summaryrefslogtreecommitdiffstats
path: root/crypto/block-luks.c
Commit message (Collapse)AuthorAgeFilesLines
* qcrypto/luks: implement encryption key managementMaxim Levitsky2020-07-061-4/+412
| | | | | | | | | Next few patches will expose that functionality to the user. Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Message-Id: <20200608094030.670121-3-mlevitsk@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com>
* qcrypto-luks: more rigorous header checkingMaxim Levitsky2019-09-261-0/+52
| | | | | | | | | | | Check that keyslots don't overlap with the data, and check that keyslots don't overlap with each other. (this is done using naive O(n^2) nested loops, but since there are just 8 keyslots, this doesn't really matter. Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: simplify the math used for keyslot locationsMaxim Levitsky2019-09-261-23/+40
| | | | | | Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: extract store key functionMaxim Levitsky2019-09-261-123/+181
| | | | | | | | | This function will be used later to store new keys to the luks metadata Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: extract check and parse headerMaxim Levitsky2019-09-261-98/+125
| | | | | | | | | This is just to make qcrypto_block_luks_open more reasonable in size. Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: extract store and load headerMaxim Levitsky2019-09-261-62/+93
| | | | | | Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: purge unused error codes from open callbackMaxim Levitsky2019-09-261-32/+13Star
| | | | | | | | These values are not used by generic crypto code anyway Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: use the parsed encryption settings in QCryptoBlockLUKSMaxim Levitsky2019-09-261-90/+79Star
| | | | | | | | | | | | Prior to that patch, the parsed encryption settings were already stored into the QCryptoBlockLUKS but not used anywhere but in qcrypto_block_luks_get_info Using them simplifies the code Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: pass keyslot index rather that pointer to the keyslotMaxim Levitsky2019-09-261-3/+3
| | | | | | | | Another minor refactoring Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: simplify masterkey and masterkey lengthMaxim Levitsky2019-09-261-23/+21Star
| | | | | | | | | Let the caller allocate masterkey Always use master key len from the header Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: don't overwrite cipher_mode in headerMaxim Levitsky2019-09-261-3/+6
| | | | | | | | | This way we can store the header we loaded, which will be used in key management code Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* qcrypto-luks: rename some fields in QCryptoBlockLUKSHeaderMaxim Levitsky2019-09-261-44/+47
| | | | | | | | | | * key_bytes -> master_key_len * payload_offset = payload_offset_sector (to emphasise that this isn't byte offset) * key_offset -> key_offset_sector - same as above for luks slots Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto: use auto cleanup for many stack variablesDaniel P. Berrangé2019-08-221-52/+22Star
| | | | | | | | | Simplify cleanup paths by using glib's auto cleanup macros for stack variables, allowing several goto jumps / labels to be eliminated. Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto: Fix LGPL information in the file headersThomas Huth2019-07-191-1/+1
| | | | | | | | | It's either "GNU *Library* General Public License version 2" or "GNU Lesser General Public License version *2.1*", but there was no "version 2.0" of the "Lesser" license. So assume that version 2.1 is meant here. Signed-off-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto/block: remove redundant struct packing to fix build with gcc 9Greg Kurz2019-03-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Build fails with gcc 9: crypto/block-luks.c:689:18: error: taking address of packed member of ‘struct QCryptoBlockLUKSHeader’ may result in an unaligned pointer value [-Werror=address-of-packed-member] 689 | be32_to_cpus(&luks->header.payload_offset); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ crypto/block-luks.c:690:18: error: taking address of packed member of ‘struct QCryptoBlockLUKSHeader’ may result in an unaligned pointer value [-Werror=address-of-packed-member] 690 | be32_to_cpus(&luks->header.key_bytes); | ^~~~~~~~~~~~~~~~~~~~~~~ crypto/block-luks.c:691:18: error: taking address of packed member of ‘struct QCryptoBlockLUKSHeader’ may result in an unaligned pointer value [-Werror=address-of-packed-member] 691 | be32_to_cpus(&luks->header.master_key_iterations); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... a bunch of similar errors... crypto/block-luks.c:1288:22: error: taking address of packed member of ‘struct QCryptoBlockLUKSKeySlot’ may result in an unaligned pointer value [-Werror=address-of-packed-member] 1288 | be32_to_cpus(&luks->header.key_slots[i].stripes); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors All members of the QCryptoBlockLUKSKeySlot and QCryptoBlockLUKSHeader are naturally aligned and we already check at build time there isn't any unwanted padding. Drop the QEMU_PACKED attribute. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Greg Kurz <groug@kaod.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto: support multiple threads accessing one QCryptoBlockVladimir Sementsov-Ogievskiy2018-12-121-12/+10Star
| | | | | | | | | | | The two thing that should be handled are cipher and ivgen. For ivgen the solution is just mutex, as iv calculations should not be long in comparison with encryption/decryption. And for cipher let's just keep per-thread ciphers. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto/block: introduce qcrypto_block_*crypt_helper functionsVladimir Sementsov-Ogievskiy2018-12-121-8/+6Star
| | | | | | | | | Introduce QCryptoBlock-based functions and use them where possible. This is needed to implement thread-safe encrypt/decrypt operations. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto/block: rename qcrypto_block_*crypt_helperVladimir Sementsov-Ogievskiy2018-12-121-22/+22
