1 /* 2 * QEMU Crypto block device encryption LUKS format 3 * 4 * Copyright (c) 2015-2016 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #include "qemu/osdep.h" 22 #include "qapi/error.h" 23 #include "qemu/bswap.h" 24 25 #include "block-luks.h" 26 #include "block-luks-priv.h" 27 28 #include "crypto/hash.h" 29 #include "crypto/afsplit.h" 30 #include "crypto/pbkdf.h" 31 #include "crypto/secret.h" 32 #include "crypto/random.h" 33 #include "qemu/uuid.h" 34 35 #include "qemu/bitmap.h" 36 37 /* 38 * Reference for the LUKS format implemented here is 39 * 40 * docs/on-disk-format.pdf 41 * 42 * in 'cryptsetup' package source code 43 * 44 * This file implements the 1.2.1 specification, dated 45 * Oct 16, 2011. 46 */ 47 48 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; 49 50 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; 51 struct QCryptoBlockLUKSNameMap { 52 const char *name; 53 int id; 54 }; 55 56 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; 57 struct QCryptoBlockLUKSCipherSizeMap { 58 uint32_t key_bytes; 59 int id; 60 }; 61 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; 62 struct QCryptoBlockLUKSCipherNameMap { 63 const char *name; 64 const QCryptoBlockLUKSCipherSizeMap *sizes; 65 }; 66 67 68 static const QCryptoBlockLUKSCipherSizeMap 69 qcrypto_block_luks_cipher_size_map_aes[] = { 70 { 16, QCRYPTO_CIPHER_ALG_AES_128 }, 71 { 24, QCRYPTO_CIPHER_ALG_AES_192 }, 72 { 32, QCRYPTO_CIPHER_ALG_AES_256 }, 73 { 0, 0 }, 74 }; 75 76 static const QCryptoBlockLUKSCipherSizeMap 77 qcrypto_block_luks_cipher_size_map_cast5[] = { 78 { 16, QCRYPTO_CIPHER_ALG_CAST5_128 }, 79 { 0, 0 }, 80 }; 81 82 static const QCryptoBlockLUKSCipherSizeMap 83 qcrypto_block_luks_cipher_size_map_serpent[] = { 84 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 }, 85 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 }, 86 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 }, 87 { 0, 0 }, 88 }; 89 90 static const QCryptoBlockLUKSCipherSizeMap 91 qcrypto_block_luks_cipher_size_map_twofish[] = { 92 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 }, 93 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 }, 94 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 }, 95 { 0, 0 }, 96 }; 97 98 #ifdef CONFIG_CRYPTO_SM4 99 static const QCryptoBlockLUKSCipherSizeMap 100 qcrypto_block_luks_cipher_size_map_sm4[] = { 101 { 16, QCRYPTO_CIPHER_ALG_SM4}, 102 { 0, 0 }, 103 }; 104 #endif 105 106 static const QCryptoBlockLUKSCipherNameMap 107 qcrypto_block_luks_cipher_name_map[] = { 108 { "aes", qcrypto_block_luks_cipher_size_map_aes }, 109 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, 110 { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, 111 { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, 112 #ifdef CONFIG_CRYPTO_SM4 113 { "sm4", qcrypto_block_luks_cipher_size_map_sm4}, 114 #endif 115 }; 116 117 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); 118 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); 119 120 121 struct QCryptoBlockLUKS { 122 QCryptoBlockLUKSHeader header; 123 124 /* Main encryption algorithm used for encryption*/ 125 QCryptoCipherAlgorithm cipher_alg; 126 127 /* Mode of encryption for the selected encryption algorithm */ 128 QCryptoCipherMode cipher_mode; 129 130 /* Initialization vector generation algorithm */ 131 QCryptoIVGenAlgorithm ivgen_alg; 132 133 /* Hash algorithm used for IV generation*/ 134 QCryptoHashAlgorithm ivgen_hash_alg; 135 136 /* 137 * Encryption algorithm used for IV generation. 138 * Usually the same as main encryption algorithm 139 */ 140 QCryptoCipherAlgorithm ivgen_cipher_alg; 141 142 /* Hash algorithm used in pbkdf2 function */ 143 QCryptoHashAlgorithm hash_alg; 144 145 /* Name of the secret that was used to open the image */ 146 char *secret; 147 }; 148 149 150 static int qcrypto_block_luks_cipher_name_lookup(const char *name, 151 QCryptoCipherMode mode, 152 uint32_t key_bytes, 153 Error **errp) 154 { 155 const QCryptoBlockLUKSCipherNameMap *map = 156 qcrypto_block_luks_cipher_name_map; 157 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 158 size_t i, j; 159 160 if (mode == QCRYPTO_CIPHER_MODE_XTS) { 161 key_bytes /= 2; 162 } 163 164 for (i = 0; i < maplen; i++) { 165 if (!g_str_equal(map[i].name, name)) { 166 continue; 167 } 168 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 169 if (map[i].sizes[j].key_bytes == key_bytes) { 170 return map[i].sizes[j].id; 171 } 172 } 173 } 174 175 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported", 176 name, key_bytes); 177 return 0; 178 } 179 180 static const char * 181 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg, 182 Error **errp) 183 { 184 const QCryptoBlockLUKSCipherNameMap *map = 185 qcrypto_block_luks_cipher_name_map; 186 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); 187 size_t i, j; 188 for (i = 0; i < maplen; i++) { 189 for (j = 0; j < map[i].sizes[j].key_bytes; j++) { 190 if (map[i].sizes[j].id == alg) { 191 return map[i].name; 192 } 193 } 194 } 195 196 error_setg(errp, "Algorithm '%s' not supported", 197 QCryptoCipherAlgorithm_str(alg)); 198 return NULL; 199 } 200 201 /* XXX replace with qapi_enum_parse() in future, when we can 202 * make that function emit a more friendly error message */ 203 static int qcrypto_block_luks_name_lookup(const char *name, 204 const QEnumLookup *map, 205 const char *type, 206 Error **errp) 207 { 208 int ret = qapi_enum_parse(map, name, -1, NULL); 209 210 if (ret < 0) { 211 error_setg(errp, "%s '%s' not supported", type, name); 212 return 0; 213 } 214 return ret; 215 } 216 217 #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ 218 qcrypto_block_luks_name_lookup(name, \ 219 &QCryptoCipherMode_lookup, \ 220 "Cipher mode", \ 221 errp) 222 223 #define qcrypto_block_luks_hash_name_lookup(name, errp) \ 224 qcrypto_block_luks_name_lookup(name, \ 225 &QCryptoHashAlgorithm_lookup, \ 226 "Hash algorithm", \ 227 errp) 228 229 #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ 230 qcrypto_block_luks_name_lookup(name, \ 231 &QCryptoIVGenAlgorithm_lookup, \ 232 "IV generator", \ 233 errp) 234 235 236 static bool 237 qcrypto_block_luks_has_format(const uint8_t *buf, 238 size_t buf_size) 239 { 240 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; 241 242 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && 243 memcmp(luks_header->magic, qcrypto_block_luks_magic, 244 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && 245 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { 246 return true; 247 } else { 248 return false; 249 } 250 } 251 252 253 /** 254 * Deal with a quirk of dm-crypt usage of ESSIV. 