Index: head/sbin/geom/class/eli/geom_eli.c =================================================================== --- head/sbin/geom/class/eli/geom_eli.c (revision 308136) +++ head/sbin/geom/class/eli/geom_eli.c (revision 308137) @@ -1,1726 +1,1726 @@ /*- * Copyright (c) 2004-2010 Pawel Jakub Dawidek * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "core/geom.h" #include "misc/subr.h" uint32_t lib_version = G_LIB_VERSION; uint32_t version = G_ELI_VERSION; #define GELI_BACKUP_DIR "/var/backups/" #define GELI_ENC_ALGO "aes" static void eli_main(struct gctl_req *req, unsigned flags); static void eli_init(struct gctl_req *req); static void eli_attach(struct gctl_req *req); static void eli_configure(struct gctl_req *req); static void eli_setkey(struct gctl_req *req); static void eli_delkey(struct gctl_req *req); static void eli_resume(struct gctl_req *req); static void eli_kill(struct gctl_req *req); static void eli_backup(struct gctl_req *req); static void eli_restore(struct gctl_req *req); static void eli_resize(struct gctl_req *req); static void eli_version(struct gctl_req *req); static void eli_clear(struct gctl_req *req); static void eli_dump(struct gctl_req *req); static int eli_backup_create(struct gctl_req *req, const char *prov, const char *file); /* * Available commands: * * init [-bgPTv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-s sectorsize] [-V version] prov * label - alias for 'init' * attach [-dprv] [-j passfile] [-k keyfile] prov * detach [-fl] prov ... * stop - alias for 'detach' * onetime [-d] [-a aalgo] [-e ealgo] [-l keylen] prov * configure [-bBgGtT] prov ... * setkey [-pPv] [-n keyno] [-j passfile] [-J newpassfile] [-k keyfile] [-K newkeyfile] prov * delkey [-afv] [-n keyno] prov * suspend [-v] -a | prov ... * resume [-pv] [-j passfile] [-k keyfile] prov * kill [-av] [prov ...] * backup [-v] prov file * restore [-fv] file prov * resize [-v] -s oldsize prov * version [prov ...] * clear [-v] prov ... * dump [-v] prov ... */ struct g_command class_commands[] = { { "init", G_FLAG_VERBOSE, eli_main, { { 'a', "aalgo", "", G_TYPE_STRING }, { 'b', "boot", NULL, G_TYPE_BOOL }, { 'B', "backupfile", "", G_TYPE_STRING }, { 'e', "ealgo", "", G_TYPE_STRING }, { 'g', "geliboot", NULL, G_TYPE_BOOL }, { 'i', "iterations", "-1", G_TYPE_NUMBER }, { 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'l', "keylen", "0", G_TYPE_NUMBER }, { 'P', "nonewpassphrase", NULL, G_TYPE_BOOL }, { 's', "sectorsize", "0", G_TYPE_NUMBER }, { 'T', "notrim", NULL, G_TYPE_BOOL }, { 'V', "mdversion", "-1", G_TYPE_NUMBER }, G_OPT_SENTINEL }, "[-bgPTv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-s sectorsize] [-V version] prov" }, { "label", G_FLAG_VERBOSE, eli_main, { { 'a', "aalgo", "", G_TYPE_STRING }, { 'b', "boot", NULL, G_TYPE_BOOL }, { 'B', "backupfile", "", G_TYPE_STRING }, { 'e', "ealgo", "", G_TYPE_STRING }, { 'g', "geliboot", NULL, G_TYPE_BOOL }, { 'i', "iterations", "-1", G_TYPE_NUMBER }, { 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'l', "keylen", "0", G_TYPE_NUMBER }, { 'P', "nonewpassphrase", NULL, G_TYPE_BOOL }, { 's', "sectorsize", "0", G_TYPE_NUMBER }, { 'V', "mdversion", "-1", G_TYPE_NUMBER }, G_OPT_SENTINEL }, "- an alias for 'init'" }, { "attach", G_FLAG_VERBOSE | G_FLAG_LOADKLD, eli_main, { { 'd', "detach", NULL, G_TYPE_BOOL }, { 'j', "passfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'k', "keyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'p', "nopassphrase", NULL, G_TYPE_BOOL }, { 'r', "readonly", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-dprv] [-j passfile] [-k keyfile] prov" }, { "detach", 0, NULL, { { 'f', "force", NULL, G_TYPE_BOOL }, { 'l', "last", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-fl] prov ..." }, { "stop", 0, NULL, { { 'f', "force", NULL, G_TYPE_BOOL }, { 'l', "last", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "- an alias for 'detach'" }, { "onetime", G_FLAG_VERBOSE | G_FLAG_LOADKLD, NULL, { { 'a', "aalgo", "", G_TYPE_STRING }, { 'd', "detach", NULL, G_TYPE_BOOL }, { 'e', "ealgo", GELI_ENC_ALGO, G_TYPE_STRING }, { 'l', "keylen", "0", G_TYPE_NUMBER }, { 's', "sectorsize", "0", G_TYPE_NUMBER }, { 'T', "notrim", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-dT] [-a aalgo] [-e ealgo] [-l keylen] [-s sectorsize] prov" }, { "configure", G_FLAG_VERBOSE, eli_main, { { 'b', "boot", NULL, G_TYPE_BOOL }, { 'B', "noboot", NULL, G_TYPE_BOOL }, { 'g', "geliboot", NULL, G_TYPE_BOOL }, { 'G', "nogeliboot", NULL, G_TYPE_BOOL }, { 't', "trim", NULL, G_TYPE_BOOL }, { 'T', "notrim", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-bBgGtT] prov ..." }, { "setkey", G_FLAG_VERBOSE, eli_main, { { 'i', "iterations", "-1", G_TYPE_NUMBER }, { 'j', "passfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'k', "keyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'n', "keyno", "-1", G_TYPE_NUMBER }, { 'p', "nopassphrase", NULL, G_TYPE_BOOL }, { 'P', "nonewpassphrase", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-pPv] [-n keyno] [-i iterations] [-j passfile] [-J newpassfile] [-k keyfile] [-K newkeyfile] prov" }, { "delkey", G_FLAG_VERBOSE, eli_main, { { 'a', "all", NULL, G_TYPE_BOOL }, { 'f', "force", NULL, G_TYPE_BOOL }, { 'n', "keyno", "-1", G_TYPE_NUMBER }, G_OPT_SENTINEL }, "[-afv] [-n keyno] prov" }, { "suspend", G_FLAG_VERBOSE, NULL, { { 'a', "all", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-v] -a | prov ..." }, { "resume", G_FLAG_VERBOSE, eli_main, { { 'j', "passfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'k', "keyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'p', "nopassphrase", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-pv] [-j passfile] [-k keyfile] prov" }, { "kill", G_FLAG_VERBOSE, eli_main, { { 'a', "all", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-av] [prov ...]" }, { "backup", G_FLAG_VERBOSE, eli_main, G_NULL_OPTS, "[-v] prov file" }, { "restore", G_FLAG_VERBOSE, eli_main, { { 'f', "force", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, "[-fv] file prov" }, { "resize", G_FLAG_VERBOSE, eli_main, { { 's', "oldsize", NULL, G_TYPE_NUMBER }, G_OPT_SENTINEL }, "[-v] -s oldsize prov" }, { "version", G_FLAG_LOADKLD, eli_main, G_NULL_OPTS, "[prov ...]" }, { "clear", G_FLAG_VERBOSE, eli_main, G_NULL_OPTS, "[-v] prov ..." }, { "dump", G_FLAG_VERBOSE, eli_main, G_NULL_OPTS, "[-v] prov ..." }, G_CMD_SENTINEL }; static int verbose = 0; #define BUFSIZE 1024 static int eli_protect(struct gctl_req *req) { struct rlimit rl; /* Disable core dumps. */ rl.rlim_cur = 0; rl.rlim_max = 0; if (setrlimit(RLIMIT_CORE, &rl) == -1) { gctl_error(req, "Cannot disable core dumps: %s.", strerror(errno)); return (-1); } /* Disable swapping. */ if (mlockall(MCL_FUTURE) == -1) { gctl_error(req, "Cannot lock memory: %s.", strerror(errno)); return (-1); } return (0); } static void eli_main(struct gctl_req *req, unsigned int flags) { const char *name; if (eli_protect(req) == -1) return; if ((flags & G_FLAG_VERBOSE) != 0) verbose = 1; name = gctl_get_ascii(req, "verb"); if (name == NULL) { gctl_error(req, "No '%s' argument.", "verb"); return; } if (strcmp(name, "init") == 0 || strcmp(name, "label") == 0) eli_init(req); else if (strcmp(name, "attach") == 0) eli_attach(req); else if (strcmp(name, "configure") == 0) eli_configure(req); else if (strcmp(name, "setkey") == 0) eli_setkey(req); else if (strcmp(name, "delkey") == 0) eli_delkey(req); else if (strcmp(name, "resume") == 0) eli_resume(req); else if (strcmp(name, "kill") == 0) eli_kill(req); else if (strcmp(name, "backup") == 0) eli_backup(req); else if (strcmp(name, "restore") == 0) eli_restore(req); else if (strcmp(name, "resize") == 0) eli_resize(req); else if (strcmp(name, "version") == 0) eli_version(req); else if (strcmp(name, "dump") == 0) eli_dump(req); else if (strcmp(name, "clear") == 0) eli_clear(req); else gctl_error(req, "Unknown command: %s.", name); } static bool eli_is_attached(const char *prov) { char name[MAXPATHLEN]; /* * Not the best way to do it, but the easiest. * We try to open provider and check if it is a GEOM provider * by asking about its sectorsize. */ snprintf(name, sizeof(name), "%s%s", prov, G_ELI_SUFFIX); return (g_get_sectorsize(name) > 0); } static int eli_genkey_files(struct gctl_req *req, bool new, const char *type, struct hmac_ctx *ctxp, char *passbuf, size_t passbufsize) { char *p, buf[BUFSIZE], argname[16]; const char *file; int error, fd, i; ssize_t done; assert((strcmp(type, "keyfile") == 0 && ctxp != NULL && passbuf == NULL && passbufsize == 0) || (strcmp(type, "passfile") == 0 && ctxp == NULL && passbuf != NULL && passbufsize > 0)); assert(strcmp(type, "keyfile") == 0 || passbuf[0] == '\0'); for (i = 0; ; i++) { snprintf(argname, sizeof(argname), "%s%s%d", new ? "new" : "", type, i); /* No more {key,pass}files? */ if (!gctl_has_param(req, argname)) return (i); file = gctl_get_ascii(req, "%s", argname); assert(file != NULL); if (strcmp(file, "-") == 0) fd = STDIN_FILENO; else { fd = open(file, O_RDONLY); if (fd == -1) { gctl_error(req, "Cannot open %s %s: %s.", type, file, strerror(errno)); return (-1); } } if (strcmp(type, "keyfile") == 0) { while ((done = read(fd, buf, sizeof(buf))) > 0) g_eli_crypto_hmac_update(ctxp, buf, done); } else /* if (strcmp(type, "passfile") == 0) */ { assert(strcmp(type, "passfile") == 0); while ((done = read(fd, buf, sizeof(buf) - 1)) > 0) { buf[done] = '\0'; p = strchr(buf, '\n'); if (p != NULL) { *p = '\0'; done = p - buf; } if (strlcat(passbuf, buf, passbufsize) >= passbufsize) { gctl_error(req, "Passphrase in %s too long.", file); bzero(buf, sizeof(buf)); return (-1); } if (p != NULL) break; } } error = errno; if (strcmp(file, "-") != 0) close(fd); bzero(buf, sizeof(buf)); if (done == -1) { gctl_error(req, "Cannot read %s %s: %s.", type, file, strerror(error)); return (-1); } } /* NOTREACHED */ } static int eli_genkey_passphrase_prompt(struct gctl_req *req, bool new, char *passbuf, size_t passbufsize) { char *p; for (;;) { p = readpassphrase( new ? "Enter new passphrase: " : "Enter passphrase: ", passbuf, passbufsize, RPP_ECHO_OFF | RPP_REQUIRE_TTY); if (p == NULL) { bzero(passbuf, passbufsize); gctl_error(req, "Cannot read passphrase: %s.", strerror(errno)); return (-1); } if (new) { char tmpbuf[BUFSIZE]; p = readpassphrase("Reenter new passphrase: ", tmpbuf, sizeof(tmpbuf), RPP_ECHO_OFF | RPP_REQUIRE_TTY); if (p == NULL) { bzero(passbuf, passbufsize); gctl_error(req, "Cannot read passphrase: %s.", strerror(errno)); return (-1); } if (strcmp(passbuf, tmpbuf) != 0) { bzero(passbuf, passbufsize); fprintf(stderr, "They didn't match.