1 /* 2 * QEMU Crypto block device encryption LUKS format 3 * 4 * Copyright (c) 2015-2016 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #include "qemu/osdep.h" 22 #include "qapi/error.h" 23 #include "qemu/bswap.h" 24 25 #include "block-luks.h" 26 #include "block-luks-priv.h" 27 28 #include "crypto/hash.h" 29 #include "crypto/afsplit.h" 30 #include "crypto/pbkdf.h" 31 #include "crypto/secret.h" 32 #include "crypto/random.h" 33 #include "qemu/uuid.h" 34 35 #include "qemu/coroutine.h" 36 #include "qemu/bitmap.h" 37 38 /* 39 * Reference for the LUKS format implemented here is 40 * 41 * docs/on-disk-format.pdf 42 * 43 * in 'cryptsetup' package source code 44 * 45 * This file implements the 1.2.1 specification, dated 46 * Oct 16, 2011. 47 */ 48 49 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; 50 51 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; 52 struct QCryptoBlockLUKSNameMap { 53 const char *name; 54 int id; 55 }; 56 57 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; 58 struct QCryptoBlockLUKSCipherSizeMap { 59 uint32_t key_bytes; 60 int id; 61 }; 62 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; 63 struct QCryptoBlockLUKSCipherNameMap { 64 const char *name; 65 const QCryptoBlockLUKSCipherSizeMap *sizes; 66 }; 67 68 69 static const QCryptoBlockLUKSCipherSizeMap 70 qcrypto_block_luks_cipher_size_map_aes[] = { 71 { 16, QCRYPTO_CIPHER_ALG_AES_128 }, 72 { 24, QCRYPTO_CIPHER_ALG_AES_192 }, 73 { 32, QCRYPTO_CIPHER_ALG_AES_256 }, 74 { 0, 0 }, 75 }; 76 77 static const QCryptoBlockLUKSCipherSizeMap 78 qcrypto_block_luks_cipher_size_map_cast5[] = { 79 { 16, QCRYPTO_CIPHER_ALG_CAST5_128 }, 80 { 0, 0 }, 81 }; 82 83 static const QCryptoBlockLUKSCipherSizeMap 84 qcrypto_block_luks_cipher_size_map_serpent[] = { 85 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 }, 86 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 }, 87 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 }, 88 { 0, 0 }, 89 }; 90 91 static const QCryptoBlockLUKSCipherSizeMap 92 qcrypto_block_luks_cipher_size_map_twofish[] = { 93 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 }, 94 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 }, 95 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 }, 96 { 0, 0 }, 97 }; 98 99 static const QCryptoBlockLUKSCipherNameMap 100 qcrypto_block_luks_cipher_name_map[] = { 101 { "aes", qcrypto_block_luks_cipher_size_map_aes }, 102 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, 103 { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, 104 { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, 105 }; 106 107 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); 108 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); 109 110 111 struct QCryptoBlockLUKS { 112 QCryptoBlockLUKSHeader header; 113 114 /* Main encryption algorithm used for encryption*/ 115 QCryptoCipherAlgorithm cipher_alg; 116 117 /* Mode of encryption for the selected encryption algorithm */ 118 QCryptoCipherMode cipher_mode; 119 120 /* Initialization vector generation algorithm */ 121 QCryptoIVGenAlgorithm ivgen_alg; 122 123 /* Hash algorithm used for IV generation*/ 124 QCryptoHashAlgorithm ivgen_hash_alg; 125 126 /* 127 * Encryption algorithm used for IV generation. 128 * Usually the same as main encryption algorithm 129 */ 130 QCryptoCipherAlgorithm ivgen_cipher_alg; 131 132 /* Hash algorithm used in pbkdf2 function */ 133 QCryptoHashAlgorithm hash_alg; 134 135 /* Name of the secret that was used to open the image */ 136 char *secret; 137 }; 138 139 140 static int qcrypto_block_luks_cipher_name_lookup(const char *name, 141 QCryptoCipherMode mode, 142 uint32_t key_bytes, 143 Error **errp) 144 { 145 const QCryptoBlockLUKSCipherNameMap *map = 146 qcrypto_block_luks_cipher_name_map; 147 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 148 size_t i, j; 149 150 if (mode == QCRYPTO_CIPHER_MODE_XTS) { 151 key_bytes /= 2; 152 } 153 154 for (i = 0; i < maplen; i++) { 155 if (!g_str_equal(map[i].name, name)) { 156 continue; 157 } 158 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 159 if (map[i].sizes[j].key_bytes == key_bytes) { 160 return map[i].sizes[j].id; 161 } 162 } 163 } 164 165 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported", 166 name, key_bytes); 167 return 0; 168 } 169 170 static const char * 171 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg, 172 Error **errp) 173 { 174 const QCryptoBlockLUKSCipherNameMap *map = 175 qcrypto_block_luks_cipher_name_map; 176 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 177 size_t i, j; 178 for (i = 0; i < maplen; i++) { 179 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 180 if (map[i].sizes[j].id == alg) { 181 return map[i].name; 182 } 183 } 184 } 185 186 error_setg(errp, "Algorithm '%s' not supported", 187 QCryptoCipherAlgorithm_str(alg)); 188 return NULL; 189 } 190 191 /* XXX replace with qapi_enum_parse() in future, when we can 192 * make that function emit a more friendly error message */ 193 static int qcrypto_block_luks_name_lookup(const char *name, 194 const QEnumLookup *map, 195 const char *type, 196 Error **errp) 197 { 198 int ret = qapi_enum_parse(map, name, -1, NULL); 199 200 if (ret < 0) { 201 error_setg(errp, "%s '%s' not supported", type, name); 202 return 0; 203 } 204 return ret; 205 } 206 207 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ 208 qcrypto_block_luks_name_lookup(name, \ 209 &QCryptoCipherMode_lookup, \ 210 "Cipher mode", \ 211 errp) 212 213 #define qcrypto_block_luks_hash_name_lookup(name, errp) \ 214 qcrypto_block_luks_name_lookup(name, \ 215 &QCryptoHashAlgorithm_lookup, \ 216 "Hash algorithm", \ 217 errp) 218 219 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ 220 qcrypto_block_luks_name_lookup(name, \ 221 &QCryptoIVGenAlgorithm_lookup, \ 222 "IV generator", \ 223 errp) 224 225 226 static bool 227 qcrypto_block_luks_has_format(const uint8_t *buf, 228 size_t buf_size) 229 { 230 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; 231 232 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && 233 memcmp(luks_header->magic, qcrypto_block_luks_magic, 234 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && 235 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { 236 return true; 237 } else { 238 return false; 239 } 240 } 241 242 243 /** 244 * Deal with a quirk of dm-crypt usage of ESSIV. 