255 * 256 * When calculating ESSIV IVs, the cipher length used by ESSIV 257 * may be different from the cipher length used for the block 258 * encryption, because dm-crypt uses the hash digest length 259 * as the key size. ie, if you have AES 128 as the block cipher 260 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as 261 * the cipher since that gets a key length matching the digest 262 * size, not AES 128 with truncated digest as might be imagined 263 */ 264 static QCryptoCipherAlgorithm 265 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher, 266 QCryptoHashAlgorithm hash, 267 Error **errp) 268 { 269 size_t digestlen = qcrypto_hash_digest_len(hash); 270 size_t keylen = qcrypto_cipher_get_key_len(cipher); 271 if (digestlen == keylen) { 272 return cipher; 273 } 274 275 switch (cipher) { 276 case QCRYPTO_CIPHER_ALG_AES_128: 277 case QCRYPTO_CIPHER_ALG_AES_192: 278 case QCRYPTO_CIPHER_ALG_AES_256: 279 if (digestlen == qcrypto_cipher_get_key_len( 280 QCRYPTO_CIPHER_ALG_AES_128)) { 281 return QCRYPTO_CIPHER_ALG_AES_128; 282 } else if (digestlen == qcrypto_cipher_get_key_len( 283 QCRYPTO_CIPHER_ALG_AES_192)) { 284 return QCRYPTO_CIPHER_ALG_AES_192; 285 } else if (digestlen == qcrypto_cipher_get_key_len( 286 QCRYPTO_CIPHER_ALG_AES_256)) { 287 return QCRYPTO_CIPHER_ALG_AES_256; 288 } else { 289 error_setg(errp, "No AES cipher with key size %zu available", 290 digestlen); 291 return 0; 292 } 293 break; 294 case QCRYPTO_CIPHER_ALG_SERPENT_128: 295 case QCRYPTO_CIPHER_ALG_SERPENT_192: 296 case QCRYPTO_CIPHER_ALG_SERPENT_256: 297 if (digestlen == qcrypto_cipher_get_key_len( 298 QCRYPTO_CIPHER_ALG_SERPENT_128)) { 299 return QCRYPTO_CIPHER_ALG_SERPENT_128; 300 } else if (digestlen == qcrypto_cipher_get_key_len( 301 QCRYPTO_CIPHER_ALG_SERPENT_192)) { 302 return QCRYPTO_CIPHER_ALG_SERPENT_192; 303 } else if (digestlen == qcrypto_cipher_get_key_len( 304 QCRYPTO_CIPHER_ALG_SERPENT_256)) { 305 return QCRYPTO_CIPHER_ALG_SERPENT_256; 306 } else { 307 error_setg(errp, "No Serpent cipher with key size %zu available", 308 digestlen); 309 return 0; 310 } 311 break; 312 case QCRYPTO_CIPHER_ALG_TWOFISH_128: 313 case QCRYPTO_CIPHER_ALG_TWOFISH_192: 314 case QCRYPTO_CIPHER_ALG_TWOFISH_256: 315 if (digestlen == qcrypto_cipher_get_key_len( 316 QCRYPTO_CIPHER_ALG_TWOFISH_128)) { 317 return QCRYPTO_CIPHER_ALG_TWOFISH_128; 318 } else if (digestlen == qcrypto_cipher_get_key_len( 319 QCRYPTO_CIPHER_ALG_TWOFISH_192)) { 320 return QCRYPTO_CIPHER_ALG_TWOFISH_192; 321 } else if (digestlen == qcrypto_cipher_get_key_len( 322 QCRYPTO_CIPHER_ALG_TWOFISH_256)) { 323 return QCRYPTO_CIPHER_ALG_TWOFISH_256; 324 } else { 325 error_setg(errp, "No Twofish cipher with key size %zu available", 326 digestlen); 327 return 0; 328 } 329 break; 330 default: 331 error_setg(errp, "Cipher %s not supported with essiv", 332 QCryptoCipherAlgorithm_str(cipher)); 333 return 0; 334 } 335 } 336 337 /* 338 * Returns number of sectors needed to store the key material 339 * given number of anti forensic stripes 340 */ 341 static int 342 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks, 343 unsigned int header_sectors, 344 unsigned int stripes) 345 { 346 /* 347 * This calculation doesn't match that shown in the spec, 348 * but instead follows the cryptsetup implementation. 349 */ 350 351 size_t splitkeylen = luks->header.master_key_len * stripes; 352 353 /* First align the key material size to block size*/ 354 size_t splitkeylen_sectors = 355 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE); 356 357 /* Then also align the key material size to the size of the header */ 358 return ROUND_UP(splitkeylen_sectors, header_sectors); 359 } 360 361 362 void 363 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr) 364 { 365 size_t i; 366 367 /* 368 * Everything on disk uses Big Endian (tm), so flip header fields 369 * before writing them 370 */ 371 cpu_to_be16s(&hdr->version); 372 cpu_to_be32s(&hdr->payload_offset_sector); 373 cpu_to_be32s(&hdr->master_key_len); 374 cpu_to_be32s(&hdr->master_key_iterations); 375 376 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 377 cpu_to_be32s(&hdr->key_slots[i].active); 378 cpu_to_be32s(&hdr->key_slots[i].iterations); 379 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector); 380 cpu_to_be32s(&hdr->key_slots[i].stripes); 381 } 382 } 383 384 void 385 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr) 386 { 387 size_t i; 388 389 /* 390 * The header is always stored in big-endian format, so 391 * convert everything to native 392 */ 393 be16_to_cpus(&hdr->version); 394 be32_to_cpus(&hdr->payload_offset_sector); 395 be32_to_cpus(&hdr->master_key_len); 396 be32_to_cpus(&hdr->master_key_iterations); 397 398 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 399 be32_to_cpus(&hdr->key_slots[i].active); 400 be32_to_cpus(&hdr->key_slots[i].iterations); 401 be32_to_cpus(&hdr->key_slots[i].key_offset_sector); 402 be32_to_cpus(&hdr->key_slots[i].stripes); 403 } 404 } 405 406 /* 407 * Stores the main LUKS header, taking care of endianness 408 */ 409 static int 410 qcrypto_block_luks_store_header(QCryptoBlock *block, 411 QCryptoBlockWriteFunc writefunc, 412 void *opaque, 413 Error **errp) 414 { 415 const QCryptoBlockLUKS *luks = block->opaque; 416 Error *local_err = NULL; 417 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL; 418 419 /* Create a copy of the header */ 420 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1); 421 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader)); 422 423 qcrypto_block_luks_to_disk_endian(hdr_copy); 424 425 /* Write out the partition header and key slot headers */ 426 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy), 427 opaque, &local_err); 428 429 if (local_err) { 430 error_propagate(errp, local_err); 431 return -1; 432 } 433 return 0; 434 } 435 436 /* 437 * Loads the main LUKS header, and byteswaps it to native endianness 438 * And run basic sanity checks on it 439 */ 440 static int 441 qcrypto_block_luks_load_header(QCryptoBlock *block, 442 QCryptoBlockReadFunc readfunc, 443 void *opaque, 444 Error **errp) 445 { 446 int rv; 447 QCryptoBlockLUKS *luks = block->opaque; 448 449 /* 450 * Read the entire LUKS header, minus the key material from 451 * the underlying device 452 */ 453 rv = readfunc(block, 0, 454 (uint8_t *)&luks->header, 455 sizeof(luks->header), 456 opaque, 457 errp); 458 if (rv < 0) { 459 return rv; 460 } 461 462 qcrypto_block_luks_from_disk_endian(&luks->header); 463 464 return 0; 465 } 466 467 /* 468 * Does basic sanity checks on the LUKS header 469 */ 470 static int 471 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, 472 unsigned int flags, 473 Error **errp) 474 { 475 size_t i, j; 476 477 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 478 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 479 bool detached = flags & QCRYPTO_BLOCK_OPEN_DETACHED; 480 481 if (memcmp(luks->header.magic, qcrypto_block_luks_magic, 482 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { 483 error_setg(errp, "Volume is not in LUKS format"); 484 return -1; 485 } 486 487 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { 488 error_setg(errp, "LUKS version %" PRIu32 " is not supported", 489 luks->header.version); 490 return -1; 491 } 492 493 if (!memchr(luks->header.cipher_name, '\0', 494 sizeof(luks->header.cipher_name))) { 495 error_setg(errp, "LUKS header cipher name is not NUL terminated"); 496 return -1; 497 } 498 499 if (!memchr(luks->header.cipher_mode, '\0', 500 sizeof(luks->header.cipher_mode))) { 501 error_setg(errp, "LUKS header cipher mode is not NUL terminated"); 502 return -1; 503 } 504 505 if (!memchr(luks->header.hash_spec, '\0', 506 sizeof(luks->header.hash_spec))) { 507 error_setg(errp, "LUKS header hash spec is not NUL terminated"); 508 return -1; 509 } 510 511 if (!detached && luks->header.payload_offset_sector < 512 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 513 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 514 error_setg(errp, "LUKS payload is overlapping with the header"); 515 return -1; 516 } 517 518 if (luks->header.master_key_iterations == 0) { 519 error_setg(errp, "LUKS key iteration count is zero"); 520 return -1; 521 } 522 523 /* Check all keyslots for corruption */ 524 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) { 525 526 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i]; 527 unsigned int start1 = slot1->key_offset_sector; 528 unsigned int len1 = 529 qcrypto_block_luks_splitkeylen_sectors(luks, 530 header_sectors, 531 slot1->stripes); 532 533 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) { 534 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)", 535 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES); 536 return -1; 537 } 538 539 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED && 540 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 541 error_setg(errp, 542 "Keyslot %zu state (active/disable) is corrupted", i); 543 return -1; 544 } 545 546 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED && 547 slot1->iterations == 0) { 548 error_setg(errp, "Keyslot %zu iteration count is zero", i); 549 return -1; 550 } 551 552 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET, 553 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) { 554 error_setg(errp, 555 "Keyslot %zu is overlapping with the LUKS header", 556 i); 557 return -1; 558 } 559 560 if (!detached && start1 + len1 > luks->header.payload_offset_sector) { 561 error_setg(errp, 562 "Keyslot %zu is overlapping with the encrypted payload", 563 i); 564 return -1; 565 } 566 567 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) { 568 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j]; 569 unsigned int start2 = slot2->key_offset_sector; 570 unsigned int len2 = 571 qcrypto_block_luks_splitkeylen_sectors(luks, 572 header_sectors, 573 slot2->stripes); 574 575 if (start1 + len1 > start2 && start2 + len2 > start1) { 576 error_setg(errp, 577 "Keyslots %zu and %zu are overlapping in the header", 578 i, j); 579 return -1; 580 } 581 } 582 583 } 584 return 0; 585 } 586 587 /* 588 * Parses the crypto parameters that are stored in the LUKS header 589 */ 590 591 static int 592 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp) 593 { 594 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode); 595 char *ivgen_name, *ivhash_name; 596 Error *local_err = NULL; 597 598 /* 599 * The cipher_mode header contains a string that we have 600 * to further parse, of the format 601 * 602 * <cipher-mode>-<iv-generator>[:<iv-hash>] 603 * 604 * eg cbc-essiv:sha256, cbc-plain64 605 */ 606 ivgen_name = strchr(cipher_mode, '-'); 607 if (!ivgen_name) { 608 error_setg(errp, "Unexpected cipher mode string format '%s'", 609 luks->header.cipher_mode); 610 return -1; 611 } 612 *ivgen_name = '\0'; 613 ivgen_name++; 614 615 ivhash_name = strchr(ivgen_name, ':'); 616 if (!ivhash_name) { 617 luks->ivgen_hash_alg = 0; 618 } else { 619 *ivhash_name = '\0'; 620 ivhash_name++; 621 622 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name, 623 &local_err); 624 if (local_err) { 625 error_propagate(errp, local_err); 626 return -1; 627 } 628 } 629 630 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode, 631 &local_err); 632 if (local_err) { 633 error_propagate(errp, local_err); 634 return -1; 635 } 636 637 luks->cipher_alg = 638 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, 639 luks->cipher_mode, 640 luks->header.master_key_len, 641 &local_err); 642 if (local_err) { 643 error_propagate(errp, local_err); 644 return -1; 645 } 646 647 luks->hash_alg = 648 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, 649 &local_err); 650 if (local_err) { 651 error_propagate(errp, local_err); 652 return -1; 653 } 654 655 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, 656 &local_err); 657 if (local_err) { 658 error_propagate(errp, local_err); 659 return -1; 660 } 661 662 if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 663 if (!ivhash_name) { 664 error_setg(errp, "Missing IV generator hash specification"); 665 return -1; 666 } 667 luks->ivgen_cipher_alg = 668 qcrypto_block_luks_essiv_cipher(luks->cipher_alg, 669 luks->ivgen_hash_alg, 670 &local_err); 671 if (local_err) { 672 error_propagate(errp, local_err); 673 return -1; 674 } 675 } else { 676 677 /* 678 * Note we parsed the ivhash_name earlier in the cipher_mode 679 * spec string even with plain/plain64 ivgens, but we 680 * will ignore it, since it is irrelevant for these ivgens. 681 * This is for compat with dm-crypt which will silently 682 * ignore hash names with these ivgens rather than report 683 * an error about the invalid usage 684 */ 685 luks->ivgen_cipher_alg = luks->cipher_alg; 686 } 687 return 0; 688 } 689 690 /* 691 * Given a key slot, user password, and the master key, 692 * will store the encrypted master key there, and update the 693 * in-memory header. User must then write the in-memory header 694 * 695 * Returns: 696 * 0 if the keyslot was written successfully 697 * with the provided password 698 * -1 if a fatal error occurred while storing the key 699 */ 700 static int 701 qcrypto_block_luks_store_key(QCryptoBlock *block, 702 unsigned int slot_idx, 703 const char *password, 704 uint8_t *masterkey, 705 uint64_t iter_time, 706 QCryptoBlockWriteFunc writefunc, 707 void *opaque, 708 Error **errp) 709 { 710 QCryptoBlockLUKS *luks = block->opaque; 711 QCryptoBlockLUKSKeySlot *slot; 712 g_autofree uint8_t *splitkey = NULL; 713 size_t splitkeylen; 714 g_autofree uint8_t *slotkey = NULL; 715 g_autoptr(QCryptoCipher) cipher = NULL; 716 g_autoptr(QCryptoIVGen) ivgen = NULL; 717 Error *local_err = NULL; 718 uint64_t iters; 719 int ret = -1; 720 721 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 722 slot = &luks->header.key_slots[slot_idx]; 723 splitkeylen = luks->header.master_key_len * slot->stripes; 724 725 if (qcrypto_random_bytes(slot->salt, 726 QCRYPTO_BLOCK_LUKS_SALT_LEN, 727 errp) < 0) { 728 goto cleanup; 729 } 730 731 /* 732 * Determine how many iterations are required to 733 * hash the user password while consuming 1 second of compute 734 * time 735 */ 736 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg, 737 (uint8_t *)password, strlen(password), 738 slot->salt, 739 QCRYPTO_BLOCK_LUKS_SALT_LEN, 740 luks->header.master_key_len, 741 &local_err); 742 if (local_err) { 743 error_propagate(errp, local_err); 744 goto cleanup; 745 } 746 747 if (iters > (ULLONG_MAX / iter_time)) { 748 error_setg_errno(errp, ERANGE, 