2 * QEMU Crypto block device encryption LUKS format
4 * Copyright (c) 2015-2016 Red Hat, Inc.
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/bswap.h"
25 #include "block-luks.h"
27 #include "crypto/hash.h"
28 #include "crypto/afsplit.h"
29 #include "crypto/pbkdf.h"
30 #include "crypto/secret.h"
31 #include "crypto/random.h"
32 #include "qemu/uuid.h"
34 #include "qemu/coroutine.h"
35 #include "qemu/bitmap.h"
38 * Reference for the LUKS format implemented here is
40 * docs/on-disk-format.pdf
42 * in 'cryptsetup' package source code
44 * This file implements the 1.2.1 specification, dated
48 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS
;
49 typedef struct QCryptoBlockLUKSHeader QCryptoBlockLUKSHeader
;
50 typedef struct QCryptoBlockLUKSKeySlot QCryptoBlockLUKSKeySlot
;
53 /* The following constants are all defined by the LUKS spec */
54 #define QCRYPTO_BLOCK_LUKS_VERSION 1
56 #define QCRYPTO_BLOCK_LUKS_MAGIC_LEN 6
57 #define QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN 32
58 #define QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN 32
59 #define QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN 32
60 #define QCRYPTO_BLOCK_LUKS_DIGEST_LEN 20
61 #define QCRYPTO_BLOCK_LUKS_SALT_LEN 32
62 #define QCRYPTO_BLOCK_LUKS_UUID_LEN 40
63 #define QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS 8
64 #define QCRYPTO_BLOCK_LUKS_STRIPES 4000
65 #define QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS 1000
66 #define QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS 1000
67 #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET 4096
69 #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED 0x0000DEAD
70 #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED 0x00AC71F3
72 #define QCRYPTO_BLOCK_LUKS_SECTOR_SIZE 512LL
74 #define QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS 2000
75 #define QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS 40
77 static const char qcrypto_block_luks_magic
[QCRYPTO_BLOCK_LUKS_MAGIC_LEN
] = {
78 'L', 'U', 'K', 'S', 0xBA, 0xBE
81 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap
;
82 struct QCryptoBlockLUKSNameMap
{
87 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap
;
88 struct QCryptoBlockLUKSCipherSizeMap
{
92 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap
;
93 struct QCryptoBlockLUKSCipherNameMap
{
95 const QCryptoBlockLUKSCipherSizeMap
*sizes
;
99 static const QCryptoBlockLUKSCipherSizeMap
100 qcrypto_block_luks_cipher_size_map_aes
[] = {
101 { 16, QCRYPTO_CIPHER_ALG_AES_128
},
102 { 24, QCRYPTO_CIPHER_ALG_AES_192
},
103 { 32, QCRYPTO_CIPHER_ALG_AES_256
},
107 static const QCryptoBlockLUKSCipherSizeMap
108 qcrypto_block_luks_cipher_size_map_cast5
[] = {
109 { 16, QCRYPTO_CIPHER_ALG_CAST5_128
},
113 static const QCryptoBlockLUKSCipherSizeMap
114 qcrypto_block_luks_cipher_size_map_serpent
[] = {
115 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128
},
116 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192
},
117 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256
},
121 static const QCryptoBlockLUKSCipherSizeMap
122 qcrypto_block_luks_cipher_size_map_twofish
[] = {
123 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128
},
124 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192
},
125 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256
},
129 static const QCryptoBlockLUKSCipherNameMap
130 qcrypto_block_luks_cipher_name_map
[] = {
131 { "aes", qcrypto_block_luks_cipher_size_map_aes
},
132 { "cast5", qcrypto_block_luks_cipher_size_map_cast5
},
133 { "serpent", qcrypto_block_luks_cipher_size_map_serpent
},
134 { "twofish", qcrypto_block_luks_cipher_size_map_twofish
},
139 * This struct is written to disk in big-endian format,
140 * but operated upon in native-endian format.
142 struct QCryptoBlockLUKSKeySlot
{
143 /* state of keyslot, enabled/disable */
145 /* iterations for PBKDF2 */
147 /* salt for PBKDF2 */
148 uint8_t salt
[QCRYPTO_BLOCK_LUKS_SALT_LEN
];
149 /* start sector of key material */
150 uint32_t key_offset_sector
;
151 /* number of anti-forensic stripes */
155 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot
) != 48);
159 * This struct is written to disk in big-endian format,
160 * but operated upon in native-endian format.
162 struct QCryptoBlockLUKSHeader
{
163 /* 'L', 'U', 'K', 'S', '0xBA', '0xBE' */
164 char magic
[QCRYPTO_BLOCK_LUKS_MAGIC_LEN
];
166 /* LUKS version, currently 1 */
169 /* cipher name specification (aes, etc) */
170 char cipher_name
[QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN
];
172 /* cipher mode specification (cbc-plain, xts-essiv:sha256, etc) */
173 char cipher_mode
[QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN
];
175 /* hash specification (sha256, etc) */
176 char hash_spec
[QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN
];
178 /* start offset of the volume data (in 512 byte sectors) */
179 uint32_t payload_offset_sector
;
181 /* Number of key bytes */
182 uint32_t master_key_len
;
184 /* master key checksum after PBKDF2 */
185 uint8_t master_key_digest
[QCRYPTO_BLOCK_LUKS_DIGEST_LEN
];
187 /* salt for master key PBKDF2 */
188 uint8_t master_key_salt
[QCRYPTO_BLOCK_LUKS_SALT_LEN
];
190 /* iterations for master key PBKDF2 */
191 uint32_t master_key_iterations
;
193 /* UUID of the partition in standard ASCII representation */
194 uint8_t uuid
[QCRYPTO_BLOCK_LUKS_UUID_LEN
];
197 QCryptoBlockLUKSKeySlot key_slots
[QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
];
200 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader
) != 592);
203 struct QCryptoBlockLUKS
{
204 QCryptoBlockLUKSHeader header
;
206 /* Main encryption algorithm used for encryption*/
207 QCryptoCipherAlgorithm cipher_alg
;
209 /* Mode of encryption for the selected encryption algorithm */
210 QCryptoCipherMode cipher_mode
;
212 /* Initialization vector generation algorithm */
213 QCryptoIVGenAlgorithm ivgen_alg
;
215 /* Hash algorithm used for IV generation*/
216 QCryptoHashAlgorithm ivgen_hash_alg
;
219 * Encryption algorithm used for IV generation.
