1 /* 2 * QEMU Crypto block device encryption LUKS format 3 * 4 * Copyright (c) 2015-2016 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #include "qemu/osdep.h" 22 #include "qapi/error.h" 23 #include "qemu/bswap.h" 24 25 #include "block-luks.h" 26 #include "block-luks-priv.h" 27 28 #include "crypto/hash.h" 29 #include "crypto/afsplit.h" 30 #include "crypto/pbkdf.h" 31 #include "crypto/secret.h" 32 #include "crypto/random.h" 33 #include "qemu/uuid.h" 34 35 #include "qemu/bitmap.h" 36 #include "qemu/range.h" 37 38 /* 39 * Reference for the LUKS format implemented here is 40 * 41 * docs/on-disk-format.pdf 42 * 43 * in 'cryptsetup' package source code 44 * 45 * This file implements the 1.2.1 specification, dated 46 * Oct 16, 2011. 47 */ 48 49 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; 50 51 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; 52 struct QCryptoBlockLUKSNameMap { 53 const char *name; 54 int id; 55 }; 56 57 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; 58 struct QCryptoBlockLUKSCipherSizeMap { 59 uint32_t key_bytes; 60 int id; 61 }; 62 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; 63 struct QCryptoBlockLUKSCipherNameMap { 64 const char *name; 65 const QCryptoBlockLUKSCipherSizeMap *sizes; 66 }; 67 68 69 static const QCryptoBlockLUKSCipherSizeMap 70 qcrypto_block_luks_cipher_size_map_aes[] = { 71 { 16, QCRYPTO_CIPHER_ALGO_AES_128 }, 72 { 24, QCRYPTO_CIPHER_ALGO_AES_192 }, 73 { 32, QCRYPTO_CIPHER_ALGO_AES_256 }, 74 { 0, 0 }, 75 }; 76 77 static const QCryptoBlockLUKSCipherSizeMap 78 qcrypto_block_luks_cipher_size_map_cast5[] = { 79 { 16, QCRYPTO_CIPHER_ALGO_CAST5_128 }, 80 { 0, 0 }, 81 }; 82 83 static const QCryptoBlockLUKSCipherSizeMap 84 qcrypto_block_luks_cipher_size_map_serpent[] = { 85 { 16, QCRYPTO_CIPHER_ALGO_SERPENT_128 }, 86 { 24, QCRYPTO_CIPHER_ALGO_SERPENT_192 }, 87 { 32, QCRYPTO_CIPHER_ALGO_SERPENT_256 }, 88 { 0, 0 }, 89 }; 90 91 static const QCryptoBlockLUKSCipherSizeMap 92 qcrypto_block_luks_cipher_size_map_twofish[] = { 93 { 16, QCRYPTO_CIPHER_ALGO_TWOFISH_128 }, 94 { 24, QCRYPTO_CIPHER_ALGO_TWOFISH_192 }, 95 { 32, QCRYPTO_CIPHER_ALGO_TWOFISH_256 }, 96 { 0, 0 }, 97 }; 98 99 #ifdef CONFIG_CRYPTO_SM4 100 static const QCryptoBlockLUKSCipherSizeMap 101 qcrypto_block_luks_cipher_size_map_sm4[] = { 102 { 16, QCRYPTO_CIPHER_ALGO_SM4}, 103 { 0, 0 }, 104 }; 105 #endif 106 107 static const QCryptoBlockLUKSCipherNameMap 108 qcrypto_block_luks_cipher_name_map[] = { 109 { "aes", qcrypto_block_luks_cipher_size_map_aes }, 110 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, 111 { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, 112 { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, 113 #ifdef CONFIG_CRYPTO_SM4 114 { "sm4", qcrypto_block_luks_cipher_size_map_sm4}, 115 #endif 116 }; 117 118 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); 119 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); 120 121 122 struct QCryptoBlockLUKS { 123 QCryptoBlockLUKSHeader header; 124 125 /* Main encryption algorithm used for encryption*/ 126 QCryptoCipherAlgo cipher_alg; 127 128 /* Mode of encryption for the selected encryption algorithm */ 129 QCryptoCipherMode cipher_mode; 130 131 /* Initialization vector generation algorithm */ 132 QCryptoIVGenAlgo ivgen_alg; 133 134 /* Hash algorithm used for IV generation*/ 135 QCryptoHashAlgo ivgen_hash_alg; 136 137 /* 138 * Encryption algorithm used for IV generation. 139 * Usually the same as main encryption algorithm 140 */ 141 QCryptoCipherAlgo ivgen_cipher_alg; 142 143 /* Hash algorithm used in pbkdf2 function */ 144 QCryptoHashAlgo hash_alg; 145 146 /* Name of the secret that was used to open the image */ 147 char *secret; 148 }; 149 150 151 static int qcrypto_block_luks_cipher_name_lookup(const char *name, 152 QCryptoCipherMode mode, 153 uint32_t key_bytes, 154 Error **errp) 155 { 156 const QCryptoBlockLUKSCipherNameMap *map = 157 qcrypto_block_luks_cipher_name_map; 158 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 159 size_t i, j; 160 161 if (mode == QCRYPTO_CIPHER_MODE_XTS) { 162 key_bytes /= 2; 163 } 164 165 for (i = 0; i < maplen; i++) { 166 if (!g_str_equal(map[i].name, name)) { 167 continue; 168 } 169 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 170 if (map[i].sizes[j].key_bytes == key_bytes) { 171 return map[i].sizes[j].id; 172 } 173 } 174 } 175 176 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported", 177 name, key_bytes); 178 return 0; 179 } 180 181 static const char * 182 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgo alg, 183 Error **errp) 184 { 185 const QCryptoBlockLUKSCipherNameMap *map = 186 qcrypto_block_luks_cipher_name_map; 187 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 188 size_t i, j; 189 for (i = 0; i < maplen; i++) { 190 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 191 if (map[i].sizes[j].id == alg) { 192 return map[i].name; 193 } 194 } 195 } 196 197 error_setg(errp, "Algorithm '%s' not supported", 198 QCryptoCipherAlgo_str(alg)); 199 return NULL; 200 } 201 202 /* XXX replace with qapi_enum_parse() in future, when we can 203 * make that function emit a more friendly error message */ 204 static int qcrypto_block_luks_name_lookup(const char *name, 205 const QEnumLookup *map, 206 const char *type, 207 Error **errp) 208 { 209 int ret = qapi_enum_parse(map, name, -1, NULL); 210 211 if (ret < 0) { 212 error_setg(errp, "%s '%s' not supported", type, name); 213 return 0; 214 } 215 return ret; 216 } 217 218 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ 219 qcrypto_block_luks_name_lookup(name, \ 220 &QCryptoCipherMode_lookup, \ 221 "Cipher mode", \ 222 errp) 223 224 #define qcrypto_block_luks_hash_name_lookup(name, errp) \ 225 qcrypto_block_luks_name_lookup(name, \ 226 &QCryptoHashAlgo_lookup, \ 227 "Hash algorithm", \ 228 errp) 229 230 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ 231 qcrypto_block_luks_name_lookup(name, \ 232 &QCryptoIVGenAlgo_lookup, \ 233 "IV generator", \ 234 errp) 235 236 237 static bool 238 qcrypto_block_luks_has_format(const uint8_t *buf, 239 size_t buf_size) 240 { 241 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; 242 243 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && 244 memcmp(luks_header->magic, qcrypto_block_luks_magic, 245 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && 246 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { 247 return true; 248 } else { 249 return false; 250 } 251 } 252 253 254 /** 255 * Deal with a quirk of dm-crypt usage of ESSIV. 