xref: /openbmc/qemu/block/crypto.c (revision b0dd0a3d)
1 /*
2  * QEMU block full disk encryption
3  *
4  * Copyright (c) 2015-2016 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 
23 #include "block/block_int.h"
24 #include "block/qdict.h"
25 #include "sysemu/block-backend.h"
26 #include "crypto/block.h"
27 #include "qapi/opts-visitor.h"
28 #include "qapi/qapi-visit-crypto.h"
29 #include "qapi/qobject-input-visitor.h"
30 #include "qapi/error.h"
31 #include "qemu/module.h"
32 #include "qemu/option.h"
33 #include "qemu/cutils.h"
34 #include "qemu/memalign.h"
35 #include "crypto.h"
36 
37 typedef struct BlockCrypto BlockCrypto;
38 
39 struct BlockCrypto {
40     QCryptoBlock *block;
41     bool updating_keys;
42 };
43 
44 
45 static int block_crypto_probe_generic(QCryptoBlockFormat format,
46                                       const uint8_t *buf,
47                                       int buf_size,
48                                       const char *filename)
49 {
50     if (qcrypto_block_has_format(format, buf, buf_size)) {
51         return 100;
52     } else {
53         return 0;
54     }
55 }
56 
57 
58 static ssize_t block_crypto_read_func(QCryptoBlock *block,
59                                       size_t offset,
60                                       uint8_t *buf,
61                                       size_t buflen,
62                                       void *opaque,
63                                       Error **errp)
64 {
65     BlockDriverState *bs = opaque;
66     ssize_t ret;
67 
68     ret = bdrv_pread(bs->file, offset, buf, buflen);
69     if (ret < 0) {
70         error_setg_errno(errp, -ret, "Could not read encryption header");
71         return ret;
72     }
73     return ret;
74 }
75 
76 static ssize_t block_crypto_write_func(QCryptoBlock *block,
77                                        size_t offset,
78                                        const uint8_t *buf,
79                                        size_t buflen,
80                                        void *opaque,
81                                        Error **errp)
82 {
83     BlockDriverState *bs = opaque;
84     ssize_t ret;
85 
86     ret = bdrv_pwrite(bs->file, offset, buf, buflen);
87     if (ret < 0) {
88         error_setg_errno(errp, -ret, "Could not write encryption header");
89         return ret;
90     }
91     return ret;
92 }
93 
94 
95 struct BlockCryptoCreateData {
96     BlockBackend *blk;
97     uint64_t size;
98     PreallocMode prealloc;
99 };
100 
101 
102 static ssize_t block_crypto_create_write_func(QCryptoBlock *block,
103                                               size_t offset,
104                                               const uint8_t *buf,
105                                               size_t buflen,
106                                               void *opaque,
107                                               Error **errp)
108 {
109     struct BlockCryptoCreateData *data = opaque;
110     ssize_t ret;
111 
112     ret = blk_pwrite(data->blk, offset, buf, buflen, 0);
113     if (ret < 0) {
114         error_setg_errno(errp, -ret, "Could not write encryption header");
115         return ret;
116     }
117     return ret;
118 }
119 
120 static ssize_t block_crypto_create_init_func(QCryptoBlock *block,
121                                              size_t headerlen,
122                                              void *opaque,
123                                              Error **errp)
124 {
125     struct BlockCryptoCreateData *data = opaque;
126     Error *local_error = NULL;
127     int ret;
128 
129     if (data->size > INT64_MAX || headerlen > INT64_MAX - data->size) {
130         ret = -EFBIG;
131         goto error;
132     }
133 
134     /* User provided size should reflect amount of space made
135      * available to the guest, so we must take account of that
136      * which will be used by the crypto header
137      */
138     ret = blk_truncate(data->blk, data->size + headerlen, false,
