* [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices
@ 2016-01-12 18:56 Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 01/15] crypto: add cryptographic random byte source Daniel P. Berrange
` (14 more replies)
0 siblings, 15 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
This is a posting of the previously submitted work in progress
code:
https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg04748.html
This series depends on these previously submitted
patches to the block tools:
https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04354.html
As can be guessed from the subject, the primary goal of this
patch series is to support LUKS encryption in the QEMU block
layer. QEMU has increasingly been adding native clients for
network block protocols (RBD, gluster, NFS, iSCSI, etc) and
apps like OpenStack are embracing them as it is much easier
to deal with this from a management POV than to deal with the
kernel block layer & userspace tools. Unfortunately when using
QEMU native clients, apps are locked out of using dm-crypt
and LUKS which is undesirable.
This series introduces two new features to the block layer.
First there is a general purpose 'luks' format driver which
can be layered over any other existing block driver. eg it
can be layed above RBD, iSCSI, etc. Second the qcow2 file
format is extended so that its embedded encryption can be
replaced with the LUKS data format. While you could just
layer the general purpose luks driver over qcow2, this is
slightly less desirable, as it removes the ability to
reliably auto-detect that LUKS is used by QEMU, as opposed
to used by the guest OS. Having use of LUKS encoded in the
qcow2 header addresses this.
The code is designed such that there is a strict separation
between the full disk encryption format and the block I/O
layer. Thus there is an generic API for dealing with full
disk encryption added to the crypto/ subsystem. The block
layer merely calls this FDE API when required, which serves
to minimize the code present in the already complex block
layer.
The first 4 patches add some supporting APIs to the crypto
subsystem.
The 5-6 patches introduce the general full disk encryption
API to the crypto subsystem and LUKS implementation
Patches 7-12 add the new 'luks' block driver format and
convert qcow & qcow2 to the new FDE APIs, enabling LUKS
in qcow2 (but not qcow) at the same time.
Patches 13-14 clean up the horrible password handling
cruft in the block layer and monitor.
Patch 15 blocks use of the legacy qcow[2] encryption
from the system emulators.
Some notable things since the original WIP posting
- QAPI parameters defined for the encryption key ID
- The qcow2 integration of LUKS is working, using
extra allocated clusters to store LUKS header
instead of trying to expand the main qcow2 header
region to > 1 cluster
- qemu-img info now works without prompting for
decryption password
- Unit testing of pbkdf2, afsplit and ivgen APis.
Still to do
- Unit testing coverage of the full disk encryption
APIs
- Functional testing of LUKS driver via the
qemu-iotests for the block layer
- Use GNUTLS random API for the random byte source
- Add support for XTS cipher mode for dm-crypt compat
Daniel P. Berrange (15):
crypto: add cryptographic random byte source
crypto: add support for PBKDF2 algorithm
crypto: add support for generating initialization vectors
crypto: add support for anti-forensic split algorithm
crypto: add block encryption framework
crypto: implement the LUKS block encryption format
block: add flag to indicate that no I/O will be performed
block: add generic full disk encryption driver
qcow2: make qcow2_encrypt_sectors encrypt in place
qcow2: convert QCow2 to use QCryptoBlock for encryption
qcow: make encrypt_sectors encrypt in place
qcow: convert QCow to use QCryptoBlock for encryption
block: rip out all traces of password prompting
block: remove all encryption handling APIs
block: remove support for legecy AES qcow/qcow2 encryption
block.c | 94 +---
block/Makefile.objs | 2 +
block/fde.c | 538 +++++++++++++++++++++
block/qapi.c | 2 +-
block/qcow.c | 199 ++++----
block/qcow2-cluster.c | 55 +--
block/qcow2.c | 511 +++++++++++++++++---
block/qcow2.h | 24 +-
blockdev.c | 40 +-
crypto/Makefile.objs | 10 +
crypto/afsplit.c | 194 ++++++++
crypto/block-luks.c | 1092 ++++++++++++++++++++++++++++++++++++++++++
crypto/block-luks.h | 28 ++
crypto/block-qcowaes.c | 165 +++++++
crypto/block-qcowaes.h | 28 ++
crypto/block.c | 256 ++++++++++
crypto/blockpriv.h | 89 ++++
crypto/ivgen-essiv.c | 116 +++++
crypto/ivgen-essiv.h | 28 ++
crypto/ivgen-plain.c | 60 +++
crypto/ivgen-plain.h | 28 ++
crypto/ivgen-plain64.c | 60 +++
crypto/ivgen-plain64.h | 28 ++
crypto/ivgen.c | 117 +++++
crypto/ivgenpriv.h | 47 ++
crypto/pbkdf-gcrypt.c | 64 +++
crypto/pbkdf-nettle.c | 63 +++
crypto/pbkdf-stub.c | 39 ++
crypto/pbkdf.c | 76 +++
crypto/random.c | 50 ++
docs/specs/qcow2.txt | 71 +++
hmp.c | 31 --
hw/usb/dev-storage.c | 34 --
include/block/block.h | 6 +-
include/block/block_int.h | 1 -
include/crypto/afsplit.h | 133 +++++
include/crypto/block.h | 222 +++++++++
include/crypto/ivgen.h | 167 +++++++
include/crypto/pbkdf.h | 152 ++++++
include/crypto/random.h | 43 ++
include/monitor/monitor.h | 7 -
include/qemu/osdep.h | 2 -
monitor.c | 69 ---
qapi/block-core.json | 41 +-
qapi/crypto.json | 117 +++++
qemu-img.c | 45 +-
qemu-io.c | 21 -
qmp.c | 9 -
tests/.gitignore | 3 +
tests/Makefile | 6 +
tests/qemu-iotests/087 | 20 +
tests/qemu-iotests/087.out | 24 +-
tests/qemu-iotests/134 | 17 +-
tests/qemu-iotests/134.out | 26 -
tests/qemu-iotests/common.rc | 4 +-
tests/test-crypto-afsplit.c | 176 +++++++
tests/test-crypto-ivgen.c | 168 +++++++
tests/test-crypto-pbkdf.c | 378 +++++++++++++++
util/oslib-posix.c | 66 ---
util/oslib-win32.c | 24 -
60 files changed, 5471 insertions(+), 715 deletions(-)
create mode 100644 block/fde.c
create mode 100644 crypto/afsplit.c
create mode 100644 crypto/block-luks.c
create mode 100644 crypto/block-luks.h
create mode 100644 crypto/block-qcowaes.c
create mode 100644 crypto/block-qcowaes.h
create mode 100644 crypto/block.c
create mode 100644 crypto/blockpriv.h
create mode 100644 crypto/ivgen-essiv.c
create mode 100644 crypto/ivgen-essiv.h
create mode 100644 crypto/ivgen-plain.c
create mode 100644 crypto/ivgen-plain.h
create mode 100644 crypto/ivgen-plain64.c
create mode 100644 crypto/ivgen-plain64.h
create mode 100644 crypto/ivgen.c
create mode 100644 crypto/ivgenpriv.h
create mode 100644 crypto/pbkdf-gcrypt.c
create mode 100644 crypto/pbkdf-nettle.c
create mode 100644 crypto/pbkdf-stub.c
create mode 100644 crypto/pbkdf.c
create mode 100644 crypto/random.c
create mode 100644 include/crypto/afsplit.h
create mode 100644 include/crypto/block.h
create mode 100644 include/crypto/ivgen.h
create mode 100644 include/crypto/pbkdf.h
create mode 100644 include/crypto/random.h
create mode 100644 tests/test-crypto-afsplit.c
create mode 100644 tests/test-crypto-ivgen.c
create mode 100644 tests/test-crypto-pbkdf.c
--
2.5.0
^ permalink raw reply [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 01/15] crypto: add cryptographic random byte source
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-13 2:46 ` Fam Zheng
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 02/15] crypto: add support for PBKDF2 algorithm Daniel P. Berrange
` (13 subsequent siblings)
14 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 1 +
crypto/random.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
include/crypto/random.h | 43 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 94 insertions(+)
create mode 100644 crypto/random.c
create mode 100644 include/crypto/random.h
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index a3135f1..5f38d2d 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -8,6 +8,7 @@ crypto-obj-y += tlscredsanon.o
crypto-obj-y += tlscredsx509.o
crypto-obj-y += tlssession.o
crypto-obj-y += secret.o
+crypto-obj-y += random.o
# Let the userspace emulators avoid linking gnutls/etc
crypto-aes-obj-y = aes.o
diff --git a/crypto/random.c b/crypto/random.c
new file mode 100644
index 0000000..8257d24
--- /dev/null
+++ b/crypto/random.c
@@ -0,0 +1,50 @@
+/*
+ * QEMU Crypto random number provider
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config-host.h>
+
+#include "crypto/random.h"
+
+int qcrypto_random_bytes(uint8_t *buf,
+ size_t buflen,
+ Error **errp)
+{
+ ssize_t ret;
+ int fd = open("/dev/random", O_RDONLY);
+ if (fd < 0) {
+ error_setg_errno(errp, errno,
+ "Unable to open /dev/random");
+ return -1;
+ }
+
+ while (buflen) {
+ ret = read(fd, buf, buflen);
+ if (ret < 0) {
+ error_setg_errno(errp, errno,
+ "Unable to read random bytes");
+ close(fd);
+ return -1;
+ }
+ buflen -= ret;
+ }
+
+ close(fd);
+ return 0;
+}
diff --git a/include/crypto/random.h b/include/crypto/random.h
new file mode 100644
index 0000000..ce1626b
--- /dev/null
+++ b/include/crypto/random.h
@@ -0,0 +1,43 @@
+/*
+ * QEMU Crypto random number provider
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_RANDOM_H__
+#define QCRYPTO_RANDOM_H__
+
+#include "qemu-common.h"
+#include "qapi/error.h"
+
+
+/**
+ * qcrypto_random_bytes:
+ * @buf: the buffer to fill
+ * @buflen: length of @buf in bytes
+ * @errp: pointer to uninitialized error objet
+ *
+ * Fill @buf with @buflen bytes of random data
+ *
+ * Returns 0 on sucess, -1 on error
+ */
+int qcrypto_random_bytes(uint8_t *buf,
+ size_t buflen,
+ Error **errp);
+
+
+#endif /* QCRYPTO_RANDOM_H__ */
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 02/15] crypto: add support for PBKDF2 algorithm
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 01/15] crypto: add cryptographic random byte source Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-13 5:53 ` Fam Zheng
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 03/15] crypto: add support for generating initialization vectors Daniel P. Berrange
` (12 subsequent siblings)
14 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
The LUKS data format includes use of PBKDF2 (Password-Based
Key Derivation Function). The Nettle library can provide
an implementation of this, but we don't want code directly
depending on a specific crypto library backend. Introduce
a include/crypto/pbkdf.h header which defines a QEMU
API for invoking PBKDK2. The initial implementations are
backed by nettle & gcrypt, which are commonly available
with distros shipping GNUTLS.
The test suite data is taken from the cryptsetup codebase
under the LGPLv2.1+ license. This merely aims to verify
that whatever backend we provide for this function in QEMU
will comply with the spec.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 1 +
crypto/pbkdf-gcrypt.c | 64 ++++++++
crypto/pbkdf-nettle.c | 63 ++++++++
crypto/pbkdf-stub.c | 39 +++++
crypto/pbkdf.c | 76 ++++++++++
include/crypto/pbkdf.h | 152 +++++++++++++++++++
tests/.gitignore | 1 +
tests/Makefile | 2 +
tests/test-crypto-pbkdf.c | 378 ++++++++++++++++++++++++++++++++++++++++++++++
9 files changed, 776 insertions(+)
create mode 100644 crypto/pbkdf-gcrypt.c
create mode 100644 crypto/pbkdf-nettle.c
create mode 100644 crypto/pbkdf-stub.c
create mode 100644 crypto/pbkdf.c
create mode 100644 include/crypto/pbkdf.h
create mode 100644 tests/test-crypto-pbkdf.c
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 5f38d2d..c1cf45c 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -9,6 +9,7 @@ crypto-obj-y += tlscredsx509.o
crypto-obj-y += tlssession.o
crypto-obj-y += secret.o
crypto-obj-y += random.o
+crypto-obj-y += pbkdf.o
# Let the userspace emulators avoid linking gnutls/etc
crypto-aes-obj-y = aes.o
diff --git a/crypto/pbkdf-gcrypt.c b/crypto/pbkdf-gcrypt.c
new file mode 100644
index 0000000..2e494ce
--- /dev/null
+++ b/crypto/pbkdf-gcrypt.c
@@ -0,0 +1,64 @@
+/*
+ * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "gcrypt.h"
+
+bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
+{
+ switch (hash) {
+ case QCRYPTO_HASH_ALG_SHA1:
+ case QCRYPTO_HASH_ALG_SHA256:
+ return true;
+ default:
+ return false;
+ }
+}
+
+int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ const uint8_t *salt, size_t nsalt,
+ unsigned int iterations,
+ uint8_t *out, size_t nout,
+ Error **errp)
+{
+ static const int hash_map[QCRYPTO_HASH_ALG_LAST] = {
+ [QCRYPTO_HASH_ALG_MD5] = GCRY_MD_MD5,
+ [QCRYPTO_HASH_ALG_SHA1] = GCRY_MD_SHA1,
+ [QCRYPTO_HASH_ALG_SHA256] = GCRY_MD_SHA256,
+ };
+ int ret;
+
+ if (hash > G_N_ELEMENTS(hash_map)) {
+ error_setg(errp, "Unexpected hash algorithm %d", hash);
+ return -1;
+ }
+
+ ret = gcry_kdf_derive(key, nkey, GCRY_KDF_PBKDF2,
+ hash_map[hash],
+ salt, nsalt, iterations,
+ nout, out);
+ if (ret != 0) {
+ error_setg(errp, "Cannot derive password: %s",
+ gcry_strerror(ret));
+ return -1;
+ }
+
+ return 0;
+}
diff --git a/crypto/pbkdf-nettle.c b/crypto/pbkdf-nettle.c
new file mode 100644
index 0000000..d86cd58
--- /dev/null
+++ b/crypto/pbkdf-nettle.c
@@ -0,0 +1,63 @@
+/*
+ * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "nettle/pbkdf2.h"
+
+
+bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
+{
+ switch (hash) {
+ case QCRYPTO_HASH_ALG_SHA1:
+ case QCRYPTO_HASH_ALG_SHA256:
+ return true;
+ default:
+ return false;
+ }
+}
+
+int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ const uint8_t *salt, size_t nsalt,
+ unsigned int iterations,
+ uint8_t *out, size_t nout,
+ Error **errp)
+{
+ switch (hash) {
+ case QCRYPTO_HASH_ALG_SHA1:
+ pbkdf2_hmac_sha1(nkey, key,
+ iterations,
+ nsalt, salt,
+ nout, out);
+ break;
+
+ case QCRYPTO_HASH_ALG_SHA256:
+ pbkdf2_hmac_sha256(nkey, key,
+ iterations,
+ nsalt, salt,
+ nout, out);
+ break;
+
+ default:
+ error_setg_errno(errp, ENOSYS,
+ "PBKDF does not support hash algorithm");
+ return -1;
+ }
+ return 0;
+}
diff --git a/crypto/pbkdf-stub.c b/crypto/pbkdf-stub.c
new file mode 100644
index 0000000..624154a
--- /dev/null
+++ b/crypto/pbkdf-stub.c
@@ -0,0 +1,39 @@
+/*
+ * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
+{
+ return false;
+}
+
+int qcrypto_pbkdf2(QCryptoHashAlgorithm hash G_GNUC_UNUSED,
+ const uint8_t *key G_GNUC_UNUSED,
+ size_t nkey G_GNUC_UNUSED,
+ const uint8_t *salt G_GNUC_UNUSED,
+ size_t nsalt G_GNUC_UNUSED,
+ unsigned int iterations G_GNUC_UNUSED,
+ uint8_t *out G_GNUC_UNUSED,
+ size_t nout G_GNUC_UNUSED,
+ Error **errp)
+{
+ error_setg_errno(errp, ENOSYS,
+ "No crypto library supporting PBKDF in this build");
+ return -1;
+}
diff --git a/crypto/pbkdf.c b/crypto/pbkdf.c
new file mode 100644
index 0000000..176c813
--- /dev/null
+++ b/crypto/pbkdf.c
@@ -0,0 +1,76 @@
+/*
+ * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/pbkdf.h"
+#include <sys/resource.h>
+
+#if defined CONFIG_NETTLE
+#include "crypto/pbkdf-nettle.c"
+#elif defined CONFIG_GCRYPT
+#include "crypto/pbkdf-gcrypt.c"
+#else /* ! CONFIG_GCRYPT */
+#include "crypto/pbkdf-stub.c"
+#endif /* ! CONFIG_GCRYPT */
+
+
+int qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ const uint8_t *salt, size_t nsalt,
+ Error **errp)
+{
+ uint8_t out[32];
+ int iterations = (1 << 15);
+ struct rusage start, end;
+ unsigned long long delta;
+
+ while (1) {
+ if (getrusage(RUSAGE_THREAD, &start) < 0) {
+ error_setg_errno(errp, errno, "Unable to get thread CPU usage");
+ return -1;
+ }
+ if (qcrypto_pbkdf2(hash,
+ key, nkey,
+ salt, nsalt,
+ iterations,
+ out, sizeof(out),
+ errp) < 0) {
+ return -1;
+ }
+ if (getrusage(RUSAGE_THREAD, &end) < 0) {
+ error_setg_errno(errp, errno, "Unable to get thread CPU usage");
+ return -1;
+ }
+
+ delta = (((end.ru_utime.tv_sec * 1000ll) +
+ (end.ru_utime.tv_usec / 1000)) -
+ ((start.ru_utime.tv_sec * 1000ll) +
+ (start.ru_utime.tv_usec / 1000)));
+
+ if (delta > 500) {
+ break;
+ } else if (delta < 100) {
+ iterations = iterations * 10;
+ } else {
+ iterations = (iterations * 1000 / delta);
+ }
+ }
+
+ return iterations * 1000 / delta;
+}
diff --git a/include/crypto/pbkdf.h b/include/crypto/pbkdf.h
new file mode 100644
index 0000000..7d75357
--- /dev/null
+++ b/include/crypto/pbkdf.h
@@ -0,0 +1,152 @@
+/*
+ * QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_PBKDF_H__
+#define QCRYPTO_PBKDF_H__
+
+#include "crypto/hash.h"
+
+/**
+ * This module provides an interface to the PBKDF2 algorithm
+ *
+ * https://en.wikipedia.org/wiki/PBKDF2
+ *
+ * <example>
+ * <title>Generating a AES encryption key from a user password</title>
+ * <programlisting>
+ * #include "crypto/cipher.h"
+ * #include "crypto/random.h"
+ * #include "crypto/pbkdf.h"
+ *
+ * ....
+ *
+ * char *password = "a-typical-awful-user-password";
+ * size_t nkey = qcrypto_cipher_get_key_len(QCRYPTO_CIPHER_ALG_AES_128);
+ * uint8_t *salt = g_new0(uint8_t, nkey);
+ * uint8_t *key = g_new0(uint8_t, nkey);
+ * int iterations;
+ * QCryptoCipher *cipher;
+ *
+ * if (qcrypto_random_bytes(salt, nkey, errp) < 0) {
+ * g_free(key);
+ * g_free(salt);
+ * return -1;
+ * }
+ *
+ * iterations = qcrypto_pbkdf2_count_iters(QCRYPTO_HASH_ALG_SHA256,
+ * (const uint8_t *)password,
+ * strlen(password),
+ * salt, nkey, errp);
+ * if (iterations < 0) {
+ * g_free(key);
+ * g_free(salt);
+ * return -1;
+ * }
+ *
+ * if (qcrypto_pbkdf2(QCRYPTO_HASH_ALG_SHA256,
+ * (const uint8_t *)password, strlen(password),
+ * salt, nkey, iterations, key, nkey, errp) < 0) {
+ * g_free(key);
+ * g_free(salt);
+ * return -1;
+ * }
+ *
+ * g_free(salt);
+ *
+ * cipher = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_128,
+ * QCRYPTO_CIPHER_MODE_ECB,
+ * key, nkey, errp);
+ * g_free(key);
+ *
+ * ....encrypt some data...
+ *
+ * qcrypto_cipher_free(cipher);
+ * </programlisting>
+ * </example>
+ *
+ */
+
+/**
+ * qcrypto_pbkdf2_supports:
+ * @hash: the hash algorithm
+ *
+ * Determine if the current build supports the PBKDF2 algorithm
+ * in combination with the hash @hash.
+ *
+ * Returns true if supported, false otherwise
+ */
+bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash);
+
+
+/**
+ * qcrypto_pbkdf2:
+ * @hash: the hash algorithm to use
+ * @key: the user password / key
+ * @nkey: the length of @key in bytes
+ * @salt: a random salt
+ * @nsalt: length of @salt in bytes
+ * @iterations: the number of iterations to compute
+ * @out: pointer to pre-allocated buffer to hold output
+ * @nout: length of @out in bytes
+ * @errp: pointer to uninitialized error object
+ *
+ * Apply the PBKDF2 algorithm to derive an encryption
+ * key from a user password provided in @key. The
+ * @salt parameter is used to perturb the algorithm.
+ * The @iterations count determines how many times
+ * the hashing process is run, which influences how
+ * hard it is to crack the key. The number of @iterations
+ * should be large enough such that the algorithm takes
+ * 1 second or longer to derive a key. The derived key
+ * will be stored in the preallocated buffer @out.
+ *
+ * Returns: 0 on success, -1 on error
+ */
+int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ const uint8_t *salt, size_t nsalt,
+ unsigned int iterations,
+ uint8_t *out, size_t nout,
+ Error **errp);
+
+/**
+ * qcrypto_pbkdf2_count_iters:
+ * @hash: the hash algorithm to use
+ * @key: the user password / key
+ * @nkey: the length of @key in bytes
+ * @salt: a random salt
+ * @nsalt: length of @salt in bytes
+ * @errp: pointer to uninitialized error object
+ *
+ * Time the PBKDF2 algorithm to determine how many
+ * iterations are required to derive an encryption
+ * key from a user password provided in @key in 1
+ * second of compute time. The result of this can
+ * be used as a the @iterations parameter of a later
+ * call to qcrypto_pbkdf2().
+ *
+ * Returns: number of iterations in 1 second, -1 on error
+ */
+int qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ const uint8_t *salt, size_t nsalt,
+ Error **errp);
+
+#endif /* QCRYPTO_PBKDF_H__ */
diff --git a/tests/.gitignore b/tests/.gitignore
index 787c95c..db6b9be 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -14,6 +14,7 @@ test-blockjob-txn
test-coroutine
test-crypto-cipher
test-crypto-hash
+test-crypto-pbkdf
test-crypto-secret
test-crypto-tlscredsx509
test-crypto-tlscredsx509-work/
diff --git a/tests/Makefile b/tests/Makefile
index b7352f1..833a290 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -92,6 +92,7 @@ check-unit-$(CONFIG_GNUTLS) += tests/test-io-channel-tls$(EXESUF)
check-unit-y += tests/test-io-channel-command$(EXESUF)
check-unit-y += tests/test-io-channel-buffer$(EXESUF)
check-unit-y += tests/test-base64$(EXESUF)
+check-unit-y += tests/test-crypto-pbkdf$(EXESUF)
check-block-$(CONFIG_POSIX) += tests/qemu-iotests-quick.sh
@@ -495,6 +496,7 @@ tests/test-io-channel-command$(EXESUF): tests/test-io-channel-command.o \
tests/io-channel-helpers.o $(test-io-obj-y)
tests/test-io-channel-buffer$(EXESUF): tests/test-io-channel-buffer.o \
tests/io-channel-helpers.o $(test-io-obj-y)
+tests/test-crypto-pbkdf$(EXESUF): tests/test-crypto-pbkdf.o $(test-crypto-obj-y)
libqos-obj-y = tests/libqos/pci.o tests/libqos/fw_cfg.o tests/libqos/malloc.o
libqos-obj-y += tests/libqos/i2c.o tests/libqos/libqos.o
diff --git a/tests/test-crypto-pbkdf.c b/tests/test-crypto-pbkdf.c
new file mode 100644
index 0000000..3ff8cd8
--- /dev/null
+++ b/tests/test-crypto-pbkdf.c
@@ -0,0 +1,378 @@
+/*
+ * QEMU Crypto cipher algorithms
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <glib.h>
+
+#include "crypto/init.h"
+
+#if defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT)
+#include "crypto/pbkdf.h"
+
+typedef struct QCryptoPbkdfTestData QCryptoPbkdfTestData;
+struct QCryptoPbkdfTestData {
+ const char *path;
+ QCryptoHashAlgorithm hash;
+ unsigned int iterations;
+ const char *key;
+ size_t nkey;
+ const char *salt;
+ size_t nsalt;
+ const char *out;
+ size_t nout;
+};
+
+/* This test data comes from cryptsetup package
+ *
+ * $SRC/lib/crypto_backend/pbkdf2_generic.c
+ *
+ * under LGPLv2.1+ license
+ */
+static QCryptoPbkdfTestData test_data[] = {
+ /* RFC 3962 test data */
+ {
+ .path = "/crypto/pbkdf/rfc3962/sha1/iter1",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 1,
+ .key = "password",
+ .nkey = 8,
+ .salt = "ATHENA.MIT.EDUraeburn",
+ .nsalt = 21,
+ .out = "\xcd\xed\xb5\x28\x1b\xb2\xf8\x01"
+ "\x56\x5a\x11\x22\xb2\x56\x35\x15"
+ "\x0a\xd1\xf7\xa0\x4b\xb9\xf3\xa3"
+ "\x33\xec\xc0\xe2\xe1\xf7\x08\x37",
+ .nout = 32
+ },
+ {
+ .path = "/crypto/pbkdf/rfc3962/sha1/iter2",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 2,
+ .key = "password",
+ .nkey = 8,
+ .salt = "ATHENA.MIT.EDUraeburn",
+ .nsalt = 21,
+ .out = "\x01\xdb\xee\x7f\x4a\x9e\x24\x3e"
+ "\x98\x8b\x62\xc7\x3c\xda\x93\x5d"
+ "\xa0\x53\x78\xb9\x32\x44\xec\x8f"
+ "\x48\xa9\x9e\x61\xad\x79\x9d\x86",
+ .nout = 32
+ },
+ {
+ .path = "/crypto/pbkdf/rfc3962/sha1/iter1200a",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 1200,
+ .key = "password",
+ .nkey = 8,
+ .salt = "ATHENA.MIT.EDUraeburn",
+ .nsalt = 21,
+ .out = "\x5c\x08\xeb\x61\xfd\xf7\x1e\x4e"
+ "\x4e\xc3\xcf\x6b\xa1\xf5\x51\x2b"
+ "\xa7\xe5\x2d\xdb\xc5\xe5\x14\x2f"
+ "\x70\x8a\x31\xe2\xe6\x2b\x1e\x13",
+ .nout = 32
+ },
+ {
+ .path = "/crypto/pbkdf/rfc3962/sha1/iter5",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 5,
+ .key = "password",
+ .nkey = 8,
+ .salt = "\0224VxxV4\022", /* "\x1234567878563412 */
+ .nsalt = 8,
+ .out = "\xd1\xda\xa7\x86\x15\xf2\x87\xe6"
+ "\xa1\xc8\xb1\x20\xd7\x06\x2a\x49"
+ "\x3f\x98\xd2\x03\xe6\xbe\x49\xa6"
+ "\xad\xf4\xfa\x57\x4b\x6e\x64\xee",
+ .nout = 32
+ },
+ {
+ .path = "/crypto/pbkdf/rfc3962/sha1/iter1200b",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 1200,
+ .key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ .nkey = 64,
+ .salt = "pass phrase equals block size",
+ .nsalt = 29,
+ .out = "\x13\x9c\x30\xc0\x96\x6b\xc3\x2b"
+ "\xa5\x5f\xdb\xf2\x12\x53\x0a\xc9"
+ "\xc5\xec\x59\xf1\xa4\x52\xf5\xcc"
+ "\x9a\xd9\x40\xfe\xa0\x59\x8e\xd1",
+ .nout = 32
+ },
+ {
+ .path = "/crypto/pbkdf/rfc3962/sha1/iter1200c",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 1200,
+ .key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ .nkey = 65,
+ .salt = "pass phrase exceeds block size",
+ .nsalt = 30,
+ .out = "\x9c\xca\xd6\xd4\x68\x77\x0c\xd5"
+ "\x1b\x10\xe6\xa6\x87\x21\xbe\x61"
+ "\x1a\x8b\x4d\x28\x26\x01\xdb\x3b"
+ "\x36\xbe\x92\x46\x91\x5e\xc8\x2a",
+ .nout = 32
+ },
+ {
+ .path = "/crypto/pbkdf/rfc3962/sha1/iter50",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 50,
+ .key = "\360\235\204\236", /* g-clef ("\xf09d849e) */
+ .nkey = 4,
+ .salt = "EXAMPLE.COMpianist",
+ .nsalt = 18,
+ .out = "\x6b\x9c\xf2\x6d\x45\x45\x5a\x43"
+ "\xa5\xb8\xbb\x27\x6a\x40\x3b\x39"
+ "\xe7\xfe\x37\xa0\xc4\x1e\x02\xc2"
+ "\x81\xff\x30\x69\xe1\xe9\x4f\x52",
+ .nout = 32
+ },
+
+ /* RFC-6070 test data */
+ {
+ .path = "/crypto/pbkdf/rfc6070/sha1/iter1",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 1,
+ .key = "password",
+ .nkey = 8,
+ .salt = "salt",
+ .nsalt = 4,
+ .out = "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9"
+ "\xb5\x24\xaf\x60\x12\x06\x2f\xe0\x37\xa6",
+ .nout = 20
+ },
+ {
+ .path = "/crypto/pbkdf/rfc6070/sha1/iter2",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 2,
+ .key = "password",
+ .nkey = 8,
+ .salt = "salt",
+ .nsalt = 4,
+ .out = "\xea\x6c\x01\x4d\xc7\x2d\x6f\x8c\xcd\x1e"
+ "\xd9\x2a\xce\x1d\x41\xf0\xd8\xde\x89\x57",
+ .nout = 20
+ },
+ {
+ .path = "/crypto/pbkdf/rfc6070/sha1/iter4096",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 4096,
+ .key = "password",
+ .nkey = 8,
+ .salt = "salt",
+ .nsalt = 4,
+ .out = "\x4b\x00\x79\x01\xb7\x65\x48\x9a\xbe\xad"
+ "\x49\xd9\x26\xf7\x21\xd0\x65\xa4\x29\xc1",
+ .nout = 20
+ },
+ {
+ .path = "/crypto/pbkdf/rfc6070/sha1/iter16777216",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 16777216,
+ .key = "password",
+ .nkey = 8,
+ .salt = "salt",
+ .nsalt = 4,
+ .out = "\xee\xfe\x3d\x61\xcd\x4d\xa4\xe4\xe9\x94"
+ "\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84",
+ .nout = 20
+ },
+ {
+ .path = "/crypto/pbkdf/rfc6070/sha1/iter4096a",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 4096,
+ .key = "passwordPASSWORDpassword",
+ .nkey = 24,
+ .salt = "saltSALTsaltSALTsaltSALTsaltSALTsalt",
+ .nsalt = 36,
+ .out = "\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b\x80\xc8"
+ "\xd8\x36\x62\xc0\xe4\x4a\x8b\x29\x1a\x96"
+ "\x4c\xf2\xf0\x70\x38",
+ .nout = 25
+ },
+ {
+ .path = "/crypto/pbkdf/rfc6070/sha1/iter4096b",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 4096,
+ .key = "pass\0word",
+ .nkey = 9,
+ .salt = "sa\0lt",
+ .nsalt = 5,
+ .out = "\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37"
+ "\xd7\xf0\x34\x25\xe0\xc3",
+ .nout = 16
+ },
+
+ /* non-RFC misc test data */
+ {
+ /* empty password test */
+ .path = "/crypto/pbkdf/nonrfc/sha1/iter2",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .iterations = 2,
+ .key = "",
+ .nkey = 0,
+ .salt = "salt",
+ .nsalt = 4,
+ .out = "\x13\x3a\x4c\xe8\x37\xb4\xd2\x52\x1e\xe2"
+ "\xbf\x03\xe1\x1c\x71\xca\x79\x4e\x07\x97",
+ .nout = 20
+ }, {
+ /* Password exceeds block size test */
+ .path = "/crypto/pbkdf/nonrfc/sha256/iter1200",
+ .hash = QCRYPTO_HASH_ALG_SHA256,
+ .iterations = 1200,
+ .key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ .nkey = 65,
+ .salt = "pass phrase exceeds block size",
+ .nsalt = 30,
+ .out = "\x22\x34\x4b\xc4\xb6\xe3\x26\x75"
+ "\xa8\x09\x0f\x3e\xa8\x0b\xe0\x1d"
+ "\x5f\x95\x12\x6a\x2c\xdd\xc3\xfa"
+ "\xcc\x4a\x5e\x6d\xca\x04\xec\x58",
+ .nout = 32
+ },
+#if 0
+ {
+ .path = "/crypto/pbkdf/nonrfc/sha512/iter1200",
+ .hash = QCRYPTO_HASH_ALG_SHA512,
+ .iterations = 1200,
+ .key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ .nkey = 129,
+ .salt = "pass phrase exceeds block size",
+ .nsalt = 30,
+ .out = "\x0f\xb2\xed\x2c\x0e\x6e\xfb\x7d"
+ "\x7d\x8e\xdd\x58\x01\xb4\x59\x72"
+ "\x99\x92\x16\x30\x5e\xa4\x36\x8d"
+ "\x76\x14\x80\xf3\xe3\x7a\x22\xb9",
+ .nout = 32
+ },
+ {
+ .path = "/crypto/pbkdf/nonrfc/whirlpool/iter1200",
+ .hash = QCRYPTO_HASH_ALG_WHIRLPOOL,
+ .iterations = 1200,
+ .key = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ .nkey = 65,
+ .salt = "pass phrase exceeds block size",
+ .nsalt = 30,
+ .out = "\x9c\x1c\x74\xf5\x88\x26\xe7\x6a"
+ "\x53\x58\xf4\x0c\x39\xe7\x80\x89"
+ "\x07\xc0\x31\x19\x9a\x50\xa2\x48"
+ "\xf1\xd9\xfe\x78\x64\xe5\x84\x50",
+ .nout = 32
+ }
+#endif
+};
+
+
+static inline char hex(int i)
+{
+ if (i < 10) {
+ return '0' + i;
+ }
+ return 'a' + (i - 10);
+}
+
+static char *hex_string(const uint8_t *bytes,
+ size_t len)
+{
+ char *hexstr = g_new0(char, len * 2 + 1);
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ hexstr[i*2] = hex((bytes[i] >> 4) & 0xf);
+ hexstr[i*2+1] = hex(bytes[i] & 0xf);
+ }
+ hexstr[len*2] = '\0';
+
+ return hexstr;
+}
+
+static void test_pbkdf(const void *opaque)
+{
+ const QCryptoPbkdfTestData *data = opaque;
+ size_t nout = data->nout;
+ uint8_t *out = g_new0(uint8_t, nout);
+ gchar *expect, *actual;
+
+ qcrypto_pbkdf2(data->hash,
+ (uint8_t *)data->key, data->nkey,
+ (uint8_t *)data->salt, data->nsalt,
