1 /* 2 * QEMU Crypto block device encryption LUKS format 3 * 4 * Copyright (c) 2015-2016 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #include "qemu/osdep.h" 22 #include "qapi/error.h" 23 #include "qemu/bswap.h" 24 25 #include "block-luks.h" 26 #include "block-luks-priv.h" 27 28 #include "crypto/hash.h" 29 #include "crypto/afsplit.h" 30 #include "crypto/pbkdf.h" 31 #include "crypto/secret.h" 32 #include "crypto/random.h" 33 #include "qemu/uuid.h" 34 35 #include "qemu/bitmap.h" 36 37 /* 38 * Reference for the LUKS format implemented here is 39 * 40 * docs/on-disk-format.pdf 41 * 42 * in 'cryptsetup' package source code 43 * 44 * This file implements the 1.2.1 specification, dated 45 * Oct 16, 2011. 46 */ 47 48 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; 49 50 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; 51 struct QCryptoBlockLUKSNameMap { 52 const char *name; 53 int id; 54 }; 55 56 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; 57 struct QCryptoBlockLUKSCipherSizeMap { 58 uint32_t key_bytes; 59 int id; 60 }; 61 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; 62 struct QCryptoBlockLUKSCipherNameMap { 63 const char *name; 64 const QCryptoBlockLUKSCipherSizeMap *sizes; 65 }; 66 67 68 static const QCryptoBlockLUKSCipherSizeMap 69 qcrypto_block_luks_cipher_size_map_aes[] = { 70 { 16, QCRYPTO_CIPHER_ALG_AES_128 }, 71 { 24, QCRYPTO_CIPHER_ALG_AES_192 }, 72 { 32, QCRYPTO_CIPHER_ALG_AES_256 }, 73 { 0, 0 }, 74 }; 75 76 static const QCryptoBlockLUKSCipherSizeMap 77 qcrypto_block_luks_cipher_size_map_cast5[] = { 78 { 16, QCRYPTO_CIPHER_ALG_CAST5_128 }, 79 { 0, 0 }, 80 }; 81 82 static const QCryptoBlockLUKSCipherSizeMap 83 qcrypto_block_luks_cipher_size_map_serpent[] = { 84 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 }, 85 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 }, 86 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 }, 87 { 0, 0 }, 88 }; 89 90 static const QCryptoBlockLUKSCipherSizeMap 91 qcrypto_block_luks_cipher_size_map_twofish[] = { 92 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 }, 93 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 }, 94 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 }, 95 { 0, 0 }, 96 }; 97 98 #ifdef CONFIG_CRYPTO_SM4 99 static const QCryptoBlockLUKSCipherSizeMap 100 qcrypto_block_luks_cipher_size_map_sm4[] = { 101 { 16, QCRYPTO_CIPHER_ALG_SM4}, 102 { 0, 0 }, 103 }; 104 #endif 105 106 static const QCryptoBlockLUKSCipherNameMap 107 qcrypto_block_luks_cipher_name_map[] = { 108 { "aes", qcrypto_block_luks_cipher_size_map_aes }, 109 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, 110 { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, 111 { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, 112 #ifdef CONFIG_CRYPTO_SM4 113 { "sm4", qcrypto_block_luks_cipher_size_map_sm4}, 114 #endif 115 }; 116 117 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); 118 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); 119 120 121 struct QCryptoBlockLUKS { 122 QCryptoBlockLUKSHeader header; 123 124 /* Main encryption algorithm used for encryption*/ 125 QCryptoCipherAlgorithm cipher_alg; 126 127 /* Mode of encryption for the selected encryption algorithm */ 128 QCryptoCipherMode cipher_mode; 129 130 /* Initialization vector generation algorithm */ 131 QCryptoIVGenAlgorithm ivgen_alg; 132 133 /* Hash algorithm used for IV generation*/ 134 QCryptoHashAlgorithm ivgen_hash_alg; 135 136 /* 137 * Encryption algorithm used for IV generation. 138 * Usually the same as main encryption algorithm 139 */ 140 QCryptoCipherAlgorithm ivgen_cipher_alg; 141 142 /* Hash algorithm used in pbkdf2 function */ 143 QCryptoHashAlgorithm hash_alg; 144 145 /* Name of the secret that was used to open the image */ 146 char *secret; 147 }; 148 149 150 static int qcrypto_block_luks_cipher_name_lookup(const char *name, 151 QCryptoCipherMode mode, 152 uint32_t key_bytes, 153 Error **errp) 154 { 155 const QCryptoBlockLUKSCipherNameMap *map = 156 qcrypto_block_luks_cipher_name_map; 157 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 158 size_t i, j; 159 160 if (mode == QCRYPTO_CIPHER_MODE_XTS) { 161 key_bytes /= 2; 162 } 163 164 for (i = 0; i < maplen; i++) { 165 if (!g_str_equal(map[i].name, name)) { 166 continue; 167 } 168 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 169 if (map[i].sizes[j].key_bytes == key_bytes) { 170 return map[i].sizes[j].id; 171 } 172 } 173 } 174 175 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported", 176 name, key_bytes); 177 return 0; 178 } 179 180 static const char * 181 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg, 182 Error **errp) 183 { 184 const QCryptoBlockLUKSCipherNameMap *map = 185 qcrypto_block_luks_cipher_name_map; 186 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 187 size_t i, j; 188 for (i = 0; i < maplen; i++) { 189 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 190 if (map[i].sizes[j].id == alg) { 191 return map[i].name; 192 } 193 } 194 } 195 196 error_setg(errp, "Algorithm '%s' not supported", 197 QCryptoCipherAlgorithm_str(alg)); 198 return NULL; 199 } 200 201 /* XXX replace with qapi_enum_parse() in future, when we can 202 * make that function emit a more friendly error message */ 203 static int qcrypto_block_luks_name_lookup(const char *name, 204 const QEnumLookup *map, 205 const char *type, 206 Error **errp) 207 { 208 int ret = qapi_enum_parse(map, name, -1, NULL); 209 210 if (ret < 0) { 211 error_setg(errp, "%s '%s' not supported", type, name); 212 return 0; 213 } 214 return ret; 215 } 216 217 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ 218 qcrypto_block_luks_name_lookup(name, \ 219 &QCryptoCipherMode_lookup, \ 220 "Cipher mode", \ 221 errp) 222 223 #define qcrypto_block_luks_hash_name_lookup(name, errp) \ 224 qcrypto_block_luks_name_lookup(name, \ 225 &QCryptoHashAlgorithm_lookup, \ 226 "Hash algorithm", \ 227 errp) 228 229 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ 230 qcrypto_block_luks_name_lookup(name, \ 231 &QCryptoIVGenAlgorithm_lookup, \ 232 "IV generator", \ 233 errp) 234 235 236 static bool 237 qcrypto_block_luks_has_format(const uint8_t *buf, 238 size_t buf_size) 239 { 240 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; 241 242 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && 243 memcmp(luks_header->magic, qcrypto_block_luks_magic, 244 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && 245 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { 246 return true; 247 } else { 248 return false; 249 } 250 } 251 252 253 /** 254 * Deal with a quirk of dm-crypt usage of ESSIV. 