\n"); continue; } bzero(tmpbuf, sizeof(tmpbuf)); } return (0); } /* NOTREACHED */ } static int eli_genkey_passphrase(struct gctl_req *req, struct g_eli_metadata *md, bool new, struct hmac_ctx *ctxp) { char passbuf[BUFSIZE]; bool nopassphrase; int nfiles; nopassphrase = gctl_get_int(req, new ? "nonewpassphrase" : "nopassphrase"); if (nopassphrase) { if (gctl_has_param(req, new ? "newpassfile0" : "passfile0")) { gctl_error(req, "Options -%c and -%c are mutually exclusive.", new ? 'J' : 'j', new ? 'P' : 'p'); return (-1); } return (0); } if (!new && md->md_iterations == -1) { gctl_error(req, "Missing -p flag."); return (-1); } passbuf[0] = '\0'; nfiles = eli_genkey_files(req, new, "passfile", NULL, passbuf, sizeof(passbuf)); if (nfiles == -1) return (-1); else if (nfiles == 0) { if (eli_genkey_passphrase_prompt(req, new, passbuf, sizeof(passbuf)) == -1) { return (-1); } } /* * Field md_iterations equal to -1 means "choose some sane * value for me". */ if (md->md_iterations == -1) { assert(new); if (verbose) printf("Calculating number of iterations...\n"); md->md_iterations = pkcs5v2_calculate(2000000); assert(md->md_iterations > 0); if (verbose) { printf("Done, using %d iterations.\n", md->md_iterations); } } /* * If md_iterations is equal to 0, user doesn't want PKCS#5v2. */ if (md->md_iterations == 0) { g_eli_crypto_hmac_update(ctxp, md->md_salt, sizeof(md->md_salt)); g_eli_crypto_hmac_update(ctxp, passbuf, strlen(passbuf)); } else /* if (md->md_iterations > 0) */ { unsigned char dkey[G_ELI_USERKEYLEN]; pkcs5v2_genkey(dkey, sizeof(dkey), md->md_salt, sizeof(md->md_salt), passbuf, md->md_iterations); g_eli_crypto_hmac_update(ctxp, dkey, sizeof(dkey)); bzero(dkey, sizeof(dkey)); } bzero(passbuf, sizeof(passbuf)); return (0); } static unsigned char * eli_genkey(struct gctl_req *req, struct g_eli_metadata *md, unsigned char *key, bool new) { struct hmac_ctx ctx; bool nopassphrase; int nfiles; nopassphrase = gctl_get_int(req, new ? "nonewpassphrase" : "nopassphrase"); g_eli_crypto_hmac_init(&ctx, NULL, 0); nfiles = eli_genkey_files(req, new, "keyfile", &ctx, NULL, 0); if (nfiles == -1) return (NULL); else if (nfiles == 0 && nopassphrase) { gctl_error(req, "No key components given."); return (NULL); } if (eli_genkey_passphrase(req, md, new, &ctx) == -1) return (NULL); g_eli_crypto_hmac_final(&ctx, key, 0); return (key); } static int eli_metadata_read(struct gctl_req *req, const char *prov, struct g_eli_metadata *md) { unsigned char sector[sizeof(struct g_eli_metadata)]; int error; if (g_get_sectorsize(prov) == 0) { int fd; /* This is a file probably. */ fd = open(prov, O_RDONLY); if (fd == -1) { gctl_error(req, "Cannot open %s: %s.", prov, strerror(errno)); return (-1); } if (read(fd, sector, sizeof(sector)) != sizeof(sector)) { gctl_error(req, "Cannot read metadata from %s: %s.", prov, strerror(errno)); close(fd); return (-1); } close(fd); } else { /* This is a GEOM provider. */ error = g_metadata_read(prov, sector, sizeof(sector), G_ELI_MAGIC); if (error != 0) { gctl_error(req, "Cannot read metadata from %s: %s.", prov, strerror(error)); return (-1); } } error = eli_metadata_decode(sector, md); switch (error) { case 0: break; case EOPNOTSUPP: gctl_error(req, "Provider's %s metadata version %u is too new.\n" "geli: The highest supported version is %u.", prov, (unsigned int)md->md_version, G_ELI_VERSION); return (-1); case EINVAL: gctl_error(req, "Inconsistent provider's %s metadata.", prov); return (-1); default: gctl_error(req, "Unexpected error while decoding provider's %s metadata: %s.", prov, strerror(error)); return (-1); } return (0); } static int eli_metadata_store(struct gctl_req *req, const char *prov, struct g_eli_metadata *md) { unsigned char sector[sizeof(struct g_eli_metadata)]; int error; eli_metadata_encode(md, sector); if (g_get_sectorsize(prov) == 0) { int fd; /* This is a file probably. */ fd = open(prov, O_WRONLY | O_TRUNC); if (fd == -1) { gctl_error(req, "Cannot open %s: %s.", prov, strerror(errno)); bzero(sector, sizeof(sector)); return (-1); } if (write(fd, sector, sizeof(sector)) != sizeof(sector)) { gctl_error(req, "Cannot write metadata to %s: %s.", prov, strerror(errno)); bzero(sector, sizeof(sector)); close(fd); return (-1); } close(fd); } else { /* This is a GEOM provider. */ error = g_metadata_store(prov, sector, sizeof(sector)); if (error != 0) { gctl_error(req, "Cannot write metadata to %s: %s.", prov, strerror(errno)); bzero(sector, sizeof(sector)); return (-1); } } bzero(sector, sizeof(sector)); return (0); } static void eli_init(struct gctl_req *req) { struct g_eli_metadata md; - unsigned char sector[sizeof(struct g_eli_metadata)]; + unsigned char sector[sizeof(struct g_eli_metadata)] __aligned(4); unsigned char key[G_ELI_USERKEYLEN]; char backfile[MAXPATHLEN]; const char *str, *prov; unsigned int secsize, version; off_t mediasize; intmax_t val; int error, nargs; nargs = gctl_get_int(req, "nargs"); if (nargs != 1) { gctl_error(req, "Invalid number of arguments."); return; } prov = gctl_get_ascii(req, "arg0"); mediasize = g_get_mediasize(prov); secsize = g_get_sectorsize(prov); if (mediasize == 0 || secsize == 0) { gctl_error(req, "Cannot get informations about %s: %s.", prov, strerror(errno)); return; } bzero(&md, sizeof(md)); strlcpy(md.md_magic, G_ELI_MAGIC, sizeof(md.md_magic)); val = gctl_get_intmax(req, "mdversion"); if (val == -1) { version = G_ELI_VERSION; } else if (val < 0 || val > G_ELI_VERSION) { gctl_error(req, "Invalid version specified should be between %u and %u.", G_ELI_VERSION_00, G_ELI_VERSION); return; } else { version = val; } md.md_version = version; md.md_flags = 0; if (gctl_get_int(req, "boot")) md.md_flags |= G_ELI_FLAG_BOOT; if (gctl_get_int(req, "geliboot")) md.md_flags |= G_ELI_FLAG_GELIBOOT; if (gctl_get_int(req, "notrim")) md.md_flags |= G_ELI_FLAG_NODELETE; md.md_ealgo = CRYPTO_ALGORITHM_MIN - 1; str = gctl_get_ascii(req, "aalgo"); if (*str != '\0') { if (version < G_ELI_VERSION_01) { gctl_error(req, "Data authentication is supported starting from version %u.", G_ELI_VERSION_01); return; } md.md_aalgo = g_eli_str2aalgo(str); if (md.md_aalgo >= CRYPTO_ALGORITHM_MIN && md.md_aalgo <= CRYPTO_ALGORITHM_MAX) { md.md_flags |= G_ELI_FLAG_AUTH; } else { /* * For backward compatibility, check if the -a option * was used to provide encryption algorithm. */ md.md_ealgo = g_eli_str2ealgo(str); if (md.md_ealgo < CRYPTO_ALGORITHM_MIN || md.md_ealgo > CRYPTO_ALGORITHM_MAX) { gctl_error(req, "Invalid authentication algorithm."); return; } else { fprintf(stderr, "warning: The -e option, not " "the -a option is now used to specify " "encryption algorithm to use.\n"); } } } if (md.md_ealgo < CRYPTO_ALGORITHM_MIN || md.md_ealgo > CRYPTO_ALGORITHM_MAX) { str = gctl_get_ascii(req, "ealgo"); if (*str == '\0') { if (version < G_ELI_VERSION_05) str = "aes-cbc"; else str = GELI_ENC_ALGO; } md.md_ealgo = g_eli_str2ealgo(str); if (md.md_ealgo < CRYPTO_ALGORITHM_MIN || md.md_ealgo > CRYPTO_ALGORITHM_MAX) { gctl_error(req, "Invalid encryption algorithm."); return; } if (md.md_ealgo == CRYPTO_CAMELLIA_CBC && version < G_ELI_VERSION_04) { gctl_error(req, "Camellia-CBC algorithm is supported starting from version %u.", G_ELI_VERSION_04); return; } if (md.md_ealgo == CRYPTO_AES_XTS && version < G_ELI_VERSION_05) { gctl_error(req, "AES-XTS algorithm is supported starting from version %u.", G_ELI_VERSION_05); return; } } val = gctl_get_intmax(req, "keylen"); md.md_keylen = val; md.md_keylen = g_eli_keylen(md.md_ealgo, md.md_keylen); if (md.md_keylen == 0) { gctl_error(req, "Invalid key length."); return; } md.md_provsize = mediasize; val = gctl_get_intmax(req, "iterations"); if (val != -1) { int nonewpassphrase; /* * Don't allow to set iterations when there will be no * passphrase. */ nonewpassphrase = gctl_get_int(req, "nonewpassphrase"); if (nonewpassphrase) { gctl_error(req, "Options -i and -P are mutually exclusive."); return; } } md.md_iterations = val; val = gctl_get_intmax(req, "sectorsize"); if (val == 0) md.md_sectorsize = secsize; else { if (val < 0 || (val % secsize) != 0 || !powerof2(val)) { gctl_error(req, "Invalid sector size."); return; } if (val > sysconf(_SC_PAGE_SIZE)) { fprintf(stderr, "warning: Using sectorsize bigger than the page size!