots are active we only spend 1 second
1502 * in total time to check all keys */
1504 if (iters
> UINT32_MAX
) {
1505 error_setg_errno(errp
, ERANGE
,
1506 "PBKDF iterations %llu larger than %u",
1507 (unsigned long long)iters
, UINT32_MAX
);
1510 iters
= MAX(iters
, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS
);
1511 luks
->header
.master_key_iterations
= iters
;
1513 /* Hash the master key, saving the result in the LUKS
1514 * header. This hash is used when opening the encrypted
1515 * device to verify that the user password unlocked a
1518 if (qcrypto_pbkdf2(luks_opts
.hash_alg
,
1519 masterkey
, luks
->header
.master_key_len
,
1520 luks
->header
.master_key_salt
,
1521 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1522 luks
->header
.master_key_iterations
,
1523 luks
->header
.master_key_digest
,
1524 QCRYPTO_BLOCK_LUKS_DIGEST_LEN
,
1529 /* start with the sector that follows the header*/
1530 header_sectors
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET
/
1531 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1534 qcrypto_block_luks_splitkeylen_sectors(luks
,
1536 QCRYPTO_BLOCK_LUKS_STRIPES
);
1538 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1539 QCryptoBlockLUKSKeySlot
*slot
= &luks
->header
.key_slots
[i
];
1540 slot
->active
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED
;
1542 slot
->key_offset_sector
= header_sectors
+ i
* split_key_sectors
;
1543 slot
->stripes
= QCRYPTO_BLOCK_LUKS_STRIPES
;
1546 if (block
->detached_header
) {
1548 * For a detached LUKS header image, set the payload_offset_sector
1549 * to 0 to specify the starting point for read/write
1551 luks
->header
.payload_offset_sector
= 0;
1554 * The total size of the LUKS headers is the partition header + key
1555 * slot headers, rounded up to the nearest sector, combined with
1556 * the size of each master key material region, also rounded up
1557 * to the nearest sector
1559 luks
->header
.payload_offset_sector
= header_sectors
+
1560 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
* split_key_sectors
;
1563 block
->sector_size
= QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1564 block
->payload_offset
= luks
->header
.payload_offset_sector
*
1566 detached_header_size
=
1567 (header_sectors
+ QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
*
1568 split_key_sectors
) * block
->sector_size
;
1570 /* Reserve header space to match payload offset */
1571 initfunc(block
, detached_header_size
, opaque
, &local_err
);
1573 error_propagate(errp
, local_err
);
1578 /* populate the slot 0 with the password encrypted master key*/
1579 /* This will also store the header */
1580 if (qcrypto_block_luks_store_key(block
,
1584 luks_opts
.iter_time
,
1591 memset(masterkey
, 0, luks
->header
.master_key_len
);
1597 memset(masterkey
, 0, luks
->header
.master_key_len
);
1600 qcrypto_block_free_cipher(block
);
1601 qcrypto_ivgen_free(block
->ivgen
);
1603 g_free(luks
->secret
);
1609 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock
*block
,
1610 QCryptoBlockReadFunc readfunc
,
1611 QCryptoBlockWriteFunc writefunc
,
1613 QCryptoBlockAmendOptionsLUKS
*opts_luks
,
1617 QCryptoBlockLUKS
*luks
= block
->opaque
;
1618 uint64_t iter_time
= opts_luks
->has_iter_time
?
