xref: /openbmc/qemu/crypto/block-luks.c (revision 006e845b)
1 /*
2  * QEMU Crypto block device encryption LUKS format
3  *
4  * Copyright (c) 2015-2016 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/bswap.h"
24 
25 #include "block-luks.h"
26 #include "block-luks-priv.h"
27 
28 #include "crypto/hash.h"
29 #include "crypto/afsplit.h"
30 #include "crypto/pbkdf.h"
31 #include "crypto/secret.h"
32 #include "crypto/random.h"
33 #include "qemu/uuid.h"
34 
35 #include "qemu/bitmap.h"
36 
37 /*
38  * Reference for the LUKS format implemented here is
39  *
40  *   docs/on-disk-format.pdf
41  *
42  * in 'cryptsetup' package source code
43  *
44  * This file implements the 1.2.1 specification, dated
45  * Oct 16, 2011.
46  */
47 
48 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
49 
50 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
51 struct QCryptoBlockLUKSNameMap {
52     const char *name;
53     int id;
54 };
55 
56 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
57 struct QCryptoBlockLUKSCipherSizeMap {
58     uint32_t key_bytes;
59     int id;
60 };
61 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
62 struct QCryptoBlockLUKSCipherNameMap {
63     const char *name;
64     const QCryptoBlockLUKSCipherSizeMap *sizes;
65 };
66 
67 
68 static const QCryptoBlockLUKSCipherSizeMap
69 qcrypto_block_luks_cipher_size_map_aes[] = {
70     { 16, QCRYPTO_CIPHER_ALG_AES_128 },
71     { 24, QCRYPTO_CIPHER_ALG_AES_192 },
72     { 32, QCRYPTO_CIPHER_ALG_AES_256 },
73     { 0, 0 },
74 };
75 
76 static const QCryptoBlockLUKSCipherSizeMap
77 qcrypto_block_luks_cipher_size_map_cast5[] = {
78     { 16, QCRYPTO_CIPHER_ALG_CAST5_128 },
79     { 0, 0 },
80 };
81 
82 static const QCryptoBlockLUKSCipherSizeMap
83 qcrypto_block_luks_cipher_size_map_serpent[] = {
84     { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 },
85     { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 },
86     { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 },
87     { 0, 0 },
88 };
89 
90 static const QCryptoBlockLUKSCipherSizeMap
91 qcrypto_block_luks_cipher_size_map_twofish[] = {
92     { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 },
93     { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 },
94     { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 },
95     { 0, 0 },
96 };
97 
98 #ifdef CONFIG_CRYPTO_SM4
99 static const QCryptoBlockLUKSCipherSizeMap
100 qcrypto_block_luks_cipher_size_map_sm4[] = {
101     { 16, QCRYPTO_CIPHER_ALG_SM4},
102     { 0, 0 },
103 };
104 #endif
105 
106 static const QCryptoBlockLUKSCipherNameMap
107 qcrypto_block_luks_cipher_name_map[] = {
108     { "aes", qcrypto_block_luks_cipher_size_map_aes },
109     { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
110     { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
111     { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
112 #ifdef CONFIG_CRYPTO_SM4
113     { "sm4", qcrypto_block_luks_cipher_size_map_sm4},
114 #endif
115 };
116 
117 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
118 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
119 
120 
121 struct QCryptoBlockLUKS {
122     QCryptoBlockLUKSHeader header;
123 
124     /* Main encryption algorithm used for encryption*/
125     QCryptoCipherAlgorithm cipher_alg;
126 
127     /* Mode of encryption for the selected encryption algorithm */
128     QCryptoCipherMode cipher_mode;
129 
130     /* Initialization vector generation algorithm */
131     QCryptoIVGenAlgorithm ivgen_alg;
132 
133     /* Hash algorithm used for IV generation*/
134     QCryptoHashAlgorithm ivgen_hash_alg;
135 
136     /*
137      * Encryption algorithm used for IV generation.
138      * Usually the same as main encryption algorithm
139      */
140     QCryptoCipherAlgorithm ivgen_cipher_alg;
141 
142     /* Hash algorithm used in pbkdf2 function */
143     QCryptoHashAlgorithm hash_alg;
144 
145     /* Name of the secret that was used to open the image */
146     char *secret;
147 };
148 
149 
150 static int qcrypto_block_luks_cipher_name_lookup(const char *name,
151                                                  QCryptoCipherMode mode,
152                                                  uint32_t key_bytes,
153                                                  Error **errp)
154 {
155     const QCryptoBlockLUKSCipherNameMap *map =
156         qcrypto_block_luks_cipher_name_map;
157     size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
158     size_t i, j;
159 
160     if (mode == QCRYPTO_CIPHER_MODE_XTS) {
161         key_bytes /= 2;
162     }
163 
164     for (i = 0; i < maplen; i++) {
165         if (!g_str_equal(map[i].name, name)) {
166             continue;
167         }
168         for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
169             if (map[i].sizes[j].key_bytes == key_bytes) {
170                 return map[i].sizes[j].id;
171             }
172         }
173     }
174 
175     error_setg(errp, "Algorithm '%s' with key size %d bytes not supported",
176                name, key_bytes);
177     return 0;
178 }
179 
180 static const char *
181 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg,
182                                      Error **errp)
183 {
184     const QCryptoBlockLUKSCipherNameMap *map =
185         qcrypto_block_luks_cipher_name_map;
186     size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
187     size_t i, j;
188     for (i = 0; i < maplen; i++) {
189         for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
190             if (map[i].sizes[j].id == alg) {
191                 return map[i].name;
192             }
193         }
194     }
195 
196     error_setg(errp, "Algorithm '%s' not supported",
197                QCryptoCipherAlgorithm_str(alg));
198     return NULL;
199 }
200 
201 /* XXX replace with qapi_enum_parse() in future, when we can
202  * make that function emit a more friendly error message */
203 static int qcrypto_block_luks_name_lookup(const char *name,
204                                           const QEnumLookup *map,
205                                           const char *type,
206                                           Error **errp)
207 {
208     int ret = qapi_enum_parse(map, name, -1, NULL);
209 
210     if (ret < 0) {
211         error_setg(errp, "%s '%s' not supported", type, name);
212         return 0;
213     }
214     return ret;
215 }
216 
217 #define qcrypto_block_luks_cipher_mode_lookup(name, errp)               \
218     qcrypto_block_luks_name_lookup(name,                                \
219                                    &QCryptoCipherMode_lookup,           \
220                                    "Cipher mode",                       \
221                                    errp)
222 
223 #define qcrypto_block_luks_hash_name_lookup(name, errp)                 \
224     qcrypto_block_luks_name_lookup(name,                                \
225                                    &QCryptoHashAlgorithm_lookup,        \
226                                    "Hash algorithm",                    \
227                                    errp)
228 
229 #define qcrypto_block_luks_ivgen_name_lookup(name, errp)                \
230     qcrypto_block_luks_name_lookup(name,                                \
231                                    &QCryptoIVGenAlgorithm_lookup,       \
232                                    "IV generator",                      \
233                                    errp)
234 
235 
236 static bool
237 qcrypto_block_luks_has_format(const uint8_t *buf,
238                               size_t buf_size)
239 {
240     const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
241 
242     if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
243         memcmp(luks_header->magic, qcrypto_block_luks_magic,
244                QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
245         be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
246         return true;
247     } else {
248         return false;
249     }
250 }
251 
252 
253 /**
254  * Deal with a quirk of dm-crypt usage of ESSIV.