255 * 256 * When calculating ESSIV IVs, the cipher length used by ESSIV 257 * may be different from the cipher length used for the block 258 * encryption, because dm-crypt uses the hash digest length 259 * as the key size. ie, if you have AES 128 as the block cipher 260 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as 261 * the cipher since that gets a key length matching the digest 262 * size, not AES 128 with truncated digest as might be imagined 263 */ 264 static QCryptoCipherAlgorithm 265 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher, 266 QCryptoHashAlgorithm hash, 267 Error **errp) 268 { 269 size_t digestlen = qcrypto_hash_digest_len(hash); 270 size_t keylen = qcrypto_cipher_get_key_len(cipher); 271 if (digestlen == keylen) { 272 return cipher; 273 } 274 275 switch (cipher) { 276 case QCRYPTO_CIPHER_ALG_AES_128: 277 case QCRYPTO_CIPHER_ALG_AES_192: 278 case QCRYPTO_CIPHER_ALG_AES_256: 279 if (digestlen == qcrypto_cipher_get_key_len( 280 QCRYPTO_CIPHER_ALG_AES_128)) { 281 return QCRYPTO_CIPHER_ALG_AES_128; 282 } else if (digestlen == qcrypto_cipher_get_key_len( 283 QCRYPTO_CIPHER_ALG_AES_192)) { 284 return QCRYPTO_CIPHER_ALG_AES_192; 285 } else if (digestlen == qcrypto_cipher_get_key_len( 286 QCRYPTO_CIPHER_ALG_AES_256)) { 287 return QCRYPTO_CIPHER_ALG_AES_256; 288 } else { 289 error_setg(errp, "No AES cipher with key size %zu available", 290 digestlen); 291 return 0; 292 } 293 break; 294 case QCRYPTO_CIPHER_ALG_SERPENT_128: 295 case QCRYPTO_CIPHER_ALG_SERPENT_192: 296 case QCRYPTO_CIPHER_ALG_SERPENT_256: 297 if (digestlen == qcrypto_cipher_get_key_len( 298 QCRYPTO_CIPHER_ALG_SERPENT_128)) { 299 return QCRYPTO_CIPHER_ALG_SERPENT_128; 300 } else if (digestlen == qcrypto_cipher_get_key_len( 301 QCRYPTO_CIPHER_ALG_SERPENT_192)) { 302 return QCRYPTO_CIPHER_ALG_SERPENT_192; 303 } else if (digestlen == qcrypto_cipher_get_key_len( 304 QCRYPTO_CIPHER_ALG_SERPENT_256)) { 305 return QCRYPTO_CIPHER_ALG_SERPENT_256; 306 } else { 307 error_setg(errp, "No Serpent cipher with key size %zu available", 308 digestlen); 309 return 0; 310 } 311 break; 312 case QCRYPTO_CIPHER_ALG_TWOFISH_128: 313 case QCRYPTO_CIPHER_ALG_TWOFISH_192: 314 case QCRYPTO_CIPHER_ALG_TWOFISH_256: 315 if (digestlen == qcrypto_cipher_get_key_len( 316 QCRYPTO_CIPHER_ALG_TWOFISH_128)) { 317 return QCRYPTO_CIPHER_ALG_TWOFISH_128; 318 } else if (digestlen == qcrypto_cipher_get_key_len( 319 QCRYPTO_CIPHER_ALG_TWOFISH_192)) { 320 return QCRYPTO_CIPHER_ALG_TWOFISH_192; 321 } else if (digestlen == qcrypto_cipher_get_key_len( 322 QCRYPTO_CIPHER_ALG_TWOFISH_256)) { 323 return QCRYPTO_CIPHER_ALG_TWOFISH_256; 324 } else { 325 error_setg(errp, "No Twofish cipher with key size %zu available", 326 digestlen); 327 return 0; 328 } 329 break; 330 default: 331 error_setg(errp, "Cipher %s not supported with essiv", 332 QCryptoCipherAlgorithm_str(cipher)); 333 return 0; 334 } 335 } 336 337 /* 338 * Returns number of sectors needed to store the key material 339 * given number of anti forensic stripes 340 */ 341 static int 342 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks, 343 unsigned int header_sectors, 344 unsigned int stripes) 345 { 346 /* 347 * This calculation doesn't match that shown in the spec, 348 * but instead follows the cryptsetup implementation. 349 */ 350 351 size_t splitkeylen = luks->header.master_key_len * stripes; 352 353 /* First align the key material size to block size*/ 354 size_t splitkeylen_sectors = 355 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE); 356 357 /* Then also align the key material size to the size of the header */ 358 return ROUND_UP(splitkeylen_sectors, header_sectors); 359 } 360 361 362 void 363 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr) 364 { 365 size_t i; 366 367 /* 368 * Everything on disk uses Big Endian (tm), so flip header fields 369 * before writing them 370 */ 371 cpu_to_be16s(&hdr->version); 372 cpu_to_be32s(&hdr->payload_offset_sector); 373 cpu_to_be32s(&hdr->master_key_len); 374 cpu_to_be32s(&hdr->master_key_iterations); 375 376 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 377 cpu_to_be32s(&hdr->key_slots[i].active); 378 cpu_to_be32s(&hdr->key_slots[i].iterations); 379 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector); 380 cpu_to_be32s(&hdr->key_slots[i].stripes); 381 } 382 } 383 384 void 385 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr) 386 { 387 size_t i; 388 389 /* 390 * The header is always stored in big-endian format, so 391 * convert everything to native 392 */ 393 be16_to_cpus(&hdr->version); 394 be32_to_cpus(&hdr->payload_offset_sector); 395 be32_to_cpus(&hdr->master_key_len); 396 be32_to_cpus(&hdr->master_key_iterations); 397 398 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 399 be32_to_cpus(&hdr->key_slots[i].active); 400 be32_to_cpus(&hdr->key_slots[i].iterations); 401 be32_to_cpus(&hdr->key_slots[i].key_offset_sector); 402 be32_to_cpus(&hdr->key_slots[i].stripes); 403 } 404 } 405 406 /* 407 * Stores the main LUKS header, taking care of endianness 408 */ 409 static int 410 qcrypto_block_luks_store_header(QCryptoBlock *block, 411 QCryptoBlockWriteFunc writefunc, 412 void *opaque, 413 Error **errp) 414 { 415 const QCryptoBlockLUKS *luks = block->opaque; 416 Error *local_err = NULL; 417 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL; 418 419 /* Create a copy of the header */ 420 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1); 421 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader)); 422 423 qcrypto_block_luks_to_disk_endian(hdr_copy); 424 425 /* Write out the partition header and key slot headers */ 426 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy), 427 opaque, &local_err); 428 429 if (local_err) { 430 error_propagate(errp, local_err); 431 return -1; 432 } 433 return 0; 434 } 435 436 /* 437 * Loads the main LUKS header, and byteswaps it to native endianness 438 * And run basic sanity checks on it 439 */ 440 static int 441 qcrypto_block_luks_load_header(QCryptoBlock *block, 442 QCryptoBlockReadFunc readfunc, 443 void *opaque, 444 Error **errp) 445 { 446 int rv; 447 QCryptoBlockLUKS *luks = block->opaque; 448 449 /* 450 * Read the entire LUKS header, minus the key material from 451 * the underlying device 452 */ 453 rv = readfunc(block, 0, 454 (uint8_t *)&luks->header, 455 sizeof(luks->header), 456 opaque, 457 errp); 458 if (rv < 0) { 459 return rv; 460 } 461 462 qcrypto_block_luks_from_disk_endian(&luks->header); 463 464 return 0; 465 } 466 467 /* 468 * Does basic sanity checks on the LUKS header 469 */ 470 static int 471 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp) 472 { 473 size_t i, j; 474 475 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 476 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 477 478 if (memcmp(luks->header.magic, qcrypto_block_luks_magic, 479 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { 480 error_setg(errp, "Volume is not in LUKS format"); 481 return -1; 482 } 483 484 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { 485 error_setg(errp, "LUKS version %" PRIu32 " is not supported", 486 luks->header.version); 487 return -1; 488 } 489 490 if (!memchr(luks->header.cipher_name, '\0', 491 sizeof(luks->header.cipher_name))) { 492 error_setg(errp, "LUKS header