+ data->iterations,
+ (uint8_t *)out, nout,
+ &error_abort);
+
+ expect = hex_string((const uint8_t *)data->out, data->nout);
+ actual = hex_string(out, nout);
+
+ g_assert_cmpstr(actual, ==, expect);
+
+ g_free(actual);
+ g_free(expect);
+ g_free(out);
+}
+
+
+static void test_pbkdf_timing(void)
+{
+ uint8_t key[32];
+ uint8_t salt[32];
+ int iters;
+
+ memset(key, 0x5d, sizeof(key));
+ memset(salt, 0x7c, sizeof(salt));
+
+ iters = qcrypto_pbkdf2_count_iters(QCRYPTO_HASH_ALG_SHA256,
+ key, sizeof(key),
+ salt, sizeof(salt),
+ &error_abort);
+
+ g_assert(iters >= (1 << 15));
+}
+
+
+int main(int argc, char **argv)
+{
+ size_t i;
+
+ g_test_init(&argc, &argv, NULL);
+
+ g_assert(qcrypto_init(NULL) == 0);
+
+ for (i = 0; i < G_N_ELEMENTS(test_data); i++) {
+ g_test_add_data_func(test_data[i].path, &test_data[i], test_pbkdf);
+ }
+
+ g_test_add_func("/crypt/pbkdf/timing", test_pbkdf_timing);
+
+ return g_test_run();
+}
+#else
+int main(int argc, char **argv)
+{
+ return 0;
+}
+#endif
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 03/15] crypto: add support for generating initialization vectors
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 01/15] crypto: add cryptographic random byte source Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 02/15] crypto: add support for PBKDF2 algorithm Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 04/15] crypto: add support for anti-forensic split algorithm Daniel P. Berrange
` (11 subsequent siblings)
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
There are a number of different algorithms that can be used
to generate initialization vectors for disk encryption. This
introduces a simple internal QCryptoBlockIV object to provide
a consistent internal API to the different algorithms. The
initially implemented algorithms are 'plain', 'plain64' and
'essiv', each matching the same named algorithm provided
by the Linux kernel dm-crypt driver.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 4 ++
crypto/ivgen-essiv.c | 116 ++++++++++++++++++++++++++++++++
crypto/ivgen-essiv.h | 28 ++++++++
crypto/ivgen-plain.c | 60 +++++++++++++++++
crypto/ivgen-plain.h | 28 ++++++++
crypto/ivgen-plain64.c | 60 +++++++++++++++++
crypto/ivgen-plain64.h | 28 ++++++++
crypto/ivgen.c | 117 ++++++++++++++++++++++++++++++++
crypto/ivgenpriv.h | 47 +++++++++++++
include/crypto/ivgen.h | 167 +++++++++++++++++++++++++++++++++++++++++++++
qapi/crypto.json | 16 +++++
tests/.gitignore | 1 +
tests/Makefile | 2 +
tests/test-crypto-ivgen.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++
14 files changed, 842 insertions(+)
create mode 100644 crypto/ivgen-essiv.c
create mode 100644 crypto/ivgen-essiv.h
create mode 100644 crypto/ivgen-plain.c
create mode 100644 crypto/ivgen-plain.h
create mode 100644 crypto/ivgen-plain64.c
create mode 100644 crypto/ivgen-plain64.h
create mode 100644 crypto/ivgen.c
create mode 100644 crypto/ivgenpriv.h
create mode 100644 include/crypto/ivgen.h
create mode 100644 tests/test-crypto-ivgen.c
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index c1cf45c..a973483 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -10,6 +10,10 @@ crypto-obj-y += tlssession.o
crypto-obj-y += secret.o
crypto-obj-y += random.o
crypto-obj-y += pbkdf.o
+crypto-obj-y += ivgen.o
+crypto-obj-y += ivgen-essiv.o
+crypto-obj-y += ivgen-plain.o
+crypto-obj-y += ivgen-plain64.o
# Let the userspace emulators avoid linking gnutls/etc
crypto-aes-obj-y = aes.o
diff --git a/crypto/ivgen-essiv.c b/crypto/ivgen-essiv.c
new file mode 100644
index 0000000..fad8f95
--- /dev/null
+++ b/crypto/ivgen-essiv.c
@@ -0,0 +1,116 @@
+/*
+ * QEMU Crypto block IV generator - essiv
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgen-essiv.h"
+
+typedef struct QCryptoIVGenESSIV QCryptoIVGenESSIV;
+struct QCryptoIVGenESSIV {
+ QCryptoCipher *cipher;
+ QCryptoCipherAlgorithm cipheralg;
+};
+
+static int qcrypto_ivgen_essiv_init(QCryptoIVGen *ivgen,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ Error **errp)
+{
+ uint8_t *salt;
+ size_t nhash;
+ QCryptoIVGenESSIV *essiv = g_new0(QCryptoIVGenESSIV, 1);
+
+ nhash = qcrypto_hash_digest_len(hash);
+ /* Salt must be larger of hash size or key size */
+ salt = g_new0(uint8_t, nhash > nkey ? nhash : nkey);
+
+ if (qcrypto_hash_bytes(hash, (const gchar*)key, nkey,
+ &salt, &nhash,
+ errp) < 0) {
+ g_free(essiv);
+ return -1;
+ }
+
+ essiv->cipheralg = cipheralg;
+ essiv->cipher = qcrypto_cipher_new(cipheralg,
+ QCRYPTO_CIPHER_MODE_ECB,
+ salt, nkey,
+ errp);
+ if (!essiv->cipher) {
+ g_free(essiv);
+ g_free(salt);
+ return -1;
+ }
+
+ g_free(salt);
+ ivgen->private = essiv;
+
+ return 0;
+}
+
+static int qcrypto_ivgen_essiv_calculate(QCryptoIVGen *ivgen,
+ uint64_t sector,
+ uint8_t *iv, size_t niv,
+ Error **errp)
+{
+ QCryptoIVGenESSIV *essiv = ivgen->private;
+ size_t ndata = qcrypto_cipher_get_block_len(essiv->cipheralg);
+ uint8_t *data = g_new(uint8_t, ndata);
+
+ sector = cpu_to_le64((uint32_t)sector);
+ memcpy(data, (uint8_t *)§or, ndata);
+ if (sizeof(sector) < ndata) {
+ memset(data + sizeof(sector), 0, ndata - sizeof(sector));
+ }
+
+ if (qcrypto_cipher_encrypt(essiv->cipher,
+ data,
+ data,
+ ndata,
+ errp) < 0) {
+ g_free(data);
+ return -1;
+ }
+
+ if (ndata > niv) {
+ ndata = niv;
+ }
+ memcpy(iv, data, ndata);
+ if (ndata < niv) {
+ memset(iv + ndata, 0, niv - ndata);
+ }
+ g_free(data);
+ return 0;
+}
+
+static void qcrypto_ivgen_essiv_cleanup(QCryptoIVGen *ivgen)
+{
+ QCryptoIVGenESSIV *essiv = ivgen->private;
+
+ qcrypto_cipher_free(essiv->cipher);
+ g_free(essiv);
+}
+
+
+struct QCryptoIVGenDriver qcrypto_ivgen_essiv = {
+ qcrypto_ivgen_essiv_init,
+ qcrypto_ivgen_essiv_calculate,
+ qcrypto_ivgen_essiv_cleanup,
+};
+
diff --git a/crypto/ivgen-essiv.h b/crypto/ivgen-essiv.h
new file mode 100644
index 0000000..eed80c1
--- /dev/null
+++ b/crypto/ivgen-essiv.h
@@ -0,0 +1,28 @@
+/*
+ * QEMU Crypto block IV generator - essiv
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgenpriv.h"
+
+#ifndef QCRYPTO_IVGEN_ESSIV_H__
+#define QCRYPTO_IVGEN_ESSIV_H__
+
+extern struct QCryptoIVGenDriver qcrypto_ivgen_essiv;
+
+#endif /* QCRYPTO_IVGEN_ESSIV_H__ */
diff --git a/crypto/ivgen-plain.c b/crypto/ivgen-plain.c
new file mode 100644
index 0000000..784ebc1
--- /dev/null
+++ b/crypto/ivgen-plain.c
@@ -0,0 +1,60 @@
+/*
+ * QEMU Crypto block IV generator - plain
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgen-plain.h"
+
+static int qcrypto_ivgen_plain_init(QCryptoIVGen *ivgen,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ Error **errp)
+{
+ return 0;
+}
+
+static int qcrypto_ivgen_plain_calculate(QCryptoIVGen *ivgen,
+ uint64_t sector,
+ uint8_t *iv, size_t niv,
+ Error **errp)
+{
+ size_t ivprefix;
+ uint32_t shortsector = cpu_to_le32((uint32_t)(sector & 0xffffffff));
+ ivprefix = sizeof(shortsector);
+ if (ivprefix > niv) {
+ ivprefix = niv;
+ }
+ memcpy(iv, &shortsector, ivprefix);
+ if (ivprefix < niv) {
+ memset(iv + ivprefix, 0, niv - ivprefix);
+ }
+ return 0;
+}
+
+static void qcrypto_ivgen_plain_cleanup(QCryptoIVGen *ivgen)
+{
+}
+
+
+struct QCryptoIVGenDriver qcrypto_ivgen_plain = {
+ qcrypto_ivgen_plain_init,
+ qcrypto_ivgen_plain_calculate,
+ qcrypto_ivgen_plain_cleanup,
+};
+
diff --git a/crypto/ivgen-plain.h b/crypto/ivgen-plain.h
new file mode 100644
index 0000000..82c0939
--- /dev/null
+++ b/crypto/ivgen-plain.h
@@ -0,0 +1,28 @@
+/*
+ * QEMU Crypto block IV generator - plain
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgenpriv.h"
+
+#ifndef QCRYPTO_IVGEN_PLAIN_H__
+#define QCRYPTO_IVGEN_PLAIN_H__
+
+extern struct QCryptoIVGenDriver qcrypto_ivgen_plain;
+
+#endif /* QCRYPTO_IVGEN_PLAIN_H__ */
diff --git a/crypto/ivgen-plain64.c b/crypto/ivgen-plain64.c
new file mode 100644
index 0000000..40bbcc2
--- /dev/null
+++ b/crypto/ivgen-plain64.c
@@ -0,0 +1,60 @@
+/*
+ * QEMU Crypto block IV generator - plain
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgen-plain.h"
+
+static int qcrypto_ivgen_plain_init(QCryptoIVGen *ivgen,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ Error **errp)
+{
+ return 0;
+}
+
+static int qcrypto_ivgen_plain_calculate(QCryptoIVGen *ivgen,
+ uint64_t sector,
+ uint8_t *iv, size_t niv,
+ Error **errp)
+{
+ size_t ivprefix;
+ ivprefix = sizeof(sector);
+ sector = cpu_to_le64(sector);
+ if (ivprefix > niv) {
+ ivprefix = niv;
+ }
+ memcpy(iv, §or, ivprefix);
+ if (ivprefix < niv) {
+ memset(iv + ivprefix, 0, niv - ivprefix);
+ }
+ return 0;
+}
+
+static void qcrypto_ivgen_plain_cleanup(QCryptoIVGen *ivgen)
+{
+}
+
+
+struct QCryptoIVGenDriver qcrypto_ivgen_plain64 = {
+ qcrypto_ivgen_plain_init,
+ qcrypto_ivgen_plain_calculate,
+ qcrypto_ivgen_plain_cleanup,
+};
+
diff --git a/crypto/ivgen-plain64.h b/crypto/ivgen-plain64.h
new file mode 100644
index 0000000..031d8f4
--- /dev/null
+++ b/crypto/ivgen-plain64.h
@@ -0,0 +1,28 @@
+/*
+ * QEMU Crypto block IV generator - plain64
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgenpriv.h"
+
+#ifndef QCRYPTO_IVGEN_PLAIN64_H__
+#define QCRYPTO_IVGEN_PLAIN64_H__
+
+extern struct QCryptoIVGenDriver qcrypto_ivgen_plain64;
+
+#endif /* QCRYPTO_IVGEN_PLAIN64_H__ */
diff --git a/crypto/ivgen.c b/crypto/ivgen.c
new file mode 100644
index 0000000..2353660
--- /dev/null
+++ b/crypto/ivgen.c
@@ -0,0 +1,117 @@
+/*
+ * QEMU Crypto block IV generator
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgenpriv.h"
+#include "crypto/ivgen-plain.h"
+#include "crypto/ivgen-plain64.h"
+#include "crypto/ivgen-essiv.h"
+
+
+/**
+ * @qcrypto_ivgen_new:
+ * @alg: the initialization vector generator algorithm
+ * @cipheralg: the cipher algorithm (if applicable)
+ * @hash: the hash algorithm (if applicable)
+ * @key: the encryption key (if applicable)
+ * @nkey: the length of @key in bytes
+ * @errp: pointer to an uninitialized error object
+ *
+ * Create a new initialization vector generator implementing
+ * the algorithm specified in @alg.
+ *
+ * For the ESSIV algorithm, the @cipheralg, @ciphermode
+ * @hash, @key and @nkey parameters are required. For
+ * other algorithms they should be NULL / zero as
+ * appropriate.
+ *
+ * Returns the new IV generator or NULL on error
+ */
+QCryptoIVGen *qcrypto_ivgen_new(QCryptoIVGenAlgorithm alg,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ Error **errp)
+{
+ QCryptoIVGen *ivgen = g_new0(QCryptoIVGen, 1);
+
+
+ switch (alg) {
+ case QCRYPTO_IVGEN_ALG_PLAIN:
+ ivgen->driver = &qcrypto_ivgen_plain;
+ break;
+ case QCRYPTO_IVGEN_ALG_PLAIN64:
+ ivgen->driver = &qcrypto_ivgen_plain64;
+ break;
+ case QCRYPTO_IVGEN_ALG_ESSIV:
+ ivgen->driver = &qcrypto_ivgen_essiv;
+ break;
+ default:
+ error_setg(errp, "Unknown block IV generator algorithm %d", alg);
+ g_free(ivgen);
+ return NULL;
+ }
+
+ if (ivgen->driver->init(ivgen, cipheralg, hash, key, nkey, errp) < 0) {
+ g_free(ivgen);
+ return NULL;
+ }
+
+ return ivgen;
+}
+
+
+/**
+ * qcrypto_ivgen_calculate:
+ * @ivgen: the IV generator object
+ * @sector: the sector number in the volume
+ * @iv: buffer to store the generated IV in
+ * @niv: length of @iv in bytes
+ * @errp: pointer to an uninitialized error object
+ *
+ * Calculate a new initialization vector storing the
+ * result in @iv. The @iv buffer must be pre-allocated
+ * by the caller and @niv provides its length in bytes.
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int qcrypto_ivgen_calculate(QCryptoIVGen *ivgen,
+ uint64_t sector,
+ uint8_t *iv, size_t niv,
+ Error **errp)
+{
+ return ivgen->driver->calculate(ivgen, sector, iv, niv, errp);
+}
+
+
+/**
+ * qcrypto_ivgen_free:
+ * @ivgen: the IV generator object
+ *
+ * Release all resources associated with the
+ * IV generator
+ */
+void qcrypto_ivgen_free(QCryptoIVGen *ivgen)
+{
+ if (!ivgen) {
+ return;
+ }
+ ivgen->driver->cleanup(ivgen);
+ g_free(ivgen);
+}
diff --git a/crypto/ivgenpriv.h b/crypto/ivgenpriv.h
new file mode 100644
index 0000000..f9ebe8a
--- /dev/null
+++ b/crypto/ivgenpriv.h
@@ -0,0 +1,47 @@
+/*
+ * QEMU Crypto block IV generator
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_IVGEN_PRIV_H__
+#define QCRYPTO_IVGEN_PRIV_H__
+
+#include "crypto/ivgen.h"
+
+typedef struct QCryptoIVGenDriver QCryptoIVGenDriver;
+
+struct QCryptoIVGenDriver {
+ int (*init)(QCryptoIVGen *biv,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ Error **errp);
+ int (*calculate)(QCryptoIVGen *biv,
+ uint64_t sector,
+ uint8_t *iv, size_t niv,
+ Error **errp);
+ void (*cleanup)(QCryptoIVGen *biv);
+};
+
+struct QCryptoIVGen {
+ QCryptoIVGenDriver *driver;
+ void *private;
+};
+
+
+#endif /* QCRYPTO_IVGEN_PRIV_H__ */
diff --git a/include/crypto/ivgen.h b/include/crypto/ivgen.h
new file mode 100644
index 0000000..6f8acdd
--- /dev/null
+++ b/include/crypto/ivgen.h
@@ -0,0 +1,167 @@
+/*
+ * QEMU Crypto block IV generator
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_IVGEN_H__
+#define QCRYPTO_IVGEN_H__
+
+#include "crypto/cipher.h"
+#include "crypto/hash.h"
+
+/**
+ * This module provides a framework for generating initialization
+ * vectors for block encryption schemes using chained cipher modes
+ * CBC. The principle is that each disk sector is assigned a unique
+ * initialization vector for use for encryption of data in that
+ * sector.
+ *
+ * <example>
+ * <title>Encrypting block data with initialiation vectors</title>
+ * <programlisting>
+ * uint8_t *data = ....data to encrypt...
+ * size_t ndata = XXX;
+ * uint8_t *key = ....some encryption key...
+ * size_t nkey = XXX;
+ * uint8_t *iv;
+ * size_t niv;
+ * size_t sector = 0;
+ *
+ * g_assert((ndata % 512) == 0);
+ *
+ * QCryptoIVGen *ivgen = qcrypto_ivgen_new(QCRYPTO_IVGEN_ALG_ESSIV,
+ * QCRYPTO_CIPHER_ALG_AES_128,
+ * QCRYPTO_HASH_ALG_SHA256,
+ * key, nkey, errp);
+ * if (!ivgen) {
+ * return -1;
+ * }
+ *
+ * QCryptoCipher *cipher = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_128,
+ * QCRYPTO_CIPHER_MODE_CBC,
+ * key, nkey, errp);
+ * if (!cipher) {
+ * goto error;
+ * }
+ *
+ * niv = qcrypto_cipher_get_iv_len(QCRYPTO_CIPHER_ALG_AES_128,
+ * QCRYPTO_CIPHER_MODE_CBC);
+ * iv = g_new0(uint8_t, niv);
+ *
+ *
+ * while (ndata) {
+ * if (qcrypto_ivgen_calculate(ivgen, sector, iv, niv, errp) < 0) {
+ * goto error;
+ * }
+ * if (qcrypto_cipher_setiv(cipher, iv, niv, errp) < 0) {
+ * goto error;
+ * }
+ * if (qcrypto_cipher_encrypt(cipher,
+ * data + (sector * 512),
+ * data + (sector * 512),
+ * 512, errp) < 0) {
+ * goto error;
+ * }
+ * }
+ *
+ * g_free(iv);
+ * qcrypto_ivgen_free(ivgen);
+ * qcrypto_cipher_free(cipher);
+ * return 0;
+ *
+ *error:
+ * g_free(iv);
+ * qcrypto_ivgen_free(ivgen);
+ * qcrypto_cipher_free(cipher);
+ * return -1;
+ * </programlisting>
+ * </example>
+ */
+
+typedef struct QCryptoIVGen QCryptoIVGen;
+
+/* See also QCryptoIVGenAlgorithm enum in qapi/crypto.json */
+
+
+/**
+ * qcrypto_ivgen_new:
+ * @alg: the initialization vector generation algorithm
+ * @cipheralg: the cipher algorithm or 0
+ * @hash: the hash algorithm or 0,
+ * @key: the encryption key or NULL
+ * @nkey: the size of @key in bytes
+ *
+ * Create a new initialization vector generator that uses
+ * the algorithm @alg. Whether the remaining parameters
+ * are required or not depends on the choice of @alg
+ * requested.
+ *
+ * - QCRYPTO_IVGEN_ALG_PLAIN
+ *
+ * The IVs are generated by the 32-bit truncated sector
+ * number. This should never be used for block devices
+ * that are larger than 2^32 sectors in size
+ * All the other parameters are unused.
+ *
+ * - QCRYPTO_IVGEN_ALG_PLAIN64
+ *
+ * The IVs are generated by the 64-bit sector number.
+ * All the other parameters are unused.
+ *
+ * - QCRYPTO_IVGEN_ALG_ESSIV:
+ *
+ * The IVs are generated by encrypting the 64-bit sector
+ * number with a hash of an encryption key. The @cipheralg,
+ * @hash, @key and @nkey parameters are all required.
+ *
+ * Returns: a new IV generator, or NULL on error
+ */
+QCryptoIVGen *qcrypto_ivgen_new(QCryptoIVGenAlgorithm alg,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoHashAlgorithm hash,
+ const uint8_t *key, size_t nkey,
+ Error **errp);
+
+/**
+ * qcrypto_ivgen_calculate:
+ * @ivgen: the IV generator object
+ * @sector: the 64-bit sector number
+ * @iv: a pre-allocated buffer to hold the generated IV
+ * @niv: the number of bytes in @iv
+ * @errp: pointer to an uninitialized error object
+ *
+ * Calculate a new initialiation vector for the data
+ * to be stored in sector @sector. The IV will be
+ * written into the buffer @iv of size @niv.
+ *
+ * Returns: 0 on success, -1 on error
+ */
+int qcrypto_ivgen_calculate(QCryptoIVGen *ivgen,
+ uint64_t sector,
+ uint8_t *iv, size_t niv,
+ Error **errp);
+
+/**
+ * qcrypto_ivgen_free:
+ * @ivgen: the IV generator object
+ *
+ * Release all resources associated with @ivgen
+ */
+void qcrypto_ivgen_free(QCryptoIVGen *ivgen);
+
+#endif /* QCRYPTO_IVGEN_H__ */
diff --git a/qapi/crypto.json b/qapi/crypto.json
index 4bd690f..48946b0 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -78,3 +78,19 @@
{ 'enum': 'QCryptoCipherMode',
'prefix': 'QCRYPTO_CIPHER_MODE',
'data': ['ecb', 'cbc']}
+
+
+##
+# QCryptoIVGenAlgorithm:
+#
+# The supported algorithms for generating initialization
+# vectors for full disk encryption
+#
+# @plain: 64-bit sector number truncated to 32-bits
+# @plain64: 64-bit sector number
+# @essiv: 64-bit sector number encrypted with a hash of the encryption key
+# Since: 2.6
+##
+{ 'enum': 'QCryptoIVGenAlgorithm',
+ 'prefix': 'QCRYPTO_IVGEN_ALG',
+ 'data': ['plain', 'plain64', 'essiv']}
diff --git a/tests/.gitignore b/tests/.gitignore
index db6b9be..369f848 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -14,6 +14,7 @@ test-blockjob-txn
test-coroutine
test-crypto-cipher
test-crypto-hash
+test-crypto-ivgen
test-crypto-pbkdf
test-crypto-secret
test-crypto-tlscredsx509
diff --git a/tests/Makefile b/tests/Makefile
index 833a290..5fdbaf0 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -93,6 +93,7 @@ check-unit-y += tests/test-io-channel-command$(EXESUF)
check-unit-y += tests/test-io-channel-buffer$(EXESUF)
check-unit-y += tests/test-base64$(EXESUF)
check-unit-y += tests/test-crypto-pbkdf$(EXESUF)
+check-unit-y += tests/test-crypto-ivgen$(EXESUF)
check-block-$(CONFIG_POSIX) += tests/qemu-iotests-quick.sh
@@ -497,6 +498,7 @@ tests/test-io-channel-command$(EXESUF): tests/test-io-channel-command.o \
tests/test-io-channel-buffer$(EXESUF): tests/test-io-channel-buffer.o \
tests/io-channel-helpers.o $(test-io-obj-y)
tests/test-crypto-pbkdf$(EXESUF): tests/test-crypto-pbkdf.o $(test-crypto-obj-y)
+tests/test-crypto-ivgen$(EXESUF): tests/test-crypto-ivgen.o $(test-crypto-obj-y)
libqos-obj-y = tests/libqos/pci.o tests/libqos/fw_cfg.o tests/libqos/malloc.o
libqos-obj-y += tests/libqos/i2c.o tests/libqos/libqos.o
diff --git a/tests/test-crypto-ivgen.c b/tests/test-crypto-ivgen.c
new file mode 100644
index 0000000..3c58e46
--- /dev/null
+++ b/tests/test-crypto-ivgen.c
@@ -0,0 +1,168 @@
+/*
+ * QEMU Crypto IV generator algorithms
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/ivgen.h"
+
+
+struct QCryptoIVGenTestData {
+ const char *path;
+ uint64_t sector;
+ QCryptoIVGenAlgorithm ivalg;
+ QCryptoHashAlgorithm hashalg;
+ QCryptoCipherAlgorithm cipheralg;
+ const uint8_t *key;
+ size_t nkey;
+ const uint8_t *iv;
+ size_t niv;
+} test_data[] = {
+ /* Small */
+ {
+ "/crypto/ivgen/plain/1",
+ .sector = 0x1,
+ .ivalg = QCRYPTO_IVGEN_ALG_PLAIN,
+ .iv = (const uint8_t *)"\x01\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .niv = 16,
+ },
+ /* Big ! */
+ {
+ "/crypto/ivgen/plain/1f2e3d4c",
+ .sector = 0x1f2e3d4cULL,
+ .ivalg = QCRYPTO_IVGEN_ALG_PLAIN,
+ .iv = (const uint8_t *)"\x4c\x3d\x2e\x1f\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .niv = 16,
+ },
+ /* Truncation */
+ {
+ "/crypto/ivgen/plain/1f2e3d4c5b6a7988",
+ .sector = 0x1f2e3d4c5b6a7988ULL,
+ .ivalg = QCRYPTO_IVGEN_ALG_PLAIN,
+ .iv = (const uint8_t *)"\x88\x79\x6a\x5b\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .niv = 16,
+ },
+ /* Small */
+ {
+ "/crypto/ivgen/plain64/1",
+ .sector = 0x1,
+ .ivalg = QCRYPTO_IVGEN_ALG_PLAIN64,
+ .iv = (const uint8_t *)"\x01\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .niv = 16,
+ },
+ /* Big ! */
+ {
+ "/crypto/ivgen/plain64/1f2e3d4c",
+ .sector = 0x1f2e3d4cULL,
+ .ivalg = QCRYPTO_IVGEN_ALG_PLAIN64,
+ .iv = (const uint8_t *)"\x4c\x3d\x2e\x1f\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .niv = 16,
+ },
+ /* No Truncation */
+ {
+ "/crypto/ivgen/plain64/1f2e3d4c5b6a7988",
+ .sector = 0x1f2e3d4c5b6a7988ULL,
+ .ivalg = QCRYPTO_IVGEN_ALG_PLAIN64,
+ .iv = (const uint8_t *)"\x88\x79\x6a\x5b\x4c\x3d\x2e\x1f"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+ .niv = 16,
+ },
+ /* Small */
+ {
+ "/crypto/ivgen/essiv/1",
+ .sector = 0x1,
+ .ivalg = QCRYPTO_IVGEN_ALG_ESSIV,
+ .cipheralg = QCRYPTO_CIPHER_ALG_AES_128,
+ .hashalg = QCRYPTO_HASH_ALG_SHA256,
+ .key = (const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ .nkey = 16,
+ .iv = (const uint8_t *)"\xd4\x83\x71\xb2\xa1\x94\x53\x88"
+ "\x1c\x7a\x2d\06\x2d\x0b\x65\x46",
+ .niv = 16,
+ },
+ /* Big ! */
+ {
+ "/crypto/ivgen/essiv/1f2e3d4c",
+ .sector = 0x1f2e3d4cULL,
+ .ivalg = QCRYPTO_IVGEN_ALG_ESSIV,
+ .cipheralg = QCRYPTO_CIPHER_ALG_AES_128,
+ .hashalg = QCRYPTO_HASH_ALG_SHA256,
+ .key = (const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ .nkey = 16,
+ .iv = (const uint8_t *)"\x5d\x36\x09\x5d\xc6\x9e\x5e\xe9"
+ "\xe3\x02\x8d\xd8\x7a\x3d\xe7\x8f",
+ .niv = 16,
+ },
+ /* No Truncation */
+ {
+ "/crypto/ivgen/essiv/1f2e3d4c5b6a7988",
+ .sector = 0x1f2e3d4c5b6a7988ULL,
+ .ivalg = QCRYPTO_IVGEN_ALG_ESSIV,
+ .cipheralg = QCRYPTO_CIPHER_ALG_AES_128,
+ .hashalg = QCRYPTO_HASH_ALG_SHA256,
+ .key = (const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ .nkey = 16,
+ .iv = (const uint8_t *)"\xe8\x6d\xb9\x11\x17\x7a\x86\xed"
+ "\x7e\xe6\xb2\xe7\xbf\x8f\xa1\x8c",
+ .niv = 16,
+ },
+};
+
+
+static void test_ivgen(const void *opaque)
+{
+ const struct QCryptoIVGenTestData *data = opaque;
+ uint8_t *iv = g_new0(uint8_t, data->niv);
+ QCryptoIVGen *ivgen = qcrypto_ivgen_new(
+ data->ivalg,
+ data->cipheralg,
+ data->hashalg,
+ data->key,
+ data->nkey,
+ &error_abort);
+
+ qcrypto_ivgen_calculate(ivgen,
+ data->sector,
+ iv,
+ data->niv,
+ &error_abort);
+
+ g_assert(memcmp(iv, data->iv, data->niv) == 0);
+
+ qcrypto_ivgen_free(ivgen);
+ g_free(iv);
+}
+
+int main(int argc, char **argv)
+{
+ size_t i;
+ g_test_init(&argc, &argv, NULL);
+ for (i = 0; i < G_N_ELEMENTS(test_data); i++) {
+ g_test_add_data_func(test_data[i].path,
+ &(test_data[i]),
+ test_ivgen);
+ }
+ return g_test_run();
+}
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 04/15] crypto: add support for anti-forensic split algorithm
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (2 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 03/15] crypto: add support for generating initialization vectors Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework Daniel P. Berrange
` (10 subsequent siblings)
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
The LUKS format specifies an anti-forensic split algorithm which
is used to artificially expand the size of the key material on
disk. This is an implementation of that algorithm.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 1 +
crypto/afsplit.c | 194 ++++++++++++++++++++++++++++++++++++++++++++
include/crypto/afsplit.h | 133 ++++++++++++++++++++++++++++++
tests/.gitignore | 1 +
tests/Makefile | 2 +
tests/test-crypto-afsplit.c | 176 ++++++++++++++++++++++++++++++++++++++++
6 files changed, 507 insertions(+)
create mode 100644 crypto/afsplit.c
create mode 100644 include/crypto/afsplit.h
create mode 100644 tests/test-crypto-afsplit.c
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index a973483..1e08a3a 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -14,6 +14,7 @@ crypto-obj-y += ivgen.o
crypto-obj-y += ivgen-essiv.o
crypto-obj-y += ivgen-plain.o
crypto-obj-y += ivgen-plain64.o
+crypto-obj-y += afsplit.o
# Let the userspace emulators avoid linking gnutls/etc
crypto-aes-obj-y = aes.o
diff --git a/crypto/afsplit.c b/crypto/afsplit.c
new file mode 100644
index 0000000..7131622
--- /dev/null
+++ b/crypto/afsplit.c
@@ -0,0 +1,194 @@
+/*
+ * QEMU Crypto anti forensic information splitter
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * Derived from cryptsetup package lib/lusk1/af.c
+ *
+ * Copyright (C) 2004, Clemens Fruhwirth <clemens@endorphin.org>
+ * Copyright (C) 2009-2012, Red Hat, Inc. All rights reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/afsplit.h"
+#include "crypto/random.h"
+
+
+static void qcrypto_afsplit_xor(size_t blocklen,
+ const uint8_t *in1,
+ const uint8_t *in2,
+ uint8_t *out)
+{
+ size_t i;
+ for (i = 0; i < blocklen; i++) {
+ out[i] = in1[i] ^ in2[i];
+ }
+}
+
+
+static int qcrypto_afsplit_hash(QCryptoHashAlgorithm hash,
+ size_t blocklen,
+ uint8_t *block,
+ Error **errp)
+{
+ size_t digestlen = qcrypto_hash_digest_len(hash);
+
+ size_t hashcount = blocklen / digestlen;
+ size_t finallen = blocklen % digestlen;
+ uint32_t i;
+
+ if (finallen) {
+ hashcount++;
+ } else {
+ finallen = blocklen;
+ }
+
+ for (i = 0; i < hashcount; i++) {
+ uint8_t *out = NULL;
+ size_t outlen = 0;
+ uint32_t iv = cpu_to_be32(i);
+ struct iovec in[] = {
+ { .iov_base = &iv,
+ .iov_len = sizeof(iv) },
+ { .iov_base = block + (i * digestlen),
+ .iov_len = (i == (hashcount - 1)) ? finallen : digestlen },
+ };
+
+ if (qcrypto_hash_bytesv(hash,
+ in,
+ G_N_ELEMENTS(in),
+ &out, &outlen,
+ errp) < 0) {
+ return -1;
+ }
+
+ if (outlen != digestlen) {
+ error_setg(errp, "Hash output %zu not %zu",
+ outlen, digestlen);
+ g_free(out);
+ return -1;
+ }
+ memcpy(block + (i * digestlen), out,
+ (i == (hashcount - 1)) ? finallen : digestlen);
+ g_free(out);
+ }
+
+ return 0;
+}
+
+
+/**
+ * qcrypto_afsplit_encode:
+ * @hash: the hash function to use when splitting
+ * @blocklen: the length of @in in bytes
+ * @stripes: the number of stripes to split @in into
+ * @in: the input data, @blocklen bytes
+ * @out: the output data, @blocklen * @stripes bytes
+ * @errp: pointer to an uninitialized error object
+ *
+ * Transform the data (key material) in @in which is @blocklen
+ * bytes long, into data that is (@blocklen * @stripes) bytes
+ * long. The caller is responsible for allocating @out with
+ * @blocklen * @stripes bytes of memory.
+ *
+ * Returns: 0 on success, -1 on error
+ */
+int qcrypto_afsplit_encode(QCryptoHashAlgorithm hash,
+ size_t blocklen,
+ uint32_t stripes,
+ const uint8_t *in,
+ uint8_t *out,
+ Error **errp)
+{
+ uint8_t *block = g_new0(uint8_t, blocklen);
+ size_t i;
+ int ret = -1;
+
+ for (i = 0; i < (stripes - 1); i++) {
+ if (qcrypto_random_bytes(out + (i * blocklen), blocklen, errp) < 0) {
+ goto cleanup;
+ }
+
+ qcrypto_afsplit_xor(blocklen,
+ out + (i * blocklen),
+ block,
+ block);
+ if (qcrypto_afsplit_hash(hash, blocklen, block,
+ errp) < 0) {
+ goto cleanup;
+ }
+ }
+ qcrypto_afsplit_xor(blocklen,
+ in,
+ block,
+ out + (i * blocklen));
+ ret = 0;
+
+ cleanup:
+ g_free(block);
+ return ret;
+}
+
+
+/**
+ * qcrypto_afsplit_decode:
+ * @hash: the hash function to use when splitting
+ * @blocklen: the length of @iout in bytes
+ * @stripes: the number of stripes to split @in into
+ * @in: the input data, @blocklen * @stripes bytes
+ * @out: the output data, @blocklen bytes
+ * @errp: pointer to an uninitialized error object
+ *
+ * Transform the split data in @in which is (@blocklen * @stripes)
+ * bytes long, into the original data (key material) that is
+ * @blocklen bytes long. The caller is responsible for allocating
+ * @out with @blocklen bytes of memory.
+ *
+ * Returns: 0 on success, -1 on error
+ */
+int qcrypto_afsplit_decode(QCryptoHashAlgorithm hash,
+ size_t blocklen,
+ uint32_t stripes,
+ const uint8_t *in,
+ uint8_t *out,
+ Error **errp)
+{
+ uint8_t *block = g_new0(uint8_t, blocklen);
+ size_t i;
+ int ret = -1;
+
+ for (i = 0; i < (stripes - 1); i++) {
+ qcrypto_afsplit_xor(blocklen,
+ in + (i * blocklen),
+ block,
+ block);
+ if (qcrypto_afsplit_hash(hash, blocklen, block,
+ errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ qcrypto_afsplit_xor(blocklen,
+ in + (i * blocklen),
+ block,
+ out);
+
+ ret = 0;
+
+ cleanup:
+ g_free(block);
+ return ret;
+}
diff --git a/include/crypto/afsplit.h b/include/crypto/afsplit.h
new file mode 100644
index 0000000..a331d8a
--- /dev/null
+++ b/include/crypto/afsplit.h
@@ -0,0 +1,133 @@
+/*
+ * QEMU Crypto anti forensic information splitter
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_AFSPLIT_H__
+#define QCRYPTO_AFSPLIT_H__
+
+#include "crypto/hash.h"
+
+/**
+ * This module implements the anti-forensic splitter that is specified
+ * as part of the LUKS format:
+ *
+ * http://clemens.endorphin.org/cryptography
+ * http://clemens.endorphin.org/TKS1-draft.pdf
+ *
+ * The core idea is to take a short piece of data (key material)
+ * and process it to expand it to a much larger piece of data.