255  *
256  * When calculating ESSIV IVs, the cipher length used by ESSIV
257  * may be different from the cipher length used for the block
258  * encryption, because dm-crypt uses the hash digest length
259  * as the key size. ie, if you have AES 128 as the block cipher
260  * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
261  * the cipher since that gets a key length matching the digest
262  * size, not AES 128 with truncated digest as might be imagined
263  */
264 static QCryptoCipherAlgorithm
265 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher,
266                                 QCryptoHashAlgorithm hash,
267                                 Error **errp)
268 {
269     size_t digestlen = qcrypto_hash_digest_len(hash);
270     size_t keylen = qcrypto_cipher_get_key_len(cipher);
271     if (digestlen == keylen) {
272         return cipher;
273     }
274 
275     switch (cipher) {
276     case QCRYPTO_CIPHER_ALG_AES_128:
277     case QCRYPTO_CIPHER_ALG_AES_192:
278     case QCRYPTO_CIPHER_ALG_AES_256:
279         if (digestlen == qcrypto_cipher_get_key_len(
280                 QCRYPTO_CIPHER_ALG_AES_128)) {
281             return QCRYPTO_CIPHER_ALG_AES_128;
282         } else if (digestlen == qcrypto_cipher_get_key_len(
283                        QCRYPTO_CIPHER_ALG_AES_192)) {
284             return QCRYPTO_CIPHER_ALG_AES_192;
285         } else if (digestlen == qcrypto_cipher_get_key_len(
286                        QCRYPTO_CIPHER_ALG_AES_256)) {
287             return QCRYPTO_CIPHER_ALG_AES_256;
288         } else {
289             error_setg(errp, "No AES cipher with key size %zu available",
290                        digestlen);
291             return 0;
292         }
293         break;
294     case QCRYPTO_CIPHER_ALG_SERPENT_128:
295     case QCRYPTO_CIPHER_ALG_SERPENT_192:
296     case QCRYPTO_CIPHER_ALG_SERPENT_256:
297         if (digestlen == qcrypto_cipher_get_key_len(
298                 QCRYPTO_CIPHER_ALG_SERPENT_128)) {
299             return QCRYPTO_CIPHER_ALG_SERPENT_128;
300         } else if (digestlen == qcrypto_cipher_get_key_len(
301                        QCRYPTO_CIPHER_ALG_SERPENT_192)) {
302             return QCRYPTO_CIPHER_ALG_SERPENT_192;
303         } else if (digestlen == qcrypto_cipher_get_key_len(
304                        QCRYPTO_CIPHER_ALG_SERPENT_256)) {
305             return QCRYPTO_CIPHER_ALG_SERPENT_256;
306         } else {
307             error_setg(errp, "No Serpent cipher with key size %zu available",
308                        digestlen);
309             return 0;
310         }
311         break;
312     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
313     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
314     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
315         if (digestlen == qcrypto_cipher_get_key_len(
316                 QCRYPTO_CIPHER_ALG_TWOFISH_128)) {
317             return QCRYPTO_CIPHER_ALG_TWOFISH_128;
318         } else if (digestlen == qcrypto_cipher_get_key_len(
319                        QCRYPTO_CIPHER_ALG_TWOFISH_192)) {
320             return QCRYPTO_CIPHER_ALG_TWOFISH_192;
321         } else if (digestlen == qcrypto_cipher_get_key_len(
322                        QCRYPTO_CIPHER_ALG_TWOFISH_256)) {
323             return QCRYPTO_CIPHER_ALG_TWOFISH_256;
324         } else {
325             error_setg(errp, "No Twofish cipher with key size %zu available",
326                        digestlen);
327             return 0;
328         }
329         break;
330     default:
331         error_setg(errp, "Cipher %s not supported with essiv",
332                    QCryptoCipherAlgorithm_str(cipher));
333         return 0;
334     }
335 }
336 
337 /*
338  * Returns number of sectors needed to store the key material
339  * given number of anti forensic stripes
340  */
341 static int
342 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
343                                        unsigned int header_sectors,
344                                        unsigned int stripes)
345 {
346     /*
347      * This calculation doesn't match that shown in the spec,
348      * but instead follows the cryptsetup implementation.
349      */
350 
351     size_t splitkeylen = luks->header.master_key_len * stripes;
352 
353     /* First align the key material size to block size*/
354     size_t splitkeylen_sectors =
355         DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
356 
357     /* Then also align the key material size to the size of the header */
358     return ROUND_UP(splitkeylen_sectors, header_sectors);
359 }
360 
361 
362 void
363 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr)
364 {
365     size_t i;
366 
367     /*
368      * Everything on disk uses Big Endian (tm), so flip header fields
369      * before writing them
370      */
371     cpu_to_be16s(&hdr->version);
372     cpu_to_be32s(&hdr->payload_offset_sector);
373     cpu_to_be32s(&hdr->master_key_len);
374     cpu_to_be32s(&hdr->master_key_iterations);
375 
376     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
377         cpu_to_be32s(&hdr->key_slots[i].active);
378         cpu_to_be32s(&hdr->key_slots[i].iterations);
379         cpu_to_be32s(&hdr->key_slots[i].key_offset_sector);
380         cpu_to_be32s(&hdr->key_slots[i].stripes);
381     }
382 }
383 
384 void
385 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr)
386 {
387     size_t i;
388 
389     /*
390      * The header is always stored in big-endian format, so
391      * convert everything to native
392      */
393     be16_to_cpus(&hdr->version);
394     be32_to_cpus(&hdr->payload_offset_sector);
395     be32_to_cpus(&hdr->master_key_len);
396     be32_to_cpus(&hdr->master_key_iterations);
397 
398     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
399         be32_to_cpus(&hdr->key_slots[i].active);
400         be32_to_cpus(&hdr->key_slots[i].iterations);
401         be32_to_cpus(&hdr->key_slots[i].key_offset_sector);
402         be32_to_cpus(&hdr->key_slots[i].stripes);
403     }
404 }
405 
406 /*
407  * Stores the main LUKS header, taking care of endianness
408  */
409 static int
410 qcrypto_block_luks_store_header(QCryptoBlock *block,
411                                 QCryptoBlockWriteFunc writefunc,
412                                 void *opaque,
413                                 Error **errp)
414 {
415     const QCryptoBlockLUKS *luks = block->opaque;
416     Error *local_err = NULL;
417     g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
418 
419     /* Create a copy of the header */
420     hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
421     memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
422 
423     qcrypto_block_luks_to_disk_endian(hdr_copy);
424 
425     /* Write out the partition header and key slot headers */
426     writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
427               opaque, &local_err);
428 
429     if (local_err) {
430         error_propagate(errp, local_err);
431         return -1;
432     }
433     return 0;
434 }
435 
436 /*
437  * Loads the main LUKS header, and byteswaps it to native endianness
438  * And run basic sanity checks on it
439  */
440 static int
441 qcrypto_block_luks_load_header(QCryptoBlock *block,
442                                 QCryptoBlockReadFunc readfunc,
443                                 void *opaque,
444                                 Error **errp)
445 {
446     int rv;
447     QCryptoBlockLUKS *luks = block->opaque;
448 
449     /*
450      * Read the entire LUKS header, minus the key material from
451      * the underlying device
452      */
453     rv = readfunc(block, 0,
454                   (uint8_t *)&luks->header,
455                   sizeof(luks->header),
456                   opaque,
457                   errp);
458     if (rv < 0) {
459         return rv;
460     }
461 
462     qcrypto_block_luks_from_disk_endian(&luks->header);
463 
464     return 0;
465 }
466 
467 /*
468  * Does basic sanity checks on the LUKS header
469  */
470 static int
