1 /* 2 * QEMU Crypto block device encryption LUKS format 3 * 4 * Copyright (c) 2015-2016 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #include "qemu/osdep.h" 22 #include "qapi/error.h" 23 #include "qemu/bswap.h" 24 25 #include "block-luks.h" 26 #include "block-luks-priv.h" 27 28 #include "crypto/hash.h" 29 #include "crypto/afsplit.h" 30 #include "crypto/pbkdf.h" 31 #include "crypto/secret.h" 32 #include "crypto/random.h" 33 #include "qemu/uuid.h" 34 35 #include "qemu/bitmap.h" 36 37 /* 38 * Reference for the LUKS format implemented here is 39 * 40 * docs/on-disk-format.pdf 41 * 42 * in 'cryptsetup' package source code 43 * 44 * This file implements the 1.2.1 specification, dated 45 * Oct 16, 2011. 46 */ 47 48 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; 49 50 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; 51 struct QCryptoBlockLUKSNameMap { 52 const char *name; 53 int id; 54 }; 55 56 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; 57 struct QCryptoBlockLUKSCipherSizeMap { 58 uint32_t key_bytes; 59 int id; 60 }; 61 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; 62 struct QCryptoBlockLUKSCipherNameMap { 63 const char *name; 64 const QCryptoBlockLUKSCipherSizeMap *sizes; 65 }; 66 67 68 static const QCryptoBlockLUKSCipherSizeMap 69 qcrypto_block_luks_cipher_size_map_aes[] = { 70 { 16, QCRYPTO_CIPHER_ALG_AES_128 }, 71 { 24, QCRYPTO_CIPHER_ALG_AES_192 }, 72 { 32, QCRYPTO_CIPHER_ALG_AES_256 }, 73 { 0, 0 }, 74 }; 75 76 static const QCryptoBlockLUKSCipherSizeMap 77 qcrypto_block_luks_cipher_size_map_cast5[] = { 78 { 16, QCRYPTO_CIPHER_ALG_CAST5_128 }, 79 { 0, 0 }, 80 }; 81 82 static const QCryptoBlockLUKSCipherSizeMap 83 qcrypto_block_luks_cipher_size_map_serpent[] = { 84 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 }, 85 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 }, 86 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 }, 87 { 0, 0 }, 88 }; 89 90 static const QCryptoBlockLUKSCipherSizeMap 91 qcrypto_block_luks_cipher_size_map_twofish[] = { 92 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 }, 93 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 }, 94 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 }, 95 { 0, 0 }, 96 }; 97 98 #ifdef CONFIG_CRYPTO_SM4 99 static const QCryptoBlockLUKSCipherSizeMap 100 qcrypto_block_luks_cipher_size_map_sm4[] = { 101 { 16, QCRYPTO_CIPHER_ALG_SM4}, 102 { 0, 0 }, 103 }; 104 #endif 105 106 static const QCryptoBlockLUKSCipherNameMap 107 qcrypto_block_luks_cipher_name_map[] = { 108 { "aes", qcrypto_block_luks_cipher_size_map_aes }, 109 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, 110 { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, 111 { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, 112 #ifdef CONFIG_CRYPTO_SM4 113 { "sm4", qcrypto_block_luks_cipher_size_map_sm4}, 114 #endif 115 }; 116 117 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); 118 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); 119 120 121 struct QCryptoBlockLUKS { 122 QCryptoBlockLUKSHeader header; 123 124 /* Main encryption algorithm used for encryption*/ 125 QCryptoCipherAlgorithm cipher_alg; 126 127 /* Mode of encryption for the selected encryption algorithm */ 128 QCryptoCipherMode cipher_mode; 129 130 /* Initialization vector generation algorithm */ 131 QCryptoIVGenAlgorithm ivgen_alg; 132 133 /* Hash algorithm used for IV generation*/ 134 QCryptoHashAlgorithm ivgen_hash_alg; 135 136 /* 137 * Encryption algorithm used for IV generation. 138 * Usually the same as main encryption algorithm 139 */ 140 QCryptoCipherAlgorithm ivgen_cipher_alg; 141 142 /* Hash algorithm used in pbkdf2 function */ 143 QCryptoHashAlgorithm hash_alg; 144 145 /* Name of the secret that was used to open the image */ 146 char *secret; 147 }; 148 149 150 static int qcrypto_block_luks_cipher_name_lookup(const char *name, 151 QCryptoCipherMode mode, 152 uint32_t key_bytes, 153 Error **errp) 154 { 155 const QCryptoBlockLUKSCipherNameMap *map = 156 qcrypto_block_luks_cipher_name_map; 157 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 158 size_t i, j; 159 160 if (mode == QCRYPTO_CIPHER_MODE_XTS) { 161 key_bytes /= 2; 162 } 163 164 for (i = 0; i < maplen; i++) { 165 if (!g_str_equal(map[i].name, name)) { 166 continue; 167 } 168 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 169 if (map[i].sizes[j].key_bytes == key_bytes) { 170 return map[i].sizes[j].id; 171 } 172 } 173 } 174 175 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported", 176 name, key_bytes); 177 return 0; 178 } 179 180 static const char * 181 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg, 182 Error **errp) 183 { 184 const QCryptoBlockLUKSCipherNameMap *map = 185 qcrypto_block_luks_cipher_name_map; 186 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 187 size_t i, j; 188 for (i = 0; i < maplen; i++) { 189 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 190 if (map[i].sizes[j].id == alg) { 191 return map[i].name; 192 } 193 } 194 } 195 196 error_setg(errp, "Algorithm '%s' not supported", 197 QCryptoCipherAlgorithm_str(alg)); 198 return NULL; 199 } 200 201 /* XXX replace with qapi_enum_parse() in future, when we can 202 * make that function emit a more friendly error message */ 203 static int qcrypto_block_luks_name_lookup(const char *name, 204 const QEnumLookup *map, 205 const char *type, 206 Error **errp) 207 { 208 int ret = qapi_enum_parse(map, name, -1, NULL); 209 210 if (ret < 0) { 211 error_setg(errp, "%s '%s' not supported", type, name); 212 return 0; 213 } 214 return ret; 215 } 216 217 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ 218 qcrypto_block_luks_name_lookup(name, \ 219 &QCryptoCipherMode_lookup, \ 220 "Cipher mode", \ 221 errp) 222 223 #define qcrypto_block_luks_hash_name_lookup(name, errp) \ 224 qcrypto_block_luks_name_lookup(name, \ 225 &QCryptoHashAlgorithm_lookup, \ 226 "Hash algorithm", \ 227 errp) 228 229 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ 230 qcrypto_block_luks_name_lookup(name, \ 231 &QCryptoIVGenAlgorithm_lookup, \ 232 "IV generator", \ 233 errp) 234 235 236 static bool 237 qcrypto_block_luks_has_format(const uint8_t *buf, 238 size_t buf_size) 239 { 240 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; 241 242 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && 243 memcmp(luks_header->magic, qcrypto_block_luks_magic, 244 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && 245 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { 246 return true; 247 } else { 248 return false; 249 } 250 } 251 252 253 /** 254 * Deal with a quirk of dm-crypt usage of ESSIV. 