256 * 257 * When calculating ESSIV IVs, the cipher length used by ESSIV 258 * may be different from the cipher length used for the block 259 * encryption, because dm-crypt uses the hash digest length 260 * as the key size. ie, if you have AES 128 as the block cipher 261 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as 262 * the cipher since that gets a key length matching the digest 263 * size, not AES 128 with truncated digest as might be imagined 264 */ 265 static QCryptoCipherAlgo 266 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgo cipher, 267 QCryptoHashAlgo hash, 268 Error **errp) 269 { 270 size_t digestlen = qcrypto_hash_digest_len(hash); 271 size_t keylen = qcrypto_cipher_get_key_len(cipher); 272 if (digestlen == keylen) { 273 return cipher; 274 } 275 276 switch (cipher) { 277 case QCRYPTO_CIPHER_ALGO_AES_128: 278 case QCRYPTO_CIPHER_ALGO_AES_192: 279 case QCRYPTO_CIPHER_ALGO_AES_256: 280 if (digestlen == qcrypto_cipher_get_key_len( 281 QCRYPTO_CIPHER_ALGO_AES_128)) { 282 return QCRYPTO_CIPHER_ALGO_AES_128; 283 } else if (digestlen == qcrypto_cipher_get_key_len( 284 QCRYPTO_CIPHER_ALGO_AES_192)) { 285 return QCRYPTO_CIPHER_ALGO_AES_192; 286 } else if (digestlen == qcrypto_cipher_get_key_len( 287 QCRYPTO_CIPHER_ALGO_AES_256)) { 288 return QCRYPTO_CIPHER_ALGO_AES_256; 289 } else { 290 error_setg(errp, "No AES cipher with key size %zu available", 291 digestlen); 292 return 0; 293 } 294 break; 295 case QCRYPTO_CIPHER_ALGO_SERPENT_128: 296 case QCRYPTO_CIPHER_ALGO_SERPENT_192: 297 case QCRYPTO_CIPHER_ALGO_SERPENT_256: 298 if (digestlen == qcrypto_cipher_get_key_len( 299 QCRYPTO_CIPHER_ALGO_SERPENT_128)) { 300 return QCRYPTO_CIPHER_ALGO_SERPENT_128; 301 } else if (digestlen == qcrypto_cipher_get_key_len( 302 QCRYPTO_CIPHER_ALGO_SERPENT_192)) { 303 return QCRYPTO_CIPHER_ALGO_SERPENT_192; 304 } else if (digestlen == qcrypto_cipher_get_key_len( 305 QCRYPTO_CIPHER_ALGO_SERPENT_256)) { 306 return QCRYPTO_CIPHER_ALGO_SERPENT_256; 307 } else { 308 error_setg(errp, "No Serpent cipher with key size %zu available", 309 digestlen); 310 return 0; 311 } 312 break; 313 case QCRYPTO_CIPHER_ALGO_TWOFISH_128: 314 case QCRYPTO_CIPHER_ALGO_TWOFISH_192: 315 case QCRYPTO_CIPHER_ALGO_TWOFISH_256: 316 if (digestlen == qcrypto_cipher_get_key_len( 317 QCRYPTO_CIPHER_ALGO_TWOFISH_128)) { 318 return QCRYPTO_CIPHER_ALGO_TWOFISH_128; 319 } else if (digestlen == qcrypto_cipher_get_key_len( 320 QCRYPTO_CIPHER_ALGO_TWOFISH_192)) { 321 return QCRYPTO_CIPHER_ALGO_TWOFISH_192; 322 } else if (digestlen == qcrypto_cipher_get_key_len( 323 QCRYPTO_CIPHER_ALGO_TWOFISH_256)) { 324 return QCRYPTO_CIPHER_ALGO_TWOFISH_256; 325 } else { 326 error_setg(errp, "No Twofish cipher with key size %zu available", 327 digestlen); 328 return 0; 329 } 330 break; 331 default: 332 error_setg(errp, "Cipher %s not supported with essiv", 333 QCryptoCipherAlgo_str(cipher)); 334 return 0; 335 } 336 } 337 338 /* 339 * Returns number of sectors needed to store the key material 340 * given number of anti forensic stripes 341 */ 342 static int 343 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks, 344 unsigned int header_sectors, 345 unsigned int stripes) 346 { 347 /* 348 * This calculation doesn't match that shown in the spec, 349 * but instead follows the cryptsetup implementation. 350 */ 351 352 size_t splitkeylen = luks->header.master_key_len * stripes; 353 354 /* First align the key material size to block size*/ 355 size_t splitkeylen_sectors = 356 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE); 357 358 /* Then also align the key material size to the size of the header */ 359 return ROUND_UP(splitkeylen_sectors, header_sectors); 360 } 361 362 363 void 364 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr) 365 { 366 size_t i; 367 368 /* 369 * Everything on disk uses Big Endian (tm), so flip header fields 370 * before writing them 371 */ 372 cpu_to_be16s(&hdr->version); 373 cpu_to_be32s(&hdr->payload_offset_sector); 374 cpu_to_be32s(&hdr->master_key_len); 375 cpu_to_be32s(&hdr->master_key_iterations); 376 377 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 378 cpu_to_be32s(&hdr->key_slots[i].active); 379 cpu_to_be32s(&hdr->key_slots[i].iterations); 380 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector); 381 cpu_to_be32s(&hdr->key_slots[i].stripes); 382 } 383 } 384 385 void 386 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr) 387 { 388 size_t i; 389 390 /* 391 * The header is always stored in big-endian format, so 392 * convert everything to native 393 */ 394 be16_to_cpus(&hdr->version); 395 be32_to_cpus(&hdr->payload_offset_sector); 396 be32_to_cpus(&hdr->master_key_len); 397 be32_to_cpus(&hdr->master_key_iterations); 398 399 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 400 be32_to_cpus(&hdr->key_slots[i].active); 401 be32_to_cpus(&hdr->key_slots[i].iterations); 402 be32_to_cpus(&hdr->key_slots[i].key_offset_sector); 403 be32_to_cpus(&hdr->key_slots[i].stripes); 404 } 405 } 406 407 /* 408 * Stores the main LUKS header, taking care of endianness 409 */ 410 static int 411 qcrypto_block_luks_store_header(QCryptoBlock *block, 412 QCryptoBlockWriteFunc writefunc, 413 void *opaque, 414 Error **errp) 415 { 416 const QCryptoBlockLUKS *luks = block->opaque; 417 Error *local_err = NULL; 418 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL; 419 420 /* Create a copy of the header */ 421 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1); 422 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader)); 423 424 qcrypto_block_luks_to_disk_endian(hdr_copy); 425 426 /* Write out the partition header and key slot headers */ 427 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy), 428 opaque, &local_err); 429 430 if (local_err) { 431 error_propagate(errp, local_err); 432 return -1; 433 } 434 return 0; 435 } 436 437 /* 438 * Loads the main LUKS header, and byteswaps it to native endianness 439 * And run basic sanity checks on it 440 */ 441 static int 442 qcrypto_block_luks_load_header(QCryptoBlock *block, 443 QCryptoBlockReadFunc readfunc, 444 void *opaque, 445 Error **errp) 446 { 447 int rv; 448 QCryptoBlockLUKS *luks = block->opaque; 449 450 /* 451 * Read the entire LUKS header, minus the key material from 452 * the underlying device 453 */ 454 rv = readfunc(block, 0, 455 (uint8_t *)&luks->header, 456 sizeof(luks->header), 457 opaque, 458 errp); 459 if (rv < 0) { 460 return rv; 461 } 462 463 qcrypto_block_luks_from_disk_endian(&luks->header); 464 465 return 0; 466 } 467 468 /* 469 * Does basic sanity checks on the LUKS header 470 */ 471 static int 472 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, 473 unsigned int flags, 474 Error **errp) 475 { 476 size_t i, j; 477 478 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 479 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 480 bool detached = flags & QCRYPTO_BLOCK_OPEN_DETACHED; 481 482 if (memcmp(luks->header.magic, qcrypto_block_luks_magic, 483 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { 484 error_setg(errp, "Volume is not in LUKS format"); 485 return -1; 486 } 487 488 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { 489 error_setg(errp, "LUKS version %" PRIu32 " is not supported", 490 luks->header.version); 491 return -1; 492 } 493 494 if (!memchr(luks->header.cipher_name, '\0', 495 sizeof(luks->header.cipher_name))) { 496 error_setg(errp, "LUKS header cipher name is not NUL terminated"); 497 return -1; 498 } 499 500 if (!memchr(luks->header.cipher_mode, '\0', 501 sizeof(luks->header.cipher_mode))) { 