cipher name is not NUL terminated"); 493 return -1; 494 } 495 496 if (!memchr(luks->header.cipher_mode, '\0', 497 sizeof(luks->header.cipher_mode))) { 498 error_setg(errp, "LUKS header cipher mode is not NUL terminated"); 499 return -1; 500 } 501 502 if (!memchr(luks->header.hash_spec, '\0', 503 sizeof(luks->header.hash_spec))) { 504 error_setg(errp, "LUKS header hash spec is not NUL terminated"); 505 return -1; 506 } 507 508 if (luks->header.payload_offset_sector < 509 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 510 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 511 error_setg(errp, "LUKS payload is overlapping with the header"); 512 return -1; 513 } 514 515 if (luks->header.master_key_iterations == 0) { 516 error_setg(errp, "LUKS key iteration count is zero"); 517 return -1; 518 } 519 520 /* Check all keyslots for corruption */ 521 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) { 522 523 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i]; 524 unsigned int start1 = slot1->key_offset_sector; 525 unsigned int len1 = 526 qcrypto_block_luks_splitkeylen_sectors(luks, 527 header_sectors, 528 slot1->stripes); 529 530 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) { 531 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)", 532 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES); 533 return -1; 534 } 535 536 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED && 537 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 538 error_setg(errp, 539 "Keyslot %zu state (active/disable) is corrupted", i); 540 return -1; 541 } 542 543 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED && 544 slot1->iterations == 0) { 545 error_setg(errp, "Keyslot %zu iteration count is zero", i); 546 return -1; 547 } 548 549 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 550 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 551 error_setg(errp, 552 "Keyslot %zu is overlapping with the LUKS header", 553 i); 554 return -1; 555 } 556 557 if (start1 + len1 > luks->header.payload_offset_sector) { 558 error_setg(errp, 559 "Keyslot %zu is overlapping with the encrypted payload", 560 i); 561 return -1; 562 } 563 564 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) { 565 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j]; 566 unsigned int start2 = slot2->key_offset_sector; 567 unsigned int len2 = 568 qcrypto_block_luks_splitkeylen_sectors(luks, 569 header_sectors, 570 slot2->stripes); 571 572 if (start1 + len1 > start2 && start2 + len2 > start1) { 573 error_setg(errp, 574 "Keyslots %zu and %zu are overlapping in the header", 575 i, j); 576 return -1; 577 } 578 } 579 580 } 581 return 0; 582 } 583 584 /* 585 * Parses the crypto parameters that are stored in the LUKS header 586 */ 587 588 static int 589 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp) 590 { 591 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode); 592 char *ivgen_name, *ivhash_name; 593 Error *local_err = NULL; 594 595 /* 596 * The cipher_mode header contains a string that we have 597 * to further parse, of the format 598 * 599 * <cipher-mode>-<iv-generator>[:<iv-hash>] 600 * 601 * eg cbc-essiv:sha256, cbc-plain64 602 */ 603 ivgen_name = strchr(cipher_mode, '-'); 604 if (!ivgen_name) { 605 error_setg(errp, "Unexpected cipher mode string format '%s'", 606 luks->header.cipher_mode); 607 return -1; 608 } 609 *ivgen_name = '\0'; 610 ivgen_name++; 611 612 ivhash_name = strchr(ivgen_name, ':'); 613 if (!ivhash_name) { 614 luks->ivgen_hash_alg = 0; 615 } else { 616 *ivhash_name = '\0'; 617 ivhash_name++; 618 619 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name, 620 &local_err); 621 if (local_err) { 622 error_propagate(errp, local_err); 623 return -1; 624 } 625 } 626 627 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode, 628 &local_err); 629 if (local_err) { 630 error_propagate(errp, local_err); 631 return -1; 632 } 633 634 luks->cipher_alg = 635 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, 636 luks->cipher_mode, 637 luks->header.master_key_len, 638 &local_err); 639 if (local_err) { 640 error_propagate(errp, local_err); 641 return -1; 642 } 643 644 luks->hash_alg = 645 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, 646 &local_err); 647 if (local_err) { 648 error_propagate(errp, local_err); 649 return -1; 650 } 651 652 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, 653 &local_err); 654 if (local_err) { 655 error_propagate(errp, local_err); 656 return -1; 657 } 658 659 if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 660 if (!ivhash_name) { 661 error_setg(errp, "Missing IV generator hash specification"); 662 return -1; 663 } 664 luks->ivgen_cipher_alg = 665 qcrypto_block_luks_essiv_cipher(luks->cipher_alg, 666 luks->ivgen_hash_alg, 667 &local_err); 668 if (local_err) { 669 error_propagate(errp, local_err); 670 return -1; 671 } 672 } else { 673 674 /* 675 * Note we parsed the ivhash_name earlier in the cipher_mode 676 * spec string even with plain/plain64 ivgens, but we 677 * will ignore it, since it is irrelevant for these ivgens. 678 * This is for compat with dm-crypt which will silently 679 * ignore hash names with these ivgens rather than report 680 * an error about the invalid usage 681 */ 682 luks->ivgen_cipher_alg = luks->cipher_alg; 683 } 684 return 0; 685 } 686 687 /* 688 * Given a key slot, user password, and the master key, 689 * will store the encrypted master key there, and update the 690 * in-memory header. User must then write the in-memory header 691 * 692 * Returns: 693 * 0 if the keyslot was written successfully 694 * with the provided password 695 * -1 if a fatal error occurred while storing the key 696 */ 697 static int 698 qcrypto_block_luks_store_key(QCryptoBlock *block, 699 unsigned int slot_idx, 700 const char *password, 701 uint8_t *masterkey, 702 uint64_t iter_time, 703 QCryptoBlockWriteFunc writefunc, 704 void *opaque, 705 Error **errp) 706 { 707 QCryptoBlockLUKS *luks = block->opaque; 708 QCryptoBlockLUKSKeySlot *slot; 709 g_autofree uint8_t *splitkey = NULL; 710 size_t splitkeylen; 711 g_autofree uint8_t *slotkey = NULL; 712 g_autoptr(QCryptoCipher) cipher = NULL; 713 g_autoptr(QCryptoIVGen) ivgen = NULL; 714 Error *local_err = NULL; 715 uint64_t iters; 716 int ret = -1; 717 718 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 719 slot = &luks->header.key_slots[slot_idx]; 720 splitkeylen = luks->header.master_key_len * slot->stripes; 721 722 if (qcrypto_random_bytes(slot->salt, 723 QCRYPTO_BLOCK_LUKS_SALT_LEN, 724 errp) < 0) { 725 goto cleanup; 726 } 727 728 /* 729 * Determine how many iterations are required to 730 * hash the user password while consuming 1 second of compute 731 * time 732 */ 733 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg, 734 (uint8_t *)password, strlen(password), 735 slot->salt, 736 QCRYPTO_BLOCK_LUKS_SALT_LEN, 737 luks->header.master_key_len, 738 &local_err); 739 if (local_err) { 740 