| | | | | | | | | | | | | Rename qcrypto_block_*crypt_helper to qcrypto_block_cipher_*crypt_helper, as it's not about QCryptoBlock. This is needed to introduce qcrypto_block_*crypt_helper in the next commit, which will have QCryptoBlock pointer and than will be able to use additional fields of it, which in turn will be used to implement thread-safe QCryptoBlock operations. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto/block-luks: fix memory leak in qcrypto_block_luks_createVladimir Sementsov-Ogievskiy2018-12-121-0/+3
| | | | | | | | Free block->cipher and block->ivgen on error path. Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
* crypto: use local path for local headersMichael S. Tsirkin2018-06-011-1/+1
| | | | | | | | | | | When pulling in headers that are in the same directory as the C file (as opposed to one in include/), we should use its relative path, without a directory. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Acked-by: Daniel P. Berrangé <berrange@redhat.com>
* block: convert qcrypto_block_encrypt|decrypt to take bytes offsetDaniel P. Berrange2017-10-061-4/+8
| | | | | | | | | | | Instead of sector offset, take the bytes offset when encrypting or decrypting data. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170927125340.12360-6-berrange@redhat.com Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com>
* crypto: expose encryption sector size in APIsDaniel P. Berrange2017-10-061-2/+4
| | | | | | | | | | | | | While current encryption schemes all have a fixed sector size of 512 bytes, this is not guaranteed to be the case in future. Expose the sector size in the APIs so the block layer can remove assumptions about fixed 512 byte sectors. Reviewed-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170927125340.12360-3-berrange@redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
* qapi: Change data type of the FOO_lookup generated for enum FOOMarc-André Lureau2017-09-041-4/+4
| | | | | | | | | | | | | | | | | | | | Currently, a FOO_lookup is an array of strings terminated by a NULL sentinel. A future patch will generate enums with "holes". NULL-termination will cease to work then. To prepare for that, store the length in the FOO_lookup by wrapping it in a struct and adding a member for the length. The sentinel will be dropped next. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20170822132255.23945-13-marcandre.lureau@redhat.com> [Basically redone] Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-16-git-send-email-armbru@redhat.com> [Rebased]
* qapi: Mechanically convert FOO_lookup[...] to FOO_str(...)Markus Armbruster2017-09-041-6/+6
| | | | | | Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-14-git-send-email-armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
* qapi: Generate FOO_str() macro for QAPI enum FOOMarkus Armbruster2017-09-041-1/+0Star
| | | | | | | | | The next commit will put it to use. May look pointless now, but we're going to change the FOO_lookup's type, and then it'll help. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-13-git-send-email-armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
* crypto: Use qapi_enum_parse() in qcrypto_block_luks_name_lookup()Markus Armbruster2017-09-041-12/+7Star
| | | | | | | | Cc: "Daniel P. Berrange" <berrange@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-10-git-send-email-armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Acked-by: Daniel P. Berrange <berrange@redhat.com>
* block: pass option prefix down to crypto layerDaniel P. Berrange2017-07-111-2/+6
| | | | | | | | | | | | | | | While the crypto layer uses a fixed option name "key-secret", the upper block layer may have a prefix on the options. e.g. "encrypt.key-secret", in order to avoid clashes between crypto option names & other block option names. To ensure the crypto layer can report accurate error messages, we must tell it what option name prefix was used. Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170623162419.26068-19-berrange@redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
* crypto: move 'opaque' parameter to (nearly) the end of parameter listDaniel P. Berrange2017-05-091-5/+8
| | | | | | | | | | | | | | | | | | | Previous commit moved 'opaque' to be the 2nd parameter in the list: commit 375092332eeaa6e47561ce47fd36144cdaf964d0 Author: Fam Zheng <famz@redhat.com> Date: Fri Apr 21 20:27:02 2017 +0800 crypto: Make errp the last parameter of functions Move opaque to 2nd instead of the 2nd to last, so that compilers help check with the conversion. this puts it back to the 2nd to last position. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: Make errp the last parameter of functionsFam Zheng2017-04-241-12/+9Star
| | | | | | | | | | | | Move opaque to 2nd instead of the 2nd to last, so that compilers help check with the conversion. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <20170421122710.15373-7-famz@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [Commit message typo corrected] Signed-off-by: Markus Armbruster <armbru@redhat.com>
* crypto: Switch to QEMU UUID APIFam Zheng2016-09-231-19/+7Star
| | | | | | | | | | | The uuid generation doesn't return error, so update the function signature and calling code accordingly. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com> Message-Id: <1474432046-325-7-git-send-email-famz@redhat.com> Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: increase default pbkdf2 time for luks to 2 secondsDaniel P. Berrange2016-09-191-1/+1
| | | | | | | | | | cryptsetup recently increased the default pbkdf2 time to 2 seconds to partially mitigate improvements in hardware performance wrt brute-forcing the pbkdf algorithm. This updates QEMU defaults to match. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: remove bogus /= 2 for pbkdf iterationsDaniel P. Berrange2016-09-191-4/+0Star