220 * Usually the same as main encryption algorithm
222 QCryptoCipherAlgorithm ivgen_cipher_alg
;
224 /* Hash algorithm used in pbkdf2 function */
225 QCryptoHashAlgorithm hash_alg
;
227 /* Name of the secret that was used to open the image */
232 static int qcrypto_block_luks_cipher_name_lookup(const char *name
,
233 QCryptoCipherMode mode
,
237 const QCryptoBlockLUKSCipherNameMap
*map
=
238 qcrypto_block_luks_cipher_name_map
;
239 size_t maplen
= G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map
);
242 if (mode
== QCRYPTO_CIPHER_MODE_XTS
) {
246 for (i
= 0; i
< maplen
; i
++) {
247 if (!g_str_equal(map
[i
].name
, name
)) {
250 for (j
= 0; j
< map
[i
].sizes
[j
].key_bytes
; j
++) {
251 if (map
[i
].sizes
[j
].key_bytes
== key_bytes
) {
252 return map
[i
].sizes
[j
].id
;
257 error_setg(errp
, "Algorithm %s with key size %d bytes not supported",
263 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg
,
266 const QCryptoBlockLUKSCipherNameMap
*map
=
267 qcrypto_block_luks_cipher_name_map
;
268 size_t maplen
= G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map
);
270 for (i
= 0; i
< maplen
; i
++) {
271 for (j
= 0; j
< map
[i
].sizes
[j
].key_bytes
; j
++) {
272 if (map
[i
].sizes
[j
].id
== alg
) {
278 error_setg(errp
, "Algorithm '%s' not supported",
279 QCryptoCipherAlgorithm_str(alg
));
283 /* XXX replace with qapi_enum_parse() in future, when we can
284 * make that function emit a more friendly error message */
285 static int qcrypto_block_luks_name_lookup(const char *name
,
286 const QEnumLookup
*map
,
290 int ret
= qapi_enum_parse(map
, name
, -1, NULL
);
293 error_setg(errp
, "%s %s not supported", type
, name
);
299 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \
300 qcrypto_block_luks_name_lookup(name, \
301 &QCryptoCipherMode_lookup, \
305 #define qcrypto_block_luks_hash_name_lookup(name, errp) \
306 qcrypto_block_luks_name_lookup(name, \
307 &QCryptoHashAlgorithm_lookup, \
311 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \
312 qcrypto_block_luks_name_lookup(name, \
313 &QCryptoIVGenAlgorithm_lookup, \
319 qcrypto_block_luks_has_format(const uint8_t *buf
,
322 const QCryptoBlockLUKSHeader
*luks_header
= (const void *)buf
;
324 if (buf_size
>= offsetof(QCryptoBlockLUKSHeader
, cipher_name
) &&
325 memcmp(luks_header
->magic
, qcrypto_block_luks_magic
,
326 QCRYPTO_BLOCK_LUKS_MAGIC_LEN
) == 0 &&
327 be16_to_cpu(luks_header
->version
) == QCRYPTO_BLOCK_LUKS_VERSION
) {
336 * Deal with a quirk of dm-crypt usage of ESSIV.
338 * When calculating ESSIV IVs, the cipher length used by ESSIV
339 * may be different from the cipher length used for the block
340 * encryption, becauses dm-crypt uses the hash digest length
341 * as the key size. ie, if you have AES 128 as the block cipher
342 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
343 * the cipher since that gets a key length matching the digest
344 * size, not AES 128 with truncated digest as might be imagined
346 static QCryptoCipherAlgorithm
347 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher
,
348 QCryptoHashAlgorithm hash
,
351 size_t digestlen
= qcrypto_hash_digest_len(hash
);
352 size_t keylen
= qcrypto_cipher_get_key_len(cipher
);
353 if (digestlen
== keylen
) {
358 case QCRYPTO_CIPHER_ALG_AES_128
:
359 case QCRYPTO_CIPHER_ALG_AES_192
:
360 case QCRYPTO_CIPHER_ALG_AES_256
:
361 if (digestlen
== qcrypto_cipher_get_key_len(
362 QCRYPTO_CIPHER_ALG_AES_128
)) {
363 return QCRYPTO_CIPHER_ALG_AES_128
;
364 } else if (digestlen
== qcrypto_cipher_get_key_len(
365 QCRYPTO_CIPHER_ALG_AES_192
)) {
366 return QCRYPTO_CIPHER_ALG_AES_192
;
367 } else if (digestlen
== qcrypto_cipher_get_key_len(
368 QCRYPTO_CIPHER_ALG_AES_256
)) {
369 return QCRYPTO_CIPHER_ALG_AES_256
;
371 error_setg(errp
, "No AES cipher with key size %zu available",
376 case QCRYPTO_CIPHER_ALG_SERPENT_128
:
377 case QCRYPTO_CIPHER_ALG_SERPENT_192
:
378 case QCRYPTO_CIPHER_ALG_SERPENT_256
:
379 if (digestlen
== qcrypto_cipher_get_key_len(
380 QCRYPTO_CIPHER_ALG_SERPENT_128
)) {
381 return QCRYPTO_CIPHER_ALG_SERPENT_128
;
382 } else if (digestlen
== qcrypto_cipher_get_key_len(
383 QCRYPTO_CIPHER_ALG_SERPENT_192
)) {
384 return QCRYPTO_CIPHER_ALG_SERPENT_192
;
385 } else if (digestlen
== qcrypto_cipher_get_key_len(
386 QCRYPTO_CIPHER_ALG_SERPENT_256
)) {
387 return QCRYPTO_CIPHER_ALG_SERPENT_256
;
389 error_setg(errp
, "No Serpent cipher with key size %zu available",
394 case QCRYPTO_CIPHER_ALG_TWOFISH_128
:
395 case QCRYPTO_CIPHER_ALG_TWOFISH_192
:
396 case QCRYPTO_CIPHER_ALG_TWOFISH_256
:
397 if (digestlen
== qcrypto_cipher_get_key_len(
398 QCRYPTO_CIPHER_ALG_TWOFISH_128
)) {
399 return QCRYPTO_CIPHER_ALG_TWOFISH_128
;
400 } else if (digestlen
== qcrypto_cipher_get_key_len(
401 QCRYPTO_CIPHER_ALG_TWOFISH_192
)) {
402 return QCRYPTO_CIPHER_ALG_TWOFISH_192
;
403 } else if (digestlen
== qcrypto_cipher_get_key_len(
404 QCRYPTO_CIPHER_ALG_TWOFISH_256
)) {
405 return QCRYPTO_CIPHER_ALG_TWOFISH_256
;
407 error_setg(errp
, "No Twofish cipher with key size %zu available",
413 error_setg(errp
, "Cipher %s not supported with essiv",
414 QCryptoCipherAlgorithm_str(cipher
));
420 * Returns number of sectors needed to store the key material
421 * given number of anti forensic stripes
424 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS
*luks
,
425 unsigned int header_sectors
,
426 unsigned int stripes
)
429 * This calculation doesn't match that shown in the spec,
430 * but instead follows the cryptsetup implementation.