749 "PBKDF iterations %llu too large to scale", 750 (unsigned long long)iters); 751 goto cleanup; 752 } 753 754 /* iter_time was in millis, but count_iters reported for secs */ 755 iters = iters * iter_time / 1000; 756 757 if (iters > UINT32_MAX) { 758 error_setg_errno(errp, ERANGE, 759 "PBKDF iterations %llu larger than %u", 760 (unsigned long long)iters, UINT32_MAX); 761 goto cleanup; 762 } 763 764 slot->iterations = 765 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); 766 767 768 /* 769 * Generate a key that we'll use to encrypt the master 770 * key, from the user's password 771 */ 772 slotkey = g_new0(uint8_t, luks->header.master_key_len); 773 if (qcrypto_pbkdf2(luks->hash_alg, 774 (uint8_t *)password, strlen(password), 775 slot->salt, 776 QCRYPTO_BLOCK_LUKS_SALT_LEN, 777 slot->iterations, 778 slotkey, luks->header.master_key_len, 779 errp) < 0) { 780 goto cleanup; 781 } 782 783 784 /* 785 * Setup the encryption objects needed to encrypt the 786 * master key material 787 */ 788 cipher = qcrypto_cipher_new(luks->cipher_alg, 789 luks->cipher_mode, 790 slotkey, luks->header.master_key_len, 791 errp); 792 if (!cipher) { 793 goto cleanup; 794 } 795 796 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 797 luks->ivgen_cipher_alg, 798 luks->ivgen_hash_alg, 799 slotkey, luks->header.master_key_len, 800 errp); 801 if (!ivgen) { 802 goto cleanup; 803 } 804 805 /* 806 * Before storing the master key, we need to vastly 807 * increase its size, as protection against forensic 808 * disk data recovery 809 */ 810 splitkey = g_new0(uint8_t, splitkeylen); 811 812 if (qcrypto_afsplit_encode(luks->hash_alg, 813 luks->header.master_key_len, 814 slot->stripes, 815 masterkey, 816 splitkey, 817 errp) < 0) { 818 goto cleanup; 819 } 820 821 /* 822 * Now we encrypt the split master key with the key generated 823 * from the user's password, before storing it 824 */ 825 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen, 826 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 827 0, 828 splitkey, 829 splitkeylen, 830 errp) < 0) { 831 goto cleanup; 832 } 833 834 /* Write out the slot's master key material. */ 835 if (writefunc(block, 836 slot->key_offset_sector * 837 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 838 splitkey, splitkeylen, 839 opaque, 840 errp) < 0) { 841 goto cleanup; 842 } 843 844 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 845 846 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) { 847 goto cleanup; 848 } 849 850 ret = 0; 851 852 cleanup: 853 if (slotkey) { 854 memset(slotkey, 0, luks->header.master_key_len); 855 } 856 if (splitkey) { 857 memset(splitkey, 0, splitkeylen); 858 } 859 return ret; 860 } 861 862 /* 863 * Given a key slot, and user password, this will attempt to unlock 864 * the master encryption key from the key slot. 865 * 866 * Returns: 867 * 0 if the key slot is disabled, or key could not be decrypted 868 * with the provided password 869 * 1 if the key slot is enabled, and key decrypted successfully 870 * with the provided password 871 * -1 if a fatal error occurred loading the key 872 */ 873 static int 874 qcrypto_block_luks_load_key(QCryptoBlock *block, 875 size_t slot_idx, 876 const char *password, 877 uint8_t *masterkey, 878 QCryptoBlockReadFunc readfunc, 879 void *opaque, 880 Error **errp) 881 { 882 QCryptoBlockLUKS *luks = block->opaque; 883 const QCryptoBlockLUKSKeySlot *slot; 884 g_autofree uint8_t *splitkey = NULL; 885 size_t splitkeylen; 886 g_autofree uint8_t *possiblekey = NULL; 887 int rv; 888 g_autoptr(QCryptoCipher) cipher = NULL; 889 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; 890 g_autoptr(QCryptoIVGen) ivgen = NULL; 891 size_t niv; 892 893 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 894 slot = &luks->header.key_slots[slot_idx]; 895 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { 896 return 0; 897 } 898 899 splitkeylen = luks->header.master_key_len * slot->stripes; 900 splitkey = g_new0(uint8_t, splitkeylen); 901 possiblekey = g_new0(uint8_t, luks->header.master_key_len); 902 903 /* 904 * The user password is used to generate a (possible) 905 * decryption key. This may or may not successfully 906 * decrypt the master key - we just blindly assume 907 * the key is correct and validate the results of 908 * decryption later. 909 */ 910 if (qcrypto_pbkdf2(luks->hash_alg, 911 (const uint8_t *)password, strlen(password), 912 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, 913 slot->iterations, 914 possiblekey, luks->header.master_key_len, 915 errp) < 0) { 916 return -1; 917 } 918 919 /* 920 * We need to read the master key material from the 921 * LUKS key material header. What we're reading is 922 * not the raw master key, but rather the data after 923 * it has been passed through AFSplit and the result 924 * then encrypted. 925 */ 926 rv = readfunc(block, 927 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 928 splitkey, splitkeylen, 929 opaque, 930 errp); 931 if (rv < 0) { 932 return -1; 933 } 934 935 936 /* Setup the cipher/ivgen that we'll use to try to decrypt 937 * the split master key material */ 938 cipher = qcrypto_cipher_new(luks->cipher_alg, 939 luks->cipher_mode, 940 possiblekey, 941 luks->header.master_key_len, 942 errp); 943 if (!cipher) { 944 return -1; 945 } 946 947 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 948 luks->cipher_mode); 949 950 ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 951 luks->ivgen_cipher_alg, 952 luks->ivgen_hash_alg, 953 possiblekey, 954 luks->header.master_key_len, 955 errp); 956 if (!ivgen) { 957 return -1; 958 } 959 960 961 /* 962 * The master key needs to be decrypted in the same 963 * way that the block device payload will be decrypted 964 * later. In particular we'll be using the IV generator 965 * to reset the encryption cipher every time the master 966 * key crosses a sector boundary. 967 */ 968 if (qcrypto_block_cipher_decrypt_helper(cipher, 969 niv, 970 ivgen, 971 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 972 0, 973 splitkey, 974 splitkeylen, 975 errp) < 0) { 976 return -1; 977 } 978 979 /* 980 * Now we've decrypted the split master key, join 981 * it back together to get the actual master key. 982 */ 983 if (qcrypto_afsplit_decode(luks->hash_alg, 984 luks->header.master_key_len, 985 slot->stripes, 986 splitkey, 987 masterkey, 988 errp) < 0) { 989 return -1; 990 } 991 992 993 /* 994 * We still don't know that the masterkey we got is valid, 995 * because we just blindly assumed the user's password 996 * was correct. This is where we now verify it. We are 997 * creating a hash of the master key using PBKDF and 998 * then comparing that to the hash stored in the key slot 999 * header 1000 */ 1001 if (qcrypto_pbkdf2(luks->hash_alg, 1002 masterkey, 1003 luks->header.master_key_len, 1004 luks->header.master_key_salt, 1005 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1006 luks->header.master_key_iterations, 1007 keydigest, 1008 G_N_ELEMENTS(keydigest), 1009 errp) < 0) { 1010 return -1; 1011 } 1012 1013 