139                        data->prealloc, 0, &local_error);
140 
141     if (ret >= 0) {
142         return ret;
143     }
144 
145 error:
146     if (ret == -EFBIG) {
147         /* Replace the error message with a better one */
148         error_free(local_error);
149         error_setg(errp, "The requested file size is too large");
150     } else {
151         error_propagate(errp, local_error);
152     }
153 
154     return ret;
155 }
156 
157 
158 static QemuOptsList block_crypto_runtime_opts_luks = {
159     .name = "crypto",
160     .head = QTAILQ_HEAD_INITIALIZER(block_crypto_runtime_opts_luks.head),
161     .desc = {
162         BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET(""),
163         { /* end of list */ }
164     },
165 };
166 
167 
168 static QemuOptsList block_crypto_create_opts_luks = {
169     .name = "crypto",
170     .head = QTAILQ_HEAD_INITIALIZER(block_crypto_create_opts_luks.head),
171     .desc = {
172         {
173             .name = BLOCK_OPT_SIZE,
174             .type = QEMU_OPT_SIZE,
175             .help = "Virtual disk size"
176         },
177         BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET(""),
178         BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG(""),
179         BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE(""),
180         BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG(""),
181         BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG(""),
182         BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG(""),
183         BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(""),
184         { /* end of list */ }
185     },
186 };
187 
188 
189 static QemuOptsList block_crypto_amend_opts_luks = {
190     .name = "crypto",
191     .head = QTAILQ_HEAD_INITIALIZER(block_crypto_create_opts_luks.head),
192     .desc = {
193         BLOCK_CRYPTO_OPT_DEF_LUKS_STATE(""),
194         BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT(""),
195         BLOCK_CRYPTO_OPT_DEF_LUKS_OLD_SECRET(""),
196         BLOCK_CRYPTO_OPT_DEF_LUKS_NEW_SECRET(""),
197         BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(""),
198         { /* end of list */ }
199     },
200 };
201 
202 QCryptoBlockOpenOptions *
203 block_crypto_open_opts_init(QDict *opts, Error **errp)
204 {
205     Visitor *v;
206     QCryptoBlockOpenOptions *ret;
207 
208     v = qobject_input_visitor_new_flat_confused(opts, errp);
209     if (!v) {
210         return NULL;
211     }
212 
213     visit_type_QCryptoBlockOpenOptions(v, NULL, &ret, errp);
214 
215     visit_free(v);
216     return ret;
217 }
218 
219 
220 QCryptoBlockCreateOptions *
221 block_crypto_create_opts_init(QDict *opts, Error **errp)
222 {
223     Visitor *v;
224     QCryptoBlockCreateOptions *ret;
225 
226     v = qobject_input_visitor_new_flat_confused(opts, errp);
227     if (!v) {
228         return NULL;
229     }
230 
231     visit_type_QCryptoBlockCreateOptions(v, NULL, &ret, errp);
232 
233     visit_free(v);
234     return ret;
235 }
236 
237 QCryptoBlockAmendOptions *
238 block_crypto_amend_opts_init(QDict *opts, Error **errp)
239 {
240     Visitor *v;
241     QCryptoBlockAmendOptions *ret;
242 
243     v = qobject_input_visitor_new_flat_confused(opts, errp);
244     if (!v) {
245         return NULL;
246     }
247 
248     visit_type_QCryptoBlockAmendOptions(v, NULL, &ret, errp);
249 
250     visit_free(v);
251     return ret;
252 }
253 
254 
255 static int block_crypto_open_generic(QCryptoBlockFormat format,
256                                      QemuOptsList *opts_spec,
257                                      BlockDriverState *bs,
258                                      QDict *options,
259                                      int flags,
260                                      Error **errp)
261 {
262     BlockCrypto *crypto = bs->opaque;
263     QemuOpts *opts = NULL;
264     int ret = -EINVAL;
265     QCryptoBlockOpenOptions *open_opts = NULL;
266     unsigned int cflags = 0;
267     QDict *cryptoopts = NULL;
268 