245 * 246 * When calculating ESSIV IVs, the cipher length used by ESSIV 247 * may be different from the cipher length used for the block 248 * encryption, becauses dm-crypt uses the hash digest length 249 * as the key size. ie, if you have AES 128 as the block cipher 250 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as 251 * the cipher since that gets a key length matching the digest 252 * size, not AES 128 with truncated digest as might be imagined 253 */ 254 static QCryptoCipherAlgorithm 255 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher, 256 QCryptoHashAlgorithm hash, 257 Error **errp) 258 { 259 size_t digestlen = qcrypto_hash_digest_len(hash); 260 size_t keylen = qcrypto_cipher_get_key_len(cipher); 261 if (digestlen == keylen) { 262 return cipher; 263 } 264 265 switch (cipher) { 266 case QCRYPTO_CIPHER_ALG_AES_128: 267 case QCRYPTO_CIPHER_ALG_AES_192: 268 case QCRYPTO_CIPHER_ALG_AES_256: 269 if (digestlen == qcrypto_cipher_get_key_len( 270 QCRYPTO_CIPHER_ALG_AES_128)) { 271 return QCRYPTO_CIPHER_ALG_AES_128; 272 } else if (digestlen == qcrypto_cipher_get_key_len( 273 QCRYPTO_CIPHER_ALG_AES_192)) { 274 return QCRYPTO_CIPHER_ALG_AES_192; 275 } else if (digestlen == qcrypto_cipher_get_key_len( 276 QCRYPTO_CIPHER_ALG_AES_256)) { 277 return QCRYPTO_CIPHER_ALG_AES_256; 278 } else { 279 error_setg(errp, "No AES cipher with key size %zu available", 280 digestlen); 281 return 0; 282 } 283 break; 284 case QCRYPTO_CIPHER_ALG_SERPENT_128: 285 case QCRYPTO_CIPHER_ALG_SERPENT_192: 286 case QCRYPTO_CIPHER_ALG_SERPENT_256: 287 if (digestlen == qcrypto_cipher_get_key_len( 288 QCRYPTO_CIPHER_ALG_SERPENT_128)) { 289 return QCRYPTO_CIPHER_ALG_SERPENT_128; 290 } else if (digestlen == qcrypto_cipher_get_key_len( 291 QCRYPTO_CIPHER_ALG_SERPENT_192)) { 292 return QCRYPTO_CIPHER_ALG_SERPENT_192; 293 } else if (digestlen == qcrypto_cipher_get_key_len( 294 QCRYPTO_CIPHER_ALG_SERPENT_256)) { 295 return QCRYPTO_CIPHER_ALG_SERPENT_256; 296 } else { 297 error_setg(errp, "No Serpent cipher with key size %zu available", 298 digestlen); 299 return 0; 300 } 301 break; 302 case QCRYPTO_CIPHER_ALG_TWOFISH_128: 303 case QCRYPTO_CIPHER_ALG_TWOFISH_192: 304 case QCRYPTO_CIPHER_ALG_TWOFISH_256: 305 if (digestlen == qcrypto_cipher_get_key_len( 306 QCRYPTO_CIPHER_ALG_TWOFISH_128)) { 307 return QCRYPTO_CIPHER_ALG_TWOFISH_128; 308 } else if (digestlen == qcrypto_cipher_get_key_len( 309 QCRYPTO_CIPHER_ALG_TWOFISH_192)) { 310 return QCRYPTO_CIPHER_ALG_TWOFISH_192; 311 } else if (digestlen == qcrypto_cipher_get_key_len( 312 QCRYPTO_CIPHER_ALG_TWOFISH_256)) { 313 return QCRYPTO_CIPHER_ALG_TWOFISH_256; 314 } else { 315 error_setg(errp, "No Twofish cipher with key size %zu available", 316 digestlen); 317 return 0; 318 } 319 break; 320 default: 321 error_setg(errp, "Cipher %s not supported with essiv", 322 QCryptoCipherAlgorithm_str(cipher)); 323 return 0; 324 } 325 } 326 327 /* 328 * Returns number of sectors needed to store the key material 329 * given number of anti forensic stripes 330 */ 331 static int 332 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks, 333 unsigned int header_sectors, 334 unsigned int stripes) 335 { 336 /* 337 * This calculation doesn't match that shown in the spec, 338 * but instead follows the cryptsetup implementation. 339 */ 340 341 size_t splitkeylen = luks->header.master_key_len * stripes; 342 343 /* First align the key material size to block size*/ 344 size_t splitkeylen_sectors = 345 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE); 346 347 /* Then also align the key material size to the size of the header */ 348 return ROUND_UP(splitkeylen_sectors, header_sectors); 349 } 350 351 352 void 353 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr) 354 { 355 size_t i; 356 357 /* 358 * Everything on disk uses Big Endian (tm), so flip header fields 359 * before writing them 360 */ 361 cpu_to_be16s(&hdr->version); 362 cpu_to_be32s(&hdr->payload_offset_sector); 363 cpu_to_be32s(&hdr->master_key_len); 364 cpu_to_be32s(&hdr->master_key_iterations); 365 366 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 367 cpu_to_be32s(&hdr->key_slots[i].active); 368 cpu_to_be32s(&hdr->key_slots[i].iterations); 369 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector); 370 cpu_to_be32s(&hdr->key_slots[i].stripes); 371 } 372 } 373 374 void 375 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr) 376 { 377 size_t i; 378 379 /* 380 * The header is always stored in big-endian format, so 381 * convert everything to native 382 */ 383 be16_to_cpus(&hdr->version); 384 be32_to_cpus(&hdr->payload_offset_sector); 385 be32_to_cpus(&hdr->master_key_len); 386 be32_to_cpus(&hdr->master_key_iterations); 387 388 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 389 be32_to_cpus(&hdr->key_slots[i].active); 390 be32_to_cpus(&hdr->key_slots[i].iterations); 391 be32_to_cpus(&hdr->key_slots[i].key_offset_sector); 392 be32_to_cpus(&hdr->key_slots[i].stripes); 393 } 394 } 395 396 /* 397 * Stores the main LUKS header, taking care of endianess 398 */ 399 static int 400 qcrypto_block_luks_store_header(QCryptoBlock *block, 401 QCryptoBlockWriteFunc writefunc, 402 void *opaque, 403 Error **errp) 404 { 405 const QCryptoBlockLUKS *luks = block->opaque; 406 Error *local_err = NULL; 407 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL; 408 409 /* Create a copy of the header */ 410 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1); 411 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader)); 412 413 qcrypto_block_luks_to_disk_endian(hdr_copy); 414 415 /* Write out the partition header and key slot headers */ 416 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy), 417 opaque, &local_err); 418 419 if (local_err) { 420 error_propagate(errp, local_err); 421 return -1; 422 } 423 return 0; 424 } 425 426 /* 427 * Loads the main LUKS header,and byteswaps it to native endianess 428 * And run basic sanity checks on it 429 */ 430 static int 431 qcrypto_block_luks_load_header(QCryptoBlock *block, 432 QCryptoBlockReadFunc readfunc, 433 void *opaque, 434 Error **errp) 435 { 436 int rv; 437 QCryptoBlockLUKS *luks = block->opaque; 438 439 /* 440 * Read the entire LUKS header, minus the key material from 441 * the underlying device 442 */ 443 rv = readfunc(block, 0, 444 (uint8_t *)&luks->header, 445 sizeof(luks->header), 446 opaque, 447 errp); 448 if (rv < 0) { 449 return rv; 450 } 451 452 qcrypto_block_luks_from_disk_endian(&luks->header); 453 454 return 0; 455 } 456 457 /* 458 * Does basic sanity checks on the LUKS header 459 */ 460 static int 461 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp) 462 { 463 size_t i, j; 464 465 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 466 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 467 468 if (memcmp(luks->header.magic, qcrypto_block_luks_magic, 469 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { 470 error_setg(errp, "Volume is not in LUKS format"); 471 return -1; 472 } 473 474 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { 475 error_setg(errp, "LUKS version %" PRIu32 " is not supported", 476 luks->header.version); 477 return -1; 478 } 479 480 if (!memchr(luks->header.cipher_name, '\0', 481 sizeof(luks->header.cipher_name))) { 482 error_setg(errp, "LUKS header cipher name is not NUL terminated"); 483 return -1; 484 } 485 486 if (!memchr(luks->header.cipher_mode, '\0', 487 sizeof(luks->header.cipher_mode))) { 488 error_setg(errp, "LUKS header cipher mode