if (memcmp(keydigest, luks->header.master_key_digest, 1014 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { 1015 /* Success, we got the right master key */ 1016 return 1; 1017 } 1018 1019 /* Fail, user's password was not valid for this key slot, 1020 * tell caller to try another slot */ 1021 return 0; 1022 } 1023 1024 1025 /* 1026 * Given a user password, this will iterate over all key 1027 * slots and try to unlock each active key slot using the 1028 * password until it successfully obtains a master key. 1029 * 1030 * Returns 0 if a key was loaded, -1 if no keys could be loaded 1031 */ 1032 static int 1033 qcrypto_block_luks_find_key(QCryptoBlock *block, 1034 const char *password, 1035 uint8_t *masterkey, 1036 QCryptoBlockReadFunc readfunc, 1037 void *opaque, 1038 Error **errp) 1039 { 1040 size_t i; 1041 int rv; 1042 1043 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1044 rv = qcrypto_block_luks_load_key(block, 1045 i, 1046 password, 1047 masterkey, 1048 readfunc, 1049 opaque, 1050 errp); 1051 if (rv < 0) { 1052 goto error; 1053 } 1054 if (rv == 1) { 1055 return 0; 1056 } 1057 } 1058 1059 error_setg(errp, "Invalid password, cannot unlock any keyslot"); 1060 error: 1061 return -1; 1062 } 1063 1064 /* 1065 * Returns true if a slot i is marked as active 1066 * (contains encrypted copy of the master key) 1067 */ 1068 static bool 1069 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks, 1070 unsigned int slot_idx) 1071 { 1072 uint32_t val; 1073 1074 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1075 val = luks->header.key_slots[slot_idx].active; 1076 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1077 } 1078 1079 /* 1080 * Returns the number of slots that are marked as active 1081 * (slots that contain encrypted copy of the master key) 1082 */ 1083 static unsigned int 1084 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks) 1085 { 1086 size_t i = 0; 1087 unsigned int ret = 0; 1088 1089 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1090 if (qcrypto_block_luks_slot_active(luks, i)) { 1091 ret++; 1092 } 1093 } 1094 return ret; 1095 } 1096 1097 /* 1098 * Finds first key slot which is not active 1099 * Returns the key slot index, or -1 if it doesn't exist 1100 */ 1101 static int 1102 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks) 1103 { 1104 size_t i; 1105 1106 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1107 if (!qcrypto_block_luks_slot_active(luks, i)) { 1108 return i; 1109 } 1110 } 1111 return -1; 1112 } 1113 1114 /* 1115 * Erases an keyslot given its index 1116 * Returns: 1117 * 0 if the keyslot was erased successfully 1118 * -1 if a error occurred while erasing the keyslot 1119 * 1120 */ 1121 static int 1122 qcrypto_block_luks_erase_key(QCryptoBlock *block, 1123 unsigned int slot_idx, 1124 QCryptoBlockWriteFunc writefunc, 1125 void *opaque, 1126 Error **errp) 1127 { 1128 QCryptoBlockLUKS *luks = block->opaque; 1129 QCryptoBlockLUKSKeySlot *slot; 1130 g_autofree uint8_t *garbagesplitkey = NULL; 1131 size_t splitkeylen; 1132 size_t i; 1133 Error *local_err = NULL; 1134 int ret; 1135 1136 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1137 slot = &luks->header.key_slots[slot_idx]; 1138 1139 splitkeylen = luks->header.master_key_len * slot->stripes; 1140 assert(splitkeylen > 0); 1141 1142 garbagesplitkey = g_new0(uint8_t, splitkeylen); 1143 1144 /* Reset the key slot header */ 1145 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN); 1146 slot->iterations = 0; 1147 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1148 1149 ret = qcrypto_block_luks_store_header(block, writefunc, 1150 opaque, &local_err); 1151 1152 if (ret < 0) { 1153 error_propagate(errp, local_err); 1154 } 1155 /* 1156 * Now try to erase the key material, even if the header 1157 * update failed 1158 */ 1159 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) { 1160 if (qcrypto_random_bytes(garbagesplitkey, 1161 splitkeylen, &local_err) < 0) { 1162 /* 1163 * If we failed to get the random data, still write 1164 * at least zeros to the key slot at least once 1165 */ 1166 error_propagate(errp, local_err); 1167 1168 if (i > 0) { 1169 return -1; 1170 } 1171 } 1172 if (writefunc(block, 1173 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1174 garbagesplitkey, 1175 splitkeylen, 1176 opaque, 1177 &local_err) < 0) { 1178 error_propagate(errp, local_err); 1179 return -1; 1180 } 1181 } 1182 return ret; 1183 } 1184 1185 static int 1186 qcrypto_block_luks_open(QCryptoBlock *block, 1187 QCryptoBlockOpenOptions *options, 1188 const char *optprefix, 1189 QCryptoBlockReadFunc readfunc, 1190 void *opaque, 1191 unsigned int flags, 1192 Error **errp) 1193 { 1194 QCryptoBlockLUKS *luks = NULL; 1195 g_autofree uint8_t *masterkey = NULL; 1196 g_autofree char *password = NULL; 1197 1198 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1199 if (!options->u.luks.key_secret) { 1200 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1201 optprefix ? optprefix : ""); 1202 return -1; 1203 } 1204 password = qcrypto_secret_lookup_as_utf8( 1205 options->u.luks.key_secret, errp); 1206 if (!password) { 1207 return -1; 1208 } 1209 } 1210 1211 luks = g_new0(QCryptoBlockLUKS, 1); 1212 block->opaque = luks; 1213 luks->secret = g_strdup(options->u.luks.key_secret); 1214 1215 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) { 1216 goto fail; 1217 } 1218 1219 if (qcrypto_block_luks_check_header(luks, flags, errp) < 0) { 1220 goto fail; 1221 } 1222 1223 if (qcrypto_block_luks_parse_header(luks, errp) < 0) { 1224 goto fail; 1225 } 1226 1227 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { 1228 /* Try to find which key slot our password is valid for 1229 * and unlock the master key from that slot. 1230 */ 1231 1232 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1233 1234 if (qcrypto_block_luks_find_key(block, 1235 password, 1236 masterkey, 1237 readfunc, opaque, 1238 errp) < 0) { 1239 goto fail; 1240 } 1241 1242 /* We have a valid master key now, so can setup the 1243 * block device payload decryption objects 1244 */ 1245 block->kdfhash = luks->hash_alg; 1246 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, 1247 luks->cipher_mode); 1248 1249 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg, 1250 luks->ivgen_cipher_alg, 1251 luks->ivgen_hash_alg, 1252 masterkey, 1253 luks->header.master_key_len, 1254 errp); 1255 if (!block->ivgen) { 1256 goto fail; 1257 } 1258 1259 if (qcrypto_block_init_cipher(block, 1260 luks->cipher_alg, 1261 luks->cipher_mode, 1262 masterkey, 1263 luks->header.master_key_len, 1264 errp) < 0) { 1265 goto fail; 1266 } 1267 } 1268 1269 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1270 block->payload_offset = luks->header.payload_offset_sector * 1271 block->sector_size; 1272 block->detached_header = (block->payload_offset == 0) ? true : false; 1273 1274 return 0; 1275 1276 fail: 1277 qcrypto_block_free_cipher(block); 1278 qcrypto_ivgen_free(block->ivgen); 1279 g_free(luks->secret); 1280 g_free(luks); 1281 return -1; 1282 } 1283 1284 