269     bs->file = bdrv_open_child(NULL, options, "file", bs, &child_of_bds,
270                                BDRV_CHILD_IMAGE, false, errp);
271     if (!bs->file) {
272         return -EINVAL;
273     }
274 
275     bs->supported_write_flags = BDRV_REQ_FUA &
276         bs->file->bs->supported_write_flags;
277 
278     opts = qemu_opts_create(opts_spec, NULL, 0, &error_abort);
279     if (!qemu_opts_absorb_qdict(opts, options, errp)) {
280         goto cleanup;
281     }
282 
283     cryptoopts = qemu_opts_to_qdict(opts, NULL);
284     qdict_put_str(cryptoopts, "format", QCryptoBlockFormat_str(format));
285 
286     open_opts = block_crypto_open_opts_init(cryptoopts, errp);
287     if (!open_opts) {
288         goto cleanup;
289     }
290 
291     if (flags & BDRV_O_NO_IO) {
292         cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
293     }
294     crypto->block = qcrypto_block_open(open_opts, NULL,
295                                        block_crypto_read_func,
296                                        bs,
297                                        cflags,
298                                        1,
299                                        errp);
300 
301     if (!crypto->block) {
302         ret = -EIO;
303         goto cleanup;
304     }
305 
306     bs->encrypted = true;
307 
308     ret = 0;
309  cleanup:
310     qobject_unref(cryptoopts);
311     qapi_free_QCryptoBlockOpenOptions(open_opts);
312     return ret;
313 }
314 
315 
316 static int block_crypto_co_create_generic(BlockDriverState *bs,
317                                           int64_t size,
318                                           QCryptoBlockCreateOptions *opts,
319                                           PreallocMode prealloc,
320                                           Error **errp)
321 {
322     int ret;
323     BlockBackend *blk;
324     QCryptoBlock *crypto = NULL;
325     struct BlockCryptoCreateData data;
326 
327     blk = blk_new_with_bs(bs, BLK_PERM_WRITE | BLK_PERM_RESIZE, BLK_PERM_ALL,
328                           errp);
329     if (!blk) {
330         ret = -EPERM;
331         goto cleanup;
332     }
333 
334     if (prealloc == PREALLOC_MODE_METADATA) {
335         prealloc = PREALLOC_MODE_OFF;
336     }
337 
338     data = (struct BlockCryptoCreateData) {
339         .blk = blk,
340         .size = size,
341         .prealloc = prealloc,
342     };
343 
344     crypto = qcrypto_block_create(opts, NULL,
345                                   block_crypto_create_init_func,
346                                   block_crypto_create_write_func,
347                                   &data,
348                                   errp);
349 
350     if (!crypto) {
351         ret = -EIO;
352         goto cleanup;
353     }
354 
355     ret = 0;
356  cleanup:
357     qcrypto_block_free(crypto);
358     blk_unref(blk);
359     return ret;
360 }
361 
362 static int coroutine_fn
363 block_crypto_co_truncate(BlockDriverState *bs, int64_t offset, bool exact,
364                          PreallocMode prealloc, BdrvRequestFlags flags,
365                          Error **errp)
366 {
367     BlockCrypto *crypto = bs->opaque;
368     uint64_t payload_offset =
369         qcrypto_block_get_payload_offset(crypto->block);
370 
371     if (payload_offset > INT64_MAX - offset) {
372         error_setg(errp, "The requested file size is too large");
373         return -EFBIG;
374     }
375 
376     offset += payload_offset;
377 
378     return bdrv_co_truncate(bs->file, offset, exact, prealloc, 0, errp);
379 }
380 
381 static void block_crypto_close(BlockDriverState *bs)
382 {
383     BlockCrypto *crypto = bs->opaque;
384     qcrypto_block_free(crypto->block);
385 }
386 
387 static int block_crypto_reopen_prepare(BDRVReopenState *state,
388                                        BlockReopenQueue *queue, Error **errp)
389 {
390     /* nothing needs checking */
391     return 0;
392 }
393 
394 /*
395  * 1 MB bounce buffer gives good performance / memory tradeoff
396  * when using cache=none|directsync.