is not NUL terminated"); 489 return -1; 490 } 491 492 if (!memchr(luks->header.hash_spec, '\0', 493 sizeof(luks->header.hash_spec))) { 494 error_setg(errp, "LUKS header hash spec is not NUL terminated"); 495 return -1; 496 } 497 498 if (luks->header.payload_offset_sector < 499 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 500 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 501 error_setg(errp, "LUKS payload is overlapping with the header"); 502 return -1; 503 } 504 505 if (luks->header.master_key_iterations == 0) { 506 error_setg(errp, "LUKS key iteration count is zero"); 507 return -1; 508 } 509 510 /* Check all keyslots for corruption */ 511 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) { 512 513 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i]; 514 unsigned int start1 = slot1->key_offset_sector; 515 unsigned int len1 = 516 qcrypto_block_luks_splitkeylen_sectors(luks, 517 header_sectors, 518 slot1->stripes); 519 520 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) { 521 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)", 522 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES); 523 return -1; 524 } 525 526 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED && 527 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 528 error_setg(errp, 529 "Keyslot %zu state (active/disable) is corrupted", i); 530 return -1; 531 } 532 533 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED && 534 slot1->iterations == 0) { 535 error_setg(errp, "Keyslot %zu iteration count is zero", i); 536 return -1; 537 } 538 539 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 540 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 541 error_setg(errp, 542 "Keyslot %zu is overlapping with the LUKS header", 543 i); 544 return -1; 545 } 546 547 if (start1 + len1 > luks->header.payload_offset_sector) { 548 error_setg(errp, 549 "Keyslot %zu is overlapping with the encrypted payload", 550 i); 551 return -1; 552 } 553 554 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) { 555 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j]; 556 unsigned int start2 = slot2->key_offset_sector; 557 unsigned int len2 = 558 qcrypto_block_luks_splitkeylen_sectors(luks, 559 header_sectors, 560 slot2->stripes); 561 562 if (start1 + len1 > start2 && start2 + len2 > start1) { 563 error_setg(errp, 564 "Keyslots %zu and %zu are overlapping in the header", 565 i, j); 566 return -1; 567 } 568 } 569 570 } 571 return 0; 572 } 573 574 /* 575 * Parses the crypto parameters that are stored in the LUKS header 576 */ 577 578 static int 579 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp) 580 { 581 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode); 582 char *ivgen_name, *ivhash_name; 583 Error *local_err = NULL; 584 585 /* 586 * The cipher_mode header contains a string that we have 587 * to further parse, of the format 588 * 589 * <cipher-mode>-<iv-generator>[:<iv-hash>] 590 * 591 * eg cbc-essiv:sha256, cbc-plain64 592 */ 593 ivgen_name = strchr(cipher_mode, '-'); 594 if (!ivgen_name) { 595 error_setg(errp, "Unexpected cipher mode string format '%s'", 596 luks->header.cipher_mode); 597 return -1; 598 } 599 *ivgen_name = '\0'; 600 ivgen_name++; 601 602 ivhash_name = strchr(ivgen_name, ':'); 603 if (!ivhash_name) { 604 luks->ivgen_hash_alg = 0; 605 } else { 606 *ivhash_name = '\0'; 607 ivhash_name++; 608 609 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name, 610 &local_err); 611 if (local_err) { 612 error_propagate(errp, local_err); 613 return -1; 614 } 615 } 616 617 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode, 618 &local_err); 619 if (local_err) { 620 error_propagate(errp, local_err); 621 return -1; 622 } 623 624 luks->cipher_alg = 625 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, 626 luks->cipher_mode, 627 luks->header.master_key_len, 628 &local_err); 629 if (local_err) { 630 error_propagate(errp, local_err); 631 return -1; 632 } 633 634 luks->hash_alg = 635 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, 636 &local_err); 637 if (local_err) { 638 error_propagate(errp, local_err); 639 return -1; 640 } 641 642 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, 643 &local_err); 644 if (local_err) { 645 error_propagate(errp, local_err); 646 return -1; 647 } 648 649 if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 650 if (!ivhash_name) { 651 error_setg(errp, "Missing IV generator hash specification"); 652 return -1; 653 } 654 luks->ivgen_cipher_alg = 655 qcrypto_block_luks_essiv_cipher(luks->cipher_alg, 656 luks->ivgen_hash_alg, 657 &local_err); 658 if (local_err) { 659 error_propagate(errp, local_err); 660 return -1; 661 } 662 } else { 663 664 /* 665 * Note we parsed the ivhash_name earlier in the cipher_mode 666 * spec string even with plain/plain64 ivgens, but we 667 * will ignore it, since it is irrelevant for these ivgens. 668 * This is for compat with dm-crypt which will silently 669 * ignore hash names with these ivgens rather than report 670 * an error about the invalid usage 671 */ 672 luks->ivgen_cipher_alg = luks->cipher_alg; 673 } 674 return 0; 675 } 676 677 /* 678 * Given a key slot, user password, and the master key, 679 * will store the encrypted master key there, and update the 680 * in-memory header. User must then write the in-memory header 681 * 682 * Returns: 683 * 0 if the keyslot was written successfully 684 * with the provided password 685 * -1 if a fatal error occurred while storing the key 686 */ 687 static int 688 qcrypto_block_luks_store_key(QCryptoBlock *block, 689 unsigned int slot_idx, 690 const char *password, 691 uint8_t *masterkey, 692 uint64_t iter_time, 693 QCryptoBlockWriteFunc writefunc, 694 void *opaque, 695 Error **errp) 696 { 697 QCryptoBlockLUKS *luks = block->opaque; 698 QCryptoBlockLUKSKeySlot *slot; 699 g_autofree uint8_t *splitkey = NULL; 700 size_t splitkeylen; 701 g_autofree uint8_t *slotkey = NULL; 702 g_autoptr(QCryptoCipher) cipher = NULL; 703 g_autoptr(QCryptoIVGen) ivgen = NULL; 704 Error *local_err = NULL; 705 uint64_t iters; 706 int ret = -1; 707 708 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 709 slot = &luks->header.key_slots[slot_idx]; 710 if (qcrypto_random_bytes(slot->salt, 711 QCRYPTO_BLOCK_LUKS_SALT_LEN, 712 errp) < 0) { 713 goto cleanup; 714 } 715 716 splitkeylen = luks->header.master_key_len * slot->stripes; 717 718 /* 719 * Determine how many iterations are required to 720 * hash the user password while consuming 1 second of compute 721 * time 722 */ 723 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg, 724 (uint8_t *)password, strlen(password), 725 slot->salt, 726 QCRYPTO_BLOCK_LUKS_SALT_LEN, 727 luks->header.master_key_len, 728 &local_err); 729 if (local_err) { 730 error_propagate(errp, local_err); 731 goto cleanup; 732 } 733 734 if (iters > (ULLONG_MAX / iter_time)) { 735 error_setg_errno(errp, ERANGE, 736 "PBKDF iterations %llu too