\n"); } md.md_sectorsize = val; } md.md_keys = 0x01; arc4random_buf(md.md_salt, sizeof(md.md_salt)); arc4random_buf(md.md_mkeys, sizeof(md.md_mkeys)); /* Generate user key. */ if (eli_genkey(req, &md, key, true) == NULL) { bzero(key, sizeof(key)); bzero(&md, sizeof(md)); return; } /* Encrypt the first and the only Master Key. */ error = g_eli_mkey_encrypt(md.md_ealgo, key, md.md_keylen, md.md_mkeys); bzero(key, sizeof(key)); if (error != 0) { bzero(&md, sizeof(md)); gctl_error(req, "Cannot encrypt Master Key: %s.", strerror(error)); return; } eli_metadata_encode(&md, sector); bzero(&md, sizeof(md)); error = g_metadata_store(prov, sector, sizeof(sector)); bzero(sector, sizeof(sector)); if (error != 0) { gctl_error(req, "Cannot store metadata on %s: %s.", prov, strerror(error)); return; } if (verbose) printf("Metadata value stored on %s.\n", prov); /* Backup metadata to a file. */ str = gctl_get_ascii(req, "backupfile"); if (str[0] != '\0') { /* Backupfile given be the user, just copy it. */ strlcpy(backfile, str, sizeof(backfile)); } else { /* Generate file name automatically. */ const char *p = prov; unsigned int i; if (strncmp(p, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) p += sizeof(_PATH_DEV) - 1; snprintf(backfile, sizeof(backfile), "%s%s.eli", GELI_BACKUP_DIR, p); /* Replace all / with _. */ for (i = strlen(GELI_BACKUP_DIR); backfile[i] != '\0'; i++) { if (backfile[i] == '/') backfile[i] = '_'; } } if (strcmp(backfile, "none") != 0 && eli_backup_create(req, prov, backfile) == 0) { printf("\nMetadata backup can be found in %s and\n", backfile); printf("can be restored with the following command:\n"); printf("\n\t# geli restore %s %s\n\n", backfile, prov); } } static void eli_attach(struct gctl_req *req) { struct g_eli_metadata md; unsigned char key[G_ELI_USERKEYLEN]; const char *prov; off_t mediasize; int nargs; nargs = gctl_get_int(req, "nargs"); if (nargs != 1) { gctl_error(req, "Invalid number of arguments."); return; } prov = gctl_get_ascii(req, "arg0"); if (eli_metadata_read(req, prov, &md) == -1) return; mediasize = g_get_mediasize(prov); if (md.md_provsize != (uint64_t)mediasize) { gctl_error(req, "Provider size mismatch."); return; } if (eli_genkey(req, &md, key, false) == NULL) { bzero(key, sizeof(key)); return; } gctl_ro_param(req, "key", sizeof(key), key); if (gctl_issue(req) == NULL) { if (verbose) printf("Attached to %s.\n", prov); } bzero(key, sizeof(key)); } static void eli_configure_detached(struct gctl_req *req, const char *prov, int boot, int geliboot, int trim) { struct g_eli_metadata md; bool changed = 0; if (eli_metadata_read(req, prov, &md) == -1) return; if (boot == 1 && (md.md_flags & G_ELI_FLAG_BOOT)) { if (verbose) printf("BOOT flag already configured for %s.\n", prov); } else if (boot == 0 && !(md.md_flags & G_ELI_FLAG_BOOT)) { if (verbose) printf("BOOT flag not configured for %s.\n", prov); } else if (boot >= 0) { if (boot) md.md_flags |= G_ELI_FLAG_BOOT; else md.md_flags &= ~G_ELI_FLAG_BOOT; changed = 1; } if (geliboot == 1 && (md.md_flags & G_ELI_FLAG_GELIBOOT)) { if (verbose) printf("GELIBOOT flag already configured for %s.\n", prov); } else if (geliboot == 0 && !(md.md_flags & G_ELI_FLAG_GELIBOOT)) { if (verbose) printf("GELIBOOT flag not configured for %s.\n", prov); } else if (geliboot >= 0) { if (geliboot) md.md_flags |= G_ELI_FLAG_GELIBOOT; else md.md_flags &= ~G_ELI_FLAG_GELIBOOT; changed = 1; } if (trim == 0 && (md.md_flags & G_ELI_FLAG_NODELETE)) { if (verbose) printf("TRIM disable flag already configured for %s.\n", prov); } else if (trim == 1 && !(md.md_flags & G_ELI_FLAG_NODELETE)) { if (verbose) printf("TRIM disable flag not configured for %s.\n", prov); } else if (trim >= 0) { if (trim) md.md_flags &= ~G_ELI_FLAG_NODELETE; else md.md_flags |= G_ELI_FLAG_NODELETE; changed = 1; } if (changed) eli_metadata_store(req, prov, &md); bzero(&md, sizeof(md)); } static void eli_configure(struct gctl_req *req) { const char *prov; bool boot, noboot, geliboot, nogeliboot, trim, notrim; int doboot, dogeliboot, dotrim; int i, nargs; nargs = gctl_get_int(req, "nargs"); if (nargs == 0) { gctl_error(req, "Too few arguments."); return; } boot = gctl_get_int(req, "boot"); noboot = gctl_get_int(req, "noboot"); geliboot = gctl_get_int(req, "geliboot"); nogeliboot = gctl_get_int(req, "nogeliboot"); trim = gctl_get_int(req, "trim"); notrim = gctl_get_int(req, "notrim"); doboot = -1; if (boot && noboot) { gctl_error(req, "Options -b and -B are mutually exclusive."); return; } if (boot) doboot = 1; else if (noboot) doboot = 0; dogeliboot = -1; if (geliboot && nogeliboot) { gctl_error(req, "Options -g and -G are mutually exclusive."); return; } if (geliboot) dogeliboot = 1; else if (nogeliboot) dogeliboot = 0; dotrim = -1; if (trim && notrim) { gctl_error(req, "Options -t and -T are mutually exclusive."); return; } if (trim) dotrim = 1; else if (notrim) dotrim = 0; if (doboot == -1 && dogeliboot == -1 && dotrim == -1) { gctl_error(req, "No option given."); return; } /* First attached providers. */ gctl_issue(req); /* Now the rest. */ for (i = 0; i < nargs; i++) { prov = gctl_get_ascii(req, "arg%d", i); if (!eli_is_attached(prov)) eli_configure_detached(req, prov, doboot, dogeliboot, dotrim); } } static void eli_setkey_attached(struct gctl_req *req, struct g_eli_metadata *md) { unsigned char key[G_ELI_USERKEYLEN]; intmax_t val, old = 0; int error; val = gctl_get_intmax(req, "iterations"); /* Check if iterations number should be changed. */ if (val != -1) md->md_iterations = val; else old = md->md_iterations; /* Generate key for Master Key encryption. */ if (eli_genkey(req, md, key, true) == NULL) { bzero(key, sizeof(key)); return; } /* * If number of iterations has changed, but wasn't given as a * command-line argument, update the request. */ if (val == -1 && md->md_iterations != old) { error = gctl_change_param(req, "iterations", sizeof(intmax_t), &md->md_iterations); assert(error == 0); } gctl_ro_param(req, "key", sizeof(key), key); gctl_issue(req); bzero(key, sizeof(key)); } static void eli_setkey_detached(struct gctl_req *req, const char *prov, struct g_eli_metadata *md) { unsigned char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN]; unsigned char *mkeydst; unsigned int nkey; intmax_t val; int error; if (md->md_keys == 0) { gctl_error(req, "No valid keys on %s.", prov); return; } /* Generate key for Master Key decryption. */ if (eli_genkey(req, md, key, false) == NULL) { bzero(key, sizeof(key)); return; } /* Decrypt Master Key. */ error = g_eli_mkey_decrypt(md, key, mkey, &nkey); bzero(key, sizeof(key)); if (error != 0) { bzero(md, sizeof(*md)); if (error == -1) gctl_error(req, "Wrong key for %s.", prov); else /* if (error > 0) */ { gctl_error(req, "Cannot decrypt Master Key: %s.", strerror(error)); } return; } if (verbose) printf("Decrypted Master Key %u.\n", nkey); val = gctl_get_intmax(req, "keyno"); if (val != -1) nkey = val; #if 0 else ; /* Use the key number which was found during decryption. */ #endif if (nkey >= G_ELI_MAXMKEYS) { gctl_error(req, "Invalid '%s' argument.", "keyno"); return; } val = gctl_get_intmax(req, "iterations"); /* Check if iterations number should and can be changed. */ if (val != -1) { if (bitcount32(md->md_keys) != 1) { gctl_error(req, "To be able to use '-i' option, only " "one key can be defined."); return; } if (md->md_keys != (1 << nkey)) { gctl_error(req, "Only already defined key can be " "changed when '-i' option is used."); return; } md->md_iterations = val; } mkeydst = md->md_mkeys + nkey * G_ELI_MKEYLEN; md->md_keys |= (1 << nkey); bcopy(mkey, mkeydst, sizeof(mkey)); bzero(mkey, sizeof(mkey)); /* Generate key for Master Key encryption. */ if (eli_genkey(req, md, key, true) == NULL) { bzero(key, sizeof(key)); bzero(md, sizeof(*md)); return; } /* Encrypt the Master-Key with the new key. */ error = g_eli_mkey_encrypt(md->md_ealgo, key, md->md_keylen, mkeydst); bzero(key, sizeof(key)); if (error != 0) { bzero(md, sizeof(*md)); gctl_error(req, "Cannot encrypt Master Key: %s.", strerror(error)); return; } /* Store metadata with fresh key. */ eli_metadata_store(req, prov, md); bzero(md, sizeof(*md)); } static void eli_setkey(struct gctl_req *req) { struct g_eli_metadata md; const char *prov; int nargs; nargs = gctl_get_int(req, "nargs"); if (nargs != 1) { gctl_error(req, "Invalid number of arguments."); return; } prov = gctl_get_ascii(req, "arg0"); if (eli_metadata_read(req, prov, &md) == -1) return; if (eli_is_attached(prov)) eli_setkey_attached(req, &md); else eli_setkey_detached(req, prov, &md); if (req->error == NULL || req->error[0] == '\0') { printf("Note, that the master key encrypted with old keys " "and/or passphrase may still exists in a metadata backup " "file.