397  */
398 #define BLOCK_CRYPTO_MAX_IO_SIZE (1024 * 1024)
399 
400 static coroutine_fn int
401 block_crypto_co_preadv(BlockDriverState *bs, int64_t offset, int64_t bytes,
402                        QEMUIOVector *qiov, BdrvRequestFlags flags)
403 {
404     BlockCrypto *crypto = bs->opaque;
405     uint64_t cur_bytes; /* number of bytes in current iteration */
406     uint64_t bytes_done = 0;
407     uint8_t *cipher_data = NULL;
408     QEMUIOVector hd_qiov;
409     int ret = 0;
410     uint64_t sector_size = qcrypto_block_get_sector_size(crypto->block);
411     uint64_t payload_offset = qcrypto_block_get_payload_offset(crypto->block);
412 
413     assert(!flags);
414     assert(payload_offset < INT64_MAX);
415     assert(QEMU_IS_ALIGNED(offset, sector_size));
416     assert(QEMU_IS_ALIGNED(bytes, sector_size));
417 
418     qemu_iovec_init(&hd_qiov, qiov->niov);
419 
420     /* Bounce buffer because we don't wish to expose cipher text
421      * in qiov which points to guest memory.
422      */
423     cipher_data =
424         qemu_try_blockalign(bs->file->bs, MIN(BLOCK_CRYPTO_MAX_IO_SIZE,
425                                               qiov->size));
426     if (cipher_data == NULL) {
427         ret = -ENOMEM;
428         goto cleanup;
429     }
430 
431     while (bytes) {
432         cur_bytes = MIN(bytes, BLOCK_CRYPTO_MAX_IO_SIZE);
433 
434         qemu_iovec_reset(&hd_qiov);
435         qemu_iovec_add(&hd_qiov, cipher_data, cur_bytes);
436 
437         ret = bdrv_co_preadv(bs->file, payload_offset + offset + bytes_done,
438                              cur_bytes, &hd_qiov, 0);
439         if (ret < 0) {
440             goto cleanup;
441         }
442 
443         if (qcrypto_block_decrypt(crypto->block, offset + bytes_done,
444                                   cipher_data, cur_bytes, NULL) < 0) {
445             ret = -EIO;
446             goto cleanup;
447         }
448 
449         qemu_iovec_from_buf(qiov, bytes_done, cipher_data, cur_bytes);
450 
451         bytes -= cur_bytes;
452         bytes_done += cur_bytes;
453     }
454 
455  cleanup:
456     qemu_iovec_destroy(&hd_qiov);
457     qemu_vfree(cipher_data);
458 
459     return ret;
460 }
461 
462 
463 static coroutine_fn int
464 block_crypto_co_pwritev(BlockDriverState *bs, int64_t offset, int64_t bytes,
465                         QEMUIOVector *qiov, BdrvRequestFlags flags)
466 {
467     BlockCrypto *crypto = bs->opaque;
468     uint64_t cur_bytes; /* number of bytes in current iteration */
469     uint64_t bytes_done = 0;
470     uint8_t *cipher_data = NULL;
471     QEMUIOVector hd_qiov;
472     int ret = 0;
473     uint64_t sector_size = qcrypto_block_get_sector_size(crypto->block);
474     uint64_t payload_offset = qcrypto_block_get_payload_offset(crypto->block);
475 
476     assert(!(flags & ~BDRV_REQ_FUA));
477     assert(payload_offset < INT64_MAX);
478     assert(QEMU_IS_ALIGNED(offset, sector_size));
479     assert(QEMU_IS_ALIGNED(bytes, sector_size));
480 
481     qemu_iovec_init(&hd_qiov, qiov->niov);
482 
483     /* Bounce buffer because we're not permitted to touch
484      * contents of qiov - it points to guest memory.