1619 opts_luks
->iter_time
:
1620 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS
;
1622 g_autofree
char *old_password
= NULL
;
1623 g_autofree
char *new_password
= NULL
;
1624 g_autofree
uint8_t *master_key
= NULL
;
1626 char *secret
= opts_luks
->secret
?: luks
->secret
;
1628 if (!opts_luks
->new_secret
) {
1629 error_setg(errp
, "'new-secret' is required to activate a keyslot");
1632 if (opts_luks
->old_secret
) {
1634 "'old-secret' must not be given when activating keyslots");
1638 if (opts_luks
->has_keyslot
) {
1639 keyslot
= opts_luks
->keyslot
;
1640 if (keyslot
< 0 || keyslot
>= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
) {
1642 "Invalid keyslot %u specified, must be between 0 and %u",
1643 keyslot
, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
- 1);
1647 keyslot
= qcrypto_block_luks_find_free_keyslot(luks
);
1648 if (keyslot
== -1) {
1650 "Can't add a keyslot - all keyslots are in use");
1655 if (!force
&& qcrypto_block_luks_slot_active(luks
, keyslot
)) {
1657 "Refusing to overwrite active keyslot %i - "
1658 "please erase it first",
1663 /* Locate the password that will be used to retrieve the master key */
1664 old_password
= qcrypto_secret_lookup_as_utf8(secret
, errp
);
1665 if (!old_password
) {
1669 /* Retrieve the master key */
1670 master_key
= g_new0(uint8_t, luks
->header
.master_key_len
);
1672 if (qcrypto_block_luks_find_key(block
, old_password
, master_key
,
1673 readfunc
, opaque
, errp
) < 0) {
1674 error_append_hint(errp
, "Failed to retrieve the master key");
1678 /* Locate the new password*/
1679 new_password
= qcrypto_secret_lookup_as_utf8(opts_luks
->new_secret
, errp
);
1680 if (!new_password
) {
1684 /* Now set the new keyslots */
1685 if (qcrypto_block_luks_store_key(block
, keyslot
, new_password
, master_key
,
1686 iter_time
, writefunc
, opaque
, errp
)) {
1687 error_append_hint(errp
, "Failed to write to keyslot %i", keyslot
);
1694 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock
*block
,
1695 QCryptoBlockReadFunc readfunc
,
1696 QCryptoBlockWriteFunc writefunc
,
1698 QCryptoBlockAmendOptionsLUKS
*opts_luks
,
1702 QCryptoBlockLUKS
*luks
= block
->opaque
;
1703 g_autofree
uint8_t *tmpkey
= NULL
;
1704 g_autofree
char *old_password
= NULL
;
1706 if (opts_luks
->new_secret
) {
1708 "'new-secret' must not be given when erasing keyslots");
1711 if (opts_luks
->has_iter_time
) {
1713 "'iter-time' must not be given when erasing keyslots");
1716 if (opts_luks
->secret
) {
1718 "'secret' must not be given when erasing keyslots");
1722 /* Load the old password if given */
1723 if (opts_luks
->old_secret
) {
1724 old_password
= qcrypto_secret_lookup_as_utf8(opts_luks
->old_secret
,
1726 if (!old_password
) {
1731 * Allocate a temporary key buffer that we will need when
1732 * checking if slot matches the given old password
1734 tmpkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
1737 /* Erase an explicitly given keyslot */
1738 if (opts_luks
->has_keyslot
) {
1739 int keyslot
= opts_luks
->keyslot
;
1741 if (keyslot
< 0 || keyslot
>= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
) {
1743 "Invalid keyslot %i specified, must be between 0 and %i",
1744 keyslot
, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
- 1);
1748 if (opts_luks
->old_secret
) {
1749 int rv
= qcrypto_block_luks_load_key(block
,
1758 } else if (rv
== 0) {
1760 "Given keyslot %i doesn't contain the given "
1761 "old password for erase operation",
1767 if (!force
&& !qcrypto_block_luks_slot_active(luks
, keyslot
)) {
1769 "Given keyslot %i is already erased (inactive) ",
1774 if (!force
&& qcrypto_block_luks_count_active_slots(luks
) == 1) {
1776 "Attempt to erase the only active keyslot %i "
1777 "which will erase all the data in the image "
1778 "irreversibly - refusing operation",
1783 if (qcrypto_block_luks_erase_key(block
, keyslot
,
1784 writefunc
, opaque
, errp
)) {
1785 error_append_hint(errp
, "Failed to erase keyslot %i", keyslot
);
1789 /* Erase all keyslots that match the given old password */
1790 } else if (opts_luks
->old_secret
) {
1792 unsigned long slots_to_erase_bitmap
= 0;
1796 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
<=
1797 sizeof(slots_to_erase_bitmap
) * 8);
1799 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1800 int rv
= qcrypto_block_luks_load_key(block
,
1809 } else if (rv
== 1) {
1810 bitmap_set(&slots_to_erase_bitmap