\n"); } } static void eli_delkey_attached(struct gctl_req *req, const char *prov __unused) { gctl_issue(req); } static void eli_delkey_detached(struct gctl_req *req, const char *prov) { struct g_eli_metadata md; unsigned char *mkeydst; unsigned int nkey; intmax_t val; bool all, force; if (eli_metadata_read(req, prov, &md) == -1) return; all = gctl_get_int(req, "all"); if (all) arc4random_buf(md.md_mkeys, sizeof(md.md_mkeys)); else { force = gctl_get_int(req, "force"); val = gctl_get_intmax(req, "keyno"); if (val == -1) { gctl_error(req, "Key number has to be specified."); return; } nkey = val; if (nkey >= G_ELI_MAXMKEYS) { gctl_error(req, "Invalid '%s' argument.", "keyno"); return; } if (!(md.md_keys & (1 << nkey)) && !force) { gctl_error(req, "Master Key %u is not set.", nkey); return; } md.md_keys &= ~(1 << nkey); if (md.md_keys == 0 && !force) { gctl_error(req, "This is the last Master Key. Use '-f' " "option if you really want to remove it."); return; } mkeydst = md.md_mkeys + nkey * G_ELI_MKEYLEN; arc4random_buf(mkeydst, G_ELI_MKEYLEN); } eli_metadata_store(req, prov, &md); bzero(&md, sizeof(md)); } static void eli_delkey(struct gctl_req *req) { const char *prov; int nargs; nargs = gctl_get_int(req, "nargs"); if (nargs != 1) { gctl_error(req, "Invalid number of arguments."); return; } prov = gctl_get_ascii(req, "arg0"); if (eli_is_attached(prov)) eli_delkey_attached(req, prov); else eli_delkey_detached(req, prov); } static void eli_resume(struct gctl_req *req) { struct g_eli_metadata md; unsigned char key[G_ELI_USERKEYLEN]; const char *prov; off_t mediasize; int nargs; nargs = gctl_get_int(req, "nargs"); if (nargs != 1) { gctl_error(req, "Invalid number of arguments."); return; } prov = gctl_get_ascii(req, "arg0"); if (eli_metadata_read(req, prov, &md) == -1) return; mediasize = g_get_mediasize(prov); if (md.md_provsize != (uint64_t)mediasize) { gctl_error(req, "Provider size mismatch."); return; } if (eli_genkey(req, &md, key, false) == NULL) { bzero(key, sizeof(key)); return; } gctl_ro_param(req, "key", sizeof(key), key); if (gctl_issue(req) == NULL) { if (verbose) printf("Resumed %s.\n", prov); } bzero(key, sizeof(key)); } static int eli_trash_metadata(struct gctl_req *req, const char *prov, int fd, off_t offset) { unsigned int overwrites; unsigned char *sector; ssize_t size; int error; size = sizeof(overwrites); if (sysctlbyname("kern.geom.eli.overwrites", &overwrites, &size, NULL, 0) == -1 || overwrites == 0) { overwrites = G_ELI_OVERWRITES; } size = g_sectorsize(fd); if (size <= 0) { gctl_error(req, "Cannot obtain provider sector size %s: %s.", prov, strerror(errno)); return (-1); } sector = malloc(size); if (sector == NULL) { gctl_error(req, "Cannot allocate %zd bytes of memory.", size); return (-1); } error = 0; do { arc4random_buf(sector, size); if (pwrite(fd, sector, size, offset) != size) { if (error == 0) error = errno; } (void)g_flush(fd); } while (--overwrites > 0); free(sector); if (error != 0) { gctl_error(req, "Cannot trash metadata on provider %s: %s.", prov, strerror(error)); return (-1); } return (0); } static void eli_kill_detached(struct gctl_req *req, const char *prov) { off_t offset; int fd; /* * NOTE: Maybe we should verify if this is geli provider first, * but 'kill' command is quite critical so better don't waste * the time. */ #if 0 error = g_metadata_read(prov, (unsigned char *)&md, sizeof(md), G_ELI_MAGIC); if (error != 0) { gctl_error(req, "Cannot read metadata from %s: %s.", prov, strerror(error)); return; } #endif fd = g_open(prov, 1); if (fd == -1) { gctl_error(req, "Cannot open provider %s: %s.", prov, strerror(errno)); return; } offset = g_mediasize(fd) - g_sectorsize(fd); if (offset <= 0) { gctl_error(req, "Cannot obtain media size or sector size for provider %s: %s.", prov, strerror(errno)); (void)g_close(fd); return; } (void)eli_trash_metadata(req, prov, fd, offset); (void)g_close(fd); } static void eli_kill(struct gctl_req *req) { const char *prov; int i, nargs, all; nargs = gctl_get_int(req, "nargs"); all = gctl_get_int(req, "all"); if (!all && nargs == 0) { gctl_error(req, "Too few arguments."); return; } /* * How '-a' option combine with a list of providers: * Delete Master Keys from all attached providers: * geli kill -a * Delete Master Keys from all attached providers and from * detached da0 and da1: * geli kill -a da0 da1 * Delete Master Keys from (attached or detached) da0 and da1: * geli kill da0 da1 */ /* First detached providers. */ for (i = 0; i < nargs; i++) { prov = gctl_get_ascii(req, "arg%d", i); if (!eli_is_attached(prov)) eli_kill_detached(req, prov); } /* Now attached providers. */ gctl_issue(req); } static int eli_backup_create(struct gctl_req *req, const char *prov, const char *file) { unsigned char *sector; ssize_t secsize; int error, filefd, ret; ret = -1; filefd = -1; sector = NULL; secsize = 0; secsize = g_get_sectorsize(prov); if (secsize == 0) { gctl_error(req, "Cannot get informations about %s: %s.", prov, strerror(errno)); goto out; } sector = malloc(secsize); if (sector == NULL) { gctl_error(req, "Cannot allocate memory."); goto out; } /* Read metadata from the provider. */ error = g_metadata_read(prov, sector, secsize, G_ELI_MAGIC); if (error != 0) { gctl_error(req, "Unable to read metadata from %s: %s.", prov, strerror(error)); goto out; } filefd = open(file, O_WRONLY | O_TRUNC | O_CREAT, 0600); if (filefd == -1) { gctl_error(req, "Unable to open %s: %s.", file, strerror(errno)); goto out; } /* Write metadata to the destination file. */ if (write(filefd, sector, secsize) != secsize) { gctl_error(req, "Unable to write to %s: %s.", file, strerror(errno)); (void)close(filefd); (void)unlink(file); goto out; } (void)fsync(filefd); (void)close(filefd); /* Success. */ ret = 0; out: if (sector != NULL) { bzero(sector, secsize); free(sector); } return (ret); } static void eli_backup(struct gctl_req *req) { const char *file, *prov; int nargs; nargs = gctl_get_int(req, "nargs"); if (nargs != 2) { gctl_error(req, "Invalid number of arguments."); return; } prov = gctl_get_ascii(req, "arg0"); file = gctl_get_ascii(req, "arg1"); eli_backup_create(req, prov, file); } static void eli_restore(struct gctl_req *req) { struct g_eli_metadata md; const char *file, *prov; off_t mediasize; int nargs; nargs = gctl_get_int(req, "nargs"); if (nargs != 2) { gctl_error(req, "Invalid number of arguments."); return; } file = gctl_get_ascii(req, "arg0"); prov = gctl_get_ascii(req, "arg1"); /* Read metadata from the backup file. */ if (eli_metadata_read(req, file, &md) == -1) return; /* Obtain provider's mediasize. */ mediasize = g_get_mediasize(prov); if (mediasize == 0) { gctl_error(req, "Cannot get informations about %s: %s.", prov, strerror(errno)); return; } /* Check if the provider size has changed since we did the backup. */ if (md.md_provsize != (uint64_t)mediasize) { if (gctl_get_int(req, "force")) { md.md_provsize = mediasize; } else { gctl_error(req, "Provider size mismatch: " "wrong backup file?"); return; } } /* Write metadata to the provider. */ (void)eli_metadata_store(req, prov, &md); } static void eli_resize(struct gctl_req *req) { struct g_eli_metadata md; const char *prov; unsigned char *sector; ssize_t secsize; off_t mediasize, oldsize; int error, nargs, provfd; nargs = gctl_get_int(req, "nargs"); if (nargs != 1) { gctl_error(req, "Invalid number of arguments."); return; } prov = gctl_get_ascii(req, "arg0"); provfd = -1; sector = NULL; secsize = 0; provfd = g_open(prov, 1); if (provfd == -1) { gctl_error(req, "Cannot open %s: %s.", prov, strerror(errno)); goto out; } mediasize = g_mediasize(provfd); secsize = g_sectorsize(provfd); if (mediasize == -1 || secsize == -1) { gctl_error(req, "Cannot get information about %s: %s.", prov, strerror(errno)); goto out; } sector = malloc(secsize); if (sector == NULL) { gctl_error(req, "Cannot allocate memory."); goto out; } oldsize = gctl_get_intmax(req, "oldsize"); if (oldsize < 0 || oldsize > mediasize) { gctl_error(req, "Invalid oldsize: Out of range."); goto out; } if (oldsize == mediasize) { gctl_error(req, "Size hasn't changed."); goto out; } /* Read metadata from the 'oldsize' offset. */ if (pread(provfd, sector, secsize, oldsize - secsize) != secsize) { gctl_error(req, "Cannot read old metadata: %s.", strerror(errno)); goto out; } /* Check if this sector contains geli metadata. */ error = eli_metadata_decode(sector, &md); switch (error) { case 0: break; case EOPNOTSUPP: gctl_error(req, "Provider's %s metadata version %u is too new.