255 * 256 * When calculating ESSIV IVs, the cipher length used by ESSIV 257 * may be different from the cipher length used for the block 258 * encryption, because dm-crypt uses the hash digest length 259 * as the key size. ie, if you have AES 128 as the block cipher 260 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as 261 * the cipher since that gets a key length matching the digest 262 * size, not AES 128 with truncated digest as might be imagined 263 */ 264 static QCryptoCipherAlgorithm 265 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher, 266 QCryptoHashAlgorithm hash, 267 Error **errp) 268 { 269 size_t digestlen = qcrypto_hash_digest_len(hash); 270 size_t keylen = qcrypto_cipher_get_key_len(cipher); 271 if (digestlen == keylen) { 272 return cipher; 273 } 274 275 switch (cipher) { 276 case QCRYPTO_CIPHER_ALG_AES_128: 277 case QCRYPTO_CIPHER_ALG_AES_192: 278 case QCRYPTO_CIPHER_ALG_AES_256: 279 if (digestlen == qcrypto_cipher_get_key_len( 280 QCRYPTO_CIPHER_ALG_AES_128)) { 281 return QCRYPTO_CIPHER_ALG_AES_128; 282 } else if (digestlen == qcrypto_cipher_get_key_len( 283 QCRYPTO_CIPHER_ALG_AES_192)) { 284 return QCRYPTO_CIPHER_ALG_AES_192; 285 } else if (digestlen == qcrypto_cipher_get_key_len( 286 QCRYPTO_CIPHER_ALG_AES_256)) { 287 return QCRYPTO_CIPHER_ALG_AES_256; 288 } else { 289 error_setg(errp, "No AES cipher with key size %zu available", 290 digestlen); 291 return 0; 292 } 293 break; 294 case QCRYPTO_CIPHER_ALG_SERPENT_128: 295 case QCRYPTO_CIPHER_ALG_SERPENT_192: 296 case QCRYPTO_CIPHER_ALG_SERPENT_256: 297 if (digestlen == qcrypto_cipher_get_key_len( 298 QCRYPTO_CIPHER_ALG_SERPENT_128)) { 299 return QCRYPTO_CIPHER_ALG_SERPENT_128; 300 } else if (digestlen == qcrypto_cipher_get_key_len( 301 QCRYPTO_CIPHER_ALG_SERPENT_192)) { 302 return QCRYPTO_CIPHER_ALG_SERPENT_192; 303 } else if (digestlen == qcrypto_cipher_get_key_len( 304 QCRYPTO_CIPHER_ALG_SERPENT_256)) { 305 return QCRYPTO_CIPHER_ALG_SERPENT_256; 306 } else { 307 error_setg(errp, "No Serpent cipher with key size %zu available", 308 digestlen); 309 return 0; 310 } 311 break; 312 case QCRYPTO_CIPHER_ALG_TWOFISH_128: 313 case QCRYPTO_CIPHER_ALG_TWOFISH_192: 314 case QCRYPTO_CIPHER_ALG_TWOFISH_256: 315 if (digestlen == qcrypto_cipher_get_key_len( 316 QCRYPTO_CIPHER_ALG_TWOFISH_128)) { 317 return QCRYPTO_CIPHER_ALG_TWOFISH_128; 318 } else if (digestlen == qcrypto_cipher_get_key_len( 319 QCRYPTO_CIPHER_ALG_TWOFISH_192)) { 320 return QCRYPTO_CIPHER_ALG_TWOFISH_192; 321 } else if (digestlen == qcrypto_cipher_get_key_len( 322 QCRYPTO_CIPHER_ALG_TWOFISH_256)) { 323 return QCRYPTO_CIPHER_ALG_TWOFISH_256; 324 } else { 325 error_setg(errp, "No Twofish cipher with key size %zu available", 326 digestlen); 327 return 0; 328 } 329 break; 330 default: 331 error_setg(errp, "Cipher %s not supported with essiv", 332 QCryptoCipherAlgorithm_str(cipher)); 333 return 0; 334 } 335 } 336 337 /* 338 * Returns number of sectors needed to store the key material 339 * given number of anti forensic stripes 340 */ 341 static int 342 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks, 343 unsigned int header_sectors, 344 unsigned int stripes) 345 { 346 /* 347 * This calculation doesn't match that shown in the spec, 348 * but instead follows the cryptsetup implementation. 349 */ 350 351 size_t splitkeylen = luks->header.master_key_len * stripes; 352 353 /* First align the key material size to block size*/ 354 size_t splitkeylen_sectors = 355 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE); 356 357 /* Then also align the key material size to the size of the header */ 358 return ROUND_UP(splitkeylen_sectors, header_sectors); 359 } 360 361 362 void 363 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr) 364 { 365 size_t i; 366 367 /* 368 * Everything on disk uses Big Endian (tm), so flip header fields 369 * before writing them 370 */ 371 cpu_to_be16s(&hdr->version); 372 cpu_to_be32s(&hdr->payload_offset_sector); 373 cpu_to_be32s(&hdr->master_key_len); 374 cpu_to_be32s(&hdr->master_key_iterations); 375 376 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 377 cpu_to_be32s(&hdr->key_slots[i].active); 378 cpu_to_be32s(&hdr->key_slots[i].iterations); 379 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector); 380 cpu_to_be32s(&hdr->key_slots[i].stripes); 381 } 382 } 383 384 void 385 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr) 386 { 387 size_t i; 388 389 /* 390 * The header is always stored in big-endian format, so 391 * convert everything to native 392 */ 393 be16_to_cpus(&hdr->version); 394 be32_to_cpus(&hdr->payload_offset_sector); 395 be32_to_cpus(&hdr->master_key_len); 396 be32_to_cpus(&hdr->master_key_iterations); 397 398 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 399 be32_to_cpus(&hdr->key_slots[i].active); 400 be32_to_cpus(&hdr->key_slots[i].iterations); 401 be32_to_cpus(&hdr->key_slots[i].key_offset_sector); 402 be32_to_cpus(&hdr->key_slots[i].stripes); 403 } 404 } 405 406 /* 407 * Stores the main LUKS header, taking care of endianness 408 */ 409 static int 410 qcrypto_block_luks_store_header(QCryptoBlock *block, 411 QCryptoBlockWriteFunc writefunc, 412 void *opaque, 413 Error **errp) 414 { 415 const QCryptoBlockLUKS *luks = block->opaque; 416 Error *local_err = NULL; 417 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL; 418 419 /* Create a copy of the header */ 420 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1); 421 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader)); 422 423 qcrypto_block_luks_to_disk_endian(hdr_copy); 424 425 /* Write out the partition header and key slot headers */ 426 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy), 427 opaque, &local_err); 428 429 if (local_err) { 430 error_propagate(errp, local_err); 431 return -1; 432 } 433 return 0; 434 } 435 436 /* 437 * Loads the main LUKS header, and byteswaps it to native endianness 438 * And run basic sanity checks on it 439 */ 440 static int 441 qcrypto_block_luks_load_header(QCryptoBlock *block, 442 QCryptoBlockReadFunc readfunc, 443 void *opaque, 444 Error **errp) 445 { 446 int rv; 447 QCryptoBlockLUKS *luks = block->opaque; 448 449 /* 450 * Read the entire LUKS header, minus the key material from 451 * the underlying device 452 */ 453 rv = readfunc(block, 0, 454 (uint8_t *)&luks->header, 455 sizeof(luks->header), 456 opaque, 457 errp); 458 if (rv < 0) { 459 return rv; 460 } 461 462 qcrypto_block_luks_from_disk_endian(&luks->header); 463 464 return 0; 465 } 466 467 /* 468 * Does basic sanity checks on the LUKS header 469 */ 470 static int 471 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, 472 unsigned int flags, 473 Error **errp) 474 { 475 size_t i, j; 476 477 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 478 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 479 bool detached = flags & QCRYPTO_BLOCK_OPEN_DETACHED; 480 481 if (memcmp(luks->header.magic, qcrypto_block_luks_magic, 482 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { 483 error_setg(errp, "Volume is not in LUKS format"); 484 return -1; 485 } 486 487 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { 488 error_setg(errp, "LUKS version %" PRIu32 " is not supported", 489 luks->header.version); 490 return -1; 491 } 492 493 if (!memchr(luks->header.cipher_name, '\0', 494 sizeof(luks->header.cipher_name))) { 495 error_setg(errp, "LUKS header cipher name is not NUL terminated"); 496 return -1; 497 } 498 499 if (!memchr(luks->header.cipher_mode, '\0', 500 sizeof(luks->header.cipher_mode))) { 501 error_setg(errp, "LUKS header cipher mode is not NUL terminated"); 502 return -1; 503 } 504 505 if (!memchr(luks->header.hash_spec, '\0', 506 sizeof(luks->header.hash_spec))) { 507 error_setg(errp, "LUKS header hash spec is not NUL terminated"); 508 return -1; 509 } 510 511 if (!detached && luks->header.payload_offset_sector < 512 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 513 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 514 error_setg(errp, "LUKS payload is overlapping with the header"); 515 return -1; 516 } 517 518 if (luks->header.master_key_iterations == 0) { 519 error_setg(errp, "LUKS key iteration count is zero"); 520 return -1; 521 } 522 523 /* Check all keyslots for corruption */ 524 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) { 525 526 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i]; 527 unsigned int start1 = slot1->key_offset_sector; 528 unsigned int len1 = 529 qcrypto_block_luks_splitkeylen_sectors(luks, 530 header_sectors, 531 slot1->stripes); 532 533 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) { 534 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)", 535 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES); 536 return -1; 537 } 538 539 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED && 540 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 541 error_setg(errp, 542 "Keyslot %zu state (active/disable) is corrupted", i); 543 return -1; 544 } 545 546 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED && 547 slot1->iterations == 0) { 548 error_setg(errp, "Keyslot %zu iteration count is zero", i); 549 return -1; 550 } 551 552 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 553 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 554 error_setg(errp, 555 "Keyslot %zu is overlapping with the LUKS header", 556 i); 557 return -1; 558 } 559 560 if (!detached && start1 + len1 > luks->header.payload_offset_sector) { 561 error_setg(errp, 562 "Keyslot %zu is overlapping with the encrypted payload", 563 i); 564 return -1; 565 } 566 567 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) { 568 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j]; 569 unsigned int start2 = slot2->key_offset_sector; 570 unsigned int len2 = 571 qcrypto_block_luks_splitkeylen_sectors(luks, 572 header_sectors, 573 slot2->stripes); 574 575 if (start1 + len1 > start2 && start2 + len2 > start1) { 576 error_setg(errp, 577 "Keyslots %zu and %zu are overlapping in the header", 578 i, j); 579 return -1; 580 } 581 } 582 583 } 584 return 0; 585 } 586 587 /* 588 * Parses the crypto parameters that are stored in the LUKS header 589 */ 590 591 static int 592 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp) 593 { 594 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode); 595 char *ivgen_name, *ivhash_name; 596 Error *local_err = NULL; 597 598 /* 599 * The cipher_mode header contains a string that we have 600 * to further parse, of the format 601 * 602 * <cipher-mode>-<iv-generator>[:<iv-hash>] 603 * 604 * eg cbc-essiv:sha256, cbc-plain64 605 */ 606 ivgen_name = strchr(cipher_mode, '-'); 607 if (!ivgen_name) { 608 error_setg(errp, "Unexpected cipher mode string format '%s'", 609 luks->header.cipher_mode); 610 return -1; 611 } 612 *ivgen_name = '\0'; 613 ivgen_name++; 614 615 ivhash_name = strchr(ivgen_name, ':'); 616 if (!ivhash_name) { 617 luks->ivgen_hash_alg = 0; 618 } else { 619 *ivhash_name = '\0'; 620 ivhash_name++; 621 622 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name, 623 &local_err); 624 if (local_err) { 625 error_propagate(errp, local_err); 626 return -1; 627 } 628 } 629 630 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode, 631 &local_err); 632 if (local_err) { 633 error_propagate(errp, local_err); 634 return -1; 635 } 636 637 luks->cipher_alg = 638 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, 639 luks->cipher_mode, 640 luks->header.master_key_len, 641 &local_err); 642 if (local_err) { 643 error_propagate(errp, local_err); 644 return -1; 645 } 646 647 luks->hash_alg = 648 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, 649 &local_err); 650 if (local_err) { 651 error_propagate(errp, local_err); 652 return -1; 653 } 654 655 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, 656 &local_err); 657 if (local_err) { 658 error_propagate(errp, local_err); 659 return -1; 660 } 661 662 if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 663 if (!ivhash_name) { 664 error_setg(errp, "Missing IV generator hash specification"); 665 return -1; 666 } 667 luks->ivgen_cipher_alg = 668 qcrypto_block_luks_essiv_cipher(luks->cipher_alg, 669 luks->ivgen_hash_alg, 670 &local_err); 671 if (local_err) { 672 error_propagate(errp, local_err); 673 return -1; 674 } 675 } else { 676 677 /* 678 * Note we parsed the ivhash_name earlier in the cipher_mode 679 * spec string even with plain/plain64 ivgens, but we 680 * will ignore it, since it is irrelevant for these ivgens. 681 * This is for compat with dm-crypt which will silently 682 * ignore hash names with these ivgens rather than report 683 * an error about the invalid usage 684 */ 685 luks->ivgen_cipher_alg = luks->cipher_alg; 686 } 687 return 0; 688 } 689 690 /* 691 * Given a key slot, user password, and the master key, 692 * will store the encrypted master key there, and update the 693 * in-memory header. User must then write the in-memory header 694 * 695 * Returns: 696 * 0 if the keyslot was written successfully 697 * with the provided password 698 * -1 if a fatal error occurred while storing the key 699 */ 700 static int 701 qcrypto_block_luks_store_key(QCryptoBlock *block, 702 unsigned int slot_idx, 703 const char *password, 704 uint8_t *masterkey, 705 uint64_t iter_time, 706 QCryptoBlockWriteFunc writefunc, 707 void *opaque, 708 Error **errp) 709 { 710 QCryptoBlockLUKS *luks = block->opaque; 711 QCryptoBlockLUKSKeySlot *slot; 712 g_autofree uint8_t *splitkey = NULL; 713 size_t splitkeylen; 714 g_autofree uint8_t *slotkey = NULL; 715 g_autoptr(QCryptoCipher) cipher = NULL; 716 g_autoptr(QCryptoIVGen) ivgen = NULL; 717 Error *local_err = NULL; 718 uint64_t iters; 719 int ret = -1; 720 721 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 722 slot = &luks->header.key_slots[slot_idx]; 723 splitkeylen = luks->header.master_key_len * slot->stripes; 724 725 if (qcrypto_random_bytes(slot->salt, 726 QCRYPTO_BLOCK_LUKS_SALT_LEN, 727 errp) < 0) { 728 goto cleanup; 729 } 730 731 /* 732 * Determine how many iterations are required to 733 * hash the user password while consuming 1 second of compute 734 * time 735 */ 736 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg, 737 (uint8_t *)password, strlen(password), 738 slot->salt, 739 QCRYPTO_BLOCK_LUKS_SALT_LEN, 740 luks->header.master_key_len, 741 &local_err); 742 if (local_err) { 743 error_propagate(errp, local_err); 744 goto cleanup; 745 } 746 747 if (iters > (ULLONG_MAX / iter_time)) { 748 error_setg_errno(errp, ERANGE, 749 "PBKDF