433 size_t splitkeylen
= luks
->header
.master_key_len
* stripes
;
435 /* First align the key material size to block size*/
436 size_t splitkeylen_sectors
=
437 DIV_ROUND_UP(splitkeylen
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
);
439 /* Then also align the key material size to the size of the header */
440 return ROUND_UP(splitkeylen_sectors
, header_sectors
);
444 * Stores the main LUKS header, taking care of endianess
447 qcrypto_block_luks_store_header(QCryptoBlock
*block
,
448 QCryptoBlockWriteFunc writefunc
,
452 const QCryptoBlockLUKS
*luks
= block
->opaque
;
453 Error
*local_err
= NULL
;
455 g_autofree QCryptoBlockLUKSHeader
*hdr_copy
= NULL
;
457 /* Create a copy of the header */
458 hdr_copy
= g_new0(QCryptoBlockLUKSHeader
, 1);
459 memcpy(hdr_copy
, &luks
->header
, sizeof(QCryptoBlockLUKSHeader
));
462 * Everything on disk uses Big Endian (tm), so flip header fields
463 * before writing them
465 cpu_to_be16s(&hdr_copy
->version
);
466 cpu_to_be32s(&hdr_copy
->payload_offset_sector
);
467 cpu_to_be32s(&hdr_copy
->master_key_len
);
468 cpu_to_be32s(&hdr_copy
->master_key_iterations
);
470 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
471 cpu_to_be32s(&hdr_copy
->key_slots
[i
].active
);
472 cpu_to_be32s(&hdr_copy
->key_slots
[i
].iterations
);
473 cpu_to_be32s(&hdr_copy
->key_slots
[i
].key_offset_sector
);
474 cpu_to_be32s(&hdr_copy
->key_slots
[i
].stripes
);
477 /* Write out the partition header and key slot headers */
478 writefunc(block
, 0, (const uint8_t *)hdr_copy
, sizeof(*hdr_copy
),
482 error_propagate(errp
, local_err
);
489 * Loads the main LUKS header,and byteswaps it to native endianess
490 * And run basic sanity checks on it
493 qcrypto_block_luks_load_header(QCryptoBlock
*block
,
494 QCryptoBlockReadFunc readfunc
,
500 QCryptoBlockLUKS
*luks
= block
->opaque
;
503 * Read the entire LUKS header, minus the key material from
504 * the underlying device
506 rv
= readfunc(block
, 0,
507 (uint8_t *)&luks
->header
,
508 sizeof(luks
->header
),
516 * The header is always stored in big-endian format, so
517 * convert everything to native
519 be16_to_cpus(&luks
->header
.version
);
520 be32_to_cpus(&luks
->header
.payload_offset_sector
);
521 be32_to_cpus(&luks
->header
.master_key_len
);
522 be32_to_cpus(&luks
->header
.master_key_iterations
);
524 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
525 be32_to_cpus(&luks
->header
.key_slots
[i
].active
);
526 be32_to_cpus(&luks
->header
.key_slots
[i
].iterations
);
527 be32_to_cpus(&luks
->header
.key_slots
[i
].key_offset_sector
);
528 be32_to_cpus(&luks
->header
.key_slots
[i
].stripes
);
535 * Does basic sanity checks on the LUKS header
538 qcrypto_block_luks_check_header(const QCryptoBlockLUKS
*luks
, Error
**errp
)
542 unsigned int header_sectors
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET
/
543 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
545 if (memcmp(luks
->header
.magic
, qcrypto_block_luks_magic
,
546 QCRYPTO_BLOCK_LUKS_MAGIC_LEN
) != 0) {
547 error_setg(errp
, "Volume is not in LUKS format");
551 if (luks
->header
.version
!= QCRYPTO_BLOCK_LUKS_VERSION
) {
552 error_setg(errp
, "LUKS version %" PRIu32
" is not supported",
553 luks
->header
.version
);
557 /* Check all keyslots for corruption */
558 for (i
= 0 ; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
560 const QCryptoBlockLUKSKeySlot
*slot1
= &luks
->header
.key_slots
[i
];
561 unsigned int start1
= slot1
->key_offset_sector
;
563 qcrypto_block_luks_splitkeylen_sectors(luks
,
567 if (slot1
->stripes
== 0) {
568 error_setg(errp
, "Keyslot %zu is corrupted (stripes == 0)", i
);
572 if (slot1
->active
!= QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED
&&
573 slot1
->active
!= QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
) {
575 "Keyslot %zu state (active/disable) is corrupted", i
);
579 if (start1
+ len1
> luks
->header
.payload_offset_sector
) {
581 "Keyslot %zu is overlapping with the encrypted payload",
586 for (j
= i
+ 1 ; j
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; j
++) {
587 const QCryptoBlockLUKSKeySlot
*slot2
= &luks
->header
.key_slots
[j
];
588 unsigned int start2
= slot2
->key_offset_sector
;
590 qcrypto_block_luks_splitkeylen_sectors(luks
,
594 if (start1
+ len1
> start2
&& start2
+ len2
> start1
) {
596 "Keyslots %zu and %zu are overlapping in the header",
607 * Parses the crypto parameters that are stored in the LUKS header
611 qcrypto_block_luks_parse_header(QCryptoBlockLUKS
*luks
, Error
**errp
)
613 g_autofree
char *cipher_mode
= g_strdup(luks
->header
.cipher_mode
);
614 char *ivgen_name
, *ivhash_name
;
615 Error
*local_err
= NULL
;
618 * The cipher_mode header contains a string that we have
619 * to further parse, of the format
621 * <cipher-mode>-<iv-generator>[:<iv-hash>]
623 * eg cbc-essiv:sha256, cbc-plain64
625 ivgen_name
= strchr(cipher_mode
, '-');
627 error_setg(errp
, "Unexpected cipher mode string format %s",
628 luks
->header
.cipher_mode
);
634 ivhash_name
= strchr(ivgen_name
, ':');
636 luks
->ivgen_hash_alg
= 0;
641 luks
->ivgen_hash_alg
= qcrypto_block_luks_hash_name_lookup(ivhash_name
,
644 error_propagate(errp
, local_err
);
649 luks
->cipher_mode
= qcrypto_block_luks_cipher_mode_lookup(cipher_mode
,
652 error_propagate(errp
, local_err
);
657 qcrypto_block_luks_cipher_name_lookup(luks
->header
.cipher_name
,
659 luks
->header
.master_key_len
,
662 error_propagate(errp
, local_err
);
667 qcrypto_block_luks_hash_name_lookup(luks
->header
.hash_spec
,
670 error_propagate(errp
, local_err
);
674 luks
->ivgen_alg
= qcrypto_block_luks_ivgen_name_lookup(ivgen_name
,
677 error_propagate(errp
, local_err
);
681 if (luks
->ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
683 error_setg(errp
, "Missing IV generator hash specification");
686 luks
->ivgen_cipher_alg
=
687 qcrypto_block_luks_essiv_cipher(luks
->cipher_alg
,
688 luks
->ivgen_hash_alg
,
691 error_propagate(errp
, local_err
);
697 * Note we parsed the ivhash_name earlier in the cipher_mode
698 * spec string even with plain/plain64 ivgens, but we
699 * will ignore it, since it is irrelevant for these ivgens.