1285 static void 1286 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr) 1287 { 1288 QemuUUID uuid; 1289 qemu_uuid_generate(&uuid); 1290 qemu_uuid_unparse(&uuid, (char *)uuidstr); 1291 } 1292 1293 static int 1294 qcrypto_block_luks_create(QCryptoBlock *block, 1295 QCryptoBlockCreateOptions *options, 1296 const char *optprefix, 1297 QCryptoBlockInitFunc initfunc, 1298 QCryptoBlockWriteFunc writefunc, 1299 void *opaque, 1300 Error **errp) 1301 { 1302 QCryptoBlockLUKS *luks; 1303 QCryptoBlockCreateOptionsLUKS luks_opts; 1304 Error *local_err = NULL; 1305 g_autofree uint8_t *masterkey = NULL; 1306 size_t header_sectors; 1307 size_t split_key_sectors; 1308 size_t i; 1309 g_autofree char *password = NULL; 1310 const char *cipher_alg; 1311 const char *cipher_mode; 1312 const char *ivgen_alg; 1313 const char *ivgen_hash_alg = NULL; 1314 const char *hash_alg; 1315 g_autofree char *cipher_mode_spec = NULL; 1316 uint64_t iters; 1317 uint64_t detached_header_size; 1318 1319 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); 1320 if (!luks_opts.has_iter_time) { 1321 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1322 } 1323 if (!luks_opts.has_cipher_alg) { 1324 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256; 1325 } 1326 if (!luks_opts.has_cipher_mode) { 1327 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; 1328 } 1329 if (!luks_opts.has_ivgen_alg) { 1330 luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64; 1331 } 1332 if (!luks_opts.has_hash_alg) { 1333 luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; 1334 } 1335 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1336 if (!luks_opts.has_ivgen_hash_alg) { 1337 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256; 1338 luks_opts.has_ivgen_hash_alg = true; 1339 } 1340 } 1341 1342 luks = g_new0(QCryptoBlockLUKS, 1); 1343 block->opaque = luks; 1344 1345 luks->cipher_alg = luks_opts.cipher_alg; 1346 luks->cipher_mode = luks_opts.cipher_mode; 1347 luks->ivgen_alg = luks_opts.ivgen_alg; 1348 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; 1349 luks->hash_alg = luks_opts.hash_alg; 1350 1351 1352 /* Note we're allowing ivgen_hash_alg to be set even for 1353 * non-essiv iv generators that don't need a hash. It will 1354 * be silently ignored, for compatibility with dm-crypt */ 1355 1356 if (!options->u.luks.key_secret) { 1357 error_setg(errp, "Parameter '%skey-secret' is required for cipher", 1358 optprefix ? optprefix : ""); 1359 goto error; 1360 } 1361 luks->secret = g_strdup(options->u.luks.key_secret); 1362 1363 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); 1364 if (!password) { 1365 goto error; 1366 } 1367 1368 1369 memcpy(luks->header.magic, qcrypto_block_luks_magic, 1370 QCRYPTO_BLOCK_LUKS_MAGIC_LEN); 1371 1372 /* We populate the header in native endianness initially and 1373 * then convert everything to big endian just before writing 1374 * it out to disk 1375 */ 1376 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; 1377 qcrypto_block_luks_uuid_gen(luks->header.uuid); 1378 1379 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, 1380 errp); 1381 if (!cipher_alg) { 1382 goto error; 1383 } 1384 1385 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode); 1386 ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg); 1387 if (luks_opts.has_ivgen_hash_alg) { 1388 ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg); 1389 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, 1390 ivgen_hash_alg); 1391 } else { 1392 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); 1393 } 1394 hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg); 1395 1396 1397 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { 1398 error_setg(errp, "Cipher name '%s' is too long for LUKS header", 1399 cipher_alg); 1400 goto error; 1401 } 1402 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { 1403 error_setg(errp, "Cipher mode '%s' is too long for LUKS header", 1404 cipher_mode_spec); 1405 goto error; 1406 } 1407 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { 1408 error_setg(errp, "Hash name '%s' is too long for LUKS header", 1409 hash_alg); 1410 goto error; 1411 } 1412 1413 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1414 luks->ivgen_cipher_alg = 1415 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, 1416 luks_opts.ivgen_hash_alg, 1417 &local_err); 1418 if (local_err) { 1419 error_propagate(errp, local_err); 1420 goto error; 1421 } 1422 } else { 1423 luks->ivgen_cipher_alg = luks_opts.cipher_alg; 1424 } 1425 1426 strcpy(luks->header.cipher_name, cipher_alg); 1427 strcpy(luks->header.cipher_mode, cipher_mode_spec); 1428 strcpy(luks->header.hash_spec, hash_alg); 1429 1430 luks->header.master_key_len = 1431 qcrypto_cipher_get_key_len(luks_opts.cipher_alg); 1432 1433 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { 1434 luks->header.master_key_len *= 2; 1435 } 1436 1437 /* Generate the salt used for hashing the master key 1438 * with PBKDF later 1439 */ 1440 if (qcrypto_random_bytes(luks->header.master_key_salt, 1441 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1442 errp) < 0) { 1443 goto error; 1444 } 1445 1446 /* Generate random master key */ 1447 masterkey = g_new0(uint8_t, luks->header.master_key_len); 1448 if (qcrypto_random_bytes(masterkey, 1449 luks->header.master_key_len, errp) < 0) { 1450 goto error; 1451 } 1452 1453 1454 /* Setup the block device payload encryption objects */ 1455 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg, 1456 luks_opts.cipher_mode, masterkey, 1457 luks->header.master_key_len, errp) < 0) { 1458 goto error; 1459 } 1460 1461 block->kdfhash = luks_opts.hash_alg; 1462 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, 1463 luks_opts.cipher_mode); 1464 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, 1465 luks->ivgen_cipher_alg, 1466 luks_opts.ivgen_hash_alg, 1467 masterkey, luks->header.master_key_len, 1468 errp); 1469 1470 if (!block->ivgen) { 1471 goto error; 1472 } 1473 1474 1475 /* Determine how many iterations we need to hash the master 1476 * key, in order to have 1 second of compute time used 1477 */ 1478 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, 1479 masterkey, luks->header.master_key_len, 1480 luks->header.master_key_salt, 1481 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1482 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1483 &local_err); 1484 if (local_err) { 1485 error_propagate(errp, local_err); 1486 goto error; 1487 } 1488 1489 if (iters > (ULLONG_MAX / luks_opts.iter_time)) { 1490 error_setg_errno(errp, ERANGE, 1491 "PBKDF iterations %llu too large to scale", 1492 (unsigned long long)iters); 1493 goto error; 1494 } 1495 1496 /* iter_time was in millis, but count_iters reported for secs */ 1497 iters = iters * luks_opts.iter_time / 1000; 1498 1499 /* Why /= 8 ? That matches cryptsetup, but there's no 1500 * explanation why they chose /= 8... Probably so that 1501 * if all 8 keyslots are active we only spend 1 second 1502 * in total time to check all keys */ 1503 iters /= 