+ * The expansion process is reversable, to obtain the original
+ * short data. The key property of the expansion is that if any
+ * byte in the larger data set is changed / missing, it should be
+ * impossible to recreate the original short data.
+ *
+ * <example>
+ * <title>Creating a large split key for storage</title>
+ * <programlisting>
+ * size_t nkey = 32;
+ * uint32_t stripes = 32768; // To produce a 1 MB split key
+ * uint8_t *masterkey = ....a 32-byte AES key...
+ * uint8_t *splitkey;
+ *
+ * splitkey = g_new0(uint8_t, nkey * stripes);
+ *
+ * if (qcrypto_afsplit_encode(QCRYPTO_HASH_ALG_SHA256,
+ * nkey, stripes,
+ * masterkey, splitkey, errp) < 0) {
+ * g_free(splitkey);
+ * g_free(masterkey);
+ * return -1;
+ * }
+ *
+ * ...store splitkey somewhere...
+ *
+ * g_free(splitkey);
+ * g_free(masterkey);
+ * </programlisting>
+ * </example>
+ *
+ * <example>
+ * <title>Retrieving a master key from storage</title>
+ * <programlisting>
+ * size_t nkey = 32;
+ * uint32_t stripes = 32768; // To produce a 1 MB split key
+ * uint8_t *masterkey;
+ * uint8_t *splitkey = .... read in 1 MB of data...
+ *
+ * masterkey = g_new0(uint8_t, nkey);
+ *
+ * if (qcrypto_afsplit_decode(QCRYPTO_HASH_ALG_SHA256,
+ * nkey, stripes,
+ * splitkey, masterkey, errp) < 0) {
+ * g_free(splitkey);
+ * g_free(masterkey);
+ * return -1;
+ * }
+ *
+ * ..decrypt data with masterkey...
+ *
+ * g_free(splitkey);
+ * g_free(masterkey);
+ * </programlisting>
+ * </example>
+ */
+
+/**
+ * qcrypto_afsplit_encode:
+ * @hash: the hash algorithm to use for data expansion
+ * @blocklen: the size of @in in bytes
+ * @stripes: the number of times to expand @in in size
+ * @in: the master key to be expanded in size
+ * @out: preallocted buffer to hold the split key
+ *
+ * Split the data in @in, which is @blocklen bytes in
+ * size, to form a larger piece of data @out, which is
+ * @blocklen * @stripes bytes in size.
+ *
+ * Returns: 0 on success, -1 on error;
+ */
+int qcrypto_afsplit_encode(QCryptoHashAlgorithm hash,
+ size_t blocklen,
+ uint32_t stripes,
+ const uint8_t *in,
+ uint8_t *out,
+ Error **errp);
+
+/**
+ * qcrypto_afsplit_decode:
+ * @hash: the hash algorithm to use for data compression
+ * @blocklen: the size of @out in bytes
+ * @stripes: the number of times to decrease @in in size
+ * @in: the master key to be expanded in size
+ * @out: preallocted buffer to hold the split key
+ *
+ * Join the data in @in, which is @blocklen * @stripes
+ * bytes in size, to form the original small piece o
+ * data @out, which is @blocklen bytes in size.
+ *
+ * Returns: 0 on success, -1 on error;
+ */
+int qcrypto_afsplit_decode(QCryptoHashAlgorithm hash,
+ size_t blocklen,
+ uint32_t stripes,
+ const uint8_t *in,
+ uint8_t *out,
+ Error **errp);
+
+#endif /* QCRYPTO_AFSPLIT_H__ */
diff --git a/tests/.gitignore b/tests/.gitignore
index 369f848..5b97e8c 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -12,6 +12,7 @@ test-base64
test-bitops
test-blockjob-txn
test-coroutine
+test-crypto-afsplit
test-crypto-cipher
test-crypto-hash
test-crypto-ivgen
diff --git a/tests/Makefile b/tests/Makefile
index 5fdbaf0..80847b9 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -94,6 +94,7 @@ check-unit-y += tests/test-io-channel-buffer$(EXESUF)
check-unit-y += tests/test-base64$(EXESUF)
check-unit-y += tests/test-crypto-pbkdf$(EXESUF)
check-unit-y += tests/test-crypto-ivgen$(EXESUF)
+check-unit-y += tests/test-crypto-afsplit$(EXESUF)
check-block-$(CONFIG_POSIX) += tests/qemu-iotests-quick.sh
@@ -499,6 +500,7 @@ tests/test-io-channel-buffer$(EXESUF): tests/test-io-channel-buffer.o \
tests/io-channel-helpers.o $(test-io-obj-y)
tests/test-crypto-pbkdf$(EXESUF): tests/test-crypto-pbkdf.o $(test-crypto-obj-y)
tests/test-crypto-ivgen$(EXESUF): tests/test-crypto-ivgen.o $(test-crypto-obj-y)
+tests/test-crypto-afsplit$(EXESUF): tests/test-crypto-afsplit.o $(test-crypto-obj-y)
libqos-obj-y = tests/libqos/pci.o tests/libqos/fw_cfg.o tests/libqos/malloc.o
libqos-obj-y += tests/libqos/i2c.o tests/libqos/libqos.o
diff --git a/tests/test-crypto-afsplit.c b/tests/test-crypto-afsplit.c
new file mode 100644
index 0000000..da301b8
--- /dev/null
+++ b/tests/test-crypto-afsplit.c
@@ -0,0 +1,176 @@
+/*
+ * QEMU Crypto anti-forensic splitter
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <glib.h>
+
+#include "crypto/init.h"
+#include "crypto/afsplit.h"
+
+typedef struct QCryptoAFSplitTestData QCryptoAFSplitTestData;
+struct QCryptoAFSplitTestData {
+ const char *path;
+ QCryptoHashAlgorithm hash;
+ uint32_t stripes;
+ size_t blocklen;
+ const uint8_t *key;
+ const uint8_t *splitkey;
+};
+
+static QCryptoAFSplitTestData test_data[] = {
+ {
+ .path = "/crypto/afsplit/sha256/5",
+ .hash = QCRYPTO_HASH_ALG_SHA256,
+ .stripes = 5,
+ .blocklen = 32,
+ .key = (const uint8_t *)
+ "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
+ "\xa8\xa9\xaa\xab\xac\xad\xae\xaf",
+ .splitkey = (const uint8_t *)
+ "\xfd\xd2\x73\xb1\x7d\x99\x93\x34"
+ "\x70\xde\xfa\x07\xc5\xac\x58\xd2"
+ "\x30\x67\x2f\x1a\x35\x43\x60\x7d"
+ "\x77\x02\xdb\x62\x3c\xcb\x2c\x33"
+ "\x48\x08\xb6\xf1\x7c\xa3\x20\xa0"
+ "\xad\x2d\x4c\xf3\xcd\x18\x6f\x53"
+ "\xf9\xe8\xe7\x59\x27\x3c\xa9\x54"
+ "\x61\x87\xb3\xaf\xf6\xf7\x7e\x64"
+ "\x86\xaa\x89\x7f\x1f\x9f\xdb\x86"
+ "\xf4\xa2\x16\xff\xa3\x4f\x8c\xa1"
+ "\x59\xc4\x23\x34\x28\xc4\x77\x71"
+ "\x83\xd4\xcd\x8e\x89\x1b\xc7\xc5"
+ "\xae\x4d\xa9\xcd\xc9\x72\x85\x70"
+ "\x13\x68\x52\x83\xfc\xb8\x11\x72"
+ "\xba\x3d\xc6\x4a\x28\xfa\xe2\x86"
+ "\x7b\x27\xab\x58\xe1\xa4\xca\xf6"
+ "\x9e\xbc\xfe\x0c\x92\x79\xb3\xec"
+ "\x1c\x5f\x79\x3b\x0d\x1e\xaa\x1a"
+ "\x77\x0f\x70\x19\x4b\xc8\x80\xee"
+ "\x27\x7c\x6e\x4a\x91\x96\x5c\xf4"
+ },
+ {
+ .path = "/crypto/afsplit/sha256/5000",
+ .hash = QCRYPTO_HASH_ALG_SHA256,
+ .stripes = 5000,
+ .blocklen = 16,
+ .key = (const uint8_t *)
+ "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ },
+ {
+ .path = "/crypto/afsplit/sha1/1000",
+ .hash = QCRYPTO_HASH_ALG_SHA1,
+ .stripes = 1000,
+ .blocklen = 32,
+ .key = (const uint8_t *)
+ "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+ "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
+ "\xa8\xa9\xaa\xab\xac\xad\xae\xaf",
+ },
+};
+
+
+static inline char hex(int i)
+{
+ if (i < 10) {
+ return '0' + i;
+ }
+ return 'a' + (i - 10);
+}
+
+static char *hex_string(const uint8_t *bytes,
+ size_t len)
+{
+ char *hexstr = g_new0(char, len * 2 + 1);
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ hexstr[i*2] = hex((bytes[i] >> 4) & 0xf);
+ hexstr[i*2+1] = hex(bytes[i] & 0xf);
+ }
+ hexstr[len*2] = '\0';
+
+ return hexstr;
+}
+
+static void test_afsplit(const void *opaque)
+{
+ const QCryptoAFSplitTestData *data = opaque;
+ size_t splitlen = data->blocklen * data->stripes;
+ uint8_t *splitkey = g_new0(uint8_t, splitlen);
+ uint8_t *key = g_new0(uint8_t, data->blocklen);
+ gchar *expect, *actual;
+
+ /* First time we round-trip the key */
+ qcrypto_afsplit_encode(data->hash,
+ data->blocklen, data->stripes,
+ data->key, splitkey,
+ &error_abort);
+
+ qcrypto_afsplit_decode(data->hash,
+ data->blocklen, data->stripes,
+ splitkey, key,
+ &error_abort);
+
+ expect = hex_string(data->key, data->blocklen);
+ actual = hex_string(key, data->blocklen);
+
+ g_assert_cmpstr(actual, ==, expect);
+
+ g_free(actual);
+ g_free(expect);
+
+ /* Second time we merely try decoding a previous split */
+ if (data->splitkey) {
+ memset(key, 0, data->blocklen);
+
+ qcrypto_afsplit_decode(data->hash,
+ data->blocklen, data->stripes,
+ data->splitkey, key,
+ &error_abort);
+
+ expect = hex_string(data->key, data->blocklen);
+ actual = hex_string(key, data->blocklen);
+
+ g_assert_cmpstr(actual, ==, expect);
+
+ g_free(actual);
+ g_free(expect);
+ }
+
+ g_free(key);
+ g_free(splitkey);
+}
+
+int main(int argc, char **argv)
+{
+ size_t i;
+
+ g_test_init(&argc, &argv, NULL);
+
+ g_assert(qcrypto_init(NULL) == 0);
+
+ for (i = 0; i < G_N_ELEMENTS(test_data); i++) {
+ g_test_add_data_func(test_data[i].path, &test_data[i], test_afsplit);
+ }
+ return g_test_run();
+}
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (3 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 04/15] crypto: add support for anti-forensic split algorithm Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-13 23:40 ` Eric Blake
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 06/15] crypto: implement the LUKS block encryption format Daniel P. Berrange
` (9 subsequent siblings)
14 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Add a generic framework for support different block encryption
formats. Upon instantiating a QCryptoBlock object, it will read
the encryption header and extract the encryption keys. It is
then possible to call methods to encrypt/decrypt data buffers.
There is also a mode whereby it will create/initialize a new
encryption header on a previously unformatted volume.
The initial framework comes with support for the legacy QCow
AES based encryption. This enables code in the QCow driver to
be consolidated later.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 2 +
crypto/block-qcowaes.c | 165 ++++++++++++++++++++++++++++++++
crypto/block-qcowaes.h | 28 ++++++
crypto/block.c | 254 +++++++++++++++++++++++++++++++++++++++++++++++++
crypto/blockpriv.h | 89 +++++++++++++++++
include/crypto/block.h | 222 ++++++++++++++++++++++++++++++++++++++++++
qapi/crypto.json | 65 +++++++++++++
7 files changed, 825 insertions(+)
create mode 100644 crypto/block-qcowaes.c
create mode 100644 crypto/block-qcowaes.h
create mode 100644 crypto/block.c
create mode 100644 crypto/blockpriv.h
create mode 100644 include/crypto/block.h
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index 1e08a3a..b5b32a6 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -15,6 +15,8 @@ crypto-obj-y += ivgen-essiv.o
crypto-obj-y += ivgen-plain.o
crypto-obj-y += ivgen-plain64.o
crypto-obj-y += afsplit.o
+crypto-obj-y += block.o
+crypto-obj-y += block-qcowaes.o
# Let the userspace emulators avoid linking gnutls/etc
crypto-aes-obj-y = aes.o
diff --git a/crypto/block-qcowaes.c b/crypto/block-qcowaes.c
new file mode 100644
index 0000000..cf8ff50
--- /dev/null
+++ b/crypto/block-qcowaes.c
@@ -0,0 +1,165 @@
+/*
+ * QEMU Crypto block device encryption QCOWAES format
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "config-host.h"
+
+#include "crypto/block-qcowaes.h"
+#include "crypto/secret.h"
+
+static gboolean
+qcrypto_block_qcowaes_has_format(const uint8_t *buf G_GNUC_UNUSED,
+ size_t buf_size G_GNUC_UNUSED)
+{
+ return false;
+}
+
+
+static int
+qcrypto_block_qcowaes_init(QCryptoBlock *block,
+ const char *keyid,
+ Error **errp)
+{
+ char *password;
+ int ret;
+ uint8_t keybuf[16];
+ int len, i;
+
+ memset(keybuf, 0, 16);
+
+ password = qcrypto_secret_lookup_as_utf8(keyid, errp);
+ if (!password) {
+ return -1;
+ }
+
+ len = strlen(password);
+ if (len > 16) {
+ len = 16;
+ }
+ for (i = 0; i < len; i++) {
+ keybuf[i] = password[i];
+ }
+ g_free(password);
+
+ block->niv = qcrypto_cipher_get_iv_len(QCRYPTO_CIPHER_ALG_AES_128,
+ QCRYPTO_CIPHER_MODE_CBC);
+ block->ivgen = qcrypto_ivgen_new(QCRYPTO_IVGEN_ALG_PLAIN64,
+ 0, 0, NULL, 0, errp);
+ if (!block->ivgen) {
+ ret = -ENOTSUP;
+ goto fail;
+ }
+
+ block->cipher = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_128,
+ QCRYPTO_CIPHER_MODE_CBC,
+ keybuf, G_N_ELEMENTS(keybuf),
+ errp);
+ if (!block->cipher) {
+ ret = -ENOTSUP;
+ goto fail;
+ }
+
+ block->payload_offset = 0;
+
+ return 0;
+
+ fail:
+ qcrypto_cipher_free(block->cipher);
+ qcrypto_ivgen_free(block->ivgen);
+ return ret;
+}
+
+
+static int
+qcrypto_block_qcowaes_open(QCryptoBlock *block,
+ QCryptoBlockOpenOptions *options,
+ QCryptoBlockReadFunc readfunc G_GNUC_UNUSED,
+ void *opaque G_GNUC_UNUSED,
+ unsigned int flags,
+ Error **errp)
+{
+ if (flags & QCRYPTO_BLOCK_OPEN_NO_IO) {
+ return 0;
+ } else {
+ if (!options->u.qcowaes->key_id) {
+ error_setg(errp, "Parameter 'key-id' is required to initialize cipher");
+ return -1;
+ }
+ return qcrypto_block_qcowaes_init(block, options->u.qcowaes->key_id, errp);
+ }
+}
+
+
+static int
+qcrypto_block_qcowaes_create(QCryptoBlock *block,
+ QCryptoBlockCreateOptions *options,
+ QCryptoBlockInitFunc initfunc G_GNUC_UNUSED,
+ QCryptoBlockWriteFunc writefunc G_GNUC_UNUSED,
+ void *opaque G_GNUC_UNUSED,
+ Error **errp)
+{
+ if (!options->u.qcowaes->key_id) {
+ error_setg(errp, "Parameter 'key-id' is required to initialize cipher");
+ return -1;
+ }
+ /* QCow2 has no special header, since everything is hardwired */
+ return qcrypto_block_qcowaes_init(block, options->u.qcowaes->key_id, errp);
+}
+
+
+static void
+qcrypto_block_qcowaes_cleanup(QCryptoBlock *block)
+{
+}
+
+
+static int
+qcrypto_block_qcowaes_decrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ return qcrypto_block_decrypt_helper(block->cipher,
+ block->niv, block->ivgen,
+ startsector, buf, len, errp);
+}
+
+
+static int
+qcrypto_block_qcowaes_encrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ return qcrypto_block_encrypt_helper(block->cipher,
+ block->niv, block->ivgen,
+ startsector, buf, len, errp);
+}
+
+
+const QCryptoBlockDriver qcrypto_block_driver_qcowaes = {
+ .open = qcrypto_block_qcowaes_open,
+ .create = qcrypto_block_qcowaes_create,
+ .cleanup = qcrypto_block_qcowaes_cleanup,
+ .decrypt = qcrypto_block_qcowaes_decrypt,
+ .encrypt = qcrypto_block_qcowaes_encrypt,
+ .has_format = qcrypto_block_qcowaes_has_format,
+};
diff --git a/crypto/block-qcowaes.h b/crypto/block-qcowaes.h
new file mode 100644
index 0000000..e43b7e5
--- /dev/null
+++ b/crypto/block-qcowaes.h
@@ -0,0 +1,28 @@
+/*
+ * QEMU Crypto block device encryption QCow AES format
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_BLOCK_QCOWAES_H__
+#define QCRYPTO_BLOCK_QCOWAES_H__
+
+#include "crypto/blockpriv.h"
+
+extern const QCryptoBlockDriver qcrypto_block_driver_qcowaes;
+
+#endif /* QCRYPTO_BLOCK_QCOWAES_H__ */
diff --git a/crypto/block.c b/crypto/block.c
new file mode 100644
index 0000000..657f4a9
--- /dev/null
+++ b/crypto/block.c
@@ -0,0 +1,254 @@
+/*
+ * QEMU Crypto block device encryption
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "crypto/blockpriv.h"
+#include "crypto/block-qcowaes.h"
+
+static const QCryptoBlockDriver *qcrypto_block_drivers[] = {
+ [Q_CRYPTO_BLOCK_FORMAT_QCOWAES] = &qcrypto_block_driver_qcowaes,
+};
+
+
+gboolean qcrypto_block_has_format(QCryptoBlockFormat format,
+ const uint8_t *buf,
+ size_t len)
+{
+ const QCryptoBlockDriver *driver;
+
+ if (format >= G_N_ELEMENTS(qcrypto_block_drivers) ||
+ !qcrypto_block_drivers[format]) {
+ return false;
+ }
+
+ driver = qcrypto_block_drivers[format];
+
+ return driver->has_format(buf, len);
+}
+
+
+QCryptoBlock *qcrypto_block_open(QCryptoBlockOpenOptions *options,
+ QCryptoBlockReadFunc readfunc,
+ void *opaque,
+ unsigned int flags,
+ Error **errp)
+{
+ QCryptoBlock *block = g_new0(QCryptoBlock, 1);
+
+ block->format = options->format;
+
+ if (options->format >= G_N_ELEMENTS(qcrypto_block_drivers) ||
+ !qcrypto_block_drivers[options->format]) {
+ error_setg(errp, "Unsupported block driver %d", options->format);
+ g_free(block);
+ return NULL;
+ }
+
+ block->driver = qcrypto_block_drivers[options->format];
+
+ if (block->driver->open(block, options, readfunc, opaque, flags, errp) < 0) {
+ g_free(block);
+ return NULL;
+ }
+
+ return block;
+}
+
+
+QCryptoBlock *qcrypto_block_create(QCryptoBlockCreateOptions *options,
+ QCryptoBlockInitFunc initfunc,
+ QCryptoBlockWriteFunc writefunc,
+ void *opaque,
+ Error **errp)
+{
+ QCryptoBlock *block = g_new0(QCryptoBlock, 1);
+
+ block->format = options->format;
+
+ if (options->format >= G_N_ELEMENTS(qcrypto_block_drivers) ||
+ !qcrypto_block_drivers[options->format]) {
+ error_setg(errp, "Unsupported block driver %d", options->format);
+ g_free(block);
+ return NULL;
+ }
+
+ block->driver = qcrypto_block_drivers[options->format];
+
+ if (block->driver->create(block, options, initfunc,
+ writefunc, opaque, errp) < 0) {
+ g_free(block);
+ return NULL;
+ }
+
+ return block;
+}
+
+
+int qcrypto_block_decrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ return block->driver->decrypt(block, startsector, buf, len, errp);
+}
+
+
+int qcrypto_block_encrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ return block->driver->encrypt(block, startsector, buf, len, errp);
+}
+
+
+QCryptoCipher *qcrypto_block_get_cipher(QCryptoBlock *block)
+{
+ return block->cipher;
+}
+
+
+QCryptoIVGen *qcrypto_block_get_ivgen(QCryptoBlock *block)
+{
+ return block->ivgen;
+}
+
+
+uint64_t qcrypto_block_get_payload_offset(QCryptoBlock *block)
+{
+ return block->payload_offset;
+}
+
+
+void qcrypto_block_free(QCryptoBlock *block)
+{
+ if (!block) {
+ return;
+ }
+
+ block->driver->cleanup(block);
+
+ g_free(block);
+}
+
+
+int qcrypto_block_decrypt_helper(QCryptoCipher *cipher,
+ size_t niv,
+ QCryptoIVGen *ivgen,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ size_t nsectors = len / 512;
+ size_t i;
+ uint8_t *iv;
+ int ret = -1;
+
+ if (len % 512) {
+ error_setg(errp, "Length %zu must be a multiple of sector size",
+ len);
+ return -1;
+ }
+
+ iv = niv ? g_new0(uint8_t, niv) : NULL;
+
+ for (i = 0; i < nsectors; i++) {
+ if (niv) {
+ if (qcrypto_ivgen_calculate(ivgen,
+ startsector + i,
+ iv, niv,
+ errp) < 0) {
+ goto cleanup;
+ }
+
+ if (qcrypto_cipher_setiv(cipher,
+ iv, niv,
+ errp) < 0) {
+ goto cleanup;
+ }
+ }
+ if (qcrypto_cipher_decrypt(cipher,
+ buf + (i * 512),
+ buf + (i * 512),
+ 512,
+ errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ g_free(iv);
+ return ret;
+}
+
+
+int qcrypto_block_encrypt_helper(QCryptoCipher *cipher,
+ size_t niv,
+ QCryptoIVGen *ivgen,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ size_t nsectors = len / 512;
+ size_t i;
+ uint8_t *iv;
+ int ret = -1;
+
+ if (len % 512) {
+ error_setg(errp, "Length %zu must be a multiple of sector size",
+ len);
+ return -1;
+ }
+
+ iv = niv ? g_new0(uint8_t, niv) : NULL;
+
+ for (i = 0; i < nsectors; i++) {
+ if (niv) {
+ if (qcrypto_ivgen_calculate(ivgen,
+ startsector + i,
+ iv, niv,
+ errp) < 0) {
+ goto cleanup;
+ }
+
+ if (qcrypto_cipher_setiv(cipher,
+ iv, niv,
+ errp) < 0) {
+ goto cleanup;
+ }
+ }
+ if (qcrypto_cipher_encrypt(cipher,
+ buf + (i * 512),
+ buf + (i * 512),
+ 512,
+ errp) < 0) {
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ g_free(iv);
+ return ret;
+}
diff --git a/crypto/blockpriv.h b/crypto/blockpriv.h
new file mode 100644
index 0000000..7ca42c5
--- /dev/null
+++ b/crypto/blockpriv.h
@@ -0,0 +1,89 @@
+/*
+ * QEMU Crypto block device encryption
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_BLOCK_PRIV_H__
+#define QCRYPTO_BLOCK_PRIV_H__
+
+#include "crypto/block.h"
+
+typedef struct QCryptoBlockDriver QCryptoBlockDriver;
+
+struct QCryptoBlock {
+ QCryptoBlockFormat format;
+
+ const QCryptoBlockDriver *driver;
+ void *opaque;
+
+ QCryptoCipher *cipher;
+ QCryptoIVGen *ivgen;
+ size_t niv;
+ uint64_t payload_offset; /* In 512 byte sectors */
+};
+
+struct QCryptoBlockDriver {
+ int (*open)(QCryptoBlock *block,
+ QCryptoBlockOpenOptions *options,
+ QCryptoBlockReadFunc readfunc,
+ void *opaque,
+ unsigned int flags,
+ Error **errp);
+
+ int (*create)(QCryptoBlock *block,
+ QCryptoBlockCreateOptions *options,
+ QCryptoBlockInitFunc initfunc,
+ QCryptoBlockWriteFunc writefunc,
+ void *opaque,
+ Error **errp);
+
+ void (*cleanup)(QCryptoBlock *block);
+
+ int (*encrypt)(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp);
+ int (*decrypt)(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp);
+
+ gboolean (*has_format)(const uint8_t *buf,
+ size_t buflen);
+};
+
+
+int qcrypto_block_decrypt_helper(QCryptoCipher *cipher,
+ size_t niv,
+ QCryptoIVGen *ivgen,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp);
+
+int qcrypto_block_encrypt_helper(QCryptoCipher *cipher,
+ size_t niv,
+ QCryptoIVGen *ivgen,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp);
+
+#endif /* QCRYPTO_BLOCK_PRIV_H__ */
diff --git a/include/crypto/block.h b/include/crypto/block.h
new file mode 100644
index 0000000..e4834b3
--- /dev/null
+++ b/include/crypto/block.h
@@ -0,0 +1,222 @@
+/*
+ * QEMU Crypto block device encryption
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_BLOCK_H__
+#define QCRYPTO_BLOCK_H__
+
+#include "crypto/cipher.h"
+#include "crypto/ivgen.h"
+
+typedef struct QCryptoBlock QCryptoBlock;
+
+/* See also QCryptoBlockFormat, QCryptoBlockCreateOptions
+ * and QCryptoBlockOpenOptions in qapi/crypto.json */
+
+typedef ssize_t (*QCryptoBlockReadFunc)(QCryptoBlock *block,
+ size_t offset,
+ uint8_t *buf,
+ size_t buflen,
+ Error **errp,
+ void *opaque);
+
+typedef ssize_t (*QCryptoBlockInitFunc)(QCryptoBlock *block,
+ size_t headerlen,
+ Error **errp,
+ void *opaque);
+
+typedef ssize_t (*QCryptoBlockWriteFunc)(QCryptoBlock *block,
+ size_t offset,
+ const uint8_t *buf,
+ size_t buflen,
+ Error **errp,
+ void *opaque);
+
+/**
+ * qcrypto_block_has_format:
+ * @format: the encryption format
+ * @buf: the data from head of the volume
+ * @len: the length of @buf in bytes
+ *
+ * Given @len bytes of data from the head of a storage volume
+ * in @buf, probe to determine if the volume has the encryption
+ * format specified in @format.
+ *
+ * Returns: true if the data in @buf matches @format
+ */
+gboolean qcrypto_block_has_format(QCryptoBlockFormat format,
+ const uint8_t *buf,
+ size_t buflen);
+
+typedef enum {
+ QCRYPTO_BLOCK_OPEN_NO_IO = (1 << 0),
+} QCryptoBlockOpenFlags;
+
+/**
+ * qcrypto_block_open:
+ * @options: the encryption options
+ * @readfunc: callback for reading data from the volume
+ * @opaque: data to pass to @readfunc
+ * @flags: bitmask of QCryptoBlockOpenFlags values
+ * @errp: pointer to an uninitialized error object
+ *
+ * Create a new block encryption object for an existing
+ * storage volume encrypted with format identified by
+ * the parameters in @options.
+ *
+ * This will use @readfunc to initialize the encryption
+ * context based on the volume header(s), extracting the
+ * master key(s) as required.
+ *
+ * If @flags contains QCRYPTO_BLOCK_OPEN_NO_IO then
+ * the open process will be optimized to skip any parts
+ * that are only required to perform I/O. In particular
+ * this would usually avoid the need to decrypt any
+ * master keys. The only thing that can be done with
+ * the resulting QCryptoBlock object would be to query
+ * metadata such as the payload offset. There will be
+ * no cipher or ivgen objects available.
+ *
+ * If any part of initializing the encryption context
+ * fails an error will be returned. This could be due
+ * to the volume being in the wrong format, an cipher
+ * or IV generator algorithm that is not supoported,
+ * or incorrect passphrases.
+ *
+ * Returns: a block encryption format, or NULL on error
+ */
+QCryptoBlock *qcrypto_block_open(QCryptoBlockOpenOptions *options,
+ QCryptoBlockReadFunc readfunc,
+ void *opaque,
+ unsigned int flags,
+ Error **errp);
+
+/**
+ * qcrypto_block_create:
+ * @format: the encryption format
+ * @keyid: ID of a QCryptoSecret with key for unlocking master key
+ * @initfunc: callback for initializing volume header
+ * @writefunc: callback for writing data to the volume header
+ * @opaque: data to pass to @initfunc & @writefunc
+ * @errp: pointer to an uninitialized error object
+ *
+ * Create a new block encryption object for initializing
+ * a storage volume to be encrypted with format identified
+ * by the parameters in @options.
+ *
+ * This method will allocate space for a new volume header
+ * using @initfunc and then write header data using @writefunc,
+ * generating new master keys, etc as required. Any existing
+ * data present on the volume will be irrevokably destroyed.
+ *
+ * If any part of initializing the encryption context
+ * fails an error will be returned. This could be due
+ * to the volume being in the wrong format, an cipher
+ * or IV generator algorithm that is not supoported,
+ * or incorrect passphrases.
+ *
+ * Returns: a block encryption format, or NULL on error
+ */
+QCryptoBlock *qcrypto_block_create(QCryptoBlockCreateOptions *options,
+ QCryptoBlockInitFunc initfunc,
+ QCryptoBlockWriteFunc writefunc,
+ void *opaque,
+ Error **errp);
+
+/**
+ * @qcrypto_block_decrypt:
+ * @block: the block encryption object
+ * @startsector: the sector from which @buf was read
+ * @buf: the buffer to decrypt
+ * @len: the length of @buf in bytes
+ * @errp: pointer to an uninitialized error object
+ *
+ * Decrypt @len bytes of cipher text in @buf, writing
+ * plain text back into @buf
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int qcrypto_block_decrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp);
+
+/**
+ * @qcrypto_block_encrypt:
+ * @block: the block encryption object
+ * @startsector: the sector to which @buf will be written
+ * @buf: the buffer to decrypt
+ * @len: the length of @buf in bytes
+ * @errp: pointer to an uninitialized error object
+ *
+ * Encrypt @len bytes of plain text in @buf, writing
+ * cipher text back into @buf
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int qcrypto_block_encrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp);
+
+/**
+ * qcrypto_block_get_cipher:
+ * @block: the block encryption object
+ *
+ * Get the cipher to use for payload encryption
+ *
+ * Returns: the cipher object
+ */
+QCryptoCipher *qcrypto_block_get_cipher(QCryptoBlock *block);
+
+/**
+ * qcrypto_block_get_ivgen:
+ * @block: the block encryption object
+ *
+ * Get the initialization vector generator to use for
+ * payload encryption
+ *
+ * Returns: the IV generator object
+ */
+QCryptoIVGen *qcrypto_block_get_ivgen(QCryptoBlock *block);
+
+/**
+ * qcrypto_block_get_payload_offset:
+ * @block: the block encryption object
+ *
+ * Get the offset to the payload indicated by the
+ * encryption header. The offset is measured in
+ * 512 byte sectors
+ *
+ * Returns: the payload offset in sectors.
+ */
+uint64_t qcrypto_block_get_payload_offset(QCryptoBlock *block);
+
+/**
+ * qcrypto_block_free:
+ * @block: the block encryption object
+ *
+ * Release all resources associated with the encryption
+ * object
+ */
+void qcrypto_block_free(QCryptoBlock *block);
+
+#endif /* QCRYPTO_BLOCK_H__ */
diff --git a/qapi/crypto.json b/qapi/crypto.json
index 48946b0..07b9b46 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -94,3 +94,68 @@
{ 'enum': 'QCryptoIVGenAlgorithm',
'prefix': 'QCRYPTO_IVGEN_ALG',
'data': ['plain', 'plain64', 'essiv']}
+
+##
+# QCryptoBlockFormat:
+#
+# The supported full disk encryption formats
+#
+# @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
+#
+# Since: 2.6
+##
+{ 'enum': 'QCryptoBlockFormat',
+# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
+ 'data': ['qcowaes']}
+
+##
+# QCryptoBlockOptionsBase:
+#
+# The common options that apply to all full disk
+# encryption formats
+#
+# @format: the encryption format
+#
+# Since: 2.6
+##
+{ 'struct': 'QCryptoBlockOptionsBase',
+ 'data': { 'format': 'QCryptoBlockFormat' }}
+
+##
+# QCryptoBlockOptionsQCowAES:
+#
+# The options that apply to QCow AES encryption format
+#
+# @key-id: the ID of a QCryptoSecret object providing the decryption key
+#
+# Since: 2.6
+##
+{ 'struct': 'QCryptoBlockOptionsQCowAES',
+ 'data': { '*key-id': 'str' }}
+
+##
+# QCryptoBlockOpenOptions:
+#
+# The options that are available for all encryption formats
+# when opening an existing volume
+#
+# Since: 2.6
+##
+{ 'union': 'QCryptoBlockOpenOptions',
+ 'base': 'QCryptoBlockOptionsBase',
+ 'discriminator': 'format',
+ 'data': { 'qcowaes': 'QCryptoBlockOptionsQCowAES' } }
+
+
+##
+# QCryptoBlockCreateOptions:
+#
+# The options that are available for all encryption formats
+# when initializing a new volume
+#
+# Since: 2.6
+##
+{ 'union': 'QCryptoBlockCreateOptions',
+ 'base': 'QCryptoBlockOptionsBase',
+ 'discriminator': 'format',
+ 'data': { 'qcowaes': 'QCryptoBlockOptionsQCowAES' } }
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 06/15] crypto: implement the LUKS block encryption format
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (4 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-13 23:43 ` Eric Blake
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 07/15] block: add flag to indicate that no I/O will be performed Daniel P. Berrange
` (8 subsequent siblings)
14 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Provide a block encryption implementation that follows the
LUKS/dm-crypt specification.
This supports all combinations of hash, cipher algorithm,
cipher mode and iv generator that are implemented by the
current crypto layer.
The notable missing feature is support for the 'xts'
cipher mode, which is commonly used for disk encryption
instead of 'cbc'. This is because it is not provided by
either nettle or libgcrypt. A suitable implementation
will be identified & integrated later.
