xref: /openbmc/qemu/crypto/block-qcow.c (revision 8692aa29)
1 /*
2  * QEMU Crypto block device encryption QCow/QCow2 AES-CBC format
3  *
4  * Copyright (c) 2015-2016 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 /*
22  * Note that the block encryption implemented in this file is broken
23  * by design. This exists only to allow data to be liberated from
24  * existing qcow[2] images and should not be used in any new areas.
25  */
26 
27 #include "qemu/osdep.h"
28 #include "qapi/error.h"
29 
30 #include "crypto/block-qcow.h"
31 #include "crypto/secret.h"
32 
33 #define QCRYPTO_BLOCK_QCOW_SECTOR_SIZE 512
34 
35 
36 static bool
37 qcrypto_block_qcow_has_format(const uint8_t *buf G_GNUC_UNUSED,
38                               size_t buf_size G_GNUC_UNUSED)
39 {
40     return false;
41 }
42 
43 
44 static int
45 qcrypto_block_qcow_init(QCryptoBlock *block,
46                         const char *keysecret,
47                         Error **errp)
48 {
49     char *password;
50     int ret;
51     uint8_t keybuf[16];
52     int len;
53 
54     memset(keybuf, 0, 16);
55 
56     password = qcrypto_secret_lookup_as_utf8(keysecret, errp);
57     if (!password) {
58         return -1;
59     }
60 
61     len = strlen(password);
62     memcpy(keybuf, password, MIN(len, sizeof(keybuf)));
63     g_free(password);
64 
65     block->niv = qcrypto_cipher_get_iv_len(QCRYPTO_CIPHER_ALG_AES_128,
66                                            QCRYPTO_CIPHER_MODE_CBC);
67     block->ivgen = qcrypto_ivgen_new(QCRYPTO_IVGEN_ALG_PLAIN64,
68                                      0, 0, NULL, 0, errp);
69     if (!block->ivgen) {
70         ret = -ENOTSUP;
71         goto fail;
72     }
73 
74     block->cipher = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_128,
75                                        QCRYPTO_CIPHER_MODE_CBC,
76                                        keybuf, G_N_ELEMENTS(keybuf),
77                                        errp);
78     if (!block->cipher) {
79         ret = -ENOTSUP;
80         goto fail;
81     }
82 
83     block->payload_offset = 0;
84 
85     return 0;
86 
87  fail:
88     qcrypto_cipher_free(block->cipher);
89     qcrypto_ivgen_free(block->ivgen);
90     return ret;
91 }
92 
93 
94 static int
95 qcrypto_block_qcow_open(QCryptoBlock *block,
96                         QCryptoBlockOpenOptions *options,
97                         QCryptoBlockReadFunc readfunc G_GNUC_UNUSED,
98                         void *opaque G_GNUC_UNUSED,
99                         unsigned int flags,
100                         Error **errp)
101 {
102     if (flags & QCRYPTO_BLOCK_OPEN_NO_IO) {
103         return 0;
104     } else {
105         if (!options->u.qcow.key_secret) {
106             error_setg(errp,
107                        "Parameter 'key-secret' is required for cipher");
108             return -1;
109         }
110         return qcrypto_block_qcow_init(block,
111                                        options->u.qcow.key_secret, errp);
112     }
113 }
114 
115 
116 static int
117 qcrypto_block_qcow_create(QCryptoBlock *block,
118                           QCryptoBlockCreateOptions *options,
119                           QCryptoBlockInitFunc initfunc G_GNUC_UNUSED,
120                           QCryptoBlockWriteFunc writefunc G_GNUC_UNUSED,
121                           void *opaque G_GNUC_UNUSED,
122                           Error **errp)
123 {
124     if (!options->u.qcow.key_secret) {
125         error_setg(errp, "Parameter 'key-secret' is required for cipher");
126         return -1;
127     }
128     /* QCow2 has no special header, since everything is hardwired */
129     return qcrypto_block_qcow_init(block, options->u.qcow.key_secret, errp);
130 }
131 
132 
133 static void
134 qcrypto_block_qcow_cleanup(QCryptoBlock *block)
135 {
136 }
137 
138 
139 static int
140 qcrypto_block_qcow_decrypt(QCryptoBlock *block,
141                            uint64_t startsector,
142                            uint8_t *buf,
143                            size_t len,
144                            Error **errp)
145 {
146     return qcrypto_block_decrypt_helper(block->cipher,
147                                         block->niv, block->ivgen,
148                                         QCRYPTO_BLOCK_QCOW_SECTOR_SIZE,
149                                         startsector, buf, len, errp);
150 }
151 
152 
153 static int
154 qcrypto_block_qcow_encrypt(QCryptoBlock *block,
155                            uint64_t startsector,
156                            uint8_t *buf,
157                            size_t len,
158                            Error **errp)
159 {
160     return qcrypto_block_encrypt_helper(block->cipher,
161                                         block->niv, block->ivgen,
162                                         QCRYPTO_BLOCK_QCOW_SECTOR_SIZE,
163                                         startsector, buf, len, errp);
164 }
165 
166 
167 const QCryptoBlockDriver qcrypto_block_driver_qcow = {
168     .open = qcrypto_block_qcow_open,
169     .create = qcrypto_block_qcow_create,
170     .cleanup = qcrypto_block_qcow_cleanup,
171     .decrypt = qcrypto_block_qcow_decrypt,
172     .encrypt = qcrypto_block_qcow_encrypt,
173     .has_format = qcrypto_block_qcow_has_format,
174 };
175