700 * This is for compat with dm-crypt which will silently
701 * ignore hash names with these ivgens rather than report
702 * an error about the invalid usage
704 luks
->ivgen_cipher_alg
= luks
->cipher_alg
;
710 * Given a key slot, user password, and the master key,
711 * will store the encrypted master key there, and update the
712 * in-memory header. User must then write the in-memory header
715 * 0 if the keyslot was written successfully
716 * with the provided password
717 * -1 if a fatal error occurred while storing the key
720 qcrypto_block_luks_store_key(QCryptoBlock
*block
,
721 unsigned int slot_idx
,
722 const char *password
,
725 QCryptoBlockWriteFunc writefunc
,
729 QCryptoBlockLUKS
*luks
= block
->opaque
;
730 QCryptoBlockLUKSKeySlot
*slot
;
731 g_autofree
uint8_t *splitkey
= NULL
;
733 g_autofree
uint8_t *slotkey
= NULL
;
734 g_autoptr(QCryptoCipher
) cipher
= NULL
;
735 g_autoptr(QCryptoIVGen
) ivgen
= NULL
;
736 Error
*local_err
= NULL
;
740 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
741 slot
= &luks
->header
.key_slots
[slot_idx
];
742 if (qcrypto_random_bytes(slot
->salt
,
743 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
748 splitkeylen
= luks
->header
.master_key_len
* slot
->stripes
;
751 * Determine how many iterations are required to
752 * hash the user password while consuming 1 second of compute
755 iters
= qcrypto_pbkdf2_count_iters(luks
->hash_alg
,
756 (uint8_t *)password
, strlen(password
),
758 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
759 luks
->header
.master_key_len
,
762 error_propagate(errp
, local_err
);
766 if (iters
> (ULLONG_MAX
/ iter_time
)) {
767 error_setg_errno(errp
, ERANGE
,
768 "PBKDF iterations %llu too large to scale",
769 (unsigned long long)iters
);
773 /* iter_time was in millis, but count_iters reported for secs */
774 iters
= iters
* iter_time
/ 1000;
776 if (iters
> UINT32_MAX
) {
777 error_setg_errno(errp
, ERANGE
,
778 "PBKDF iterations %llu larger than %u",
779 (unsigned long long)iters
, UINT32_MAX
);
784 MAX(iters
, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS
);
788 * Generate a key that we'll use to encrypt the master
789 * key, from the user's password
791 slotkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
792 if (qcrypto_pbkdf2(luks
->hash_alg
,
793 (uint8_t *)password
, strlen(password
),
795 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
797 slotkey
, luks
->header
.master_key_len
,
804 * Setup the encryption objects needed to encrypt the
805 * master key material
807 cipher
= qcrypto_cipher_new(luks
->cipher_alg
,
809 slotkey
, luks
->header
.master_key_len
,
815 ivgen
= qcrypto_ivgen_new(luks
->ivgen_alg
,
816 luks
->ivgen_cipher_alg
,
817 luks
->ivgen_hash_alg
,
818 slotkey
, luks
->header
.master_key_len
,
825 * Before storing the master key, we need to vastly
826 * increase its size, as protection against forensic
829 splitkey
= g_new0(uint8_t, splitkeylen
);
831 if (qcrypto_afsplit_encode(luks
->hash_alg
,
832 luks
->header
.master_key_len
,
841 * Now we encrypt the split master key with the key generated
842 * from the user's password, before storing it
844 if (qcrypto_block_cipher_encrypt_helper(cipher
, block
->niv
, ivgen
,
845 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
853 /* Write out the slot's master key material. */
855 slot
->key_offset_sector
*
856 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
857 splitkey
, splitkeylen
,
863 slot
->active
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
;
865 if (qcrypto_block_luks_store_header(block
, writefunc
, opaque
, errp
) < 0) {
873 memset(slotkey
, 0, luks
->header
.master_key_len
);
876 memset(splitkey
, 0, splitkeylen
);
882 * Given a key slot, and user password, this will attempt to unlock
883 * the master encryption key from the key slot.
886 * 0 if the key slot is disabled, or key could not be decrypted
887 * with the provided password
888 * 1 if the key slot is enabled, and key decrypted successfully
889 * with the provided password
890 * -1 if a fatal error occurred loading the key
893 qcrypto_block_luks_load_key(QCryptoBlock
*block
,
895 const char *password
,
897 QCryptoBlockReadFunc readfunc
,
901 QCryptoBlockLUKS
*luks
= block
->opaque
;
902 const QCryptoBlockLUKSKeySlot
*slot
;
903 g_autofree
uint8_t *splitkey
= NULL
;
905 g_autofree
uint8_t *possiblekey
= NULL
;
907 g_autoptr(QCryptoCipher
) cipher
= NULL
;
908 uint8_t keydigest
[QCRYPTO_BLOCK_LUKS_DIGEST_LEN
];
909 g_autoptr(QCryptoIVGen
) ivgen
= NULL
;
912 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
913 slot
= &luks
->header
.key_slots
[slot_idx
];
914 if (slot
->active
!= QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
) {
918 splitkeylen
= luks
->header
.master_key_len
* slot
->stripes
;
919 splitkey
= g_new0(uint8_t, splitkeylen
);
920 possiblekey
= g_new0(uint8_t, luks
->header
.master_key_len
);
923 * The user password is used to generate a (possible)
924 * decryption key. This may or may not successfully
925 * decrypt the master key - we just blindly assume
926 * the key is correct and validate the results of
929 if (qcrypto_pbkdf2(luks
->hash_alg
,
930 (const uint8_t *)password
, strlen(password
),
931 slot
->salt
, QCRYPTO_BLOCK_LUKS_SALT_LEN
,
933 possiblekey
, luks
->header
.master_key_len
,
939 * We need to read the master key material from the
940 * LUKS key material header. What we're reading is
941 * not the raw master key, but rather the data after
942 * it has been passed through AFSplit and the result
946 slot
->key_offset_sector
* QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
947 splitkey
, splitkeylen
,
955 /* Setup the cipher/ivgen that we'll use to try to decrypt
956 * the split master key material */
957 cipher
= qcrypto_cipher_new(luks
->cipher_alg
,
960 luks
->header
.master_key_len
,
966 niv
= qcrypto_cipher_get_iv_len(luks
->cipher_alg
,
969 ivgen
= qcrypto_ivgen_new(luks
->ivgen_alg
,
970 luks
->ivgen_cipher_alg
,
971 luks
->ivgen_hash_alg
,
973 luks
->header
.master_key_len
,
981 * The master key needs to be decrypted in the same
982 * way that the block device payload will be decrypted
983 * later. In particular we'll be using the IV generator
984 * to reset the encryption cipher every time the master
985 * key crosses a sector boundary.
987 if (qcrypto_block_cipher_decrypt_helper(cipher
,
990 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
999 * Now we've decrypted the split master key, join
1000 * it back together to get the actual master key.