485      */
486     cipher_data =
487         qemu_try_blockalign(bs->file->bs, MIN(BLOCK_CRYPTO_MAX_IO_SIZE,
488                                               qiov->size));
489     if (cipher_data == NULL) {
490         ret = -ENOMEM;
491         goto cleanup;
492     }
493 
494     while (bytes) {
495         cur_bytes = MIN(bytes, BLOCK_CRYPTO_MAX_IO_SIZE);
496 
497         qemu_iovec_to_buf(qiov, bytes_done, cipher_data, cur_bytes);
498 
499         if (qcrypto_block_encrypt(crypto->block, offset + bytes_done,
500                                   cipher_data, cur_bytes, NULL) < 0) {
501             ret = -EIO;
502             goto cleanup;
503         }
504 
505         qemu_iovec_reset(&hd_qiov);
506         qemu_iovec_add(&hd_qiov, cipher_data, cur_bytes);
507 
508         ret = bdrv_co_pwritev(bs->file, payload_offset + offset + bytes_done,
509                               cur_bytes, &hd_qiov, flags);
510         if (ret < 0) {
511             goto cleanup;
512         }
513 
514         bytes -= cur_bytes;
515         bytes_done += cur_bytes;
516     }
517 
518  cleanup:
519     qemu_iovec_destroy(&hd_qiov);
520     qemu_vfree(cipher_data);
521 
522     return ret;
523 }
524 
525 static void block_crypto_refresh_limits(BlockDriverState *bs, Error **errp)
526 {
527     BlockCrypto *crypto = bs->opaque;
528     uint64_t sector_size = qcrypto_block_get_sector_size(crypto->block);
529     bs->bl.request_alignment = sector_size; /* No sub-sector I/O */
530 }
531 
532 
533 static int64_t block_crypto_getlength(BlockDriverState *bs)
534 {
535     BlockCrypto *crypto = bs->opaque;
536     int64_t len = bdrv_getlength(bs->file->bs);
537 
538     uint64_t offset = qcrypto_block_get_payload_offset(crypto->block);
539     assert(offset < INT64_MAX);
540 
541     if (offset > len) {
542         return -EIO;
543     }
544 
545     len -= offset;
546 
547     return len;
548 }
549 
550 
551 static BlockMeasureInfo *block_crypto_measure(QemuOpts *opts,
552                                               BlockDriverState *in_bs,
553                                               Error **errp)
554 {
555     g_autoptr(QCryptoBlockCreateOptions) create_opts = NULL;
556     Error *local_err = NULL;
557     BlockMeasureInfo *info;
558     uint64_t size;
559     size_t luks_payload_size;
560     QDict *cryptoopts;
561 
562     /*
563      * Preallocation mode doesn't affect size requirements but we must consume
564      * the option.
565      */
566     g_free(qemu_opt_get_del(opts, BLOCK_OPT_PREALLOC));
567 
568     size = qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0);
569 
570     if (in_bs) {
571         int64_t ssize = bdrv_getlength(in_bs);
572 
573         if (ssize < 0) {
574             error_setg_errno(&local_err, -ssize,
575                              "Unable to get image virtual_size");
576             goto err;
577         }
578 
579         size = ssize;
580     }
581 
582     cryptoopts = qemu_opts_to_qdict_filtered(opts, NULL,
583             &block_crypto_create_opts_luks, true);
584     qdict_put_str(cryptoopts, "format", "luks");
585     create_opts = block_crypto_create_opts_init(cryptoopts, &local_err);
586     qobject_unref(cryptoopts);
587     if (!create_opts) {
588         goto err;
589     }
590 
591     if (!qcrypto_block_calculate_payload_offset(create_opts, NULL,
592                                                 &luks_payload_size,
593                                                 &local_err)) {
594         goto err;
595     }
596 
597     /*
598      * Unallocated blocks are still encrypted so allocation status makes no
599      * difference to the file size.