471 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks,
472                                 unsigned int flags,
473                                 Error **errp)
474 {
475     size_t i, j;
476 
477     unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
478         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
479     bool detached = flags & QCRYPTO_BLOCK_OPEN_DETACHED;
480 
481     if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
482                QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
483         error_setg(errp, "Volume is not in LUKS format");
484         return -1;
485     }
486 
487     if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
488         error_setg(errp, "LUKS version %" PRIu32 " is not supported",
489                    luks->header.version);
490         return -1;
491     }
492 
493     if (!memchr(luks->header.cipher_name, '\0',
494                 sizeof(luks->header.cipher_name))) {
495         error_setg(errp, "LUKS header cipher name is not NUL terminated");
496         return -1;
497     }
498 
499     if (!memchr(luks->header.cipher_mode, '\0',
500                 sizeof(luks->header.cipher_mode))) {
501         error_setg(errp, "LUKS header cipher mode is not NUL terminated");
502         return -1;
503     }
504 
505     if (!memchr(luks->header.hash_spec, '\0',
506                 sizeof(luks->header.hash_spec))) {
507         error_setg(errp, "LUKS header hash spec is not NUL terminated");
508         return -1;
509     }
510 
511     if (!detached && luks->header.payload_offset_sector <
512         DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
513                      QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
514         error_setg(errp, "LUKS payload is overlapping with the header");
515         return -1;
516     }
517 
518     if (luks->header.master_key_iterations == 0) {
519         error_setg(errp, "LUKS key iteration count is zero");
520         return -1;
521     }
522 
523     /* Check all keyslots for corruption  */
524     for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
525 
526         const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
527         unsigned int start1 = slot1->key_offset_sector;
528         unsigned int len1 =
529             qcrypto_block_luks_splitkeylen_sectors(luks,
530                                                    header_sectors,
531                                                    slot1->stripes);
532 
533         if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) {
534             error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)",
535                        i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES);
536             return -1;
537         }
538 
539         if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
540             slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
541             error_setg(errp,
542                        "Keyslot %zu state (active/disable) is corrupted", i);
543             return -1;
544         }
545 
546         if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED &&
547             slot1->iterations == 0) {
548             error_setg(errp, "Keyslot %zu iteration count is zero", i);
549             return -1;
550         }
551 
552         if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
553                                   QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
554             error_setg(errp,
555                        "Keyslot %zu is overlapping with the LUKS header",
556                        i);
557             return -1;
558         }
559 
560         if (!detached && start1 + len1 > luks->header.payload_offset_sector) {
561             error_setg(errp,
562                        "Keyslot %zu is overlapping with the encrypted payload",
563                        i);
564             return -1;
565         }
566 
567         for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
568             const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
569             unsigned int start2 = slot2->key_offset_sector;
570             unsigned int len2 =
571                 qcrypto_block_luks_splitkeylen_sectors(luks,
572                                                        header_sectors,
573                                                        slot2->stripes);
574 
575             if (start1 + len1 > start2 && start2 + len2 > start1) {
576                 error_setg(errp,
577                            "Keyslots %zu and %zu are overlapping in the header",
578                            i, j);
579                 return -1;
580             }
581         }
582 
583     }
584     return 0;
585 }
586 
587 /*
588  * Parses the crypto parameters that are stored in the LUKS header
589  */
590 
591 static int
592 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
593 {
594     g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
595     char *ivgen_name, *ivhash_name;
596     Error *local_err = NULL;
597 
598     /*
599      * The cipher_mode header contains a string that we have
600      * to further parse, of the format
601      *
602      *    <cipher-mode>-<iv-generator>[:<iv-hash>]
603      *
604      * eg  cbc-essiv:sha256, cbc-plain64
605      */
606     ivgen_name = strchr(cipher_mode, '-');
607     if (!ivgen_name) {
608         error_setg(errp, "Unexpected cipher mode string format '%s'",
609                    luks->header.cipher_mode);
610         return -1;
611     }
612     *ivgen_name = '\0';
613     ivgen_name++;
614 
615     ivhash_name = strchr(ivgen_name, ':');
616     if (!ivhash_name) {
617         luks->ivgen_hash_alg = 0;
618     } else {
619         *ivhash_name = '\0';
620         ivhash_name++;
621 
622         luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
623                                                                    &local_err);
624         if (local_err) {
625             error_propagate(errp, local_err);
626             return -1;
627         }
628     }
629 
630     luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
631                                                               &local_err);
632     if (local_err) {
633         error_propagate(errp, local_err);
634         return -1;
635     }
636 
637     luks->cipher_alg =
638             qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
639                                                   luks->cipher_mode,
640                                                   luks->header.master_key_len,
641                                                   &local_err);
642     if (local_err) {
643         error_propagate(errp, local_err);
644         return -1;
645     }
646 
647     luks->hash_alg =
648             qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
649                                                 &local_err);
650     if (local_err) {
651         error_propagate(errp, local_err);
652         return -1;
653     }
654 
655     luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
656                                                            &local_err);
657     if (local_err) {
658         error_propagate(errp, local_err);
659         return -1;
660     }
661 
662     if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
663         if (!ivhash_name) {
664             error_setg(errp, "Missing IV generator hash specification");
665             return -1;
666         }
667         luks->ivgen_cipher_alg =
668                 qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
669                                                 luks->ivgen_hash_alg,
670                                                 &local_err);
671         if (local_err) {
672             error_propagate(errp, local_err);
673             return -1;
674         }
675     } else {
676 
677         /*
678          * Note we parsed the ivhash_name earlier in the cipher_mode
679          * spec string even with plain/plain64 ivgens, but we
680          * will ignore it, since it is irrelevant for these ivgens.