1002 if (qcrypto_afsplit_decode(luks
->hash_alg
,
1003 luks
->header
.master_key_len
,
1013 * We still don't know that the masterkey we got is valid,
1014 * because we just blindly assumed the user's password
1015 * was correct. This is where we now verify it. We are
1016 * creating a hash of the master key using PBKDF and
1017 * then comparing that to the hash stored in the key slot
1020 if (qcrypto_pbkdf2(luks
->hash_alg
,
1022 luks
->header
.master_key_len
,
1023 luks
->header
.master_key_salt
,
1024 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1025 luks
->header
.master_key_iterations
,
1027 G_N_ELEMENTS(keydigest
),
1032 if (memcmp(keydigest
, luks
->header
.master_key_digest
,
1033 QCRYPTO_BLOCK_LUKS_DIGEST_LEN
) == 0) {
1034 /* Success, we got the right master key */
1038 /* Fail, user's password was not valid for this key slot,
1039 * tell caller to try another slot */
1045 * Given a user password, this will iterate over all key
1046 * slots and try to unlock each active key slot using the
1047 * password until it successfully obtains a master key.
1049 * Returns 0 if a key was loaded, -1 if no keys could be loaded
1052 qcrypto_block_luks_find_key(QCryptoBlock
*block
,
1053 const char *password
,
1055 QCryptoBlockReadFunc readfunc
,
1062 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1063 rv
= qcrypto_block_luks_load_key(block
,
1078 error_setg(errp
, "Invalid password, cannot unlock any keyslot");
1084 * Returns true if a slot i is marked as active
1085 * (contains encrypted copy of the master key)
1088 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS
*luks
,
1089 unsigned int slot_idx
)
1093 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
1094 val
= luks
->header
.key_slots
[slot_idx
].active
;
1095 return val
== QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
;
1099 * Returns the number of slots that are marked as active
1100 * (slots that contain encrypted copy of the master key)
1103 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS
*luks
)
1106 unsigned int ret
= 0;
1108 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1109 if (qcrypto_block_luks_slot_active(luks
, i
)) {
1117 * Finds first key slot which is not active
1118 * Returns the key slot index, or -1 if it doesn't exist
1121 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS
*luks
)
1125 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1126 if (!qcrypto_block_luks_slot_active(luks
, i
)) {
1134 * Erases an keyslot given its index
1136 * 0 if the keyslot was erased successfully
1137 * -1 if a error occurred while erasing the keyslot
1141 qcrypto_block_luks_erase_key(QCryptoBlock
*block
,
1142 unsigned int slot_idx
,
1143 QCryptoBlockWriteFunc writefunc
,
1147 QCryptoBlockLUKS
*luks
= block
->opaque
;
1148 QCryptoBlockLUKSKeySlot
*slot
;
1149 g_autofree
uint8_t *garbagesplitkey
= NULL
;
1152 Error
*local_err
= NULL
;
1155 assert(slot_idx
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
1156 slot
= &luks
->header
.key_slots
[slot_idx
];
1158 splitkeylen
= luks
->header
.master_key_len
* slot
->stripes
;
1159 assert(splitkeylen
> 0);
1161 garbagesplitkey
= g_new0(uint8_t, splitkeylen
);
1163 /* Reset the key slot header */
1164 memset(slot
->salt
, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN
);
1165 slot
->iterations
= 0;
1166 slot
->active
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED
;
1168 ret
= qcrypto_block_luks_store_header(block
, writefunc
,
1169 opaque
, &local_err
);
1172 error_propagate(errp
, local_err
);
1175 * Now try to erase the key material, even if the header
1178 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS
; i
++) {
1179 if (qcrypto_random_bytes(garbagesplitkey
,
1180 splitkeylen
, &local_err
) < 0) {
1182 * If we failed to get the random data, still write
1183 * at least zeros to the key slot at least once
1185 error_propagate(errp
, local_err
);
1191 if (writefunc(block
,
1192 slot
->key_offset_sector
* QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
1197 error_propagate(errp
, local_err
);
1205 qcrypto_block_luks_open(QCryptoBlock
*block
,
1206 QCryptoBlockOpenOptions
*options
,
1207 const char *optprefix
,
1208 QCryptoBlockReadFunc readfunc
,
1214 QCryptoBlockLUKS
*luks
= NULL
;
1215 g_autofree
uint8_t *masterkey
= NULL
;
1216 g_autofree
char *password
= NULL
;
1218 if (!(flags
& QCRYPTO_BLOCK_OPEN_NO_IO
)) {
1219 if (!options
->u
.luks
.key_secret
) {
1220 error_setg(errp
, "Parameter '%skey-secret' is required for cipher",
1221 optprefix
? optprefix
: "");
1224 password
= qcrypto_secret_lookup_as_utf8(
1225 options
->u
.luks
.key_secret
, errp
);
1231 luks
= g_new0(QCryptoBlockLUKS
, 1);
1232 block
->opaque
= luks
;
1233 luks
->secret
= g_strdup(options
->u
.luks
.key_secret
);
1235 if (qcrypto_block_luks_load_header(block
, readfunc
, opaque
, errp
) < 0) {
1239 if (qcrypto_block_luks_check_header(luks
, errp
) < 0) {
1243 if (qcrypto_block_luks_parse_header(luks
, errp
) < 0) {
1247 if (!(flags
& QCRYPTO_BLOCK_OPEN_NO_IO
)) {
1248 /* Try to find which key slot our password is valid for
1249 * and unlock the master key from that slot.