large to scale", 737 (unsigned long long)iters); 738 goto cleanup; 739 } 740 741 /* iter_time was in millis, but count_iters reported for secs */ 742 iters = iters * iter_time / 1000; 743 744 if (iters > UINT32_MAX) { 745 error_setg_errno(errp, ERANGE, 746 "PBKDF iterations %llu larger than %u", 747 (unsigned long long)iters, UINT32_MAX); 748 goto cleanup; 749 } 750 751 slot->iterations = 752 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); 753 754 755 /* 756 * Generate a key that we'll use to encrypt the master 757 * key, from the user's password 758 */ 759 slotkey = g_new0(uint8_t, luks->header.master_key_len); 760 if (qcrypto_pbkdf2(luks->hash_alg, 761 (uint8_t *)password, strlen(password), 762 slot->salt, 763 QCRYPTO_BLOCK_LUKS_SALT_LEN, 764 slot->iterations, 765 slotkey, luks->header.master_key_len, 766 errp) < 0) { 767 goto cleanup; 768 } 769 770 771 /* 772 * Setup the encryption objects needed to encrypt the 773 * master key material 774 */ 775 cipher = qcrypto_cipher_new(luks->cipher_alg, 776 luks->cipher_mode, 777 slotkey, luks->header.master_key_len, 778 errp); 779 if (!cipher) { 780 goto cleanup; 781 } 782 783 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 784 luks->ivgen_cipher_alg, 785 luks->ivgen_hash_alg, 786 slotkey, luks->header.master_key_len, 787 errp); 788 if (!ivgen) { 789 goto cleanup; 790 } 791 792 /* 793 * Before storing the master key, we need to vastly 794 * increase its size, as protection against forensic 795 * disk data recovery 796 */ 797 splitkey = g_new0(uint8_t, splitkeylen); 798 799 if (qcrypto_afsplit_encode(luks->hash_alg, 800 luks->header.master_key_len, 801 slot->stripes, 802 masterkey, 803 splitkey, 804 errp) < 0) { 805 goto cleanup; 806 } 807 808 /* 809 * Now we encrypt the split master key with the key generated 810 * from the user's password, before storing it 811 */ 812 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen, 813 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 814 0, 815 splitkey, 816 splitkeylen, 817 errp) < 0) { 818 goto cleanup; 819 } 820 821 /* Write out the slot's master key material. */ 822 if (writefunc(block, 823 slot->key_offset_sector * 824 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 825 splitkey, splitkeylen, 826 opaque, 827 errp) < 0) { 828 goto cleanup; 829 } 830 831 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 832 833 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) { 834 goto cleanup; 835 } 836 837 ret = 0; 838 839 cleanup: 840 if (slotkey) { 841 memset(slotkey, 0, luks->header.master_key_len); 842 } 843 if (splitkey) { 844 memset(splitkey, 0, splitkeylen); 845 } 846 return ret; 847 } 848 849 /* 850 * Given a key slot, and user password, this will attempt to unlock 851 * the master encryption key from the key slot. 852 * 853 * Returns: 854 * 0 if the key slot is disabled, or key could not be decrypted 855 * with the provided password 856 * 1 if the key slot is enabled, and key decrypted successfully 857 * with the provided password 858 * -1 if a fatal error occurred loading the key 859 */ 860 static int 861 qcrypto_block_luks_load_key(QCryptoBlock *block, 862 size_t slot_idx, 863 const char *password, 864 uint8_t *masterkey, 865 QCryptoBlockReadFunc readfunc, 866 void *opaque, 867 Error **errp) 868 { 869 QCryptoBlockLUKS *luks = block->opaque; 870 const QCryptoBlockLUKSKeySlot *slot; 871 g_autofree uint8_t *splitkey = NULL; 872 size_t splitkeylen; 873 g_autofree uint8_t *possiblekey = NULL; 874 int rv; 875 g_autoptr(QCryptoCipher) cipher = NULL; 876 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; 877 g_autoptr(QCryptoIVGen) ivgen = NULL; 878 size_t niv; 879 880 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 881 slot = &luks->header.key_slots[slot_idx]; 882 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 883 return 0; 884 } 885 886 splitkeylen = luks->header.master_key_len * slot->stripes; 887 splitkey = g_new0(uint8_t, splitkeylen); 888 possiblekey = g_new0(uint8_t, luks->header.master_key_len); 889 890 /* 891 * The user password is used to generate a (possible) 892 * decryption key. This may or may not successfully 893 * decrypt the master key - we just blindly assume 894 * the key is correct and validate the results of 895 * decryption later. 896 */ 897 if (qcrypto_pbkdf2(luks->hash_alg, 898 (const uint8_t *)password, strlen(password), 899 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, 900 slot->iterations, 901 possiblekey, luks->header.master_key_len, 902 errp) < 0) { 903 return -1; 904 } 905 906 /* 907 * We need to read the master key material from the 908 * LUKS key material header. What we're reading is 909 * not the raw master key, but rather the data after 910 * it has been passed through AFSplit and the result 911 * then encrypted. 912 */ 913 rv = readfunc(block, 914 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 915 splitkey, splitkeylen, 916 opaque, 917 errp); 918 if (rv < 0) { 919 return -1; 920 } 921 922 923 /* Setup the cipher/ivgen that we'll use to try to decrypt 924 * the split master key material */ 925 cipher = qcrypto_cipher_new(luks->cipher_alg, 926 luks->cipher_mode, 927 possiblekey, 928 luks->header.master_key_len, 929 errp); 930 if (!cipher) { 931 return -1; 932 } 933 934 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 935 luks->cipher_mode); 936 937 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 938 luks->ivgen_cipher_alg, 939 luks->ivgen_hash_alg, 940 possiblekey, 941 luks->header.master_key_len, 942 errp); 943 if (!ivgen) { 944 return -1; 945 } 946 947 948 /* 949 * The master key needs to be decrypted in the same 950 * way that the block device payload will be decrypted 951 * later. In particular we'll be using the IV generator 952 * to reset the encryption cipher every time the master 953 * key crosses a sector boundary. 954 */ 955 if (qcrypto_block_cipher_decrypt_helper(cipher, 956 niv, 957 ivgen, 958 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 959 0, 960 splitkey, 961 splitkeylen, 962 errp) < 0) { 963 return -1; 964 } 965 966 /* 967 * Now we've decrypted the split master key, join 968 * it back together to get the actual master key. 969 */ 970 if (qcrypto_afsplit_decode(luks->hash_alg, 971 luks->header.master_key_len, 972 slot->stripes, 973 splitkey, 974 masterkey, 975 errp) < 0) { 976 return -1; 977 } 978 979 980 /* 981 * We still don't know that the masterkey we got is valid, 982 * because we just blindly assumed the user's password 983 * was correct. This is where we now verify it. We are 984 * creating a hash of the master key using PBKDF and 985 * then comparing that to the hash stored in the key slot 986 * header 987 */ 988 if (qcrypto_pbkdf2(luks->hash_alg, 989 masterkey, 990 luks->header.master_key_len, 991 luks->header.master_key_salt, 992 QCRYPTO_BLOCK_LUKS_SALT_LEN, 993 luks->header.master_key_iterations, 994 keydigest, 995 G_N_ELEMENTS(keydigest), 996 errp) < 