681          * This is for compat with dm-crypt which will silently
682          * ignore hash names with these ivgens rather than report
683          * an error about the invalid usage
684          */
685         luks->ivgen_cipher_alg = luks->cipher_alg;
686     }
687     return 0;
688 }
689 
690 /*
691  * Given a key slot,  user password, and the master key,
692  * will store the encrypted master key there, and update the
693  * in-memory header. User must then write the in-memory header
694  *
695  * Returns:
696  *    0 if the keyslot was written successfully
697  *      with the provided password
698  *   -1 if a fatal error occurred while storing the key
699  */
700 static int
701 qcrypto_block_luks_store_key(QCryptoBlock *block,
702                              unsigned int slot_idx,
703                              const char *password,
704                              uint8_t *masterkey,
705                              uint64_t iter_time,
706                              QCryptoBlockWriteFunc writefunc,
707                              void *opaque,
708                              Error **errp)
709 {
710     QCryptoBlockLUKS *luks = block->opaque;
711     QCryptoBlockLUKSKeySlot *slot;
712     g_autofree uint8_t *splitkey = NULL;
713     size_t splitkeylen;
714     g_autofree uint8_t *slotkey = NULL;
715     g_autoptr(QCryptoCipher) cipher = NULL;
716     g_autoptr(QCryptoIVGen) ivgen = NULL;
717     Error *local_err = NULL;
718     uint64_t iters;
719     int ret = -1;
720 
721     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
722     slot = &luks->header.key_slots[slot_idx];
723     splitkeylen = luks->header.master_key_len * slot->stripes;
724 
725     if (qcrypto_random_bytes(slot->salt,
726                              QCRYPTO_BLOCK_LUKS_SALT_LEN,
727                              errp) < 0) {
728         goto cleanup;
729     }
730 
731     /*
732      * Determine how many iterations are required to
733      * hash the user password while consuming 1 second of compute
734      * time
735      */
736     iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
737                                        (uint8_t *)password, strlen(password),
738                                        slot->salt,
739                                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
740                                        luks->header.master_key_len,
741                                        &local_err);
742     if (local_err) {
743         error_propagate(errp, local_err);
744         goto cleanup;
745     }
746 
747     if (iters > (ULLONG_MAX / iter_time)) {
748         error_setg_errno(errp, ERANGE,
749                          "PBKDF iterations %llu too large to scale",
750                          (unsigned long long)iters);
751         goto cleanup;
752     }
753 
754     /* iter_time was in millis, but count_iters reported for secs */
755     iters = iters * iter_time / 1000;
756 
757     if (iters > UINT32_MAX) {
758         error_setg_errno(errp, ERANGE,
759                          "PBKDF iterations %llu larger than %u",
760                          (unsigned long long)iters, UINT32_MAX);
761         goto cleanup;
762     }
763 
764     slot->iterations =
765         MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
766 
767 
768     /*
769      * Generate a key that we'll use to encrypt the master
770      * key, from the user's password
771      */
772     slotkey = g_new0(uint8_t, luks->header.master_key_len);
773     if (qcrypto_pbkdf2(luks->hash_alg,
774                        (uint8_t *)password, strlen(password),
775                        slot->salt,
776                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
777                        slot->iterations,
778                        slotkey, luks->header.master_key_len,
779                        errp) < 0) {
780         goto cleanup;
781     }
782 
783 
784     /*
785      * Setup the encryption objects needed to encrypt the
786      * master key material
787      */
788     cipher = qcrypto_cipher_new(luks->cipher_alg,
789                                 luks->cipher_mode,
790                                 slotkey, luks->header.master_key_len,
791                                 errp);
792     if (!cipher) {
793         goto cleanup;
794     }
795 
796     ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
797                               luks->ivgen_cipher_alg,
798                               luks->ivgen_hash_alg,
799                               slotkey, luks->header.master_key_len,
800                               errp);
801     if (!ivgen) {
802         goto cleanup;
803     }
804 
805     /*
806      * Before storing the master key, we need to vastly
807      * increase its size, as protection against forensic
808      * disk data recovery
809      */
810     splitkey = g_new0(uint8_t, splitkeylen);
811 
812     if (qcrypto_afsplit_encode(luks->hash_alg,
813                                luks->header.master_key_len,
814                                slot->stripes,
815                                masterkey,
816                                splitkey,
817                                errp) < 0) {
818         goto cleanup;
819     }
820 
821     /*
822      * Now we encrypt the split master key with the key generated
823      * from the user's password, before storing it
824      */
825     if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
826                                             QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
827                                             0,
828                                             splitkey,
829                                             splitkeylen,
830                                             errp) < 0) {
831         goto cleanup;
832     }
833 
834     /* Write out the slot's master key material. */
835     if (writefunc(block,
836                   slot->key_offset_sector *
837                   QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
838                   splitkey, splitkeylen,
839                   opaque,
840                   errp) < 0) {
841         goto cleanup;
842     }
843 
844     slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
845 
846     if (qcrypto_block_luks_store_header(block,  writefunc, opaque, errp) < 0) {
847         goto cleanup;
848     }
849 
850     ret = 0;
851 
852 cleanup:
853     if (slotkey) {
854         memset(slotkey, 0, luks->header.master_key_len);
855     }
856     if (splitkey) {
857         memset(splitkey, 0, splitkeylen);
858     }
859     return ret;
860 }
861 
862 /*
863  * Given a key slot, and user password, this will attempt to unlock
864  * the master encryption key from the key slot.
865  *
866  * Returns:
867  *    0 if the key slot is disabled, or key could not be decrypted
868  *      with the provided password
869  *    1 if the key slot is enabled, and key decrypted successfully
870  *      with the provided password
871  *   -1 if a fatal error occurred loading the key
872  */
873 static int
874 qcrypto_block_luks_load_key(QCryptoBlock *block,
875                             size_t slot_idx,
876                             const char *password,
877                             uint8_t *masterkey,
878                             QCryptoBlockReadFunc readfunc,
879                             void *opaque,
880                             Error **errp)
881 {
882     QCryptoBlockLUKS *luks = block->opaque;
883     const QCryptoBlockLUKSKeySlot *slot;
884     g_autofree uint8_t *splitkey = NULL;
885     size_t splitkeylen;
886     g_autofree uint8_t *possiblekey = NULL;
887     int rv;
888     g_autoptr(QCryptoCipher) cipher = NULL;
889     uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
890     g_autoptr(QCryptoIVGen) ivgen = NULL;
891     size_t niv;
892 
893     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
894     slot = &luks->header.key_slots[slot_idx];
895     if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
896         return 0;
897     }
898 
899     splitkeylen = luks->header.master_key_len * slot->stripes;
900     splitkey = g_new0(uint8_t, splitkeylen);
901     possiblekey = g_new0(uint8_t, luks->header.master_key_len);
902 
903     /*
904      * The user password is used to generate a (possible)
905      * decryption key. This may or may not successfully
906      * decrypt the master key - we just blindly assume
907      * the key is correct and validate the results of
908      * decryption later.
909      */
910     if (qcrypto_pbkdf2(luks->hash_alg,
911                        (const uint8_t *)password, strlen(password),
912                        slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
913                        slot->iterations,
914                        possiblekey, luks->header.master_key_len,
915                        errp) < 0) {
916         return -1;
917     }
918 
919     /*
920      * We need to read the master key material from the
921      * LUKS key material header. What we're reading is
922      * not the raw master key, but rather the data after
923      * it has been passed through AFSplit and the result
924      * then encrypted.
925      */
926     rv = readfunc(block,
927                   slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
928                   splitkey, splitkeylen,
929                   opaque,
930                   errp);
931     if (rv < 0) {
932         return -1;
933     }
934 
935 
936     /* Setup the cipher/ivgen that we'll use to try to decrypt
937      * the split master key material */
938     cipher = qcrypto_cipher_new(luks->cipher_alg,
939                                 luks->cipher_mode,
940                                 possiblekey,
941                                 luks->header.master_key_len,
942                                 errp);
943     if (!cipher) {
944         return -1;
945     }
946 
947     niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
948                                     luks->cipher_mode);
949 
950     ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
951                               luks->ivgen_cipher_alg,
952                               luks->ivgen_hash_alg,
953                               possiblekey,
954                               luks->header.master_key_len,
955                               errp);
956     if (!ivgen) {
957         return -1;
958     }
959 
960 
961     /*
962      * The master key needs to be decrypted in the same
963      * way that the block device payload will be decrypted
964      * later. In particular we'll be using the IV generator
965      * to reset the encryption cipher every time the master
966      * key crosses a sector boundary.
967      */
968     if (qcrypto_block_cipher_decrypt_helper(cipher,
969                                             niv,
970                                             ivgen,
971                                             QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
972                                             0,
973                                             splitkey,
974                                             splitkeylen,
975                                             errp) < 0) {
976         return -1;
977     }
978 
979     /*
980      * Now we've decrypted the split master key, join
981      * it back together to get the actual master key.