600      */
601     info = g_new0(BlockMeasureInfo, 1);
602     info->fully_allocated = luks_payload_size + size;
603     info->required = luks_payload_size + size;
604     return info;
605 
606 err:
607     error_propagate(errp, local_err);
608     return NULL;
609 }
610 
611 
612 static int block_crypto_probe_luks(const uint8_t *buf,
613                                    int buf_size,
614                                    const char *filename) {
615     return block_crypto_probe_generic(Q_CRYPTO_BLOCK_FORMAT_LUKS,
616                                       buf, buf_size, filename);
617 }
618 
619 static int block_crypto_open_luks(BlockDriverState *bs,
620                                   QDict *options,
621                                   int flags,
622                                   Error **errp)
623 {
624     return block_crypto_open_generic(Q_CRYPTO_BLOCK_FORMAT_LUKS,
625                                      &block_crypto_runtime_opts_luks,
626                                      bs, options, flags, errp);
627 }
628 
629 static int coroutine_fn
630 block_crypto_co_create_luks(BlockdevCreateOptions *create_options, Error **errp)
631 {
632     BlockdevCreateOptionsLUKS *luks_opts;
633     BlockDriverState *bs = NULL;
634     QCryptoBlockCreateOptions create_opts;
635     PreallocMode preallocation = PREALLOC_MODE_OFF;
636     int ret;
637 
638     assert(create_options->driver == BLOCKDEV_DRIVER_LUKS);
639     luks_opts = &create_options->u.luks;
640 
641     bs = bdrv_open_blockdev_ref(luks_opts->file, errp);
642     if (bs == NULL) {
643         return -EIO;
644     }
645 
646     create_opts = (QCryptoBlockCreateOptions) {
647         .format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
648         .u.luks = *qapi_BlockdevCreateOptionsLUKS_base(luks_opts),
649     };
650 
651     if (luks_opts->has_preallocation) {
652         preallocation = luks_opts->preallocation;
653     }
654 
655     ret = block_crypto_co_create_generic(bs, luks_opts->size, &create_opts,
656                                          preallocation, errp);
657     if (ret < 0) {
658         goto fail;
659     }
660 
661     ret = 0;
662 fail:
663     bdrv_unref(bs);
664     return ret;
665 }
666 
667 static int coroutine_fn block_crypto_co_create_opts_luks(BlockDriver *drv,
668                                                          const char *filename,
669                                                          QemuOpts *opts,
670                                                          Error **errp)
671 {
672     QCryptoBlockCreateOptions *create_opts = NULL;
673     BlockDriverState *bs = NULL;
674     QDict *cryptoopts;
675     PreallocMode prealloc;
676     char *buf = NULL;
677     int64_t size;
678     int ret;
679     Error *local_err = NULL;
680 
681     /* Parse options */
682     size = qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0);
683 
684     buf = qemu_opt_get_del(opts, BLOCK_OPT_PREALLOC);
685     prealloc = qapi_enum_parse(&PreallocMode_lookup, buf,
686                                PREALLOC_MODE_OFF, &local_err);
687     g_free(buf);
688     if (local_err) {
689         error_propagate(errp, local_err);
690         return -EINVAL;
691     }
692 
693     cryptoopts = qemu_opts_to_qdict_filtered(opts, NULL,
694                                              &block_crypto_create_opts_luks,
695                                              true);
696 
697     qdict_put_str(cryptoopts, "format", "luks");
698     create_opts = block_crypto_create_opts_init(cryptoopts, errp);
699     if (!create_opts) {
700         ret = -EINVAL;
701         goto fail;
702     }
703 
704     /* Create protocol layer */
705     ret = bdrv_create_file(filename, opts, errp);
706     if (ret < 0) {
707         goto fail;
708     }
709 
710     bs = bdrv_open(filename, NULL, NULL,
711                    BDRV_O_RDWR | BDRV_O_RESIZE | BDRV_O_PROTOCOL, errp);
712     if (!bs) {
713         ret = -EINVAL;
714         goto fail;
715     }
716 
717     /* Create format layer */
718     ret = block_crypto_co_create_generic(bs, size, create_opts, prealloc, errp);
719     if (ret < 0) {
720         goto fail;
721     }
722 
723     ret = 0;
724 fail:
725     /*
726      * If an error occurred, delete 'filename'. Even if the file existed
727      * beforehand, it has been truncated and corrupted in the process.