0) { 997 return -1; 998 } 999 1000 if (memcmp(keydigest, luks->header.master_key_digest, 1001 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { 1002 /* Success, we got the right master key */ 1003 return 1; 1004 } 1005 1006 /* Fail, user's password was not valid for this key slot, 1007 * tell caller to try another slot */ 1008 return 0; 1009 } 1010 1011 1012 /* 1013 * Given a user password, this will iterate over all key 1014 * slots and try to unlock each active key slot using the 1015 * password until it successfully obtains a master key. 1016 * 1017 * Returns 0 if a key was loaded, -1 if no keys could be loaded 1018 */ 1019 static int 1020 qcrypto_block_luks_find_key(QCryptoBlock *block, 1021 const char *password, 1022 uint8_t *masterkey, 1023 QCryptoBlockReadFunc readfunc, 1024 void *opaque, 1025 Error **errp) 1026 { 1027 size_t i; 1028 int rv; 1029 1030 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1031 rv = qcrypto_block_luks_load_key(block, 1032 i, 1033 password, 1034 masterkey, 1035 readfunc, 1036 opaque, 1037 errp); 1038 if (rv < 0) { 1039 goto error; 1040 } 1041 if (rv == 1) { 1042 return 0; 1043 } 1044 } 1045 1046 error_setg(errp, "Invalid password, cannot unlock any keyslot"); 1047 error: 1048 return -1; 1049 } 1050 1051 /* 1052 * Returns true if a slot i is marked as active 1053 * (contains encrypted copy of the master key) 1054 */ 1055 static bool 1056 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks, 1057 unsigned int slot_idx) 1058 { 1059 uint32_t val; 1060 1061 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1062 val = luks->header.key_slots[slot_idx].active; 1063 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1064 } 1065 1066 /* 1067 * Returns the number of slots that are marked as active 1068 * (slots that contain encrypted copy of the master key) 1069 */ 1070 static unsigned int 1071 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks) 1072 { 1073 size_t i = 0; 1074 unsigned int ret = 0; 1075 1076 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1077 if (qcrypto_block_luks_slot_active(luks, i)) { 1078 ret++; 1079 } 1080 } 1081 return ret; 1082 } 1083 1084 /* 1085 * Finds first key slot which is not active 1086 * Returns the key slot index, or -1 if it doesn't exist 1087 */ 1088 static int 1089 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks) 1090 { 1091 size_t i; 1092 1093 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1094 if (!qcrypto_block_luks_slot_active(luks, i)) { 1095 return i; 1096 } 1097 } 1098 return -1; 1099 } 1100 1101 /* 1102 * Erases an keyslot given its index 1103 * Returns: 1104 * 0 if the keyslot was erased successfully 1105 * -1 if a error occurred while erasing the keyslot 1106 * 1107 */ 1108 static int 1109 qcrypto_block_luks_erase_key(QCryptoBlock *block, 1110 unsigned int slot_idx, 1111 QCryptoBlockWriteFunc writefunc, 1112 void *opaque, 1113 Error **errp) 1114 { 1115 QCryptoBlockLUKS *luks = block->opaque; 1116 QCryptoBlockLUKSKeySlot *slot; 1117 g_autofree uint8_t *garbagesplitkey = NULL; 1118 size_t splitkeylen; 1119 size_t i; 1120 Error *local_err = NULL; 1121 int ret; 1122 1123 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1124 slot = &luks->header.key_slots[slot_idx]; 1125 1126 splitkeylen = luks->header.master_key_len * slot->stripes; 1127 assert(splitkeylen > 0); 1128 1129 garbagesplitkey = g_new0(uint8_t, splitkeylen); 1130 1131 /* Reset the key slot header */ 1132 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN); 1133 slot->iterations = 0; 1134 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1135 1136 ret = qcrypto_block_luks_store_header(block, writefunc, 1137 opaque, &local_err); 1138 1139 if (ret < 0) { 1140 error_propagate(errp, local_err); 1141 } 1142 /* 1143 * Now try to erase the key material, even if the header 1144 * update failed 1145 */ 1146 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) { 1147 if (qcrypto_random_bytes(garbagesplitkey, 1148 splitkeylen, &local_err) < 0) { 1149 /* 1150 * If we failed to get the random data, still write 1151 * at least zeros to the key slot at least once 1152 */ 1153 error_propagate(errp, local_err); 1154 1155 if (i > 0) { 1156 return -1; 1157 } 1158 } 1159 if (writefunc(block, 1160 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1161 garbagesplitkey, 1162 splitkeylen, 1163 opaque, 1164 &local_err) < 0) { 1165 error_propagate(errp, local_err); 1166 return -1; 1167 } 1168 } 1169 return ret; 1170 } 1171 1172 static int 1173 qcrypto_block_luks_open(QCryptoBlock *block, 1174 QCryptoBlockOpenOptions *options, 1175 const char *optprefix, 1176 QCryptoBlockReadFunc readfunc, 1177 void *opaque, 1178 unsigned int flags, 1179 size_t n_threads, 1180 Error **errp) 1181 { 1182 QCryptoBlockLUKS *luks = NULL; 1183 g_autofree uint8_t *masterkey = NULL; 1184 g_autofree char *password = NULL; 1185 1186 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1187 if (!options->u.luks.key_secret) { 1188 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1189 optprefix ? optprefix : ""); 1190 return -1; 1191 } 1192 password = qcrypto_secret_lookup_as_utf8( 1193 options->u.luks.key_secret, errp); 1194 if (!password) { 1195 return -1; 1196 } 1197 } 1198 1199 luks = g_new0(QCryptoBlockLUKS, 1); 1200 block->opaque = luks; 1201 luks->secret = g_strdup(options->u.luks.key_secret); 1202 1203 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) { 1204 goto fail; 1205 } 1206 1207 if (qcrypto_block_luks_check_header(luks, errp) < 0) { 1208 goto fail; 1209 } 1210 1211 if (qcrypto_block_luks_parse_header(luks, errp) < 0) { 1212 goto fail; 1213 } 1214 1215 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1216 /* Try to find which key slot our password is valid for 1217 * and unlock the master key from that slot. 1218 */ 1219 1220 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1221 1222 if (qcrypto_block_luks_find_key(block, 1223 password, 1224 masterkey, 1225 readfunc, opaque, 1226 errp) < 0) { 1227 goto fail; 1228 } 1229 1230 /* We have a valid master key now, so can setup the 1231 * block device payload decryption objects 1232 */ 1233 block->kdfhash = luks->hash_alg; 1234 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 1235 luks->cipher_mode); 1236 1237 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 1238 luks->ivgen_cipher_alg, 1239 luks->ivgen_hash_alg, 1240 masterkey, 1241 luks->header.master_key_len, 1242 errp); 1243 if (!block->ivgen) { 1244 goto fail; 1245 } 1246 1247 if (qcrypto_block_init_cipher(block, 1248 luks->cipher_alg, 1249 luks->cipher_mode, 1250 masterkey, 1251 luks->header.master_key_len, 1252 n_threads, 1253 errp) < 0) { 1254 goto fail; 1255 } 1256 } 1257 1258 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1259 block->payload_offset = luks->header.payload_offset_sector * 1260 block->sector_size; 1261 1262 return 0; 1263 1264 fail: 1265 qcrypto_block_free_cipher(block); 1266 