982      */
983     if (qcrypto_afsplit_decode(luks->hash_alg,
984                                luks->header.master_key_len,
985                                slot->stripes,
986                                splitkey,
987                                masterkey,
988                                errp) < 0) {
989         return -1;
990     }
991 
992 
993     /*
994      * We still don't know that the masterkey we got is valid,
995      * because we just blindly assumed the user's password
996      * was correct. This is where we now verify it. We are
997      * creating a hash of the master key using PBKDF and
998      * then comparing that to the hash stored in the key slot
999      * header
1000      */
1001     if (qcrypto_pbkdf2(luks->hash_alg,
1002                        masterkey,
1003                        luks->header.master_key_len,
1004                        luks->header.master_key_salt,
1005                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
1006                        luks->header.master_key_iterations,
1007                        keydigest,
1008                        G_N_ELEMENTS(keydigest),
1009                        errp) < 0) {
1010         return -1;
1011     }
1012 
1013     if (memcmp(keydigest, luks->header.master_key_digest,
1014                QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
1015         /* Success, we got the right master key */
1016         return 1;
1017     }
1018 
1019     /* Fail, user's password was not valid for this key slot,
1020      * tell caller to try another slot */
1021     return 0;
1022 }
1023 
1024 
1025 /*
1026  * Given a user password, this will iterate over all key
1027  * slots and try to unlock each active key slot using the
1028  * password until it successfully obtains a master key.
1029  *
1030  * Returns 0 if a key was loaded, -1 if no keys could be loaded
1031  */
1032 static int
1033 qcrypto_block_luks_find_key(QCryptoBlock *block,
1034                             const char *password,
1035                             uint8_t *masterkey,
1036                             QCryptoBlockReadFunc readfunc,
1037                             void *opaque,
1038                             Error **errp)
1039 {
1040     size_t i;
1041     int rv;
1042 
1043     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1044         rv = qcrypto_block_luks_load_key(block,
1045                                          i,
1046                                          password,
1047                                          masterkey,
1048                                          readfunc,
1049                                          opaque,
1050                                          errp);
1051         if (rv < 0) {
1052             goto error;
1053         }
1054         if (rv == 1) {
1055             return 0;
1056         }
1057     }
1058 
1059     error_setg(errp, "Invalid password, cannot unlock any keyslot");
1060  error:
1061     return -1;
1062 }
1063 
1064 /*
1065  * Returns true if a slot i is marked as active
1066  * (contains encrypted copy of the master key)
1067  */
1068 static bool
1069 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
1070                                unsigned int slot_idx)
1071 {
1072     uint32_t val;
1073 
1074     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1075     val = luks->header.key_slots[slot_idx].active;
1076     return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1077 }
1078 
1079 /*
1080  * Returns the number of slots that are marked as active
1081  * (slots that contain encrypted copy of the master key)
1082  */
1083 static unsigned int
1084 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
1085 {
1086     size_t i = 0;
1087     unsigned int ret = 0;
1088 
1089     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1090         if (qcrypto_block_luks_slot_active(luks, i)) {
1091             ret++;
1092         }
1093     }
1094     return ret;
1095 }
1096 
1097 /*
1098  * Finds first key slot which is not active
1099  * Returns the key slot index, or -1 if it doesn't exist
1100  */
1101 static int
1102 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
1103 {
1104     size_t i;
1105 
1106     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1107         if (!qcrypto_block_luks_slot_active(luks, i)) {
1108             return i;
1109         }
1110     }
1111     return -1;
1112 }
1113 
1114 /*
1115  * Erases an keyslot given its index
1116  * Returns:
1117  *    0 if the keyslot was erased successfully
1118  *   -1 if a error occurred while erasing the keyslot
1119  *
1120  */
1121 static int
1122 qcrypto_block_luks_erase_key(QCryptoBlock *block,
1123                              unsigned int slot_idx,
1124                              QCryptoBlockWriteFunc writefunc,
1125                              void *opaque,
1126                              Error **errp)
1127 {
1128     QCryptoBlockLUKS *luks = block->opaque;
1129     QCryptoBlockLUKSKeySlot *slot;
1130     g_autofree uint8_t *garbagesplitkey = NULL;
1131     size_t splitkeylen;
1132     size_t i;
1133     Error *local_err = NULL;
1134     int ret;
1135 
1136     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1137     slot = &luks->header.key_slots[slot_idx];
1138 
1139     splitkeylen = luks->header.master_key_len * slot->stripes;
1140     assert(splitkeylen > 0);
1141 
1142     garbagesplitkey = g_new0(uint8_t, splitkeylen);
1143 
1144     /* Reset the key slot header */
1145     memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
1146     slot->iterations = 0;
1147     slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1148 
1149     ret = qcrypto_block_luks_store_header(block, writefunc,
1150                                           opaque, &local_err);
1151 
1152     if (ret < 0) {
1153         error_propagate(errp, local_err);
1154     }
1155     /*
1156      * Now try to erase the key material, even if the header
1157      * update failed
1158      */
1159     for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
1160         if (qcrypto_random_bytes(garbagesplitkey,
1161                                  splitkeylen, &local_err) < 0) {
1162             /*
1163              * If we failed to get the random data, still write
1164              * at least zeros to the key slot at least once
1165              */
1166             error_propagate(errp, local_err);
1167 
1168             if (i > 0) {
1169                 return -1;
1170             }
1171         }
1172         if (writefunc(block,
1173                       slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1174                       garbagesplitkey,
1175                       splitkeylen,
1176                       opaque,
1177                       &local_err) < 0) {
1178             error_propagate(errp, local_err);
1179             return -1;
1180         }
1181     }
1182     return ret;
1183 }
1184 
1185 static int
1186 qcrypto_block_luks_open(QCryptoBlock *block,
1187                         QCryptoBlockOpenOptions *options,
1188                         const char *optprefix,
1189                         QCryptoBlockReadFunc readfunc,
1190                         void *opaque,
1191                         unsigned int flags,
1192                         size_t n_threads,
1193                         Error **errp)
1194 {
1195     QCryptoBlockLUKS *luks = NULL;
1196     g_autofree uint8_t *masterkey = NULL;
1197     g_autofree char *password = NULL;
1198 
1199     if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1200         if (!options->u.luks.key_secret) {
1201             error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1202                        optprefix ? optprefix : "");
1203             return -1;
1204         }
1205         password = qcrypto_secret_lookup_as_utf8(
1206             options->u.luks.key_secret, errp);
1207         if (!password) {
1208             return -1;
1209         }
1210     }
1211 
1212     luks = g_new0(QCryptoBlockLUKS, 1);
1213     block->opaque = luks;
1214     luks->secret = g_strdup(options->u.luks.key_secret);
1215 
1216     if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
1217         goto fail;
1218     }
1219 
1220     if (qcrypto_block_luks_check_header(luks, flags, errp) < 0) {
1221         goto fail;
1222     }
1223 
1224     if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
1225         goto fail;
1226     }
1227 
1228     if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1229         /* Try to find which key slot our password is valid for
1230          * and unlock the master key from that slot.