error_propagate(errp, local_err); 741 goto cleanup; 742 } 743 744 if (iters > (ULLONG_MAX / iter_time)) { 745 error_setg_errno(errp, ERANGE, 746 "PBKDF iterations %llu too large to scale", 747 (unsigned long long)iters); 748 goto cleanup; 749 } 750 751 /* iter_time was in millis, but count_iters reported for secs */ 752 iters = iters * iter_time / 1000; 753 754 if (iters > UINT32_MAX) { 755 error_setg_errno(errp, ERANGE, 756 "PBKDF iterations %llu larger than %u", 757 (unsigned long long)iters, UINT32_MAX); 758 goto cleanup; 759 } 760 761 slot->iterations = 762 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); 763 764 765 /* 766 * Generate a key that we'll use to encrypt the master 767 * key, from the user's password 768 */ 769 slotkey = g_new0(uint8_t, luks->header.master_key_len); 770 if (qcrypto_pbkdf2(luks->hash_alg, 771 (uint8_t *)password, strlen(password), 772 slot->salt, 773 QCRYPTO_BLOCK_LUKS_SALT_LEN, 774 slot->iterations, 775 slotkey, luks->header.master_key_len, 776 errp) < 0) { 777 goto cleanup; 778 } 779 780 781 /* 782 * Setup the encryption objects needed to encrypt the 783 * master key material 784 */ 785 cipher = qcrypto_cipher_new(luks->cipher_alg, 786 luks->cipher_mode, 787 slotkey, luks->header.master_key_len, 788 errp); 789 if (!cipher) { 790 goto cleanup; 791 } 792 793 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 794 luks->ivgen_cipher_alg, 795 luks->ivgen_hash_alg, 796 slotkey, luks->header.master_key_len, 797 errp); 798 if (!ivgen) { 799 goto cleanup; 800 } 801 802 /* 803 * Before storing the master key, we need to vastly 804 * increase its size, as protection against forensic 805 * disk data recovery 806 */ 807 splitkey = g_new0(uint8_t, splitkeylen); 808 809 if (qcrypto_afsplit_encode(luks->hash_alg, 810 luks->header.master_key_len, 811 slot->stripes, 812 masterkey, 813 splitkey, 814 errp) < 0) { 815 goto cleanup; 816 } 817 818 /* 819 * Now we encrypt the split master key with the key generated 820 * from the user's password, before storing it 821 */ 822 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen, 823 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 824 0, 825 splitkey, 826 splitkeylen, 827 errp) < 0) { 828 goto cleanup; 829 } 830 831 /* Write out the slot's master key material. */ 832 if (writefunc(block, 833 slot->key_offset_sector * 834 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 835 splitkey, splitkeylen, 836 opaque, 837 errp) < 0) { 838 goto cleanup; 839 } 840 841 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 842 843 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) { 844 goto cleanup; 845 } 846 847 ret = 0; 848 849 cleanup: 850 if (slotkey) { 851 memset(slotkey, 0, luks->header.master_key_len); 852 } 853 if (splitkey) { 854 memset(splitkey, 0, splitkeylen); 855 } 856 return ret; 857 } 858 859 /* 860 * Given a key slot, and user password, this will attempt to unlock 861 * the master encryption key from the key slot. 862 * 863 * Returns: 864 * 0 if the key slot is disabled, or key could not be decrypted 865 * with the provided password 866 * 1 if the key slot is enabled, and key decrypted successfully 867 * with the provided password 868 * -1 if a fatal error occurred loading the key 869 */ 870 static int 871 qcrypto_block_luks_load_key(QCryptoBlock *block, 872 size_t slot_idx, 873 const char *password, 874 uint8_t *masterkey, 875 QCryptoBlockReadFunc readfunc, 876 void *opaque, 877 Error **errp) 878 { 879 QCryptoBlockLUKS *luks = block->opaque; 880 const QCryptoBlockLUKSKeySlot *slot; 881 g_autofree uint8_t *splitkey = NULL; 882 size_t splitkeylen; 883 g_autofree uint8_t *possiblekey = NULL; 884 int rv; 885 g_autoptr(QCryptoCipher) cipher = NULL; 886 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; 887 g_autoptr(QCryptoIVGen) ivgen = NULL; 888 size_t niv; 889 890 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 891 slot = &luks->header.key_slots[slot_idx]; 892 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 893 return 0; 894 } 895 896 splitkeylen = luks->header.master_key_len * slot->stripes; 897 splitkey = g_new0(uint8_t, splitkeylen); 898 possiblekey = g_new0(uint8_t, luks->header.master_key_len); 899 900 /* 901 * The user password is used to generate a (possible) 902 * decryption key. This may or may not successfully 903 * decrypt the master key - we just blindly assume 904 * the key is correct and validate the results of 905 * decryption later. 906 */ 907 if (qcrypto_pbkdf2(luks->hash_alg, 908 (const uint8_t *)password, strlen(password), 909 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, 910 slot->iterations, 911 possiblekey, luks->header.master_key_len, 912 errp) < 0) { 913 return -1; 914 } 915 916 /* 917 * We need to read the master key material from the 918 * LUKS key material header. What we're reading is 919 * not the raw master key, but rather the data after 920 * it has been passed through AFSplit and the result 921 * then encrypted. 922 */ 923 rv = readfunc(block, 924 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 925 splitkey, splitkeylen, 926 opaque, 927 errp); 928 if (rv < 0) { 929 return -1; 930 } 931 932 933 /* Setup the cipher/ivgen that we'll use to try to decrypt 934 * the split master key material */ 935 cipher = qcrypto_cipher_new(luks->cipher_alg, 936 luks->cipher_mode, 937 possiblekey, 938 luks->header.master_key_len, 939 errp); 940 if (!cipher) { 941 return -1; 942 } 943 944 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 945 luks->cipher_mode); 946 947 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 948 luks->ivgen_cipher_alg, 949 luks->ivgen_hash_alg, 950 possiblekey, 951 luks->header.master_key_len, 952 errp); 953 if (!ivgen) { 954 return -1; 955 } 956 957 958 /* 959 * The master key needs to be decrypted in the same 960 * way that the block device payload will be decrypted 961 * later. In particular we'll be using the IV generator 962 * to reset the encryption cipher every time the master 963 * key crosses a sector boundary. 