\n" "geli: The highest supported version is %u.", prov, (unsigned int)md.md_version, G_ELI_VERSION); goto out; case EINVAL: gctl_error(req, "Inconsistent provider's %s metadata.", prov); goto out; default: gctl_error(req, "Unexpected error while decoding provider's %s metadata: %s.", prov, strerror(error)); goto out; } /* * If the old metadata doesn't have a correct provider size, refuse * to resize. */ if (md.md_provsize != (uint64_t)oldsize) { gctl_error(req, "Provider size mismatch at oldsize."); goto out; } /* * Update the old metadata with the current provider size and write * it back to the correct place on the provider. */ md.md_provsize = mediasize; /* Write metadata to the provider. */ (void)eli_metadata_store(req, prov, &md); /* Now trash the old metadata. */ (void)eli_trash_metadata(req, prov, provfd, oldsize - secsize); out: if (provfd != -1) (void)g_close(provfd); if (sector != NULL) { bzero(sector, secsize); free(sector); } } static void eli_version(struct gctl_req *req) { struct g_eli_metadata md; const char *name; unsigned int version; int error, i, nargs; nargs = gctl_get_int(req, "nargs"); if (nargs == 0) { unsigned int kernver; ssize_t size; size = sizeof(kernver); if (sysctlbyname("kern.geom.eli.version", &kernver, &size, NULL, 0) == -1) { warn("Unable to obtain GELI kernel version"); } else { printf("kernel: %u\n", kernver); } printf("userland: %u\n", G_ELI_VERSION); return; } for (i = 0; i < nargs; i++) { name = gctl_get_ascii(req, "arg%d", i); error = g_metadata_read(name, (unsigned char *)&md, sizeof(md), G_ELI_MAGIC); if (error != 0) { warn("%s: Unable to read metadata: %s.", name, strerror(error)); gctl_error(req, "Not fully done."); continue; } version = le32dec(&md.md_version); printf("%s: %u\n", name, version); } } static void eli_clear(struct gctl_req *req) { const char *name; int error, i, nargs; nargs = gctl_get_int(req, "nargs"); if (nargs < 1) { gctl_error(req, "Too few arguments."); return; } for (i = 0; i < nargs; i++) { name = gctl_get_ascii(req, "arg%d", i); error = g_metadata_clear(name, G_ELI_MAGIC); if (error != 0) { fprintf(stderr, "Cannot clear metadata on %s: %s.\n", name, strerror(error)); gctl_error(req, "Not fully done."); continue; } if (verbose) printf("Metadata cleared on %s.\n", name); } } static void eli_dump(struct gctl_req *req) { struct g_eli_metadata md; const char *name; int i, nargs; nargs = gctl_get_int(req, "nargs"); if (nargs < 1) { gctl_error(req, "Too few arguments."); return; } for (i = 0; i < nargs; i++) { name = gctl_get_ascii(req, "arg%d", i); if (eli_metadata_read(NULL, name, &md) == -1) { gctl_error(req, "Not fully done."); continue; } printf("Metadata on %s:\n", name); eli_metadata_dump(&md); printf("\n"); } } Index: head/sys/geom/eli/g_eli.h =================================================================== --- head/sys/geom/eli/g_eli.h (revision 308136) +++ head/sys/geom/eli/g_eli.h (revision 308137) @@ -1,709 +1,715 @@ /*- * Copyright (c) 2005-2011 Pawel Jakub Dawidek * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $FreeBSD$ */ #ifndef _G_ELI_H_ #define _G_ELI_H_ #include #include #include #include #include #include #ifdef _KERNEL #include #include #include #include #include #else #include #include #include #include #endif #include #include #ifndef _OpenSSL_ #include #endif #define G_ELI_CLASS_NAME "ELI" #define G_ELI_MAGIC "GEOM::ELI" #define G_ELI_SUFFIX ".eli" /* * Version history: * 0 - Initial version number. * 1 - Added data authentication support (md_aalgo field and * G_ELI_FLAG_AUTH flag). * 2 - Added G_ELI_FLAG_READONLY. * 3 - Added 'configure' subcommand. * 4 - IV is generated from offset converted to little-endian * (the G_ELI_FLAG_NATIVE_BYTE_ORDER flag will be set for older versions). * 5 - Added multiple encrypton keys and AES-XTS support. * 6 - Fixed usage of multiple keys for authenticated providers (the * G_ELI_FLAG_FIRST_KEY flag will be set for older versions). * 7 - Encryption keys are now generated from the Data Key and not from the * IV Key (the G_ELI_FLAG_ENC_IVKEY flag will be set for older versions). */ #define G_ELI_VERSION_00 0 #define G_ELI_VERSION_01 1 #define G_ELI_VERSION_02 2 #define G_ELI_VERSION_03 3 #define G_ELI_VERSION_04 4 #define G_ELI_VERSION_05 5 #define G_ELI_VERSION_06 6 #define G_ELI_VERSION_07 7 #define G_ELI_VERSION G_ELI_VERSION_07 /* ON DISK FLAGS. */ /* Use random, onetime keys. */ #define G_ELI_FLAG_ONETIME 0x00000001 /* Ask for the passphrase from the kernel, before mounting root. */ #define G_ELI_FLAG_BOOT 0x00000002 /* Detach on last close, if we were open for writing. */ #define G_ELI_FLAG_WO_DETACH 0x00000004 /* Detach on last close. */ #define G_ELI_FLAG_RW_DETACH 0x00000008 /* Provide data authentication. */ #define G_ELI_FLAG_AUTH 0x00000010 /* Provider is read-only, we should deny all write attempts. */ #define G_ELI_FLAG_RO 0x00000020 /* Don't pass through BIO_DELETE requests. */ #define G_ELI_FLAG_NODELETE 0x00000040 /* This GELI supports GELIBoot */ #define G_ELI_FLAG_GELIBOOT 0x00000080 /* RUNTIME FLAGS. */ /* Provider was open for writing. */ #define G_ELI_FLAG_WOPEN 0x00010000 /* Destroy device. */ #define G_ELI_FLAG_DESTROY 0x00020000 /* Provider uses native byte-order for IV generation. */ #define G_ELI_FLAG_NATIVE_BYTE_ORDER 0x00040000 /* Provider uses single encryption key. */ #define G_ELI_FLAG_SINGLE_KEY 0x00080000 /* Device suspended. */ #define G_ELI_FLAG_SUSPEND 0x00100000 /* Provider uses first encryption key. */ #define G_ELI_FLAG_FIRST_KEY 0x00200000 /* Provider uses IV-Key for encryption key generation. */ #define G_ELI_FLAG_ENC_IVKEY 0x00400000 #define G_ELI_NEW_BIO 255 #define SHA512_MDLEN 64 #define G_ELI_AUTH_SECKEYLEN SHA256_DIGEST_LENGTH #define G_ELI_MAXMKEYS 2 #define G_ELI_MAXKEYLEN 64 #define G_ELI_USERKEYLEN G_ELI_MAXKEYLEN #define G_ELI_DATAKEYLEN G_ELI_MAXKEYLEN #define G_ELI_AUTHKEYLEN G_ELI_MAXKEYLEN #define G_ELI_IVKEYLEN G_ELI_MAXKEYLEN #define G_ELI_SALTLEN 64 #define G_ELI_DATAIVKEYLEN (G_ELI_DATAKEYLEN + G_ELI_IVKEYLEN) /* Data-Key, IV-Key, HMAC_SHA512(Derived-Key, Data-Key+IV-Key) */ #define G_ELI_MKEYLEN (G_ELI_DATAIVKEYLEN + SHA512_MDLEN) #define G_ELI_OVERWRITES 5 /* Switch data encryption key every 2^20 blocks. */ #define G_ELI_KEY_SHIFT 20 #define G_ELI_CRYPTO_UNKNOWN 0 #define G_ELI_CRYPTO_HW 1 #define G_ELI_CRYPTO_SW 2 #ifdef _KERNEL extern int g_eli_debug; extern u_int g_eli_overwrites; extern u_int g_eli_batch; #define G_ELI_DEBUG(lvl, ...) do { \ if (g_eli_debug >= (lvl)) { \ printf("GEOM_ELI"); \ if (g_eli_debug > 0) \ printf("[%u]", lvl); \ printf(": "); \ printf(__VA_ARGS__); \ printf("\n"); \ } \ } while (0) #define G_ELI_LOGREQ(lvl, bp, ...) do { \ if (g_eli_debug >= (lvl)) { \ printf("GEOM_ELI"); \ if (g_eli_debug > 0) \ printf("[%u]", lvl); \ printf(": "); \ printf(__VA_ARGS__); \ printf(" "); \ g_print_bio(bp); \ printf("\n"); \ } \ } while (0) struct g_eli_worker { struct g_eli_softc *w_softc; struct proc *w_proc; u_int w_number; uint64_t w_sid; boolean_t w_active; LIST_ENTRY(g_eli_worker) w_next; }; #endif /* _KERNEL */ struct g_eli_softc { struct g_geom *sc_geom; u_int sc_version; u_int sc_crypto; uint8_t sc_mkey[G_ELI_DATAIVKEYLEN]; uint8_t sc_ekey[G_ELI_DATAKEYLEN]; TAILQ_HEAD(, g_eli_key) sc_ekeys_queue; RB_HEAD(g_eli_key_tree, g_eli_key) sc_ekeys_tree; struct mtx sc_ekeys_lock; uint64_t sc_ekeys_total; uint64_t sc_ekeys_allocated; u_int sc_ealgo; u_int sc_ekeylen; uint8_t sc_akey[G_ELI_AUTHKEYLEN]; u_int sc_aalgo; u_int sc_akeylen; u_int sc_alen; SHA256_CTX sc_akeyctx; uint8_t sc_ivkey[G_ELI_IVKEYLEN]; SHA256_CTX sc_ivctx; int sc_nkey; uint32_t sc_flags; int sc_inflight; off_t sc_mediasize; size_t sc_sectorsize; u_int sc_bytes_per_sector; u_int sc_data_per_sector; #ifndef _KERNEL int sc_cpubind; #else /* _KERNEL */ boolean_t sc_cpubind; /* Only for software cryptography. */ struct bio_queue_head sc_queue; struct mtx sc_queue_mtx; LIST_HEAD(, g_eli_worker) sc_workers; #endif /* _KERNEL */ }; #define sc_name sc_geom->name #define G_ELI_KEY_MAGIC 0xe11341c struct g_eli_key { /* Key value, must be first in the structure. */ uint8_t gek_key[G_ELI_DATAKEYLEN]; /* Magic. */ int gek_magic; /* Key number. */ uint64_t gek_keyno; /* Reference counter. */ int gek_count; /* Keeps keys sorted by most recent use. */ TAILQ_ENTRY(g_eli_key) gek_next; /* Keeps keys sorted by number. */ RB_ENTRY(g_eli_key) gek_link; }; struct g_eli_metadata { char md_magic[16]; /* Magic value. */ uint32_t md_version; /* Version number. */ uint32_t md_flags; /* Additional flags. */ uint16_t md_ealgo; /* Encryption algorithm. */ uint16_t md_keylen; /* Key length. */ uint16_t md_aalgo; /* Authentication algorithm. */ uint64_t md_provsize; /* Provider's size. */ uint32_t md_sectorsize; /* Sector size. */ uint8_t md_keys; /* Available keys. */ int32_t md_iterations; /* Number of iterations for PKCS#5v2. */ uint8_t md_salt[G_ELI_SALTLEN]; /* Salt. */ /* Encrypted master key (IV-key, Data-key, HMAC). */ uint8_t md_mkeys[G_ELI_MAXMKEYS * G_ELI_MKEYLEN]; u_char md_hash[16]; /* MD5 hash. */ } __packed; #ifndef _OpenSSL_ static __inline void eli_metadata_encode_v0(struct g_eli_metadata *md, u_char **datap) { u_char *p; p = *datap; le32enc(p, md->md_flags); p += sizeof(md->md_flags); le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); *p = md->md_keys; p += sizeof(md->md_keys); le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); *datap = p; } static __inline void eli_metadata_encode_v1v2v3v4v5v6v7(struct g_eli_metadata *md, u_char **datap) { u_char *p; p = *datap; le32enc(p, md->md_flags); p += sizeof(md->md_flags); le16enc(p, md->md_ealgo); p += sizeof(md->md_ealgo); le16enc(p, md->md_keylen); p += sizeof(md->md_keylen); le16enc(p, md->md_aalgo); p += sizeof(md->md_aalgo); le64enc(p, md->md_provsize); p += sizeof(md->md_provsize); le32enc(p, md->md_sectorsize); p += sizeof(md->md_sectorsize); *p = md->md_keys; p += sizeof(md->md_keys); le32enc(p, md->md_iterations); p += sizeof(md->md_iterations); bcopy(md->md_salt, p, sizeof(md->md_salt)); p += sizeof(md->md_salt); bcopy(md->md_mkeys, p, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); *datap = p; } static __inline void eli_metadata_encode(struct g_eli_metadata *md, u_char *data) { + uint32_t hash[4]; MD5_CTX ctx; u_char *p; p = data; bcopy(md->md_magic, p, sizeof(md->md_magic)); p += sizeof(md->md_magic); le32enc(p, md->md_version); p += sizeof(md->md_version); switch (md->md_version) { case G_ELI_VERSION_00: eli_metadata_encode_v0(md, &p); break; case G_ELI_VERSION_01: case G_ELI_VERSION_02: case G_ELI_VERSION_03: case G_ELI_VERSION_04: case G_ELI_VERSION_05: case G_ELI_VERSION_06: case G_ELI_VERSION_07: eli_metadata_encode_v1v2v3v4v5v6v7(md, &p); break; default: #ifdef _KERNEL panic("%s: Unsupported version %u.", __func__, (u_int)md->md_version); #else assert(!"Unsupported metadata version."); #endif } MD5Init(&ctx); MD5Update(&ctx, data, p - data); - MD5Final(md->md_hash, &ctx); + MD5Final((void *)hash, &ctx); + bcopy(hash, md->md_hash, sizeof(md->md_hash)); bcopy(md->md_hash, p, sizeof(md->md_hash)); } static __inline int eli_metadata_decode_v0(const u_char *data, struct g_eli_metadata *md) { + uint32_t hash[4]; MD5_CTX ctx; const u_char *p; p = data + sizeof(md->md_magic) + sizeof(md->md_version); md->md_flags = le32dec(p); p += sizeof(md->md_flags); md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); md->md_keys = *p; p += sizeof(md->md_keys); md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); MD5Init(&ctx); MD5Update(&ctx, data, p - data); - MD5Final(md->md_hash, &ctx); + MD5Final((void *)hash, &ctx); + bcopy(hash, md->md_hash, sizeof(md->md_hash)); if (bcmp(md->md_hash, p, 16) != 0) return (EINVAL); return (0); } static __inline int eli_metadata_decode_v1v2v3v4v5v6v7(const u_char *data, struct g_eli_metadata *md) { + uint32_t hash[4]; MD5_CTX ctx; const u_char *p; p = data + sizeof(md->md_magic) + sizeof(md->md_version); md->md_flags = le32dec(p); p += sizeof(md->md_flags); md->md_ealgo = le16dec(p); p += sizeof(md->md_ealgo); md->md_keylen = le16dec(p); p += sizeof(md->md_keylen); md->md_aalgo = le16dec(p); p += sizeof(md->md_aalgo); md->md_provsize = le64dec(p); p += sizeof(md->md_provsize); md->md_sectorsize = le32dec(p); p += sizeof(md->md_sectorsize); md->md_keys = *p; p += sizeof(md->md_keys); md->md_iterations = le32dec(p); p += sizeof(md->md_iterations); bcopy(p, md->md_salt, sizeof(md->md_salt)); p += sizeof(md->md_salt); bcopy(p, md->md_mkeys, sizeof(md->md_mkeys)); p += sizeof(md->md_mkeys); MD5Init(&ctx); MD5Update(&ctx, data, p - data); - MD5Final(md->md_hash, &ctx); + MD5Final((void *)hash, &ctx); + bcopy(hash, md->md_hash, sizeof(md->md_hash)); if (bcmp(md->md_hash, p, 16) != 0) return (EINVAL); return (0); } static __inline int eli_metadata_decode(const u_char *data, struct g_eli_metadata *md) { int error; bcopy(data, md->md_magic, sizeof(md->md_magic)); if (strcmp(md->md_magic, G_ELI_MAGIC) != 0) return (EINVAL); md->md_version = le32dec(data + sizeof(md->md_magic)); switch (md->md_version) { case G_ELI_VERSION_00: error = eli_metadata_decode_v0(data, md); break; case G_ELI_VERSION_01: case G_ELI_VERSION_02: case G_ELI_VERSION_03: case G_ELI_VERSION_04: case G_ELI_VERSION_05: case G_ELI_VERSION_06: case G_ELI_VERSION_07: error = eli_metadata_decode_v1v2v3v4v5v6v7(data, md); break; default: error = EOPNOTSUPP; break; } return (error); } #endif /* !_OpenSSL */ static __inline u_int g_eli_str2ealgo(const char *name) { if (strcasecmp("null", name) == 0) return (CRYPTO_NULL_CBC); else if (strcasecmp("null-cbc", name) == 0) return (CRYPTO_NULL_CBC); else if (strcasecmp("aes", name) == 0) return (CRYPTO_AES_XTS); else if (strcasecmp("aes-cbc", name) == 0) return (CRYPTO_AES_CBC); else if (strcasecmp("aes-xts", name) == 0) return (CRYPTO_AES_XTS); else if (strcasecmp("blowfish", name) == 0) return (CRYPTO_BLF_CBC); else if (strcasecmp("blowfish-cbc", name) == 0) return (CRYPTO_BLF_CBC); else if (strcasecmp("camellia", name) == 0) return (CRYPTO_CAMELLIA_CBC); else if (strcasecmp("camellia-cbc", name) == 0) return (CRYPTO_CAMELLIA_CBC); else if (strcasecmp("3des", name) == 0) return (CRYPTO_3DES_CBC); else if (strcasecmp("3des-cbc", name) == 0) return (CRYPTO_3DES_CBC); return (CRYPTO_ALGORITHM_MIN - 1); } static __inline u_int g_eli_str2aalgo(const char *name) { if (strcasecmp("hmac/md5", name) == 0) return (CRYPTO_MD5_HMAC); else if (strcasecmp("hmac/sha1", name) == 0) return (CRYPTO_SHA1_HMAC); else if (strcasecmp("hmac/ripemd160", name) == 0) return (CRYPTO_RIPEMD160_HMAC); else if (strcasecmp("hmac/sha256", name) == 0) return (CRYPTO_SHA2_256_HMAC); else if (strcasecmp("hmac/sha384", name) == 0) return (CRYPTO_SHA2_384_HMAC); else if (strcasecmp("hmac/sha512", name) == 0) return (CRYPTO_SHA2_512_HMAC); return (CRYPTO_ALGORITHM_MIN - 1); } static __inline const char * g_eli_algo2str(u_int algo) { switch (algo) { case CRYPTO_NULL_CBC: return ("NULL"); case CRYPTO_AES_CBC: return ("AES-CBC"); case CRYPTO_AES_XTS: return ("AES-XTS"); case CRYPTO_BLF_CBC: return ("Blowfish-CBC"); case CRYPTO_CAMELLIA_CBC: return ("CAMELLIA-CBC"); case CRYPTO_3DES_CBC: return ("3DES-CBC"); case CRYPTO_MD5_HMAC: return ("HMAC/MD5"); case CRYPTO_SHA1_HMAC: return ("HMAC/SHA1"); case CRYPTO_RIPEMD160_HMAC: return ("HMAC/RIPEMD160"); case CRYPTO_SHA2_256_HMAC: return ("HMAC/SHA256"); case CRYPTO_SHA2_384_HMAC: return ("HMAC/SHA384"); case CRYPTO_SHA2_512_HMAC: return ("HMAC/SHA512"); } return ("unknown"); } static __inline void eli_metadata_dump(const struct g_eli_metadata *md) { static const char hex[] = "0123456789abcdef"; char str[sizeof(md->md_mkeys) * 2 + 1]; u_int i; printf(" magic: %s\n", md->md_magic); printf(" version: %u\n", (u_int)md->md_version); printf(" flags: 0x%x\n", (u_int)md->md_flags); printf(" ealgo: %s\n", g_eli_algo2str(md->md_ealgo)); printf(" keylen: %u\n", (u_int)md->md_keylen); if (md->md_flags & G_ELI_FLAG_AUTH) printf(" aalgo: %s\n", g_eli_algo2str(md->md_aalgo)); printf(" provsize: %ju\n", (uintmax_t)md->md_provsize); printf("sectorsize: %u\n", (u_int)md->md_sectorsize); printf(" keys: 0x%02x\n", (u_int)md->md_keys); printf("iterations: %u\n", (u_int)md->md_iterations); bzero(str, sizeof(str)); for (i = 0; i < sizeof(md->md_salt); i++) { str[i * 2] = hex[md->md_salt[i] >> 4]; str[i * 2 + 1] = hex[md->md_salt[i] & 0x0f]; } printf(" Salt: %s\n", str); bzero(str, sizeof(str)); for (i = 0; i < sizeof(md->md_mkeys); i++) { str[i * 2] = hex[md->md_mkeys[i] >> 4]; str[i * 2 + 1] = hex[md->md_mkeys[i] & 0x0f]; } printf("Master Key: %s\n", str); bzero(str, sizeof(str)); for (i = 0; i < 16; i++) { str[i * 2] = hex[md->md_hash[i] >> 4]; str[i * 2 + 1] = hex[md->md_hash[i] & 0x0f]; } printf(" MD5 hash: %s\n", str); } static __inline u_int g_eli_keylen(u_int algo, u_int keylen) { switch (algo) { case CRYPTO_NULL_CBC: if (keylen == 0) keylen = 64 * 8; else { if (keylen > 64 * 8) keylen = 0; } return (keylen); case CRYPTO_AES_CBC: case CRYPTO_CAMELLIA_CBC: switch (keylen) { case 0: return (128); case 128: case 192: case 256: return (keylen); default: return (0); } case CRYPTO_AES_XTS: switch (keylen) { case 0: return (128); case 128: case 256: return (keylen); default: return (0); } case CRYPTO_BLF_CBC: if (keylen == 0) return (128); if (keylen < 128 || keylen > 448) return (0); if ((keylen % 32) != 0) return (0); return (keylen); case CRYPTO_3DES_CBC: if (keylen == 0 || keylen == 192) return (192); return (0); default: return (0); } } static __inline u_int g_eli_hashlen(u_int algo) { switch (algo) { case CRYPTO_MD5_HMAC: return (16); case CRYPTO_SHA1_HMAC: return (20); case CRYPTO_RIPEMD160_HMAC: return (20); case CRYPTO_SHA2_256_HMAC: return (32); case CRYPTO_SHA2_384_HMAC: return (48); case CRYPTO_SHA2_512_HMAC: return (64); } return (0); } static __inline void eli_metadata_softc(struct g_eli_softc *sc, const struct g_eli_metadata *md, u_int sectorsize, off_t mediasize) { sc->sc_version = md->md_version; sc->sc_inflight = 0; sc->sc_crypto = G_ELI_CRYPTO_UNKNOWN; sc->sc_flags = md->md_flags; /* Backward compatibility. */ if (md->md_version < G_ELI_VERSION_04) sc->sc_flags |= G_ELI_FLAG_NATIVE_BYTE_ORDER; if (md->md_version < G_ELI_VERSION_05) sc->sc_flags |= G_ELI_FLAG_SINGLE_KEY; if (md->md_version < G_ELI_VERSION_06 && (sc->sc_flags & G_ELI_FLAG_AUTH) != 0) { sc->sc_flags |= G_ELI_FLAG_FIRST_KEY; } if (md->md_version < G_ELI_VERSION_07) sc->sc_flags |= G_ELI_FLAG_ENC_IVKEY; sc->sc_ealgo = md->md_ealgo; if (sc->sc_flags & G_ELI_FLAG_AUTH) { sc->sc_akeylen = sizeof(sc->sc_akey) * 8; sc->sc_aalgo = md->md_aalgo; sc->sc_alen = g_eli_hashlen(sc->sc_aalgo); sc->sc_data_per_sector = sectorsize - sc->sc_alen; /* * Some hash functions (like SHA1 and RIPEMD160) generates hash * which length is not multiple of 128 bits, but we want data * length to be multiple of 128, so we can encrypt without * padding. The line below rounds down data length to multiple * of 128 bits. */ sc->sc_data_per_sector -= sc->sc_data_per_sector % 16; sc->sc_bytes_per_sector = (md->md_sectorsize - 1) / sc->sc_data_per_sector + 1; sc->sc_bytes_per_sector *= sectorsize; } sc->sc_sectorsize = md->md_sectorsize; sc->sc_mediasize = mediasize; if (!