502 error_setg(errp, "LUKS header cipher mode is not NUL terminated"); 503 return -1; 504 } 505 506 if (!memchr(luks->header.hash_spec, '\0', 507 sizeof(luks->header.hash_spec))) { 508 error_setg(errp, "LUKS header hash spec is not NUL terminated"); 509 return -1; 510 } 511 512 if (!detached && luks->header.payload_offset_sector < 513 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 514 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 515 error_setg(errp, "LUKS payload is overlapping with the header"); 516 return -1; 517 } 518 519 if (luks->header.master_key_iterations == 0) { 520 error_setg(errp, "LUKS key iteration count is zero"); 521 return -1; 522 } 523 524 /* Check all keyslots for corruption */ 525 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) { 526 527 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i]; 528 unsigned int start1 = slot1->key_offset_sector; 529 unsigned int len1 = 530 qcrypto_block_luks_splitkeylen_sectors(luks, 531 header_sectors, 532 slot1->stripes); 533 534 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) { 535 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)", 536 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES); 537 return -1; 538 } 539 540 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED && 541 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 542 error_setg(errp, 543 "Keyslot %zu state (active/disable) is corrupted", i); 544 return -1; 545 } 546 547 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED && 548 slot1->iterations == 0) { 549 error_setg(errp, "Keyslot %zu iteration count is zero", i); 550 return -1; 551 } 552 553 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 554 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 555 error_setg(errp, 556 "Keyslot %zu is overlapping with the LUKS header", 557 i); 558 return -1; 559 } 560 561 if (!detached && start1 + len1 > luks->header.payload_offset_sector) { 562 error_setg(errp, 563 "Keyslot %zu is overlapping with the encrypted payload", 564 i); 565 return -1; 566 } 567 568 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) { 569 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j]; 570 unsigned int start2 = slot2->key_offset_sector; 571 unsigned int len2 = 572 qcrypto_block_luks_splitkeylen_sectors(luks, 573 header_sectors, 574 slot2->stripes); 575 576 if (ranges_overlap(start1, len1, start2, len2)) { 577 error_setg(errp, 578 "Keyslots %zu and %zu are overlapping in the header", 579 i, j); 580 return -1; 581 } 582 } 583 584 } 585 return 0; 586 } 587 588 /* 589 * Parses the crypto parameters that are stored in the LUKS header 590 */ 591 592 static int 593 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp) 594 { 595 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode); 596 char *ivgen_name, *ivhash_name; 597 Error *local_err = NULL; 598 599 /* 600 * The cipher_mode header contains a string that we have 601 * to further parse, of the format 602 * 603 * <cipher-mode>-<iv-generator>[:<iv-hash>] 604 * 605 * eg cbc-essiv:sha256, cbc-plain64 606 */ 607 ivgen_name = strchr(cipher_mode, '-'); 608 if (!ivgen_name) { 609 error_setg(errp, "Unexpected cipher mode string format '%s'", 610 luks->header.cipher_mode); 611 return -1; 612 } 613 *ivgen_name = '\0'; 614 ivgen_name++; 615 616 ivhash_name = strchr(ivgen_name, ':'); 617 if (!ivhash_name) { 618 luks->ivgen_hash_alg = 0; 619 } else { 620 *ivhash_name = '\0'; 621 ivhash_name++; 622 623 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name, 624 &local_err); 625 if (local_err) { 626 error_propagate(errp, local_err); 627 return -1; 628 } 629 } 630 631 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode, 632 &local_err); 633 if (local_err) { 634 error_propagate(errp, local_err); 635 return -1; 636 } 637 638 luks->cipher_alg = 639 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, 640 luks->cipher_mode, 641 luks->header.master_key_len, 642 &local_err); 643 if (local_err) { 644 error_propagate(errp, local_err); 645 return -1; 646 } 647 648 luks->hash_alg = 649 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, 650 &local_err); 651 if (local_err) { 652 error_propagate(errp, local_err); 653 return -1; 654 } 655 656 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, 657 &local_err); 658 if (local_err) { 659 error_propagate(errp, local_err); 660 return -1; 661 } 662 663 if (luks->ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) { 664 if (!ivhash_name) { 665 error_setg(errp, "Missing IV generator hash specification"); 666 return -1; 667 } 668 luks->ivgen_cipher_alg = 669 qcrypto_block_luks_essiv_cipher(luks->cipher_alg, 670 luks->ivgen_hash_alg, 671 &local_err); 672 if (local_err) { 673 error_propagate(errp, local_err); 674 return -1; 675 } 676 } else { 677 678 /* 679 * Note we parsed the ivhash_name earlier in the cipher_mode 680 * spec string even with plain/plain64 ivgens, but we 681 * will ignore it, since it is irrelevant for these ivgens. 682 * This is for compat with dm-crypt which will silently 683 * ignore hash names with these ivgens rather than report 684 * an error about the invalid usage 685 */ 686 luks->ivgen_cipher_alg = luks->cipher_alg; 687 } 688 return 0; 689 } 690 691 /* 692 * Given a key slot, user password, and the master key, 693 * will store the encrypted master key there, and update the 694 * in-memory header. User must then write the in-memory header 695 * 696 * Returns: 697 * 0 if the keyslot was written successfully 698 * with the provided password 699 * -1 if a fatal error occurred while storing the key 700 */ 701 static int 702 qcrypto_block_luks_store_key(QCryptoBlock *block, 703 unsigned int slot_idx, 704 const char *password, 705 uint8_t *masterkey, 706 uint64_t iter_time, 707 QCryptoBlockWriteFunc writefunc, 708 void *opaque, 709 Error **errp) 710 { 711 QCryptoBlockLUKS *luks = block->opaque; 712 QCryptoBlockLUKSKeySlot *slot; 713 g_autofree uint8_t *splitkey = NULL; 714 size_t splitkeylen; 715 g_autofree uint8_t *slotkey = NULL; 716 g_autoptr(QCryptoCipher) cipher = NULL; 717 g_autoptr(QCryptoIVGen) ivgen = NULL; 718 Error *local_err = NULL; 719 uint64_t iters; 720 int ret = -1; 721 722 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 723 slot = &luks->header.key_slots[slot_idx]; 724 splitkeylen = luks->header.master_key_len * slot->stripes; 725 726 if (qcrypto_random_bytes(slot->salt, 727 QCRYPTO_BLOCK_LUKS_SALT_LEN, 728 errp) < 0) { 729 goto cleanup; 730 } 731 732 /* 733 * Determine how many iterations are required to 734 * hash the user password while consuming 1 second of compute 735 * time 736 */ 737 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg, 738 (uint8_t *)password, strlen(password), 739 slot->salt, 740 QCRYPTO_BLOCK_LUKS_SALT_LEN, 741 luks->header.master_key_len, 742 &local_err); 743 if (local_err) { 744 error_propagate(errp, local_err); 745 goto cleanup; 746 } 747 748 if (iters > (ULLONG_MAX / iter_time)) { 749 error_setg_errno(errp, ERANGE, 750 "PBKDF iterations %llu too large to scale", 