1231          */
1232 
1233         masterkey = g_new0(uint8_t, luks->header.master_key_len);
1234 
1235         if (qcrypto_block_luks_find_key(block,
1236                                         password,
1237                                         masterkey,
1238                                         readfunc, opaque,
1239                                         errp) < 0) {
1240             goto fail;
1241         }
1242 
1243         /* We have a valid master key now, so can setup the
1244          * block device payload decryption objects
1245          */
1246         block->kdfhash = luks->hash_alg;
1247         block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
1248                                                luks->cipher_mode);
1249 
1250         block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
1251                                          luks->ivgen_cipher_alg,
1252                                          luks->ivgen_hash_alg,
1253                                          masterkey,
1254                                          luks->header.master_key_len,
1255                                          errp);
1256         if (!block->ivgen) {
1257             goto fail;
1258         }
1259 
1260         if (qcrypto_block_init_cipher(block,
1261                                       luks->cipher_alg,
1262                                       luks->cipher_mode,
1263                                       masterkey,
1264                                       luks->header.master_key_len,
1265                                       n_threads,
1266                                       errp) < 0) {
1267             goto fail;
1268         }
1269     }
1270 
1271     block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1272     block->payload_offset = luks->header.payload_offset_sector *
1273         block->sector_size;
1274     block->detached_header = (block->payload_offset == 0) ? true : false;
1275 
1276     return 0;
1277 
1278  fail:
1279     qcrypto_block_free_cipher(block);
1280     qcrypto_ivgen_free(block->ivgen);
1281     g_free(luks->secret);
1282     g_free(luks);
1283     return -1;
1284 }
1285 
1286 
1287 static void
1288 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
1289 {
1290     QemuUUID uuid;
1291     qemu_uuid_generate(&uuid);
1292     qemu_uuid_unparse(&uuid, (char *)uuidstr);
1293 }
1294 
1295 static int
1296 qcrypto_block_luks_create(QCryptoBlock *block,
1297                           QCryptoBlockCreateOptions *options,
1298                           const char *optprefix,
1299                           QCryptoBlockInitFunc initfunc,
1300                           QCryptoBlockWriteFunc writefunc,
1301                           void *opaque,
1302                           Error **errp)
1303 {
1304     QCryptoBlockLUKS *luks;
1305     QCryptoBlockCreateOptionsLUKS luks_opts;
1306     Error *local_err = NULL;
1307     g_autofree uint8_t *masterkey = NULL;
1308     size_t header_sectors;
1309     size_t split_key_sectors;
1310     size_t i;
1311     g_autofree char *password = NULL;
1312     const char *cipher_alg;
1313     const char *cipher_mode;
1314     const char *ivgen_alg;
1315     const char *ivgen_hash_alg = NULL;
1316     const char *hash_alg;
1317     g_autofree char *cipher_mode_spec = NULL;
1318     uint64_t iters;
1319     uint64_t detached_header_size;
1320 
1321     memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
1322     if (!luks_opts.has_iter_time) {
1323         luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1324     }
1325     if (!luks_opts.has_cipher_alg) {
1326         luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
1327     }
1328     if (!luks_opts.has_cipher_mode) {
1329         luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
1330     }
1331     if (!luks_opts.has_ivgen_alg) {
1332         luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
1333     }
1334     if (!luks_opts.has_hash_alg) {
1335         luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
1336     }
1337     if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1338         if (!luks_opts.has_ivgen_hash_alg) {
1339             luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
1340             luks_opts.has_ivgen_hash_alg = true;
1341         }
1342     }
1343 
1344     luks = g_new0(QCryptoBlockLUKS, 1);
1345     block->opaque = luks;
1346 
1347     luks->cipher_alg = luks_opts.cipher_alg;
1348     luks->cipher_mode = luks_opts.cipher_mode;
1349     luks->ivgen_alg = luks_opts.ivgen_alg;
1350     luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
1351     luks->hash_alg = luks_opts.hash_alg;
1352 
1353 
1354     /* Note we're allowing ivgen_hash_alg to be set even for
1355      * non-essiv iv generators that don't need a hash. It will
1356      * be silently ignored, for compatibility with dm-crypt */
1357 
1358     if (!options->u.luks.key_secret) {
1359         error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1360                    optprefix ? optprefix : "");
1361         goto error;
1362     }
1363     luks->secret = g_strdup(options->u.luks.key_secret);
1364 
1365     password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
1366     if (!password) {
1367         goto error;
1368     }
1369 
1370 
1371     memcpy(luks->header.magic, qcrypto_block_luks_magic,
1372            QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
1373 
1374     /* We populate the header in native endianness initially and
1375      * then convert everything to big endian just before writing
1376      * it out to disk
1377      */
1378     luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
1379     qcrypto_block_luks_uuid_gen(luks->header.uuid);
1380 
1381     cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
1382                                                       errp);
1383     if (!cipher_alg) {
1384         goto error;
1385     }
1386 
1387     cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
1388     ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg);
1389     if (luks_opts.has_ivgen_hash_alg) {
1390         ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg);
1391         cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
1392                                            ivgen_hash_alg);
1393     } else {
1394         cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
1395     }
1396     hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg);
1397 
1398 
1399     if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
1400         error_setg(errp, "Cipher name '%s' is too long for LUKS header",
1401                    cipher_alg);
1402         goto error;
1403     }
1404     if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
1405         error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
1406                    cipher_mode_spec);
1407         goto error;
1408     }
1409     if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
1410         error_setg(errp, "Hash name '%s' is too long for LUKS header",
1411                    hash_alg);
1412         goto error;
1413     }
1414 
1415     if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1416         luks->ivgen_cipher_alg =
1417                 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
1418                                                 luks_opts.ivgen_hash_alg,
1419                                                 &local_err);
1420         if (local_err) {
1421             error_propagate(errp, local_err);
1422             goto error;
1423         }
1424     } else {
1425         luks->ivgen_cipher_alg = luks_opts.cipher_alg;
1426     }
1427 
1428     strcpy(luks->header.cipher_name, cipher_alg);
1429     strcpy(luks->header.cipher_mode, cipher_mode_spec);
1430     strcpy(luks->header.hash_spec, hash_alg);
1431 
1432     luks->header.master_key_len =
1433         qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
1434 
1435     if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
1436         luks->header.master_key_len *= 2;
1437     }
1438 
1439     /* Generate the salt used for hashing the master key
1440      * with PBKDF later
1441      */
1442     if (qcrypto_random_bytes(luks->header.master_key_salt,
1443                              QCRYPTO_BLOCK_LUKS_SALT_LEN,
1444                              errp) < 0) {
1445         goto error;
1446     }
1447 
1448     /* Generate random master key */
1449     masterkey = g_new0(uint8_t, luks->header.master_key_len);
1450     if (qcrypto_random_bytes(masterkey,
1451                              luks->header.master_key_len, errp) < 0) {
1452         goto error;
1453     }
1454 
1455 
1456     /* Setup the block device payload encryption objects */
1457     if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
1458                                   luks_opts.cipher_mode, masterkey,
1459                                   luks->header.master_key_len, 1, errp) < 0) {
1460         goto error;
1461     }
1462 
1463     block->kdfhash = luks_opts.hash_alg;
1464     block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
1465                                            luks_opts.cipher_mode);
1466     block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
1467                                      luks->ivgen_cipher_alg,
1468                                      luks_opts.ivgen_hash_alg,
1469                                      masterkey, luks->header.master_key_len,
1470                                      errp);
1471 
1472     if (!block->ivgen) {
1473         goto error;
1474     }
1475 
1476 
1477     /* Determine how many iterations we need to hash the master
1478      * key, in order to have 1 second of compute time used
1479      */
1480     iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
1481                                        masterkey, luks->header.master_key_len,
1482                                        luks->header.master_key_salt,
1483                                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
