xref: /openbsd/sys/uvm/uvm_swap_encrypt.c (revision 3cab2bb3) 
1 /*	$OpenBSD: uvm_swap_encrypt.c,v 1.22 2015/05/06 04:00:10 dlg Exp $	*/
2 
3 /*
4  * Copyright 1999 Niels Provos <provos@citi.umich.edu>
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. All advertising materials mentioning features or use of this software
16  *    must display the following acknowledgement:
17  *      This product includes software developed by Niels Provos.
18  * 4. The name of the author may not be used to endorse or promote products
19  *    derived from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/kernel.h>
36 #include <sys/malloc.h>
37 #include <sys/sysctl.h>
38 #include <sys/time.h>
39 #include <crypto/rijndael.h>
40 
41 #include <uvm/uvm.h>
42 #include <uvm/uvm_swap_encrypt.h>
43 
44 struct swap_key *kcur = NULL;
45 rijndael_ctx swap_ctxt;
46 
47 int uvm_doswapencrypt = 1;
48 u_int uvm_swpkeyscreated = 0;
49 u_int uvm_swpkeysdeleted = 0;
50 
51 int swap_encrypt_initialized = 0;
52 
53 int
54 swap_encrypt_ctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
55     void *newp, size_t newlen, struct proc *p)
56 {
57 	/* all sysctl names at this level are terminal */
58 	if (namelen != 1)
59 		return (ENOTDIR);		/* overloaded */
60 
61 	switch (name[0]) {
62 	case SWPENC_ENABLE: {
63 		int doencrypt = uvm_doswapencrypt;
64 		int result;
65 
66 		result = sysctl_int(oldp, oldlenp, newp, newlen, &doencrypt);
67 		if (result)
68 			return result;
69 
70 		/*
71 		 * Swap Encryption has been turned on, we need to
72 		 * initialize state for swap devices that have been
73 		 * added.
74 		 */
75 		if (doencrypt)
76 			uvm_swap_initcrypt_all();
77 		uvm_doswapencrypt = doencrypt;
78 		return (0);
79 	}
80 	case SWPENC_CREATED:
81 		return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeyscreated));
82 	case SWPENC_DELETED:
83 		return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeysdeleted));
84 	default:
85 		return (EOPNOTSUPP);
86 	}
87 	/* NOTREACHED */
88 }
89 
90 void
91 swap_key_create(struct swap_key *key)
92 {
93 	arc4random_buf(key->key, sizeof(key->key));
94 	uvm_swpkeyscreated++;
95 }
96 
97 void
98 swap_key_delete(struct swap_key *key)
99 {
100 	/* Make sure that this key gets removed if we just used it */
101 	swap_key_cleanup(key);
102 
103 	explicit_bzero(key, sizeof(*key));
104 	uvm_swpkeysdeleted++;
105 }
106 
107 /*
108  * Encrypt the data before it goes to swap, the size should be 64-bit
109  * aligned.
110  */
111 
112 void
113 swap_encrypt(struct swap_key *key, caddr_t src, caddr_t dst, u_int64_t block,
114     size_t count)
115 {
116 	u_int32_t *dsrc = (u_int32_t *)src;
117 	u_int32_t *ddst = (u_int32_t *)dst;
118 	u_int32_t iv[4];
119 	u_int32_t iv1, iv2, iv3, iv4;
120 
121 	if (!swap_encrypt_initialized)
122 		swap_encrypt_initialized = 1;
123 
124 	swap_key_prepare(key, 1);
125 
126 	count /= sizeof(u_int32_t);
127 
128 	iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1];
129 	rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv);
130 	iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3];
131 
132 	for (; count > 0; count -= 4) {
133 		ddst[0] = dsrc[0] ^ iv1;
134 		ddst[1] = dsrc[1] ^ iv2;
135 		ddst[2] = dsrc[2] ^ iv3;
136 		ddst[3] = dsrc[3] ^ iv4;
137 		/*
138 		 * Do not worry about endianess, it only needs to decrypt
139 		 * on this machine.
140 		 */
141 		rijndael_encrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst);
142 		iv1 = ddst[0];
143 		iv2 = ddst[1];
144 		iv3 = ddst[2];
145 		iv4 = ddst[3];
146 
147 		dsrc += 4;
148 		ddst += 4;
149 	}
150 }
151 
152 /*
153  * Decrypt the data after we retrieved it from swap, the size should be 64-bit
154  * aligned.
155  */
156 
157 void
158 swap_decrypt(struct swap_key *key, caddr_t src, caddr_t dst, u_int64_t block,
159     size_t count)
160 {
161 	u_int32_t *dsrc = (u_int32_t *)src;
162 	u_int32_t *ddst = (u_int32_t *)dst;
163 	u_int32_t iv[4];
164 	u_int32_t iv1, iv2, iv3, iv4, niv1, niv2, niv3, niv4;
165 
166 	if (!swap_encrypt_initialized)
167 		panic("swap_decrypt: key not initialized");
168 
169 	swap_key_prepare(key, 0);
170 
171 	count /= sizeof(u_int32_t);
172 
173 	iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1];
174 	rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv);
175 	iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3];
176 
177 	for (; count > 0; count -= 4) {
178 		ddst[0] = niv1 = dsrc[0];
179 		ddst[1] = niv2 = dsrc[1];
180 		ddst[2] = niv3 = dsrc[2];
181 		ddst[3] = niv4 = dsrc[3];
182 		rijndael_decrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst);
183 		ddst[0] ^= iv1;
184 		ddst[1] ^= iv2;
185 		ddst[2] ^= iv3;
186 		ddst[3] ^= iv4;
187 
188 		iv1 = niv1;
189 		iv2 = niv2;
190 		iv3 = niv3;
191 		iv4 = niv4;
192 
193 		dsrc += 4;
194 		ddst += 4;
195 	}
196 }
197 
198 void
199 swap_key_prepare(struct swap_key *key, int encrypt)
200 {
201 	/*
202 	 * Check if we have prepared for this key already,
203 	 * if we only have the encryption schedule, we have
204 	 * to recompute and get the decryption schedule also.
205 	 */
206 	if (kcur == key && (encrypt || !swap_ctxt.enc_only))
207 		return;
208 
209 	if (encrypt)
210 		rijndael_set_key_enc_only(&swap_ctxt, (u_char *)key->key,
211 		    sizeof(key->key) * 8);
212 	else
213 		rijndael_set_key(&swap_ctxt, (u_char *)key->key,
214 		    sizeof(key->key) * 8);
215 
216 	kcur = key;
217 }
218 
219 /*
220  * Make sure that a specific key is no longer available.
221  */
222 
223 void
224 swap_key_cleanup(struct swap_key *key)
225 {
226 	/* Check if we have a key */
227 	if (kcur == NULL || kcur != key)
228 		return;
229 
230 	/* Zero out the subkeys */
231 	explicit_bzero(&swap_ctxt, sizeof(swap_ctxt));
232 
233 	kcur = NULL;
234 }
235