751 (unsigned long long)iters); 752 goto cleanup; 753 } 754 755 /* iter_time was in millis, but count_iters reported for secs */ 756 iters = iters * iter_time / 1000; 757 758 if (iters > UINT32_MAX) { 759 error_setg_errno(errp, ERANGE, 760 "PBKDF iterations %llu larger than %u", 761 (unsigned long long)iters, UINT32_MAX); 762 goto cleanup; 763 } 764 765 slot->iterations = 766 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); 767 768 769 /* 770 * Generate a key that we'll use to encrypt the master 771 * key, from the user's password 772 */ 773 slotkey = g_new0(uint8_t, luks->header.master_key_len); 774 if (qcrypto_pbkdf2(luks->hash_alg, 775 (uint8_t *)password, strlen(password), 776 slot->salt, 777 QCRYPTO_BLOCK_LUKS_SALT_LEN, 778 slot->iterations, 779 slotkey, luks->header.master_key_len, 780 errp) < 0) { 781 goto cleanup; 782 } 783 784 785 /* 786 * Setup the encryption objects needed to encrypt the 787 * master key material 788 */ 789 cipher = qcrypto_cipher_new(luks->cipher_alg, 790 luks->cipher_mode, 791 slotkey, luks->header.master_key_len, 792 errp); 793 if (!cipher) { 794 goto cleanup; 795 } 796 797 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 798 luks->ivgen_cipher_alg, 799 luks->ivgen_hash_alg, 800 slotkey, luks->header.master_key_len, 801 errp); 802 if (!ivgen) { 803 goto cleanup; 804 } 805 806 /* 807 * Before storing the master key, we need to vastly 808 * increase its size, as protection against forensic 809 * disk data recovery 810 */ 811 splitkey = g_new0(uint8_t, splitkeylen); 812 813 if (qcrypto_afsplit_encode(luks->hash_alg, 814 luks->header.master_key_len, 815 slot->stripes, 816 masterkey, 817 splitkey, 818 errp) < 0) { 819 goto cleanup; 820 } 821 822 /* 823 * Now we encrypt the split master key with the key generated 824 * from the user's password, before storing it 825 */ 826 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen, 827 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 828 0, 829 splitkey, 830 splitkeylen, 831 errp) < 0) { 832 goto cleanup; 833 } 834 835 /* Write out the slot's master key material. */ 836 if (writefunc(block, 837 slot->key_offset_sector * 838 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 839 splitkey, splitkeylen, 840 opaque, 841 errp) < 0) { 842 goto cleanup; 843 } 844 845 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 846 847 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) { 848 goto cleanup; 849 } 850 851 ret = 0; 852 853 cleanup: 854 if (slotkey) { 855 memset(slotkey, 0, luks->header.master_key_len); 856 } 857 if (splitkey) { 858 memset(splitkey, 0, splitkeylen); 859 } 860 return ret; 861 } 862 863 /* 864 * Given a key slot, and user password, this will attempt to unlock 865 * the master encryption key from the key slot. 866 * 867 * Returns: 868 * 0 if the key slot is disabled, or key could not be decrypted 869 * with the provided password 870 * 1 if the key slot is enabled, and key decrypted successfully 871 * with the provided password 872 * -1 if a fatal error occurred loading the key 873 */ 874 static int 875 qcrypto_block_luks_load_key(QCryptoBlock *block, 876 size_t slot_idx, 877 const char *password, 878 uint8_t *masterkey, 879 QCryptoBlockReadFunc readfunc, 880 void *opaque, 881 Error **errp) 882 { 883 QCryptoBlockLUKS *luks = block->opaque; 884 const QCryptoBlockLUKSKeySlot *slot; 885 g_autofree uint8_t *splitkey = NULL; 886 size_t splitkeylen; 887 g_autofree uint8_t *possiblekey = NULL; 888 int rv; 889 g_autoptr(QCryptoCipher) cipher = NULL; 890 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; 891 g_autoptr(QCryptoIVGen) ivgen = NULL; 892 size_t niv; 893 894 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 895 slot = &luks->header.key_slots[slot_idx]; 896 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 897 return 0; 898 } 899 900 splitkeylen = luks->header.master_key_len * slot->stripes; 901 splitkey = g_new0(uint8_t, splitkeylen); 902 possiblekey = g_new0(uint8_t, luks->header.master_key_len); 903 904 /* 905 * The user password is used to generate a (possible) 906 * decryption key. This may or may not successfully 907 * decrypt the master key - we just blindly assume 908 * the key is correct and validate the results of 909 * decryption later. 910 */ 911 if (qcrypto_pbkdf2(luks->hash_alg, 912 (const uint8_t *)password, strlen(password), 913 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, 914 slot->iterations, 915 possiblekey, luks->header.master_key_len, 916 errp) < 0) { 917 return -1; 918 } 919 920 /* 921 * We need to read the master key material from the 922 * LUKS key material header. What we're reading is 923 * not the raw master key, but rather the data after 924 * it has been passed through AFSplit and the result 925 * then encrypted. 926 */ 927 rv = readfunc(block, 928 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 929 splitkey, splitkeylen, 930 opaque, 931 errp); 932 if (rv < 0) { 933 return -1; 934 } 935 936 937 /* Setup the cipher/ivgen that we'll use to try to decrypt 938 * the split master key material */ 939 cipher = qcrypto_cipher_new(luks->cipher_alg, 940 luks->cipher_mode, 941 possiblekey, 942 luks->header.master_key_len, 943 errp); 944 if (!cipher) { 945 return -1; 946 } 947 948 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 949 luks->cipher_mode); 950 951 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 952 luks->ivgen_cipher_alg, 953 luks->ivgen_hash_alg, 954 possiblekey, 955 luks->header.master_key_len, 956 errp); 957 if (!ivgen) { 958 return -1; 959 } 960 961 962 /* 963 * The master key needs to be decrypted in the same 964 * way that the block device payload will be decrypted 965 * later. In particular we'll be using the IV generator 966 * to reset the encryption cipher every time the master 967 * key crosses a sector boundary. 968 */ 969 if (qcrypto_block_cipher_decrypt_helper(cipher, 970 niv, 971 ivgen, 972 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 973 0, 974 splitkey, 975 splitkeylen, 976 errp) < 0) { 977 return -1; 978 } 979 980 /* 981 * Now we've decrypted the split master key, join 982 * it back together to get the actual master key. 983 */ 984 if (qcrypto_afsplit_decode(luks->hash_alg, 985 luks->header.master_key_len, 986 slot->stripes, 987 splitkey, 988 masterkey, 989 errp) < 0) { 990 return -1; 991 } 992 993 994 /* 995 * We still don't know that the masterkey we got is valid, 996 * because we just blindly assumed the user's password 997 * was correct. This is where we now verify it. We are 998 * creating a hash of the master key using PBKDF and 999 * then comparing that to the hash stored in the key slot 1000 * header 1001 */ 1002 if (qcrypto_pbkdf2(luks->hash_alg, 1003 masterkey, 1004 luks->header.master_key_len, 1005 luks->header.master_key_salt, 1006 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1007 luks->header.master_key_iterations, 1008 keydigest, 1009 G_N_ELEMENTS(keydigest), 1010 errp) < 0) { 1011 return -1; 1012 } 1013 1014 if (memcmp(keydigest, luks->header.master_key_digest, 