8; 1504 if (iters > UINT32_MAX) { 1505 error_setg_errno(errp, ERANGE, 1506 "PBKDF iterations %llu larger than %u", 1507 (unsigned long long)iters, UINT32_MAX); 1508 goto error; 1509 } 1510 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); 1511 luks->header.master_key_iterations = iters; 1512 1513 /* Hash the master key, saving the result in the LUKS 1514 * header. This hash is used when opening the encrypted 1515 * device to verify that the user password unlocked a 1516 * valid master key 1517 */ 1518 if (qcrypto_pbkdf2(luks_opts.hash_alg, 1519 masterkey, luks->header.master_key_len, 1520 luks->header.master_key_salt, 1521 QCRYPTO_BLOCK_LUKS_SALT_LEN, 1522 luks->header.master_key_iterations, 1523 luks->header.master_key_digest, 1524 QCRYPTO_BLOCK_LUKS_DIGEST_LEN, 1525 errp) < 0) { 1526 goto error; 1527 } 1528 1529 /* start with the sector that follows the header*/ 1530 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 1531 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1532 1533 split_key_sectors = 1534 qcrypto_block_luks_splitkeylen_sectors(luks, 1535 header_sectors, 1536 QCRYPTO_BLOCK_LUKS_STRIPES); 1537 1538 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1539 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i]; 1540 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; 1541 1542 slot->key_offset_sector = header_sectors + i * split_key_sectors; 1543 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES; 1544 } 1545 1546 if (block->detached_header) { 1547 /* 1548 * For a detached LUKS header image, set the payload_offset_sector 1549 * to 0 to specify the starting point for read/write 1550 */ 1551 luks->header.payload_offset_sector = 0; 1552 } else { 1553 /* 1554 * The total size of the LUKS headers is the partition header + key 1555 * slot headers, rounded up to the nearest sector, combined with 1556 * the size of each master key material region, also rounded up 1557 * to the nearest sector 1558 */ 1559 luks->header.payload_offset_sector = header_sectors + 1560 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors; 1561 } 1562 1563 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1564 block->payload_offset = luks->header.payload_offset_sector * 1565 block->sector_size; 1566 detached_header_size = 1567 (header_sectors + QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * 1568 split_key_sectors) * block->sector_size; 1569 1570 /* Reserve header space to match payload offset */ 1571 initfunc(block, detached_header_size, opaque, &local_err); 1572 if (local_err) { 1573 error_propagate(errp, local_err); 1574 goto error; 1575 } 1576 1577 1578 /* populate the slot 0 with the password encrypted master key*/ 1579 /* This will also store the header */ 1580 if (qcrypto_block_luks_store_key(block, 1581 0, 1582 password, 1583 masterkey, 1584 luks_opts.iter_time, 1585 writefunc, 1586 opaque, 1587 errp) < 0) { 1588 goto error; 1589 } 1590 1591 memset(masterkey, 0, luks->header.master_key_len); 1592 1593 return 0; 1594 1595 error: 1596 if (masterkey) { 1597 memset(masterkey, 0, luks->header.master_key_len); 1598 } 1599 1600 qcrypto_block_free_cipher(block); 1601 qcrypto_ivgen_free(block->ivgen); 1602 1603 g_free(luks->secret); 1604 g_free(luks); 1605 return -1; 1606 } 1607 1608 static int 1609 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block, 1610 QCryptoBlockReadFunc readfunc, 1611 QCryptoBlockWriteFunc writefunc, 1612 void *opaque, 1613 QCryptoBlockAmendOptionsLUKS *opts_luks, 1614 bool force, 1615 Error **errp) 1616 { 1617 QCryptoBlockLUKS *luks = block->opaque; 1618 uint64_t iter_time = opts_luks->has_iter_time ? 1619 opts_luks->iter_time : 1620 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; 1621 int keyslot; 1622 g_autofree char *old_password = NULL; 1623 g_autofree char *new_password = NULL; 1624 g_autofree uint8_t *master_key = NULL; 1625 1626 char *secret = opts_luks->secret ?: luks->secret; 1627 1628 if (!opts_luks->new_secret) { 1629 error_setg(errp, "'new-secret' is required to activate a keyslot"); 1630 return -1; 1631 } 1632 if (opts_luks->old_secret) { 1633 error_setg(errp, 1634 "'old-secret' must not be given when activating keyslots"); 1635 return -1; 1636 } 1637 1638 if (opts_luks->has_keyslot) { 1639 keyslot = opts_luks->keyslot; 1640 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1641 error_setg(errp, 1642 "Invalid keyslot %u specified, must be between 0 and %u", 1643 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1644 return -1; 1645 } 1646 } else { 1647 keyslot = qcrypto_block_luks_find_free_keyslot(luks); 1648 if (keyslot == -1) { 1649 error_setg(errp, 1650 "Can't add a keyslot - all keyslots are in use"); 1651 return -1; 1652 } 1653 } 1654 1655 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) { 1656 error_setg(errp, 1657 "Refusing to overwrite active keyslot %i - " 1658 "please erase it first", 1659 keyslot); 1660 return -1; 1661 } 1662 1663 /* Locate the password that will be used to retrieve the master key */ 1664 old_password = qcrypto_secret_lookup_as_utf8(secret, errp); 1665 if (!old_password) { 1666 return -1; 1667 } 1668 1669 /* Retrieve the master key */ 1670 master_key = g_new0(uint8_t, luks->header.master_key_len); 1671 1672 if (qcrypto_block_luks_find_key(block, old_password, master_key, 1673 readfunc, opaque, errp) < 0) { 1674 error_append_hint(errp, "Failed to retrieve the master key"); 1675 return -1; 1676 } 1677 1678 /* Locate the new password*/ 1679 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp); 1680 if (!new_password) { 1681 return -1; 1682 } 1683 1684 /* Now set the new keyslots */ 1685 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key, 1686 iter_time, writefunc, opaque, errp)) { 1687 error_append_hint(errp, "Failed to write to keyslot %i", keyslot); 1688 return -1; 1689 } 1690 return 0; 1691 } 1692 1693 static int 1694 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block, 1695 QCryptoBlockReadFunc readfunc, 1696 QCryptoBlockWriteFunc writefunc, 1697 void *opaque, 1698 QCryptoBlockAmendOptionsLUKS *opts_luks, 1699 bool force, 1700 Error **errp) 1701 { 1702 QCryptoBlockLUKS *luks = block->opaque; 1703 g_autofree uint8_t *tmpkey = NULL; 1704 g_autofree char *old_password = NULL; 1705 1706 if (opts_luks->new_secret) { 1707 error_setg(errp, 1708 "'new-secret' must not be given when erasing keyslots"); 1709 return -1; 1710 } 1711 if (opts_luks->has_iter_time) { 1712 error_setg(errp, 1713 "'iter-time' must not be given when erasing keyslots"); 1714 return -1; 1715 } 1716 if (opts_luks->secret) { 1717 error_setg(errp, 1718 "'secret' must not be given when erasing keyslots"); 1719 return -1; 1720 } 1721 1722 /* Load the old password if given */ 1723 if (opts_luks->old_secret) { 1724 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret, 1725 errp); 1726 if (!old_password) { 1727 return -1; 1728 } 1729 1730 /* 1731 * Allocate a temporary key buffer that we will need when 1732 * checking if slot matches the given old password 1733 */ 1734 tmpkey = g_new0(uint8_t, luks->header.master_key_len); 