, i
, 1);
1814 slot_count
= bitmap_count_one(&slots_to_erase_bitmap
,
1815 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
1816 if (slot_count
== 0) {
1818 "No keyslots match given (old) password for erase operation");
1823 slot_count
== qcrypto_block_luks_count_active_slots(luks
)) {
1825 "All the active keyslots match the (old) password that "
1826 "was given and erasing them will erase all the data in "
1827 "the image irreversibly - refusing operation");
1831 /* Now apply the update */
1832 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1833 if (!test_bit(i
, &slots_to_erase_bitmap
)) {
1836 if (qcrypto_block_luks_erase_key(block
, i
, writefunc
,
1838 error_append_hint(errp
, "Failed to erase keyslot %zu", i
);
1844 "To erase keyslot(s), either explicit keyslot index "
1845 "or the password currently contained in them must be given");
1852 qcrypto_block_luks_amend_options(QCryptoBlock
*block
,
1853 QCryptoBlockReadFunc readfunc
,
1854 QCryptoBlockWriteFunc writefunc
,
1856 QCryptoBlockAmendOptions
*options
,
1860 QCryptoBlockAmendOptionsLUKS
*opts_luks
= &options
->u
.luks
;
1862 switch (opts_luks
->state
) {
1863 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE
:
1864 return qcrypto_block_luks_amend_add_keyslot(block
, readfunc
,
1866 opts_luks
, force
, errp
);
1867 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE
:
1868 return qcrypto_block_luks_amend_erase_keyslots(block
, readfunc
,
1870 opts_luks
, force
, errp
);
1872 g_assert_not_reached();
1876 static int qcrypto_block_luks_get_info(QCryptoBlock
*block
,
1877 QCryptoBlockInfo
*info
,
1880 QCryptoBlockLUKS
*luks
= block
->opaque
;
1881 QCryptoBlockInfoLUKSSlot
*slot
;
1882 QCryptoBlockInfoLUKSSlotList
**tail
= &info
->u
.luks
.slots
;
1885 info
->u
.luks
.cipher_alg
= luks
->cipher_alg
;
1886 info
->u
.luks
.cipher_mode
= luks
->cipher_mode
;
1887 info
->u
.luks
.ivgen_alg
= luks
->ivgen_alg
;
1888 if (info
->u
.luks
.ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
1889 info
->u
.luks
.has_ivgen_hash_alg
= true;
1890 info
->u
.luks
.ivgen_hash_alg
= luks
->ivgen_hash_alg
;
1892 info
->u
.luks
.hash_alg
= luks
->hash_alg
;
1893 info
->u
.luks
.payload_offset
= block
->payload_offset
;
1894 info
->u
.luks
.master_key_iters
= luks
->header
.master_key_iterations
;
1895 info
->u
.luks
.uuid
= g_strndup((const char *)luks
->header
.uuid
,
1896 sizeof(luks
->header
.uuid
));
1897 info
->u
.luks
.detached_header
= block
->detached_header
;
1899 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1900 slot
= g_new0(QCryptoBlockInfoLUKSSlot
, 1);
1901 slot
->active
= luks
->header
.key_slots
[i
].active
==
1902 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
;
1903 slot
->key_offset
= luks
->header
.key_slots
[i
].key_offset_sector
1904 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1906 slot
->has_iters
= true;
1907 slot
->iters
= luks
->header
.key_slots
[i
].iterations
;
1908 slot
->has_stripes
= true;
1909 slot
->stripes
= luks
->header
.key_slots
[i
].stripes
;
1912 QAPI_LIST_APPEND(tail
, slot
);
1919 static void qcrypto_block_luks_cleanup(QCryptoBlock
*block
)
1921 QCryptoBlockLUKS
*luks
= block
->opaque
;
1923 g_free(luks
->secret
);
1930 qcrypto_block_luks_decrypt(QCryptoBlock
*block
,
1936 assert(QEMU_IS_ALIGNED(offset
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1937 assert(QEMU_IS_ALIGNED(len
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1938 return qcrypto_block_decrypt_helper(block
,
1939 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
1940 offset
, buf
, len
, errp
);
1945 qcrypto_block_luks_encrypt(QCryptoBlock
*block
,
1951 assert(QEMU_IS_ALIGNED(offset
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1952 assert(QEMU_IS_ALIGNED(len
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1953 return qcrypto_block_encrypt_helper(block
,
1954 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
1955 offset
, buf
, len
, errp
);
1959 const QCryptoBlockDriver qcrypto_block_driver_luks
= {
1960 .open
= qcrypto_block_luks_open
,
1961 .create
= qcrypto_block_luks_create
,
1962 .amend
= qcrypto_block_luks_amend_options
,
1963 .get_info
= qcrypto_block_luks_get_info
,
1964 .cleanup
= qcrypto_block_luks_cleanup
,
1965 .decrypt
= qcrypto_block_luks_decrypt
,
1966 .encrypt
= qcrypto_block_luks_encrypt
,
1967 .has_format
= qcrypto_block_luks_has_format
,