There is support for opening existing volumes formatted
by dm-crypt, and for formatting new volumes. In the latter
case it will only use key slot 0.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
crypto/Makefile.objs | 1 +
crypto/block-luks.c | 1092 ++++++++++++++++++++++++++++++++++++++++++++++++++
crypto/block-luks.h | 28 ++
crypto/block.c | 2 +
qapi/crypto.json | 42 +-
5 files changed, 1162 insertions(+), 3 deletions(-)
create mode 100644 crypto/block-luks.c
create mode 100644 crypto/block-luks.h
diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index b5b32a6..c65880f 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -17,6 +17,7 @@ crypto-obj-y += ivgen-plain64.o
crypto-obj-y += afsplit.o
crypto-obj-y += block.o
crypto-obj-y += block-qcowaes.o
+crypto-obj-y += block-luks.o
# Let the userspace emulators avoid linking gnutls/etc
crypto-aes-obj-y = aes.o
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
new file mode 100644
index 0000000..dbe107c
--- /dev/null
+++ b/crypto/block-luks.c
@@ -0,0 +1,1092 @@
+/*
+ * QEMU Crypto block device encryption LUKS format
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "config-host.h"
+
+#include "crypto/block-luks.h"
+
+#include "crypto/hash.h"
+#include "crypto/afsplit.h"
+#include "crypto/pbkdf.h"
+#include "crypto/secret.h"
+#include "crypto/random.h"
+
+#ifdef CONFIG_UUID
+#include <uuid/uuid.h>
+#endif
+
+#include "qemu/coroutine.h"
+
+/*
+ * Reference for format is
+ *
+ * docs/on-disk-format.pdf
+ *
+ * In 'cryptsetup' package source code
+ *
+ */
+
+typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
+typedef struct QCryptoBlockLUKSHeader QCryptoBlockLUKSHeader;
+typedef struct QCryptoBlockLUKSKeySlot QCryptoBlockLUKSKeySlot;
+
+#define QCRYPTO_BLOCK_LUKS_VERSION 1
+
+#define QCRYPTO_BLOCK_LUKS_MAGIC_LEN 6
+#define QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN 32
+#define QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN 32
+#define QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN 32
+#define QCRYPTO_BLOCK_LUKS_DIGEST_LEN 20
+#define QCRYPTO_BLOCK_LUKS_SALT_LEN 32
+#define QCRYPTO_BLOCK_LUKS_UUID_LEN 40
+#define QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS 8
+#define QCRYPTO_BLOCK_LUKS_STRIPES 4000
+#define QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS 1000
+#define QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS 1000
+#define QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET 4096
+
+#define QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED 0x0000DEAD
+#define QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED 0x00AC71F3
+
+static const char qcrypto_block_luks_magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN] = {
+ 'L', 'U', 'K', 'S', 0xBA, 0xBE
+};
+
+typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
+struct QCryptoBlockLUKSNameMap {
+ const char *name;
+ int id;
+};
+
+typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
+struct QCryptoBlockLUKSCipherSizeMap {
+ uint32_t key_bytes;
+ int id;
+};
+typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
+struct QCryptoBlockLUKSCipherNameMap {
+ const char *name;
+ const QCryptoBlockLUKSCipherSizeMap *sizes;
+};
+
+
+static const QCryptoBlockLUKSCipherSizeMap
+qcrypto_block_luks_cipher_size_map_aes[] = {
+ { 16, QCRYPTO_CIPHER_ALG_AES_128 },
+ { 24, QCRYPTO_CIPHER_ALG_AES_192 },
+ { 32, QCRYPTO_CIPHER_ALG_AES_256 },
+ { 0, 0 },
+};
+
+static const QCryptoBlockLUKSCipherNameMap
+qcrypto_block_luks_cipher_name_map[] = {
+ { "aes", qcrypto_block_luks_cipher_size_map_aes, },
+};
+
+
+struct QCryptoBlockLUKSKeySlot {
+ /* state of keyslot, enabled/disable */
+ uint32_t active;
+ /* iterations for PBKDF2 */
+ uint32_t iterations;
+ /* salt for PBKDF2 */
+ uint8_t salt[QCRYPTO_BLOCK_LUKS_SALT_LEN];
+ /* start sector of key material */
+ uint32_t key_offset;
+ /* number of anti-forensic stripes */
+ uint32_t stripes;
+} QEMU_PACKED;
+
+struct QCryptoBlockLUKSHeader {
+ /* 'L', 'U', 'K', 'S', '0xBA', '0xBE' */
+ char magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN];
+
+ /* LUKS version, currently 1 */
+ uint16_t version;
+
+ /* cipher name specification (aes, etc */
+ char cipher_name[QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN];
+
+ /* cipher mode specification () */
+ char cipher_mode[QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN];
+
+ /* hash specication () */
+ char hash_spec[QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN];
+
+ /* start offset of the volume data (in sectors) */
+ uint32_t payload_offset;
+
+ /* Number of key bytes */
+ uint32_t key_bytes;
+
+ /* master key checksum after PBKDF2 */
+ uint8_t master_key_digest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
+
+ /* salt for master key PBKDF2 */
+ uint8_t master_key_salt[QCRYPTO_BLOCK_LUKS_SALT_LEN];
+
+ /* iterations for master key PBKDF2 */
+ uint32_t master_key_iterations;
+
+ /* UUID of the partition */
+ uint8_t uuid[QCRYPTO_BLOCK_LUKS_UUID_LEN];
+
+ /* key slots */
+ QCryptoBlockLUKSKeySlot key_slots[QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS];
+} QEMU_PACKED;
+
+struct QCryptoBlockLUKS {
+ QCryptoBlockLUKSHeader header;
+};
+
+
+static int qcrypto_block_luks_cipher_name_lookup(const char *name,
+ uint32_t key_bytes,
+ Error **errp)
+{
+ const QCryptoBlockLUKSCipherNameMap *map =
+ qcrypto_block_luks_cipher_name_map;
+ size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
+ size_t i, j;
+ for (i = 0; i < maplen; i++) {
+ if (!g_str_equal(map[i].name, name)) {
+ continue;
+ }
+ for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
+ if (map[i].sizes[j].key_bytes == key_bytes) {
+ return map[i].sizes[j].id;
+ }
+ }
+ }
+
+ error_setg(errp, "Algorithm %s with key size %d bytes not supported",
+ name, key_bytes);
+ return 0;
+}
+
+/* XXX doesn't QEMU already have a string -> enum val convertor ? */
+static int qcrypto_block_luks_name_lookup(const char *name,
+ const char *const *map,
+ size_t maplen,
+ const char *type,
+ Error **errp)
+{
+ size_t i;
+ for (i = 0; i < maplen; i++) {
+ if (g_str_equal(map[i], name)) {
+ return i;
+ }
+ }
+
+ error_setg(errp, "%s %s not supported", type, name);
+ return 0;
+}
+
+#define qcrypto_block_luks_cipher_mode_lookup(name, errp) \
+ qcrypto_block_luks_name_lookup(name, \
+ QCryptoCipherMode_lookup, \
+ QCRYPTO_CIPHER_MODE__MAX, \
+ "Cipher mode", \
+ errp)
+
+#define qcrypto_block_luks_hash_name_lookup(name, errp) \
+ qcrypto_block_luks_name_lookup(name, \
+ QCryptoHashAlgorithm_lookup, \
+ QCRYPTO_HASH_ALG__MAX, \
+ "Hash algorithm", \
+ errp)
+
+#define qcrypto_block_luks_ivgen_name_lookup(name, errp) \
+ qcrypto_block_luks_name_lookup(name, \
+ QCryptoIVGenAlgorithm_lookup, \
+ QCRYPTO_IVGEN_ALG__MAX, \
+ "IV generator", \
+ errp)
+
+
+static gboolean
+qcrypto_block_luks_has_format(const uint8_t *buf,
+ size_t buf_size)
+{
+ const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
+
+ if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
+ memcmp(luks_header->magic, qcrypto_block_luks_magic,
+ QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
+ be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
+ return true;
+ } else {
+ return false;
+ }
+}
+
+
+/*
+ * Given a key slot, and user password, this will attempt to unlock
+ * the master encryption key from the key slot
+ */
+static int
+qcrypto_block_luks_load_key(QCryptoBlock *block,
+ QCryptoBlockLUKSKeySlot *slot,
+ const char *password,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoCipherMode ciphermode,
+ QCryptoHashAlgorithm hash,
+ QCryptoIVGenAlgorithm ivalg,
+ QCryptoHashAlgorithm ivhash,
+ uint8_t *masterkey,
+ size_t masterkeylen,
+ QCryptoBlockReadFunc readfunc,
+ void *opaque,
+ Error **errp)
+{
+ QCryptoBlockLUKS *luks = block->opaque;
+ uint8_t *splitkey;
+ size_t splitkeylen;
+ uint8_t *possiblekey;
+ int ret = -1;
+ ssize_t rv;
+ QCryptoCipher *cipher = NULL;
+ uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
+ QCryptoIVGen *ivgen = NULL;
+ size_t niv;
+
+ if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
+ return 0;
+ }
+
+ splitkeylen = masterkeylen * slot->stripes;
+ splitkey = g_new0(uint8_t, splitkeylen);
+ possiblekey = g_new0(uint8_t, masterkeylen);
+
+ /*
+ * The user password is used to generate a (possible)
+ * decryption key. This may or may not successfully
+ * decrypt the master key - we just blindly assume
+ * the key is correct and validate the results of
+ * decryption later.
+ */
+ if (qcrypto_pbkdf2(hash,
+ (const uint8_t *)password, strlen(password),
+ slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ slot->iterations,
+ possiblekey, masterkeylen,
+ errp) < 0) {
+ goto cleanup;
+ }
+
+ /*
+ * We need to read the master key material from the
+ * LUKS key material header. What we're reading is
+ * not the raw master key, but rather the data after
+ * it has been passed through AFSplit and the result
+ * then encrypted.
+ */
+ rv = readfunc(block,
+ slot->key_offset * 512ll,
+ splitkey, splitkeylen,
+ errp,
+ opaque);
+ if (rv < 0) {
+ goto cleanup;
+ }
+
+
+ /* Setup the cipher/ivgen that we'll use to try to decrypt
+ * the split master key material */
+ cipher = qcrypto_cipher_new(cipheralg, ciphermode,
+ possiblekey, masterkeylen,
+ errp);
+ if (!cipher) {
+ goto cleanup;
+ }
+
+ niv = qcrypto_cipher_get_iv_len(cipheralg,
+ ciphermode);
+ ivgen = qcrypto_ivgen_new(ivalg,
+ cipheralg,
+ ivhash,
+ possiblekey, masterkeylen,
+ errp);
+ if (!ivgen) {
+ goto cleanup;
+ }
+
+
+ /*
+ * The master key needs to be decrypted in the same
+ * way that the block device payload will be decrypted
+ * later. In particular we'll be using the IV generator
+ * to reset the encryption cipher every time the master
+ * key crosses a sector boundary.
+ */
+ if (qcrypto_block_decrypt_helper(cipher,
+ niv,
+ ivgen,
+ 0,
+ splitkey,
+ splitkeylen,
+ errp) < 0) {
+ goto cleanup;
+ }
+
+ /*
+ * Now we're decrypted the split master key, join
+ * it back together to get the actual master key.
+ */
+ if (qcrypto_afsplit_decode(hash,
+ masterkeylen,
+ slot->stripes,
+ splitkey,
+ masterkey,
+ errp) < 0) {
+ goto cleanup;
+ }
+
+
+ /*
+ * We still don't know that the masterkey we got is valid,
+ * because we just blindly assumed the user's password
+ * was correct. This is where we now verify it. We are
+ * creating a hash of the master key using PBKDF and
+ * then comparing that to the hash stored in the key slot
+ * header
+ */
+ if (qcrypto_pbkdf2(hash,
+ masterkey, masterkeylen,
+ luks->header.master_key_salt,
+ QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ luks->header.master_key_iterations,
+ keydigest, G_N_ELEMENTS(keydigest),
+ errp) < 0) {
+ goto cleanup;
+ }
+
+ if (memcmp(keydigest, luks->header.master_key_digest,
+ QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
+ /* Success, we got the right master key */
+ return 1;
+ }
+
+ /* Fail, user's password was not valid for this key slot,
+ * tell caller to try another slot */
+ ret = 0;
+
+ cleanup:
+ qcrypto_ivgen_free(ivgen);
+ qcrypto_cipher_free(cipher);
+ g_free(splitkey);
+ g_free(possiblekey);
+ return ret;
+}
+
+
+/*
+ * Given a user password, this will iterate over all key
+ * slots and try to unlock each active key slot using the
+ * password until it successfully obtains a master key.
+ */
+static int
+qcrypto_block_luks_find_key(QCryptoBlock *block,
+ const char *password,
+ QCryptoCipherAlgorithm cipheralg,
+ QCryptoCipherMode ciphermode,
+ QCryptoHashAlgorithm hash,
+ QCryptoIVGenAlgorithm ivalg,
+ QCryptoHashAlgorithm ivhash,
+ uint8_t **masterkey,
+ size_t *masterkeylen,
+ QCryptoBlockReadFunc readfunc,
+ void *opaque,
+ Error **errp)
+{
+ QCryptoBlockLUKS *luks = block->opaque;
+ size_t i;
+ int rv;
+
+ *masterkey = g_new0(uint8_t, luks->header.key_bytes);
+ *masterkeylen = luks->header.key_bytes;
+
+ for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
+ rv = qcrypto_block_luks_load_key(block,
+ &luks->header.key_slots[i],
+ password,
+ cipheralg,
+ ciphermode,
+ hash,
+ ivalg,
+ ivhash,
+ *masterkey,
+ *masterkeylen,
+ readfunc,
+ opaque,
+ errp);
+ if (rv < 0) {
+ goto error;
+ }
+ if (rv == 1) {
+ return 0;
+ }
+ }
+
+ error_setg(errp, "Invalid password, cannot unlock any keyslot");
+
+ error:
+ g_free(*masterkey);
+ *masterkey = NULL;
+ *masterkeylen = 0;
+ return -1;
+}
+
+
+static int
+qcrypto_block_luks_open(QCryptoBlock *block,
+ QCryptoBlockOpenOptions *options,
+ QCryptoBlockReadFunc readfunc,
+ void *opaque,
+ unsigned int flags,
+ Error **errp)
+{
+ QCryptoBlockLUKS *luks;
+ Error *local_err = NULL;
+ int ret = 0;
+ size_t i;
+ ssize_t rv;
+ uint8_t *masterkey = NULL;
+ size_t masterkeylen;
+ char *ivgen_name, *ivhash_name;
+ QCryptoCipherMode ciphermode;
+ QCryptoCipherAlgorithm cipheralg;
+ QCryptoIVGenAlgorithm ivalg;
+ QCryptoHashAlgorithm hash;
+ QCryptoHashAlgorithm ivhash;
+ char *password = NULL;
+
+ if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
+ if (!options->u.luks->key_id) {
+ error_setg(errp, "Parameter 'key-id' is required to unlock master key");
+ return -1;
+ }
+ password = qcrypto_secret_lookup_as_utf8(options->u.luks->key_id, errp);
+ if (!password) {
+ return -1;
+ }
+ }
+
+ luks = g_new0(QCryptoBlockLUKS, 1);
+ block->opaque = luks;
+
+ /* Read the entire LUKS header, minus the key material from
+ * the underling device */
+ rv = readfunc(block, 0,
+ (uint8_t *)&luks->header,
+ sizeof(luks->header),
+ errp,
+ opaque);
+ if (rv < 0) {
+ ret = rv;
+ goto fail;
+ }
+
+ /* The header is always stored in big-endian format, so
+ * convert everything to native */
+ be16_to_cpus(&luks->header.version);
+ be32_to_cpus(&luks->header.payload_offset);
+ be32_to_cpus(&luks->header.key_bytes);
+ be32_to_cpus(&luks->header.master_key_iterations);
+
+ for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
+ be32_to_cpus(&luks->header.key_slots[i].active);
+ be32_to_cpus(&luks->header.key_slots[i].iterations);
+ be32_to_cpus(&luks->header.key_slots[i].key_offset);
+ be32_to_cpus(&luks->header.key_slots[i].stripes);
+ }
+
+ if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
+ QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
+ error_setg(errp, "Volume is not in LUKS format");
+ ret = -EINVAL;
+ goto fail;
+ }
+ if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
+ error_setg(errp, "LUKS version %" PRIu32 " is not supported",
+ luks->header.version);
+ ret = -ENOTSUP;
+ goto fail;
+ }
+
+ /*
+ * The cipher_mode header contains a string that we have
+ * to further parse of the format
+ *
+ * <cipher-mode>-<iv-generator>[:<iv-hash>]
+ *
+ * eg cbc-essiv:sha256, cbc-plain64
+ */
+ ivgen_name = strchr(luks->header.cipher_mode, '-');
+ if (!ivgen_name) {
+ ret = -EINVAL;
+ error_setg(errp, "Unexpected cipher mode string format %s",
+ luks->header.cipher_mode);
+ goto fail;
+ }
+ *ivgen_name = '\0';
+ ivgen_name++;
+
+ ivhash_name = strchr(ivgen_name, ':');
+ if (!ivhash_name) {
+ ivhash = 0;
+ } else {
+ *ivhash_name = '\0';
+ ivhash_name++;
+
+ ivhash = qcrypto_block_luks_hash_name_lookup(ivhash_name,
+ &local_err);
+ if (local_err) {
+ ret = -ENOTSUP;
+ error_propagate(errp, local_err);
+ goto fail;
+ }
+ }
+
+ ciphermode = qcrypto_block_luks_cipher_mode_lookup(luks->header.cipher_mode,
+ &local_err);
+ if (local_err) {
+ ret = -ENOTSUP;
+ error_propagate(errp, local_err);
+ goto fail;
+ }
+
+ cipheralg = qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
+ luks->header.key_bytes,
+ &local_err);
+ if (local_err) {
+ ret = -ENOTSUP;
+ error_propagate(errp, local_err);
+ goto fail;
+ }
+
+ hash = qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
+ &local_err);
+ if (local_err) {
+ ret = -ENOTSUP;
+ error_propagate(errp, local_err);
+ goto fail;
+ }
+
+ ivalg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
+ &local_err);
+ if (local_err) {
+ ret = -ENOTSUP;
+ error_propagate(errp, local_err);
+ goto fail;
+ }
+
+
+ if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
+ /* Try to find which key slot our password is valid for
+ * and unlock the master key from that slot.
+ */
+ if (qcrypto_block_luks_find_key(block,
+ password,
+ cipheralg, ciphermode,
+ hash,
+ ivalg,
+ ivhash,
+ &masterkey, &masterkeylen,
+ readfunc, opaque,
+ errp) < 0) {
+ ret = -EACCES;
+ goto fail;
+ }
+
+ /* We have a valid master key now, so can setup the
+ * block device payload decryption objects
+ */
+ block->niv = qcrypto_cipher_get_iv_len(cipheralg,
+ ciphermode);
+ block->ivgen = qcrypto_ivgen_new(ivalg,
+ cipheralg,
+ hash,
+ masterkey, masterkeylen,
+ errp);
+ if (!block->ivgen) {
+ ret = -ENOTSUP;
+ goto fail;
+ }
+
+ block->cipher = qcrypto_cipher_new(cipheralg,
+ ciphermode,
+ masterkey, masterkeylen,
+ errp);
+ if (!block->cipher) {
+ ret = -ENOTSUP;
+ goto fail;
+ }
+ }
+
+ block->payload_offset = luks->header.payload_offset;
+
+ g_free(masterkey);
+ g_free(password);
+
+ return 0;
+
+ fail:
+ g_free(masterkey);
+ qcrypto_cipher_free(block->cipher);
+ qcrypto_ivgen_free(block->ivgen);
+ g_free(luks);
+ g_free(password);
+ return ret;
+}
+
+
+static int
+qcrypto_block_luks_create(QCryptoBlock *block,
+ QCryptoBlockCreateOptions *options,
+ QCryptoBlockInitFunc initfunc,
+ QCryptoBlockWriteFunc writefunc,
+ void *opaque,
+ Error **errp)
+{
+ QCryptoBlockLUKS *luks;
+ QCryptoBlockCreateOptionsLUKS luks_opts;
+ Error *local_err = NULL;
+ uint8_t *masterkey = NULL;
+ uint8_t *slotkey = NULL;
+ uint8_t *splitkey = NULL;
+ size_t splitkeylen = NULL;
+ size_t i;
+ QCryptoCipher *cipher = NULL;
+ QCryptoIVGen *ivgen = NULL;
+ char *password;
+ const char *cipher_alg;
+ const char *cipher_mode;
+ const char *ivgen_alg;
+ const char *ivgen_hash_alg = NULL;
+ const char *hash_alg;
+ char *cipher_mode_spec = NULL;
+ uuid_t uuid;
+
+ memcpy(&luks_opts, options->u.luks, sizeof(luks_opts));
+ if (!luks_opts.has_cipher_alg) {
+ luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
+ }
+ if (!luks_opts.has_cipher_mode) {
+ /* XXX switch to XTS */
+ luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_CBC;
+ }
+ if (!luks_opts.has_ivgen_alg) {
+ luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_ESSIV;
+ }
+ if (!luks_opts.has_hash_alg) {
+ luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
+ }
+
+ if (!options->u.luks->key_id) {
+ error_setg(errp, "Parameter 'key-id' is required to create master key");
+ return -1;
+ }
+ password = qcrypto_secret_lookup_as_utf8(luks_opts.key_id, errp);
+ if (!password) {
+ return -1;
+ }
+
+ luks = g_new0(QCryptoBlockLUKS, 1);
+ block->opaque = luks;
+
+ memcpy(luks->header.magic, qcrypto_block_luks_magic,
+ QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
+
+ luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
+ uuid_generate(uuid);
+ uuid_unparse(uuid, (char *)luks->header.uuid);
+
+ switch (luks_opts.cipher_alg) {
+ case QCRYPTO_CIPHER_ALG_AES_128:
+ case QCRYPTO_CIPHER_ALG_AES_192:
+ case QCRYPTO_CIPHER_ALG_AES_256:
+ cipher_alg = "aes";
+ break;
+ default:
+ error_setg(errp, "Cipher algorithm is not supported");
+ goto error;
+ }
+
+ cipher_mode = QCryptoCipherMode_lookup[luks_opts.cipher_mode];
+ ivgen_alg = QCryptoIVGenAlgorithm_lookup[luks_opts.ivgen_alg];
+ if (luks_opts.has_ivgen_hash_alg) {
+ ivgen_hash_alg = QCryptoHashAlgorithm_lookup[luks_opts.ivgen_hash_alg];
+ cipher_mode_spec = g_strdup_printf("%s-%s: %s", cipher_mode, ivgen_alg,
+ ivgen_hash_alg);
+ } else {
+ cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
+ }
+ hash_alg = QCryptoHashAlgorithm_lookup[luks_opts.hash_alg];
+
+
+ if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
+ error_setg(errp, "Cipher name '%s' is too long for LUKS header",
+ cipher_alg);
+ goto error;
+ }
+ if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
+ error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
+ cipher_mode_spec);
+ goto error;
+ }
+ if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
+ error_setg(errp, "Hash name '%s' is too long for LUKS header",
+ hash_alg);
+ goto error;
+ }
+
+ memcpy(luks->header.cipher_name, cipher_alg,
+ strlen(cipher_alg) + 1);
+ memcpy(luks->header.cipher_mode, cipher_mode_spec,
+ strlen(cipher_mode_spec) + 1);
+ memcpy(luks->header.hash_spec, hash_alg,
+ strlen(hash_alg) + 1);
+
+ luks->header.key_bytes = qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
+
+ /* Generate the salt used for hashing the master key
+ * with PBKDF later
+ */
+ if (qcrypto_random_bytes(luks->header.master_key_salt,
+ QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ errp) < 0) {
+ goto error;
+ }
+
+ /* Generate random master key */
+ masterkey = g_new0(uint8_t, luks->header.key_bytes);
+ if (qcrypto_random_bytes(masterkey,
+ luks->header.key_bytes, errp) < 0) {
+ goto error;
+ }
+
+
+ /* Setup the block device payload encryption objects */
+ block->cipher = qcrypto_cipher_new(luks_opts.cipher_alg,
+ luks_opts.cipher_mode,
+ masterkey, luks->header.key_bytes,
+ errp);
+ if (!block->cipher) {
+ goto error;
+ }
+
+ block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
+ luks_opts.cipher_mode);
+ block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
+ luks_opts.cipher_alg,
+ luks_opts.ivgen_hash_alg,
+ masterkey, luks->header.key_bytes,
+ errp);
+
+ if (!block->ivgen) {
+ goto error;
+ }
+
+
+ /* Determine how many iterations we need to hash the master
+ * key with in order to have 1 second of compute time used
+ */
+ luks->header.master_key_iterations =
+ qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
+ masterkey, luks->header.key_bytes,
+ luks->header.master_key_salt,
+ QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ &local_err);
+ if (local_err) {
+ error_propagate(errp, local_err);
+ goto error;
+ }
+
+ /* Why /= 8 ? That matches cryptsetup, but there's no
+ * explanation why they chose /= 8... */
+ luks->header.master_key_iterations /= 8;
+ luks->header.master_key_iterations = MAX(
+ luks->header.master_key_iterations,
+ QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
+
+
+ /* Hash the master key, saving the result in the LUKS
+ * header. This hash is used when opening the encrypted
+ * device to verify that the user password unlocked a
+ * valid master key
+ */
+ if (qcrypto_pbkdf2(luks_opts.hash_alg,
+ masterkey, luks->header.key_bytes,
+ luks->header.master_key_salt,
+ QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ luks->header.master_key_iterations,
+ luks->header.master_key_digest,
+ QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
+ errp) < 0) {
+ goto error;
+ }
+
+
+ /* Although LUKS has multiple key slots, we're just going
+ * to use the first key slot */
+
+ splitkeylen = luks->header.key_bytes * QCRYPTO_BLOCK_LUKS_STRIPES;
+ for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
+ luks->header.key_slots[i].active = i == 0 ?
+ QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED :
+ QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
+ luks->header.key_slots[i].stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
+ luks->header.key_slots[i].key_offset =
+ (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 512) +
+ (ROUND_UP(((splitkeylen + 511) / 512),
+ (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 512)) * i);
+ }
+
+ if (qcrypto_random_bytes(luks->header.key_slots[0].salt,
+ QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ errp) < 0) {
+ goto error;
+ }
+
+ /* Again we determine how many iterations are required to
+ * hash the user password while consuming 1 second of compute
+ * time */
+ luks->header.key_slots[0].iterations =
+ qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
+ (uint8_t *)password, strlen(password),
+ luks->header.key_slots[0].salt,
+ QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ &local_err);
+ if (local_err) {
+ error_propagate(errp, local_err);
+ goto error;
+ }
+ /* Why /= 2 ? That matches cryptsetup, but there's no
+ * explanation why they chose /= 2... */
+ luks->header.key_slots[0].iterations /= 2;
+ luks->header.key_slots[0].iterations = MAX(
+ luks->header.key_slots[0].iterations,
+ QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
+
+
+ /* Generate a key that we'll use to encrypt the master
+ * key, from the user's password
+ */
+ slotkey = g_new0(uint8_t, luks->header.key_bytes);
+ if (qcrypto_pbkdf2(luks_opts.hash_alg,
+ (uint8_t *)password, strlen(password),
+ luks->header.key_slots[0].salt,
+ QCRYPTO_BLOCK_LUKS_SALT_LEN,
+ luks->header.key_slots[0].iterations,
+ slotkey, luks->header.key_bytes,
+ errp) < 0) {
+ goto error;
+ }
+
+
+ /* Setup the encryption objects needed to encrypt the
+ * master key material
+ */
+ cipher = qcrypto_cipher_new(luks_opts.cipher_alg,
+ luks_opts.cipher_mode,
+ slotkey, luks->header.key_bytes,
+ errp);
+ if (!cipher) {
+ goto error;
+ }
+
+ ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
+ luks_opts.cipher_alg,
+ luks_opts.ivgen_hash_alg,
+ slotkey, luks->header.key_bytes,
+ errp);
+ if (!ivgen) {
+ goto error;
+ }
+
+ /* Before storing the master key, we need to vastly
+ * increase its size, as protection against forensic
+ * disk data recovery */
+ splitkey = g_new0(uint8_t, splitkeylen);
+
+ if (qcrypto_afsplit_encode(luks_opts.hash_alg,
+ luks->header.key_bytes,
+ luks->header.key_slots[0].stripes,
+ masterkey,
+ splitkey,
+ errp) < 0) {
+ goto error;
+ }
+
+ /* Now we encrypt the split master key with the key generated
+ * from the user's password, before storing it */
+ if (qcrypto_block_encrypt_helper(cipher, block->niv, ivgen,
+ 0,
+ splitkey,
+ splitkeylen,
+ errp) < 0) {
+ goto error;
+ }
+
+
+
+ /* The total size of the LUKS headers is the partition header + key
+ * slot headers, rounded up to the nearest sector, combined with
+ * the size of each master key material region, also rounded up
+ * to the nearest sector */
+ luks->header.payload_offset =
+ (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 512) +
+ (ROUND_UP(((splitkeylen + 511) / 512),
+ (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / 512)) *
+ QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
+
+ block->payload_offset = luks->header.payload_offset;
+
+ /* Reserve header space to match payload offset */
+ initfunc(block, block->payload_offset * 512, &local_err, opaque);
+ if (local_err) {
+ error_propagate(errp, local_err);
+ goto error;
+ }
+
+ /* Everything on disk uses Big Endian, so flip header fields
+ * before writing them */
+ cpu_to_be16s(&luks->header.version);
+ cpu_to_be32s(&luks->header.payload_offset);
+ cpu_to_be32s(&luks->header.key_bytes);
+ cpu_to_be32s(&luks->header.master_key_iterations);
+
+ for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
+ cpu_to_be32s(&luks->header.key_slots[i].active);
+ cpu_to_be32s(&luks->header.key_slots[i].iterations);
+ cpu_to_be32s(&luks->header.key_slots[i].key_offset);
+ cpu_to_be32s(&luks->header.key_slots[i].stripes);
+ }
+
+
+ /* Write out the partition header and key slot headers */
+ writefunc(block, 0,
+ (const uint8_t *)&luks->header,
+ sizeof(luks->header),
+ &local_err,
+ opaque);
+
+ /* Delay checking local_err until we've byte-swapped */
+
+ /* Byte swap the header back to native, in case we need
+ * to read it again later */
+ be16_to_cpus(&luks->header.version);
+ be32_to_cpus(&luks->header.payload_offset);
+ be32_to_cpus(&luks->header.key_bytes);
+ be32_to_cpus(&luks->header.master_key_iterations);
+
+ for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
+ be32_to_cpus(&luks->header.key_slots[i].active);
+ be32_to_cpus(&luks->header.key_slots[i].iterations);
+ be32_to_cpus(&luks->header.key_slots[i].key_offset);
+ be32_to_cpus(&luks->header.key_slots[i].stripes);
+ }
+
+ if (local_err) {
+ error_propagate(errp, local_err);
+ goto error;
+ }
+
+ /* Write out the master key material, starting at the
+ * sector immediately following the partition header. */
+ if (writefunc(block,
+ luks->header.key_slots[0].key_offset * 512,
+ splitkey, splitkeylen,
+ errp,
+ opaque) != splitkeylen) {
+ goto error;
+ }
+
+ memset(masterkey, 0, luks->header.key_bytes);
+ g_free(masterkey);
+ memset(slotkey, 0, luks->header.key_bytes);
+ g_free(slotkey);
+ g_free(password);
+ g_free(cipher_mode_spec);
+
+ return 0;
+
+ error:
+ if (masterkey) {
+ memset(masterkey, 0, luks->header.key_bytes);
+ }
+ g_free(masterkey);
+ if (slotkey) {
+ memset(slotkey, 0, luks->header.key_bytes);
+ }
+ g_free(slotkey);
+ g_free(password);
+ g_free(cipher_mode_spec);
+
+ qcrypto_ivgen_free(ivgen);
+ qcrypto_cipher_free(cipher);
+
+ g_free(luks);
+ return -1;
+}
+
+
+static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
+{
+ g_free(block->opaque);
+}
+
+
+static int
+qcrypto_block_luks_decrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ return qcrypto_block_decrypt_helper(block->cipher,
+ block->niv, block->ivgen,
+ startsector, buf, len, errp);
+}
+
+
+static int
+qcrypto_block_luks_encrypt(QCryptoBlock *block,
+ uint64_t startsector,
+ uint8_t *buf,
+ size_t len,
+ Error **errp)
+{
+ return qcrypto_block_encrypt_helper(block->cipher,
+ block->niv, block->ivgen,
+ startsector, buf, len, errp);
+}
+
+
+const QCryptoBlockDriver qcrypto_block_driver_luks = {
+ .open = qcrypto_block_luks_open,
+ .create = qcrypto_block_luks_create,
+ .cleanup = qcrypto_block_luks_cleanup,
+ .decrypt = qcrypto_block_luks_decrypt,
+ .encrypt = qcrypto_block_luks_encrypt,
+ .has_format = qcrypto_block_luks_has_format,
+};
diff --git a/crypto/block-luks.h b/crypto/block-luks.h
new file mode 100644
index 0000000..0dd5261
--- /dev/null
+++ b/crypto/block-luks.h
@@ -0,0 +1,28 @@
+/*
+ * QEMU Crypto block device encryption LUKS format
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef QCRYPTO_BLOCK_LUKS_H__
+#define QCRYPTO_BLOCK_LUKS_H__
+
+#include "crypto/blockpriv.h"
+
+extern const QCryptoBlockDriver qcrypto_block_driver_luks;
+
+#endif /* QCRYPTO_BLOCK_LUKS_H__ */
diff --git a/crypto/block.c b/crypto/block.c
index 657f4a9..11a9dfc 100644
--- a/crypto/block.c
+++ b/crypto/block.c
@@ -20,9 +20,11 @@
#include "crypto/blockpriv.h"
#include "crypto/block-qcowaes.h"
+#include "crypto/block-luks.h"
static const QCryptoBlockDriver *qcrypto_block_drivers[] = {
[Q_CRYPTO_BLOCK_FORMAT_QCOWAES] = &qcrypto_block_driver_qcowaes,
+ [Q_CRYPTO_BLOCK_FORMAT_LUKS] = &qcrypto_block_driver_luks,
};
diff --git a/qapi/crypto.json b/qapi/crypto.json
index 07b9b46..dc45352 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -101,12 +101,13 @@
# The supported full disk encryption formats
#
# @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
+# @luks: LUKS encryption format. Recommended
#
# Since: 2.6
##
{ 'enum': 'QCryptoBlockFormat',
# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
- 'data': ['qcowaes']}
+ 'data': ['qcowaes', 'luks']}
##
# QCryptoBlockOptionsBase:
@@ -134,6 +135,39 @@
'data': { '*key-id': 'str' }}
##
+# QCryptoBlockOptionsLUKS:
+#
+# The options that apply to LUKS encryption format
+#
+# @key-id: the ID of a QCryptoSecret object providing the decryption key
+# Since: 2.6
+##
+{ 'struct': 'QCryptoBlockOptionsLUKS',
+ 'data': { '*key-id': 'str' }}
+
+
+##
+# QCryptoBlockCreateOptionsLUKS:
+#
+# The options that apply to LUKS encryption format initialization
+#
+# @cipher-alg: (optional) the cipher algorithm for data encryption
+# @cipher-mode: (optional) the cipher mode for data encryption
+# @ivgen-alg: (optional) the initialization vector generator
+# @ivgen-hash-alg: (optional) the initialization vector generator hash
+# @hash-alg: (optional) the master key hash algorithm
+# Since: 2.6
+##
+{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
+ 'base': 'QCryptoBlockOptionsLUKS',
+ 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
+ '*cipher-mode': 'QCryptoCipherMode',
+ '*ivgen-alg': 'QCryptoIVGenAlgorithm',
+ '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
+ '*hash-alg': 'QCryptoHashAlgorithm'}}
+
+
+##
# QCryptoBlockOpenOptions:
#
# The options that are available for all encryption formats
@@ -144,7 +178,8 @@
{ 'union': 'QCryptoBlockOpenOptions',
'base': 'QCryptoBlockOptionsBase',
'discriminator': 'format',
- 'data': { 'qcowaes': 'QCryptoBlockOptionsQCowAES' } }
+ 'data': { 'qcowaes': 'QCryptoBlockOptionsQCowAES',
+ 'luks': 'QCryptoBlockOptionsLUKS' } }
##
@@ -158,4 +193,5 @@
{ 'union': 'QCryptoBlockCreateOptions',
'base': 'QCryptoBlockOptionsBase',
'discriminator': 'format',
- 'data': { 'qcowaes': 'QCryptoBlockOptionsQCowAES' } }
+ 'data': { 'qcowaes': 'QCryptoBlockOptionsQCowAES',
+ 'luks': 'QCryptoBlockCreateOptionsLUKS' } }
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 07/15] block: add flag to indicate that no I/O will be performed
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (5 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 06/15] crypto: implement the LUKS block encryption format Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-13 17:44 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 08/15] block: add generic full disk encryption driver Daniel P. Berrange
` (7 subsequent siblings)
14 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
When opening an image it is useful to know whether the caller
intends to perform I/O on the image or not. In the case of
encrypted images this will allow the block driver to avoid
having to prompt for decryption keys when we merely want to
query header metadata about the image. eg qemu-img info
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
include/block/block.h | 1 +
qemu-img.c | 33 +++++++++++++++++----------------
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/include/block/block.h b/include/block/block.h
index c96923d..73ffbd5 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -91,6 +91,7 @@ typedef struct HDGeometry {
#define BDRV_O_PROTOCOL 0x8000 /* if no block driver is explicitly given:
select an appropriate protocol driver,
ignoring the format layer */
+#define BDRV_O_NO_IO 0x10000 /* don't initialize for I/O */
#define BDRV_O_CACHE_MASK (BDRV_O_NOCACHE | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH)
diff --git a/qemu-img.c b/qemu-img.c
index afe88ed..e965e7d 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -267,7 +267,7 @@ static BlockBackend *img_open_opts(const char *id,
static BlockBackend *img_open_file(const char *id, const char *filename,
const char *fmt, int flags,
- bool require_io, bool quiet)
+ bool quiet)
{
BlockBackend *blk;
BlockDriverState *bs;
@@ -289,7 +289,7 @@ static BlockBackend *img_open_file(const char *id, const char *filename,
}
bs = blk_bs(blk);
- if (bdrv_is_encrypted(bs) && require_io) {
+ if (bdrv_is_encrypted(bs) && !(flags & BDRV_O_NO_IO)) {
qprintf(quiet, "Disk image '%s' is encrypted.\n", filename);
if (qemu_read_password(password, sizeof(password)) < 0) {
error_report("No password given");
@@ -683,7 +683,7 @@ static int img_check(int argc, char **argv)
}
blk = img_open_opts("image", opts, flags);
} else {
- blk = img_open_file("image", filename, fmt, flags, true, quiet);
+ blk = img_open_file("image", filename, fmt, flags, quiet);
}
if (!blk) {
return 1;
@@ -888,7 +888,7 @@ static int img_commit(int argc, char **argv)
}
blk = img_open_opts("image", opts, flags);
} else {
- blk = img_open_file("image", filename, fmt, flags, true, quiet);
+ blk = img_open_file("image", filename, fmt, flags, quiet);
}
if (!blk) {
return 1;
@@ -1250,13 +1250,13 @@ static int img_compare(int argc, char **argv)
goto out3;
}
} else {
- blk1 = img_open_file("image_1", filename1, fmt1, flags, true, quiet);
+ blk1 = img_open_file("image_1", filename1, fmt1, flags, quiet);
if (!blk1) {
ret = 2;
goto out3;
}
- blk2 = img_open_file("image_2", filename2, fmt2, flags, true, quiet);
+ blk2 = img_open_file("image_2", filename2, fmt2, flags, quiet);
if (!blk2) {
ret = 2;
goto out2;
@@ -1936,7 +1936,7 @@ static int img_convert(int argc, char **argv)
blk[bs_i] = img_open_opts(id, opts, src_flags);
} else {
blk[bs_i] = img_open_file(id, argv[optind + bs_i], fmt, src_flags,
- true, quiet);
+ quiet);
}
g_free(id);
if (!blk[bs_i]) {
@@ -2086,7 +2086,7 @@ static int img_convert(int argc, char **argv)
* the bdrv_create() call which takes different params
*/
out_blk = img_open_file("target", out_filename,
- out_fmt, flags, true, quiet);
+ out_fmt, flags, quiet);
if (!out_blk) {
ret = -1;
goto out;
@@ -2290,12 +2290,13 @@ static ImageInfoList *collect_image_info_list(bool image_opts,
goto err;
}
blk = img_open_opts("image", opts,
- BDRV_O_FLAGS | BDRV_O_NO_BACKING);
+ BDRV_O_FLAGS | BDRV_O_NO_BACKING |
+ BDRV_O_NO_IO);
opts = NULL;
} else {
blk = img_open_file("image", filename, fmt,
- BDRV_O_FLAGS | BDRV_O_NO_BACKING,
- false, false);
+ BDRV_O_FLAGS | BDRV_O_NO_BACKING |
+ BDRV_O_NO_IO, false);
}
if (!blk) {
goto err;
@@ -2612,7 +2613,7 @@ static int img_map(int argc, char **argv)
}
blk = img_open_opts("image", opts, BDRV_O_FLAGS);
} else {
- blk = img_open_file("image", filename, fmt, BDRV_O_FLAGS, true, false);
+ blk = img_open_file("image", filename, fmt, BDRV_O_FLAGS, false);
}
if (!blk) {
return 1;
@@ -2769,7 +2770,7 @@ static int img_snapshot(int argc, char **argv)
}
blk = img_open_opts("image", opts, bdrv_oflags);
} else {
- blk = img_open_file("image", filename, NULL, bdrv_oflags, true, quiet);
+ blk = img_open_file("image", filename, NULL, bdrv_oflags, quiet);
}
if (!blk) {
return 1;
@@ -2955,7 +2956,7 @@ static int img_rebase(int argc, char **argv)
}
blk = img_open_opts("image", opts, flags);
} else {
- blk = img_open_file("image", filename, fmt, flags, true, quiet);
+ blk = img_open_file("image", filename, fmt, flags, quiet);
}
if (!blk) {
ret = -1;
@@ -3309,7 +3310,7 @@ static int img_resize(int argc, char **argv)
blk = img_open_opts("image", opts, BDRV_O_FLAGS | BDRV_O_RDWR);
} else {
blk = img_open_file("image", filename, fmt, BDRV_O_FLAGS | BDRV_O_RDWR,
- true, quiet);
+ quiet);
}
if (!blk) {
ret = -1;
@@ -3480,7 +3481,7 @@ static int img_amend(int argc, char **argv)
}
blk = img_open_opts("image", opts, BDRV_O_FLAGS | BDRV_O_RDWR);
} else {
- blk = img_open_file("image", filename, fmt, flags, true, quiet);
+ blk = img_open_file("image", filename, fmt, flags, quiet);
}
if (!blk) {
ret = -1;
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 08/15] block: add generic full disk encryption driver
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (6 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 07/15] block: add flag to indicate that no I/O will be performed Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-13 23:47 ` Eric Blake
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 09/15] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
` (6 subsequent siblings)
14 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format.