1015 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { 1016 /* Success, we got the right master key */ 1017 return 1; 1018 } 1019 1020 /* Fail, user's password was not valid for this key slot, 1021 * tell caller to try another slot */ 1022 return 0; 1023 } 1024 1025 1026 /* 1027 * Given a user password, this will iterate over all key 1028 * slots and try to unlock each active key slot using the 1029 * password until it successfully obtains a master key. 1030 * 1031 * Returns 0 if a key was loaded, -1 if no keys could be loaded 1032 */ 1033 static int 1034 qcrypto_block_luks_find_key(QCryptoBlock *block, 1035 const char *password, 1036 uint8_t *masterkey, 1037 QCryptoBlockReadFunc readfunc, 1038 void *opaque, 1039 Error **errp) 1040 { 1041 size_t i; 1042 int rv; 1043 1044 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1045 rv = qcrypto_block_luks_load_key(block, 1046 i, 1047 password, 1048 masterkey, 1049 readfunc, 1050 opaque, 1051 errp); 1052 if (rv < 0) { 1053 goto error; 1054 } 1055 if (rv == 1) { 1056 return 0; 1057 } 1058 } 1059 1060 error_setg(errp, "Invalid password, cannot unlock any keyslot"); 1061 error: 1062 return -1; 1063 } 1064 1065 /* 1066 * Returns true if a slot i is marked as active 1067 * (contains encrypted copy of the master key) 1068 */ 1069 static bool 1070 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks, 1071 unsigned int slot_idx) 1072 { 1073 uint32_t val; 1074 1075 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1076 val = luks->header.key_slots[slot_idx].active; 1077 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1078 } 1079 1080 /* 1081 * Returns the number of slots that are marked as active 1082 * (slots that contain encrypted copy of the master key) 1083 */ 1084 static unsigned int 1085 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks) 1086 { 1087 size_t i = 0; 1088 unsigned int ret = 0; 1089 1090 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1091 if (qcrypto_block_luks_slot_active(luks, i)) { 1092 ret++; 1093 } 1094 } 1095 return ret; 1096 } 1097 1098 /* 1099 * Finds first key slot which is not active 1100 * Returns the key slot index, or -1 if it doesn't exist 1101 */ 1102 static int 1103 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks) 1104 { 1105 size_t i; 1106 1107 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1108 if (!qcrypto_block_luks_slot_active(luks, i)) { 1109 return i; 1110 } 1111 } 1112 return -1; 1113 } 1114 1115 /* 1116 * Erases an keyslot given its index 1117 * Returns: 1118 * 0 if the keyslot was erased successfully 1119 * -1 if a error occurred while erasing the keyslot 1120 * 1121 */ 1122 static int 1123 qcrypto_block_luks_erase_key(QCryptoBlock *block, 1124 unsigned int slot_idx, 1125 QCryptoBlockWriteFunc writefunc, 1126 void *opaque, 1127 Error **errp) 1128 { 1129 QCryptoBlockLUKS *luks = block->opaque; 1130 QCryptoBlockLUKSKeySlot *slot; 1131 g_autofree uint8_t *garbagesplitkey = NULL; 1132 size_t splitkeylen; 1133 size_t i; 1134 Error *local_err = NULL; 1135 int ret; 1136 1137 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1138 slot = &luks->header.key_slots[slot_idx]; 1139 1140 splitkeylen = luks->header.master_key_len * slot->stripes; 1141 assert(splitkeylen > 0); 1142 1143 garbagesplitkey = g_new0(uint8_t, splitkeylen); 1144 1145 /* Reset the key slot header */ 1146 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN); 1147 slot->iterations = 0; 1148 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1149 1150 ret = qcrypto_block_luks_store_header(block, writefunc, 1151 opaque, &local_err); 1152 1153 if (ret < 0) { 1154 error_propagate(errp, local_err); 1155 } 1156 /* 1157 * Now try to erase the key material, even if the header 1158 * update failed 1159 */ 1160 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) { 1161 if (qcrypto_random_bytes(garbagesplitkey, 1162 splitkeylen, &local_err) < 0) { 1163 /* 1164 * If we failed to get the random data, still write 1165 * at least zeros to the key slot at least once 1166 */ 1167 error_propagate(errp, local_err); 1168 1169 if (i > 0) { 1170 return -1; 1171 } 1172 } 1173 if (writefunc(block, 1174 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1175 garbagesplitkey, 1176 splitkeylen, 1177 opaque, 1178 &local_err) < 0) { 1179 error_propagate(errp, local_err); 1180 return -1; 1181 } 1182 } 1183 return ret; 1184 } 1185 1186 static int 1187 qcrypto_block_luks_open(QCryptoBlock *block, 1188 QCryptoBlockOpenOptions *options, 1189 const char *optprefix, 1190 QCryptoBlockReadFunc readfunc, 1191 void *opaque, 1192 unsigned int flags, 1193 Error **errp) 1194 { 1195 QCryptoBlockLUKS *luks = NULL; 1196 g_autofree uint8_t *masterkey = NULL; 1197 g_autofree char *password = NULL; 1198 1199 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1200 if (!options->u.luks.key_secret) { 1201 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1202 optprefix ? optprefix : ""); 1203 return -1; 1204 } 1205 password = qcrypto_secret_lookup_as_utf8( 1206 options->u.luks.key_secret, errp); 1207 if (!password) { 1208 return -1; 1209 } 1210 } 1211 1212 luks = g_new0(QCryptoBlockLUKS, 1); 1213 block->opaque = luks; 1214 luks->secret = g_strdup(options->u.luks.key_secret); 1215 1216 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) { 1217 goto fail; 1218 } 1219 1220 if (qcrypto_block_luks_check_header(luks, flags, errp) < 0) { 1221 goto fail; 1222 } 1223 1224 if (qcrypto_block_luks_parse_header(luks, errp) < 0) { 1225 goto fail; 1226 } 1227 1228 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1229 /* Try to find which key slot our password is valid for 1230 * and unlock the master key from that slot. 1231 */ 1232 1233 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1234 1235 if (qcrypto_block_luks_find_key(block, 1236 password, 1237 masterkey, 1238 readfunc, opaque, 1239 errp) < 0) { 1240 goto fail; 1241 } 1242 1243 /* We have a valid master key now, so can setup the 1244 * block device payload decryption objects 1245 */ 1246 block->kdfhash = luks->hash_alg; 1247 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 1248 luks->cipher_mode); 1249 1250 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 1251 luks->ivgen_cipher_alg, 1252 luks->ivgen_hash_alg, 1253 masterkey, 1254 luks->header.master_key_len, 1255 errp); 1256 if (!block->ivgen) { 1257 goto fail; 1258 } 1259 1260 if (qcrypto_block_init_cipher(block, 1261 luks->cipher_alg, 1262 luks->cipher_mode, 1263 masterkey, 1264 luks->header.master_key_len, 1265 errp) < 0) { 1266 goto fail; 1267 } 1268 } 1269 1270 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1271 block->payload_offset = luks->header.payload_offset_sector * 1272 block->sector_size; 1273 block->detached_header = (block->payload_offset == 0) ? true : false; 1274 1275 return 0; 1276 1277 fail: 1278 qcrypto_block_free_cipher(block); 1279 qcrypto_ivgen_free(block->ivgen); 1280 g_free(luks->secret); 1281 g_free(luks); 1282 return -1; 1283 } 1284 1285 1286 static void 1287 