1252 masterkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
1254 if (qcrypto_block_luks_find_key(block
,
1262 /* We have a valid master key now, so can setup the
1263 * block device payload decryption objects
1265 block
->kdfhash
= luks
->hash_alg
;
1266 block
->niv
= qcrypto_cipher_get_iv_len(luks
->cipher_alg
,
1269 block
->ivgen
= qcrypto_ivgen_new(luks
->ivgen_alg
,
1270 luks
->ivgen_cipher_alg
,
1271 luks
->ivgen_hash_alg
,
1273 luks
->header
.master_key_len
,
1275 if (!block
->ivgen
) {
1279 if (qcrypto_block_init_cipher(block
,
1283 luks
->header
.master_key_len
,
1290 block
->sector_size
= QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1291 block
->payload_offset
= luks
->header
.payload_offset_sector
*
1297 qcrypto_block_free_cipher(block
);
1298 qcrypto_ivgen_free(block
->ivgen
);
1299 g_free(luks
->secret
);
1306 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr
)
1309 qemu_uuid_generate(&uuid
);
1310 qemu_uuid_unparse(&uuid
, (char *)uuidstr
);
1314 qcrypto_block_luks_create(QCryptoBlock
*block
,
1315 QCryptoBlockCreateOptions
*options
,
1316 const char *optprefix
,
1317 QCryptoBlockInitFunc initfunc
,
1318 QCryptoBlockWriteFunc writefunc
,
1322 QCryptoBlockLUKS
*luks
;
1323 QCryptoBlockCreateOptionsLUKS luks_opts
;
1324 Error
*local_err
= NULL
;
1325 g_autofree
uint8_t *masterkey
= NULL
;
1326 size_t header_sectors
;
1327 size_t split_key_sectors
;
1329 g_autofree
char *password
= NULL
;
1330 const char *cipher_alg
;
1331 const char *cipher_mode
;
1332 const char *ivgen_alg
;
1333 const char *ivgen_hash_alg
= NULL
;
1334 const char *hash_alg
;
1335 g_autofree
char *cipher_mode_spec
= NULL
;
1338 memcpy(&luks_opts
, &options
->u
.luks
, sizeof(luks_opts
));
1339 if (!luks_opts
.has_iter_time
) {
1340 luks_opts
.iter_time
= QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS
;
1342 if (!luks_opts
.has_cipher_alg
) {
1343 luks_opts
.cipher_alg
= QCRYPTO_CIPHER_ALG_AES_256
;
1345 if (!luks_opts
.has_cipher_mode
) {
1346 luks_opts
.cipher_mode
= QCRYPTO_CIPHER_MODE_XTS
;
1348 if (!luks_opts
.has_ivgen_alg
) {
1349 luks_opts
.ivgen_alg
= QCRYPTO_IVGEN_ALG_PLAIN64
;
1351 if (!luks_opts
.has_hash_alg
) {
1352 luks_opts
.hash_alg
= QCRYPTO_HASH_ALG_SHA256
;
1354 if (luks_opts
.ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
1355 if (!luks_opts
.has_ivgen_hash_alg
) {
1356 luks_opts
.ivgen_hash_alg
= QCRYPTO_HASH_ALG_SHA256
;
1357 luks_opts
.has_ivgen_hash_alg
= true;
1361 luks
= g_new0(QCryptoBlockLUKS
, 1);
1362 block
->opaque
= luks
;
1364 luks
->cipher_alg
= luks_opts
.cipher_alg
;
1365 luks
->cipher_mode
= luks_opts
.cipher_mode
;
1366 luks
->ivgen_alg
= luks_opts
.ivgen_alg
;
1367 luks
->ivgen_hash_alg
= luks_opts
.ivgen_hash_alg
;
1368 luks
->hash_alg
= luks_opts
.hash_alg
;
1371 /* Note we're allowing ivgen_hash_alg to be set even for
1372 * non-essiv iv generators that don't need a hash. It will
1373 * be silently ignored, for compatibility with dm-crypt */
1375 if (!options
->u
.luks
.key_secret
) {
1376 error_setg(errp
, "Parameter '%skey-secret' is required for cipher",
1377 optprefix
? optprefix
: "");
1380 luks
->secret
= g_strdup(options
->u
.luks
.key_secret
);
1382 password
= qcrypto_secret_lookup_as_utf8(luks_opts
.key_secret
, errp
);
1388 memcpy(luks
->header
.magic
, qcrypto_block_luks_magic
,
1389 QCRYPTO_BLOCK_LUKS_MAGIC_LEN
);
1391 /* We populate the header in native endianness initially and
1392 * then convert everything to big endian just before writing
1395 luks
->header
.version
= QCRYPTO_BLOCK_LUKS_VERSION
;
1396 qcrypto_block_luks_uuid_gen(luks
->header
.uuid
);
1398 cipher_alg
= qcrypto_block_luks_cipher_alg_lookup(luks_opts
.cipher_alg
,
1404 cipher_mode
= QCryptoCipherMode_str(luks_opts
.cipher_mode
);
1405 ivgen_alg
= QCryptoIVGenAlgorithm_str(luks_opts
.ivgen_alg
);
1406 if (luks_opts
.has_ivgen_hash_alg
) {
1407 ivgen_hash_alg
= QCryptoHashAlgorithm_str(luks_opts
.ivgen_hash_alg
);
1408 cipher_mode_spec
= g_strdup_printf("%s-%s:%s", cipher_mode
, ivgen_alg
,
1411 cipher_mode_spec
= g_strdup_printf("%s-%s", cipher_mode
, ivgen_alg
);
1413 hash_alg
= QCryptoHashAlgorithm_str(luks_opts
.hash_alg
);
1416 if (strlen(cipher_alg
) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN
) {
1417 error_setg(errp
, "Cipher name '%s' is too long for LUKS header",
1421 if (strlen(cipher_mode_spec
) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN
) {
1422 error_setg(errp
, "Cipher mode '%s' is too long for LUKS header",
1426 if (strlen(hash_alg
) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN
) {
1427 error_setg(errp
, "Hash name '%s' is too long for LUKS header",
1432 if (luks_opts
.ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
1433 luks
->ivgen_cipher_alg
=
1434 qcrypto_block_luks_essiv_cipher(luks_opts
.cipher_alg
,
1435 luks_opts
.ivgen_hash_alg
,
1438 error_propagate(errp
, local_err
);
1442 luks
->ivgen_cipher_alg
= luks_opts
.cipher_alg
;
1445 strcpy(luks
->header
.cipher_name
, cipher_alg
);
1446 strcpy(luks
->header
.cipher_mode
, cipher_mode_spec
);
1447 strcpy(luks
->header
.hash_spec
, hash_alg
);
1449 luks
->header
.master_key_len
=
1450 qcrypto_cipher_get_key_len(luks_opts
.cipher_alg
);
1452 if (luks_opts
.cipher_mode
== QCRYPTO_CIPHER_MODE_XTS
) {
1453 luks
->header
.master_key_len
*= 2;
1456 /* Generate the salt used for hashing the master key
1459 if (qcrypto_random_bytes(luks
->header
.master_key_salt
,
1460 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1465 /* Generate random master key */
1466 masterkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
1467 if (qcrypto_random_bytes(masterkey
,
1468 luks
->header
.master_key_len
, errp
) < 0) {
1473 /* Setup the block device payload encryption objects */
1474 if (qcrypto_block_init_cipher(block
, luks_opts
.cipher_alg
,
1475 luks_opts
.cipher_mode
, masterkey
,
1476 luks
->header
.master_key_len
, 1, errp
) < 0) {
1480 block
->kdfhash
= luks_opts
.hash_alg
;
1481 block
->niv
= qcrypto_cipher_get_iv_len(luks_opts
.cipher_alg
,
1482 luks_opts
.cipher_mode
);
1483 block
->ivgen
= qcrypto_ivgen_new(luks_opts
.ivgen_alg
,
1484 luks
->ivgen_cipher_alg
,
1485 luks_opts
.ivgen_hash_alg
,
1486 masterkey
, luks
->header
.master_key_len
,
1489 if (!block
->ivgen
) {