At this time, the "luks" driver is registered. New LUKS
compatible volume can be formatted using qemu-img
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-id=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info --object secret,data=123456,id=sec0 --source demo.luks,driver=luks,keyid=sec0
image: json:{"key-id": "sec0", "driver": "luks", "file": {"driver": "file", "filename": "demo.luks"}}
file format: luks
virtual size: 10.0G (10737416192 bytes)
disk size: 132K
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
With this initial impl, not all volumes created with
dm-crypt can be opened by the QEMU 'luks' driver. This
is due to lack of support for certain algorithms, in
particular the 'xts' cipher mode. These limitations will
be addressed in a later series of patches, with the
intent that QEMU should be able to open anything that
dm-crypt LUKS supports.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block/Makefile.objs | 2 +
block/fde.c | 538 +++++++++++++++++++++++++++++++++++++++++++++++++++
qapi/block-core.json | 18 +-
3 files changed, 557 insertions(+), 1 deletion(-)
create mode 100644 block/fde.c
diff --git a/block/Makefile.objs b/block/Makefile.objs
index 58ef2ef..4f997c9 100644
--- a/block/Makefile.objs
+++ b/block/Makefile.objs
@@ -23,6 +23,8 @@ block-obj-$(CONFIG_LIBSSH2) += ssh.o
block-obj-y += accounting.o
block-obj-y += write-threshold.o
+block-obj-y += fde.o
+
common-obj-y += stream.o
common-obj-y += commit.o
common-obj-y += backup.o
diff --git a/block/fde.c b/block/fde.c
new file mode 100644
index 0000000..ec588a6
--- /dev/null
+++ b/block/fde.c
@@ -0,0 +1,538 @@
+/*
+ * QEMU block full disk encryption
+ *
+ * Copyright (c) 2015 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "config-host.h"
+
+#include "block/block_int.h"
+#include "crypto/block.h"
+#include "qapi/opts-visitor.h"
+#include "qapi-visit.h"
+
+#define FDE_OPT_LUKS_KEY_ID "key-id"
+#define FDE_OPT_LUKS_CIPHER_ALG "cipher-alg"
+#define FDE_OPT_LUKS_CIPHER_MODE "cipher-mode"
+#define FDE_OPT_LUKS_IVGEN_ALG "ivgen-alg"
+#define FDE_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
+#define FDE_OPT_LUKS_HASH_ALG "hash-alg"
+
+typedef struct QBlockFDE QBlockFDE;
+
+struct QBlockFDE {
+ QCryptoBlock *block;
+ CoMutex lock;
+};
+
+
+static int qblock_fde_probe_generic(QCryptoBlockFormat format,
+ const uint8_t *buf,
+ int buf_size,
+ const char *filename)
+{
+ if (qcrypto_block_has_format(format,
+ buf, buf_size)) {
+ return 100;
+ } else {
+ return 0;
+ }
+}
+
+
+static ssize_t qblock_fde_read_func(QCryptoBlock *block,
+ size_t offset,
+ uint8_t *buf,
+ size_t buflen,
+ Error **errp,
+ void *opaque)
+{
+ BlockDriverState *bs = opaque;
+ ssize_t ret;
+
+ ret = bdrv_pread(bs->file->bs, offset, buf, buflen);
+ if (ret < 0) {
+ error_setg_errno(errp, -ret, "Could not read encryption header");
+ return ret;
+ }
+ return ret;
+}
+
+
+static ssize_t qblock_fde_write_func(QCryptoBlock *block,
+ size_t offset,
+ const uint8_t *buf,
+ size_t buflen,
+ Error **errp,
+ void *opaque)
+{
+ BlockDriverState *bs = opaque;
+ ssize_t ret;
+
+ ret = bdrv_pwrite(bs, offset, buf, buflen);
+ if (ret < 0) {
+ error_setg_errno(errp, -ret, "Could not write encryption header");
+ return ret;
+ }
+ return ret;
+}
+
+
+static ssize_t qblock_fde_init_func(QCryptoBlock *block,
+ size_t headerlen,
+ Error **errp,
+ void *opaque)
+{
+ /* We don't need to do anything special to reserve space */
+ return 0;
+}
+
+
+static QemuOptsList qblock_fde_runtime_opts_luks = {
+ .name = "fde",
+ .head = QTAILQ_HEAD_INITIALIZER(qblock_fde_runtime_opts_luks.head),
+ .desc = {
+ {
+ .name = FDE_OPT_LUKS_KEY_ID,
+ .type = QEMU_OPT_STRING,
+ .help = "ID of the secret that provides the encryption key",
+ },
+ { /* end of list */ }
+ },
+};
+
+
+static QemuOptsList qblock_fde_create_opts_luks = {
+ .name = "fde",
+ .head = QTAILQ_HEAD_INITIALIZER(qblock_fde_create_opts_luks.head),
+ .desc = {
+ {
+ .name = BLOCK_OPT_SIZE,
+ .type = QEMU_OPT_SIZE,
+ .help = "Virtual disk size"
+ },
+ {
+ .name = FDE_OPT_LUKS_KEY_ID,
+ .type = QEMU_OPT_STRING,
+ .help = "ID of the secret that provides the encryption key",
+ },
+ {
+ .name = FDE_OPT_LUKS_CIPHER_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of encryption cipher algorithm",
+ },
+ {
+ .name = FDE_OPT_LUKS_CIPHER_MODE,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of encryption cipher mode",
+ },
+ {
+ .name = FDE_OPT_LUKS_IVGEN_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of IV generator algorithm",
+ },
+ {
+ .name = FDE_OPT_LUKS_IVGEN_HASH_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of IV generator hash algorithm",
+ },
+ {
+ .name = FDE_OPT_LUKS_HASH_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of encryption hash algorithm",
+ },
+ { /* end of list */ }
+ },
+};
+
+
+static QCryptoBlockOpenOptions *
+qblock_fde_open_opts_init(QCryptoBlockFormat format,
+ QemuOpts *opts,
+ Error **errp)
+{
+ OptsVisitor *ov;
+ QCryptoBlockOpenOptions *ret;
+ Error *local_err = NULL;
+
+ ret = g_new0(QCryptoBlockOpenOptions, 1);
+ ret->format = format;
+
+ ov = opts_visitor_new(opts);
+
+ switch (format) {
+ case Q_CRYPTO_BLOCK_FORMAT_LUKS:
+ ret->u.luks = g_new0(QCryptoBlockOptionsLUKS, 1);
+ visit_type_QCryptoBlockOptionsLUKS(opts_get_visitor(ov),
+ &ret->u.luks, "luks", &local_err);
+ break;
+
+ default:
+ error_setg(&local_err, "Unsupported block format %d", format);
+ break;
+ }
+
+ if (local_err) {
+ error_propagate(errp, local_err);
+ opts_visitor_cleanup(ov);
+ qapi_free_QCryptoBlockOpenOptions(ret);
+ return NULL;
+ }
+
+ opts_visitor_cleanup(ov);
+ return ret;
+}
+
+
+static QCryptoBlockCreateOptions *
+qblock_fde_create_opts_init(QCryptoBlockFormat format,
+ QemuOpts *opts,
+ Error **errp)
+{
+ OptsVisitor *ov;
+ QCryptoBlockCreateOptions *ret;
+ Error *local_err = NULL;
+
+ ret = g_new0(QCryptoBlockCreateOptions, 1);
+ ret->format = format;
+
+ ov = opts_visitor_new(opts);
+
+ switch (format) {
+ case Q_CRYPTO_BLOCK_FORMAT_LUKS:
+ ret->u.luks = g_new0(QCryptoBlockCreateOptionsLUKS, 1);
+ visit_type_QCryptoBlockCreateOptionsLUKS(
+ opts_get_visitor(ov),
+ &ret->u.luks, "luks", &local_err);
+ break;
+
+ default:
+ error_setg(&local_err, "Unsupported block format %d", format);
+ break;
+ }
+
+ if (local_err) {
+ error_propagate(errp, local_err);
+ opts_visitor_cleanup(ov);
+ qapi_free_QCryptoBlockCreateOptions(ret);
+ return NULL;
+ }
+
+ opts_visitor_cleanup(ov);
+ return ret;
+}
+
+
+static int qblock_fde_open_generic(QCryptoBlockFormat format,
+ QemuOptsList *opts_spec,
+ BlockDriverState *bs,
+ QDict *options,
+ int flags,
+ Error **errp)
+{
+ QBlockFDE *fde = bs->opaque;
+ QemuOpts *opts = NULL;
+ Error *local_err = NULL;
+ int ret = -EINVAL;
+ QCryptoBlockOpenOptions *open_opts = NULL;
+ unsigned int cflags = 0;
+
+ opts = qemu_opts_create(opts_spec, NULL, 0, &error_abort);
+ qemu_opts_absorb_qdict(opts, options, &local_err);
+ if (local_err) {
+ error_propagate(errp, local_err);
+ goto cleanup;
+ }
+
+ open_opts = qblock_fde_open_opts_init(format, opts, errp);
+ if (!open_opts) {
+ goto cleanup;
+ }
+
+ if (flags & BDRV_O_NO_IO) {
+ cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
+ }
+ fde->block = qcrypto_block_open(open_opts,
+ qblock_fde_read_func,
+ bs,
+ cflags,
+ errp);
+
+ if (!fde->block) {
+ ret = -EIO;
+ goto cleanup;
+ }
+
+ qemu_co_mutex_init(&fde->lock);
+
+ ret = 0;
+ cleanup:
+ qapi_free_QCryptoBlockOpenOptions(open_opts);
+ return ret;
+}
+
+
+static int qblock_fde_create_generic(QCryptoBlockFormat format,
+ const char *filename,
+ QemuOpts *opts,
+ Error **errp)
+{
+ int ret = -EINVAL;
+ QCryptoBlockCreateOptions *create_opts = NULL;
+ BlockDriverState *bs = NULL;
+ QCryptoBlock *fde = NULL;
+ uint64_t size = 0;
+
+ size = ROUND_UP(qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0),
+ BDRV_SECTOR_SIZE);
+
+ create_opts = qblock_fde_create_opts_init(format, opts, errp);
+ if (!create_opts) {
+ return -1;
+ }
+
+ /* XXX Should we treat size as being total physical size
+ * of the image (ie payload + encryption header), or just
+ * the logical size of the image (ie payload). If the latter
+ * then we need to extend 'size' to include the header
+ * size */
+ qemu_opt_set_number(opts, BLOCK_OPT_SIZE, size, &error_abort);
+ ret = bdrv_create_file(filename, opts, errp);
+ if (ret < 0) {
+ goto cleanup;
+ }
+
+ ret = bdrv_open(&bs, filename, NULL, NULL, BDRV_O_RDWR | BDRV_O_PROTOCOL,
+ errp);
+ if (ret < 0) {
+ goto cleanup;
+ }
+
+ fde = qcrypto_block_create(create_opts,
+ qblock_fde_init_func,
+ qblock_fde_write_func,
+ bs,
+ errp);
+
+ if (!fde) {
+ ret = -EIO;
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ qcrypto_block_free(fde);
+ bdrv_unref(bs);
+ qapi_free_QCryptoBlockCreateOptions(create_opts);
+ return ret;
+}
+
+static void qblock_fde_close(BlockDriverState *bs)
+{
+ QBlockFDE *fde = bs->opaque;
+ qcrypto_block_free(fde->block);
+}
+
+
+#define QBLOCK_FDE_MAX_SECTORS 32
+
+static coroutine_fn int
+qblock_fde_co_readv(BlockDriverState *bs, int64_t sector_num,
+ int remaining_sectors, QEMUIOVector *qiov)
+{
+ QBlockFDE *fde = bs->opaque;
+ int cur_nr_sectors; /* number of sectors in current iteration */
+ uint64_t bytes_done = 0;
+ uint8_t *cipher_data = NULL;
+ QEMUIOVector hd_qiov;
+ int ret = 0;
+ size_t payload_offset = qcrypto_block_get_payload_offset(fde->block);
+
+ qemu_iovec_init(&hd_qiov, qiov->niov);
+
+ qemu_co_mutex_lock(&fde->lock);
+
+ while (remaining_sectors) {
+ cur_nr_sectors = remaining_sectors;
+
+ if (cur_nr_sectors > QBLOCK_FDE_MAX_SECTORS) {
+ cur_nr_sectors = QBLOCK_FDE_MAX_SECTORS;
+ }
+ cipher_data =
+ qemu_try_blockalign(bs->file->bs, cur_nr_sectors * 512);
+
+ qemu_iovec_reset(&hd_qiov);
+ qemu_iovec_add(&hd_qiov, cipher_data, cur_nr_sectors * 512);
+
+ qemu_co_mutex_unlock(&fde->lock);
+ ret = bdrv_co_readv(bs->file->bs,
+ payload_offset + sector_num,
+ cur_nr_sectors, &hd_qiov);
+ qemu_co_mutex_lock(&fde->lock);
+ if (ret < 0) {
+ goto cleanup;
+ }
+
+ if (qcrypto_block_decrypt(fde->block,
+ sector_num,
+ cipher_data, cur_nr_sectors * 512,
+ NULL) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ qemu_iovec_from_buf(qiov, bytes_done,
+ cipher_data, cur_nr_sectors * 512);
+
+ remaining_sectors -= cur_nr_sectors;
+ sector_num += cur_nr_sectors;
+ bytes_done += cur_nr_sectors * 512;
+ }
+
+ cleanup:
+ qemu_co_mutex_unlock(&fde->lock);
+
+ qemu_iovec_destroy(&hd_qiov);
+ qemu_vfree(cipher_data);
+
+ return ret;
+}
+
+
+static coroutine_fn int
+qblock_fde_co_writev(BlockDriverState *bs, int64_t sector_num,
+ int remaining_sectors, QEMUIOVector *qiov)
+{
+ QBlockFDE *fde = bs->opaque;
+ int cur_nr_sectors; /* number of sectors in current iteration */
+ uint64_t bytes_done = 0;
+ uint8_t *cipher_data = NULL;
+ QEMUIOVector hd_qiov;
+ int ret = 0;
+ size_t payload_offset = qcrypto_block_get_payload_offset(fde->block);
+
+ qemu_iovec_init(&hd_qiov, qiov->niov);
+
+ qemu_co_mutex_lock(&fde->lock);
+
+ while (remaining_sectors) {
+ cur_nr_sectors = remaining_sectors;
+
+ if (cur_nr_sectors > QBLOCK_FDE_MAX_SECTORS) {
+ cur_nr_sectors = QBLOCK_FDE_MAX_SECTORS;
+ }
+ cipher_data =
+ qemu_try_blockalign(bs->file->bs, cur_nr_sectors * 512);
+
+ qemu_iovec_to_buf(qiov, bytes_done,
+ cipher_data, cur_nr_sectors * 512);
+
+ if (qcrypto_block_encrypt(fde->block,
+ sector_num,
+ cipher_data, cur_nr_sectors * 512,
+ NULL) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ qemu_iovec_reset(&hd_qiov);
+ qemu_iovec_add(&hd_qiov, cipher_data, cur_nr_sectors * 512);
+
+ qemu_co_mutex_unlock(&fde->lock);
+ ret = bdrv_co_writev(bs->file->bs,
+ payload_offset + sector_num,
+ cur_nr_sectors, &hd_qiov);
+ qemu_co_mutex_lock(&fde->lock);
+ if (ret < 0) {
+ goto cleanup;
+ }
+
+ remaining_sectors -= cur_nr_sectors;
+ sector_num += cur_nr_sectors;
+ bytes_done += cur_nr_sectors * 512;
+ }
+
+ cleanup:
+ qemu_co_mutex_unlock(&fde->lock);
+
+ qemu_iovec_destroy(&hd_qiov);
+ qemu_vfree(cipher_data);
+
+ return ret;
+}
+
+
+static int64_t qblock_fde_getlength(BlockDriverState *bs)
+{
+ QBlockFDE *fde = bs->opaque;
+ int64_t len = bdrv_getlength(bs->file->bs);
+
+ ssize_t offset = qcrypto_block_get_payload_offset(fde->block);
+
+ len -= (offset * 512);
+
+ return len;
+}
+
+#define QBLOCK_FDE_DRIVER(name, format) \
+ static int qblock_fde_probe_ ## name(const uint8_t *buf, \
+ int buf_size, \
+ const char *filename) { \
+ return qblock_fde_probe_generic(format, \
+ buf, buf_size, filename); \
+ } \
+ \
+ static int qblock_fde_open_ ## name(BlockDriverState *bs, \
+ QDict *options, \
+ int flags, \
+ Error **errp) \
+ { \
+ return qblock_fde_open_generic(format, \
+ &qblock_fde_runtime_opts_ ## name, \
+ bs, options, flags, errp); \
+ } \
+ \
+ static int qblock_fde_create_ ## name(const char *filename, \
+ QemuOpts *opts, \
+ Error **errp) \
+ { \
+ return qblock_fde_create_generic(format, \
+ filename, opts, errp); \
+ } \
+ \
+ BlockDriver bdrv_fde_ ## name = { \
+ .format_name = #name, \
+ .instance_size = sizeof(QBlockFDE), \
+ .bdrv_probe = qblock_fde_probe_ ## name, \
+ .bdrv_open = qblock_fde_open_ ## name, \
+ .bdrv_close = qblock_fde_close, \
+ .bdrv_create = qblock_fde_create_ ## name, \
+ .create_opts = &qblock_fde_create_opts_ ## name, \
+ \
+ .bdrv_co_readv = qblock_fde_co_readv, \
+ .bdrv_co_writev = qblock_fde_co_writev, \
+ .bdrv_getlength = qblock_fde_getlength, \
+ }
+
+QBLOCK_FDE_DRIVER(luks, Q_CRYPTO_BLOCK_FORMAT_LUKS);
+
+static void qblock_fde_init(void)
+{
+ bdrv_register(&bdrv_fde_luks);
+}
+
+block_init(qblock_fde_init);
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 0a915ed..200d907 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -1546,7 +1546,7 @@
{ 'enum': 'BlockdevDriver',
'data': [ 'archipelago', 'blkdebug', 'blkverify', 'bochs', 'cloop',
'dmg', 'file', 'ftp', 'ftps', 'host_cdrom', 'host_device',
- 'http', 'https', 'null-aio', 'null-co', 'parallels',
+ 'http', 'https', 'luks', 'null-aio', 'null-co', 'parallels',
'qcow', 'qcow2', 'qed', 'quorum', 'raw', 'tftp', 'vdi', 'vhdx',
'vmdk', 'vpc', 'vvfat' ] }
@@ -1664,6 +1664,21 @@
'data': { 'file': 'BlockdevRef' } }
##
+# @BlockdevOptionsLUKS
+#
+# Driver specific block device options for LUKS.
+#
+# @key-id: #optional the ID of a QCryptoSecret object providing
+# the decryption key (since 2.6)
+#
+# Since: 2.6
+##
+{ 'struct': 'BlockdevOptionsLUKS',
+ 'base': 'BlockdevOptionsGenericFormat',
+ 'data': { '*key-id': 'str' } }
+
+
+##
# @BlockdevOptionsGenericCOWFormat
#
# Driver specific block device options for image format that have no option
@@ -2000,6 +2015,7 @@
'http': 'BlockdevOptionsFile',
'https': 'BlockdevOptionsFile',
# TODO iscsi: Wait for structured options
+ 'luks': 'BlockdevOptionsLUKS',
# TODO nbd: Should take InetSocketAddress for 'host'?
# TODO nfs: Wait for structured options
'null-aio': 'BlockdevOptionsNull',
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 09/15] qcow2: make qcow2_encrypt_sectors encrypt in place
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (7 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 08/15] block: add generic full disk encryption driver Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
` (5 subsequent siblings)
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Instead of requiring separate input/output buffers for
encrypting data, change qcow2_encrypt_sectors() to assume
use of a single buffer, encrypting in place. The current
callers all used the same buffer for input/output already.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block/qcow2-cluster.c | 17 +++++------------
block/qcow2.c | 5 ++---
block/qcow2.h | 3 +--
3 files changed, 8 insertions(+), 17 deletions(-)
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 34112c3..f5bc4f2 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -341,12 +341,8 @@ static int count_contiguous_clusters_by_type(int nb_clusters,
return i;
}
-/* The crypt function is compatible with the linux cryptoloop
- algorithm for < 4 GB images. NOTE: out_buf == in_buf is
- supported */
int qcow2_encrypt_sectors(BDRVQcow2State *s, int64_t sector_num,
- uint8_t *out_buf, const uint8_t *in_buf,
- int nb_sectors, bool enc,
+ uint8_t *buf, int nb_sectors, bool enc,
Error **errp)
{
union {
@@ -366,14 +362,12 @@ int qcow2_encrypt_sectors(BDRVQcow2State *s, int64_t sector_num,
}
if (enc) {
ret = qcrypto_cipher_encrypt(s->cipher,
- in_buf,
- out_buf,
+ buf, buf,
512,
errp);
} else {
ret = qcrypto_cipher_decrypt(s->cipher,
- in_buf,
- out_buf,
+ buf, buf,
512,
errp);
}
@@ -381,8 +375,7 @@ int qcow2_encrypt_sectors(BDRVQcow2State *s, int64_t sector_num,
return -1;
}
sector_num++;
- in_buf += 512;
- out_buf += 512;
+ buf += 512;
}
return 0;
}
@@ -430,7 +423,7 @@ static int coroutine_fn copy_sectors(BlockDriverState *bs,
Error *err = NULL;
assert(s->cipher);
if (qcow2_encrypt_sectors(s, start_sect + n_start,
- iov.iov_base, iov.iov_base, n,
+ iov.iov_base, n,
true, &err) < 0) {
ret = -EIO;
error_free(err);
diff --git a/block/qcow2.c b/block/qcow2.c
index 1789af4..c0fc259 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1504,7 +1504,7 @@ static coroutine_fn int qcow2_co_readv(BlockDriverState *bs, int64_t sector_num,
assert(s->cipher);
Error *err = NULL;
if (qcow2_encrypt_sectors(s, sector_num, cluster_data,
- cluster_data, cur_nr_sectors, false,
+ cur_nr_sectors, false,
&err) < 0) {
error_free(err);
ret = -EIO;
@@ -1604,8 +1604,7 @@ static coroutine_fn int qcow2_co_writev(BlockDriverState *bs,
qemu_iovec_to_buf(&hd_qiov, 0, cluster_data, hd_qiov.size);
if (qcow2_encrypt_sectors(s, sector_num, cluster_data,
- cluster_data, cur_nr_sectors,
- true, &err) < 0) {
+ cur_nr_sectors, true, &err) < 0) {
error_free(err);
ret = -EIO;
goto fail;
diff --git a/block/qcow2.h b/block/qcow2.h
index a063a3c..ae04285 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -540,8 +540,7 @@ int qcow2_write_l1_entry(BlockDriverState *bs, int l1_index);
void qcow2_l2_cache_reset(BlockDriverState *bs);
int qcow2_decompress_cluster(BlockDriverState *bs, uint64_t cluster_offset);
int qcow2_encrypt_sectors(BDRVQcow2State *s, int64_t sector_num,
- uint8_t *out_buf, const uint8_t *in_buf,
- int nb_sectors, bool enc, Error **errp);
+ uint8_t *buf, int nb_sectors, bool enc, Error **errp);
int qcow2_get_cluster_offset(BlockDriverState *bs, uint64_t offset,
int *num, uint64_t *cluster_offset);
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (8 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 09/15] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-13 18:42 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 11/15] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
` (4 subsequent siblings)
14 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
This converts the qcow2 driver to make use of the QCryptoBlock
APIs for encrypting image content. As well as continued support
for the legacy QCow2 encryption format, the appealing benefit
is that it enables support for the LUKS format inside qcow2.
With the LUKS format it is neccessary to store the LUKS
partition header and key material in the QCow2 file. This
data can be many MB in size, so cannot go into the QCow2
header region directly. Thus the spec is defines a FDE
(Full Disk Encryption) header extension that specifies
the offset of a set of clusters to hold the FDE headers,
as well as the length of that region. The LUKS header is
thus stored in these extra allocated clusters before the
main image payload.
With this change it is now required to use the QCryptoSecret
object for providing passwords, instead of the current block
password APIs / interactive prompting.
$QEMU \
-object secret,id=sec0,filename=/home/berrange/encrypted.pw \
-drive file=/home/berrange/encrypted.qcow2,key-id=sec0
The new LUKS format is set as the new default format when
creating encrypted images. ie
# qemu-img create --object secret,data=123456,id=sec0 \
-f qcow2 -o encryption,key-id=sec0 \
test.qcow2 10G
Results in creation of an image using the LUKS format.
For compatibility the old qcow2 AES format can still be used
via the 'encryption-format' parameter which accepts the
values 'luks' or 'qcowaes'.