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr) 1288 { 1289 QemuUUID uuid; 1290 qemu_uuid_generate(&uuid); 1291 qemu_uuid_unparse(&uuid, (char *)uuidstr); 1292 } 1293 1294 static int 1295 qcrypto_block_luks_create(QCryptoBlock *block, 1296 QCryptoBlockCreateOptions *options, 1297 const char *optprefix, 1298 QCryptoBlockInitFunc initfunc, 1299 QCryptoBlockWriteFunc writefunc, 1300 void *opaque, 1301 Error **errp) 1302 { 1303 QCryptoBlockLUKS *luks; 1304 QCryptoBlockCreateOptionsLUKS luks_opts; 1305 Error *local_err = NULL; 1306 g_autofree uint8_t *masterkey = NULL; 1307 size_t header_sectors; 1308 size_t split_key_sectors; 1309 size_t i; 1310 g_autofree char *password = NULL; 1311 const char *cipher_alg; 1312 const char *cipher_mode; 1313 const char *ivgen_alg; 1314 const char *ivgen_hash_alg = NULL; 1315 const char *hash_alg; 1316 g_autofree char *cipher_mode_spec = NULL; 1317 uint64_t iters; 1318 uint64_t detached_header_size; 1319 1320 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); 1321 if (!luks_opts.has_iter_time) { 1322 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1323 } 1324 if (!luks_opts.has_cipher_alg) { 1325 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALGO_AES_256; 1326 } 1327 if (!luks_opts.has_cipher_mode) { 1328 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; 1329 } 1330 if (!luks_opts.has_ivgen_alg) { 1331 luks_opts.ivgen_alg = QCRYPTO_IV_GEN_ALGO_PLAIN64; 1332 } 1333 if (!luks_opts.has_hash_alg) { 1334 luks_opts.hash_alg = QCRYPTO_HASH_ALGO_SHA256; 1335 } 1336 if (luks_opts.ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) { 1337 if (!luks_opts.has_ivgen_hash_alg) { 1338 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALGO_SHA256; 1339 luks_opts.has_ivgen_hash_alg = true; 1340 } 1341 } 1342 1343 luks = g_new0(QCryptoBlockLUKS, 1); 1344 block->opaque = luks; 1345 1346 luks->cipher_alg = luks_opts.cipher_alg; 1347 luks->cipher_mode = luks_opts.cipher_mode; 1348 luks->ivgen_alg = luks_opts.ivgen_alg; 1349 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; 1350 luks->hash_alg = luks_opts.hash_alg; 1351 1352 1353 /* Note we're allowing ivgen_hash_alg to be set even for 1354 * non-essiv iv generators that don't need a hash. It will 1355 * be silently ignored, for compatibility with dm-crypt */ 1356 1357 if (!options->u.luks.key_secret) { 1358 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1359 optprefix ? optprefix : ""); 1360 goto error; 1361 } 1362 luks->secret = g_strdup(options->u.luks.key_secret); 1363 1364 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); 1365 if (!password) { 1366 goto error; 1367 } 1368 1369 1370 memcpy(luks->header.magic, qcrypto_block_luks_magic, 1371 QCRYPTO_BLOCK_LUKS_MAGIC_LEN); 1372 1373 /* We populate the header in native endianness initially and 1374 * then convert everything to big endian just before writing 1375 * it out to disk 1376 */ 1377 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; 1378 qcrypto_block_luks_uuid_gen(luks->header.uuid); 1379 1380 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, 1381 errp); 1382 if (!cipher_alg) { 1383 goto error; 1384 } 1385 1386 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode); 1387 ivgen_alg = QCryptoIVGenAlgo_str(luks_opts.ivgen_alg); 1388 if (luks_opts.has_ivgen_hash_alg) { 1389 ivgen_hash_alg = QCryptoHashAlgo_str(luks_opts.ivgen_hash_alg); 1390 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, 1391 ivgen_hash_alg); 1392 } else { 1393 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); 1394 } 1395 hash_alg = QCryptoHashAlgo_str(luks_opts.hash_alg); 1396 1397 1398 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { 1399 error_setg(errp, "Cipher name '%s' is too long for LUKS header", 1400 cipher_alg); 1401 goto error; 1402 } 1403 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { 1404 error_setg(errp, "Cipher mode '%s' is too long for LUKS header", 1405 cipher_mode_spec); 1406 goto error; 1407 } 1408 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { 1409 error_setg(errp, "Hash name '%s' is too long for LUKS header", 1410 hash_alg); 1411 goto error; 1412 } 1413 1414 if (luks_opts.ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) { 1415 luks->ivgen_cipher_alg = 1416 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, 1417 luks_opts.ivgen_hash_alg, 1418 &local_err); 1419 if (local_err) { 1420 error_propagate(errp, local_err); 1421 goto error; 1422 } 1423 } else { 1424 luks->ivgen_cipher_alg = luks_opts.cipher_alg; 1425 } 1426 1427 strcpy(luks->header.cipher_name, cipher_alg); 1428 strcpy(luks->header.cipher_mode, cipher_mode_spec); 1429 strcpy(luks->header.hash_spec, hash_alg); 1430 1431 luks->header.master_key_len = 1432 qcrypto_cipher_get_key_len(luks_opts.cipher_alg); 1433 1434 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { 1435 luks->header.master_key_len *= 2; 1436 } 1437 1438 /* Generate the salt used for hashing the master key 1439 * with PBKDF later 1440 */ 1441 if (qcrypto_random_bytes(luks->header.master_key_salt, 1442 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1443 errp) < 0) { 1444 goto error; 1445 } 1446 1447 /* Generate random master key */ 1448 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1449 if (qcrypto_random_bytes(masterkey, 1450 luks->header.master_key_len, errp) < 0) { 1451 goto error; 1452 } 1453 1454 1455 /* Setup the block device payload encryption objects */ 1456 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg, 1457 luks_opts.cipher_mode, masterkey, 1458 luks->header.master_key_len, errp) < 0) { 1459 goto error; 1460 } 1461 1462 block->kdfhash = luks_opts.hash_alg; 1463 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, 1464 luks_opts.cipher_mode); 1465 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, 1466 luks->ivgen_cipher_alg, 1467 luks_opts.ivgen_hash_alg, 1468 masterkey, luks->header.master_key_len, 1469 errp); 1470 1471 if (!block->ivgen) { 1472 goto error; 1473 } 1474 1475 1476 /* Determine how many iterations we need to hash the master 1477 * key, in order to have 1 second of compute time used 1478 */ 1479 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, 1480 masterkey, luks->header.master_key_len, 1481 luks->header.master_key_salt, 1482 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1483 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1484 &local_err); 1485 if (local_err) { 1486 error_propagate(errp, local_err); 1487 goto error; 1488 } 1489 1490 if (iters > (ULLONG_MAX / luks_opts.iter_time)) { 1491 error_setg_errno(errp, ERANGE, 1492 "PBKDF iterations %llu too large to scale", 1493 (unsigned long long)iters); 1494 goto error; 1495 } 1496 1497 /* iter_time was in millis, but count_iters reported for secs */ 1498 iters = iters * luks_opts.iter_time / 1000; 1499 1500 /* Why /= 8 ? That matches cryptsetup, but there's no 1501 * explanation why they chose /= 8... Probably so that 1502 * if all 8 keyslots are active we only spend 1 second 1503 * in total time to check all keys */ 1504 iters /= 8; 1505 if (iters > UINT32_MAX) { 1506 error_setg_errno(errp, ERANGE, 1507 "PBKDF iterations %llu larger than %u", 1508 (unsigned long long)iters, UINT32_MAX); 1509 goto error; 1510 } 1511 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); 1512 luks->header.master_key_iterations = iters; 1513 1514 /* Hash the master key, saving the result in the LUKS 1515 * header. This hash is used when opening the encrypted 1516 * device to verify that the user password unlocked a 1517 * valid master key 1518 */ 1519 if (qcrypto_pbkdf2(luks_opts.hash_alg, 1520 masterkey, luks->header.master_key_len, 1521 luks->header.master_key_salt, 1522 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1523 luks->header.master_key_iterations, 1524 luks->header.master_key_digest, 1525 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1526 errp) < 0) { 1527 goto error; 1528 } 1529 1530 /* start with the sector that follows the header*/ 1531 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 1532 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1533 1534 split_key_sectors = 1535 qcrypto_block_luks_splitkeylen_sectors(luks, 1536 header_sectors, 1537 QCRYPTO_BLOCK_LUKS_STRIPES); 1538 1539 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1540 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i]; 1541 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1542 1543 slot->key_offset_sector = header_sectors + i * split_key_sectors; 1544 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES; 1545 } 1546 1547 if (block->detached_header) { 1548 /* 1549 * For a detached LUKS header image, set the payload_offset_sector 1550 * to 0 to specify the starting point for read/write 1551 */ 1552 luks->header.payload_offset_sector = 0; 1553 } else { 1554 /* 1555 * The total size of the LUKS headers is the partition header + key 1556 * slot headers, rounded up to the nearest sector, combined with 1557 * the size of each master key material region, also rounded up 1558 * to the nearest sector 1559 */ 1560 luks->header.payload_offset_sector = header_sectors + 1561 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors; 1562 } 1563 1564 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1565 block->payload_offset = luks->header.payload_offset_sector * 1566 block->sector_size; 1567 detached_header_size = 1568 (header_sectors + QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * 1569 split_key_sectors) * block->sector_size; 1570 1571 /* Reserve header space to match payload offset */ 1572 initfunc(block, detached_header_size, opaque, &local_err); 1573 if (local_err) { 1574 error_propagate(errp, local_err); 1575 goto error; 1576 } 1577 1578 1579 /* populate the slot 0 with the password encrypted master key*/ 1580 /* This will also store the header */ 1581 if (qcrypto_block_luks_store_key(block, 1582 0, 1583 password, 1584 masterkey, 1585 luks_opts.iter_time, 1586 writefunc, 1587 opaque, 1588 errp) < 0) { 1589 goto error; 1590 } 1591 1592 memset(masterkey, 0, luks->header.master_key_len); 1593 1594 return 0; 1595 1596 error: 1597 if (masterkey) { 1598 memset(masterkey, 0, luks->header.master_key_len); 1599 } 1600 1601 qcrypto_block_free_cipher(block); 1602 qcrypto_ivgen_free(block->ivgen); 1603 1604 g_free(luks->secret); 1605 g_free(luks); 1606 return -1; 1607 } 1608 1609 static int 1610 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block, 1611 QCryptoBlockReadFunc readfunc, 1612 QCryptoBlockWriteFunc writefunc, 1613 void *opaque, 1614 QCryptoBlockAmendOptionsLUKS *opts_luks, 1615 bool force, 1616 Error **errp) 1617 { 1618 QCryptoBlockLUKS *luks = block->opaque; 1619 uint64_t iter_time = opts_luks->has_iter_time ? 1620 opts_luks->iter_time : 1621 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1622 int keyslot; 1623 g_autofree char *old_password = NULL; 1624 g_autofree char *new_password = NULL; 1625 g_autofree uint8_t *master_key = NULL; 1626 1627 char *secret = opts_luks->secret ?: luks->secret; 1628 1629 if (!opts_luks->new_secret) { 1630 error_setg(errp, "'new-secret' is required to activate a keyslot"); 1631 return -1; 1632 } 1633 if (opts_luks->old_secret) { 1634 error_setg(errp, 1635 "'old-secret' must not be given when activating keyslots"); 1636 return -1; 1637 } 1638 1639 if (opts_luks->has_keyslot) { 1640 keyslot = opts_luks->keyslot; 1641 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1642 error_setg(errp, 1643 "Invalid keyslot %u specified, must be between 0 and %u", 1644 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1645 return -1; 1646 } 1647 } else { 1648 keyslot = qcrypto_block_luks_find_free_keyslot(luks); 1649 if (keyslot == -1) { 1650 error_setg(errp, 1651 "Can't add a keyslot - all keyslots are in use"); 1652 return -1; 1653 } 1654 } 1655 1656 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) { 1657 error_setg(errp, 1658 "Refusing to overwrite active keyslot %i - " 1659 "please erase it first", 1660 keyslot); 1661 return -1; 1662 } 1663 1664 /* Locate the password that will be used to retrieve the master key */ 1665 old_password = qcrypto_secret_lookup_as_utf8(secret, errp); 1666 if (!old_password) { 1667 return -1; 1668 } 1669 1670 /* Retrieve the master key */ 1671 master_key = g_new0(uint8_t, luks->header.master_key_len); 1672 1673 if (qcrypto_block_luks_find_key(block, old_password, master_key, 1674 readfunc, opaque, errp) < 0) { 1675 error_append_hint(errp, "Failed to retrieve the master key"); 1676 return -1; 1677 } 1678 1679 /* Locate the new password*/ 1680 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp); 1681 if (!new_password) { 1682 return -1; 1683 } 1684 1685 /* Now set the new keyslots */ 1686 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key, 1687 iter_time, writefunc, opaque, errp)) { 1688 error_append_hint(errp, "Failed to write to keyslot %i", keyslot); 1689 return -1; 1690 } 1691 return 0; 1692 } 1693 1694 static int 1695 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block, 1696 QCryptoBlockReadFunc readfunc, 1697 QCryptoBlockWriteFunc writefunc, 1698 void *opaque, 1699 QCryptoBlockAmendOptionsLUKS *opts_luks, 1700 bool force, 1701 Error **errp) 1702 { 1703 QCryptoBlockLUKS *luks = block->opaque; 1704 g_autofree uint8_t *tmpkey = NULL; 1705 g_autofree char *old_password = NULL; 1706 1707 if (opts_luks->new_secret) { 1708 error_setg(errp, 1709 "'new-secret' must not be given when erasing keyslots"); 1710 return -1; 1711 } 1712 if (opts_luks->has_iter_time) { 1713 error_setg(errp, 1714 "'iter-time' must not be given when erasing keyslots"); 1715 return -1; 1716 } 1717 if (opts_luks->secret) { 1718 error_setg(errp, 1719 "'secret' must not be given when erasing keyslots"); 1720 return -1; 1721 } 1722 1723 /* Load the old password if given */ 1724 if (opts_luks->old_secret) { 1725 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret, 1726 errp); 1727 if (!old_password) { 1728 return -1; 1729 } 1730 1731 /* 1732 * Allocate a temporary key buffer that we will need when 1733 * checking if slot matches the given old password 1734 */ 1735 tmpkey = g_new0(uint8_t, luks->header.master_key_len); 1736 } 1737 1738 /* Erase an explicitly given keyslot */ 1739 if (opts_luks->has_keyslot) { 1740 int keyslot = opts_luks->keyslot; 1741 1742 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1743 error_setg(errp, 1744 "Invalid keyslot %i specified, must be between 0 and %i", 1745 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1746 return -1; 1747 } 1748 1749 if (opts_luks->old_secret) { 1750 int rv = qcrypto_block_luks_load_key(block, 1751 keyslot, 1752 old_password, 1753 tmpkey, 1754 readfunc, 1755 opaque, 1756 errp); 1757 if (rv == -1) { 1758 return -1; 1759 } else if (rv == 0) { 1760 error_setg(errp, 1761 "Given keyslot %i doesn't contain the given " 1762 "old password for erase operation", 1763 keyslot); 1764 return -1; 1765 } 1766 } 1767 1768 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) { 1769 error_setg(errp, 1770 "Given keyslot %i is already erased (inactive) ", 1771 keyslot); 1772 return -1; 1773 } 1774 1775 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) { 1776 error_setg(errp, 1777 "Attempt to erase the only active keyslot %i " 1778 "which will erase all the data in the image " 1779 "irreversibly - refusing operation", 1780 keyslot); 1781 return -1; 1782 } 1783 1784 if (qcrypto_block_luks_erase_key(block, keyslot, 1785 writefunc, opaque, errp)) { 1786 error_append_hint(errp, "Failed to erase keyslot %i", keyslot); 1787 return -1; 1788 } 1789 1790 /* Erase all keyslots that match the given old password */ 1791 } else if (opts_luks->old_secret) { 1792 1793 unsigned long slots_to_erase_bitmap = 0; 1794 size_t i; 1795 int slot_count; 1796 1797 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <= 1798 sizeof(slots_to_erase_bitmap) * 8); 1799 1800 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1801 int rv = qcrypto_block_luks_load_key(block, 1802 i, 1803 old_password, 1804 tmpkey, 1805 readfunc, 1806 opaque, 1807 errp); 1808 if (rv == -1) { 1809 return -1; 1810 } else if (rv == 1) { 1811 bitmap_set(&slots_to_erase_bitmap, i, 1); 1812 } 1813 } 1814 1815 slot_count = bitmap_count_one(&slots_to_erase_bitmap, 1816 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1817 if (slot_count == 0) { 1818 error_setg(errp, 1819 "No keyslots match given (old) password for erase operation"); 1820 return -1; 1821 } 1822 1823 if (!force && 1824 slot_count == qcrypto_block_luks_count_active_slots(luks)) { 1825 error_setg(errp, 1826 "All the active keyslots match the (old) password that " 1827 "was given and erasing them will erase all the data in " 1828 "the image irreversibly - refusing operation"); 1829 return -1; 1830 } 1831 1832 /* Now apply the update */ 1833 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1834 if (!test_bit(i, &slots_to_erase_bitmap)) { 1835 continue; 1836 } 1837 if (qcrypto_block_luks_erase_key(block, i, writefunc, 1838 opaque, errp)) { 1839 error_append_hint(errp, "Failed to erase keyslot %zu", i); 1840 return -1; 1841 } 1842 } 1843 } else { 1844 error_setg(errp, 1845 "To erase keyslot(s), either explicit keyslot index " 1846 "or the password currently contained in them must be given"); 1847 return -1; 1848 } 1849 return 0; 1850 } 1851 1852 static int 1853 qcrypto_block_luks_amend_options(QCryptoBlock *block, 1854 QCryptoBlockReadFunc readfunc, 1855 QCryptoBlockWriteFunc writefunc, 1856 void *opaque, 1857 QCryptoBlockAmendOptions *options, 1858 bool force, 1859 Error **errp) 1860 { 1861 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks; 1862 1863 switch (opts_luks->state) { 1864 case QCRYPTO_BLOCK_LUKS_KEYSLOT_STATE_ACTIVE: 1865 return qcrypto_block_luks_amend_add_keyslot(block, readfunc, 1866 writefunc, opaque, 1867 opts_luks, force, errp); 1868 case QCRYPTO_BLOCK_LUKS_KEYSLOT_STATE_INACTIVE: 1869 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc, 1870 writefunc, opaque, 1871 opts_luks, force, errp); 1872 default: 1873 g_assert_not_reached(); 1874 } 1875 } 1876 1877 static int qcrypto_block_luks_get_info(QCryptoBlock *block, 1878 QCryptoBlockInfo *info, 1879 Error **errp) 1880 { 1881 QCryptoBlockLUKS *luks = block->opaque; 1882 QCryptoBlockInfoLUKSSlot *slot; 1883 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots; 1884 size_t i; 1885 1886 info->u.luks.cipher_alg = luks->cipher_alg; 1887 info->u.luks.cipher_mode = luks->cipher_mode; 1888 info->u.luks.ivgen_alg = luks->ivgen_alg; 1889 if (info->u.luks.ivgen_alg == QCRYPTO_IV_GEN_ALGO_ESSIV) { 1890 info->u.luks.has_ivgen_hash_alg = true; 1891 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; 1892 } 1893 info->u.luks.hash_alg = luks->hash_alg; 1894 info->u.luks.payload_offset = block->payload_offset; 1895 info->u.luks.master_key_iters = luks->header.master_key_iterations; 1896 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, 1897 sizeof(luks->header.uuid)); 1898 info->u.luks.detached_header = block->detached_header; 1899 1900 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1901 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); 1902 slot->active = luks->header.key_slots[i].active == 1903 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1904 slot->key_offset = luks->header.key_slots[i].key_offset_sector 1905 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1906 if (slot->active) { 1907 slot->has_iters = true; 1908 slot->iters = luks->header.key_slots[i].iterations; 1909 slot->has_stripes = true; 1910 slot->stripes = luks->header.key_slots[i].stripes; 1911 } 1912 1913 QAPI_LIST_APPEND(tail, slot); 1914 } 1915 1916 return 0; 1917 } 1918 1919 1920 static void qcrypto_block_luks_cleanup(QCryptoBlock *block) 1921 { 1922 QCryptoBlockLUKS *luks = block->opaque; 1923 if (luks) { 1924 g_free(luks->secret); 1925 g_free(luks); 1926 } 1927 } 1928 1929 1930 static int 1931 qcrypto_block_luks_decrypt(QCryptoBlock *block, 1932 uint64_t offset, 1933 uint8_t *buf, 1934 size_t len, 1935 Error **errp) 1936 { 1937 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1938 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1939 return qcrypto_block_decrypt_helper(block, 1940 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1941 offset, buf, len, errp); 1942 } 1943 1944 1945 static int 1946 qcrypto_block_luks_encrypt(QCryptoBlock *block, 1947 uint64_t offset, 1948 uint8_t *buf, 1949 size_t len, 1950 Error **errp) 1951 { 1952 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1953 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1954 return qcrypto_block_encrypt_helper(block, 1955 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1956 offset, buf, len, errp); 1957 } 1958 1959 1960 const QCryptoBlockDriver qcrypto_block_driver_luks = { 1961 .open = qcrypto_block_luks_open, 1962 .create = qcrypto_block_luks_create, 1963 .amend = qcrypto_block_luks_amend_options, 1964 .get_info = qcrypto_block_luks_get_info, 1965 .cleanup = qcrypto_block_luks_cleanup, 1966 .decrypt = qcrypto_block_luks_decrypt, 1967 .encrypt = qcrypto_block_luks_encrypt, 1968 .has_format = qcrypto_block_luks_has_format, 1969 }; 1970