1484                                        QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1485                                        &local_err);
1486     if (local_err) {
1487         error_propagate(errp, local_err);
1488         goto error;
1489     }
1490 
1491     if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
1492         error_setg_errno(errp, ERANGE,
1493                          "PBKDF iterations %llu too large to scale",
1494                          (unsigned long long)iters);
1495         goto error;
1496     }
1497 
1498     /* iter_time was in millis, but count_iters reported for secs */
1499     iters = iters * luks_opts.iter_time / 1000;
1500 
1501     /* Why /= 8 ?  That matches cryptsetup, but there's no
1502      * explanation why they chose /= 8... Probably so that
1503      * if all 8 keyslots are active we only spend 1 second
1504      * in total time to check all keys */
1505     iters /= 8;
1506     if (iters > UINT32_MAX) {
1507         error_setg_errno(errp, ERANGE,
1508                          "PBKDF iterations %llu larger than %u",
1509                          (unsigned long long)iters, UINT32_MAX);
1510         goto error;
1511     }
1512     iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
1513     luks->header.master_key_iterations = iters;
1514 
1515     /* Hash the master key, saving the result in the LUKS
1516      * header. This hash is used when opening the encrypted
1517      * device to verify that the user password unlocked a
1518      * valid master key
1519      */
1520     if (qcrypto_pbkdf2(luks_opts.hash_alg,
1521                        masterkey, luks->header.master_key_len,
1522                        luks->header.master_key_salt,
1523                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
1524                        luks->header.master_key_iterations,
1525                        luks->header.master_key_digest,
1526                        QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1527                        errp) < 0) {
1528         goto error;
1529     }
1530 
1531     /* start with the sector that follows the header*/
1532     header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
1533         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1534 
1535     split_key_sectors =
1536         qcrypto_block_luks_splitkeylen_sectors(luks,
1537                                                header_sectors,
1538                                                QCRYPTO_BLOCK_LUKS_STRIPES);
1539 
1540     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1541         QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
1542         slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1543 
1544         slot->key_offset_sector = header_sectors + i * split_key_sectors;
1545         slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
1546     }
1547 
1548     if (block->detached_header) {
1549         /*
1550          * For a detached LUKS header image, set the payload_offset_sector
1551          * to 0 to specify the starting point for read/write
1552          */
1553         luks->header.payload_offset_sector = 0;
1554     } else {
1555         /*
1556          * The total size of the LUKS headers is the partition header + key
1557          * slot headers, rounded up to the nearest sector, combined with
1558          * the size of each master key material region, also rounded up
1559          * to the nearest sector
1560          */
1561         luks->header.payload_offset_sector = header_sectors +
1562                 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
1563     }
1564 
1565     block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1566     block->payload_offset = luks->header.payload_offset_sector *
1567         block->sector_size;
1568     detached_header_size =
1569         (header_sectors + QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS *
1570          split_key_sectors) * block->sector_size;
1571 
1572     /* Reserve header space to match payload offset */
1573     initfunc(block, detached_header_size, opaque, &local_err);
1574     if (local_err) {
1575         error_propagate(errp, local_err);
1576         goto error;
1577     }
1578 
1579 
1580     /* populate the slot 0 with the password encrypted master key*/
1581     /* This will also store the header */
1582     if (qcrypto_block_luks_store_key(block,
1583                                      0,
1584                                      password,
1585                                      masterkey,
1586                                      luks_opts.iter_time,
1587                                      writefunc,
1588                                      opaque,
1589                                      errp) < 0) {
1590         goto error;
1591     }
1592 
1593     memset(masterkey, 0, luks->header.master_key_len);
1594 
1595     return 0;
1596 
1597  error:
1598     if (masterkey) {
1599         memset(masterkey, 0, luks->header.master_key_len);
1600     }
1601 
1602     qcrypto_block_free_cipher(block);
1603     qcrypto_ivgen_free(block->ivgen);
1604 
1605     g_free(luks->secret);
1606     g_free(luks);
1607     return -1;
1608 }
1609 
1610 static int
1611 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
1612                                      QCryptoBlockReadFunc readfunc,
1613                                      QCryptoBlockWriteFunc writefunc,
1614                                      void *opaque,
1615                                      QCryptoBlockAmendOptionsLUKS *opts_luks,
1616                                      bool force,
1617                                      Error **errp)
1618 {
1619     QCryptoBlockLUKS *luks = block->opaque;
1620     uint64_t iter_time = opts_luks->has_iter_time ?
1621                          opts_luks->iter_time :
1622                          QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1623     int keyslot;
1624     g_autofree char *old_password = NULL;
1625     g_autofree char *new_password = NULL;
1626     g_autofree uint8_t *master_key = NULL;
1627 
1628     char *secret = opts_luks->secret ?: luks->secret;
1629 
1630     if (!opts_luks->new_secret) {
1631         error_setg(errp, "'new-secret' is required to activate a keyslot");
1632         return -1;
1633     }
1634     if (opts_luks->old_secret) {
1635         error_setg(errp,
1636                    "'old-secret' must not be given when activating keyslots");
1637         return -1;
1638     }
1639 
1640     if (opts_luks->has_keyslot) {
1641         keyslot = opts_luks->keyslot;
1642         if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1643             error_setg(errp,
1644                        "Invalid keyslot %u specified, must be between 0 and %u",
1645                        keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1646             return -1;
1647         }
1648     } else {
1649         keyslot = qcrypto_block_luks_find_free_keyslot(luks);
1650         if (keyslot == -1) {
1651             error_setg(errp,
1652                        "Can't add a keyslot - all keyslots are in use");
1653             return -1;
1654         }
1655     }
1656 
1657     if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
1658         error_setg(errp,
1659                    "Refusing to overwrite active keyslot %i - "
1660                    "please erase it first",
1661                    keyslot);
1662         return -1;
1663     }
1664 
1665     /* Locate the password that will be used to retrieve the master key */
1666     old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
1667     if (!old_password) {
1668         return -1;
1669     }
1670 
1671     /* Retrieve the master key */
1672     master_key = g_new0(uint8_t, luks->header.master_key_len);
1673 
1674     if (qcrypto_block_luks_find_key(block, old_password, master_key,
1675                                     readfunc, opaque, errp) < 0) {
1676         error_append_hint(errp, "Failed to retrieve the master key");
1677         return -1;
1678     }
1679 
1680     /* Locate the new password*/
1681     new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
1682     if (!new_password) {
1683         return -1;
1684     }
1685 
1686     /* Now set the new keyslots */
1687     if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
1688                                      iter_time, writefunc, opaque, errp)) {
1689         error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
1690         return -1;
1691     }
1692     return 0;
1693 }
1694 
1695 static int
1696 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
1697                                         QCryptoBlockReadFunc readfunc,
1698                                         QCryptoBlockWriteFunc writefunc,
1699                                         void *opaque,
1700                                         QCryptoBlockAmendOptionsLUKS *opts_luks,
1701                                         bool force,
1702                                         Error **errp)
1703 {
1704     QCryptoBlockLUKS *luks = block->opaque;
1705     g_autofree uint8_t *tmpkey = NULL;
1706     g_autofree char *old_password = NULL;
1707 
1708     if (opts_luks->new_secret) {
1709         error_setg(errp,
1710                    "'new-secret' must not be given when erasing keyslots");
1711         return -1;
1712     }
1713     if (opts_luks->has_iter_time) {
1714         error_setg(errp,
1715                    "'iter-time' must not be given when erasing keyslots");
1716         return -1;
1717     }
1718     if (opts_luks->secret) {
1719         error_setg(errp,
1720                    "'secret' must not be given when erasing keyslots");
1721         return -1;
1722     }
1723 
1724     /* Load the old password if given */
1725     if (opts_luks->old_secret) {
1726         old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
1727                                                      errp);
1728         if (!old_password) {
1729             return -1;
1730         }
1731 
1732         /*
1733          * Allocate a temporary key buffer that we will need when