# qemu-img create --object secret,data=123456,id=sec0 \
-f qcow2 -o encryption,key-id=sec0,encryption-format=qcowaes \
test.qcow2 10G
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block/qcow2-cluster.c | 46 +----
block/qcow2.c | 502 +++++++++++++++++++++++++++++++++++++++++++-------
block/qcow2.h | 21 ++-
docs/specs/qcow2.txt | 71 +++++++
qapi/block-core.json | 6 +-
5 files changed, 529 insertions(+), 117 deletions(-)
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index f5bc4f2..33297f8 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -341,45 +341,6 @@ static int count_contiguous_clusters_by_type(int nb_clusters,
return i;
}
-int qcow2_encrypt_sectors(BDRVQcow2State *s, int64_t sector_num,
- uint8_t *buf, int nb_sectors, bool enc,
- Error **errp)
-{
- union {
- uint64_t ll[2];
- uint8_t b[16];
- } ivec;
- int i;
- int ret;
-
- for(i = 0; i < nb_sectors; i++) {
- ivec.ll[0] = cpu_to_le64(sector_num);
- ivec.ll[1] = 0;
- if (qcrypto_cipher_setiv(s->cipher,
- ivec.b, G_N_ELEMENTS(ivec.b),
- errp) < 0) {
- return -1;
- }
- if (enc) {
- ret = qcrypto_cipher_encrypt(s->cipher,
- buf, buf,
- 512,
- errp);
- } else {
- ret = qcrypto_cipher_decrypt(s->cipher,
- buf, buf,
- 512,
- errp);
- }
- if (ret < 0) {
- return -1;
- }
- sector_num++;
- buf += 512;
- }
- return 0;
-}
-
static int coroutine_fn copy_sectors(BlockDriverState *bs,
uint64_t start_sect,
uint64_t cluster_offset,
@@ -421,10 +382,11 @@ static int coroutine_fn copy_sectors(BlockDriverState *bs,
if (bs->encrypted) {
Error *err = NULL;
- assert(s->cipher);
- if (qcow2_encrypt_sectors(s, start_sect + n_start,
+ assert(s->fde);
+ if (qcrypto_block_encrypt(s->fde,
+ start_sect + n_start,
iov.iov_base, n,
- true, &err) < 0) {
+ &err) < 0) {
ret = -EIO;
error_free(err);
goto out;
diff --git a/block/qcow2.c b/block/qcow2.c
index c0fc259..288aada 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -34,6 +34,8 @@
#include "qapi-event.h"
#include "trace.h"
#include "qemu/option_int.h"
+#include "qapi/opts-visitor.h"
+#include "qapi-visit.h"
/*
Differences with QCOW:
@@ -60,6 +62,7 @@ typedef struct {
#define QCOW2_EXT_MAGIC_END 0
#define QCOW2_EXT_MAGIC_BACKING_FORMAT 0xE2792ACA
#define QCOW2_EXT_MAGIC_FEATURE_TABLE 0x6803f857
+#define QCOW2_EXT_MAGIC_FDE_HEADER 0x4c554b53
static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
{
@@ -74,6 +77,83 @@ static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
}
+static ssize_t qcow2_fde_header_read_func(QCryptoBlock *block,
+ size_t offset,
+ uint8_t *buf,
+ size_t buflen,
+ Error **errp,
+ void *opaque)
+{
+ BlockDriverState *bs = opaque;
+ BDRVQcow2State *s = bs->opaque;
+ ssize_t ret;
+
+ if ((offset + buflen) > s->fde_header.length) {
+ error_setg_errno(errp, EINVAL,
+ "Request for data outside of extension header");
+ return -1;
+ }
+
+ ret = bdrv_pread(bs->file->bs,
+ s->fde_header.offset + offset, buf, buflen);
+ if (ret < 0) {
+ error_setg_errno(errp, -ret, "Could not read encryption header");
+ return ret;
+ }
+ return ret;
+}
+
+
+static ssize_t qcow2_fde_header_init_func(QCryptoBlock *block,
+ size_t headerlen,
+ Error **errp,
+ void *opaque)
+{
+ BlockDriverState *bs = opaque;
+ BDRVQcow2State *s = bs->opaque;
+ int64_t ret;
+
+ s->fde_header.length = headerlen + (headerlen % s->cluster_size);
+
+ ret = qcow2_alloc_clusters(bs, s->fde_header.length);
+ if (ret < 0) {
+ s->fde_header.length = 0;
+ error_setg(errp, "Cannot allocate cluster for LUKS header size %zu",
+ headerlen);
+ return -1;
+ }
+
+ s->fde_header.offset = ret;
+ return 0;
+}
+
+
+static ssize_t qcow2_fde_header_write_func(QCryptoBlock *block,
+ size_t offset,
+ const uint8_t *buf,
+ size_t buflen,
+ Error **errp,
+ void *opaque)
+{
+ BlockDriverState *bs = opaque;
+ BDRVQcow2State *s = bs->opaque;
+ ssize_t ret;
+
+ if ((offset + buflen) > s->fde_header.length) {
+ error_setg_errno(errp, EINVAL,
+ "Request for data outside of extension header");
+ return -1;
+ }
+
+ ret = bdrv_pwrite(bs->file->bs, s->fde_header.offset + offset, buf, buflen);
+ if (ret < 0) {
+ error_setg_errno(errp, -ret, "Could not read encryption header");
+ return ret;
+ }
+ return ret;
+}
+
+
/*
* read qcow2 extension and fill bs
* start reading from start_offset
@@ -83,12 +163,14 @@ static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
*/
static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
uint64_t end_offset, void **p_feature_table,
+ int flags,
Error **errp)
{
BDRVQcow2State *s = bs->opaque;
QCowExtension ext;
uint64_t offset;
int ret;
+ unsigned int cflags = 0;
#ifdef DEBUG_EXT
printf("qcow2_read_extensions: start=%ld end=%ld\n", start_offset, end_offset);
@@ -159,6 +241,35 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
}
break;
+ case QCOW2_EXT_MAGIC_FDE_HEADER:
+ if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
+ error_setg(errp, "FDE header extension only "
+ "expected with LUKS encryption method");
+ return -EINVAL;
+ }
+ if (ext.len != sizeof(Qcow2FDEHeaderExtension)) {
+ error_setg(errp, "LUKS header extension size %u, "
+ "but expected size %zu", ext.len,
+ sizeof(Qcow2FDEHeaderExtension));
+ return -EINVAL;
+ }
+
+ ret = bdrv_pread(bs->file->bs, offset, &s->fde_header, ext.len);
+ be64_to_cpu(s->fde_header.offset);
+ be64_to_cpu(s->fde_header.length);
+
+ if (flags & BDRV_O_NO_IO) {
+ cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
+ }
+ s->fde = qcrypto_block_open(s->fde_opts,
+ qcow2_fde_header_read_func,
+ bs,
+ cflags,
+ errp);
+ if (!s->fde) {
+ return -EINVAL;
+ }
+ break;
default:
/* unknown magic - save it in case we need to rewrite the header */
{
@@ -472,6 +583,11 @@ static QemuOptsList qcow2_runtime_opts = {
.type = QEMU_OPT_NUMBER,
.help = "Clean unused cache entries after this time (in seconds)",
},
+ {
+ .name = QCOW2_OPT_KEY_ID,
+ .type = QEMU_OPT_STRING,
+ .help = "ID of the secret that provides the encryption key",
+ },
{ /* end of list */ }
},
};
@@ -589,6 +705,113 @@ static void read_cache_sizes(BlockDriverState *bs, QemuOpts *opts,
}
}
+
+static QCryptoBlockOpenOptions *
+qcow2_fde_open_opts_init(QCryptoBlockFormat format,
+ QemuOpts *opts,
+ Error **errp)
+{
+ OptsVisitor *ov;
+ QCryptoBlockOpenOptions *ret;
+ Error *local_err = NULL;
+
+ ret = g_new0(QCryptoBlockOpenOptions, 1);
+ ret->format = format;
+
+ ov = opts_visitor_new(opts);
+
+ switch (format) {
+ case Q_CRYPTO_BLOCK_FORMAT_QCOWAES:
+ ret->u.qcowaes = g_new0(QCryptoBlockOptionsQCowAES, 1);
+ visit_type_QCryptoBlockOptionsQCowAES(opts_get_visitor(ov),
+ &ret->u.qcowaes,
+ "qcowaes", &local_err);
+ break;
+
+ case Q_CRYPTO_BLOCK_FORMAT_LUKS:
+ ret->u.luks = g_new0(QCryptoBlockOptionsLUKS, 1);
+ visit_type_QCryptoBlockOptionsLUKS(opts_get_visitor(ov),
+ &ret->u.luks,
+ "luks", &local_err);
+ break;
+
+ default:
+ error_setg(&local_err, "Unsupported block format %d", format);
+ break;
+ }
+
+ if (local_err) {
+ error_propagate(errp, local_err);
+ opts_visitor_cleanup(ov);
+ qapi_free_QCryptoBlockOpenOptions(ret);
+ return NULL;
+ }
+
+ opts_visitor_cleanup(ov);
+ return ret;
+}
+
+
+static QCryptoBlockCreateOptions *
+qcow2_fde_create_opts_init(QCryptoBlockFormat format,
+ QemuOpts *opts,
+ Error **errp)
+{
+ OptsVisitor *ov;
+ QCryptoBlockCreateOptions *ret;
+ Error *local_err = NULL, *end_err = NULL;
+ Visitor *v;
+
+ ret = g_new0(QCryptoBlockCreateOptions, 1);
+ ret->format = format;
+
+ ov = opts_visitor_new(opts);
+ v = opts_get_visitor(ov);
+ visit_start_struct(v, NULL, NULL, NULL, 0, &local_err);
+ if (local_err) {
+ goto cleanup;
+ }
+
+ switch (format) {
+ case Q_CRYPTO_BLOCK_FORMAT_QCOWAES:
+ ret->u.qcowaes = g_new0(QCryptoBlockOptionsQCowAES, 1);
+ visit_type_QCryptoBlockOptionsQCowAES(v, &ret->u.qcowaes,
+ "qcowaes", &local_err);
+ break;
+
+ case Q_CRYPTO_BLOCK_FORMAT_LUKS:
+ ret->u.luks = g_new0(QCryptoBlockCreateOptionsLUKS, 1);
+ visit_type_QCryptoBlockCreateOptionsLUKS(v, &ret->u.luks,
+ "luks", &local_err);
+ break;
+
+ default:
+ error_setg(&local_err, "Unsupported block format %d", format);
+ break;
+ }
+
+ visit_end_struct(v, &end_err);
+ if (end_err) {
+ if (!local_err) {
+ error_propagate(&local_err, end_err);
+ } else {
+ error_free(end_err);
+ }
+ }
+
+ cleanup:
+ if (local_err) {
+ error_propagate(errp, local_err);
+ qapi_free_QCryptoBlockCreateOptions(ret);
+ ret = NULL;
+ return NULL;
+ }
+
+ opts_visitor_cleanup(ov);
+ return ret;
+}
+
+
typedef struct Qcow2ReopenState {
Qcow2Cache *l2_table_cache;
Qcow2Cache *refcount_block_cache;
@@ -596,6 +819,7 @@ typedef struct Qcow2ReopenState {
int overlap_check;
bool discard_passthrough[QCOW2_DISCARD_MAX];
uint64_t cache_clean_interval;
+ QCryptoBlockOpenOptions *fde_opts; /* Disk encryption runtime options */
} Qcow2ReopenState;
static int qcow2_update_options_prepare(BlockDriverState *bs,
@@ -754,6 +978,33 @@ static int qcow2_update_options_prepare(BlockDriverState *bs,
r->discard_passthrough[QCOW2_DISCARD_OTHER] =
qemu_opt_get_bool(opts, QCOW2_OPT_DISCARD_OTHER, false);
+ switch (s->crypt_method_header) {
+ case QCOW_CRYPT_NONE:
+ break;
+
+ case QCOW_CRYPT_AES:
+ r->fde_opts = qcow2_fde_open_opts_init(
+ Q_CRYPTO_BLOCK_FORMAT_QCOWAES,
+ opts,
+ errp);
+ break;
+
+ case QCOW_CRYPT_LUKS:
+ r->fde_opts = qcow2_fde_open_opts_init(
+ Q_CRYPTO_BLOCK_FORMAT_LUKS,
+ opts,
+ errp);
+ break;
+
+ default:
+ g_assert_not_reached();
+ }
+ if (s->crypt_method_header &&
+ !r->fde_opts) {
+ ret = -EINVAL;
+ goto fail;
+ }
+
ret = 0;
fail:
qemu_opts_del(opts);
@@ -788,6 +1039,9 @@ static void qcow2_update_options_commit(BlockDriverState *bs,
s->cache_clean_interval = r->cache_clean_interval;
cache_clean_timer_init(bs, bdrv_get_aio_context(bs));
}
+
+ qapi_free_QCryptoBlockOpenOptions(s->fde_opts);
+ s->fde_opts = r->fde_opts;
}
static void qcow2_update_options_abort(BlockDriverState *bs,
@@ -799,6 +1053,7 @@ static void qcow2_update_options_abort(BlockDriverState *bs,
if (r->refcount_block_cache) {
qcow2_cache_destroy(bs, r->refcount_block_cache);
}
+ qapi_free_QCryptoBlockOpenOptions(r->fde_opts);
}
static int qcow2_update_options(BlockDriverState *bs, QDict *options,
@@ -932,7 +1187,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
if (s->incompatible_features & ~QCOW2_INCOMPAT_MASK) {
void *feature_table = NULL;
qcow2_read_extensions(bs, header.header_length, ext_end,
- &feature_table, NULL);
+ &feature_table, flags, NULL);
report_unsupported_feature(bs, errp, feature_table,
s->incompatible_features &
~QCOW2_INCOMPAT_MASK);
@@ -964,17 +1219,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
s->refcount_max = UINT64_C(1) << (s->refcount_bits - 1);
s->refcount_max += s->refcount_max - 1;
- if (header.crypt_method > QCOW_CRYPT_AES) {
- error_setg(errp, "Unsupported encryption method: %" PRIu32,
- header.crypt_method);
- ret = -EINVAL;
- goto fail;
- }
- if (!qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_AES_128)) {
- error_setg(errp, "AES cipher not available");
- ret = -EINVAL;
- goto fail;
- }
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
bs->encrypted = 1;
@@ -1104,12 +1348,40 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
/* read qcow2 extensions */
if (qcow2_read_extensions(bs, header.header_length, ext_end, NULL,
- &local_err)) {
+ flags, &local_err)) {
error_propagate(errp, local_err);
ret = -EINVAL;
goto fail;
}
+ /* qcow2_read_extension may have setup FDE context if
+ * the crypt method needs a header region, some methods
+ * don't need header extensions, so must check here
+ */
+ if (s->crypt_method_header &&
+ !s->fde) {
+ if (s->crypt_method_header == QCOW_CRYPT_AES) {
+ unsigned int cflags = 0;
+ if (flags & BDRV_O_NO_IO) {
+ cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
+ }
+ s->fde = qcrypto_block_open(s->fde_opts,
+ NULL, NULL,
+ cflags,
+ errp);
+ if (!s->fde) {
+ error_setg(errp, "Could not setup encryption layer");
+ ret = -EINVAL;
+ goto fail;
+ }
+ } else if (!(flags & BDRV_O_NO_IO)) {
+ error_setg(errp, "Missing FDE header for crypt method %d",
+ s->crypt_method_header);
+ ret = -EINVAL;
+ goto fail;
+ }
+ }
+
/* read the backing file name */
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
@@ -1199,41 +1471,6 @@ static void qcow2_refresh_limits(BlockDriverState *bs, Error **errp)
bs->bl.write_zeroes_alignment = s->cluster_sectors;
}
-static int qcow2_set_key(BlockDriverState *bs, const char *key)
-{
- BDRVQcow2State *s = bs->opaque;
- uint8_t keybuf[16];
- int len, i;
- Error *err = NULL;
-
- memset(keybuf, 0, 16);
- len = strlen(key);
- if (len > 16)
- len = 16;
- /* XXX: we could compress the chars to 7 bits to increase
- entropy */
- for(i = 0;i < len;i++) {
- keybuf[i] = key[i];
- }
- assert(bs->encrypted);
-
- qcrypto_cipher_free(s->cipher);
- s->cipher = qcrypto_cipher_new(
- QCRYPTO_CIPHER_ALG_AES_128,
- QCRYPTO_CIPHER_MODE_CBC,
- keybuf, G_N_ELEMENTS(keybuf),
- &err);
-
- if (!s->cipher) {
- /* XXX would be nice if errors in this method could
- * be properly propagate to the caller. Would need
- * the bdrv_set_key() API signature to be fixed. */
- error_free(err);
- return -1;
- }
- return 0;
-}
-
static int qcow2_reopen_prepare(BDRVReopenState *state,
BlockReopenQueue *queue, Error **errp)
{
@@ -1345,7 +1582,7 @@ static int64_t coroutine_fn qcow2_co_get_block_status(BlockDriverState *bs,
}
if (cluster_offset != 0 && ret != QCOW2_CLUSTER_COMPRESSED &&
- !s->cipher) {
+ !s->fde) {
index_in_cluster = sector_num & (s->cluster_sectors - 1);
cluster_offset |= (index_in_cluster << BDRV_SECTOR_BITS);
status |= BDRV_BLOCK_OFFSET_VALID | cluster_offset;
@@ -1395,7 +1632,7 @@ static coroutine_fn int qcow2_co_readv(BlockDriverState *bs, int64_t sector_num,
/* prepare next request */
cur_nr_sectors = remaining_sectors;
- if (s->cipher) {
+ if (s->fde) {
cur_nr_sectors = MIN(cur_nr_sectors,
QCOW_MAX_CRYPT_CLUSTERS * s->cluster_sectors);
}
@@ -1467,7 +1704,7 @@ static coroutine_fn int qcow2_co_readv(BlockDriverState *bs, int64_t sector_num,
}
if (bs->encrypted) {
- assert(s->cipher);
+ assert(s->fde);
/*
* For encrypted images, read everything into a temporary
@@ -1501,10 +1738,12 @@ static coroutine_fn int qcow2_co_readv(BlockDriverState *bs, int64_t sector_num,
goto fail;
}
if (bs->encrypted) {
- assert(s->cipher);
+ assert(s->fde);
Error *err = NULL;
- if (qcow2_encrypt_sectors(s, sector_num, cluster_data,
- cur_nr_sectors, false,
+ if (qcrypto_block_decrypt(s->fde,
+ sector_num,
+ cluster_data,
+ cur_nr_sectors,
&err) < 0) {
error_free(err);
ret = -EIO;
@@ -1588,7 +1827,7 @@ static coroutine_fn int qcow2_co_writev(BlockDriverState *bs,
if (bs->encrypted) {
Error *err = NULL;
- assert(s->cipher);
+ assert(s->fde);
if (!cluster_data) {
cluster_data = qemu_try_blockalign(bs->file->bs,
QCOW_MAX_CRYPT_CLUSTERS
@@ -1603,8 +1842,11 @@ static coroutine_fn int qcow2_co_writev(BlockDriverState *bs,
QCOW_MAX_CRYPT_CLUSTERS * s->cluster_size);
qemu_iovec_to_buf(&hd_qiov, 0, cluster_data, hd_qiov.size);
- if (qcow2_encrypt_sectors(s, sector_num, cluster_data,
- cur_nr_sectors, true, &err) < 0) {
+ if (qcrypto_block_encrypt(s->fde,
+ sector_num,
+ cluster_data,
+ cur_nr_sectors,
+ &err) < 0) {
error_free(err);
ret = -EIO;
goto fail;
@@ -1715,8 +1957,8 @@ static void qcow2_close(BlockDriverState *bs)
qcow2_cache_destroy(bs, s->l2_table_cache);
qcow2_cache_destroy(bs, s->refcount_block_cache);
- qcrypto_cipher_free(s->cipher);
- s->cipher = NULL;
+ qcrypto_block_free(s->fde);
+ s->fde = NULL;
g_free(s->unknown_header_fields);
cleanup_unknown_header_ext(bs);
@@ -1734,7 +1976,7 @@ static void qcow2_invalidate_cache(BlockDriverState *bs, Error **errp)
{
BDRVQcow2State *s = bs->opaque;
int flags = s->flags;
- QCryptoCipher *cipher = NULL;
+ QCryptoBlock *fde = NULL;
QDict *options;
Error *local_err = NULL;
int ret;
@@ -1744,8 +1986,8 @@ static void qcow2_invalidate_cache(BlockDriverState *bs, Error **errp)
* that means we don't have to worry about reopening them here.
*/
- cipher = s->cipher;
- s->cipher = NULL;
+ fde = s->fde;
+ s->fde = NULL;
qcow2_close(bs);
@@ -1770,7 +2012,7 @@ static void qcow2_invalidate_cache(BlockDriverState *bs, Error **errp)
return;
}
- s->cipher = cipher;
+ s->fde = fde;
}
static size_t header_ext_add(char *buf, uint32_t magic, const void *s,
@@ -1893,6 +2135,23 @@ int qcow2_update_header(BlockDriverState *bs)
buflen -= ret;
}
+ /* Full disk encryption header pointer extension */
+ if (s->fde_header.offset != 0) {
+ cpu_to_be64(s->fde_header.offset);
+ cpu_to_be64(s->fde_header.length);
+ ret = header_ext_add(buf, QCOW2_EXT_MAGIC_FDE_HEADER,
+ &s->fde_header,
+ sizeof(s->fde_header),
+ buflen);
+ be64_to_cpu(s->fde_header.offset);
+ be64_to_cpu(s->fde_header.length);
+ if (ret < 0) {
+ goto fail;
+ }
+ buf += ret;
+ buflen -= ret;
+ }
+
/* Feature table */
Qcow2Feature features[] = {
{
@@ -2056,6 +2315,10 @@ static int qcow2_create2(const char *filename, int64_t total_size,
{
int cluster_bits;
QDict *options;
+ const char *fdestr;
+ QCryptoBlockCreateOptions *fdeopts = NULL;
+ QCryptoBlock *fde = NULL;
+ size_t i;
/* Calculate cluster_bits */
cluster_bits = ctz32(cluster_size);
@@ -2179,7 +2442,48 @@ static int qcow2_create2(const char *filename, int64_t total_size,
};
if (flags & BLOCK_FLAG_ENCRYPT) {
- header->crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
+ /* Default to LUKS if fde-format is not set */
+ fdestr = qemu_opt_get_del(opts, QCOW2_OPT_ENC_FORMAT);
+ if (fdestr) {
+ for (i = 0; i < Q_CRYPTO_BLOCK_FORMAT__MAX; i++) {
+ if (g_str_equal(QCryptoBlockFormat_lookup[i],
+ fdestr)) {
+ fdeopts = qcow2_fde_create_opts_init(i,
+ opts,
+ errp);
+ if (!fdeopts) {
+ ret = -EINVAL;
+ goto out;
+ }
+ break;
+ }
+ }
+ if (!fdeopts) {
+ error_setg(errp, "Unknown fde format %s", fdestr);
+ ret = -EINVAL;
+ goto out;
+ }
+ } else {
+ fdeopts = qcow2_fde_create_opts_init(
+ Q_CRYPTO_BLOCK_FORMAT_LUKS,
+ opts, errp);
+ if (!fdeopts) {
+ ret = -EINVAL;
+ goto out;
+ }
+ }
+ switch (fdeopts->format) {
+ case Q_CRYPTO_BLOCK_FORMAT_QCOWAES:
+ header->crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
+ break;
+ case Q_CRYPTO_BLOCK_FORMAT_LUKS:
+ header->crypt_method = cpu_to_be32(QCOW_CRYPT_LUKS);
+ break;
+ default:
+ error_setg(errp, "Unsupported fde format %s", fdestr);
+ ret = -EINVAL;
+ goto out;
+ }
} else {
header->crypt_method = cpu_to_be32(QCOW_CRYPT_NONE);
}
@@ -2213,12 +2517,15 @@ static int qcow2_create2(const char *filename, int64_t total_size,
/*
* And now open the image and make it consistent first (i.e. increase the
* refcount of the cluster that is occupied by the header and the refcount
- * table)
+ * table). Using BDRV_O_NO_IO since we've not written any encryption
+ * header yet and thus should not read/write payload data or initialize
+ * the decryption context
*/
options = qdict_new();
qdict_put(options, "driver", qstring_from_str("qcow2"));
ret = bdrv_open(&bs, filename, NULL, options,
- BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH,
+ BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH |
+ BDRV_O_NO_IO,
&local_err);
if (ret < 0) {
error_propagate(errp, local_err);
@@ -2253,6 +2560,24 @@ static int qcow2_create2(const char *filename, int64_t total_size,
}
}
+ /* Want encryption ? There you go.*/
+ if (fdeopts) {
+ fde = qcrypto_block_create(fdeopts,
+ qcow2_fde_header_init_func,
+ qcow2_fde_header_write_func,
+ bs,
+ errp);
+ if (!fde) {
+ ret = -EINVAL;
+ goto out;
+ }
+ ret = qcow2_update_header(bs);
+ if (ret < 0) {
+ error_setg_errno(errp, -ret, "Could not write encryption header");
+ goto out;
+ }
+ }
+
/* And if we're supposed to preallocate metadata, do that now */
if (prealloc != PREALLOC_MODE_OFF) {
BDRVQcow2State *s = bs->opaque;
@@ -2272,7 +2597,8 @@ static int qcow2_create2(const char *filename, int64_t total_size,
options = qdict_new();
qdict_put(options, "driver", qstring_from_str("qcow2"));
ret = bdrv_open(&bs, filename, NULL, options,
- BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_BACKING,
+ BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_BACKING |
+ BDRV_O_NO_IO,
&local_err);
if (local_err) {
error_propagate(errp, local_err);
@@ -3047,10 +3373,10 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
backing_format = qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT);
} else if (!strcmp(desc->name, BLOCK_OPT_ENCRYPT)) {
encrypt = qemu_opt_get_bool(opts, BLOCK_OPT_ENCRYPT,
- !!s->cipher);
+ !!s->fde);
- if (encrypt != !!s->cipher) {
- error_report("Changing the encryption flag is not supported");
+ if (encrypt != !!s->fde) {
+ fprintf(stderr, "Changing the encryption flag is not supported");
return -ENOTSUP;
}
} else if (!strcmp(desc->name, BLOCK_OPT_CLUSTER_SIZE)) {
@@ -3285,6 +3611,41 @@ static QemuOptsList qcow2_create_opts = {
.help = "Width of a reference count entry in bits",
.def_value_str = "16"
},
+ {
+ .name = QCOW2_OPT_ENC_FORMAT,
+ .type = QEMU_OPT_STRING,
+ .help = "Disk encryption format, 'luks' (default) or 'qcowaes' (deprecated)",
+ },
+ {
+ .name = QCOW2_OPT_KEY_ID,
+ .type = QEMU_OPT_STRING,
+ .help = "ID of the secret that provides the encryption key",
+ },
+ {
+ .name = QCOW2_OPT_CIPHER_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of encryption cipher algorithm",
+ },
+ {
+ .name = QCOW2_OPT_CIPHER_MODE,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of encryption cipher mode",
+ },
+ {
+ .name = QCOW2_OPT_IVGEN_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of IV generator algorithm",
+ },
+ {
+ .name = QCOW2_OPT_IVGEN_HASH_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of IV generator hash algorithm",
+ },
+ {
+ .name = QCOW2_OPT_HASH_ALG,
+ .type = QEMU_OPT_STRING,
+ .help = "Name of encryption hash algorithm",
+ },
{ /* end of list */ }
}
};
@@ -3302,7 +3663,6 @@ BlockDriver bdrv_qcow2 = {
.bdrv_create = qcow2_create,
.bdrv_has_zero_init = bdrv_has_zero_init_1,
.bdrv_co_get_block_status = qcow2_co_get_block_status,
- .bdrv_set_key = qcow2_set_key,
.bdrv_co_readv = qcow2_co_readv,
.bdrv_co_writev = qcow2_co_writev,
diff --git a/block/qcow2.h b/block/qcow2.h
index ae04285..d33afb2 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -25,7 +25,7 @@
#ifndef BLOCK_QCOW2_H
#define BLOCK_QCOW2_H
-#include "crypto/cipher.h"
+#include "crypto/block.h"
#include "qemu/coroutine.h"
//#define DEBUG_ALLOC
@@ -36,6 +36,7 @@
#define QCOW_CRYPT_NONE 0
#define QCOW_CRYPT_AES 1
+#define QCOW_CRYPT_LUKS 2
#define QCOW_MAX_CRYPT_CLUSTERS 32
#define QCOW_MAX_SNAPSHOTS 65536
@@ -98,6 +99,15 @@
#define QCOW2_OPT_REFCOUNT_CACHE_SIZE "refcount-cache-size"
#define QCOW2_OPT_CACHE_CLEAN_INTERVAL "cache-clean-interval"
+#define QCOW2_OPT_ENC_FORMAT "encryption-format"
+#define QCOW2_OPT_KEY_ID "key-id"
+#define QCOW2_OPT_CIPHER_ALG "cipher-alg"
+#define QCOW2_OPT_CIPHER_MODE "cipher-mode"
+#define QCOW2_OPT_IVGEN_ALG "ivgen-alg"
+#define QCOW2_OPT_IVGEN_HASH_ALG "ivgen-hash-alg"
+#define QCOW2_OPT_HASH_ALG "hash-alg"
+
+
typedef struct QCowHeader {
uint32_t magic;
uint32_t version;
@@ -163,6 +173,11 @@ typedef struct QCowSnapshot {
struct Qcow2Cache;
typedef struct Qcow2Cache Qcow2Cache;
+typedef struct Qcow2FDEHeaderExtension {
+ uint64_t offset;
+ uint64_t length;
+} Qcow2FDEHeaderExtension;
+
typedef struct Qcow2UnknownHeaderExtension {
uint32_t magic;
uint32_t len;
@@ -256,7 +271,9 @@ typedef struct BDRVQcow2State {
CoMutex lock;
- QCryptoCipher *cipher; /* current cipher, NULL if no key yet */
+ Qcow2FDEHeaderExtension fde_header; /* QCow2 header extension */
+ QCryptoBlockOpenOptions *fde_opts; /* Disk encryption runtime options */
+ QCryptoBlock *fde; /* Disk encryption format driver */
uint32_t crypt_method_header;
uint64_t snapshots_offset;
int snapshots_size;
diff --git a/docs/specs/qcow2.txt b/docs/specs/qcow2.txt
index f236d8c..dcbe3c3 100644
--- a/docs/specs/qcow2.txt
+++ b/docs/specs/qcow2.txt
@@ -45,6 +45,7 @@ The first cluster of a qcow2 image contains the file header:
32 - 35: crypt_method
0 for no encryption
1 for AES encryption
+ 2 for LUKS encryption
36 - 39: l1_size
Number of entries in the active L1 table
@@ -123,6 +124,7 @@ be stored. Each extension has a structure like the following:
0x00000000 - End of the header extension area
0xE2792ACA - Backing file format name
0x6803f857 - Feature name table
+ 0x4c554b53 - Full disk encryption header pointer
other - Unknown header extension, can be safely
ignored
@@ -166,6 +168,75 @@ the header extension data. Each entry look like this:
terminated if it has full length)
+== Full disk encryption (FDE) header pointer ==
+
+For 'crypt_method' header values which require additional header metadata
+to be stored (eg 'LUKS' header), the full disk encryption header pointer
+extension is mandatory. It provides the offset at which the crypt method
+can store its additional data, as well as the length of such data.
+
+ Byte 0 - 7: Offset into the image file at which the encryption
+ header starts. Must be aligned to a cluster boundary.
+ Byte 8 - 16: Length of the encryption header. Must be a multiple
+ of the cluster size.
+
+While the header extension allocates the length as a multiple of the
+cluster size, the encryption header may not consume the full permitted
+allocation.
+
+For the LUKS crypt method, the encryption header works as follows.
+
+The first 592 bytes of the header clusters will contain the LUKS
+partition header. This is then followed by the key material data areas.
+The size of the key material data areas is determined by the number of
+stripes in the key slot and key size. Refer to the LUKS format
+specification ('docs/on-disk-format.pdf' in the cryptsetup source
+package) for details of the LUKS partition header format.
+
+In the LUKS partition header, the "payload-offset" field does not refer
+to the offset of the QCow2 payload. Instead it simply refers to the
+total required length of the LUKS header plus key material regions.
+
+In the LUKS key slots header, the "key-material-offset" is relative
+to the start of the LUKS header clusters in the qcow2 container,
+not the start of the qcow2 file.
+
+Logically the layout looks like
+
+ +-----------------------------+
+ | QCow2 header |
+ +-----------------------------+
+ | QCow2 header extension X |
+ +-----------------------------+
+ | QCow2 header extension FDE |
+ +-----------------------------+
+ | QCow2 header extension ... |
+ +-----------------------------+
+ | QCow2 header extension Z |
+ +-----------------------------+
+ | ....other QCow2 tables.... |
+ . .
+ . .
+ +-----------------------------+
+ | +-------------------------+ |
+ | | LUKS partition header | |
+ | +-------------------------+ |
+ | | LUKS key material 1 | |
+ | +-------------------------+ |
+ | | LUKS key material 2 | |
+ | +-------------------------+ |
+ | | LUKS key material ... | |
+ | +-------------------------+ |
+ | | LUKS key material 8 | |
+ | +-------------------------+ |
+ +-----------------------------+
+ | QCow2 cluster payload |
+ . .
+ . .
+ . .
+ | |
+ +-----------------------------+
+
== Host cluster management ==
qcow2 manages the allocation of host clusters by maintaining a reference count
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 200d907..40fe3ba 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -1789,6 +1789,8 @@
# @cache-clean-interval: #optional clean unused entries in the L2 and refcount
# caches. The interval is in seconds. The default value
# is 0 and it disables this feature (since 2.5)
+# @key-id: #optional the ID of a QCryptoSecret object providing
+# the decryption key (since 2.6)
#
# Since: 1.7
##
@@ -1802,8 +1804,8 @@
'*cache-size': 'int',
'*l2-cache-size': 'int',
'*refcount-cache-size': 'int',
- '*cache-clean-interval': 'int' } }
-
+ '*cache-clean-interval': 'int',
+ '*key-id': 'str' } }
##
# @BlockdevOptionsArchipelago
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 11/15] qcow: make encrypt_sectors encrypt in place
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (9 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 12/15] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
` (3 subsequent siblings)
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Instead of requiring separate input/output buffers for
encrypting data, change encrypt_sectors() to assume
use of a single buffer, encrypting in place. One current
caller all uses the same buffer for input/output already
and the other two callers are easily converted todo so.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block/qcow.c | 31 ++++++++++---------------------
1 file changed, 10 insertions(+), 21 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 635085e..5a4f310 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -293,12 +293,9 @@ static int qcow_set_key(BlockDriverState *bs, const char *key)
return 0;
}
-/* The crypt function is compatible with the linux cryptoloop
- algorithm for < 4 GB images. NOTE: out_buf == in_buf is
- supported */
static int encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
- uint8_t *out_buf, const uint8_t *in_buf,
- int nb_sectors, bool enc, Error **errp)
+ uint8_t *buf, int nb_sectors, bool enc,
+ Error **errp)
{
union {
uint64_t ll[2];
@@ -317,14 +314,12 @@ static int encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
}
if (enc) {
ret = qcrypto_cipher_encrypt(s->cipher,
- in_buf,
- out_buf,
+ buf, buf,
512,
errp);
} else {
ret = qcrypto_cipher_decrypt(s->cipher,
- in_buf,
- out_buf,
+ buf, buf,
512,
errp);
}
@@ -332,8 +327,7 @@ static int encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
return -1;
}
sector_num++;
- in_buf += 512;
- out_buf += 512;
+ buf += 512;
}
return 0;
}
@@ -453,13 +447,12 @@ static uint64_t get_cluster_offset(BlockDriverState *bs,
uint64_t start_sect;
assert(s->cipher);
start_sect = (offset & ~(s->cluster_size - 1)) >> 9;
- memset(s->cluster_data + 512, 0x00, 512);
+ memset(s->cluster_data, 0x00, 512);
for(i = 0; i < s->cluster_sectors; i++) {
if (i < n_start || i >= n_end) {
Error *err = NULL;
if (encrypt_sectors(s, start_sect + i,
- s->cluster_data,
- s->cluster_data + 512, 1,
+ s->cluster_data, 1,
true, &err) < 0) {
error_free(err);
errno = EIO;
@@ -637,7 +630,7 @@ static coroutine_fn int qcow_co_readv(BlockDriverState *bs, int64_t sector_num,
}
if (bs->encrypted) {
assert(s->cipher);
- if (encrypt_sectors(s, sector_num, buf, buf,
+ if (encrypt_sectors(s, sector_num, buf,
n, false, &err) < 0) {
goto fail;
}
@@ -672,7 +665,6 @@ static coroutine_fn int qcow_co_writev(BlockDriverState *bs, int64_t sector_num,
BDRVQcowState *s = bs->opaque;
int index_in_cluster;
uint64_t cluster_offset;
- const uint8_t *src_buf;
int ret = 0, n;
uint8_t *cluster_data = NULL;
struct iovec hd_iov;
@@ -715,18 +707,15 @@ static coroutine_fn int qcow_co_writev(BlockDriverState *bs, int64_t sector_num,
if (!cluster_data) {
cluster_data = g_malloc0(s->cluster_size);
}
- if (encrypt_sectors(s, sector_num, cluster_data, buf,
+ if (encrypt_sectors(s, sector_num, buf,
n, true, &err) < 0) {
error_free(err);
ret = -EIO;
break;
}
- src_buf = cluster_data;
- } else {
- src_buf = buf;
}
- hd_iov.iov_base = (void *)src_buf;
+ hd_iov.iov_base = (void *)buf;
hd_iov.iov_len = n * 512;
qemu_iovec_init_external(&hd_qiov, &hd_iov, 1);
qemu_co_mutex_unlock(&s->lock);
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 12/15] qcow: convert QCow to use QCryptoBlock for encryption
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (10 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 11/15] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 13/15] block: rip out all traces of password prompting Daniel P. Berrange
` (2 subsequent siblings)
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
This converts the qcow2 driver to make use of the QCryptoBlock
APIs for encrypting image content. This is only wired up to
permit use of the legacy QCow encryption format. Users who wish
to have the strong LUKS format should switch to qcow2 instead.
With this change it is now required to use the QCryptoSecret
object for providing passwords, instead of the current block
password APIs / interactive prompting.
