1 /* $OpenBSD: uvm_swap_encrypt.c,v 1.24 2021/03/12 14:15:49 jsg Exp $ */
2
3 /*
4 * Copyright 1999 Niels Provos <provos@citi.umich.edu>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Niels Provos.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/kernel.h>
36 #include <sys/malloc.h>
37 #include <sys/sysctl.h>
38 #include <sys/time.h>
39 #include <crypto/rijndael.h>
40
41 #include <uvm/uvm.h>
42 #include <uvm/uvm_swap_encrypt.h>
43
44 struct swap_key *kcur = NULL;
45 rijndael_ctx swap_ctxt;
46
47 int uvm_doswapencrypt = 1;
48 u_int uvm_swpkeyscreated = 0;
49 u_int uvm_swpkeysdeleted = 0;
50
51 int swap_encrypt_initialized = 0;
52
53 int
swap_encrypt_ctl(int * name,u_int namelen,void * oldp,size_t * oldlenp,void * newp,size_t newlen,struct proc * p)54 swap_encrypt_ctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
55 void *newp, size_t newlen, struct proc *p)
56 {
57 /* all sysctl names at this level are terminal */
58 if (namelen != 1)
59 return (ENOTDIR); /* overloaded */
60
61 switch (name[0]) {
62 case SWPENC_ENABLE: {
63 int doencrypt = uvm_doswapencrypt;
64 int result;
65
66 result = sysctl_int_bounded(oldp, oldlenp, newp, newlen,
67 &doencrypt, 0, 1);
68 if (result)
69 return result;
70
71 /*
72 * Swap Encryption has been turned on, we need to
73 * initialize state for swap devices that have been
74 * added.
75 */
76 if (doencrypt)
77 uvm_swap_initcrypt_all();
78 uvm_doswapencrypt = doencrypt;
79 return (0);
80 }
81 case SWPENC_CREATED:
82 return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeyscreated));
83 case SWPENC_DELETED:
84 return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeysdeleted));
85 default:
86 return (EOPNOTSUPP);
87 }
88 /* NOTREACHED */
89 }
90
91 void
swap_key_create(struct swap_key * key)92 swap_key_create(struct swap_key *key)
93 {
94 arc4random_buf(key->key, sizeof(key->key));
95 uvm_swpkeyscreated++;
96 }
97
98 void
swap_key_delete(struct swap_key * key)99 swap_key_delete(struct swap_key *key)
100 {
101 /* Make sure that this key gets removed if we just used it */
102 swap_key_cleanup(key);
103
104 explicit_bzero(key, sizeof(*key));
105 uvm_swpkeysdeleted++;
106 }
107
108 /*
109 * Encrypt the data before it goes to swap, the size should be 64-bit
110 * aligned.
111 */
112
113 void
swap_encrypt(struct swap_key * key,caddr_t src,caddr_t dst,u_int64_t block,size_t count)114 swap_encrypt(struct swap_key *key, caddr_t src, caddr_t dst, u_int64_t block,
115 size_t count)
116 {
117 u_int32_t *dsrc = (u_int32_t *)src;
118 u_int32_t *ddst = (u_int32_t *)dst;
119 u_int32_t iv[4];
120 u_int32_t iv1, iv2, iv3, iv4;
121
122 if (!swap_encrypt_initialized)
123 swap_encrypt_initialized = 1;
124
125 swap_key_prepare(key, 1);
126
127 count /= sizeof(u_int32_t);
128
129 iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1];
130 rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv);
131 iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3];
132
133 for (; count > 0; count -= 4) {
134 ddst[0] = dsrc[0] ^ iv1;
135 ddst[1] = dsrc[1] ^ iv2;
136 ddst[2] = dsrc[2] ^ iv3;
137 ddst[3] = dsrc[3] ^ iv4;
138 /*
139 * Do not worry about endianness, it only needs to decrypt
140 * on this machine.
141 */
142 rijndael_encrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst);
143 iv1 = ddst[0];
144 iv2 = ddst[1];
145 iv3 = ddst[2];
146 iv4 = ddst[3];
147
148 dsrc += 4;
149 ddst += 4;
150 }
151 }
152
153 /*
154 * Decrypt the data after we retrieved it from swap, the size should be 64-bit
155 * aligned.
156 */
157
158 void
swap_decrypt(struct swap_key * key,caddr_t src,caddr_t dst,u_int64_t block,size_t count)159 swap_decrypt(struct swap_key *key, caddr_t src, caddr_t dst, u_int64_t block,
160 size_t count)
161 {
162 u_int32_t *dsrc = (u_int32_t *)src;
163 u_int32_t *ddst = (u_int32_t *)dst;
164 u_int32_t iv[4];
165 u_int32_t iv1, iv2, iv3, iv4, niv1, niv2, niv3, niv4;
166
167 if (!swap_encrypt_initialized)
168 panic("swap_decrypt: key not initialized");
169
170 swap_key_prepare(key, 0);
171
172 count /= sizeof(u_int32_t);
173
174 iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1];
175 rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv);
176 iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3];
177
178 for (; count > 0; count -= 4) {
179 ddst[0] = niv1 = dsrc[0];
180 ddst[1] = niv2 = dsrc[1];
181 ddst[2] = niv3 = dsrc[2];
182 ddst[3] = niv4 = dsrc[3];
183 rijndael_decrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst);
184 ddst[0] ^= iv1;
185 ddst[1] ^= iv2;
186 ddst[2] ^= iv3;
187 ddst[3] ^= iv4;
188
189 iv1 = niv1;
190 iv2 = niv2;
191 iv3 = niv3;
192 iv4 = niv4;
193
194 dsrc += 4;
195 ddst += 4;
196 }
197 }
198
199 void
swap_key_prepare(struct swap_key * key,int encrypt)200 swap_key_prepare(struct swap_key *key, int encrypt)
201 {
202 /*
203 * Check if we have prepared for this key already,
204 * if we only have the encryption schedule, we have
205 * to recompute and get the decryption schedule also.
206 */
207 if (kcur == key && (encrypt || !swap_ctxt.enc_only))
208 return;
209
210 if (encrypt)
211 rijndael_set_key_enc_only(&swap_ctxt, (u_char *)key->key,
212 sizeof(key->key) * 8);
213 else
214 rijndael_set_key(&swap_ctxt, (u_char *)key->key,
215 sizeof(key->key) * 8);
216
217 kcur = key;
218 }
219
220 /*
221 * Make sure that a specific key is no longer available.
222 */
223
224 void
swap_key_cleanup(struct swap_key * key)225 swap_key_cleanup(struct swap_key *key)
226 {
227 /* Check if we have a key */
228 if (kcur == NULL || kcur != key)
229 return;
230
231 /* Zero out the subkeys */
232 explicit_bzero(&swap_ctxt, sizeof(swap_ctxt));
233
234 kcur = NULL;
235 }
236