728      */
729     if (ret) {
730         bdrv_co_delete_file_noerr(bs);
731     }
732 
733     bdrv_unref(bs);
734     qapi_free_QCryptoBlockCreateOptions(create_opts);
735     qobject_unref(cryptoopts);
736     return ret;
737 }
738 
739 static int block_crypto_get_info_luks(BlockDriverState *bs,
740                                       BlockDriverInfo *bdi)
741 {
742     BlockDriverInfo subbdi;
743     int ret;
744 
745     ret = bdrv_get_info(bs->file->bs, &subbdi);
746     if (ret != 0) {
747         return ret;
748     }
749 
750     bdi->cluster_size = subbdi.cluster_size;
751 
752     return 0;
753 }
754 
755 static ImageInfoSpecific *
756 block_crypto_get_specific_info_luks(BlockDriverState *bs, Error **errp)
757 {
758     BlockCrypto *crypto = bs->opaque;
759     ImageInfoSpecific *spec_info;
760     QCryptoBlockInfo *info;
761 
762     info = qcrypto_block_get_info(crypto->block, errp);
763     if (!info) {
764         return NULL;
765     }
766     assert(info->format == Q_CRYPTO_BLOCK_FORMAT_LUKS);
767 
768     spec_info = g_new(ImageInfoSpecific, 1);
769     spec_info->type = IMAGE_INFO_SPECIFIC_KIND_LUKS;
770     spec_info->u.luks.data = g_new(QCryptoBlockInfoLUKS, 1);
771     *spec_info->u.luks.data = info->u.luks;
772 
773     /* Blank out pointers we've just stolen to avoid double free */
774     memset(&info->u.luks, 0, sizeof(info->u.luks));
775 
776     qapi_free_QCryptoBlockInfo(info);
777 
778     return spec_info;
779 }
780 
781 static int
782 block_crypto_amend_prepare(BlockDriverState *bs, Error **errp)
783 {
784     BlockCrypto *crypto = bs->opaque;
785     int ret;
786 
787     /* apply for exclusive read/write permissions to the underlying file */
788     crypto->updating_keys = true;
789     ret = bdrv_child_refresh_perms(bs, bs->file, errp);
790     if (ret < 0) {
791         /* Well, in this case we will not be updating any keys */
792         crypto->updating_keys = false;
793     }
794     return ret;
795 }
796 
797 static void
798 block_crypto_amend_cleanup(BlockDriverState *bs)
799 {
800     BlockCrypto *crypto = bs->opaque;
801     Error *errp = NULL;
802 
803     /* release exclusive read/write permissions to the underlying file */
804     crypto->updating_keys = false;
805     bdrv_child_refresh_perms(bs, bs->file, &errp);
806 
807     if (errp) {
808         error_report_err(errp);
809     }
810 }
811 
812 static int
813 block_crypto_amend_options_generic_luks(BlockDriverState *bs,
814                                         QCryptoBlockAmendOptions *amend_options,
815                                         bool force,
816                                         Error **errp)
817 {
818     BlockCrypto *crypto = bs->opaque;
819 
820     assert(crypto);
821     assert(crypto->block);
822 
823     return qcrypto_block_amend_options(crypto->block,
824                                        block_crypto_read_func,
825                                        block_crypto_write_func,
826                                        bs,
827                                        amend_options,
828                                        force,
829                                        errp);
830 }
831 
832 static int
833 block_crypto_amend_options_luks(BlockDriverState *bs,
834                                 QemuOpts *opts,
835                                 BlockDriverAmendStatusCB *status_cb,
836                                 void *cb_opaque,
837                                 bool force,
838                                 Error **errp)
839 {
840     BlockCrypto *crypto = bs->opaque;
841     QDict *cryptoopts = NULL;
842     QCryptoBlockAmendOptions *amend_options = NULL;
843     int ret = -EINVAL;
844 
845     assert(crypto);
846     assert(crypto->block);
847 
848     cryptoopts = qemu_opts_to_qdict(opts, NULL);
849     qdict_put_str(cryptoopts, "format", "luks");
850     amend_options = block_crypto_amend_opts_init(cryptoopts, errp);
851     qobject_unref(cryptoopts);
852     if (!amend_options) {
853         goto cleanup;
854     }
855 
856     ret = block_crypto_amend_prepare(bs, errp);
857     if (ret) {
858         goto perm_cleanup;
859     }
860     ret = block_crypto_amend_options_generic_luks(bs, amend_options,
861                                                   force, errp);
862 
863 perm_cleanup:
864     block_crypto_amend_cleanup(bs);
865 cleanup:
866     qapi_free_QCryptoBlockAmendOptions(amend_options);
867     return ret;
868 }
869 
870 static int
871 coroutine_fn block_crypto_co_amend_luks(BlockDriverState *bs,
872                                         BlockdevAmendOptions *opts,
873                                         bool force,
874                                         Error **errp)
875 {
876     QCryptoBlockAmendOptions amend_opts;
877 
878     amend_opts = (QCryptoBlockAmendOptions) {
879         .format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
880         .u.luks = *qapi_BlockdevAmendOptionsLUKS_base(&opts->u.luks),
881     };
882     return block_crypto_amend_options_generic_luks(bs, &amend_opts,
883                                                    force, errp);
884 }
885 
886 static void
887 block_crypto_child_perms(BlockDriverState *bs, BdrvChild *c,
888                          const BdrvChildRole role,
889                          BlockReopenQueue *reopen_queue,
890                          uint64_t perm, uint64_t shared,
891                          uint64_t *nperm, uint64_t *nshared)
892 {
893 
894     BlockCrypto *crypto = bs->opaque;
895 
896     bdrv_default_perms(bs, c, role, reopen_queue, perm, shared, nperm, nshared);
897 
898     /*
899      * For backward compatibility, manually share the write
900      * and resize permission
901      */
902     *nshared |= shared & (BLK_PERM_WRITE | BLK_PERM_RESIZE);
903     /*
904      * Since we are not fully a format driver, don't always request
905      * the read/resize permission but only when explicitly
906      * requested
907      */
908     *nperm &= ~(BLK_PERM_WRITE | BLK_PERM_RESIZE);
909     *nperm |= perm & (BLK_PERM_WRITE | BLK_PERM_RESIZE);
910 
911     /*
912      * This driver doesn't modify LUKS metadata except
913      * when updating the encryption slots.
914      * Thus unlike a proper format driver we don't ask for
915      * shared write/read permission. However we need it
916      * when we are updating the keys, to ensure that only we
917      * have access to the device.
918      *
919      * Encryption update will set the crypto->updating_keys
920      * during that period and refresh permissions
921      *
922      */
923     if (crypto->updating_keys) {
924         /* need exclusive write access for header update */
925         *nperm |= BLK_PERM_WRITE;
926         /* unshare read and write permission */
927         *nshared &= ~(BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE);
928     }
929 }
930 
931 
932 static const char *const block_crypto_strong_runtime_opts[] = {
933     BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET,
934 
935     NULL
936 };
937 
938 static BlockDriver bdrv_crypto_luks = {
939     .format_name        = "luks",
940     .instance_size      = sizeof(BlockCrypto),
941     .bdrv_probe         = block_crypto_probe_luks,
942     .bdrv_open          = block_crypto_open_luks,
943     .bdrv_close         = block_crypto_close,
944     .bdrv_child_perm    = block_crypto_child_perms,
945     .bdrv_co_create     = block_crypto_co_create_luks,
946     .bdrv_co_create_opts = block_crypto_co_create_opts_luks,
947     .bdrv_co_truncate   = block_crypto_co_truncate,
948     .create_opts        = &block_crypto_create_opts_luks,
949     .amend_opts         = &block_crypto_amend_opts_luks,
950 
951     .bdrv_reopen_prepare = block_crypto_reopen_prepare,
952     .bdrv_refresh_limits = block_crypto_refresh_limits,
953     .bdrv_co_preadv     = block_crypto_co_preadv,
954     .bdrv_co_pwritev    = block_crypto_co_pwritev,
955     .bdrv_getlength     = block_crypto_getlength,
956     .bdrv_measure       = block_crypto_measure,
957     .bdrv_get_info      = block_crypto_get_info_luks,
958     .bdrv_get_specific_info = block_crypto_get_specific_info_luks,
959     .bdrv_amend_options = block_crypto_amend_options_luks,
960     .bdrv_co_amend      = block_crypto_co_amend_luks,
961     .bdrv_amend_pre_run = block_crypto_amend_prepare,
962     .bdrv_amend_clean   = block_crypto_amend_cleanup,
963 
964     .is_format          = true,
965 
966     .strong_runtime_opts = block_crypto_strong_runtime_opts,
967 };
968 
969 static void block_crypto_init(void)
970 {
971     bdrv_register(&bdrv_crypto_luks);
972 }
973 
974 block_init(block_crypto_init);
975