1735 } 1736 1737 /* Erase an explicitly given keyslot */ 1738 if (opts_luks->has_keyslot) { 1739 int keyslot = opts_luks->keyslot; 1740 1741 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { 1742 error_setg(errp, 1743 "Invalid keyslot %i specified, must be between 0 and %i", 1744 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); 1745 return -1; 1746 } 1747 1748 if (opts_luks->old_secret) { 1749 int rv = qcrypto_block_luks_load_key(block, 1750 keyslot, 1751 old_password, 1752 tmpkey, 1753 readfunc, 1754 opaque, 1755 errp); 1756 if (rv == -1) { 1757 return -1; 1758 } else if (rv == 0) { 1759 error_setg(errp, 1760 "Given keyslot %i doesn't contain the given " 1761 "old password for erase operation", 1762 keyslot); 1763 return -1; 1764 } 1765 } 1766 1767 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) { 1768 error_setg(errp, 1769 "Given keyslot %i is already erased (inactive) ", 1770 keyslot); 1771 return -1; 1772 } 1773 1774 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) { 1775 error_setg(errp, 1776 "Attempt to erase the only active keyslot %i " 1777 "which will erase all the data in the image " 1778 "irreversibly - refusing operation", 1779 keyslot); 1780 return -1; 1781 } 1782 1783 if (qcrypto_block_luks_erase_key(block, keyslot, 1784 writefunc, opaque, errp)) { 1785 error_append_hint(errp, "Failed to erase keyslot %i", keyslot); 1786 return -1; 1787 } 1788 1789 /* Erase all keyslots that match the given old password */ 1790 } else if (opts_luks->old_secret) { 1791 1792 unsigned long slots_to_erase_bitmap = 0; 1793 size_t i; 1794 int slot_count; 1795 1796 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <= 1797 sizeof(slots_to_erase_bitmap) * 8); 1798 1799 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1800 int rv = qcrypto_block_luks_load_key(block, 1801 i, 1802 old_password, 1803 tmpkey, 1804 readfunc, 1805 opaque, 1806 errp); 1807 if (rv == -1) { 1808 return -1; 1809 } else if (rv == 1) { 1810 bitmap_set(&slots_to_erase_bitmap, i, 1); 1811 } 1812 } 1813 1814 slot_count = bitmap_count_one(&slots_to_erase_bitmap, 1815 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); 1816 if (slot_count == 0) { 1817 error_setg(errp, 1818 "No keyslots match given (old) password for erase operation"); 1819 return -1; 1820 } 1821 1822 if (!force && 1823 slot_count == qcrypto_block_luks_count_active_slots(luks)) { 1824 error_setg(errp, 1825 "All the active keyslots match the (old) password that " 1826 "was given and erasing them will erase all the data in " 1827 "the image irreversibly - refusing operation"); 1828 return -1; 1829 } 1830 1831 /* Now apply the update */ 1832 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1833 if (!test_bit(i, &slots_to_erase_bitmap)) { 1834 continue; 1835 } 1836 if (qcrypto_block_luks_erase_key(block, i, writefunc, 1837 opaque, errp)) { 1838 error_append_hint(errp, "Failed to erase keyslot %zu", i); 1839 return -1; 1840 } 1841 } 1842 } else { 1843 error_setg(errp, 1844 "To erase keyslot(s), either explicit keyslot index " 1845 "or the password currently contained in them must be given"); 1846 return -1; 1847 } 1848 return 0; 1849 } 1850 1851 static int 1852 qcrypto_block_luks_amend_options(QCryptoBlock *block, 1853 QCryptoBlockReadFunc readfunc, 1854 QCryptoBlockWriteFunc writefunc, 1855 void *opaque, 1856 QCryptoBlockAmendOptions *options, 1857 bool force, 1858 Error **errp) 1859 { 1860 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks; 1861 1862 switch (opts_luks->state) { 1863 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE: 1864 return qcrypto_block_luks_amend_add_keyslot(block, readfunc, 1865 writefunc, opaque, 1866 opts_luks, force, errp); 1867 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE: 1868 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc, 1869 writefunc, opaque, 1870 opts_luks, force, errp); 1871 default: 1872 g_assert_not_reached(); 1873 } 1874 } 1875 1876 static int qcrypto_block_luks_get_info(QCryptoBlock *block, 1877 QCryptoBlockInfo *info, 1878 Error **errp) 1879 { 1880 QCryptoBlockLUKS *luks = block->opaque; 1881 QCryptoBlockInfoLUKSSlot *slot; 1882 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots; 1883 size_t i; 1884 1885 info->u.luks.cipher_alg = luks->cipher_alg; 1886 info->u.luks.cipher_mode = luks->cipher_mode; 1887 info->u.luks.ivgen_alg = luks->ivgen_alg; 1888 if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { 1889 info->u.luks.has_ivgen_hash_alg = true; 1890 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; 1891 } 1892 info->u.luks.hash_alg = luks->hash_alg; 1893 info->u.luks.payload_offset = block->payload_offset; 1894 info->u.luks.master_key_iters = luks->header.master_key_iterations; 1895 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, 1896 sizeof(luks->header.uuid)); 1897 info->u.luks.detached_header = block->detached_header; 1898 1899 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { 1900 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); 1901 slot->active = luks->header.key_slots[i].active == 1902 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; 1903 slot->key_offset = luks->header.key_slots[i].key_offset_sector 1904 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; 1905 if (slot->active) { 1906 slot->has_iters = true; 1907 slot->iters = luks->header.key_slots[i].iterations; 1908 slot->has_stripes = true; 1909 slot->stripes = luks->header.key_slots[i].stripes; 1910 } 1911 1912 QAPI_LIST_APPEND(tail, slot); 1913 } 1914 1915 return 0; 1916 } 1917 1918 1919 static void qcrypto_block_luks_cleanup(QCryptoBlock *block) 1920 { 1921 QCryptoBlockLUKS *luks = block->opaque; 1922 if (luks) { 1923 g_free(luks->secret); 1924 g_free(luks); 1925 } 1926 } 1927 1928 1929 static int 1930 qcrypto_block_luks_decrypt(QCryptoBlock *block, 1931 uint64_t offset, 1932 uint8_t *buf, 1933 size_t len, 1934 Error **errp) 1935 { 1936 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1937 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1938 return qcrypto_block_decrypt_helper(block, 1939 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1940 offset, buf, len, errp); 1941 } 1942 1943 1944 static int 1945 qcrypto_block_luks_encrypt(QCryptoBlock *block, 1946 uint64_t offset, 1947 uint8_t *buf, 1948 size_t len, 1949 Error **errp) 1950 { 1951 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1952 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); 1953 return qcrypto_block_encrypt_helper(block, 1954 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, 1955 offset, buf, len, errp); 1956 } 1957 1958 1959 const QCryptoBlockDriver qcrypto_block_driver_luks = { 1960 .open = qcrypto_block_luks_open, 1961 .create = qcrypto_block_luks_create, 1962 .amend = qcrypto_block_luks_amend_options, 1963 .get_info = qcrypto_block_luks_get_info, 1964 .cleanup = qcrypto_block_luks_cleanup, 1965 .decrypt = qcrypto_block_luks_decrypt, 1966 .encrypt = qcrypto_block_luks_encrypt, 1967 .has_format = qcrypto_block_luks_has_format, 1968 }; 1969