964 */ 965 if (qcrypto_block_cipher_decrypt_helper(cipher, 966 niv, 967 ivgen, 968 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 969 0, 970 splitkey, 971 splitkeylen, 972 errp) < 0) { 973 return -1; 974 } 975 976 /* 977 * Now we've decrypted the split master key, join 978 * it back together to get the actual master key. 979 */ 980 if (qcrypto_afsplit_decode(luks->hash_alg, 981 luks->header.master_key_len, 982 slot->stripes, 983 splitkey, 984 masterkey, 985 errp) < 0) { 986 return -1; 987 } 988 989 990 /* 991 * We still don't know that the masterkey we got is valid, 992 * because we just blindly assumed the user's password 993 * was correct. This is where we now verify it. We are 994 * creating a hash of the master key using PBKDF and 995 * then comparing that to the hash stored in the key slot 996 * header 997 */ 998 if (qcrypto_pbkdf2(luks->hash_alg, 999 masterkey, 1000 luks->header.master_key_len, 1001 luks->header.master_key_salt, 1002 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1003 luks->header.master_key_iterations, 1004 keydigest, 1005 G_N_ELEMENTS(keydigest), 1006 errp) < 0) { 1007 return -1; 1008 } 1009 1010 if (memcmp(keydigest, luks->header.master_key_digest, 1011 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { 1012 /* Success, we got the right master key */ 1013 return 1; 1014 } 1015 1016 /* Fail, user's password was not valid for this key slot, 1017 * tell caller to try another slot */ 1018 return 0; 1019 } 1020 1021 1022 /* 1023 * Given a user password, this will iterate over all key 1024 * slots and try to unlock each active key slot using the 1025 * password until it successfully obtains a master key. 1026 * 1027 * Returns 0 if a key was loaded, -1 if no keys could be loaded 1028 */ 1029 static int 1030 qcrypto_block_luks_find_key(QCryptoBlock *block, 1031 const char *password, 1032 uint8_t *masterkey, 1033 QCryptoBlockReadFunc readfunc, 1034 void *opaque, 1035 Error **errp) 1036 { 1037 size_t i; 1038 int rv; 1039 1040 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1041 rv = qcrypto_block_luks_load_key(block, 1042 i, 1043 password, 1044 masterkey, 1045 readfunc, 1046 opaque, 1047 errp); 1048 if (rv < 0) { 1049 goto error; 1050 } 1051 if (rv == 1) { 1052 return 0; 1053 } 1054 } 1055 1056 error_setg(errp, "Invalid password, cannot unlock any keyslot"); 1057 error: 1058 return -1; 1059 } 1060 1061 /* 1062 * Returns true if a slot i is marked as active 1063 * (contains encrypted copy of the master key) 1064 */ 1065 static bool 1066 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks, 1067 unsigned int slot_idx) 1068 { 1069 uint32_t val; 1070 1071 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1072 val = luks->header.key_slots[slot_idx].active; 1073 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1074 } 1075 1076 /* 1077 * Returns the number of slots that are marked as active 1078 * (slots that contain encrypted copy of the master key) 1079 */ 1080 static unsigned int 1081 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks) 1082 { 1083 size_t i = 0; 1084 unsigned int ret = 0; 1085 1086 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1087 if (qcrypto_block_luks_slot_active(luks, i)) { 1088 ret++; 1089 } 1090 } 1091 return ret; 1092 } 1093 1094 /* 1095 * Finds first key slot which is not active 1096 * Returns the key slot index, or -1 if it doesn't exist 1097 */ 1098 static int 1099 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks) 1100 { 1101 size_t i; 1102 1103 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1104 if (!qcrypto_block_luks_slot_active(luks, i)) { 1105 return i; 1106 } 1107 } 1108 return -1; 1109 } 1110 1111 /* 1112 * Erases an keyslot given its index 1113 * Returns: 1114 * 0 if the keyslot was erased successfully 1115 * -1 if a error occurred while erasing the keyslot 1116 * 1117 */ 1118 static int 1119 qcrypto_block_luks_erase_key(QCryptoBlock *block, 1120 unsigned int slot_idx, 1121 QCryptoBlockWriteFunc writefunc, 1122 void *opaque, 1123 Error **errp) 1124 { 1125 QCryptoBlockLUKS *luks = block->opaque; 1126 QCryptoBlockLUKSKeySlot *slot; 1127 g_autofree uint8_t *garbagesplitkey = NULL; 1128 size_t splitkeylen; 1129 size_t i; 1130 Error *local_err = NULL; 1131 int ret; 1132 1133 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1134 slot = &luks->header.key_slots[slot_idx]; 1135 1136 splitkeylen = luks->header.master_key_len * slot->stripes; 1137 assert(splitkeylen > 0); 1138 1139 garbagesplitkey = g_new0(uint8_t, splitkeylen); 1140 1141 /* Reset the key slot header */ 1142 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN); 1143 slot->iterations = 0; 1144 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1145 1146 ret = qcrypto_block_luks_store_header(block, writefunc, 1147 opaque, &local_err); 1148 1149 if (ret < 0) { 1150 error_propagate(errp, local_err); 1151 } 1152 /* 1153 * Now try to erase the key material, even if the header 1154 * update failed 1155 */ 1156 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) { 1157 if (qcrypto_random_bytes(garbagesplitkey, 1158 splitkeylen, &local_err) < 0) { 1159 /* 1160 * If we failed to get the random data, still write 1161 * at least zeros to the key slot at least once 1162 */ 1163 error_propagate(errp, local_err); 1164 1165 if (i > 0) { 1166 return -1; 1167 } 1168 } 1169 if (writefunc(block, 1170 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1171 garbagesplitkey, 1172 splitkeylen, 1173 opaque, 1174 &local_err) < 0) { 1175 error_propagate(errp, local_err); 1176 return -1; 1177 } 1178 } 1179 return ret; 1180 } 1181 1182 static int 1183 qcrypto_block_luks_open(QCryptoBlock *block, 1184 QCryptoBlockOpenOptions *options, 1185 const char *optprefix, 1186 QCryptoBlockReadFunc readfunc, 1187 void *opaque, 1188 unsigned int flags, 1189 size_t n_threads, 1190 Error **errp) 1191 { 1192 QCryptoBlockLUKS *luks = NULL; 1193 g_autofree uint8_t *masterkey = NULL; 1194 g_autofree char *password = NULL; 1195 1196 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1197 if (!options->u.luks.key_secret) { 1198 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1199 optprefix ? optprefix : ""); 1200 return -1; 1201 } 1202 password = qcrypto_secret_lookup_as_utf8( 1203 options->u.luks.key_secret, errp); 1204 if (!password) { 1205 return -1; 1206 } 1207 } 1208 1209 luks = g_new0(QCryptoBlockLUKS, 1); 1210 block->opaque = luks; 1211 luks->secret = g_strdup(options->u.luks.key_secret); 1212 1213 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) { 1214 goto fail; 1215 } 1216 1217 if (qcrypto_block_luks_check_header(luks, errp) < 0) { 1218 goto fail; 1219 } 1220 1221 if (qcrypto_block_luks_parse_header(luks, errp) < 0) { 1222 goto fail; 1223 } 1224 1225 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1226 /* Try to find which key slot our password is valid for 1227 * and unlock the master key from that slot. 1228 */ 1229 1230 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1231 1232 if (qcrypto_block_luks_find_key(block, 1233 password, 1234 masterkey, 1235 readfunc, opaque, 1236 errp) < 0) { 1237 goto fail; 1238 } 1239 1240 /* We have a valid master key now, so can setup the 1241 * block device payload decryption objects 1242 */ 1243 block->kdfhash = luks->hash_alg; 1244 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 1245 luks->cipher_mode); 1246 1247 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 1248 luks->ivgen_cipher_alg, 1249 luks->ivgen_hash_alg, 1250 masterkey, 1251 luks->header.master_key_len, 1252 errp); 1253 if (!block->ivgen) { 1254 goto fail; 1255 } 1256 1257 if (qcrypto_block_init_cipher(block, 1258 luks->cipher_alg, 1259 luks->cipher_mode, 1260 masterkey, 1261 luks->header.master_key_len, 1262 n_threads, 1263 errp) < 0) { 1264 goto fail; 1265 } 1266 } 1267 1268 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1269 block->payload_offset = luks->header.payload_offset_sector * 1270 block->sector_size; 1271 1272 return 0; 1273 1274 fail: 1275 qcrypto_block_free_cipher(block); 1276 qcrypto_ivgen_free(block->ivgen); 1277 g_free(luks->secret); 1278 g_free(luks); 1279 return -1; 1280 } 1281 1282 1283 static void 1284 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr) 1285 { 1286 QemuUUID uuid; 1287 qemu_uuid_generate(&uuid); 1288 qemu_uuid_unparse(&uuid, (char *)uuidstr); 1289 } 1290 1291 static int 1292 qcrypto_block_luks_create(QCryptoBlock *block, 1293 QCryptoBlockCreateOptions *options, 1294 const char *optprefix, 1295 QCryptoBlockInitFunc initfunc, 1296 QCryptoBlockWriteFunc writefunc, 1297 void *opaque, 1298 Error **errp) 1299 { 1300 QCryptoBlockLUKS *luks; 1301 QCryptoBlockCreateOptionsLUKS luks_opts; 1302 Error *local_err = NULL; 1303 g_autofree uint8_t *masterkey = NULL; 1304 size_t header_sectors; 1305 size_t split_key_sectors; 1306 size_t i; 1307 g_autofree char *password = NULL; 1308 const char *cipher_alg; 1309 const char *cipher_mode; 1310 const char *ivgen_alg; 1311 const char *ivgen_hash_alg = NULL; 1312 const char *hash_alg; 1313 g_autofree char *cipher_mode_spec = NULL; 1314 uint64_t iters; 1315 1316 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); 1317 if (!luks_opts.has_iter_time) { 1318 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1319 } 1320 if (!luks_opts.has_cipher_alg) { 1321 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256; 1322 } 1323 if (!luks_opts.has_cipher_mode) { 1324 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; 1325 } 1326 if (!luks_opts.has_ivgen_alg) { 1327 luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64; 1328 } 1329 if (!luks_opts.has_hash_alg) { 1330 luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; 1331 } 1332 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1333 if (!luks_opts.has_ivgen_hash_alg) { 1334 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256; 1335 luks_opts.has_ivgen_hash_alg = true; 1336 } 1337 } 1338 1339 luks = g_new0(QCryptoBlockLUKS, 1); 1340 block->opaque = luks; 1341 1342 luks->cipher_alg = luks_opts.cipher_alg; 1343 luks->cipher_mode = luks_opts.cipher_mode; 1344 luks->ivgen_alg = luks_opts.ivgen_alg; 1345 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; 1346 luks->hash_alg = luks_opts.hash_alg; 1347 1348 1349 /* Note we're allowing ivgen_hash_alg to be set even for 1350 * non-essiv iv generators that don't need a hash. It will 1351 * be silently ignored, for compatibility with dm-crypt */ 1352 1353 if (!options->u.luks.key_secret) { 1354 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1355 optprefix ? optprefix : ""); 1356 goto error; 1357 } 1358 luks->secret = g_strdup(options->u.luks.key_secret); 1359 1360 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); 1361 if (!password) { 1362 goto error; 1363 } 1364 1365 1366 memcpy(luks->header.magic, qcrypto_block_luks_magic, 1367 QCRYPTO_BLOCK_LUKS_MAGIC_LEN); 1368 1369 /* We populate the header in native endianness initially and 1370 * then convert everything to big endian just before writing 1371 * it out to disk 1372 */ 1373 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; 1374 qcrypto_block_luks_uuid_gen(luks->header.uuid); 1375 1376 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, 1377 errp); 1378 if (!cipher_alg) { 1379 goto error; 1380 } 1381 1382 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode); 1383 ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg); 1384 if (luks_opts.has_ivgen_hash_alg) { 1385 ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg); 1386 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, 1387 ivgen_hash_alg); 1388 } else { 1389 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); 1390 } 1391 hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg); 1392 1393 1394 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { 1395 error_setg(errp, "Cipher name '%s' is too long for LUKS header", 1396 cipher_alg); 1397 goto error; 1398 } 1399 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { 1400 error_setg(errp, "Cipher mode '%s' is too long for LUKS header", 1401 cipher_mode_spec); 1402 goto error; 1403 } 1404 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { 1405 error_setg(errp, "Hash name '%s' is too long for LUKS header", 1406 hash_alg); 1407 goto error; 1408 } 1409 1410 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1411 luks->ivgen_cipher_alg = 1412 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, 1413 luks_opts.ivgen_hash_alg, 1414 &local_err); 1415 if (local_err) { 1416 error_propagate(errp, local_err); 1417 goto error; 1418 } 1419 } else { 1420 luks->ivgen_cipher_alg = luks_opts.cipher_alg; 1421 } 1422 1423 strcpy(luks->header.cipher_name, cipher_alg); 1424 strcpy(luks->header.cipher_mode, cipher_mode_spec); 1425 strcpy(luks->header.hash_spec, hash_alg); 1426 1427 luks->header.master_key_len = 1428 qcrypto_cipher_get_key_len(luks_opts.cipher_alg); 1429 1430 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { 1431 luks->header.master_key_len *= 2; 1432 } 1433 1434 /* Generate the salt used for hashing the master key 1435 * with PBKDF later 1436 */ 1437 if (qcrypto_random_bytes(luks->header.master_key_salt, 1438 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1439 errp) < 0) { 1440 goto error; 1441 } 1442 1443 /* Generate random master key */ 1444 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1445 if (qcrypto_random_bytes(masterkey, 1446 luks->header.master_key_len, errp) < 0) { 1447 goto error; 1448 } 1449 1450 1451 /* Setup the block device payload encryption objects */ 1452 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg, 1453 luks_opts.cipher_mode, masterkey, 1454 luks->header.master_key_len, 1, errp) < 0) { 1455 goto error; 1456 } 1457 1458 block->kdfhash = luks_opts.hash_alg; 1459 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, 1460 luks_opts.cipher_mode); 1461 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, 1462 luks->ivgen_cipher_alg, 1463 luks_opts.ivgen_hash_alg, 1464 masterkey, luks->header.master_key_len, 1465 errp); 1466 1467 if (!block->ivgen) { 1468 goto error; 1469 } 1470 1471 1472 /* Determine how many iterations we need to hash the master 1473 * key, in order to have 1 second of compute time used 1474 */ 1475 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, 1476 masterkey, luks->header.master_key_len, 1477 luks->header.master_key_salt, 1478 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1479 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1480 &local_err); 1481 if (local_err) { 1482 error_propagate(errp, local_err); 1483 goto error; 1484 } 1485 1486 if (iters > (ULLONG_MAX / luks_opts.iter_time)) { 1487 error_setg_errno(errp, ERANGE, 1488 "PBKDF iterations %llu too large to scale", 1489 (unsigned long long)iters); 1490 goto error; 1491 } 1492 1493 /* iter_time was in millis, but count_iters reported for secs */ 1494 iters = iters * luks_opts.iter_time / 1000; 1495 1496 /* Why /= 8 ? That matches cryptsetup, but there's no 1497 * explanation why they chose /= 8... Probably so that 1498 * if all 8 keyslots are active we only spend 1 second 1499 * in total time to check all keys */ 1500 iters /= 8; 1501 if (iters > UINT32_MAX) { 1502 error_setg_errno(errp, ERANGE, 1503 "PBKDF iterations %llu larger than %u", 1504 (unsigned long long)iters, UINT32_MAX); 1505 goto error; 1506 } 1507 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); 1508 luks->header.master_key_iterations = iters; 1509 1510 /* Hash the master key, saving the result in the LUKS 1511 * header. This hash is used when opening the encrypted 1512 * device to verify that the user password unlocked a 1513 * valid master key 1514 */ 1515 if (qcrypto_pbkdf2(luks_opts.hash_alg, 1516 masterkey, luks->header.master_key_len, 1517 luks->header.master_key_salt, 1518 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1519 luks->header.master_key_iterations, 1520 luks->header.master_key_digest, 1521 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1522 errp) < 0) { 1523 goto error; 1524 } 1525 1526 /* start with the sector that follows the header*/ 1527 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 1528 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1529 1530 split_key_sectors = 1531 qcrypto_block_luks_splitkeylen_sectors(luks, 1532 header_sectors, 1533 QCRYPTO_BLOCK_LUKS_STRIPES); 1534 1535 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1536 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i]; 1537 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1538 1539 slot->key_offset_sector = header_sectors + i * split_key_sectors; 1540 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES; 1541 } 1542 1543 /* The total size of the LUKS headers is the partition header + key 1544 * slot headers, rounded up to the nearest sector, combined with 1545 * the size of each master key material region, also rounded up 1546 * to the nearest sector */ 1547 luks->header.payload_offset_sector = header_sectors + 1548 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors; 1549 1550 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1551 block->payload_offset = luks->header.payload_offset_sector * 1552 block->sector_size; 1553 1554 /* Reserve header space to match payload offset */ 1555 initfunc(block, block->payload_offset, opaque, &local_err); 1556 if (local_err) { 1557 error_propagate(errp, local_err); 1558 goto error; 1559 } 1560 1561 1562 /* populate the slot 0 with the password encrypted master key*/ 1563 /* This will also store the header */ 1564 if (qcrypto_block_luks_store_key(block, 1565 0, 1566 password, 1567 masterkey, 1568 luks_opts.iter_time, 1569 writefunc, 1570 opaque, 1571 errp) < 0) { 1572 goto error; 1573 } 1574 1575 memset(masterkey, 0, luks->header.master_key_len); 1576 1577 return 0; 1578 1579 error: 1580 if (masterkey) { 1581 memset(masterkey, 0, luks->header.master_key_len); 1582 } 1583 1584 qcrypto_block_free_cipher(block); 1585 qcrypto_ivgen_free(block->ivgen); 1586 1587 g_free(luks->secret); 1588 g_free(luks); 1589 return -1; 1590 } 1591 1592 static int 1593 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block, 1594 QCryptoBlockReadFunc readfunc, 1595 QCryptoBlockWriteFunc writefunc, 1596 void *opaque, 1597 QCryptoBlockAmendOptionsLUKS *opts_luks, 1598 bool force, 1599 Error **errp) 1600 { 1601 QCryptoBlockLUKS *luks = block->opaque; 1602 uint64_t iter_time = opts_luks->has_iter_time ? 1603 opts_luks->iter_time : 1604 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1605 int keyslot; 1606 g_autofree char *old_password = NULL; 1607 g_autofree char *new_password = NULL; 1608 g_autofree uint8_t *master_key = NULL; 1609 1610 char *secret = opts_luks->secret ?: luks->secret; 1611 1612 if (!opts_luks->new_secret) { 1613 error_setg(errp, "'new-secret' is required to activate a keyslot"); 1614 return -1; 1615 } 1616 if (opts_luks->old_secret) { 1617 error_setg(errp, 1618 "'old-secret' must not be given when activating keyslots"); 1619 return -1; 1620 } 1621 1622 if (opts_luks->has_keyslot) { 1623 keyslot = opts_luks->keyslot; 1624 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1625 error_setg(errp, 1626 "Invalid keyslot %u specified, must be between 0 and %u", 1627 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1628 return -1; 1629 } 1630 } else { 1631 keyslot = qcrypto_block_luks_find_free_keyslot(luks); 1632 if (keyslot == -1) { 1633 error_setg(errp, 1634 "Can't add a keyslot - all keyslots are in use"); 1635 return -1; 1636 } 1637 } 1638 1639 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) { 1640 error_setg(errp, 1641 "Refusing to overwrite active keyslot %i - " 1642 "please erase it first", 1643 keyslot); 1644 return -1; 1645 } 1646 1647 /* Locate the password that will be used to retrieve the master key */ 1648 old_password = qcrypto_secret_lookup_as_utf8(secret, errp); 1649 if (!old_password) { 1650 return -1; 1651 } 1652 1653 /* Retrieve the master key */ 1654 master_key = g_new0(uint8_t, luks->header.master_key_len); 1655 1656 if (qcrypto_block_luks_find_key(block, old_password, master_key, 1657 readfunc, opaque, errp) < 0) { 1658 error_append_hint(errp, "Failed to retrieve the master key"); 1659 return -1; 1660 } 1661 1662 /* Locate the new password*/ 1663 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp); 1664 if (!new_password) { 1665 return -1; 1666 } 1667 1668 /* Now set the new keyslots */ 1669 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key, 1670 iter_time, writefunc, opaque, errp)) { 1671 error_append_hint(errp, "Failed to write to keyslot %i", keyslot); 1672 return -1; 1673 } 1674 return 0; 1675 } 1676 1677 static int 1678 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block, 1679 QCryptoBlockReadFunc readfunc, 1680 QCryptoBlockWriteFunc writefunc, 1681 void *opaque, 1682 QCryptoBlockAmendOptionsLUKS *opts_luks, 1683 bool force, 1684 Error **errp) 1685 { 1686 QCryptoBlockLUKS *luks = block->opaque; 1687 g_autofree uint8_t *tmpkey = NULL; 1688 g_autofree char *old_password = NULL; 1689 1690 if (opts_luks->new_secret) { 1691 error_setg(errp, 1692 "'new-secret' must not be given when erasing keyslots"); 1693 return -1; 1694 } 1695 if (opts_luks->has_iter_time) { 1696 error_setg(errp, 1697 "'iter-time' must not be given when erasing keyslots"); 1698 return -1; 1699 } 1700 if (opts_luks->secret) { 1701 error_setg(errp, 1702 "'secret' must not be given when erasing keyslots"); 1703 return -1; 1704 } 1705 1706 /* Load the old password if given */ 1707 if (opts_luks->old_secret) { 1708 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret, 1709 errp); 1710 if (!old_password) { 1711 return -1; 1712 } 1713 1714 /* 1715 * Allocate a temporary key buffer that we will need when 1716 * checking if slot matches the given old password 1717 */ 1718 tmpkey = g_new0(uint8_t, luks->header.master_key_len); 