qcrypto_ivgen_free(block->ivgen); 1267 g_free(luks->secret); 1268 g_free(luks); 1269 return -1; 1270 } 1271 1272 1273 static void 1274 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr) 1275 { 1276 QemuUUID uuid; 1277 qemu_uuid_generate(&uuid); 1278 qemu_uuid_unparse(&uuid, (char *)uuidstr); 1279 } 1280 1281 static int 1282 qcrypto_block_luks_create(QCryptoBlock *block, 1283 QCryptoBlockCreateOptions *options, 1284 const char *optprefix, 1285 QCryptoBlockInitFunc initfunc, 1286 QCryptoBlockWriteFunc writefunc, 1287 void *opaque, 1288 Error **errp) 1289 { 1290 QCryptoBlockLUKS *luks; 1291 QCryptoBlockCreateOptionsLUKS luks_opts; 1292 Error *local_err = NULL; 1293 g_autofree uint8_t *masterkey = NULL; 1294 size_t header_sectors; 1295 size_t split_key_sectors; 1296 size_t i; 1297 g_autofree char *password = NULL; 1298 const char *cipher_alg; 1299 const char *cipher_mode; 1300 const char *ivgen_alg; 1301 const char *ivgen_hash_alg = NULL; 1302 const char *hash_alg; 1303 g_autofree char *cipher_mode_spec = NULL; 1304 uint64_t iters; 1305 1306 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); 1307 if (!luks_opts.has_iter_time) { 1308 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1309 } 1310 if (!luks_opts.has_cipher_alg) { 1311 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256; 1312 } 1313 if (!luks_opts.has_cipher_mode) { 1314 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; 1315 } 1316 if (!luks_opts.has_ivgen_alg) { 1317 luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64; 1318 } 1319 if (!luks_opts.has_hash_alg) { 1320 luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; 1321 } 1322 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1323 if (!luks_opts.has_ivgen_hash_alg) { 1324 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256; 1325 luks_opts.has_ivgen_hash_alg = true; 1326 } 1327 } 1328 1329 luks = g_new0(QCryptoBlockLUKS, 1); 1330 block->opaque = luks; 1331 1332 luks->cipher_alg = luks_opts.cipher_alg; 1333 luks->cipher_mode = luks_opts.cipher_mode; 1334 luks->ivgen_alg = luks_opts.ivgen_alg; 1335 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; 1336 luks->hash_alg = luks_opts.hash_alg; 1337 1338 1339 /* Note we're allowing ivgen_hash_alg to be set even for 1340 * non-essiv iv generators that don't need a hash. It will 1341 * be silently ignored, for compatibility with dm-crypt */ 1342 1343 if (!options->u.luks.key_secret) { 1344 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1345 optprefix ? optprefix : ""); 1346 goto error; 1347 } 1348 luks->secret = g_strdup(options->u.luks.key_secret); 1349 1350 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); 1351 if (!password) { 1352 goto error; 1353 } 1354 1355 1356 memcpy(luks->header.magic, qcrypto_block_luks_magic, 1357 QCRYPTO_BLOCK_LUKS_MAGIC_LEN); 1358 1359 /* We populate the header in native endianness initially and 1360 * then convert everything to big endian just before writing 1361 * it out to disk 1362 */ 1363 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; 1364 qcrypto_block_luks_uuid_gen(luks->header.uuid); 1365 1366 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, 1367 errp); 1368 if (!cipher_alg) { 1369 goto error; 1370 } 1371 1372 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode); 1373 ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg); 1374 if (luks_opts.has_ivgen_hash_alg) { 1375 ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg); 1376 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, 1377 ivgen_hash_alg); 1378 } else { 1379 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); 1380 } 1381 hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg); 1382 1383 1384 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { 1385 error_setg(errp, "Cipher name '%s' is too long for LUKS header", 1386 cipher_alg); 1387 goto error; 1388 } 1389 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { 1390 error_setg(errp, "Cipher mode '%s' is too long for LUKS header", 1391 cipher_mode_spec); 1392 goto error; 1393 } 1394 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { 1395 error_setg(errp, "Hash name '%s' is too long for LUKS header", 1396 hash_alg); 1397 goto error; 1398 } 1399 1400 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1401 luks->ivgen_cipher_alg = 1402 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, 1403 luks_opts.ivgen_hash_alg, 1404 &local_err); 1405 if (local_err) { 1406 error_propagate(errp, local_err); 1407 goto error; 1408 } 1409 } else { 1410 luks->ivgen_cipher_alg = luks_opts.cipher_alg; 1411 } 1412 1413 strcpy(luks->header.cipher_name, cipher_alg); 1414 strcpy(luks->header.cipher_mode, cipher_mode_spec); 1415 strcpy(luks->header.hash_spec, hash_alg); 1416 1417 luks->header.master_key_len = 1418 qcrypto_cipher_get_key_len(luks_opts.cipher_alg); 1419 1420 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { 1421 luks->header.master_key_len *= 2; 1422 } 1423 1424 /* Generate the salt used for hashing the master key 1425 * with PBKDF later 1426 */ 1427 if (qcrypto_random_bytes(luks->header.master_key_salt, 1428 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1429 errp) < 0) { 1430 goto error; 1431 } 1432 1433 /* Generate random master key */ 1434 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1435 if (qcrypto_random_bytes(masterkey, 1436 luks->header.master_key_len, errp) < 0) { 1437 goto error; 1438 } 1439 1440 1441 /* Setup the block device payload encryption objects */ 1442 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg, 1443 luks_opts.cipher_mode, masterkey, 1444 luks->header.master_key_len, 1, errp) < 0) { 1445 goto error; 1446 } 1447 1448 block->kdfhash = luks_opts.hash_alg; 1449 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, 1450 luks_opts.cipher_mode); 1451 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, 1452 luks->ivgen_cipher_alg, 1453 luks_opts.ivgen_hash_alg, 1454 masterkey, luks->header.master_key_len, 1455 errp); 1456 1457 if (!block->ivgen) { 1458 goto error; 1459 } 1460 1461 1462 /* Determine how many iterations we need to hash the master 1463 * key, in order to have 1 second of compute time used 1464 */ 1465 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, 1466 masterkey, luks->header.master_key_len, 1467 luks->header.master_key_salt, 1468 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1469 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1470 &local_err); 1471 if (local_err) { 1472 error_propagate(errp, local_err); 1473 goto error; 1474 } 1475 1476 if (iters > (ULLONG_MAX / luks_opts.iter_time)) { 1477 error_setg_errno(errp, ERANGE, 1478 "PBKDF iterations %llu too large to scale", 1479 (unsigned long long)iters); 1480 goto error; 1481 } 1482 1483 /* iter_time was in millis, but count_iters reported for secs */ 1484 iters = iters * luks_opts.iter_time / 1000; 1485 1486 /* Why /= 8 ? That matches cryptsetup, but there's no 1487 * explanation why they chose /= 8... Probably so that 1488 * if all 8 keyslots are active we only spend 1 second 1489 * in total time to check all keys */ 1490 iters /= 8; 1491 if (iters > UINT32_MAX) { 1492 error_setg_errno(errp, ERANGE, 1493 "PBKDF iterations %llu larger than %u", 1494 (unsigned long long)iters, UINT32_MAX); 1495 goto error; 1496 } 1497 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); 1498 luks->header.master_key_iterations = iters; 1499 1500 /* Hash the master key, saving the result in the LUKS 1501 * header. This hash is used when opening the encrypted 1502 * device to verify that the user password unlocked a 1503 * valid master key 1504 */ 1505 if (qcrypto_pbkdf2(luks_opts.hash_alg, 1506 masterkey, luks->header.master_key_len, 1507 luks->header.master_key_salt, 1508 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1509 luks->header.master_key_iterations, 1510 luks->header.master_key_digest, 1511 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1512 errp) < 0) { 1513 goto error; 1514 } 1515 1516 /* start with the sector that follows the header*/ 1517 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 1518 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1519 1520 split_key_sectors = 1521 qcrypto_block_luks_splitkeylen_sectors(luks, 1522 header_sectors, 1523 QCRYPTO_BLOCK_LUKS_STRIPES); 1524 1525 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1526 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i]; 1527 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1528 1529 slot->key_offset_sector = header_sectors + i * split_key_sectors; 1530 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES; 1531 } 1532 1533 /* The total size of the LUKS headers is the partition header + key 1534 * slot headers, rounded up to the nearest sector, combined with 1535 * the size of each master key material region, also rounded up 1536 * to the nearest sector */ 1537 luks->header.payload_offset_sector = header_sectors + 1538 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors; 1539 1540 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1541 block->payload_offset = luks->header.payload_offset_sector * 1542 block->sector_size; 1543 1544 /* Reserve header space to match payload offset */ 1545 initfunc(block, block->payload_offset, opaque, &local_err); 1546 if (local_err) { 1547 error_propagate(errp, local_err); 1548 goto error; 1549 } 1550 1551 1552 /* populate the slot 0 with the password encrypted master key*/ 1553 /* This will also store the header */ 1554 if (qcrypto_block_luks_store_key(block, 1555 0, 1556 password, 1557 masterkey, 1558 luks_opts.iter_time, 1559 writefunc, 1560 opaque, 1561 errp) < 0) { 1562 goto error; 1563 } 1564 1565 memset(masterkey, 0, luks->header.master_key_len); 1566 1567 return 0; 1568 1569 error: 1570 if (masterkey) { 1571 memset(masterkey, 0, luks->header.master_key_len); 1572 } 1573 1574 qcrypto_block_free_cipher(block); 1575 qcrypto_ivgen_free(block->ivgen); 1576 1577 g_free(luks->secret); 1578 g_free(luks); 1579 return -1; 1580 } 1581 1582 static int 1583 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block, 1584 QCryptoBlockReadFunc readfunc, 1585 QCryptoBlockWriteFunc writefunc, 1586 void *opaque, 1587 QCryptoBlockAmendOptionsLUKS *opts_luks, 1588 bool force, 1589 Error **errp) 1590 { 1591 QCryptoBlockLUKS *luks = block->opaque; 1592 uint64_t iter_time = opts_luks->has_iter_time ? 1593 opts_luks->iter_time : 1594 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1595 int keyslot; 1596 g_autofree char *old_password = NULL; 1597 g_autofree char *new_password = NULL; 1598 g_autofree uint8_t *master_key = NULL; 1599 1600 char *secret = opts_luks->has_secret ? opts_luks->secret : luks->secret; 1601 1602 if (!opts_luks->has_new_secret) { 1603 error_setg(errp, "'new-secret' is required to activate a keyslot"); 1604 return -1; 1605 } 1606 if (opts_luks->has_old_secret) { 1607 error_setg(errp, 1608 "'old-secret' must not be given when activating keyslots"); 1609 return -1; 1610 } 1611 1612 if (opts_luks->has_keyslot) { 1613 keyslot = opts_luks->keyslot; 1614 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1615 error_setg(errp, 1616 "Invalid keyslot %u specified, must be between 0 and %u", 1617 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1618 return -1; 1619 } 1620 } else { 1621 keyslot = qcrypto_block_luks_find_free_keyslot(luks); 1622 if (keyslot == -1) { 1623 error_setg(errp, 1624 "Can't add a keyslot - all keyslots are in use"); 1625 return -1; 1626 } 1627 } 1628 1629 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) { 1630 error_setg(errp, 1631 "Refusing to overwrite active keyslot %i - " 1632 "please erase it first", 1633 keyslot); 1634 return -1; 1635 } 1636 1637 /* Locate the password that will be used to retrieve the master key */ 1638 old_password = qcrypto_secret_lookup_as_utf8(secret, errp); 1639 if (!old_password) { 1640 return -1; 1641 } 1642 1643 /* Retrieve the master key */ 1644 master_key = g_new0(uint8_t, luks->header.master_key_len); 1645 1646 if (qcrypto_block_luks_find_key(block, old_password, master_key, 1647 readfunc, opaque, errp) < 0) { 1648 error_append_hint(errp, "Failed to retrieve the master key"); 1649 return -1; 1650 } 1651 1652 /* Locate the new password*/ 1653 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp); 1654 if (!new_password) { 1655 return -1; 1656 } 1657 1658 /* Now set the new keyslots */ 1659 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key, 1660 iter_time, writefunc, opaque, errp)) { 1661 error_append_hint(errp, "Failed to write to keyslot %i", keyslot); 1662 return -1; 1663 } 1664 return 0; 1665 } 1666 1667 static int 1668 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block, 1669 QCryptoBlockReadFunc readfunc, 1670 QCryptoBlockWriteFunc writefunc, 1671 void *opaque, 1672 QCryptoBlockAmendOptionsLUKS *opts_luks, 1673 bool force, 1674 Error **errp) 1675 { 1676 QCryptoBlockLUKS *luks = block->opaque; 1677 g_autofree uint8_t *tmpkey = NULL; 1678 g_autofree char *old_password = NULL; 1679 1680 if (opts_luks->has_new_secret) { 1681 error_setg(errp, 1682 "'new-secret' must not be given when erasing keyslots"); 1683 return -1; 1684 } 1685 if (opts_luks->has_iter_time) { 1686 error_setg(errp, 1687 "'iter-time' must not be given when erasing keyslots"); 1688 return -1; 1689 } 1690 if (opts_luks->has_secret) { 1691 error_setg(errp, 1692 "'secret' must not be given when erasing keyslots"); 1693 return -1; 1694 } 1695 1696 /* Load the old password if given */ 1697 if (opts_luks->has_old_secret) { 1698 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret, 1699 errp); 1700 if (!old_password) { 1701 return -1; 1702 } 1703 1704 /* 1705 * Allocate a temporary key buffer that we will need when 1706 * checking if slot matches the given old password 1707 */ 1708 tmpkey = g_new0(uint8_t, luks->header.master_key_len); 1709 } 1710 1711 /* Erase an explicitly given keyslot */ 1712 if (opts_luks->has_keyslot) { 1713 int keyslot = opts_luks->keyslot; 1714 1715 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1716 error_setg(errp, 1717 "Invalid keyslot %i specified, must be between 0 and %i", 1718 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1719 return -1; 1720 } 1721 1722 if (opts_luks->has_old_secret) { 1723 int rv = qcrypto_block_luks_load_key(block, 1724 keyslot, 1725 old_password, 1726 tmpkey, 1727 readfunc, 1728 opaque, 1729 errp); 1730 if (rv == -1) { 1731 return -1; 1732 } else if (rv == 0) { 1733 error_setg(errp, 1734 "Given keyslot %i doesn't contain the given " 1735 "old password for erase operation", 1736 keyslot); 1737 return -1; 1738 } 1739 } 1740 1741 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) { 1742 error_setg(errp, 1743 "Given keyslot %i is already erased (inactive) ", 1744 keyslot); 1745 return -1; 1746 } 1747 1748 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) { 1749 error_setg(errp, 1750 "Attempt to erase the only active keyslot %i " 1751 "which will erase all the data in the image " 1752 "irreversibly - refusing operation", 1753 keyslot); 1754 return -1; 1755 } 1756 1757 if (qcrypto_block_luks_erase_key(block, keyslot, 1758 writefunc, opaque, errp)) { 1759 error_append_hint(errp, "Failed to erase keyslot %i", keyslot); 1760 return -1; 1761 } 1762 1763 /* Erase all keyslots that match the given old password */ 1764 } else if (opts_luks->has_old_secret) { 1765 1766 unsigned long slots_to_erase_bitmap = 0; 1767 size_t i; 1768 int slot_count; 1769 1770 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <= 1771 sizeof(slots_to_erase_bitmap) * 8); 1772 1773 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1774 int rv = qcrypto_block_luks_load_key(block, 1775 i, 1776 old_password, 1777 tmpkey, 1778 readfunc, 1779 opaque, 1780 errp); 1781 if (rv == -1) { 1782 return -1; 1783 } else if (rv == 1) { 1784 bitmap_set(&slots_to_erase_bitmap, i, 1); 1785 } 1786 } 1787 1788 slot_count = bitmap_count_one(&slots_to_erase_bitmap, 1789 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1790 if (slot_count == 0) { 1791 error_setg(errp, 1792 "No keyslots match given (old) password for erase operation"); 1793 return -1; 1794 } 1795 1796 if (!force && 1797 slot_count == qcrypto_block_luks_count_active_slots(luks)) { 1798 error_setg(errp, 1799 "All the active keyslots match the (old) password that " 1800 "was given and erasing them will erase all the data in " 1801 "the image irreversibly - refusing operation"); 1802 return -1; 1803 } 1804 1805 /* Now apply the update */ 1806 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1807 if (!test_bit(i, &slots_to_erase_bitmap)) { 1808 continue; 1809 } 1810 if (qcrypto_block_luks_erase_key(block, i, writefunc, 1811 opaque, errp)) { 1812 error_append_hint(errp, "Failed to erase keyslot %zu", i); 1813 return -1; 1814 } 1815 } 1816 } else { 1817 error_setg(errp, 1818 "To erase keyslot(s), either explicit keyslot index " 1819 "or the password currently contained in them must be given"); 1820 return -1; 1821 } 1822 return 0; 1823 } 1824 1825 static int 1826 qcrypto_block_luks_amend_options(QCryptoBlock *block, 1827 QCryptoBlockReadFunc readfunc, 1828 QCryptoBlockWriteFunc writefunc, 1829 void *opaque, 1830 QCryptoBlockAmendOptions *options, 1831 bool force, 1832 Error **errp) 1833 { 1834 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks; 1835 1836 switch (opts_luks->state) { 1837 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE: 1838 return qcrypto_block_luks_amend_add_keyslot(block, readfunc, 1839 writefunc, opaque, 1840 opts_luks, force, errp); 1841 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE: 1842 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc, 1843 writefunc, opaque, 1844 opts_luks, force, errp); 1845 default: 1846 g_assert_not_reached(); 1847 } 1848 } 1849 1850 static int qcrypto_block_luks_get_info(QCryptoBlock *block, 1851 QCryptoBlockInfo *info, 1852 Error **errp) 1853 { 1854 QCryptoBlockLUKS *luks = block->opaque; 1855 QCryptoBlockInfoLUKSSlot *slot; 1856 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots; 1857 size_t i; 1858 1859 info->u.luks.cipher_alg = luks->cipher_alg; 1860 info->u.luks.cipher_mode = luks->cipher_mode; 1861 info->u.luks.ivgen_alg = luks->ivgen_alg; 1862 if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1863 info->u.luks.has_ivgen_hash_alg = true; 1864 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; 1865 } 1866 info->u.luks.hash_alg = luks->hash_alg; 1867 info->u.luks.payload_offset = block->payload_offset; 1868 info->u.luks.master_key_iters = luks->header.master_key_iterations; 1869 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, 1870 sizeof(luks->header.uuid)); 1871 1872 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1873 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); 1874 slot->active = luks->header.key_slots[i].active == 1875 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1876 slot->key_offset = luks->header.key_slots[i].key_offset_sector 1877 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1878 if (slot->active) { 1879 slot->has_iters = true; 1880 slot->iters = luks->header.key_slots[i].iterations; 1881 slot->has_stripes = true; 1882 slot->stripes = luks->header.key_slots[i].stripes; 1883 } 1884 1885 QAPI_LIST_APPEND(tail, slot); 1886 } 1887 1888 return 0; 1889 } 1890 1891 1892 static void qcrypto_block_luks_cleanup(QCryptoBlock *block) 1893 { 1894 QCryptoBlockLUKS *luks = block->opaque; 1895 if (luks) { 1896 g_free(luks->secret); 1897 g_free(luks); 1898 } 1899 } 1900 1901 1902 static int 1903 qcrypto_block_luks_decrypt(QCryptoBlock *block, 1904 uint64_t offset, 1905 uint8_t *buf, 1906 size_t len, 1907 Error **errp) 1908 { 1909 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1910 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1911 return qcrypto_block_decrypt_helper(block, 1912 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1913 offset, buf, len, errp); 1914 } 1915 1916 1917 static int 1918 qcrypto_block_luks_encrypt(QCryptoBlock *block, 1919 uint64_t offset, 1920 uint8_t *buf, 1921 size_t len, 1922 Error **errp) 1923 { 1924 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1925 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1926 return qcrypto_block_encrypt_helper(block, 1927 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1928 offset, buf, len, errp); 1929 } 1930 1931 1932 const QCryptoBlockDriver qcrypto_block_driver_luks = { 1933 .open = qcrypto_block_luks_open, 1934 .create = qcrypto_block_luks_create, 1935 .amend = qcrypto_block_luks_amend_options, 1936 .get_info = qcrypto_block_luks_get_info, 1937 .cleanup = qcrypto_block_luks_cleanup, 1938 .decrypt = qcrypto_block_luks_decrypt, 1939 .encrypt = qcrypto_block_luks_encrypt, 1940 .has_format = qcrypto_block_luks_has_format, 1941 }; 1942