iterations %llu too large to scale", 750 (unsigned long long)iters); 751 goto cleanup; 752 } 753 754 /* iter_time was in millis, but count_iters reported for secs */ 755 iters = iters * iter_time / 1000; 756 757 if (iters > UINT32_MAX) { 758 error_setg_errno(errp, ERANGE, 759 "PBKDF iterations %llu larger than %u", 760 (unsigned long long)iters, UINT32_MAX); 761 goto cleanup; 762 } 763 764 slot->iterations = 765 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); 766 767 768 /* 769 * Generate a key that we'll use to encrypt the master 770 * key, from the user's password 771 */ 772 slotkey = g_new0(uint8_t, luks->header.master_key_len); 773 if (qcrypto_pbkdf2(luks->hash_alg, 774 (uint8_t *)password, strlen(password), 775 slot->salt, 776 QCRYPTO_BLOCK_LUKS_SALT_LEN, 777 slot->iterations, 778 slotkey, luks->header.master_key_len, 779 errp) < 0) { 780 goto cleanup; 781 } 782 783 784 /* 785 * Setup the encryption objects needed to encrypt the 786 * master key material 787 */ 788 cipher = qcrypto_cipher_new(luks->cipher_alg, 789 luks->cipher_mode, 790 slotkey, luks->header.master_key_len, 791 errp); 792 if (!cipher) { 793 goto cleanup; 794 } 795 796 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 797 luks->ivgen_cipher_alg, 798 luks->ivgen_hash_alg, 799 slotkey, luks->header.master_key_len, 800 errp); 801 if (!ivgen) { 802 goto cleanup; 803 } 804 805 /* 806 * Before storing the master key, we need to vastly 807 * increase its size, as protection against forensic 808 * disk data recovery 809 */ 810 splitkey = g_new0(uint8_t, splitkeylen); 811 812 if (qcrypto_afsplit_encode(luks->hash_alg, 813 luks->header.master_key_len, 814 slot->stripes, 815 masterkey, 816 splitkey, 817 errp) < 0) { 818 goto cleanup; 819 } 820 821 /* 822 * Now we encrypt the split master key with the key generated 823 * from the user's password, before storing it 824 */ 825 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen, 826 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 827 0, 828 splitkey, 829 splitkeylen, 830 errp) < 0) { 831 goto cleanup; 832 } 833 834 /* Write out the slot's master key material. */ 835 if (writefunc(block, 836 slot->key_offset_sector * 837 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 838 splitkey, splitkeylen, 839 opaque, 840 errp) < 0) { 841 goto cleanup; 842 } 843 844 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 845 846 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) { 847 goto cleanup; 848 } 849 850 ret = 0; 851 852 cleanup: 853 if (slotkey) { 854 memset(slotkey, 0, luks->header.master_key_len); 855 } 856 if (splitkey) { 857 memset(splitkey, 0, splitkeylen); 858 } 859 return ret; 860 } 861 862 /* 863 * Given a key slot, and user password, this will attempt to unlock 864 * the master encryption key from the key slot. 865 * 866 * Returns: 867 * 0 if the key slot is disabled, or key could not be decrypted 868 * with the provided password 869 * 1 if the key slot is enabled, and key decrypted successfully 870 * with the provided password 871 * -1 if a fatal error occurred loading the key 872 */ 873 static int 874 qcrypto_block_luks_load_key(QCryptoBlock *block, 875 size_t slot_idx, 876 const char *password, 877 uint8_t *masterkey, 878 QCryptoBlockReadFunc readfunc, 879 void *opaque, 880 Error **errp) 881 { 882 QCryptoBlockLUKS *luks = block->opaque; 883 const QCryptoBlockLUKSKeySlot *slot; 884 g_autofree uint8_t *splitkey = NULL; 885 size_t splitkeylen; 886 g_autofree uint8_t *possiblekey = NULL; 887 int rv; 888 g_autoptr(QCryptoCipher) cipher = NULL; 889 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; 890 g_autoptr(QCryptoIVGen) ivgen = NULL; 891 size_t niv; 892 893 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 894 slot = &luks->header.key_slots[slot_idx]; 895 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 896 return 0; 897 } 898 899 splitkeylen = luks->header.master_key_len * slot->stripes; 900 splitkey = g_new0(uint8_t, splitkeylen); 901 possiblekey = g_new0(uint8_t, luks->header.master_key_len); 902 903 /* 904 * The user password is used to generate a (possible) 905 * decryption key. This may or may not successfully 906 * decrypt the master key - we just blindly assume 907 * the key is correct and validate the results of 908 * decryption later. 909 */ 910 if (qcrypto_pbkdf2(luks->hash_alg, 911 (const uint8_t *)password, strlen(password), 912 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, 913 slot->iterations, 914 possiblekey, luks->header.master_key_len, 915 errp) < 0) { 916 return -1; 917 } 918 919 /* 920 * We need to read the master key material from the 921 * LUKS key material header. What we're reading is 922 * not the raw master key, but rather the data after 923 * it has been passed through AFSplit and the result 924 * then encrypted. 925 */ 926 rv = readfunc(block, 927 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 928 splitkey, splitkeylen, 929 opaque, 930 errp); 931 if (rv < 0) { 932 return -1; 933 } 934 935 936 /* Setup the cipher/ivgen that we'll use to try to decrypt 937 * the split master key material */ 938 cipher = qcrypto_cipher_new(luks->cipher_alg, 939 luks->cipher_mode, 940 possiblekey, 941 luks->header.master_key_len, 942 errp); 943 if (!cipher) { 944 return -1; 945 } 946 947 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 948 luks->cipher_mode); 949 950 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 951 luks->ivgen_cipher_alg, 952 luks->ivgen_hash_alg, 953 possiblekey, 954 luks->header.master_key_len, 955 errp); 956 if (!ivgen) { 957 return -1; 958 } 959 960 961 /* 962 * The master key needs to be decrypted in the same 963 * way that the block device payload will be decrypted 964 * later. In particular we'll be using the IV generator 965 * to reset the encryption cipher every time the master 966 * key crosses a sector boundary. 967 */ 968 if (qcrypto_block_cipher_decrypt_helper(cipher, 969 niv, 970 ivgen, 971 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 972 0, 973 splitkey, 974 splitkeylen, 975 errp) < 0) { 976 return -1; 977 } 978 979 /* 980 * Now we've decrypted the split master key, join 981 * it back together to get the actual master key. 982 */ 983 if (qcrypto_afsplit_decode(luks->hash_alg, 984 luks->header.master_key_len, 985 slot->stripes, 986 splitkey, 987 masterkey, 988 errp) < 0) { 989 return -1; 990 } 991 992 993 /* 994 * We still don't know that the masterkey we got is valid, 995 * because we just blindly assumed the user's password 996 * was correct. This is where we now verify it. We are 997 * creating a hash of the master key using PBKDF and 998 * then comparing that to the hash stored in the key slot 999 * header 1000 */ 1001 if (qcrypto_pbkdf2(luks->hash_alg, 1002 masterkey, 1003 luks->header.master_key_len, 1004 luks->header.master_key_salt, 1005 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1006 luks->header.master_key_iterations, 1007 keydigest, 1008 G_N_ELEMENTS(keydigest), 1009 errp) < 0) { 1010 return -1; 1011 } 1012 1013 if (memcmp(keydigest, luks->header.master_key_digest, 1014 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { 1015 /* Success, we got the right master key */ 1016 return 1; 1017 } 1018 1019 /* Fail, user's password was not valid for this key slot, 1020 * tell caller to try another slot */ 1021 return 0; 1022 } 1023 1024 1025 /* 1026 * Given a user password, this will iterate over all key 1027 * slots and try to unlock each active key slot using the 1028 * password until it successfully obtains a master key. 1029 * 1030 * Returns 0 if a key was loaded, -1 if no keys could be loaded 1031 */ 1032 static int 1033 qcrypto_block_luks_find_key(QCryptoBlock *block, 1034 const char *password, 1035 uint8_t *masterkey, 1036 QCryptoBlockReadFunc readfunc, 1037 void *opaque, 1038 Error **errp) 1039 { 1040 size_t i; 1041 int rv; 1042 1043 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1044 rv = qcrypto_block_luks_load_key(block, 1045 i, 1046 password, 1047 masterkey, 1048 readfunc, 1049 opaque, 1050 errp); 1051 if (rv < 0) { 1052 goto error; 1053 } 1054 if (rv == 1) { 1055 return 0; 1056 } 1057 } 1058 1059 error_setg(errp, "Invalid password, cannot unlock any keyslot"); 1060 error: 1061 return -1; 1062 } 1063 1064 /* 1065 * Returns true if a slot i is marked as active 1066 * (contains encrypted copy of the master key) 1067 */ 1068 static bool 1069 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks, 1070 unsigned int slot_idx) 1071 { 1072 uint32_t val; 1073 1074 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1075 val = luks->header.key_slots[slot_idx].active; 1076 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1077 } 1078 1079 /* 1080 * Returns the number of slots that are marked as active 1081 * (slots that contain encrypted copy of the master key) 1082 */ 1083 static unsigned int 1084 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks) 1085 { 1086 size_t i = 0; 1087 unsigned int ret = 0; 1088 1089 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1090 if (qcrypto_block_luks_slot_active(luks, i)) { 1091 ret++; 1092 } 1093 } 1094 return ret; 1095 } 1096 1097 /* 1098 * Finds first key slot which is not active 1099 * Returns the key slot index, or -1 if it doesn't exist 1100 */ 1101 static int 1102 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks) 1103 { 1104 size_t i; 1105 1106 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1107 if (!qcrypto_block_luks_slot_active(luks, i)) { 1108 return i; 1109 } 1110 } 1111 return -1; 1112 } 1113 1114 /* 1115 * Erases an keyslot given its index 1116 * Returns: 1117 * 0 if the keyslot was erased successfully 1118 * -1 if a error occurred while erasing the keyslot 1119 * 1120 */ 1121 static int 1122 qcrypto_block_luks_erase_key(QCryptoBlock *block, 1123 unsigned int slot_idx, 1124 QCryptoBlockWriteFunc writefunc, 1125 void *opaque, 1126 Error **errp) 1127 { 1128 QCryptoBlockLUKS *luks = block->opaque; 1129 QCryptoBlockLUKSKeySlot *slot; 1130 g_autofree uint8_t *garbagesplitkey = NULL; 1131 size_t splitkeylen; 1132 size_t i; 1133 Error *local_err = NULL; 1134 int ret; 1135 1136 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1137 slot = &luks->header.key_slots[slot_idx]; 1138 1139 splitkeylen = luks->header.master_key_len * slot->stripes; 1140 assert(splitkeylen > 0); 1141 1142 garbagesplitkey = g_new0(uint8_t, splitkeylen); 1143 1144 /* Reset the key slot header */ 1145 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN); 1146 slot->iterations = 0; 1147 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1148 1149 ret = qcrypto_block_luks_store_header(block, writefunc, 1150 opaque, &local_err); 1151 1152 if (ret < 0) { 1153 error_propagate(errp, local_err); 1154 } 1155 /* 1156 * Now try to erase the key material, even if the header 1157 * update failed 1158 */ 1159 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) { 1160 if (qcrypto_random_bytes(garbagesplitkey, 1161 splitkeylen, &local_err) < 0) { 1162 /* 1163 * If we failed to get the random data, still write 1164 * at least zeros to the key slot at least once 1165 */ 1166 error_propagate(errp, local_err); 1167 1168 if (i > 0) { 1169 return -1; 1170 } 1171 } 1172 if (writefunc(block, 1173 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1174 garbagesplitkey, 1175 splitkeylen, 1176 opaque, 1177 &local_err) < 0) { 1178 error_propagate(errp, local_err); 1179 return -1; 1180 } 1181 } 1182 return ret; 1183 } 1184 1185 static int 1186 qcrypto_block_luks_open(QCryptoBlock *block, 1187 QCryptoBlockOpenOptions *options, 1188 const char *optprefix, 1189 QCryptoBlockReadFunc readfunc, 1190 void *opaque, 1191 unsigned int flags, 1192 size_t n_threads, 1193 Error **errp) 1194 { 1195 QCryptoBlockLUKS *luks = NULL; 1196 g_autofree uint8_t *masterkey = NULL; 1197 g_autofree char *password = NULL; 1198 1199 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1200 if (!options->u.luks.key_secret) { 1201 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1202 optprefix ? optprefix : ""); 1203 return -1; 1204 } 1205 password = qcrypto_secret_lookup_as_utf8( 1206 options->u.luks.key_secret, errp); 1207 if (!password) { 1208 return -1; 1209 } 1210 } 1211 1212 luks = g_new0(QCryptoBlockLUKS, 1); 1213 block->opaque = luks; 1214 luks->secret = g_strdup(options->u.luks.key_secret); 1215 1216 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) { 1217 goto fail; 1218 } 1219 1220 if (qcrypto_block_luks_check_header(luks, flags, errp) < 0) { 1221 goto fail; 1222 } 1223 1224 if (qcrypto_block_luks_parse_header(luks, errp) < 0) { 1225 goto fail; 1226 } 1227 1228 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1229 /* Try to find which key slot our password is valid for 1230 * and unlock the master key from that slot. 1231 */ 1232 1233 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1234 1235 if (qcrypto_block_luks_find_key(block, 1236 password, 1237 masterkey, 1238 readfunc, opaque, 1239 errp) < 0) { 1240 goto fail; 1241 } 1242 1243 /* We have a valid master key now, so can setup the 1244 * block device payload decryption objects 1245 */ 1246 block->kdfhash = luks->hash_alg; 1247 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 1248 luks->cipher_mode); 1249 1250 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 1251 luks->ivgen_cipher_alg, 1252 luks->ivgen_hash_alg, 1253 masterkey, 1254 luks->header.master_key_len, 1255 errp); 1256 if (!block->ivgen) { 1257 goto fail; 1258 } 1259 1260 if (qcrypto_block_init_cipher(block, 1261 luks->cipher_alg, 1262 luks->cipher_mode, 1263 masterkey, 1264 luks->header.master_key_len, 1265 n_threads, 1266 errp) < 0) { 1267 goto fail; 1268 } 1269 } 1270 1271 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1272 block->payload_offset = luks->header.payload_offset_sector * 1273 block->sector_size; 1274 block->detached_header = (block->payload_offset == 0) ? true : false; 1275 1276 return 0; 1277 1278 fail: 1279 qcrypto_block_free_cipher(block); 1280 qcrypto_ivgen_free(block->ivgen); 1281 g_free(luks->secret); 1282 g_free(luks); 1283 return -1; 1284 } 