1494 /* Determine how many iterations we need to hash the master
1495 * key, in order to have 1 second of compute time used
1497 iters
= qcrypto_pbkdf2_count_iters(luks_opts
.hash_alg
,
1498 masterkey
, luks
->header
.master_key_len
,
1499 luks
->header
.master_key_salt
,
1500 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1501 QCRYPTO_BLOCK_LUKS_DIGEST_LEN
,
1504 error_propagate(errp
, local_err
);
1508 if (iters
> (ULLONG_MAX
/ luks_opts
.iter_time
)) {
1509 error_setg_errno(errp
, ERANGE
,
1510 "PBKDF iterations %llu too large to scale",
1511 (unsigned long long)iters
);
1515 /* iter_time was in millis, but count_iters reported for secs */
1516 iters
= iters
* luks_opts
.iter_time
/ 1000;
1518 /* Why /= 8 ? That matches cryptsetup, but there's no
1519 * explanation why they chose /= 8... Probably so that
1520 * if all 8 keyslots are active we only spend 1 second
1521 * in total time to check all keys */
1523 if (iters
> UINT32_MAX
) {
1524 error_setg_errno(errp
, ERANGE
,
1525 "PBKDF iterations %llu larger than %u",
1526 (unsigned long long)iters
, UINT32_MAX
);
1529 iters
= MAX(iters
, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS
);
1530 luks
->header
.master_key_iterations
= iters
;
1532 /* Hash the master key, saving the result in the LUKS
1533 * header. This hash is used when opening the encrypted
1534 * device to verify that the user password unlocked a
1537 if (qcrypto_pbkdf2(luks_opts
.hash_alg
,
1538 masterkey
, luks
->header
.master_key_len
,
1539 luks
->header
.master_key_salt
,
1540 QCRYPTO_BLOCK_LUKS_SALT_LEN
,
1541 luks
->header
.master_key_iterations
,
1542 luks
->header
.master_key_digest
,
1543 QCRYPTO_BLOCK_LUKS_DIGEST_LEN
,
1548 /* start with the sector that follows the header*/
1549 header_sectors
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET
/
1550 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1553 qcrypto_block_luks_splitkeylen_sectors(luks
,
1555 QCRYPTO_BLOCK_LUKS_STRIPES
);
1557 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1558 QCryptoBlockLUKSKeySlot
*slot
= &luks
->header
.key_slots
[i
];
1559 slot
->active
= QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED
;
1561 slot
->key_offset_sector
= header_sectors
+ i
* split_key_sectors
;
1562 slot
->stripes
= QCRYPTO_BLOCK_LUKS_STRIPES
;
1565 /* The total size of the LUKS headers is the partition header + key
1566 * slot headers, rounded up to the nearest sector, combined with
1567 * the size of each master key material region, also rounded up
1568 * to the nearest sector */
1569 luks
->header
.payload_offset_sector
= header_sectors
+
1570 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
* split_key_sectors
;
1572 block
->sector_size
= QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1573 block
->payload_offset
= luks
->header
.payload_offset_sector
*
1576 /* Reserve header space to match payload offset */
1577 initfunc(block
, block
->payload_offset
, opaque
, &local_err
);
1579 error_propagate(errp
, local_err
);
1584 /* populate the slot 0 with the password encrypted master key*/
1585 /* This will also store the header */
1586 if (qcrypto_block_luks_store_key(block
,
1590 luks_opts
.iter_time
,
1597 memset(masterkey
, 0, luks
->header
.master_key_len
);
1603 memset(masterkey
, 0, luks
->header
.master_key_len
);
1606 qcrypto_block_free_cipher(block
);
1607 qcrypto_ivgen_free(block
->ivgen
);
1609 g_free(luks
->secret
);
1615 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock
*block
,
1616 QCryptoBlockReadFunc readfunc
,
1617 QCryptoBlockWriteFunc writefunc
,
1619 QCryptoBlockAmendOptionsLUKS
*opts_luks
,
1623 QCryptoBlockLUKS
*luks
= block
->opaque
;
1624 uint64_t iter_time
= opts_luks
->has_iter_time
?
1625 opts_luks
->iter_time
:
1626 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS
;
1628 g_autofree
char *old_password
= NULL
;
1629 g_autofree
char *new_password
= NULL
;
1630 g_autofree
uint8_t *master_key
= NULL
;
1632 char *secret
= opts_luks
->has_secret
? opts_luks
->secret
: luks
->secret
;
1634 if (!opts_luks
->has_new_secret
) {
1635 error_setg(errp
, "'new-secret' is required to activate a keyslot");
1638 if (opts_luks
->has_old_secret
) {
1640 "'old-secret' must not be given when activating keyslots");
1644 if (opts_luks
->has_keyslot
) {
1645 keyslot
= opts_luks
->keyslot
;
1646 if (keyslot
< 0 || keyslot
>= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
) {
1648 "Invalid keyslot %u specified, must be between 0 and %u",
1649 keyslot
, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
- 1);
1653 keyslot
= qcrypto_block_luks_find_free_keyslot(luks
);
1654 if (keyslot
== -1) {
1656 "Can't add a keyslot - all keyslots are in use");
1661 if (!force
&& qcrypto_block_luks_slot_active(luks
, keyslot
)) {
1663 "Refusing to overwrite active keyslot %i - "
1664 "please erase it first",
1669 /* Locate the password that will be used to retrieve the master key */
1670 old_password
= qcrypto_secret_lookup_as_utf8(secret
, errp
);
1671 if (!old_password
) {
1675 /* Retrieve the master key */
1676 master_key
= g_new0(uint8_t, luks
->header
.master_key_len
);
1678 if (qcrypto_block_luks_find_key(block
, old_password
, master_key
,
1679 readfunc
, opaque
, errp
) < 0) {
1680 error_append_hint(errp
, "Failed to retrieve the master key");
1684 /* Locate the new password*/
1685 new_password
= qcrypto_secret_lookup_as_utf8(opts_luks
->new_secret
, errp
);
1686 if (!new_password
) {
1690 /* Now set the new keyslots */
1691 if (qcrypto_block_luks_store_key(block
, keyslot
, new_password
, master_key
,
1692 iter_time
, writefunc
, opaque
, errp
)) {
1693 error_append_hint(errp
, "Failed to write to keyslot %i", keyslot
);
1700 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock
*block
,
1701 QCryptoBlockReadFunc readfunc
,
1702 QCryptoBlockWriteFunc writefunc
,
1704 QCryptoBlockAmendOptionsLUKS
*opts_luks
,
1708 QCryptoBlockLUKS
*luks
= block
->opaque
;
1709 g_autofree
uint8_t *tmpkey
= NULL
;
1710 g_autofree
char *old_password
= NULL
;
1712 if (opts_luks
->has_new_secret
) {
1714 "'new-secret' must not be given when erasing keyslots");
1717 if (opts_luks
->has_iter_time
) {
1719 "'iter-time' must not be given when erasing keyslots");
1722 if (opts_luks
->has_secret
) {