1734          * checking if slot matches the given old password
1735          */
1736         tmpkey = g_new0(uint8_t, luks->header.master_key_len);
1737     }
1738 
1739     /* Erase an explicitly given keyslot */
1740     if (opts_luks->has_keyslot) {
1741         int keyslot = opts_luks->keyslot;
1742 
1743         if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1744             error_setg(errp,
1745                        "Invalid keyslot %i specified, must be between 0 and %i",
1746                        keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1747             return -1;
1748         }
1749 
1750         if (opts_luks->old_secret) {
1751             int rv = qcrypto_block_luks_load_key(block,
1752                                                  keyslot,
1753                                                  old_password,
1754                                                  tmpkey,
1755                                                  readfunc,
1756                                                  opaque,
1757                                                  errp);
1758             if (rv == -1) {
1759                 return -1;
1760             } else if (rv == 0) {
1761                 error_setg(errp,
1762                            "Given keyslot %i doesn't contain the given "
1763                            "old password for erase operation",
1764                            keyslot);
1765                 return -1;
1766             }
1767         }
1768 
1769         if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
1770             error_setg(errp,
1771                        "Given keyslot %i is already erased (inactive) ",
1772                        keyslot);
1773             return -1;
1774         }
1775 
1776         if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
1777             error_setg(errp,
1778                        "Attempt to erase the only active keyslot %i "
1779                        "which will erase all the data in the image "
1780                        "irreversibly - refusing operation",
1781                        keyslot);
1782             return -1;
1783         }
1784 
1785         if (qcrypto_block_luks_erase_key(block, keyslot,
1786                                          writefunc, opaque, errp)) {
1787             error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
1788             return -1;
1789         }
1790 
1791     /* Erase all keyslots that match the given old password */
1792     } else if (opts_luks->old_secret) {
1793 
1794         unsigned long slots_to_erase_bitmap = 0;
1795         size_t i;
1796         int slot_count;
1797 
1798         assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
1799                sizeof(slots_to_erase_bitmap) * 8);
1800 
1801         for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1802             int rv = qcrypto_block_luks_load_key(block,
1803                                                  i,
1804                                                  old_password,
1805                                                  tmpkey,
1806                                                  readfunc,
1807                                                  opaque,
1808                                                  errp);
1809             if (rv == -1) {
1810                 return -1;
1811             } else if (rv == 1) {
1812                 bitmap_set(&slots_to_erase_bitmap, i, 1);
1813             }
1814         }
1815 
1816         slot_count = bitmap_count_one(&slots_to_erase_bitmap,
1817                                       QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1818         if (slot_count == 0) {
1819             error_setg(errp,
1820                        "No keyslots match given (old) password for erase operation");
1821             return -1;
1822         }
1823 
1824         if (!force &&
1825             slot_count == qcrypto_block_luks_count_active_slots(luks)) {
1826             error_setg(errp,
1827                        "All the active keyslots match the (old) password that "
1828                        "was given and erasing them will erase all the data in "
1829                        "the image irreversibly - refusing operation");
1830             return -1;
1831         }
1832 
1833         /* Now apply the update */
1834         for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1835             if (!test_bit(i, &slots_to_erase_bitmap)) {
1836                 continue;
1837             }
1838             if (qcrypto_block_luks_erase_key(block, i, writefunc,
1839                 opaque, errp)) {
1840                 error_append_hint(errp, "Failed to erase keyslot %zu", i);
1841                 return -1;
1842             }
1843         }
1844     } else {
1845         error_setg(errp,
1846                    "To erase keyslot(s), either explicit keyslot index "
1847                    "or the password currently contained in them must be given");
1848         return -1;
1849     }
1850     return 0;
1851 }
1852 
1853 static int
1854 qcrypto_block_luks_amend_options(QCryptoBlock *block,
1855                                  QCryptoBlockReadFunc readfunc,
1856                                  QCryptoBlockWriteFunc writefunc,
1857                                  void *opaque,
1858                                  QCryptoBlockAmendOptions *options,
1859                                  bool force,
1860                                  Error **errp)
1861 {
1862     QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
1863 
1864     switch (opts_luks->state) {
1865     case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE:
1866         return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
1867                                                     writefunc, opaque,
1868                                                     opts_luks, force, errp);
1869     case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE:
1870         return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
1871                                                        writefunc, opaque,
1872                                                        opts_luks, force, errp);
1873     default:
1874         g_assert_not_reached();
1875     }
1876 }
1877 
1878 static int qcrypto_block_luks_get_info(QCryptoBlock *block,
1879                                        QCryptoBlockInfo *info,
1880                                        Error **errp)
1881 {
1882     QCryptoBlockLUKS *luks = block->opaque;
1883     QCryptoBlockInfoLUKSSlot *slot;
1884     QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
1885     size_t i;
1886 
1887     info->u.luks.cipher_alg = luks->cipher_alg;
1888     info->u.luks.cipher_mode = luks->cipher_mode;
1889     info->u.luks.ivgen_alg = luks->ivgen_alg;
1890     if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1891         info->u.luks.has_ivgen_hash_alg = true;
1892         info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
1893     }
1894     info->u.luks.hash_alg = luks->hash_alg;
1895     info->u.luks.payload_offset = block->payload_offset;
1896     info->u.luks.master_key_iters = luks->header.master_key_iterations;
1897     info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
1898                                   sizeof(luks->header.uuid));
1899     info->u.luks.detached_header = block->detached_header;
1900 
1901     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1902         slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
1903         slot->active = luks->header.key_slots[i].active ==
1904             QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1905         slot->key_offset = luks->header.key_slots[i].key_offset_sector
1906              * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1907         if (slot->active) {
1908             slot->has_iters = true;
1909             slot->iters = luks->header.key_slots[i].iterations;
1910             slot->has_stripes = true;
1911             slot->stripes = luks->header.key_slots[i].stripes;
1912         }
1913 
1914         QAPI_LIST_APPEND(tail, slot);
1915     }
1916 
1917     return 0;
1918 }
1919 
1920 
1921 static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
1922 {
1923     QCryptoBlockLUKS *luks = block->opaque;
1924     if (luks) {
1925         g_free(luks->secret);
1926         g_free(luks);
1927     }
1928 }
1929 
1930 
1931 static int
1932 qcrypto_block_luks_decrypt(QCryptoBlock *block,
1933                            uint64_t offset,
1934                            uint8_t *buf,
1935                            size_t len,
1936                            Error **errp)
1937 {
1938     assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1939     assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1940     return qcrypto_block_decrypt_helper(block,
1941                                         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1942                                         offset, buf, len, errp);
1943 }
1944 
1945 
1946 static int
1947 qcrypto_block_luks_encrypt(QCryptoBlock *block,
1948                            uint64_t offset,
1949                            uint8_t *buf,
1950                            size_t len,
1951                            Error **errp)
1952 {
1953     assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1954     assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1955     return qcrypto_block_encrypt_helper(block,
1956                                         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1957                                         offset, buf, len, errp);
1958 }
1959 
1960 
1961 const QCryptoBlockDriver qcrypto_block_driver_luks = {
1962     .open = qcrypto_block_luks_open,
1963     .create = qcrypto_block_luks_create,
1964     .amend = qcrypto_block_luks_amend_options,
1965     .get_info = qcrypto_block_luks_get_info,
1966     .cleanup = qcrypto_block_luks_cleanup,
1967     .decrypt = qcrypto_block_luks_decrypt,
1968     .encrypt = qcrypto_block_luks_encrypt,
1969     .has_format = qcrypto_block_luks_has_format,
1970 };
1971