1719 } 1720 1721 /* Erase an explicitly given keyslot */ 1722 if (opts_luks->has_keyslot) { 1723 int keyslot = opts_luks->keyslot; 1724 1725 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1726 error_setg(errp, 1727 "Invalid keyslot %i specified, must be between 0 and %i", 1728 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1729 return -1; 1730 } 1731 1732 if (opts_luks->old_secret) { 1733 int rv = qcrypto_block_luks_load_key(block, 1734 keyslot, 1735 old_password, 1736 tmpkey, 1737 readfunc, 1738 opaque, 1739 errp); 1740 if (rv == -1) { 1741 return -1; 1742 } else if (rv == 0) { 1743 error_setg(errp, 1744 "Given keyslot %i doesn't contain the given " 1745 "old password for erase operation", 1746 keyslot); 1747 return -1; 1748 } 1749 } 1750 1751 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) { 1752 error_setg(errp, 1753 "Given keyslot %i is already erased (inactive) ", 1754 keyslot); 1755 return -1; 1756 } 1757 1758 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) { 1759 error_setg(errp, 1760 "Attempt to erase the only active keyslot %i " 1761 "which will erase all the data in the image " 1762 "irreversibly - refusing operation", 1763 keyslot); 1764 return -1; 1765 } 1766 1767 if (qcrypto_block_luks_erase_key(block, keyslot, 1768 writefunc, opaque, errp)) { 1769 error_append_hint(errp, "Failed to erase keyslot %i", keyslot); 1770 return -1; 1771 } 1772 1773 /* Erase all keyslots that match the given old password */ 1774 } else if (opts_luks->old_secret) { 1775 1776 unsigned long slots_to_erase_bitmap = 0; 1777 size_t i; 1778 int slot_count; 1779 1780 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <= 1781 sizeof(slots_to_erase_bitmap) * 8); 1782 1783 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1784 int rv = qcrypto_block_luks_load_key(block, 1785 i, 1786 old_password, 1787 tmpkey, 1788 readfunc, 1789 opaque, 1790 errp); 1791 if (rv == -1) { 1792 return -1; 1793 } else if (rv == 1) { 1794 bitmap_set(&slots_to_erase_bitmap, i, 1); 1795 } 1796 } 1797 1798 slot_count = bitmap_count_one(&slots_to_erase_bitmap, 1799 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1800 if (slot_count == 0) { 1801 error_setg(errp, 1802 "No keyslots match given (old) password for erase operation"); 1803 return -1; 1804 } 1805 1806 if (!force && 1807 slot_count == qcrypto_block_luks_count_active_slots(luks)) { 1808 error_setg(errp, 1809 "All the active keyslots match the (old) password that " 1810 "was given and erasing them will erase all the data in " 1811 "the image irreversibly - refusing operation"); 1812 return -1; 1813 } 1814 1815 /* Now apply the update */ 1816 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1817 if (!test_bit(i, &slots_to_erase_bitmap)) { 1818 continue; 1819 } 1820 if (qcrypto_block_luks_erase_key(block, i, writefunc, 1821 opaque, errp)) { 1822 error_append_hint(errp, "Failed to erase keyslot %zu", i); 1823 return -1; 1824 } 1825 } 1826 } else { 1827 error_setg(errp, 1828 "To erase keyslot(s), either explicit keyslot index " 1829 "or the password currently contained in them must be given"); 1830 return -1; 1831 } 1832 return 0; 1833 } 1834 1835 static int 1836 qcrypto_block_luks_amend_options(QCryptoBlock *block, 1837 QCryptoBlockReadFunc readfunc, 1838 QCryptoBlockWriteFunc writefunc, 1839 void *opaque, 1840 QCryptoBlockAmendOptions *options, 1841 bool force, 1842 Error **errp) 1843 { 1844 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks; 1845 1846 switch (opts_luks->state) { 1847 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE: 1848 return qcrypto_block_luks_amend_add_keyslot(block, readfunc, 1849 writefunc, opaque, 1850 opts_luks, force, errp); 1851 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE: 1852 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc, 1853 writefunc, opaque, 1854 opts_luks, force, errp); 1855 default: 1856 g_assert_not_reached(); 1857 } 1858 } 1859 1860 static int qcrypto_block_luks_get_info(QCryptoBlock *block, 1861 QCryptoBlockInfo *info, 1862 Error **errp) 1863 { 1864 QCryptoBlockLUKS *luks = block->opaque; 1865 QCryptoBlockInfoLUKSSlot *slot; 1866 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots; 1867 size_t i; 1868 1869 info->u.luks.cipher_alg = luks->cipher_alg; 1870 info->u.luks.cipher_mode = luks->cipher_mode; 1871 info->u.luks.ivgen_alg = luks->ivgen_alg; 1872 if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1873 info->u.luks.has_ivgen_hash_alg = true; 1874 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; 1875 } 1876 info->u.luks.hash_alg = luks->hash_alg; 1877 info->u.luks.payload_offset = block->payload_offset; 1878 info->u.luks.master_key_iters = luks->header.master_key_iterations; 1879 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, 1880 sizeof(luks->header.uuid)); 1881 1882 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1883 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); 1884 slot->active = luks->header.key_slots[i].active == 1885 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1886 slot->key_offset = luks->header.key_slots[i].key_offset_sector 1887 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1888 if (slot->active) { 1889 slot->has_iters = true; 1890 slot->iters = luks->header.key_slots[i].iterations; 1891 slot->has_stripes = true; 1892 slot->stripes = luks->header.key_slots[i].stripes; 1893 } 1894 1895 QAPI_LIST_APPEND(tail, slot); 1896 } 1897 1898 return 0; 1899 } 1900 1901 1902 static void qcrypto_block_luks_cleanup(QCryptoBlock *block) 1903 { 1904 QCryptoBlockLUKS *luks = block->opaque; 1905 if (luks) { 1906 g_free(luks->secret); 1907 g_free(luks); 1908 } 1909 } 1910 1911 1912 static int 1913 qcrypto_block_luks_decrypt(QCryptoBlock *block, 1914 uint64_t offset, 1915 uint8_t *buf, 1916 size_t len, 1917 Error **errp) 1918 { 1919 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1920 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1921 return qcrypto_block_decrypt_helper(block, 1922 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1923 offset, buf, len, errp); 1924 } 1925 1926 1927 static int 1928 qcrypto_block_luks_encrypt(QCryptoBlock *block, 1929 uint64_t offset, 1930 uint8_t *buf, 1931 size_t len, 1932 Error **errp) 1933 { 1934 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1935 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1936 return qcrypto_block_encrypt_helper(block, 1937 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1938 offset, buf, len, errp); 1939 } 1940 1941 1942 const QCryptoBlockDriver qcrypto_block_driver_luks = { 1943 .open = qcrypto_block_luks_open, 1944 .create = qcrypto_block_luks_create, 1945 .amend = qcrypto_block_luks_amend_options, 1946 .get_info = qcrypto_block_luks_get_info, 1947 .cleanup = qcrypto_block_luks_cleanup, 1948 .decrypt = qcrypto_block_luks_decrypt, 1949 .encrypt = qcrypto_block_luks_encrypt, 1950 .has_format = qcrypto_block_luks_has_format, 1951 }; 1952