$QEMU \
-object secret,id=sec0,filename=/home/berrange/encrypted.pw \
-drive file=/home/berrange/encrypted.qcow,key-id=sec0
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block/qcow.c | 176 +++++++++++++++++++++++----------------------------
qapi/block-core.json | 17 ++++-
2 files changed, 96 insertions(+), 97 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 5a4f310..a17531f 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -26,7 +26,9 @@
#include "qemu/module.h"
#include <zlib.h>
#include "qapi/qmp/qerror.h"
-#include "crypto/cipher.h"
+#include "crypto/block.h"
+#include "qapi/opts-visitor.h"
+#include "qapi-visit.h"
#include "migration/migration.h"
/**************************************************************/
@@ -40,6 +42,8 @@
#define QCOW_OFLAG_COMPRESSED (1LL << 63)
+#define QCOW_OPT_KEY_ID "key-id"
+
typedef struct QCowHeader {
uint32_t magic;
uint32_t version;
@@ -72,7 +76,7 @@ typedef struct BDRVQcowState {
uint8_t *cluster_cache;
uint8_t *cluster_data;
uint64_t cluster_cache_offset;
- QCryptoCipher *cipher; /* NULL if no key yet */
+ QCryptoBlock *fde; /* Disk encryption format driver */
uint32_t crypt_method_header;
CoMutex lock;
Error *migration_blocker;
@@ -92,6 +96,19 @@ static int qcow_probe(const uint8_t *buf, int buf_size, const char *filename)
return 0;
}
+static QemuOptsList qcow_runtime_opts = {
+ .name = "qcow",
+ .head = QTAILQ_HEAD_INITIALIZER(qcow_runtime_opts.head),
+ .desc = {
+ {
+ .name = QCOW_OPT_KEY_ID,
+ .type = QEMU_OPT_STRING,
+ .help = "ID of the secret that provides the encryption key",
+ },
+ { /* end of list */ }
+ },
+};
+
static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
Error **errp)
{
@@ -99,6 +116,11 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
unsigned int len, i, shift;
int ret;
QCowHeader header;
+ QemuOpts *opts = NULL;
+ Error *local_err = NULL;
+ QCryptoBlockOpenOptions *fde_opts = NULL;
+ unsigned int cflags = 0;
+ OptsVisitor *ov;
ret = bdrv_pread(bs->file->bs, 0, &header, sizeof(header));
if (ret < 0) {
@@ -147,18 +169,50 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
goto fail;
}
- if (header.crypt_method > QCOW_CRYPT_AES) {
- error_setg(errp, "invalid encryption method in qcow header");
- ret = -EINVAL;
- goto fail;
- }
- if (!qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_AES_128)) {
- error_setg(errp, "AES cipher not available");
+ opts = qemu_opts_create(&qcow_runtime_opts, NULL, 0, &error_abort);
+ qemu_opts_absorb_qdict(opts, options, &local_err);
+ if (local_err) {
+ error_propagate(errp, local_err);
ret = -EINVAL;
goto fail;
}
+
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
+ if (s->crypt_method_header == QCOW_CRYPT_AES) {
+ ov = opts_visitor_new(opts);
+
+ fde_opts = g_new0(QCryptoBlockOpenOptions, 1);
+ fde_opts->format = Q_CRYPTO_BLOCK_FORMAT_QCOWAES;
+ fde_opts->u.qcowaes = g_new0(QCryptoBlockOptionsQCowAES, 1);
+ visit_type_QCryptoBlockOptionsQCowAES(opts_get_visitor(ov),
+ &fde_opts->u.qcowaes,
+ "qcowaes", &local_err);
+ if (local_err) {
+ error_propagate(errp, local_err);
+ opts_visitor_cleanup(ov);
+ ret = -EINVAL;
+ goto fail;
+ }
+ opts_visitor_cleanup(ov);
+
+ if (flags & BDRV_O_NO_IO) {
+ cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
+ }
+ s->fde = qcrypto_block_open(fde_opts,
+ NULL, NULL,
+ cflags,
+ errp);
+ if (!s->fde) {
+ error_setg(errp, "Could not setup encryption layer");
+ ret = -EINVAL;
+ goto fail;
+ }
+ } else {
+ error_setg(errp, "invalid encryption method in qcow header");
+ ret = -EINVAL;
+ goto fail;
+ }
bs->encrypted = 1;
}
s->cluster_bits = header.cluster_bits;
@@ -238,6 +292,7 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
bdrv_get_device_or_node_name(bs));
migrate_add_blocker(s->migration_blocker);
+ qapi_free_QCryptoBlockOpenOptions(fde_opts);
qemu_co_mutex_init(&s->lock);
return 0;
@@ -246,6 +301,7 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
qemu_vfree(s->l2_cache);
g_free(s->cluster_cache);
g_free(s->cluster_data);
+ qapi_free_QCryptoBlockOpenOptions(fde_opts);
return ret;
}
@@ -258,79 +314,6 @@ static int qcow_reopen_prepare(BDRVReopenState *state,
return 0;
}
-static int qcow_set_key(BlockDriverState *bs, const char *key)
-{
- BDRVQcowState *s = bs->opaque;
- uint8_t keybuf[16];
- int len, i;
- Error *err;
-
- memset(keybuf, 0, 16);
- len = strlen(key);
- if (len > 16)
- len = 16;
- /* XXX: we could compress the chars to 7 bits to increase
- entropy */
- for(i = 0;i < len;i++) {
- keybuf[i] = key[i];
- }
- assert(bs->encrypted);
-
- qcrypto_cipher_free(s->cipher);
- s->cipher = qcrypto_cipher_new(
- QCRYPTO_CIPHER_ALG_AES_128,
- QCRYPTO_CIPHER_MODE_CBC,
- keybuf, G_N_ELEMENTS(keybuf),
- &err);
-
- if (!s->cipher) {
- /* XXX would be nice if errors in this method could
- * be properly propagate to the caller. Would need
- * the bdrv_set_key() API signature to be fixed. */
- error_free(err);
- return -1;
- }
- return 0;
-}
-
-static int encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
- uint8_t *buf, int nb_sectors, bool enc,
- Error **errp)
-{
- union {
- uint64_t ll[2];
- uint8_t b[16];
- } ivec;
- int i;
- int ret;
-
- for(i = 0; i < nb_sectors; i++) {
- ivec.ll[0] = cpu_to_le64(sector_num);
- ivec.ll[1] = 0;
- if (qcrypto_cipher_setiv(s->cipher,
- ivec.b, G_N_ELEMENTS(ivec.b),
- errp) < 0) {
- return -1;
- }
- if (enc) {
- ret = qcrypto_cipher_encrypt(s->cipher,
- buf, buf,
- 512,
- errp);
- } else {
- ret = qcrypto_cipher_decrypt(s->cipher,
- buf, buf,
- 512,
- errp);
- }
- if (ret < 0) {
- return -1;
- }
- sector_num++;
- buf += 512;
- }
- return 0;
-}
/* 'allocate' is:
*
@@ -445,15 +428,16 @@ static uint64_t get_cluster_offset(BlockDriverState *bs,
if (bs->encrypted &&
(n_end - n_start) < s->cluster_sectors) {
uint64_t start_sect;
- assert(s->cipher);
+ assert(s->fde);
start_sect = (offset & ~(s->cluster_size - 1)) >> 9;
memset(s->cluster_data, 0x00, 512);
for(i = 0; i < s->cluster_sectors; i++) {
if (i < n_start || i >= n_end) {
Error *err = NULL;
- if (encrypt_sectors(s, start_sect + i,
- s->cluster_data, 1,
- true, &err) < 0) {
+ if (qcrypto_block_encrypt(s->fde,
+ start_sect + i,
+ s->cluster_data, 1,
+ &err) < 0) {
error_free(err);
errno = EIO;
return -1;
@@ -498,7 +482,7 @@ static int64_t coroutine_fn qcow_co_get_block_status(BlockDriverState *bs,
if (!cluster_offset) {
return 0;
}
- if ((cluster_offset & QCOW_OFLAG_COMPRESSED) || s->cipher) {
+ if ((cluster_offset & QCOW_OFLAG_COMPRESSED) || s->fde) {
return BDRV_BLOCK_DATA;
}
cluster_offset |= (index_in_cluster << BDRV_SECTOR_BITS);
@@ -629,9 +613,10 @@ static coroutine_fn int qcow_co_readv(BlockDriverState *bs, int64_t sector_num,
break;
}
if (bs->encrypted) {
- assert(s->cipher);
- if (encrypt_sectors(s, sector_num, buf,
- n, false, &err) < 0) {
+ assert(s->fde);
+ if (qcrypto_block_decrypt(s->fde,
+ sector_num, buf,
+ n, &err) < 0) {
goto fail;
}
}
@@ -703,12 +688,12 @@ static coroutine_fn int qcow_co_writev(BlockDriverState *bs, int64_t sector_num,
}
if (bs->encrypted) {
Error *err = NULL;
- assert(s->cipher);
+ assert(s->fde);
if (!cluster_data) {
cluster_data = g_malloc0(s->cluster_size);
}
- if (encrypt_sectors(s, sector_num, buf,
- n, true, &err) < 0) {
+ if (qcrypto_block_encrypt(s->fde, sector_num, buf,
+ n, &err) < 0) {
error_free(err);
ret = -EIO;
break;
@@ -746,8 +731,8 @@ static void qcow_close(BlockDriverState *bs)
{
BDRVQcowState *s = bs->opaque;
- qcrypto_cipher_free(s->cipher);
- s->cipher = NULL;
+ qcrypto_block_free(s->fde);
+ s->fde = NULL;
g_free(s->l1_table);
qemu_vfree(s->l2_cache);
g_free(s->cluster_cache);
@@ -1012,7 +997,6 @@ static BlockDriver bdrv_qcow = {
.bdrv_co_writev = qcow_co_writev,
.bdrv_co_get_block_status = qcow_co_get_block_status,
- .bdrv_set_key = qcow_set_key,
.bdrv_make_empty = qcow_make_empty,
.bdrv_write_compressed = qcow_write_compressed,
.bdrv_get_info = qcow_get_info,
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 40fe3ba..a67820b 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -1756,6 +1756,21 @@
'mode': 'Qcow2OverlapCheckMode' } }
##
+# @BlockdevOptionsQcow
+#
+# Driver specific block device options for qcow.
+#
+# @key-id: #optional ID of the "secret" object providing the
+# AES decryption key.
+#
+# Since: 2.6
+##
+{ 'struct': 'BlockdevOptionsQcow',
+ 'base': 'BlockdevOptionsGenericCOWFormat',
+ 'data': { '*key-id': 'str' } }
+
+
+##
# @BlockdevOptionsQcow2
#
# Driver specific block device options for qcow2.
@@ -2024,7 +2039,7 @@
'null-co': 'BlockdevOptionsNull',
'parallels': 'BlockdevOptionsGenericFormat',
'qcow2': 'BlockdevOptionsQcow2',
- 'qcow': 'BlockdevOptionsGenericCOWFormat',
+ 'qcow': 'BlockdevOptionsQcow',
'qed': 'BlockdevOptionsGenericCOWFormat',
'quorum': 'BlockdevOptionsQuorum',
'raw': 'BlockdevOptionsGenericFormat',
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 13/15] block: rip out all traces of password prompting
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (11 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 12/15] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 14/15] block: remove all encryption handling APIs Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 15/15] block: remove support for legecy AES qcow/qcow2 encryption Daniel P. Berrange
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Now that qcow & qcow2 are wired up to get encryption keys
via the QCryptoSecret object, nothing is relying on the
interactive prompting for passwords. All the code related
to password prompting can thus be ripped out.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
hmp.c | 31 --------------------
hw/usb/dev-storage.c | 34 ----------------------
include/monitor/monitor.h | 7 -----
include/qemu/osdep.h | 2 --
monitor.c | 69 --------------------------------------------
qemu-img.c | 14 ---------
qemu-io.c | 21 --------------
qmp.c | 9 ------
tests/qemu-iotests/087 | 20 +++++++++++++
tests/qemu-iotests/087.out | 2 ++
tests/qemu-iotests/134 | 17 +++++++----
tests/qemu-iotests/134.out | 8 -----
tests/qemu-iotests/common.rc | 4 +--
util/oslib-posix.c | 66 ------------------------------------------
util/oslib-win32.c | 24 ---------------
15 files changed, 36 insertions(+), 292 deletions(-)
diff --git a/hmp.c b/hmp.c
index 6a9c51d..4d7543d 100644
--- a/hmp.c
+++ b/hmp.c
@@ -970,37 +970,12 @@ void hmp_ringbuf_read(Monitor *mon, const QDict *qdict)
g_free(data);
}
-static void hmp_cont_cb(void *opaque, int err)
-{
- if (!err) {
- qmp_cont(NULL);
- }
-}
-
-static bool key_is_missing(const BlockInfo *bdev)
-{
- return (bdev->inserted && bdev->inserted->encryption_key_missing);
-}
-
void hmp_cont(Monitor *mon, const QDict *qdict)
{
- BlockInfoList *bdev_list, *bdev;
Error *err = NULL;
- bdev_list = qmp_query_block(NULL);
- for (bdev = bdev_list; bdev; bdev = bdev->next) {
- if (key_is_missing(bdev->value)) {
- monitor_read_block_device_key(mon, bdev->value->device,
- hmp_cont_cb, NULL);
- goto out;
- }
- }
-
qmp_cont(&err);
hmp_handle_error(mon, &err);
-
-out:
- qapi_free_BlockInfoList(bdev_list);
}
void hmp_system_wakeup(Monitor *mon, const QDict *qdict)
@@ -1387,12 +1362,6 @@ void hmp_change(Monitor *mon, const QDict *qdict)
qmp_blockdev_change_medium(device, target, !!arg, arg,
!!read_only, read_only_mode, &err);
- if (err &&
- error_get_class(err) == ERROR_CLASS_DEVICE_ENCRYPTED) {
- error_free(err);
- monitor_read_block_device_key(mon, device, NULL, NULL);
- return;
- }
}
hmp_handle_error(mon, &err);
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index 597d8fd..2122f4f 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -553,21 +553,6 @@ static void usb_msd_handle_data(USBDevice *dev, USBPacket *p)
}
}
-static void usb_msd_password_cb(void *opaque, int err)
-{
- MSDState *s = opaque;
- Error *local_err = NULL;
-
- if (!err) {
- usb_device_attach(&s->dev, &local_err);
- }
-
- if (local_err) {
- error_report_err(local_err);
- qdev_unplug(&s->dev.qdev, NULL);
- }
-}
-
static void *usb_msd_load_request(QEMUFile *f, SCSIRequest *req)
{
MSDState *s = DO_UPCAST(MSDState, dev.qdev, req->bus->qbus.parent);
@@ -613,25 +598,6 @@ static void usb_msd_realize_storage(USBDevice *dev, Error **errp)
return;
}
- if (blk_bs(blk)) {
- bdrv_add_key(blk_bs(blk), NULL, &err);
- if (err) {
- if (monitor_cur_is_qmp()) {
- error_propagate(errp, err);
- return;
- }
- error_free(err);
- err = NULL;
- if (cur_mon) {
- monitor_read_bdrv_key_start(cur_mon, blk_bs(blk),
- usb_msd_password_cb, s);
- s->dev.auto_attach = 0;
- } else {
- autostart = 0;
- }
- }
- }
-
blkconf_serial(&s->conf, &dev->serial);
blkconf_blocksizes(&s->conf);
diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
index aa0f373..cd38020 100644
--- a/include/monitor/monitor.h
+++ b/include/monitor/monitor.h
@@ -21,13 +21,6 @@ void monitor_init(CharDriverState *chr, int flags);
int monitor_suspend(Monitor *mon);
void monitor_resume(Monitor *mon);
-int monitor_read_bdrv_key_start(Monitor *mon, BlockDriverState *bs,
- BlockCompletionFunc *completion_cb,
- void *opaque);
-int monitor_read_block_device_key(Monitor *mon, const char *device,
- BlockCompletionFunc *completion_cb,
- void *opaque);
-
int monitor_get_fd(Monitor *mon, const char *fdname, Error **errp);
int monitor_fd_param(Monitor *mon, const char *fdname, Error **errp);
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 84e84ac..a95b85d 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -299,8 +299,6 @@ void qemu_set_tty_echo(int fd, bool echo);
void os_mem_prealloc(int fd, char *area, size_t sz);
-int qemu_read_password(char *buf, int buf_size);
-
/**
* qemu_fork:
*
diff --git a/monitor.c b/monitor.c
index e7e7ae2..9f147f7 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4139,75 +4139,6 @@ void monitor_init(CharDriverState *chr, int flags)
qemu_mutex_unlock(&monitor_lock);
}
-static void bdrv_password_cb(void *opaque, const char *password,
- void *readline_opaque)
-{
- Monitor *mon = opaque;
- BlockDriverState *bs = readline_opaque;
- int ret = 0;
- Error *local_err = NULL;
-
- bdrv_add_key(bs, password, &local_err);
- if (local_err) {
- monitor_printf(mon, "%s\n", error_get_pretty(local_err));
- error_free(local_err);
- ret = -EPERM;
- }
- if (mon->password_completion_cb)
- mon->password_completion_cb(mon->password_opaque, ret);
-
- monitor_read_command(mon, 1);
-}
-
-int monitor_read_bdrv_key_start(Monitor *mon, BlockDriverState *bs,
- BlockCompletionFunc *completion_cb,
- void *opaque)
-{
- int err;
-
- monitor_printf(mon, "%s (%s) is encrypted.\n", bdrv_get_device_name(bs),
- bdrv_get_encrypted_filename(bs));
-
- mon->password_completion_cb = completion_cb;
- mon->password_opaque = opaque;
-
- err = monitor_read_password(mon, bdrv_password_cb, bs);
-
- if (err && completion_cb)
- completion_cb(opaque, err);
-
- return err;
-}
-
-int monitor_read_block_device_key(Monitor *mon, const char *device,
- BlockCompletionFunc *completion_cb,
- void *opaque)
-{
- Error *err = NULL;
- BlockBackend *blk;
-
- blk = blk_by_name(device);
- if (!blk) {
- monitor_printf(mon, "Device not found %s\n", device);
- return -1;
- }
- if (!blk_bs(blk)) {
- monitor_printf(mon, "Device '%s' has no medium\n", device);
- return -1;
- }
-
- bdrv_add_key(blk_bs(blk), NULL, &err);
- if (err) {
- error_free(err);
- return monitor_read_bdrv_key_start(mon, blk_bs(blk), completion_cb, opaque);
- }
-
- if (completion_cb) {
- completion_cb(opaque, 0);
- }
- return 0;
-}
-
QemuOptsList qemu_mon_opts = {
.name = "mon",
.implied_opt_name = "chardev",
diff --git a/qemu-img.c b/qemu-img.c
index e965e7d..d62f2ec 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -270,8 +270,6 @@ static BlockBackend *img_open_file(const char *id, const char *filename,
bool quiet)
{
BlockBackend *blk;
- BlockDriverState *bs;
- char password[256];
Error *local_err = NULL;
QDict *options = NULL;
@@ -288,18 +286,6 @@ static BlockBackend *img_open_file(const char *id, const char *filename,
goto fail;
}
- bs = blk_bs(blk);
- if (bdrv_is_encrypted(bs) && !(flags & BDRV_O_NO_IO)) {
- qprintf(quiet, "Disk image '%s' is encrypted.\n", filename);
- if (qemu_read_password(password, sizeof(password)) < 0) {
- error_report("No password given");
- goto fail;
- }
- if (bdrv_set_key(bs, password) < 0) {
- error_report("invalid password");
- goto fail;
- }
- }
return blk;
fail:
blk_unref(blk);
diff --git a/qemu-io.c b/qemu-io.c
index e8c614d..97e7229 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -56,7 +56,6 @@ static const cmdinfo_t close_cmd = {
static int openfile(char *name, int flags, QDict *opts)
{
Error *local_err = NULL;
- BlockDriverState *bs;
if (qemuio_blk) {
fprintf(stderr, "file open already, try 'help close'\n");
@@ -73,27 +72,7 @@ static int openfile(char *name, int flags, QDict *opts)
return 1;
}
- bs = blk_bs(qemuio_blk);
- if (bdrv_is_encrypted(bs)) {
- char password[256];
- printf("Disk image '%s' is encrypted.\n", name);
- if (qemu_read_password(password, sizeof(password)) < 0) {
- error_report("No password given");
- goto error;
- }
- if (bdrv_set_key(bs, password) < 0) {
- error_report("invalid password");
- goto error;
- }
- }
-
-
return 0;
-
- error:
- blk_unref(qemuio_blk);
- qemuio_blk = NULL;
- return 1;
}
static void open_help(void)
diff --git a/qmp.c b/qmp.c
index 15fee9b..f224d3d 100644
--- a/qmp.c
+++ b/qmp.c
@@ -170,9 +170,7 @@ SpiceInfo *qmp_query_spice(Error **errp)
void qmp_cont(Error **errp)
{
- Error *local_err = NULL;
BlockBackend *blk;
- BlockDriverState *bs;
if (runstate_needs_reset()) {
error_setg(errp, "Resetting the Virtual Machine is required");
@@ -184,13 +182,6 @@ void qmp_cont(Error **errp)
for (blk = blk_next(NULL); blk; blk = blk_next(blk)) {
blk_iostatus_reset(blk);
}
- for (bs = bdrv_next(NULL); bs; bs = bdrv_next(bs)) {
- bdrv_add_key(bs, NULL, &local_err);
- if (local_err) {
- error_propagate(errp, local_err);
- return;
- }
- }
if (runstate_check(RUN_STATE_INMIGRATE)) {
autostart = 1;
diff --git a/tests/qemu-iotests/087 b/tests/qemu-iotests/087
index af44299..a1498b6 100755
--- a/tests/qemu-iotests/087
+++ b/tests/qemu-iotests/087
@@ -187,11 +187,21 @@ echo
_make_test_img -o encryption=on $size
run_qemu -S <<EOF
{ "execute": "qmp_capabilities" }
+{ "execute": "object-add",
+ "arguments": {
+ "qom-type": "secret",
+ "id": "sec0",
+ "props": {
+ "data": "123456"
+ }
+ }
+}
{ "execute": "blockdev-add",
"arguments": {
"options": {
"driver": "$IMGFMT",
"id": "disk",
+ "keyid": "sec0",
"file": {
"driver": "file",
"filename": "$TEST_IMG"
@@ -204,11 +214,21 @@ EOF
run_qemu <<EOF
{ "execute": "qmp_capabilities" }
+{ "execute": "object-add",
+ "arguments": {
+ "qom-type": "secret",
+ "id": "sec0",
+ "props": {
+ "data": "123456"
+ }
+ }
+}
{ "execute": "blockdev-add",
"arguments": {
"options": {
"driver": "$IMGFMT",
"id": "disk",
+ "keyid": "sec0",
"file": {
"driver": "file",
"filename": "$TEST_IMG"
diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out
index 7d62cd5..85752bb 100644
--- a/tests/qemu-iotests/087.out
+++ b/tests/qemu-iotests/087.out
@@ -48,6 +48,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
Testing: -S
QMP_VERSION
{"return": {}}
+{"return": {}}
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
@@ -58,6 +59,7 @@ You can use 'qemu-img convert' to convert your image to an unencrypted one.
Testing:
QMP_VERSION
{"return": {}}
+{"return": {}}
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
diff --git a/tests/qemu-iotests/134 b/tests/qemu-iotests/134
index 1c3820b..d3e40a1 100755
--- a/tests/qemu-iotests/134
+++ b/tests/qemu-iotests/134
@@ -44,23 +44,30 @@ _supported_os Linux
size=128M
-IMGOPTS="encryption=on" _make_test_img $size
+SECRET1=secret,id=sec0,data=astrochicken
+SECRET2=secret,id=sec0,data=platypus
+
+EXTRA_IMG_ARGS="--object $SECRET1" IMGOPTS="encryption=on,fde_format=qcowaes" _make_test_img $size
+
+
+QEMU_IO_OPTIONS=`echo $QEMU_IO_OPTIONS | sed -e 's/-f qcow2//'`
+TEST_IMG="driver=qcow2,file=$TEST_IMG,keyid=sec0"
echo
echo "== reading whole image =="
-echo "astrochicken" | $QEMU_IO -c "read 0 $size" "$TEST_IMG" | _filter_qemu_io | _filter_testdir
+$QEMU_IO --object $SECRET1 -c "read 0 $size" --image-opts "$TEST_IMG" | _filter_qemu_io | _filter_testdir
echo
echo "== rewriting whole image =="
-echo "astrochicken" | $QEMU_IO -c "write -P 0xa 0 $size" "$TEST_IMG" | _filter_qemu_io | _filter_testdir
+$QEMU_IO --object $SECRET1 -c "write -P 0xa 0 $size" --image-opts "$TEST_IMG" | _filter_qemu_io | _filter_testdir
echo
echo "== verify pattern =="
-echo "astrochicken" | $QEMU_IO -c "read -P 0xa 0 $size" "$TEST_IMG" | _filter_qemu_io | _filter_testdir
+$QEMU_IO --object $SECRET1 -c "read -P 0xa 0 $size" --source "$TEST_IMG" | _filter_qemu_io | _filter_testdir
echo
echo "== verify pattern failure with wrong password =="
-echo "platypus" | $QEMU_IO -c "read -P 0xa 0 $size" "$TEST_IMG" | _filter_qemu_io | _filter_testdir
+$QEMU_IO --object $SECRET2 -c "read -P 0xa 0 $size" --source "$TEST_IMG" | _filter_qemu_io | _filter_testdir
# success, all done
diff --git a/tests/qemu-iotests/134.out b/tests/qemu-iotests/134.out
index a16acb8..845aa57 100644
--- a/tests/qemu-iotests/134.out
+++ b/tests/qemu-iotests/134.out
@@ -11,8 +11,6 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
-Disk image 'TEST_DIR/t.qcow2' is encrypted.
-password:
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
@@ -20,8 +18,6 @@ read 134217728/134217728 bytes at offset 0
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
-Disk image 'TEST_DIR/t.qcow2' is encrypted.
-password:
wrote 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
@@ -29,8 +25,6 @@ wrote 134217728/134217728 bytes at offset 0
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
-Disk image 'TEST_DIR/t.qcow2' is encrypted.
-password:
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
@@ -38,8 +32,6 @@ read 134217728/134217728 bytes at offset 0
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
-Disk image 'TEST_DIR/t.qcow2' is encrypted.
-password:
Pattern verification failed at offset 0, 134217728 bytes
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
index d9913f8..da78459 100644
--- a/tests/qemu-iotests/common.rc
+++ b/tests/qemu-iotests/common.rc
@@ -135,9 +135,9 @@ _make_test_img()
# XXX(hch): have global image options?
(
if [ $use_backing = 1 ]; then
- $QEMU_IMG create -f $IMGFMT $extra_img_options -b "$backing_file" "$img_name" $image_size 2>&1
+ $QEMU_IMG create $EXTRA_IMG_ARGS -f $IMGFMT $extra_img_options -b "$backing_file" "$img_name" $image_size 2>&1
else
- $QEMU_IMG create -f $IMGFMT $extra_img_options "$img_name" $image_size 2>&1
+ $QEMU_IMG create $EXTRA_IMG_ARGS -f $IMGFMT $extra_img_options "$img_name" $image_size 2>&1
fi
) | _filter_img_create
diff --git a/util/oslib-posix.c b/util/oslib-posix.c
index d25f671..e2c02f6 100644
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@@ -384,72 +384,6 @@ void os_mem_prealloc(int fd, char *area, size_t memory)
}
-static struct termios oldtty;
-
-static void term_exit(void)
-{
- tcsetattr(0, TCSANOW, &oldtty);
-}
-
-static void term_init(void)
-{
- struct termios tty;
-
- tcgetattr(0, &tty);
- oldtty = tty;
-
- tty.c_iflag &= ~(IGNBRK|BRKINT|PARMRK|ISTRIP
- |INLCR|IGNCR|ICRNL|IXON);
- tty.c_oflag |= OPOST;
- tty.c_lflag &= ~(ECHO|ECHONL|ICANON|IEXTEN);
- tty.c_cflag &= ~(CSIZE|PARENB);
- tty.c_cflag |= CS8;
- tty.c_cc[VMIN] = 1;
- tty.c_cc[VTIME] = 0;
-
- tcsetattr(0, TCSANOW, &tty);
-
- atexit(term_exit);
-}
-
-int qemu_read_password(char *buf, int buf_size)
-{
- uint8_t ch;
- int i, ret;
-
- printf("password: ");
- fflush(stdout);
- term_init();
- i = 0;
- for (;;) {
- ret = read(0, &ch, 1);
- if (ret == -1) {
- if (errno == EAGAIN || errno == EINTR) {
- continue;
- } else {
- break;
- }
- } else if (ret == 0) {
- ret = -1;
- break;
- } else {
- if (ch == '\r' ||
- ch == '\n') {
- ret = 0;
- break;
- }
- if (i < (buf_size - 1)) {
- buf[i++] = ch;
- }
- }
- }
- term_exit();
- buf[i] = '\0';
- printf("\n");
- return ret;
-}
-
-
pid_t qemu_fork(Error **errp)
{
sigset_t oldmask, newmask;
diff --git a/util/oslib-win32.c b/util/oslib-win32.c
index 6a47019..6ccc952 100644
--- a/util/oslib-win32.c
+++ b/util/oslib-win32.c
@@ -474,30 +474,6 @@ void os_mem_prealloc(int fd, char *area, size_t memory)
}
-/* XXX: put correct support for win32 */
-int qemu_read_password(char *buf, int buf_size)
-{
- int c, i;
-
- printf("Password: ");
- fflush(stdout);
- i = 0;
- for (;;) {
- c = getchar();
- if (c < 0) {
- buf[i] = '\0';
- return -1;
- } else if (c == '\n') {
- break;
- } else if (i < (buf_size - 1)) {
- buf[i++] = c;
- }
- }
- buf[i] = '\0';
- return 0;
-}
-
-
pid_t qemu_fork(Error **errp)
{
errno = ENOSYS;
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 14/15] block: remove all encryption handling APIs
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (12 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 13/15] block: rip out all traces of password prompting Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 15/15] block: remove support for legecy AES qcow/qcow2 encryption Daniel P. Berrange
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Now that all encryption keys must be provided upfront via
the QCryptoSecret API and associated block driver properties
there is no need for any explicit encryption handling APIs
in the block layer. Encryption can be handled transparently
within the block driver. We only retain an API for querying
whether an image is encrypted or not, since that is a
potentially useful piece of metadata to report to the user.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block.c | 82 ++--------------------------------------------
block/qapi.c | 2 +-
blockdev.c | 40 ++--------------------
include/block/block.h | 4 ---
include/block/block_int.h | 1 -
tests/qemu-iotests/087.out | 4 +--
6 files changed, 7 insertions(+), 126 deletions(-)
diff --git a/block.c b/block.c
index 01655de..d123cbc 100644
--- a/block.c
+++ b/block.c
@@ -1696,17 +1696,8 @@ static int bdrv_open_inherit(BlockDriverState **pbs, const char *filename,
goto close_and_fail;
}
- if (!bdrv_key_required(bs)) {
- if (bs->blk) {
- blk_dev_change_media_cb(bs->blk, true);
- }
- } else if (!runstate_check(RUN_STATE_PRELAUNCH)
- && !runstate_check(RUN_STATE_INMIGRATE)
- && !runstate_check(RUN_STATE_PAUSED)) { /* HACK */
- error_setg(errp,
- "Guest must be stopped for opening of encrypted image");
- ret = -EBUSY;
- goto close_and_fail;
+ if (bs->blk) {
+ blk_dev_change_media_cb(bs->blk, true);
}
QDECREF(options);
@@ -2193,7 +2184,6 @@ void bdrv_close(BlockDriverState *bs)
bs->backing_format[0] = '\0';
bs->total_sectors = 0;
bs->encrypted = 0;
- bs->valid_key = 0;
bs->sg = 0;
bs->zero_beyond_eof = false;
QDECREF(bs->options);
@@ -2777,74 +2767,6 @@ int bdrv_is_encrypted(BlockDriverState *bs)
return bs->encrypted;
}
-int bdrv_key_required(BlockDriverState *bs)
-{
- BdrvChild *backing = bs->backing;
-
- if (backing && backing->bs->encrypted && !backing->bs->valid_key) {
- return 1;
- }
- return (bs->encrypted && !bs->valid_key);
-}
-
-int bdrv_set_key(BlockDriverState *bs, const char *key)
-{
- int ret;
- if (bs->backing && bs->backing->bs->encrypted) {
- ret = bdrv_set_key(bs->backing->bs, key);
- if (ret < 0)
- return ret;
- if (!bs->encrypted)
- return 0;
- }
- if (!bs->encrypted) {
- return -EINVAL;
- } else if (!bs->drv || !bs->drv->bdrv_set_key) {
- return -ENOMEDIUM;
- }
- ret = bs->drv->bdrv_set_key(bs, key);
- if (ret < 0) {
- bs->valid_key = 0;
- } else if (!bs->valid_key) {
- bs->valid_key = 1;
- if (bs->blk) {
- /* call the change callback now, we skipped it on open */
- blk_dev_change_media_cb(bs->blk, true);
- }
- }
- return ret;
-}
-
-/*
- * Provide an encryption key for @bs.
- * If @key is non-null:
- * If @bs is not encrypted, fail.
- * Else if the key is invalid, fail.
- * Else set @bs's key to @key, replacing the existing key, if any.
- * If @key is null:
- * If @bs is encrypted and still lacks a key, fail.
- * Else do nothing.
- * On failure, store an error object through @errp if non-null.
- */
-void bdrv_add_key(BlockDriverState *bs, const char *key, Error **errp)
-{
- if (key) {
- if (!bdrv_is_encrypted(bs)) {
- error_setg(errp, "Node '%s' is not encrypted",
- bdrv_get_device_or_node_name(bs));
- } else if (bdrv_set_key(bs, key) < 0) {
- error_setg(errp, QERR_INVALID_PASSWORD);
- }
- } else {
- if (bdrv_key_required(bs)) {
- error_set(errp, ERROR_CLASS_DEVICE_ENCRYPTED,
- "'%s' (%s) is encrypted",
- bdrv_get_device_or_node_name(bs),
- bdrv_get_encrypted_filename(bs));
- }
- }
-}
-
const char *bdrv_get_format_name(BlockDriverState *bs)
{
return bs->drv ? bs->drv->format_name : NULL;
diff --git a/block/qapi.c b/block/qapi.c
index 58d3975..639b231 100644
--- a/block/qapi.c
+++ b/block/qapi.c
@@ -42,7 +42,7 @@ BlockDeviceInfo *bdrv_block_device_info(BlockDriverState *bs, Error **errp)
info->ro = bs->read_only;
info->drv = g_strdup(bs->drv->format_name);
info->encrypted = bs->encrypted;
- info->encryption_key_missing = bdrv_key_required(bs);
+ info->encryption_key_missing = false;
info->cache = g_new(BlockdevCacheInfo, 1);
*info->cache = (BlockdevCacheInfo) {
diff --git a/blockdev.c b/blockdev.c
index 2df0c6d..85e436a 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -623,10 +623,6 @@ static BlockBackend *blockdev_init(const char *file, QDict *bs_opts,
bdrv_set_io_limits(bs, &cfg);
}
- if (bdrv_key_required(bs)) {
- autostart = 0;
- }
-
block_acct_init(blk_get_stats(blk), account_invalid, account_failed);
if (!parse_stats_intervals(blk_get_stats(blk), interval_list, errp)) {
@@ -2263,24 +2259,8 @@ void qmp_block_passwd(bool has_device, const char *device,
bool has_node_name, const char *node_name,
const char *password, Error **errp)
{
- Error *local_err = NULL;
- BlockDriverState *bs;
- AioContext *aio_context;
-
- bs = bdrv_lookup_bs(has_device ? device : NULL,
- has_node_name ? node_name : NULL,
- &local_err);
- if (local_err) {
- error_propagate(errp, local_err);
- return;
- }
-
- aio_context = bdrv_get_aio_context(bs);
- aio_context_acquire(aio_context);
-
- bdrv_add_key(bs, password, errp);
-
- aio_context_release(aio_context);
+ error_setg_errno(errp, -ENOSYS,
+ "Setting block passwords directly is no longer supported");
}
void qmp_blockdev_open_tray(const char *device, bool has_force, bool force,
@@ -2507,12 +2487,6 @@ void qmp_blockdev_change_medium(const char *device, const char *filename,
blk_apply_root_state(blk, medium_bs);
- bdrv_add_key(medium_bs, NULL, &err);
- if (err) {
- error_propagate(errp, err);
- goto fail;
- }
-
qmp_blockdev_open_tray(device, false, false, &err);
if (err) {
error_propagate(errp, err);
@@ -3851,16 +3825,6 @@ void qmp_blockdev_add(BlockdevOptions *options, Error **errp)
}
}
- if (bs && bdrv_key_required(bs)) {
- if (blk) {
- blk_unref(blk);
- } else {
- bdrv_unref(bs);
- }
- error_setg(errp, "blockdev-add doesn't support encrypted devices");
- goto fail;
- }
-
fail:
qmp_output_visitor_cleanup(ov);
}
diff --git a/include/block/block.h b/include/block/block.h
index 73ffbd5..379a24c 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -414,10 +414,6 @@ bool bdrv_chain_contains(BlockDriverState *top, BlockDriverState *base);
BlockDriverState *bdrv_next_node(BlockDriverState *bs);
BlockDriverState *bdrv_next(BlockDriverState *bs);
int bdrv_is_encrypted(BlockDriverState *bs);
-int bdrv_key_required(BlockDriverState *bs);
-int bdrv_set_key(BlockDriverState *bs, const char *key);
-void bdrv_add_key(BlockDriverState *bs, const char *key, Error **errp);
-int bdrv_query_missing_keys(void);
void bdrv_iterate_format(void (*it)(void *opaque, const char *name),
void *opaque);
const char *bdrv_get_node_name(const BlockDriverState *bs);
diff --git a/include/block/block_int.h b/include/block/block_int.h
index 256609d..191ce83 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -374,7 +374,6 @@ struct BlockDriverState {
int read_only; /* if true, the media is read only */
int open_flags; /* flags used to open the file, re-used for re-open */
int encrypted; /* if true, the media is encrypted */
- int valid_key; /* if true, a valid encryption key has been set */
int sg; /* if true, the device is a /dev/sg* */
int copy_on_read; /* if true, copy read backing sectors into image
note this is a reference count */
diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out
index 85752bb..2b55b1b 100644
--- a/tests/qemu-iotests/087.out
+++ b/tests/qemu-iotests/087.out
@@ -52,7 +52,7 @@ QMP_VERSION
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
-{"error": {"class": "GenericError", "desc": "blockdev-add doesn't support encrypted devices"}}
+{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"}
@@ -63,7 +63,7 @@ QMP_VERSION
Encrypted images are deprecated
Support for them will be removed in a future release.