1724 "'secret' must not be given when erasing keyslots");
1728 /* Load the old password if given */
1729 if (opts_luks
->has_old_secret
) {
1730 old_password
= qcrypto_secret_lookup_as_utf8(opts_luks
->old_secret
,
1732 if (!old_password
) {
1737 * Allocate a temporary key buffer that we will need when
1738 * checking if slot matches the given old password
1740 tmpkey
= g_new0(uint8_t, luks
->header
.master_key_len
);
1743 /* Erase an explicitly given keyslot */
1744 if (opts_luks
->has_keyslot
) {
1745 int keyslot
= opts_luks
->keyslot
;
1747 if (keyslot
< 0 || keyslot
>= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
) {
1749 "Invalid keyslot %i specified, must be between 0 and %i",
1750 keyslot
, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
- 1);
1754 if (opts_luks
->has_old_secret
) {
1755 int rv
= qcrypto_block_luks_load_key(block
,
1764 } else if (rv
== 0) {
1766 "Given keyslot %i doesn't contain the given "
1767 "old password for erase operation",
1773 if (!force
&& !qcrypto_block_luks_slot_active(luks
, keyslot
)) {
1775 "Given keyslot %i is already erased (inactive) ",
1780 if (!force
&& qcrypto_block_luks_count_active_slots(luks
) == 1) {
1782 "Attempt to erase the only active keyslot %i "
1783 "which will erase all the data in the image "
1784 "irreversibly - refusing operation",
1789 if (qcrypto_block_luks_erase_key(block
, keyslot
,
1790 writefunc
, opaque
, errp
)) {
1791 error_append_hint(errp
, "Failed to erase keyslot %i", keyslot
);
1795 /* Erase all keyslots that match the given old password */
1796 } else if (opts_luks
->has_old_secret
) {
1798 unsigned long slots_to_erase_bitmap
= 0;
1802 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
<=
1803 sizeof(slots_to_erase_bitmap
) * 8);
1805 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1806 int rv
= qcrypto_block_luks_load_key(block
,
1815 } else if (rv
== 1) {
1816 bitmap_set(&slots_to_erase_bitmap
, i
, 1);
1820 slot_count
= bitmap_count_one(&slots_to_erase_bitmap
,
1821 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
);
1822 if (slot_count
== 0) {
1824 "No keyslots match given (old) password for erase operation");
1829 slot_count
== qcrypto_block_luks_count_active_slots(luks
)) {
1831 "All the active keyslots match the (old) password that "
1832 "was given and erasing them will erase all the data in "
1833 "the image irreversibly - refusing operation");
1837 /* Now apply the update */
1838 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1839 if (!test_bit(i
, &slots_to_erase_bitmap
)) {
1842 if (qcrypto_block_luks_erase_key(block
, i
, writefunc
,
1844 error_append_hint(errp
, "Failed to erase keyslot %zu", i
);
1850 "To erase keyslot(s), either explicit keyslot index "
1851 "or the password currently contained in them must be given");
1858 qcrypto_block_luks_amend_options(QCryptoBlock
*block
,
1859 QCryptoBlockReadFunc readfunc
,
1860 QCryptoBlockWriteFunc writefunc
,
1862 QCryptoBlockAmendOptions
*options
,
1866 QCryptoBlockAmendOptionsLUKS
*opts_luks
= &options
->u
.luks
;
1868 switch (opts_luks
->state
) {
1869 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE
:
1870 return qcrypto_block_luks_amend_add_keyslot(block
, readfunc
,
1872 opts_luks
, force
, errp
);
1873 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE
:
1874 return qcrypto_block_luks_amend_erase_keyslots(block
, readfunc
,
1876 opts_luks
, force
, errp
);
1878 g_assert_not_reached();
1882 static int qcrypto_block_luks_get_info(QCryptoBlock
*block
,
1883 QCryptoBlockInfo
*info
,
1886 QCryptoBlockLUKS
*luks
= block
->opaque
;
1887 QCryptoBlockInfoLUKSSlot
*slot
;
1888 QCryptoBlockInfoLUKSSlotList
**tail
= &info
->u
.luks
.slots
;
1891 info
->u
.luks
.cipher_alg
= luks
->cipher_alg
;
1892 info
->u
.luks
.cipher_mode
= luks
->cipher_mode
;
1893 info
->u
.luks
.ivgen_alg
= luks
->ivgen_alg
;
1894 if (info
->u
.luks
.ivgen_alg
== QCRYPTO_IVGEN_ALG_ESSIV
) {
1895 info
->u
.luks
.has_ivgen_hash_alg
= true;
1896 info
->u
.luks
.ivgen_hash_alg
= luks
->ivgen_hash_alg
;
1898 info
->u
.luks
.hash_alg
= luks
->hash_alg
;
1899 info
->u
.luks
.payload_offset
= block
->payload_offset
;
1900 info
->u
.luks
.master_key_iters
= luks
->header
.master_key_iterations
;
1901 info
->u
.luks
.uuid
= g_strndup((const char *)luks
->header
.uuid
,
1902 sizeof(luks
->header
.uuid
));
1904 for (i
= 0; i
< QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS
; i
++) {
1905 slot
= g_new0(QCryptoBlockInfoLUKSSlot
, 1);
1906 slot
->active
= luks
->header
.key_slots
[i
].active
==
1907 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED
;
1908 slot
->key_offset
= luks
->header
.key_slots
[i
].key_offset_sector
1909 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
;
1911 slot
->has_iters
= true;
1912 slot
->iters
= luks
->header
.key_slots
[i
].iterations
;
1913 slot
->has_stripes
= true;
1914 slot
->stripes
= luks
->header
.key_slots
[i
].stripes
;
1917 QAPI_LIST_APPEND(tail
, slot
);
1924 static void qcrypto_block_luks_cleanup(QCryptoBlock
*block
)
1926 QCryptoBlockLUKS
*luks
= block
->opaque
;
1928 g_free(luks
->secret
);
1935 qcrypto_block_luks_decrypt(QCryptoBlock
*block
,
1941 assert(QEMU_IS_ALIGNED(offset
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1942 assert(QEMU_IS_ALIGNED(len
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1943 return qcrypto_block_decrypt_helper(block
,
1944 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
1945 offset
, buf
, len
, errp
);
1950 qcrypto_block_luks_encrypt(QCryptoBlock
*block
,
1956 assert(QEMU_IS_ALIGNED(offset
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1957 assert(QEMU_IS_ALIGNED(len
, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
));
1958 return qcrypto_block_encrypt_helper(block
,
1959 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE
,
1960 offset
, buf
, len
, errp
);
1964 const QCryptoBlockDriver qcrypto_block_driver_luks
= {
1965 .open
= qcrypto_block_luks_open
,
1966 .create
= qcrypto_block_luks_create
,
1967 .amend
= qcrypto_block_luks_amend_options
,
1968 .get_info
= qcrypto_block_luks_get_info
,
1969 .cleanup
= qcrypto_block_luks_cleanup
,
1970 .decrypt
= qcrypto_block_luks_decrypt
,
1971 .encrypt
= qcrypto_block_luks_encrypt
,
1972 .has_format
= qcrypto_block_luks_has_format
,