1285 1286 1287 static void 1288 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr) 1289 { 1290 QemuUUID uuid; 1291 qemu_uuid_generate(&uuid); 1292 qemu_uuid_unparse(&uuid, (char *)uuidstr); 1293 } 1294 1295 static int 1296 qcrypto_block_luks_create(QCryptoBlock *block, 1297 QCryptoBlockCreateOptions *options, 1298 const char *optprefix, 1299 QCryptoBlockInitFunc initfunc, 1300 QCryptoBlockWriteFunc writefunc, 1301 void *opaque, 1302 Error **errp) 1303 { 1304 QCryptoBlockLUKS *luks; 1305 QCryptoBlockCreateOptionsLUKS luks_opts; 1306 Error *local_err = NULL; 1307 g_autofree uint8_t *masterkey = NULL; 1308 size_t header_sectors; 1309 size_t split_key_sectors; 1310 size_t i; 1311 g_autofree char *password = NULL; 1312 const char *cipher_alg; 1313 const char *cipher_mode; 1314 const char *ivgen_alg; 1315 const char *ivgen_hash_alg = NULL; 1316 const char *hash_alg; 1317 g_autofree char *cipher_mode_spec = NULL; 1318 uint64_t iters; 1319 uint64_t detached_header_size; 1320 1321 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); 1322 if (!luks_opts.has_iter_time) { 1323 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1324 } 1325 if (!luks_opts.has_cipher_alg) { 1326 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256; 1327 } 1328 if (!luks_opts.has_cipher_mode) { 1329 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; 1330 } 1331 if (!luks_opts.has_ivgen_alg) { 1332 luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64; 1333 } 1334 if (!luks_opts.has_hash_alg) { 1335 luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; 1336 } 1337 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1338 if (!luks_opts.has_ivgen_hash_alg) { 1339 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256; 1340 luks_opts.has_ivgen_hash_alg = true; 1341 } 1342 } 1343 1344 luks = g_new0(QCryptoBlockLUKS, 1); 1345 block->opaque = luks; 1346 1347 luks->cipher_alg = luks_opts.cipher_alg; 1348 luks->cipher_mode = luks_opts.cipher_mode; 1349 luks->ivgen_alg = luks_opts.ivgen_alg; 1350 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; 1351 luks->hash_alg = luks_opts.hash_alg; 1352 1353 1354 /* Note we're allowing ivgen_hash_alg to be set even for 1355 * non-essiv iv generators that don't need a hash. It will 1356 * be silently ignored, for compatibility with dm-crypt */ 1357 1358 if (!options->u.luks.key_secret) { 1359 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1360 optprefix ? optprefix : ""); 1361 goto error; 1362 } 1363 luks->secret = g_strdup(options->u.luks.key_secret); 1364 1365 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); 1366 if (!password) { 1367 goto error; 1368 } 1369 1370 1371 memcpy(luks->header.magic, qcrypto_block_luks_magic, 1372 QCRYPTO_BLOCK_LUKS_MAGIC_LEN); 1373 1374 /* We populate the header in native endianness initially and 1375 * then convert everything to big endian just before writing 1376 * it out to disk 1377 */ 1378 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; 1379 qcrypto_block_luks_uuid_gen(luks->header.uuid); 1380 1381 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, 1382 errp); 1383 if (!cipher_alg) { 1384 goto error; 1385 } 1386 1387 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode); 1388 ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg); 1389 if (luks_opts.has_ivgen_hash_alg) { 1390 ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg); 1391 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, 1392 ivgen_hash_alg); 1393 } else { 1394 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); 1395 } 1396 hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg); 1397 1398 1399 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { 1400 error_setg(errp, "Cipher name '%s' is too long for LUKS header", 1401 cipher_alg); 1402 goto error; 1403 } 1404 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { 1405 error_setg(errp, "Cipher mode '%s' is too long for LUKS header", 1406 cipher_mode_spec); 1407 goto error; 1408 } 1409 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { 1410 error_setg(errp, "Hash name '%s' is too long for LUKS header", 1411 hash_alg); 1412 goto error; 1413 } 1414 1415 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1416 luks->ivgen_cipher_alg = 1417 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, 1418 luks_opts.ivgen_hash_alg, 1419 &local_err); 1420 if (local_err) { 1421 error_propagate(errp, local_err); 1422 goto error; 1423 } 1424 } else { 1425 luks->ivgen_cipher_alg = luks_opts.cipher_alg; 1426 } 1427 1428 strcpy(luks->header.cipher_name, cipher_alg); 1429 strcpy(luks->header.cipher_mode, cipher_mode_spec); 1430 strcpy(luks->header.hash_spec, hash_alg); 1431 1432 luks->header.master_key_len = 1433 qcrypto_cipher_get_key_len(luks_opts.cipher_alg); 1434 1435 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { 1436 luks->header.master_key_len *= 2; 1437 } 1438 1439 /* Generate the salt used for hashing the master key 1440 * with PBKDF later 1441 */ 1442 if (qcrypto_random_bytes(luks->header.master_key_salt, 1443 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1444 errp) < 0) { 1445 goto error; 1446 } 1447 1448 /* Generate random master key */ 1449 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1450 if (qcrypto_random_bytes(masterkey, 1451 luks->header.master_key_len, errp) < 0) { 1452 goto error; 1453 } 1454 1455 1456 /* Setup the block device payload encryption objects */ 1457 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg, 1458 luks_opts.cipher_mode, masterkey, 1459 luks->header.master_key_len, 1, errp) < 0) { 1460 goto error; 1461 } 1462 1463 block->kdfhash = luks_opts.hash_alg; 1464 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, 1465 luks_opts.cipher_mode); 1466 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, 1467 luks->ivgen_cipher_alg, 1468 luks_opts.ivgen_hash_alg, 1469 masterkey, luks->header.master_key_len, 1470 errp); 1471 1472 if (!block->ivgen) { 1473 goto error; 1474 } 1475 1476 1477 /* Determine how many iterations we need to hash the master 1478 * key, in order to have 1 second of compute time used 1479 */ 1480 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, 1481 masterkey, luks->header.master_key_len, 1482 luks->header.master_key_salt, 1483 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1484 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1485 &local_err); 1486 if (local_err) { 1487 error_propagate(errp, local_err); 1488 goto error; 1489 } 1490 1491 if (iters > (ULLONG_MAX / luks_opts.iter_time)) { 1492 error_setg_errno(errp, ERANGE, 1493 "PBKDF iterations %llu too large to scale", 1494 (unsigned long long)iters); 1495 goto error; 1496 } 1497 1498 /* iter_time was in millis, but count_iters reported for secs */ 1499 iters = iters * luks_opts.iter_time / 1000; 1500 1501 /* Why /= 8 ? That matches cryptsetup, but there's no 1502 * explanation why they chose /= 8... Probably so that 1503 * if all 8 keyslots are active we only spend 1 second 1504 * in total time to check all keys */ 1505 iters /= 8; 1506 if (iters > UINT32_MAX) { 1507 error_setg_errno(errp, ERANGE, 1508 "PBKDF iterations %llu larger than %u", 1509 (unsigned long long)iters, UINT32_MAX); 1510 goto error; 1511 } 1512 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); 1513 luks->header.master_key_iterations = iters; 1514 1515 /* Hash the master key, saving the result in the LUKS 1516 * header. This hash is used when opening the encrypted 1517 * device to verify that the user password unlocked a 1518 * valid master key 1519 */ 1520 if (qcrypto_pbkdf2(luks_opts.hash_alg, 1521 masterkey, luks->header.master_key_len, 1522 luks->header.master_key_salt, 1523 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1524 luks->header.master_key_iterations, 1525 luks->header.master_key_digest, 1526 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1527 errp) < 0) { 1528 goto error; 1529 } 1530 1531 /* start with the sector that follows the header*/ 1532 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 1533 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1534 1535 split_key_sectors = 1536 qcrypto_block_luks_splitkeylen_sectors(luks, 1537 header_sectors, 1538 QCRYPTO_BLOCK_LUKS_STRIPES); 1539 1540 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1541 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i]; 1542 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1543 1544 slot->key_offset_sector = header_sectors + i * split_key_sectors; 1545 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES; 1546 } 1547 1548 if (block->detached_header) { 1549 /* 1550 * For a detached LUKS header image, set the payload_offset_sector 1551 * to 0 to specify the starting point for read/write 1552 */ 1553 luks->header.payload_offset_sector = 0; 1554 } else { 1555 /* 1556 * The total size of the LUKS headers is the partition header + key 1557 * slot headers, rounded up to the nearest sector, combined with 1558 * the size of each master key material region, also rounded up 1559 * to the nearest sector 1560 */ 1561 luks->header.payload_offset_sector = header_sectors + 1562 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors; 1563 } 1564 1565 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1566 block->payload_offset = luks->header.payload_offset_sector * 1567 block->sector_size; 1568 detached_header_size = 1569 (header_sectors + QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * 1570 split_key_sectors) * block->sector_size; 1571 1572 /* Reserve header space to match payload offset */ 1573 initfunc(block, detached_header_size, opaque, &local_err); 1574 if (local_err) { 1575 error_propagate(errp, local_err); 1576 goto error; 1577 } 1578 1579 1580 /* populate the slot 0 with the password encrypted master key*/ 1581 /* This will also store the header */ 1582 if (qcrypto_block_luks_store_key(block, 1583 0, 1584 password, 1585 masterkey, 1586 luks_opts.iter_time, 1587 writefunc, 1588 opaque, 1589 errp) < 0) { 1590 goto error; 1591 } 1592 1593 memset(masterkey, 0, luks->header.master_key_len); 1594 1595 return 0; 1596 1597 error: 1598 if (masterkey) { 1599 memset(masterkey, 0, luks->header.master_key_len); 1600 } 1601 1602 qcrypto_block_free_cipher(block); 1603 qcrypto_ivgen_free(block->ivgen); 1604 1605 g_free(luks->secret); 1606 g_free(luks); 1607 return -1; 1608 } 1609 1610 static int 1611 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block, 1612 QCryptoBlockReadFunc readfunc, 1613 QCryptoBlockWriteFunc writefunc, 1614 void *opaque, 1615 QCryptoBlockAmendOptionsLUKS *opts_luks, 1616 bool force, 1617 Error **errp) 1618 { 1619 QCryptoBlockLUKS *luks = block->opaque; 1620 uint64_t iter_time = opts_luks->has_iter_time ? 1621 opts_luks->iter_time : 1622 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1623 int keyslot; 1624 g_autofree char *old_password = NULL; 1625 g_autofree char *new_password = NULL; 1626 g_autofree uint8_t *master_key = NULL; 1627 1628 char *secret = opts_luks->secret ?: luks->secret; 1629 1630 if (!opts_luks->new_secret) { 1631 error_setg(errp, "'new-secret' is required to activate a keyslot"); 1632 return -1; 1633 } 1634 if (opts_luks->old_secret) { 1635 error_setg(errp, 1636 "'old-secret' must not be given when activating keyslots"); 1637 return -1; 1638 } 1639 1640 if (opts_luks->has_keyslot) { 1641 keyslot = opts_luks->keyslot; 1642 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1643 error_setg(errp, 1644 "Invalid keyslot %u specified, must be between 0 and %u", 1645 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1646 return -1; 1647 } 1648 } else { 1649 keyslot = qcrypto_block_luks_find_free_keyslot(luks); 1650 if (keyslot == -1) { 1651 error_setg(errp, 1652 "Can't add a keyslot - all keyslots are in use"); 1653 return -1; 1654 } 1655 } 1656 1657 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) { 1658 error_setg(errp, 1659 "Refusing to overwrite active keyslot %i - " 1660 "please erase it first", 1661 keyslot); 1662 return -1; 1663 } 1664 1665 /* Locate the password that will be used to retrieve the master key */ 1666 old_password = qcrypto_secret_lookup_as_utf8(secret, errp); 1667 if (!old_password) { 1668 return -1; 1669 } 1670 1671 /* Retrieve the master key */ 1672 master_key = g_new0(uint8_t, luks->header.master_key_len); 1673 1674 if (qcrypto_block_luks_find_key(block, old_password, master_key, 1675 readfunc, opaque, errp) < 0) { 1676 error_append_hint(errp, "Failed to retrieve the master key"); 1677 return -1; 1678 } 1679 1680 /* Locate the new password*/ 1681 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp); 1682 if (!new_password) { 1683 return -1; 1684 } 1685 1686 /* Now set the new keyslots */ 1687 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key, 1688 iter_time, writefunc, opaque, errp)) { 1689 error_append_hint(errp, "Failed to write to keyslot %i", keyslot); 1690 return -1; 1691 } 1692 return 0; 1693 } 1694 1695 static int 1696 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block, 1697 QCryptoBlockReadFunc readfunc, 1698 QCryptoBlockWriteFunc writefunc, 1699 void *opaque, 1700 QCryptoBlockAmendOptionsLUKS *opts_luks, 1701 bool force, 1702 Error **errp) 1703 { 1704 QCryptoBlockLUKS *luks = block->opaque; 1705 g_autofree uint8_t *tmpkey = NULL; 1706 g_autofree char *old_password = NULL; 1707 1708 if (opts_luks->new_secret) { 1709 error_setg(errp, 1710 "'new-secret' must not be given when erasing keyslots"); 1711 return -1; 1712 } 1713 if (opts_luks->has_iter_time) { 1714 error_setg(errp, 1715 "'iter-time' must not be given when erasing keyslots"); 1716 return -1; 1717 } 1718 if (opts_luks->secret) { 1719 error_setg(errp, 1720 "'secret' must not be given when erasing keyslots"); 1721 return -1; 1722 } 1723 1724 /* Load the old password if given */ 1725 if (opts_luks->old_secret) { 1726 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret, 1727 errp); 1728 if (!old_password) { 1729 return -1; 1730 } 1731 1732 /* 1733 * Allocate a temporary key buffer that we will need when 1734 * checking if slot matches the given old password 1735 */ 1736 tmpkey = g_new0(uint8_t, luks->header.master_key_len); 1737 } 1738 1739 /* Erase an explicitly given keyslot */ 1740 if (opts_luks->has_keyslot) { 1741 int keyslot = opts_luks->keyslot; 1742 1743 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1744 error_setg(errp, 1745 "Invalid keyslot %i specified, must be between 0 and %i", 1746 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1747 return -1; 1748 } 1749 1750 if (opts_luks->old_secret) { 1751 int rv = qcrypto_block_luks_load_key(block, 1752 keyslot, 1753 old_password, 1754 tmpkey, 1755 readfunc, 1756 opaque, 1757 errp); 1758 if (rv == -1) { 1759 return -1; 1760 } else if (rv == 0) { 1761 error_setg(errp, 1762 "Given keyslot %i doesn't contain the given " 1763 "old password for erase operation", 1764 keyslot); 1765 return -1; 1766 } 1767 } 1768 1769 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) { 1770 error_setg(errp, 1771 "Given keyslot %i is already erased (inactive) ", 1772 keyslot); 1773 return -1; 1774 } 1775 1776 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) { 1777 error_setg(errp, 1778 "Attempt to erase the only active keyslot %i " 1779 "which will erase all the data in the image " 1780 "irreversibly - refusing operation", 1781 keyslot); 1782 return -1; 1783 } 1784 1785 if (qcrypto_block_luks_erase_key(block, keyslot, 1786 writefunc, opaque, errp)) { 1787 error_append_hint(errp, "Failed to erase keyslot %i", keyslot); 1788 return -1; 1789 } 1790 1791 /* Erase all keyslots that match the given old password */ 1792 } else if (opts_luks->old_secret) { 1793 1794 unsigned long slots_to_erase_bitmap = 0; 1795 size_t i; 1796 int slot_count; 1797 1798 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <= 1799 sizeof(slots_to_erase_bitmap) * 8); 1800 1801 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1802 int rv = qcrypto_block_luks_load_key(block, 1803 i, 1804 old_password, 1805 tmpkey, 1806 readfunc, 1807 opaque, 1808 errp); 1809 if (rv == -1) { 1810 return -1; 1811 } else if (rv == 1) { 1812 bitmap_set(&slots_to_erase_bitmap, i, 1); 1813 } 1814 } 1815 1816 slot_count = bitmap_count_one(&slots_to_erase_bitmap, 1817 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1818 if (slot_count == 0) { 1819 error_setg(errp, 1820 "No keyslots match given (old) password for erase operation"); 1821 return -1; 1822 } 1823 1824 if (!force && 1825 slot_count == qcrypto_block_luks_count_active_slots(luks)) { 1826 error_setg(errp, 1827 "All the active keyslots match the (old) password that " 1828 "was given and erasing them will erase all the data in " 1829 "the image irreversibly - refusing operation"); 1830 return -1; 1831 } 1832 1833 /* Now apply the update */ 1834 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1835 if (!test_bit(i, &slots_to_erase_bitmap)) { 1836 continue; 1837 } 1838 if (qcrypto_block_luks_erase_key(block, i, writefunc, 1839 opaque, errp)) { 1840 error_append_hint(errp, "Failed to erase keyslot %zu", i); 1841 return -1; 1842 } 1843 } 1844 } else { 1845 error_setg(errp, 1846 "To erase keyslot(s), either explicit keyslot index " 1847 "or the password currently contained in them must be given"); 1848 return -1; 1849 } 1850 return 0; 1851 } 1852 1853 static int 1854 qcrypto_block_luks_amend_options(QCryptoBlock *block, 1855 QCryptoBlockReadFunc readfunc, 1856 QCryptoBlockWriteFunc writefunc, 1857 void *opaque, 1858 QCryptoBlockAmendOptions *options, 1859 bool force, 1860 Error **errp) 1861 { 1862 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks; 1863 1864 switch (opts_luks->state) { 1865 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE: 1866 return qcrypto_block_luks_amend_add_keyslot(block, readfunc, 1867 writefunc, opaque, 1868 opts_luks, force, errp); 1869 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE: 1870 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc, 1871 writefunc, opaque, 1872 opts_luks, force, errp); 1873 default: 1874 g_assert_not_reached(); 1875 } 1876 } 1877 1878 static int qcrypto_block_luks_get_info(QCryptoBlock *block, 1879 QCryptoBlockInfo *info, 1880 Error **errp) 1881 { 1882 QCryptoBlockLUKS *luks = block->opaque; 1883 QCryptoBlockInfoLUKSSlot *slot; 1884 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots; 1885 size_t i; 1886 1887 info->u.luks.cipher_alg = luks->cipher_alg; 1888 info->u.luks.cipher_mode = luks->cipher_mode; 1889 info->u.luks.ivgen_alg = luks->ivgen_alg; 1890 if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1891 info->u.luks.has_ivgen_hash_alg = true; 1892 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; 1893 } 1894 info->u.luks.hash_alg = luks->hash_alg; 1895 info->u.luks.payload_offset = block->payload_offset; 1896 info->u.luks.master_key_iters = luks->header.master_key_iterations; 1897 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, 1898 sizeof(luks->header.uuid)); 1899 info->u.luks.detached_header = block->detached_header; 1900 1901 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1902 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); 1903 slot->active = luks->header.key_slots[i].active == 1904 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1905 slot->key_offset = luks->header.key_slots[i].key_offset_sector 1906 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1907 if (slot->active) { 1908 slot->has_iters = true; 1909 slot->iters = luks->header.key_slots[i].iterations; 1910 slot->has_stripes = true; 1911 slot->stripes = luks->header.key_slots[i].stripes; 1912 } 1913 1914 QAPI_LIST_APPEND(tail, slot); 1915 } 1916 1917 return 0; 1918 } 1919 1920 1921 static void qcrypto_block_luks_cleanup(QCryptoBlock *block) 1922 { 1923 QCryptoBlockLUKS *luks = block->opaque; 1924 if (luks) { 1925 g_free(luks->secret); 1926 g_free(luks); 1927 } 1928 } 1929 1930 1931 static int 1932 qcrypto_block_luks_decrypt(QCryptoBlock *block, 1933 uint64_t offset, 1934 uint8_t *buf, 1935 size_t len, 1936 Error **errp) 1937 { 1938 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1939 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1940 return qcrypto_block_decrypt_helper(block, 1941 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1942 offset, buf, len, errp); 1943 } 1944 1945 1946 static int 1947 qcrypto_block_luks_encrypt(QCryptoBlock *block, 1948 uint64_t offset, 1949 uint8_t *buf, 1950 size_t len, 1951 Error **errp) 1952 { 1953 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1954 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1955 return qcrypto_block_encrypt_helper(block, 1956 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1957 offset, buf, len, errp); 1958 } 1959 1960 1961 const QCryptoBlockDriver qcrypto_block_driver_luks = { 1962 .open = qcrypto_block_luks_open, 1963 .create = qcrypto_block_luks_create, 1964 .amend = qcrypto_block_luks_amend_options, 1965 .get_info = qcrypto_block_luks_get_info, 1966 .cleanup = qcrypto_block_luks_cleanup, 1967 .decrypt = qcrypto_block_luks_decrypt, 1968 .encrypt = qcrypto_block_luks_encrypt, 1969 .has_format = qcrypto_block_luks_has_format, 1970 }; 1971