(sc->sc_flags & G_ELI_FLAG_ONETIME)) sc->sc_mediasize -= sectorsize; if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize); else { sc->sc_mediasize /= sc->sc_bytes_per_sector; sc->sc_mediasize *= sc->sc_sectorsize; } sc->sc_ekeylen = md->md_keylen; } #ifdef _KERNEL int g_eli_read_metadata(struct g_class *mp, struct g_provider *pp, struct g_eli_metadata *md); struct g_geom *g_eli_create(struct gctl_req *req, struct g_class *mp, struct g_provider *bpp, const struct g_eli_metadata *md, const u_char *mkey, int nkey); int g_eli_destroy(struct g_eli_softc *sc, boolean_t force); int g_eli_access(struct g_provider *pp, int dr, int dw, int de); void g_eli_config(struct gctl_req *req, struct g_class *mp, const char *verb); void g_eli_read_done(struct bio *bp); void g_eli_write_done(struct bio *bp); int g_eli_crypto_rerun(struct cryptop *crp); void g_eli_crypto_read(struct g_eli_softc *sc, struct bio *bp, boolean_t fromworker); void g_eli_crypto_run(struct g_eli_worker *wr, struct bio *bp); void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp); void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp); #endif void g_eli_crypto_ivgen(struct g_eli_softc *sc, off_t offset, u_char *iv, size_t size); void g_eli_mkey_hmac(unsigned char *mkey, const unsigned char *key); int g_eli_mkey_decrypt(const struct g_eli_metadata *md, const unsigned char *key, unsigned char *mkey, unsigned *nkeyp); int g_eli_mkey_encrypt(unsigned algo, const unsigned char *key, unsigned keylen, unsigned char *mkey); #ifdef _KERNEL void g_eli_mkey_propagate(struct g_eli_softc *sc, const unsigned char *mkey); #endif int g_eli_crypto_encrypt(u_int algo, u_char *data, size_t datasize, const u_char *key, size_t keysize); int g_eli_crypto_decrypt(u_int algo, u_char *data, size_t datasize, const u_char *key, size_t keysize); struct hmac_ctx { SHA512_CTX shactx; u_char k_opad[128]; }; void g_eli_crypto_hmac_init(struct hmac_ctx *ctx, const uint8_t *hkey, size_t hkeylen); void g_eli_crypto_hmac_update(struct hmac_ctx *ctx, const uint8_t *data, size_t datasize); void g_eli_crypto_hmac_final(struct hmac_ctx *ctx, uint8_t *md, size_t mdsize); void g_eli_crypto_hmac(const uint8_t *hkey, size_t hkeysize, const uint8_t *data, size_t datasize, uint8_t *md, size_t mdsize); void g_eli_key_fill(struct g_eli_softc *sc, struct g_eli_key *key, uint64_t keyno); #ifdef _KERNEL void g_eli_key_init(struct g_eli_softc *sc); void g_eli_key_destroy(struct g_eli_softc *sc); uint8_t *g_eli_key_hold(struct g_eli_softc *sc, off_t offset, size_t blocksize); void g_eli_key_drop(struct g_eli_softc *sc, uint8_t *rawkey); #endif #endif /* !_G_ELI_H_ */ Index: head/sys/geom/eli/g_eli_integrity.c =================================================================== --- head/sys/geom/eli/g_eli_integrity.c (revision 308136) +++ head/sys/geom/eli/g_eli_integrity.c (revision 308137) @@ -1,525 +1,530 @@ /*- * Copyright (c) 2005-2011 Pawel Jakub Dawidek * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* * The data layout description when integrity verification is configured. * * One of the most important assumption here is that authenticated data and its * HMAC has to be stored in the same place (namely in the same sector) to make * it work reliable. * The problem is that file systems work only with sectors that are multiple of * 512 bytes and a power of two number. * My idea to implement it is as follows. * Let's store HMAC in sector. This is a must. This leaves us 480 bytes for * data. We can't use that directly (ie. we can't create provider with 480 bytes * sector size). We need another sector from where we take only 32 bytes of data * and we store HMAC of this data as well. This takes two sectors from the * original provider at the input and leaves us one sector of authenticated data * at the output. Not very efficient, but you got the idea. * Now, let's assume, we want to create provider with 4096 bytes sector. * To output 4096 bytes of authenticated data we need 8x480 plus 1x256, so we * need nine 512-bytes sectors at the input to get one 4096-bytes sector at the * output. That's better. With 4096 bytes sector we can use 89% of size of the * original provider. I find it as an acceptable cost. * The reliability comes from the fact, that every HMAC stored inside the sector * is calculated only for the data in the same sector, so its impossible to * write new data and leave old HMAC or vice versa. * * And here is the picture: * * da0: +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+-----+ * |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |480b| |32b |256b | * |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data| |HMAC|Data | * +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+----+ +----+-----+ * |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |512 bytes| |288 bytes | * +---------+ +---------+ +---------+ +---------+ +---------+ +---------+ +---------+ +---------+ |224 unused| * +----------+ * da0.eli: +----+----+----+----+----+----+----+----+----+ * |480b|480b|480b|480b|480b|480b|480b|480b|256b| * +----+----+----+----+----+----+----+----+----+ * | 4096 bytes | * +--------------------------------------------+ * * PS. You can use any sector size with geli(8). My example is using 4kB, * because it's most efficient. For 8kB sectors you need 2 extra sectors, * so the cost is the same as for 4kB sectors. */ /* * Code paths: * BIO_READ: * g_eli_start -> g_eli_auth_read -> g_io_request -> g_eli_read_done -> g_eli_auth_run -> g_eli_auth_read_done -> g_io_deliver * BIO_WRITE: * g_eli_start -> g_eli_auth_run -> g_eli_auth_write_done -> g_io_request -> g_eli_write_done -> g_io_deliver */ MALLOC_DECLARE(M_ELI); /* * Here we generate key for HMAC. Every sector has its own HMAC key, so it is * not possible to copy sectors. * We cannot depend on fact, that every sector has its own IV, because different * IV doesn't change HMAC, when we use encrypt-then-authenticate method. */ static void g_eli_auth_keygen(struct g_eli_softc *sc, off_t offset, u_char *key) { SHA256_CTX ctx; /* Copy precalculated SHA256 context. */ bcopy(&sc->sc_akeyctx, &ctx, sizeof(ctx)); SHA256_Update(&ctx, (uint8_t *)&offset, sizeof(offset)); SHA256_Final(key, &ctx); } /* * The function is called after we read and decrypt data. * * g_eli_start -> g_eli_auth_read -> g_io_request -> g_eli_read_done -> g_eli_auth_run -> G_ELI_AUTH_READ_DONE -> g_io_deliver */ static int g_eli_auth_read_done(struct cryptop *crp) { struct g_eli_softc *sc; struct bio *bp; if (crp->crp_etype == EAGAIN) { if (g_eli_crypto_rerun(crp) == 0) return (0); } bp = (struct bio *)crp->crp_opaque; bp->bio_inbed++; if (crp->crp_etype == 0) { bp->bio_completed += crp->crp_olen; G_ELI_DEBUG(3, "Crypto READ request done (%d/%d) (add=%jd completed=%jd).", bp->bio_inbed, bp->bio_children, (intmax_t)crp->crp_olen, (intmax_t)bp->bio_completed); } else { G_ELI_DEBUG(1, "Crypto READ request failed (%d/%d) error=%d.", bp->bio_inbed, bp->bio_children, crp->crp_etype); if (bp->bio_error == 0) bp->bio_error = crp->crp_etype; } sc = bp->bio_to->geom->softc; g_eli_key_drop(sc, crp->crp_desc->crd_next->crd_key); /* * Do we have all sectors already? */ if (bp->bio_inbed < bp->bio_children) return (0); if (bp->bio_error == 0) { u_int i, lsec, nsec, data_secsize, decr_secsize, encr_secsize; u_char *srcdata, *dstdata, *auth; off_t coroff, corsize; /* * Verify data integrity based on calculated and read HMACs. */ /* Sectorsize of decrypted provider eg. 4096. */ decr_secsize = bp->bio_to->sectorsize; /* The real sectorsize of encrypted provider, eg. 512. */ encr_secsize = LIST_FIRST(&sc->sc_geom->consumer)->provider->sectorsize; /* Number of data bytes in one encrypted sector, eg. 480. */ data_secsize = sc->sc_data_per_sector; /* Number of sectors from decrypted provider, eg. 2. */ nsec = bp->bio_length / decr_secsize; /* Number of sectors from encrypted provider, eg. 18. */ nsec = (nsec * sc->sc_bytes_per_sector) / encr_secsize; /* Last sector number in every big sector, eg. 9. */ lsec = sc->sc_bytes_per_sector / encr_secsize; srcdata = bp->bio_driver2; dstdata = bp->bio_data; auth = srcdata + encr_secsize * nsec; coroff = -1; corsize = 0; for (i = 1; i <= nsec; i++) { data_secsize = sc->sc_data_per_sector; if ((i % lsec) == 0) data_secsize = decr_secsize % data_secsize; if (bcmp(srcdata, auth, sc->sc_alen) != 0) { /* * Curruption detected, remember the offset if * this is the first corrupted sector and * increase size. */ if (bp->bio_error == 0) bp->bio_error = -1; if (coroff == -1) { coroff = bp->bio_offset + (dstdata - (u_char *)bp->bio_data); } corsize += data_secsize; } else { /* * No curruption, good. * Report previous corruption if there was one. */ if (coroff != -1) { G_ELI_DEBUG(0, "%s: Failed to authenticate %jd " "bytes of data at offset %jd.", sc->sc_name, (intmax_t)corsize, (intmax_t)coroff); coroff = -1; corsize = 0; } bcopy(srcdata + sc->sc_alen, dstdata, data_secsize); } srcdata += encr_secsize; dstdata += data_secsize; auth += sc->sc_alen; } /* Report previous corruption if there was one. */ if (coroff != -1) { G_ELI_DEBUG(0, "%s: Failed to authenticate %jd " "bytes of data at offset %jd.", sc->sc_name, (intmax_t)corsize, (intmax_t)coroff); } } free(bp->bio_driver2, M_ELI); bp->bio_driver2 = NULL; if (bp->bio_error != 0) { if (bp->bio_error == -1) bp->bio_error = EINVAL; else { G_ELI_LOGREQ(0, bp, "Crypto READ request failed (error=%d).", bp->bio_error); } bp->bio_completed = 0; } /* * Read is finished, send it up. */ g_io_deliver(bp, bp->bio_error); atomic_subtract_int(&sc->sc_inflight, 1); return (0); } /* * The function is called after data encryption. * * g_eli_start -> g_eli_auth_run -> G_ELI_AUTH_WRITE_DONE -> g_io_request -> g_eli_write_done -> g_io_deliver */ static int g_eli_auth_write_done(struct cryptop *crp) { struct g_eli_softc *sc; struct g_consumer *cp; struct bio *bp, *cbp, *cbp2; u_int nsec; if (crp->crp_etype == EAGAIN) { if (g_eli_crypto_rerun(crp) == 0) return (0); } bp = (struct bio *)crp->crp_opaque; bp->bio_inbed++; if (crp->crp_etype == 0) { G_ELI_DEBUG(3, "Crypto WRITE request done (%d/%d).", bp->bio_inbed, bp->bio_children); } else { G_ELI_DEBUG(1, "Crypto WRITE request failed (%d/%d) error=%d.", bp->bio_inbed, bp->bio_children, crp->crp_etype); if (bp->bio_error == 0) bp->bio_error = crp->crp_etype; } sc = bp->bio_to->geom->softc; g_eli_key_drop(sc, crp->crp_desc->crd_key); /* * All sectors are already encrypted? */ if (bp->bio_inbed < bp->bio_children) return (0); if (bp->bio_error != 0) { G_ELI_LOGREQ(0, bp, "Crypto WRITE request failed (error=%d).", bp->bio_error); free(bp->bio_driver2, M_ELI); bp->bio_driver2 = NULL; cbp = bp->bio_driver1; bp->bio_driver1 = NULL; g_destroy_bio(cbp); g_io_deliver(bp, bp->bio_error); atomic_subtract_int(&sc->sc_inflight, 1); return (0); } cp = LIST_FIRST(&sc->sc_geom->consumer); cbp = bp->bio_driver1; bp->bio_driver1 = NULL; cbp->bio_to = cp->provider; cbp->bio_done = g_eli_write_done; /* Number of sectors from decrypted provider, eg. 1. */ nsec = bp->bio_length / bp->bio_to->sectorsize; /* Number of sectors from encrypted provider, eg. 9. */ nsec = (nsec * sc->sc_bytes_per_sector) / cp->provider->sectorsize; cbp->bio_length = cp->provider->sectorsize * nsec; cbp->bio_offset = (bp->bio_offset / bp->bio_to->sectorsize) * sc->sc_bytes_per_sector; cbp->bio_data = bp->bio_driver2; /* * We write more than what is requested, so we have to be ready to write * more than MAXPHYS. */ cbp2 = NULL; if (cbp->bio_length > MAXPHYS) { cbp2 = g_duplicate_bio(bp); cbp2->bio_length = cbp->bio_length - MAXPHYS; cbp2->bio_data = cbp->bio_data + MAXPHYS; cbp2->bio_offset = cbp->bio_offset + MAXPHYS; cbp2->bio_to = cp->provider; cbp2->bio_done = g_eli_write_done; cbp->bio_length = MAXPHYS; } /* * Send encrypted data to the provider. */ G_ELI_LOGREQ(2, cbp, "Sending request."); bp->bio_inbed = 0; bp->bio_children = (cbp2 != NULL ? 2 : 1); g_io_request(cbp, cp); if (cbp2 != NULL) { G_ELI_LOGREQ(2, cbp2, "Sending request."); g_io_request(cbp2, cp); } return (0); } void g_eli_auth_read(struct g_eli_softc *sc, struct bio *bp) { struct g_consumer *cp; struct bio *cbp, *cbp2; size_t size; off_t nsec; bp->bio_pflags = 0; cp = LIST_FIRST(&sc->sc_geom->consumer); cbp = bp->bio_driver1; bp->bio_driver1 = NULL; cbp->bio_to = cp->provider; cbp->bio_done = g_eli_read_done; /* Number of sectors from decrypted provider, eg. 1. */ nsec = bp->bio_length / bp->bio_to->sectorsize; /* Number of sectors from encrypted provider, eg. 9. */ nsec = (nsec * sc->sc_bytes_per_sector) / cp->provider->sectorsize; cbp->bio_length = cp->provider->sectorsize * nsec; size = cbp->bio_length; size += sc->sc_alen * nsec; size += sizeof(struct cryptop) * nsec; size += sizeof(struct cryptodesc) * nsec * 2; size += G_ELI_AUTH_SECKEYLEN * nsec; cbp->bio_offset = (bp->bio_offset / bp->bio_to->sectorsize) * sc->sc_bytes_per_sector; bp->bio_driver2 = malloc(size, M_ELI, M_WAITOK); cbp->bio_data = bp->bio_driver2; /* * We read more than what is requested, so we have to be ready to read * more than MAXPHYS. */ cbp2 = NULL; if (cbp->bio_length > MAXPHYS) { cbp2 = g_duplicate_bio(bp); cbp2->bio_length = cbp->bio_length - MAXPHYS; cbp2->bio_data = cbp->bio_data + MAXPHYS; cbp2->bio_offset = cbp->bio_offset + MAXPHYS; cbp2->bio_to = cp->provider; cbp2->bio_done = g_eli_read_done; cbp->bio_length = MAXPHYS; } /* * Read encrypted data from provider. */ G_ELI_LOGREQ(2, cbp, "Sending request."); g_io_request(cbp, cp); if (cbp2 != NULL) { G_ELI_LOGREQ(2, cbp2, "Sending request."); g_io_request(cbp2, cp); } } /* * This is the main function responsible for cryptography (ie. communication * with crypto(9) subsystem). * * BIO_READ: * g_eli_start -> g_eli_auth_read -> g_io_request -> g_eli_read_done -> G_ELI_AUTH_RUN -> g_eli_auth_read_done -> g_io_deliver * BIO_WRITE: * g_eli_start -> G_ELI_AUTH_RUN -> g_eli_auth_write_done -> g_io_request -> g_eli_write_done -> g_io_deliver */ void g_eli_auth_run(struct g_eli_worker *wr, struct bio *bp) { struct g_eli_softc *sc; struct cryptop *crp; struct cryptodesc *crde, *crda; u_int i, lsec, nsec, data_secsize, decr_secsize, encr_secsize; off_t dstoff; u_char *p, *data, *auth, *authkey, *plaindata; int error; G_ELI_LOGREQ(3, bp, "%s", __func__); bp->bio_pflags = wr->w_number; sc = wr->w_softc; /* Sectorsize of decrypted provider eg. 4096. */ decr_secsize = bp->bio_to->sectorsize; /* The real sectorsize of encrypted provider, eg. 512. */ encr_secsize = LIST_FIRST(&sc->sc_geom->consumer)->provider->sectorsize; /* Number of data bytes in one encrypted sector, eg. 480. */ data_secsize = sc->sc_data_per_sector; /* Number of sectors from decrypted provider, eg. 2. */ nsec = bp->bio_length / decr_secsize; /* Number of sectors from encrypted provider, eg. 18. */ nsec = (nsec * sc->sc_bytes_per_sector) / encr_secsize; /* Last sector number in every big sector, eg. 9. */ lsec = sc->sc_bytes_per_sector / encr_secsize; /* Destination offset, used for IV generation. */ dstoff = (bp->bio_offset / bp->bio_to->sectorsize) * sc->sc_bytes_per_sector; auth = NULL; /* Silence compiler warning. */ plaindata = bp->bio_data; if (bp->bio_cmd == BIO_READ) { data = bp->bio_driver2; auth = data + encr_secsize * nsec; p = auth + sc->sc_alen * nsec; } else { size_t size; size = encr_secsize * nsec; size += sizeof(*crp) * nsec; size += sizeof(*crde) * nsec; size += sizeof(*crda) * nsec; size += G_ELI_AUTH_SECKEYLEN * nsec; + size += sizeof(uintptr_t); /* Space for alignment. */ data = malloc(size, M_ELI, M_WAITOK); bp->bio_driver2 = data; p = data + encr_secsize * nsec; } bp->bio_inbed = 0; bp->bio_children = nsec; + +#if defined(__mips_n64) || defined(__mips_o64) + p = (char *)roundup((uintptr_t)p, sizeof(uintptr_t)); +#endif for (i = 1; i <= nsec; i++, dstoff += encr_secsize) { crp = (struct cryptop *)p; p += sizeof(*crp); crde = (struct cryptodesc *)p; p += sizeof(*crde); crda = (struct cryptodesc *)p; p += sizeof(*crda); authkey = (u_char *)p; p += G_ELI_AUTH_SECKEYLEN; data_secsize = sc->sc_data_per_sector; if ((i % lsec) == 0) data_secsize = decr_secsize % data_secsize; if (bp->bio_cmd == BIO_READ) { /* Remember read HMAC. */ bcopy(data, auth, sc->sc_alen); auth += sc->sc_alen; /* TODO: bzero(9) can be commented out later. */ bzero(data, sc->sc_alen); } else { bcopy(plaindata, data + sc->sc_alen, data_secsize); plaindata += data_secsize; } crp->crp_sid = wr->w_sid; crp->crp_ilen = sc->sc_alen + data_secsize; crp->crp_olen = data_secsize; crp->crp_opaque = (void *)bp; crp->crp_buf = (void *)data; data += encr_secsize; crp->crp_flags = CRYPTO_F_CBIFSYNC; if (g_eli_batch) crp->crp_flags |= CRYPTO_F_BATCH; if (bp->bio_cmd == BIO_WRITE) { crp->crp_callback = g_eli_auth_write_done; crp->crp_desc = crde; crde->crd_next = crda; crda->crd_next = NULL; } else { crp->crp_callback = g_eli_auth_read_done; crp->crp_desc = crda; crda->crd_next = crde; crde->crd_next = NULL; } crde->crd_skip = sc->sc_alen; crde->crd_len = data_secsize; crde->crd_flags = CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; if ((sc->sc_flags & G_ELI_FLAG_FIRST_KEY) == 0) crde->crd_flags |= CRD_F_KEY_EXPLICIT; if (bp->bio_cmd == BIO_WRITE) crde->crd_flags |= CRD_F_ENCRYPT; crde->crd_alg = sc->sc_ealgo; crde->crd_key = g_eli_key_hold(sc, dstoff, encr_secsize); crde->crd_klen = sc->sc_ekeylen; if (sc->sc_ealgo == CRYPTO_AES_XTS) crde->crd_klen <<= 1; g_eli_crypto_ivgen(sc, dstoff, crde->crd_iv, sizeof(crde->crd_iv)); crda->crd_skip = sc->sc_alen; crda->crd_len = data_secsize; crda->crd_inject = 0; crda->crd_flags = CRD_F_KEY_EXPLICIT; crda->crd_alg = sc->sc_aalgo; g_eli_auth_keygen(sc, dstoff, authkey); crda->crd_key = authkey; crda->crd_klen = G_ELI_AUTH_SECKEYLEN * 8; crp->crp_etype = 0; error = crypto_dispatch(crp); KASSERT(error == 0, ("crypto_dispatch() failed (error=%d)", error)); } } Index: head/sys/modules/geom/Makefile =================================================================== --- head/sys/modules/geom/Makefile (revision 308136) +++ head/sys/modules/geom/Makefile (revision 308137) @@ -1,37 +1,33 @@ # $FreeBSD$ SYSDIR?=${.CURDIR}/../.. .include "${SYSDIR}/conf/kern.opts.mk" SUBDIR= geom_bde \ geom_cache \ geom_concat \ + geom_eli \ geom_gate \ geom_journal \ geom_label \ geom_linux_lvm \ geom_mirror \ geom_mountver \ geom_multipath \ geom_nop \ geom_part \ geom_raid \ geom_raid3 \ geom_sched \ geom_shsec \ geom_stripe \ geom_uzip \ geom_vinum \ geom_virstor \ geom_zero .if ${MK_CCD} != "no" || defined(ALL_MODULES) SUBDIR+= geom_ccd -.endif - -# Alignment issues in g_eli_auth_run() on MIPS64 causes kernel panic -.if ${MACHINE_ARCH} != "mips64" && ${MACHINE_ARCH} != "mips64el" -SUBDIR+= geom_eli .endif .include