| | | | | | | | | | | When calculating iterations for pbkdf of the key slot data, we had a /= 2, which was copied from identical code in cryptsetup. It was always unclear & undocumented why cryptsetup had this division and it was recently removed there, too. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: use correct derived key size when timing pbkdfDaniel P. Berrange2016-09-191-0/+2
| | | | | | | | | | | | | | | | Currently when timing the pbkdf algorithm a fixed key size of 32 bytes is used. This results in inaccurate timings for certain hashes depending on their digest size. For example when using sha1 with aes-256, this causes us to measure time for the master key digest doing 2 sha1 operations per iteration, instead of 1. Instead we should pass in the desired key size to the timing routine that matches the key size that will be used for real later. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: make PBKDF iterations configurable for LUKS formatDaniel P. Berrange2016-09-191-0/+24
| | | | | | | | | | | | | | As protection against bruteforcing passphrases, the PBKDF algorithm is tuned by counting the number of iterations needed to produce 1 second of running time. If the machine that the image will be used on is much faster than the machine where the image is created, it can be desirable to raise the number of iterations. This change adds a new 'iter-time' property that allows the user to choose the iteration wallclock time. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: use uint64_t for pbkdf iteration count parametersDaniel P. Berrange2016-09-191-21/+31
| | | | | | | | | | | | | | | | | The qcrypto_pbkdf_count_iters method uses a 64 bit int but then checks its value against INT32_MAX before returning it. This bounds check is premature, because the calling code may well scale the iteration count by some value. It is thus better to return a 64-bit integer and let the caller do range checking. For consistency the qcrypto_pbkdf method is also changed to accept a 64bit int, though this is somewhat academic since nettle is limited to taking an 'int' while gcrypt is limited to taking a 'long int'. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: add support for querying parameters for block encryptionDaniel P. Berrange2016-07-261-0/+67
| | | | | | | | | | | | | When creating new block encryption volumes, we accept a list of parameters to control the formatting process. It is useful to be able to query what those parameters were for existing block devices. Add a qcrypto_block_get_info() method which returns a QCryptoBlockInfo instance to report this data. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 1469192015-16487-2-git-send-email-berrange@redhat.com Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com>
* crypto: fix handling of iv generator hash defaultsDaniel P. Berrange2016-07-041-0/+21
| | | | | | | | | | | | | | | | | When opening an existing LUKS volume, if the iv generator is essiv, then the iv hash algorithm is mandatory to provide. We must report an error if it is omitted in the cipher mode spec, not silently default to hash 0 (md5). If the iv generator is not essiv, then we explicitly ignore any iv hash algorithm, rather than report an error, for compatibility with dm-crypt. When creating a new LUKS volume, if the iv generator is essiv and no iv hsah algorithm is provided, we should default to using the sha256 hash. Reported-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: Use DIV_ROUND_UPLaurent Vivier2016-06-071-4/+2Star
| | | | | | | | | | | | Replace (((n) + (d) - 1) /(d)) by DIV_ROUND_UP(n,d). This patch is the result of coccinelle script scripts/coccinelle/round.cocci CC: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* qemu-common: stop including qemu/bswap.h from qemu-common.hPaolo Bonzini2016-05-191-0/+1
| | | | | | | Move it to the actual users. There are still a few includes of qemu/bswap.h in headers; removing them is left for future work. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* include/qemu/osdep.h: Don't include qapi/error.hMarkus Armbruster2016-03-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the Error typedef. Since then, we've moved to include qemu/osdep.h everywhere. Its file comment explains: "To avoid getting into possible circular include dependencies, this file should not include any other QEMU headers, with the exceptions of config-host.h, compiler.h, os-posix.h and os-win32.h, all of which are doing a similar job to this file and are under similar constraints." qapi/error.h doesn't do a similar job, and it doesn't adhere to similar constraints: it includes qapi-types.h. That's in excess of 100KiB of crap most .c files don't actually need. Add the typedef to qemu/typedefs.h, and include that instead of qapi/error.h. Include qapi/error.h in .c files that need it and don't get it now. Include qapi-types.h in qom/object.h for uint16List. Update scripts/clean-includes accordingly. Update it further to match reality: replace config.h by config-target.h, add sysemu/os-posix.h, sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h comment quoted above similarly. This reduces the number of objects depending on qapi/error.h from "all of them" to less than a third. Unfortunately, the number depending on qapi-types.h shrinks only a little. More work is needed for that one. Signed-off-by: Markus Armbruster <armbru@redhat.com> [Fix compilation without the spice devel packages. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* crypto: implement the LUKS block encryption formatDaniel P. Berrange2016-03-171-0/+1328
Provide a block encryption implementation that follows the LUKS/dm-crypt specification. This supports all combinations of hash, cipher algorithm, cipher mode and iv generator that are implemented by the current crypto layer. There is support for opening existing volumes formatted by dm-crypt, and for formatting new volumes. In the latter case it will only use key slot 0. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>