1 /*
2  * QEMU block full disk encryption
3  *
4  * Copyright (c) 2015-2016 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 
23 #include "block/block_int.h"
24 #include "block/qdict.h"
25 #include "sysemu/block-backend.h"
26 #include "crypto/block.h"
27 #include "qapi/opts-visitor.h"
28 #include "qapi/qapi-visit-crypto.h"
29 #include "qapi/qobject-input-visitor.h"
30 #include "qapi/error.h"
31 #include "qemu/module.h"
32 #include "qemu/option.h"
33 #include "qemu/cutils.h"
34 #include "qemu/memalign.h"
35 #include "crypto.h"
36 
/*
 * Per-node state of the "luks" block driver. The block layer allocates it
 * as bs->opaque (see .instance_size in bdrv_crypto_luks).
 */
typedef struct BlockCrypto {
    /* Crypto context created by the open path and released by close */
    QCryptoBlock *block;
    /* Set while keyslots are being amended; read by the child_perm hook */
    bool updating_keys;
    /* Reference to the detached LUKS header; NULL when none was opened */
    BdrvChild *header;
} BlockCrypto;
44 
45 
/*
 * Probe helper shared by the format-specific probe callbacks.
 *
 * Returns 100 when qcrypto_block_has_format() recognises @format in the
 * @buf_size bytes at @buf, and 0 otherwise. @filename is not consulted.
 */
static int block_crypto_probe_generic(QCryptoBlockFormat format,
                                      const uint8_t *buf,
                                      int buf_size,
                                      const char *filename)
{
    return qcrypto_block_has_format(format, buf, buf_size) ? 100 : 0;
}
57 
58 
/*
 * Header read callback handed to the QCryptoBlock layer.
 *
 * @opaque is the BlockDriverState of the luks node. @buflen bytes at
 * @offset are read from the detached header child when one is attached,
 * otherwise from bs->file.
 *
 * Returns 0 on success. On failure sets @errp and returns the negative
 * errno reported by bdrv_pread().
 */
static int block_crypto_read_func(QCryptoBlock *block,
                                  size_t offset,
                                  uint8_t *buf,
                                  size_t buflen,
                                  void *opaque,
                                  Error **errp)
{
    BlockDriverState *bs = opaque;
    BlockCrypto *crypto = bs->opaque;
    BdrvChild *hdr_child;
    ssize_t rc;

    GLOBAL_STATE_CODE();
    GRAPH_RDLOCK_GUARD_MAINLOOP();

    /* A detached header, when present, takes precedence over bs->file */
    hdr_child = crypto->header;
    if (!hdr_child) {
        hdr_child = bs->file;
    }

    rc = bdrv_pread(hdr_child, offset, buflen, buf, 0);
    if (rc >= 0) {
        return 0;
    }

    error_setg_errno(errp, -rc, "Could not read encryption header");
    return rc;
}
81 
/*
 * Header write callback handed to the QCryptoBlock layer (used by the
 * amend path in this file).
 *
 * @opaque is the BlockDriverState of the luks node. @buflen bytes from
 * @buf are written at @offset to the detached header child when one is
 * attached, otherwise to bs->file.
 *
 * Returns 0 on success. On failure sets @errp and returns the negative
 * errno reported by bdrv_pwrite().
 */
static int block_crypto_write_func(QCryptoBlock *block,
                                   size_t offset,
                                   const uint8_t *buf,
                                   size_t buflen,
                                   void *opaque,
                                   Error **errp)
{
    BlockDriverState *bs = opaque;
    BlockCrypto *crypto = bs->opaque;
    BdrvChild *hdr_child;
    ssize_t rc;

    GLOBAL_STATE_CODE();
    GRAPH_RDLOCK_GUARD_MAINLOOP();

    /* A detached header, when present, takes precedence over bs->file */
    hdr_child = crypto->header;
    if (!hdr_child) {
        hdr_child = bs->file;
    }

    rc = bdrv_pwrite(hdr_child, offset, buflen, buf, 0);
    if (rc >= 0) {
        return 0;
    }

    error_setg_errno(errp, -rc, "Could not write encryption header");
    return rc;
}
104 
105 
/* State shared by the two callbacks passed to qcrypto_block_create() */
struct BlockCryptoCreateData {
    /* Backend the header is written to and that gets resized */
    BlockBackend *blk;
    /* Requested guest-visible size, not counting the crypto header */
    uint64_t size;
    /* Preallocation mode forwarded to blk_truncate() */
    PreallocMode prealloc;
};
111 
112 
/*
 * Header write callback used while creating a new image.
 *
 * @opaque is a struct BlockCryptoCreateData; the header bytes go to its
 * BlockBackend. Returns 0 on success, otherwise sets @errp and returns the
 * negative errno reported by blk_pwrite().
 */
static int coroutine_fn GRAPH_UNLOCKED
block_crypto_create_write_func(QCryptoBlock *block, size_t offset,
                               const uint8_t *buf, size_t buflen, void *opaque,
                               Error **errp)
{
    struct BlockCryptoCreateData *create = opaque;
    ssize_t rc = blk_pwrite(create->blk, offset, buflen, buf, 0);

    if (rc >= 0) {
        return 0;
    }

    error_setg_errno(errp, -rc, "Could not write encryption header");
    return rc;
}
128 
/*
 * Image sizing callback used while creating a new image.
 *
 * Resizes the backend in @opaque (a struct BlockCryptoCreateData) to the
 * requested size plus @headerlen. Returns 0 on success; on failure sets
 * @errp and returns a negative errno, -EFBIG when the total does not fit
 * in an int64_t.
 */
static int coroutine_fn GRAPH_UNLOCKED
block_crypto_create_init_func(QCryptoBlock *block, size_t headerlen,
                              void *opaque, Error **errp)
{
    struct BlockCryptoCreateData *create = opaque;
    Error *local_error = NULL;
    int ret;

    if (create->size > INT64_MAX || headerlen > INT64_MAX - create->size) {
        /* size + headerlen would not fit in the signed 64-bit file size */
        ret = -EFBIG;
    } else {
        /*
         * The size the user asked for is what the guest gets to use, so
         * the space taken by the crypto header is added on top of it.
         */
        ret = blk_truncate(create->blk, create->size + headerlen, false,
                           create->prealloc, 0, &local_error);
        if (ret >= 0) {
            return 0;
        }
    }

    if (ret != -EFBIG) {
        error_propagate(errp, local_error);
        return ret;
    }

    /* Replace whatever message was set with a more helpful one */
    error_free(local_error);
    error_setg(errp, "The requested file size is too large");
    return ret;
}
164 
165 
/*
 * Options accepted when opening a LUKS node: only the ID of the secret
 * that unlocks the volume.
 */
static QemuOptsList block_crypto_runtime_opts_luks = {
    .name = "crypto",
    .head = QTAILQ_HEAD_INITIALIZER(block_crypto_runtime_opts_luks.head),
    .desc = {
        BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET(""),
        { /* list terminator */ }
    },
};
174 
175 
/*
 * Options accepted when creating a LUKS image: the virtual disk size, the
 * key secret, and the cipher / IV generator / hash / iteration-time
 * parameters.
 */
static QemuOptsList block_crypto_create_opts_luks = {
    .name = "crypto",
    .head = QTAILQ_HEAD_INITIALIZER(block_crypto_create_opts_luks.head),
    .desc = {
        {
            .name = BLOCK_OPT_SIZE,
            .type = QEMU_OPT_SIZE,
            .help = "Virtual disk size"
        },
        BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(""),
        { /* list terminator */ }
    },
};
195 
196 
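/*
 * Options accepted when amending a LUKS image: keyslot state and index,
 * the old and new secrets, and the iteration time.
 */
static QemuOptsList block_crypto_amend_opts_luks = {
    .name = "crypto",
    /*
     * The head initializer must reference this list's own head. Naming
     * block_crypto_create_opts_luks.head here would make the empty amend
     * list's tail pointer alias the create list's head.
     */
    .head = QTAILQ_HEAD_INITIALIZER(block_crypto_amend_opts_luks.head),
    .desc = {
        BLOCK_CRYPTO_OPT_DEF_LUKS_STATE(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_OLD_SECRET(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_NEW_SECRET(""),
        BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(""),
        { /* end of list */ }
    },
};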
209 
/*
 * Convert the flat option dictionary @opts into a QCryptoBlockOpenOptions.
 *
 * Returns NULL with @errp set when the input visitor cannot be created.
 * Otherwise returns whatever visit_type_QCryptoBlockOpenOptions() stored;
 * callers in this file treat NULL as failure and release a non-NULL
 * result with qapi_free_QCryptoBlockOpenOptions().
 */
QCryptoBlockOpenOptions *
block_crypto_open_opts_init(QDict *opts, Error **errp)
{
    QCryptoBlockOpenOptions *parsed;
    Visitor *visitor = qobject_input_visitor_new_flat_confused(opts, errp);

    if (visitor == NULL) {
        return NULL;
    }

    /* NOTE(review): relies on the visitor writing @parsed on failure too */
    visit_type_QCryptoBlockOpenOptions(visitor, NULL, &parsed, errp);
    visit_free(visitor);

    return parsed;
}
226 
227 
/*
 * Convert the flat option dictionary @opts into a
 * QCryptoBlockCreateOptions.
 *
 * Returns NULL with @errp set when the input visitor cannot be created.
 * Otherwise returns whatever visit_type_QCryptoBlockCreateOptions()
 * stored; callers in this file treat NULL as failure.
 */
QCryptoBlockCreateOptions *
block_crypto_create_opts_init(QDict *opts, Error **errp)
{
    QCryptoBlockCreateOptions *parsed;
    Visitor *visitor = qobject_input_visitor_new_flat_confused(opts, errp);

    if (visitor == NULL) {
        return NULL;
    }

    /* NOTE(review): relies on the visitor writing @parsed on failure too */
    visit_type_QCryptoBlockCreateOptions(visitor, NULL, &parsed, errp);
    visit_free(visitor);

    return parsed;
}
244 
/*
 * Convert the flat option dictionary @opts into a QCryptoBlockAmendOptions.
 *
 * Returns NULL with @errp set when the input visitor cannot be created.
 * Otherwise returns whatever visit_type_QCryptoBlockAmendOptions() stored;
 * callers in this file treat NULL as failure.
 */
QCryptoBlockAmendOptions *
block_crypto_amend_opts_init(QDict *opts, Error **errp)
{
    QCryptoBlockAmendOptions *parsed;
    Visitor *visitor = qobject_input_visitor_new_flat_confused(opts, errp);

    if (visitor == NULL) {
        return NULL;
    }

    /* NOTE(review): relies on the visitor writing @parsed on failure too */
    visit_type_QCryptoBlockAmendOptions(visitor, NULL, &parsed, errp);
    visit_free(visitor);

    return parsed;
}
261 
262 
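/*
 * Open an encrypted node of the given @format.
 *
 * Opens the mandatory "file" child and the optional "header" child (a
 * detached LUKS header), absorbs the driver options described by
 * @opts_spec from @options, and initialises the crypto context in
 * bs->opaque through qcrypto_block_open(). On success bs->encrypted is
 * set.
 *
 * Returns 0 on success, a negative errno with @errp set on failure.
 */
static int block_crypto_open_generic(QCryptoBlockFormat format,
                                     QemuOptsList *opts_spec,
                                     BlockDriverState *bs,
                                     QDict *options,
                                     int flags,
                                     Error **errp)
{
    ERRP_GUARD();

    BlockCrypto *crypto = bs->opaque;
    QemuOpts *opts = NULL;
    int ret;
    QCryptoBlockOpenOptions *open_opts = NULL;
    unsigned int cflags = 0;
    QDict *cryptoopts = NULL;

    GLOBAL_STATE_CODE();

    ret = bdrv_open_file_child(NULL, options, "file", bs, errp);
    if (ret < 0) {
        return ret;
    }

    /*
     * The header child is optional, so a NULL result alone is not an
     * error; only a set *errp is (ERRP_GUARD makes it safe to read).
     */
    crypto->header = bdrv_open_child(NULL, options, "header", bs,
                                     &child_of_bds, BDRV_CHILD_METADATA,
                                     true, errp);
    if (*errp != NULL) {
        return -EINVAL;
    }

    GRAPH_RDLOCK_GUARD_MAINLOOP();

    /* FUA is the only write flag passed through, and only if the child has it */
    bs->supported_write_flags = BDRV_REQ_FUA &
        bs->file->bs->supported_write_flags;

    opts = qemu_opts_create(opts_spec, NULL, 0, &error_abort);
    if (!qemu_opts_absorb_qdict(opts, options, errp)) {
        ret = -EINVAL;
        goto cleanup;
    }

    cryptoopts = qemu_opts_to_qdict(opts, NULL);
    qdict_put_str(cryptoopts, "format", QCryptoBlockFormat_str(format));

    open_opts = block_crypto_open_opts_init(cryptoopts, errp);
    if (!open_opts) {
        ret = -EINVAL;
        goto cleanup;
    }

    if (flags & BDRV_O_NO_IO) {
        cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
    }
    if (crypto->header != NULL) {
        cflags |= QCRYPTO_BLOCK_OPEN_DETACHED;
    }
    crypto->block = qcrypto_block_open(open_opts, NULL,
                                       block_crypto_read_func,
                                       bs,
                                       cflags,
                                       1,
                                       errp);

    if (!crypto->block) {
        ret = -EIO;
        goto cleanup;
    }

    bs->encrypted = true;

    ret = 0;
 cleanup:
    /*
     * Release the QemuOpts created above; without this every open leaves
     * one behind. Its contents were already copied into @cryptoopts.
     */
    qemu_opts_del(opts);
    qobject_unref(cryptoopts);
    qapi_free_QCryptoBlockOpenOptions(open_opts);
    return ret;
}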
339 
340 
/*
 * Format @bs as an encrypted volume with @size bytes of payload.
 *
 * A temporary BlockBackend with write and resize permission is attached
 * to @bs, and qcrypto_block_create() writes the header through the
 * create callbacks defined in this file. PREALLOC_MODE_METADATA is
 * replaced by PREALLOC_MODE_OFF before it reaches those callbacks.
 *
 * Returns 0 on success, -EPERM when the backend cannot be created and
 * -EIO when header creation fails; @errp is set by the failing callee.
 */
static int coroutine_fn GRAPH_UNLOCKED
block_crypto_co_create_generic(BlockDriverState *bs, int64_t size,
                               QCryptoBlockCreateOptions *opts,
                               PreallocMode prealloc, Error **errp)
{
    struct BlockCryptoCreateData data;
    QCryptoBlock *crypto = NULL;
    BlockBackend *blk;
    int ret = 0;

    blk = blk_co_new_with_bs(bs, BLK_PERM_WRITE | BLK_PERM_RESIZE, BLK_PERM_ALL,
                             errp);
    if (!blk) {
        ret = -EPERM;
        goto cleanup;
    }

    data = (struct BlockCryptoCreateData) {
        .blk = blk,
        .size = size,
        .prealloc = (prealloc == PREALLOC_MODE_METADATA) ? PREALLOC_MODE_OFF
                                                         : prealloc,
    };

    crypto = qcrypto_block_create(opts, NULL,
                                  block_crypto_create_init_func,
                                  block_crypto_create_write_func,
                                  &data,
                                  errp);
    if (!crypto) {
        ret = -EIO;
    }

 cleanup:
    /* The crypto context is only needed to write the header */
    qcrypto_block_free(crypto);
    blk_co_unref(blk);
    return ret;
}
385 
/*
 * Resize the guest-visible payload to @offset bytes.
 *
 * The underlying file is truncated to @offset plus the payload offset
 * reported by the crypto context. Returns -EFBIG with @errp set when that
 * sum would exceed INT64_MAX, otherwise the result of bdrv_co_truncate().
 * @flags is not forwarded; the child is truncated with flags 0.
 */
static int coroutine_fn GRAPH_RDLOCK
block_crypto_co_truncate(BlockDriverState *bs, int64_t offset, bool exact,
                         PreallocMode prealloc, BdrvRequestFlags flags,
                         Error **errp)
{
    BlockCrypto *crypto = bs->opaque;
    uint64_t payload_start = qcrypto_block_get_payload_offset(crypto->block);

    if (payload_start > INT64_MAX - offset) {
        error_setg(errp, "The requested file size is too large");
        return -EFBIG;
    }

    return bdrv_co_truncate(bs->file, offset + payload_start, exact,
                            prealloc, 0, errp);
}
404 
/*
 * Close callback: release the crypto context held in bs->opaque.
 * Nothing else is released here.
 */
static void block_crypto_close(BlockDriverState *bs)
{
    BlockCrypto *state = bs->opaque;

    qcrypto_block_free(state->block);
}
410 
/* Reopen hook: the driver has nothing to validate, so it always returns 0. */
static int block_crypto_reopen_prepare(BDRVReopenState *state,
                                       BlockReopenQueue *queue, Error **errp)
{
    return 0;
}
417 
/*
 * Upper bound, in bytes, on the bounce buffer used by the read and write
 * paths. 1 MB gives a good performance / memory tradeoff when using
 * cache=none|directsync.
 */
#define BLOCK_CRYPTO_MAX_IO_SIZE (1024 * 1024)
423 
/*
 * Read and decrypt @bytes bytes at guest offset @offset into @qiov.
 *
 * Ciphertext is read from bs->file (shifted by the payload offset) into a
 * private bounce buffer, decrypted in place, and only then copied into
 * @qiov, in chunks of at most BLOCK_CRYPTO_MAX_IO_SIZE. @offset and
 * @bytes must be multiples of the crypto sector size (asserted).
 *
 * Returns 0 on success, -ENOMEM if the bounce buffer cannot be allocated,
 * -EIO if decryption fails, or the negative errno of the child read.
 */
static int coroutine_fn GRAPH_RDLOCK
block_crypto_co_preadv(BlockDriverState *bs, int64_t offset, int64_t bytes,
                       QEMUIOVector *qiov, BdrvRequestFlags flags)
{
    BlockCrypto *crypto = bs->opaque;
    uint64_t done = 0;
    uint8_t *bounce = NULL;
    QEMUIOVector hd_qiov;
    int ret = 0;
    uint64_t sector_size = qcrypto_block_get_sector_size(crypto->block);
    uint64_t payload_offset = qcrypto_block_get_payload_offset(crypto->block);

    assert(payload_offset < INT64_MAX);
    assert(QEMU_IS_ALIGNED(offset, sector_size));
    assert(QEMU_IS_ALIGNED(bytes, sector_size));

    qemu_iovec_init(&hd_qiov, qiov->niov);

    /*
     * Ciphertext must never be exposed in @qiov, which points to guest
     * memory, so all child reads land in this bounce buffer.
     * NOTE(review): the buffer is sized from qiov->size while the loop is
     * bounded by @bytes; this assumes bytes <= qiov->size - confirm.
     */
    bounce = qemu_try_blockalign(bs->file->bs,
                                 MIN(BLOCK_CRYPTO_MAX_IO_SIZE, qiov->size));
    if (bounce == NULL) {
        ret = -ENOMEM;
        goto cleanup;
    }

    while (bytes != 0) {
        /* number of bytes handled in this iteration */
        uint64_t chunk = MIN(bytes, BLOCK_CRYPTO_MAX_IO_SIZE);
        uint64_t guest_pos = offset + done;

        qemu_iovec_reset(&hd_qiov);
        qemu_iovec_add(&hd_qiov, bounce, chunk);

        ret = bdrv_co_preadv(bs->file, payload_offset + guest_pos,
                             chunk, &hd_qiov, 0);
        if (ret < 0) {
            goto cleanup;
        }

        /* Decryption error details are dropped (NULL errp); report -EIO */
        if (qcrypto_block_decrypt(crypto->block, guest_pos,
                                  bounce, chunk, NULL) < 0) {
            ret = -EIO;
            goto cleanup;
        }

        /* Only plaintext is copied out to the caller's vector */
        qemu_iovec_from_buf(qiov, done, bounce, chunk);

        bytes -= chunk;
        done += chunk;
    }

 cleanup:
    qemu_iovec_destroy(&hd_qiov);
    qemu_vfree(bounce);

    return ret;
}
484 
485 
/*
 * Encrypt @bytes bytes from @qiov and write them at guest offset @offset.
 *
 * Plaintext is copied from @qiov into a private bounce buffer, encrypted
 * in place, and written to bs->file (shifted by the payload offset) in
 * chunks of at most BLOCK_CRYPTO_MAX_IO_SIZE. @offset and @bytes must be
 * multiples of the crypto sector size (asserted).
 *
 * Returns 0 on success, -ENOMEM if the bounce buffer cannot be allocated,
 * -EIO if encryption fails, or the negative errno of the child write.
 */
static int coroutine_fn GRAPH_RDLOCK
block_crypto_co_pwritev(BlockDriverState *bs, int64_t offset, int64_t bytes,
                        QEMUIOVector *qiov, BdrvRequestFlags flags)
{
    BlockCrypto *crypto = bs->opaque;
    uint64_t done = 0;
    uint8_t *bounce = NULL;
    QEMUIOVector hd_qiov;
    int ret = 0;
    uint64_t sector_size = qcrypto_block_get_sector_size(crypto->block);
    uint64_t payload_offset = qcrypto_block_get_payload_offset(crypto->block);

    /*
     * The child write is issued from the bounce buffer rather than from
     * @qiov; presumably that is why the registered-buffer hint is cleared.
     */
    flags &= ~BDRV_REQ_REGISTERED_BUF;

    assert(payload_offset < INT64_MAX);
    assert(QEMU_IS_ALIGNED(offset, sector_size));
    assert(QEMU_IS_ALIGNED(bytes, sector_size));

    qemu_iovec_init(&hd_qiov, qiov->niov);

    /*
     * @qiov points to guest memory and must not be modified, so the data
     * is encrypted in a bounce buffer instead.
     * NOTE(review): the buffer is sized from qiov->size while the loop is
     * bounded by @bytes; this assumes bytes <= qiov->size - confirm.
     */
    bounce = qemu_try_blockalign(bs->file->bs,
                                 MIN(BLOCK_CRYPTO_MAX_IO_SIZE, qiov->size));
    if (bounce == NULL) {
        ret = -ENOMEM;
        goto cleanup;
    }

    while (bytes != 0) {
        /* number of bytes handled in this iteration */
        uint64_t chunk = MIN(bytes, BLOCK_CRYPTO_MAX_IO_SIZE);
        uint64_t guest_pos = offset + done;

        qemu_iovec_to_buf(qiov, done, bounce, chunk);

        /* Encryption error details are dropped (NULL errp); report -EIO */
        if (qcrypto_block_encrypt(crypto->block, guest_pos,
                                  bounce, chunk, NULL) < 0) {
            ret = -EIO;
            goto cleanup;
        }

        qemu_iovec_reset(&hd_qiov);
        qemu_iovec_add(&hd_qiov, bounce, chunk);

        ret = bdrv_co_pwritev(bs->file, payload_offset + guest_pos,
                              chunk, &hd_qiov, flags);
        if (ret < 0) {
            goto cleanup;
        }

        bytes -= chunk;
        done += chunk;
    }

 cleanup:
    qemu_iovec_destroy(&hd_qiov);
    qemu_vfree(bounce);

    return ret;
}
548 
/*
 * Limits hook: requests must be aligned to the crypto sector size, since
 * the read and write paths cannot do sub-sector I/O.
 */
static void block_crypto_refresh_limits(BlockDriverState *bs, Error **errp)
{
    BlockCrypto *crypto = bs->opaque;

    bs->bl.request_alignment = qcrypto_block_get_sector_size(crypto->block);
}
555 
556 
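/*
 * Return the guest-visible length: the length of the underlying file
 * minus the payload offset reported by the crypto context.
 *
 * Returns the negative errno from bdrv_co_getlength() when the child
 * length cannot be determined, and -EIO when the file is shorter than the
 * payload offset.
 */
static int64_t coroutine_fn GRAPH_RDLOCK
block_crypto_co_getlength(BlockDriverState *bs)
{
    BlockCrypto *crypto = bs->opaque;
    int64_t len = bdrv_co_getlength(bs->file->bs);

    uint64_t offset = qcrypto_block_get_payload_offset(crypto->block);
    assert(offset < INT64_MAX);

    /*
     * Propagate a child error unchanged. Comparing a negative len with
     * the unsigned offset would convert it to a huge value, skip the
     * bounds check below and return (errno - offset) as the "length".
     */
    if (len < 0) {
        return len;
    }

    if (offset > (uint64_t)len) {
        return -EIO;
    }

    return len - (int64_t)offset;
}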
574 
575 
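/*
 * Compute the file size needed for a LUKS image.
 *
 * The payload size is the length of @in_bs when given, otherwise the
 * BLOCK_OPT_SIZE option from @opts. The LUKS header size is derived from
 * the creation options in @opts.
 *
 * Returns a newly allocated BlockMeasureInfo owned by the caller, or NULL
 * with @errp set on failure.
 */
static BlockMeasureInfo *block_crypto_measure(QemuOpts *opts,
                                              BlockDriverState *in_bs,
                                              Error **errp)
{
    g_autoptr(QCryptoBlockCreateOptions) create_opts = NULL;
    Error *local_err = NULL;
    BlockMeasureInfo *info;
    uint64_t size;
    size_t luks_payload_size;
    QDict *cryptoopts;

    /*
     * Preallocation mode doesn't affect size requirements but we must consume
     * the option.
     */
    g_free(qemu_opt_get_del(opts, BLOCK_OPT_PREALLOC));

    size = qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0);

    if (in_bs) {
        int64_t ssize = bdrv_getlength(in_bs);

        if (ssize < 0) {
            error_setg_errno(&local_err, -ssize,
                             "Unable to get image virtual_size");
            goto err;
        }

        size = ssize;
    }

    cryptoopts = qemu_opts_to_qdict_filtered(opts, NULL,
            &block_crypto_create_opts_luks, true);
    qdict_put_str(cryptoopts, "format", "luks");
    create_opts = block_crypto_create_opts_init(cryptoopts, &local_err);
    qobject_unref(cryptoopts);
    if (!create_opts) {
        goto err;
    }

    if (!qcrypto_block_calculate_payload_offset(create_opts, NULL,
                                                &luks_payload_size,
                                                &local_err)) {
        goto err;
    }

    /*
     * Reject totals that would wrap or exceed INT64_MAX, using the same
     * bound and message as block_crypto_create_init_func(), instead of
     * reporting a wrapped size.
     */
    if (size > INT64_MAX || luks_payload_size > INT64_MAX - size) {
        error_setg(&local_err, "The requested file size is too large");
        goto err;
    }

    /*
     * Unallocated blocks are still encrypted so allocation status makes no
     * difference to the file size.
     */
    info = g_new0(BlockMeasureInfo, 1);
    info->fully_allocated = luks_payload_size + size;
    info->required = luks_payload_size + size;
    return info;

err:
    error_propagate(errp, local_err);
    return NULL;
}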
635 
636 
/* Probe callback of the "luks" driver: the generic probe fixed to LUKS. */
static int block_crypto_probe_luks(const uint8_t *buf,
                                   int buf_size,
                                   const char *filename)
{
    int score = block_crypto_probe_generic(Q_CRYPTO_BLOCK_FORMAT_LUKS,
                                           buf, buf_size, filename);

    return score;
}
643 
/*
 * Open callback of the "luks" driver: the generic open path fixed to the
 * LUKS format and the LUKS runtime option list.
 */
static int block_crypto_open_luks(BlockDriverState *bs,
                                  QDict *options,
                                  int flags,
                                  Error **errp)
{
    QemuOptsList *runtime_opts = &block_crypto_runtime_opts_luks;

    return block_crypto_open_generic(Q_CRYPTO_BLOCK_FORMAT_LUKS,
                                     runtime_opts,
                                     bs, options, flags, errp);
}
653 
/*
 * Create callback taking QAPI options: format the node referenced by
 * create_options->u.luks.file as a LUKS volume.
 *
 * Preallocation defaults to PREALLOC_MODE_OFF when the option is absent.
 * Returns 0 on success, -EIO when the file node cannot be opened, or the
 * negative errno of the generic create path; @errp is set on failure.
 */
static int coroutine_fn GRAPH_UNLOCKED
block_crypto_co_create_luks(BlockdevCreateOptions *create_options, Error **errp)
{
    BlockdevCreateOptionsLUKS *luks_opts;
    QCryptoBlockCreateOptions create_opts;
    PreallocMode preallocation;
    BlockDriverState *bs;
    int ret;

    assert(create_options->driver == BLOCKDEV_DRIVER_LUKS);
    luks_opts = &create_options->u.luks;

    bs = bdrv_co_open_blockdev_ref(luks_opts->file, errp);
    if (bs == NULL) {
        return -EIO;
    }

    create_opts = (QCryptoBlockCreateOptions) {
        .format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
        .u.luks = *qapi_BlockdevCreateOptionsLUKS_base(luks_opts),
    };

    preallocation = luks_opts->has_preallocation ? luks_opts->preallocation
                                                 : PREALLOC_MODE_OFF;

    ret = block_crypto_co_create_generic(bs, luks_opts->size, &create_opts,
                                         preallocation, errp);
    if (ret >= 0) {
        ret = 0;
    }

    /* The node reference is dropped on success and failure alike */
    bdrv_co_unref(bs);
    return ret;
}
691 
/*
 * Create callback taking legacy QemuOpts: create the file @filename and
 * format it as a LUKS volume.
 *
 * Returns 0 on success and a negative errno with @errp set on failure.
 * Once option parsing has succeeded, any later failure goes through the
 * common exit path, which deletes the file behind @bs if it was opened.
 */
static int coroutine_fn GRAPH_UNLOCKED
block_crypto_co_create_opts_luks(BlockDriver *drv, const char *filename,
                                 QemuOpts *opts, Error **errp)
{
    QCryptoBlockCreateOptions *create_opts = NULL;
    BlockDriverState *bs = NULL;
    Error *local_err = NULL;
    QDict *cryptoopts;
    PreallocMode prealloc;
    char *prealloc_str;
    int64_t size;
    int ret;

    /* Step 1: consume the size and preallocation options */
    size = qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0);

    prealloc_str = qemu_opt_get_del(opts, BLOCK_OPT_PREALLOC);
    prealloc = qapi_enum_parse(&PreallocMode_lookup, prealloc_str,
                               PREALLOC_MODE_OFF, &local_err);
    g_free(prealloc_str);
    if (local_err) {
        error_propagate(errp, local_err);
        return -EINVAL;
    }

    /* Step 2: turn the LUKS-specific options into creation options */
    cryptoopts = qemu_opts_to_qdict_filtered(opts, NULL,
                                             &block_crypto_create_opts_luks,
                                             true);
    qdict_put_str(cryptoopts, "format", "luks");

    create_opts = block_crypto_create_opts_init(cryptoopts, errp);
    if (!create_opts) {
        ret = -EINVAL;
        goto fail;
    }

    /* Step 3: create and open the protocol layer */
    ret = bdrv_co_create_file(filename, opts, errp);
    if (ret < 0) {
        goto fail;
    }

    bs = bdrv_co_open(filename, NULL, NULL,
                      BDRV_O_RDWR | BDRV_O_RESIZE | BDRV_O_PROTOCOL, errp);
    if (!bs) {
        ret = -EINVAL;
        goto fail;
    }

    /* Step 4: write the format layer on top of it */
    ret = block_crypto_co_create_generic(bs, size, create_opts, prealloc, errp);
    if (ret >= 0) {
        ret = 0;
    }

fail:
    if (ret != 0) {
        /*
         * Remove 'filename' after a failure. A file that already existed
         * has been truncated and corrupted by now, so it is not kept.
         */
        bdrv_graph_co_rdlock();
        bdrv_co_delete_file_noerr(bs);
        bdrv_graph_co_rdunlock();
    }

    bdrv_co_unref(bs);
    qapi_free_QCryptoBlockCreateOptions(create_opts);
    qobject_unref(cryptoopts);
    return ret;
}
764 
/*
 * Info callback: report the cluster size of the underlying file node.
 * Only bdi->cluster_size is written. Returns 0 on success or the non-zero
 * result of bdrv_co_get_info() on the child.
 */
static int coroutine_fn GRAPH_RDLOCK
block_crypto_co_get_info_luks(BlockDriverState *bs, BlockDriverInfo *bdi)
{
    BlockDriverInfo child_info;
    int rc = bdrv_co_get_info(bs->file->bs, &child_info);

    if (rc == 0) {
        bdi->cluster_size = child_info.cluster_size;
    }

    return rc;
}
780 
/*
 * Return the LUKS-specific image information as a newly allocated
 * ImageInfoSpecific, or NULL with @errp set when the crypto layer cannot
 * provide it.
 */
static ImageInfoSpecific *
block_crypto_get_specific_info_luks(BlockDriverState *bs, Error **errp)
{
    BlockCrypto *crypto = bs->opaque;
    QCryptoBlockInfo *info = qcrypto_block_get_info(crypto->block, errp);
    ImageInfoSpecific *result;

    if (info == NULL) {
        return NULL;
    }
    assert(info->format == Q_CRYPTO_BLOCK_FORMAT_LUKS);

    result = g_new(ImageInfoSpecific, 1);
    result->type = IMAGE_INFO_SPECIFIC_KIND_LUKS;
    result->u.luks.data = g_new(QCryptoBlockInfoLUKS, 1);

    /* Shallow copy: the result takes over everything @info pointed to */
    *result->u.luks.data = info->u.luks;

    /*
     * Clear the source so that freeing @info does not also free the
     * pointers that now belong to the result (double free).
     */
    memset(&info->u.luks, 0, sizeof(info->u.luks));
    qapi_free_QCryptoBlockInfo(info);

    return result;
}
806 
/*
 * Called before keyslots are amended: mark the node as updating keys and
 * refresh the permissions on bs->file, so that the child_perm hook asks
 * for exclusive read/write access to the underlying file.
 *
 * Returns the result of bdrv_child_refresh_perms(); on failure the
 * updating_keys flag is cleared again.
 */
static int GRAPH_RDLOCK
block_crypto_amend_prepare(BlockDriverState *bs, Error **errp)
{
    BlockCrypto *crypto = bs->opaque;
    int rc;

    crypto->updating_keys = true;
    rc = bdrv_child_refresh_perms(bs, bs->file, errp);

    /* Permissions were refused, so no key update is going to happen */
    if (rc < 0) {
        crypto->updating_keys = false;
    }

    return rc;
}
822 
/*
 * Called after keyslots were amended: clear the updating_keys flag and
 * refresh the permissions on bs->file, which releases the exclusive
 * read/write access. A failure to refresh is reported, not returned.
 */
static void GRAPH_RDLOCK
block_crypto_amend_cleanup(BlockDriverState *bs)
{
    BlockCrypto *crypto = bs->opaque;
    Error *local_err = NULL;

    crypto->updating_keys = false;
    bdrv_child_refresh_perms(bs, bs->file, &local_err);

    if (local_err != NULL) {
        error_report_err(local_err);
    }
}
837 
/*
 * Apply @amend_options to the open crypto context of @bs, using this
 * file's header read and write callbacks.
 *
 * Permission handling is not done here; see block_crypto_amend_prepare()
 * and block_crypto_amend_cleanup(). Returns the result of
 * qcrypto_block_amend_options().
 */
static int
block_crypto_amend_options_generic_luks(BlockDriverState *bs,
                                        QCryptoBlockAmendOptions *amend_options,
                                        bool force,
                                        Error **errp)
{
    BlockCrypto *state = bs->opaque;
    int rc;

    assert(state);
    assert(state->block);

    rc = qcrypto_block_amend_options(state->block,
                                     block_crypto_read_func,
                                     block_crypto_write_func,
                                     bs,
                                     amend_options,
                                     force,
                                     errp);
    return rc;
}
857 
/*
 * Amend callback taking legacy QemuOpts.
 *
 * Parses @opts into amend options, takes exclusive permissions on the
 * underlying file, applies the change and releases the permissions again.
 * @status_cb and @cb_opaque are not used.
 *
 * Returns 0 on success; -EINVAL when the options cannot be parsed, or the
 * failing step's error code, with @errp set.
 */
static int GRAPH_RDLOCK
block_crypto_amend_options_luks(BlockDriverState *bs,
                                QemuOpts *opts,
                                BlockDriverAmendStatusCB *status_cb,
                                void *cb_opaque,
                                bool force,
                                Error **errp)
{
    BlockCrypto *crypto = bs->opaque;
    QCryptoBlockAmendOptions *amend_options;
    QDict *optdict;
    int ret;

    assert(crypto);
    assert(crypto->block);

    optdict = qemu_opts_to_qdict(opts, NULL);
    qdict_put_str(optdict, "format", "luks");
    amend_options = block_crypto_amend_opts_init(optdict, errp);
    qobject_unref(optdict);

    if (amend_options == NULL) {
        ret = -EINVAL;
        goto cleanup;
    }

    ret = block_crypto_amend_prepare(bs, errp);
    if (ret == 0) {
        ret = block_crypto_amend_options_generic_luks(bs, amend_options,
                                                      force, errp);
    }

    /* Runs whether or not prepare succeeded */
    block_crypto_amend_cleanup(bs);

cleanup:
    qapi_free_QCryptoBlockAmendOptions(amend_options);
    return ret;
}
895 
/*
 * Amend callback taking QAPI options: wrap the LUKS base options of @opts
 * in a QCryptoBlockAmendOptions and apply them. Permissions are not
 * touched here; the driver table registers separate pre-run and clean
 * hooks for that.
 */
static int
coroutine_fn block_crypto_co_amend_luks(BlockDriverState *bs,
                                        BlockdevAmendOptions *opts,
                                        bool force,
                                        Error **errp)
{
    QCryptoBlockAmendOptions amend_opts = {
        .format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
        .u.luks = *qapi_BlockdevAmendOptionsLUKS_base(&opts->u.luks),
    };

    return block_crypto_amend_options_generic_luks(bs, &amend_opts,
                                                   force, errp);
}
911 
/*
 * Child permission hook.
 *
 * Starts from bdrv_default_perms() and then adjusts the write and resize
 * bits: they are shared whenever the parent shares them, and requested
 * only when the parent requests them. While keyslots are being updated
 * (crypto->updating_keys) write access is requested and consistent-read
 * and write are no longer shared, so only this node can touch the file.
 */
static void
block_crypto_child_perms(BlockDriverState *bs, BdrvChild *c,
                         const BdrvChildRole role,
                         BlockReopenQueue *reopen_queue,
                         uint64_t perm, uint64_t shared,
                         uint64_t *nperm, uint64_t *nshared)
{
    const uint64_t wr_resize = BLK_PERM_WRITE | BLK_PERM_RESIZE;
    BlockCrypto *crypto = bs->opaque;

    bdrv_default_perms(bs, c, role, reopen_queue, perm, shared, nperm, nshared);

    /* Backward compatibility: pass shared write and resize through */
    *nshared |= shared & wr_resize;

    /*
     * This is not fully a format driver, so write/resize are requested
     * only when the parent explicitly asked for them.
     */
    *nperm = (*nperm & ~wr_resize) | (perm & wr_resize);

    /*
     * LUKS metadata is modified only when the encryption slots are
     * updated. The amend path sets crypto->updating_keys for that period
     * and refreshes permissions, which brings us here.
     */
    if (!crypto->updating_keys) {
        return;
    }

    /* The header update needs write access... */
    *nperm |= BLK_PERM_WRITE;
    /* ...and nobody else may read or write the device meanwhile */
    *nshared &= ~(BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE);
}
956 
957 
/*
 * NULL-terminated list referenced by .strong_runtime_opts of the driver;
 * the key secret ID is its only entry.
 */
static const char *const block_crypto_strong_runtime_opts[] = {
    BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET,
    NULL
};
963 
/* Driver table for the "luks" format */
static BlockDriver bdrv_crypto_luks = {
    /* Identity and per-node state */
    .format_name        = "luks",
    .instance_size      = sizeof(BlockCrypto),
    .is_format          = true,
    .strong_runtime_opts = block_crypto_strong_runtime_opts,

    /* Option lists */
    .create_opts        = &block_crypto_create_opts_luks,
    .amend_opts         = &block_crypto_amend_opts_luks,

    /* Lifecycle */
    .bdrv_probe         = block_crypto_probe_luks,
    .bdrv_open          = block_crypto_open_luks,
    .bdrv_close         = block_crypto_close,
    .bdrv_reopen_prepare = block_crypto_reopen_prepare,
    .bdrv_child_perm    = block_crypto_child_perms,

    /* Image creation and sizing */
    .bdrv_co_create     = block_crypto_co_create_luks,
    .bdrv_co_create_opts = block_crypto_co_create_opts_luks,
    .bdrv_co_truncate   = block_crypto_co_truncate,
    .bdrv_measure       = block_crypto_measure,

    /* Data path */
    .bdrv_refresh_limits = block_crypto_refresh_limits,
    .bdrv_co_preadv     = block_crypto_co_preadv,
    .bdrv_co_pwritev    = block_crypto_co_pwritev,
    .bdrv_co_getlength  = block_crypto_co_getlength,

    /* Introspection */
    .bdrv_co_get_info   = block_crypto_co_get_info_luks,
    .bdrv_get_specific_info = block_crypto_get_specific_info_luks,

    /* Keyslot management */
    .bdrv_amend_options = block_crypto_amend_options_luks,
    .bdrv_co_amend      = block_crypto_co_amend_luks,
    .bdrv_amend_pre_run = block_crypto_amend_prepare,
    .bdrv_amend_clean   = block_crypto_amend_cleanup,
};
994 
/* Module init hook: register the "luks" driver with the block layer. */
static void block_crypto_init(void)
{
    bdrv_register(&bdrv_crypto_luks);
}

/* Hook block_crypto_init() into block-layer module initialisation */
block_init(block_crypto_init);
1001