You can use 'qemu-img convert' to convert your image to an unencrypted one.
-{"error": {"class": "GenericError", "desc": "Guest must be stopped for opening of encrypted image"}}
+{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"}
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* [Qemu-devel] [PATCH v1 15/15] block: remove support for legecy AES qcow/qcow2 encryption
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
` (13 preceding siblings ...)
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 14/15] block: remove all encryption handling APIs Daniel P. Berrange
@ 2016-01-12 18:56 ` Daniel P. Berrange
14 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-12 18:56 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-block
Refuse to use images with the legacy AES-CBC encryption
format in the system emulators. They are still fully
supported in the qemu-img, qemu-io & qemu-nbd tools in
order to allow data to be liberated and for compatibility
with older QEMU versions. Continued support in these tools
is not a notable burden with the new FDE framework.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block.c | 12 +++++-------
block/qcow.c | 8 ++++++++
block/qcow2.c | 8 ++++++++
include/block/block.h | 1 +
tests/qemu-iotests/087.out | 18 ------------------
tests/qemu-iotests/134.out | 18 ------------------
6 files changed, 22 insertions(+), 43 deletions(-)
diff --git a/block.c b/block.c
index d123cbc..ebf2fec 100644
--- a/block.c
+++ b/block.c
@@ -312,6 +312,11 @@ static int bdrv_is_whitelisted(BlockDriver *drv, bool read_only)
return 0;
}
+bool bdrv_uses_whitelist(void)
+{
+ return use_bdrv_whitelist;
+}
+
typedef struct CreateCo {
BlockDriver *drv;
char *filename;
@@ -1020,13 +1025,6 @@ static int bdrv_open_common(BlockDriverState *bs, BdrvChild *file,
goto free_and_fail;
}
- if (bs->encrypted) {
- error_report("Encrypted images are deprecated");
- error_printf("Support for them will be removed in a future release.\n"
- "You can use 'qemu-img convert' to convert your image"
- " to an unencrypted one.\n");
- }
-
ret = refresh_total_sectors(bs, bs->total_sectors);
if (ret < 0) {
error_setg_errno(errp, -ret, "Could not refresh total sector count");
diff --git a/block/qcow.c b/block/qcow.c
index a17531f..cda187a 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -180,6 +180,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
if (s->crypt_method_header == QCOW_CRYPT_AES) {
+ if (bdrv_uses_whitelist()) {
+ error_setg(errp,
+ "Use of AES-CBC encrypted qcow images is no longer "
+ "supported. Please use the qcow2 LUKS format instead.");
+ ret = -ENOSYS;
+ goto fail;
+ }
+
ov = opts_visitor_new(opts);
fde_opts = g_new0(QCryptoBlockOpenOptions, 1);
diff --git a/block/qcow2.c b/block/qcow2.c
index 288aada..f0efc0f 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1221,6 +1221,14 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
+ if (bdrv_uses_whitelist() &&
+ s->crypt_method_header == QCOW_CRYPT_AES) {
+ error_setg(errp,
+ "Use of AES-CBC encrypted qcow2 images is no longer "
+ "supported. Please use the qcow2 LUKS format instead.");
+ ret = -ENOSYS;
+ goto fail;
+ }
bs->encrypted = 1;
}
diff --git a/include/block/block.h b/include/block/block.h
index 379a24c..58006d2 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -190,6 +190,7 @@ void bdrv_io_limits_update_group(BlockDriverState *bs, const char *group);
void bdrv_init(void);
void bdrv_init_with_whitelist(void);
+bool bdrv_uses_whitelist(void);
BlockDriver *bdrv_find_protocol(const char *filename,
bool allow_protocol_prefix,
Error **errp);
diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out
index 2b55b1b..19a54c5 100644
--- a/tests/qemu-iotests/087.out
+++ b/tests/qemu-iotests/087.out
@@ -38,20 +38,11 @@ QMP_VERSION
=== Encrypted image ===
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
Testing: -S
QMP_VERSION
{"return": {}}
{"return": {}}
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"}
@@ -60,9 +51,6 @@ Testing:
QMP_VERSION
{"return": {}}
{"return": {}}
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"}
@@ -70,12 +58,6 @@ You can use 'qemu-img convert' to convert your image to an unencrypted one.
=== Missing driver ===
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
Testing: -S
QMP_VERSION
diff --git a/tests/qemu-iotests/134.out b/tests/qemu-iotests/134.out
index 845aa57..a01067d 100644
--- a/tests/qemu-iotests/134.out
+++ b/tests/qemu-iotests/134.out
@@ -1,37 +1,19 @@
QA output created by 134
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
== reading whole image ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== rewriting whole image ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
wrote 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== verify pattern ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== verify pattern failure with wrong password ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Pattern verification failed at offset 0, 134217728 bytes
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
--
2.5.0
^ permalink raw reply related [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 01/15] crypto: add cryptographic random byte source
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 01/15] crypto: add cryptographic random byte source Daniel P. Berrange
@ 2016-01-13 2:46 ` Fam Zheng
0 siblings, 0 replies; 32+ messages in thread
From: Fam Zheng @ 2016-01-13 2:46 UTC (permalink / raw)
To: Daniel P. Berrange; +Cc: qemu-devel, qemu-block
On Tue, 01/12 18:56, Daniel P. Berrange wrote:
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> crypto/Makefile.objs | 1 +
> crypto/random.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
> include/crypto/random.h | 43 ++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 94 insertions(+)
> create mode 100644 crypto/random.c
> create mode 100644 include/crypto/random.h
>
> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index a3135f1..5f38d2d 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -8,6 +8,7 @@ crypto-obj-y += tlscredsanon.o
> crypto-obj-y += tlscredsx509.o
> crypto-obj-y += tlssession.o
> crypto-obj-y += secret.o
> +crypto-obj-y += random.o
>
> # Let the userspace emulators avoid linking gnutls/etc
> crypto-aes-obj-y = aes.o
> diff --git a/crypto/random.c b/crypto/random.c
> new file mode 100644
> index 0000000..8257d24
> --- /dev/null
> +++ b/crypto/random.c
> @@ -0,0 +1,50 @@
> +/*
> + * QEMU Crypto random number provider
> + *
> + * Copyright (c) 2015 Red Hat, Inc.
s/2015/2016/
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#include <config-host.h>
> +
> +#include "crypto/random.h"
> +
> +int qcrypto_random_bytes(uint8_t *buf,
> + size_t buflen,
> + Error **errp)
> +{
> + ssize_t ret;
> + int fd = open("/dev/random", O_RDONLY);
> + if (fd < 0) {
> + error_setg_errno(errp, errno,
> + "Unable to open /dev/random");
> + return -1;
> + }
> +
> + while (buflen) {
> + ret = read(fd, buf, buflen);
> + if (ret < 0) {
> + error_setg_errno(errp, errno,
> + "Unable to read random bytes");
> + close(fd);
> + return -1;
> + }
> + buflen -= ret;
> + }
> +
> + close(fd);
> + return 0;
> +}
> diff --git a/include/crypto/random.h b/include/crypto/random.h
> new file mode 100644
> index 0000000..ce1626b
> --- /dev/null
> +++ b/include/crypto/random.h
> @@ -0,0 +1,43 @@
> +/*
> + * QEMU Crypto random number provider
> + *
> + * Copyright (c) 2015 Red Hat, Inc.
s/2015/2016/
> + *
> + * This library is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2 of the License, or (at your option) any later version.
> + *
> + * This library is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with this library; if not, see <http://www.gnu.org/licenses/>.
> + *
> + */
> +
> +#ifndef QCRYPTO_RANDOM_H__
> +#define QCRYPTO_RANDOM_H__
> +
> +#include "qemu-common.h"
> +#include "qapi/error.h"
> +
> +
> +/**
> + * qcrypto_random_bytes:
> + * @buf: the buffer to fill
> + * @buflen: length of @buf in bytes
> + * @errp: pointer to uninitialized error objet
s/objet/object/, but more importantly @errp must be NULL, so it's not exact to
say it "uninitialized".
> + *
> + * Fill @buf with @buflen bytes of random data
> + *
> + * Returns 0 on sucess, -1 on error
> + */
> +int qcrypto_random_bytes(uint8_t *buf,
> + size_t buflen,
> + Error **errp);
> +
> +
> +#endif /* QCRYPTO_RANDOM_H__ */
> --
> 2.5.0
>
>
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 02/15] crypto: add support for PBKDF2 algorithm
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 02/15] crypto: add support for PBKDF2 algorithm Daniel P. Berrange
@ 2016-01-13 5:53 ` Fam Zheng
2016-01-14 12:17 ` Daniel P. Berrange
0 siblings, 1 reply; 32+ messages in thread
From: Fam Zheng @ 2016-01-13 5:53 UTC (permalink / raw)
To: Daniel P. Berrange; +Cc: qemu-devel, qemu-block
On Tue, 01/12 18:56, Daniel P. Berrange wrote:
> +#if defined CONFIG_NETTLE
> +#include "crypto/pbkdf-nettle.c"
> +#elif defined CONFIG_GCRYPT
> +#include "crypto/pbkdf-gcrypt.c"
> +#else /* ! CONFIG_GCRYPT */
> +#include "crypto/pbkdf-stub.c"
> +#endif /* ! CONFIG_GCRYPT */
I think the convention in QEMU is in crypto/Makefile.objs:
crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
And move pbkdf-stub.c to stub/pbkdf.c.
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v1 07/15] block: add flag to indicate that no I/O will be performed
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 07/15] block: add flag to indicate that no I/O will be performed Daniel P. Berrange
@ 2016-01-13 17:44 ` Kevin Wolf
2016-01-13 17:56 ` Daniel P. Berrange
0 siblings, 1 reply; 32+ messages in thread
From: Kevin Wolf @ 2016-01-13 17:44 UTC (permalink / raw)
To: Daniel P. Berrange; +Cc: qemu-devel, qemu-block
Am 12.01.2016 um 19:56 hat Daniel P. Berrange geschrieben:
> When opening an image it is useful to know whether the caller
> intends to perform I/O on the image or not. In the case of
> encrypted images this will allow the block driver to avoid
> having to prompt for decryption keys when we merely want to
> query header metadata about the image. eg qemu-img info
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Would it be worth adding assertions to the block layer I/O functions
(most importantly, bdrv_aligned_preadv/pwritev) that this flag isn't
set?
Kevin
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v1 07/15] block: add flag to indicate that no I/O will be performed
2016-01-13 17:44 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
@ 2016-01-13 17:56 ` Daniel P. Berrange
0 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-13 17:56 UTC (permalink / raw)
To: Kevin Wolf; +Cc: qemu-devel, qemu-block
On Wed, Jan 13, 2016 at 06:44:41PM +0100, Kevin Wolf wrote:
> Am 12.01.2016 um 19:56 hat Daniel P. Berrange geschrieben:
> > When opening an image it is useful to know whether the caller
> > intends to perform I/O on the image or not. In the case of
> > encrypted images this will allow the block driver to avoid
> > having to prompt for decryption keys when we merely want to
> > query header metadata about the image. eg qemu-img info
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
>
> Would it be worth adding assertions to the block layer I/O functions
> (most importantly, bdrv_aligned_preadv/pwritev) that this flag isn't
> set?
Yes, I think so.
In the read/write code paths that trigger encryption, I'm already doing
an assert that the encryption context is setup, which is indirectly
related to BDRV_O_NO_IO. It is probably worth adding an assertion
explicitly based on the flag at the top level though, as it'd give
a clearer error if it ever got triggered.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
@ 2016-01-13 18:42 ` Kevin Wolf
2016-01-14 12:14 ` Daniel P. Berrange
0 siblings, 1 reply; 32+ messages in thread
From: Kevin Wolf @ 2016-01-13 18:42 UTC (permalink / raw)
To: Daniel P. Berrange; +Cc: qemu-devel, qemu-block
Am 12.01.2016 um 19:56 hat Daniel P. Berrange geschrieben:
> This converts the qcow2 driver to make use of the QCryptoBlock
> APIs for encrypting image content. As well as continued support
> for the legacy QCow2 encryption format, the appealing benefit
> is that it enables support for the LUKS format inside qcow2.
>
> With the LUKS format it is neccessary to store the LUKS
> partition header and key material in the QCow2 file. This
> data can be many MB in size, so cannot go into the QCow2
> header region directly. Thus the spec is defines a FDE
> (Full Disk Encryption) header extension that specifies
> the offset of a set of clusters to hold the FDE headers,
> as well as the length of that region. The LUKS header is
> thus stored in these extra allocated clusters before the
> main image payload.
>
> With this change it is now required to use the QCryptoSecret
> object for providing passwords, instead of the current block
> password APIs / interactive prompting.
>
> $QEMU \
> -object secret,id=sec0,filename=/home/berrange/encrypted.pw \
> -drive file=/home/berrange/encrypted.qcow2,key-id=sec0
>
> The new LUKS format is set as the new default format when
> creating encrypted images. ie
>
> # qemu-img create --object secret,data=123456,id=sec0 \
> -f qcow2 -o encryption,key-id=sec0 \
> test.qcow2 10G
>
> Results in creation of an image using the LUKS format.
>
> For compatibility the old qcow2 AES format can still be used
> via the 'encryption-format' parameter which accepts the
> values 'luks' or 'qcowaes'.
>
> # qemu-img create --object secret,data=123456,id=sec0 \
> -f qcow2 -o encryption,key-id=sec0,encryption-format=qcowaes \
> test.qcow2 10G
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
I think for your additional pointer to some clusters you need to change
some function(s) called by qcow2_check_refcounts(). Otherwise 'qemu-img
check' won't count the reference and helpfully free the "leaked"
cluster.
> diff --git a/block/qcow2.c b/block/qcow2.c
> index c0fc259..288aada 100644
> --- a/block/qcow2.c
> +++ b/block/qcow2.c
> @@ -34,6 +34,8 @@
> #include "qapi-event.h"
> #include "trace.h"
> #include "qemu/option_int.h"
> +#include "qapi/opts-visitor.h"
> +#include "qapi-visit.h"
>
> /*
> Differences with QCOW:
> @@ -60,6 +62,7 @@ typedef struct {
> #define QCOW2_EXT_MAGIC_END 0
> #define QCOW2_EXT_MAGIC_BACKING_FORMAT 0xE2792ACA
> #define QCOW2_EXT_MAGIC_FEATURE_TABLE 0x6803f857
> +#define QCOW2_EXT_MAGIC_FDE_HEADER 0x4c554b53
General naming comment on this series: I would prefer avoiding "FDE" in
favour of "encryption" or "crypt" in the block layer parts. With all
image formats having their own terminology, "FDE" could mean anything.
> static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
> {
> @@ -74,6 +77,83 @@ static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
> }
>
>
> +static ssize_t qcow2_fde_header_read_func(QCryptoBlock *block,
> + size_t offset,
> + uint8_t *buf,
> + size_t buflen,
> + Error **errp,
> + void *opaque)
> +{
> + BlockDriverState *bs = opaque;
> + BDRVQcow2State *s = bs->opaque;
> + ssize_t ret;
> +
> + if ((offset + buflen) > s->fde_header.length) {
> + error_setg_errno(errp, EINVAL,
> + "Request for data outside of extension header");
error_setg_errno() with a constant errno doesn't look very useful.
Better use plain error_setg() in such cases.
> + return -1;
Here returning -EINVAL could be useful, I'm not sure what your crypto
API requires. At least you seem to be returning -errno below and mixing
-1 and -errno is probably a bad idea.
> + }
> +
> + ret = bdrv_pread(bs->file->bs,
> + s->fde_header.offset + offset, buf, buflen);
> + if (ret < 0) {
> + error_setg_errno(errp, -ret, "Could not read encryption header");
> + return ret;
> + }
> + return ret;
return 0? You already processed ret in the if block and two 'return ret'
in a row look odd.
> +}
> +
> +
> +static ssize_t qcow2_fde_header_init_func(QCryptoBlock *block,
> + size_t headerlen,
> + Error **errp,
> + void *opaque)
> +{
> + BlockDriverState *bs = opaque;
> + BDRVQcow2State *s = bs->opaque;
> + int64_t ret;
> +
> + s->fde_header.length = headerlen + (headerlen % s->cluster_size);
> +
> + ret = qcow2_alloc_clusters(bs, s->fde_header.length);
> + if (ret < 0) {
> + s->fde_header.length = 0;
> + error_setg(errp, "Cannot allocate cluster for LUKS header size %zu",
> + headerlen);
I think ret is -errno on failure, so use error_setg_errno()?
> + return -1;
> + }
> +
> + s->fde_header.offset = ret;
> + return 0;
> +}
> +
> +
> +static ssize_t qcow2_fde_header_write_func(QCryptoBlock *block,
> + size_t offset,
> + const uint8_t *buf,
> + size_t buflen,
> + Error **errp,
> + void *opaque)
> +{
> + BlockDriverState *bs = opaque;
> + BDRVQcow2State *s = bs->opaque;
> + ssize_t ret;
> +
> + if ((offset + buflen) > s->fde_header.length) {
> + error_setg_errno(errp, EINVAL,
> + "Request for data outside of extension header");
error_setg(). Probably worth checking all error paths whether there is a
useful errno or not. I won't comment on additional instances.
> + return -1;
> + }
> +
> + ret = bdrv_pwrite(bs->file->bs, s->fde_header.offset + offset, buf, buflen);
> + if (ret < 0) {
> + error_setg_errno(errp, -ret, "Could not read encryption header");
> + return ret;
> + }
> + return ret;
> +}
Mixing -1 and -errno again.
> /*
> * read qcow2 extension and fill bs
> * start reading from start_offset
> @@ -83,12 +163,14 @@ static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
> */
> static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
> uint64_t end_offset, void **p_feature_table,
> + int flags,
> Error **errp)
> {
> BDRVQcow2State *s = bs->opaque;
> QCowExtension ext;
> uint64_t offset;
> int ret;
> + unsigned int cflags = 0;
Should we create a block for QCOW2_EXT_MAGIC_FDE_HEADER and declare it
there?
> #ifdef DEBUG_EXT
> printf("qcow2_read_extensions: start=%ld end=%ld\n", start_offset, end_offset);
> @@ -159,6 +241,35 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
> }
> break;
>
> + case QCOW2_EXT_MAGIC_FDE_HEADER:
> + if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
> + error_setg(errp, "FDE header extension only "
> + "expected with LUKS encryption method");
> + return -EINVAL;
> + }
> + if (ext.len != sizeof(Qcow2FDEHeaderExtension)) {
> + error_setg(errp, "LUKS header extension size %u, "
> + "but expected size %zu", ext.len,
> + sizeof(Qcow2FDEHeaderExtension));
> + return -EINVAL;
> + }
> +
> + ret = bdrv_pread(bs->file->bs, offset, &s->fde_header, ext.len);
No error check?
> + be64_to_cpu(s->fde_header.offset);
> + be64_to_cpu(s->fde_header.length);
> +
> + if (flags & BDRV_O_NO_IO) {
> + cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
> + }
> + s->fde = qcrypto_block_open(s->fde_opts,
> + qcow2_fde_header_read_func,
> + bs,
> + cflags,
> + errp);
The surrounding code doesn't put every parameter on its own line if the
next parameter can fit on the same line. There are more instances of
this in the patch, I won't comment on each one.
> + if (!s->fde) {
> + return -EINVAL;
> + }
> + break;
> default:
> /* unknown magic - save it in case we need to rewrite the header */
> {
> @@ -472,6 +583,11 @@ static QemuOptsList qcow2_runtime_opts = {
> .type = QEMU_OPT_NUMBER,
> .help = "Clean unused cache entries after this time (in seconds)",
> },
> + {
> + .name = QCOW2_OPT_KEY_ID,
> + .type = QEMU_OPT_STRING,
> + .help = "ID of the secret that provides the encryption key",
> + },
> { /* end of list */ }
> },
> };
> @@ -589,6 +705,113 @@ static void read_cache_sizes(BlockDriverState *bs, QemuOpts *opts,
> }
> }
>
> +
> +static QCryptoBlockOpenOptions *
> +qcow2_fde_open_opts_init(QCryptoBlockFormat format,
> + QemuOpts *opts,
> + Error **errp)
> +{
> + OptsVisitor *ov;
> + QCryptoBlockOpenOptions *ret;
> + Error *local_err = NULL;
> +
> + ret = g_new0(QCryptoBlockOpenOptions, 1);
> + ret->format = format;
> +
> + ov = opts_visitor_new(opts);
> +
> + switch (format) {
> + case Q_CRYPTO_BLOCK_FORMAT_QCOWAES:
> + ret->u.qcowaes = g_new0(QCryptoBlockOptionsQCowAES, 1);
> + visit_type_QCryptoBlockOptionsQCowAES(opts_get_visitor(ov),
> + &ret->u.qcowaes,
> + "qcowaes", &local_err);
> + break;
> +
> + case Q_CRYPTO_BLOCK_FORMAT_LUKS:
> + ret->u.luks = g_new0(QCryptoBlockOptionsLUKS, 1);
> + visit_type_QCryptoBlockOptionsLUKS(opts_get_visitor(ov),
> + &ret->u.luks,
> + "luks", &local_err);
> + break;
> +
> + default:
> + error_setg(&local_err, "Unsupported block format %d", format);
> + break;
> + }
> +
> + if (local_err) {
> + error_propagate(errp, local_err);
> + opts_visitor_cleanup(ov);
> + qapi_free_QCryptoBlockOpenOptions(ret);
> + return NULL;
> + }
> +
> + opts_visitor_cleanup(ov);
> + return ret;
> +}
> +
> +
> +static QCryptoBlockCreateOptions *
> +qcow2_fde_create_opts_init(QCryptoBlockFormat format,
> + QemuOpts *opts,
> + Error **errp)
> +{
> + OptsVisitor *ov;
> + QCryptoBlockCreateOptions *ret;
> + Error *local_err = NULL, *end_err = NULL;
> + Visitor *v;
> +
> + ret = g_new0(QCryptoBlockCreateOptions, 1);
> + ret->format = format;
> +
> + ov = opts_visitor_new(opts);
> + v = opts_get_visitor(ov);
> + visit_start_struct(v, NULL, NULL, NULL, 0, &local_err);
> + if (local_err) {
> + goto cleanup;
> + }
> +
> + switch (format) {
> + case Q_CRYPTO_BLOCK_FORMAT_QCOWAES:
> + ret->u.qcowaes = g_new0(QCryptoBlockOptionsQCowAES, 1);
> + visit_type_QCryptoBlockOptionsQCowAES(v, &ret->u.qcowaes,
> + "qcowaes", &local_err);
> + break;
> +
> + case Q_CRYPTO_BLOCK_FORMAT_LUKS:
> + ret->u.luks = g_new0(QCryptoBlockCreateOptionsLUKS, 1);
> + visit_type_QCryptoBlockCreateOptionsLUKS(v, &ret->u.luks,
> + "luks", &local_err);
> + break;
> +
> + default:
> + error_setg(&local_err, "Unsupported block format %d", format);
> + break;
> + }
> +
> + visit_end_struct(v, &end_err);
> + if (end_err) {
> + if (!local_err) {
> + error_propagate(&local_err, end_err);
> + } else {
> + error_free(end_err);
> + }
> + }
> +
> + cleanup:
> + if (local_err) {
> + error_propagate(errp, local_err);
> + qapi_free_QCryptoBlockCreateOptions(ret);
> + ret = NULL;
> + return NULL;
> + }
> +
> + opts_visitor_cleanup(ov);
> + return ret;
> +}
> +
> +
> typedef struct Qcow2ReopenState {
> Qcow2Cache *l2_table_cache;
> Qcow2Cache *refcount_block_cache;
> @@ -596,6 +819,7 @@ typedef struct Qcow2ReopenState {
> int overlap_check;
> bool discard_passthrough[QCOW2_DISCARD_MAX];
> uint64_t cache_clean_interval;
> + QCryptoBlockOpenOptions *fde_opts; /* Disk encryption runtime options */
> } Qcow2ReopenState;
>
> static int qcow2_update_options_prepare(BlockDriverState *bs,
> @@ -754,6 +978,33 @@ static int qcow2_update_options_prepare(BlockDriverState *bs,
> r->discard_passthrough[QCOW2_DISCARD_OTHER] =
> qemu_opt_get_bool(opts, QCOW2_OPT_DISCARD_OTHER, false);
>
> + switch (s->crypt_method_header) {
> + case QCOW_CRYPT_NONE:
> + break;
> +
> + case QCOW_CRYPT_AES:
> + r->fde_opts = qcow2_fde_open_opts_init(
> + Q_CRYPTO_BLOCK_FORMAT_QCOWAES,
> + opts,
> + errp);
> + break;
> +
> + case QCOW_CRYPT_LUKS:
> + r->fde_opts = qcow2_fde_open_opts_init(
> + Q_CRYPTO_BLOCK_FORMAT_LUKS,
> + opts,
> + errp);
> + break;
> +
> + default:
> + g_assert_not_reached();
> + }
> + if (s->crypt_method_header &&
> + !r->fde_opts) {
> + ret = -EINVAL;
> + goto fail;
> + }
> +
> ret = 0;
> fail:
> qemu_opts_del(opts);
> @@ -788,6 +1039,9 @@ static void qcow2_update_options_commit(BlockDriverState *bs,
> s->cache_clean_interval = r->cache_clean_interval;
> cache_clean_timer_init(bs, bdrv_get_aio_context(bs));
> }
> +
> + qapi_free_QCryptoBlockOpenOptions(s->fde_opts);
> + s->fde_opts = r->fde_opts;
> }
>
> static void qcow2_update_options_abort(BlockDriverState *bs,
> @@ -799,6 +1053,7 @@ static void qcow2_update_options_abort(BlockDriverState *bs,
> if (r->refcount_block_cache) {
> qcow2_cache_destroy(bs, r->refcount_block_cache);
> }
> + qapi_free_QCryptoBlockOpenOptions(r->fde_opts);
> }
>
> static int qcow2_update_options(BlockDriverState *bs, QDict *options,
> @@ -932,7 +1187,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
> if (s->incompatible_features & ~QCOW2_INCOMPAT_MASK) {
> void *feature_table = NULL;
> qcow2_read_extensions(bs, header.header_length, ext_end,
> - &feature_table, NULL);
> + &feature_table, flags, NULL);
> report_unsupported_feature(bs, errp, feature_table,
> s->incompatible_features &
> ~QCOW2_INCOMPAT_MASK);
> @@ -964,17 +1219,6 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
> s->refcount_max = UINT64_C(1) << (s->refcount_bits - 1);
> s->refcount_max += s->refcount_max - 1;
>
> - if (header.crypt_method > QCOW_CRYPT_AES) {
> - error_setg(errp, "Unsupported encryption method: %" PRIu32,
> - header.crypt_method);
> - ret = -EINVAL;
> - goto fail;
> - }
> - if (!qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_AES_128)) {
> - error_setg(errp, "AES cipher not available");
> - ret = -EINVAL;
> - goto fail;
> - }
> s->crypt_method_header = header.crypt_method;
> if (s->crypt_method_header) {
> bs->encrypted = 1;
> @@ -1104,12 +1348,40 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
>
> /* read qcow2 extensions */
> if (qcow2_read_extensions(bs, header.header_length, ext_end, NULL,
> - &local_err)) {
> + flags, &local_err)) {
> error_propagate(errp, local_err);
> ret = -EINVAL;
> goto fail;
> }
>
> + /* qcow2_read_extension may have setup FDE context if
> + * the crypt method needs a header region, some methods
> + * don't need header extensions, so must check here
> + */
> + if (s->crypt_method_header &&
> + !s->fde) {
Unnecessary line break.
> + if (s->crypt_method_header == QCOW_CRYPT_AES) {
> + unsigned int cflags = 0;
> + if (flags & BDRV_O_NO_IO) {
> + cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
> + }
> + s->fde = qcrypto_block_open(s->fde_opts,
> + NULL, NULL,
> + cflags,
> + errp);
> + if (!s->fde) {
> + error_setg(errp, "Could not setup encryption layer");
> + ret = -EINVAL;
> + goto fail;
> + }
> + } else if (!(flags & BDRV_O_NO_IO)) {
> + error_setg(errp, "Missing FDE header for crypt method %d",
> + s->crypt_method_header);
> + ret = -EINVAL;
> + goto fail;
> + }
> + }
> +
> /* read the backing file name */
> if (header.backing_file_offset != 0) {
> len = header.backing_file_size;
> @@ -1199,41 +1471,6 @@ static void qcow2_refresh_limits(BlockDriverState *bs, Error **errp)
> bs->bl.write_zeroes_alignment = s->cluster_sectors;
> }
>
> -static int qcow2_set_key(BlockDriverState *bs, const char *key)
> -{
> - BDRVQcow2State *s = bs->opaque;
> - uint8_t keybuf[16];
> - int len, i;
> - Error *err = NULL;
> -
> - memset(keybuf, 0, 16);
> - len = strlen(key);
> - if (len > 16)
> - len = 16;
> - /* XXX: we could compress the chars to 7 bits to increase
> - entropy */
> - for(i = 0;i < len;i++) {
> - keybuf[i] = key[i];
> - }
> - assert(bs->encrypted);
> -
> - qcrypto_cipher_free(s->cipher);
> - s->cipher = qcrypto_cipher_new(
> - QCRYPTO_CIPHER_ALG_AES_128,
> - QCRYPTO_CIPHER_MODE_CBC,
> - keybuf, G_N_ELEMENTS(keybuf),
> - &err);
> -
> - if (!s->cipher) {
> - /* XXX would be nice if errors in this method could
> - * be properly propagate to the caller. Would need
> - * the bdrv_set_key() API signature to be fixed. */
> - error_free(err);
> - return -1;
> - }
> - return 0;
> -}
> -
> static int qcow2_reopen_prepare(BDRVReopenState *state,
> BlockReopenQueue *queue, Error **errp)
> {
> @@ -1345,7 +1582,7 @@ static int64_t coroutine_fn qcow2_co_get_block_status(BlockDriverState *bs,
> }
>
> if (cluster_offset != 0 && ret != QCOW2_CLUSTER_COMPRESSED &&
> - !s->cipher) {
> + !s->fde) {
> index_in_cluster = sector_num & (s->cluster_sectors - 1);
> cluster_offset |= (index_in_cluster << BDRV_SECTOR_BITS);
> status |= BDRV_BLOCK_OFFSET_VALID | cluster_offset;
> @@ -1395,7 +1632,7 @@ static coroutine_fn int qcow2_co_readv(BlockDriverState *bs, int64_t sector_num,
>
> /* prepare next request */
> cur_nr_sectors = remaining_sectors;
> - if (s->cipher) {
> + if (s->fde) {
> cur_nr_sectors = MIN(cur_nr_sectors,
> QCOW_MAX_CRYPT_CLUSTERS * s->cluster_sectors);
> }
> @@ -1467,7 +1704,7 @@ static coroutine_fn int qcow2_co_readv(BlockDriverState *bs, int64_t sector_num,
> }
>
> if (bs->encrypted) {
> - assert(s->cipher);
> + assert(s->fde);
>
> /*
> * For encrypted images, read everything into a temporary
> @@ -1501,10 +1738,12 @@ static coroutine_fn int qcow2_co_readv(BlockDriverState *bs, int64_t sector_num,
> goto fail;
> }
> if (bs->encrypted) {
> - assert(s->cipher);
> + assert(s->fde);
> Error *err = NULL;
> - if (qcow2_encrypt_sectors(s, sector_num, cluster_data,
> - cur_nr_sectors, false,
> + if (qcrypto_block_decrypt(s->fde,
> + sector_num,
> + cluster_data,
> + cur_nr_sectors,
> &err) < 0) {
> error_free(err);
> ret = -EIO;
> @@ -1588,7 +1827,7 @@ static coroutine_fn int qcow2_co_writev(BlockDriverState *bs,
>
> if (bs->encrypted) {
> Error *err = NULL;
> - assert(s->cipher);
> + assert(s->fde);
> if (!cluster_data) {
> cluster_data = qemu_try_blockalign(bs->file->bs,
> QCOW_MAX_CRYPT_CLUSTERS
> @@ -1603,8 +1842,11 @@ static coroutine_fn int qcow2_co_writev(BlockDriverState *bs,
> QCOW_MAX_CRYPT_CLUSTERS * s->cluster_size);
> qemu_iovec_to_buf(&hd_qiov, 0, cluster_data, hd_qiov.size);
>
> - if (qcow2_encrypt_sectors(s, sector_num, cluster_data,
> - cur_nr_sectors, true, &err) < 0) {
> + if (qcrypto_block_encrypt(s->fde,
> + sector_num,
> + cluster_data,
> + cur_nr_sectors,
> + &err) < 0) {
> error_free(err);
> ret = -EIO;
> goto fail;
> @@ -1715,8 +1957,8 @@ static void qcow2_close(BlockDriverState *bs)
> qcow2_cache_destroy(bs, s->l2_table_cache);
> qcow2_cache_destroy(bs, s->refcount_block_cache);
>
> - qcrypto_cipher_free(s->cipher);
> - s->cipher = NULL;
> + qcrypto_block_free(s->fde);
> + s->fde = NULL;
>
> g_free(s->unknown_header_fields);
> cleanup_unknown_header_ext(bs);
> @@ -1734,7 +1976,7 @@ static void qcow2_invalidate_cache(BlockDriverState *bs, Error **errp)
> {
> BDRVQcow2State *s = bs->opaque;
> int flags = s->flags;
> - QCryptoCipher *cipher = NULL;
> + QCryptoBlock *fde = NULL;
> QDict *options;
> Error *local_err = NULL;
> int ret;
> @@ -1744,8 +1986,8 @@ static void qcow2_invalidate_cache(BlockDriverState *bs, Error **errp)
> * that means we don't have to worry about reopening them here.
> */
>
> - cipher = s->cipher;
> - s->cipher = NULL;
> + fde = s->fde;
> + s->fde = NULL;
>
> qcow2_close(bs);
>
> @@ -1770,7 +2012,7 @@ static void qcow2_invalidate_cache(BlockDriverState *bs, Error **errp)
> return;
> }
>
> - s->cipher = cipher;
> + s->fde = fde;
> }
>
> static size_t header_ext_add(char *buf, uint32_t magic, const void *s,
> @@ -1893,6 +2135,23 @@ int qcow2_update_header(BlockDriverState *bs)
> buflen -= ret;
> }
>
> + /* Full disk encryption header pointer extension */
> + if (s->fde_header.offset != 0) {
> + cpu_to_be64(s->fde_header.offset);
> + cpu_to_be64(s->fde_header.length);
> + ret = header_ext_add(buf, QCOW2_EXT_MAGIC_FDE_HEADER,
> + &s->fde_header,
> + sizeof(s->fde_header),
> + buflen);
> + be64_to_cpu(s->fde_header.offset);
> + be64_to_cpu(s->fde_header.length);
> + if (ret < 0) {
> + goto fail;
> + }
> + buf += ret;
> + buflen -= ret;
> + }
> +
> /* Feature table */
> Qcow2Feature features[] = {
> {
> @@ -2056,6 +2315,10 @@ static int qcow2_create2(const char *filename, int64_t total_size,
> {
> int cluster_bits;
> QDict *options;
> + const char *fdestr;
> + QCryptoBlockCreateOptions *fdeopts = NULL;
> + QCryptoBlock *fde = NULL;
> + size_t i;
>
> /* Calculate cluster_bits */
> cluster_bits = ctz32(cluster_size);
> @@ -2179,7 +2442,48 @@ static int qcow2_create2(const char *filename, int64_t total_size,
> };
>
> if (flags & BLOCK_FLAG_ENCRYPT) {
> - header->crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
> + /* Default to LUKS if fde-format is not set */
> + fdestr = qemu_opt_get_del(opts, QCOW2_OPT_ENC_FORMAT);
> + if (fdestr) {
> + for (i = 0; i < Q_CRYPTO_BLOCK_FORMAT__MAX; i++) {
> + if (g_str_equal(QCryptoBlockFormat_lookup[i],
> + fdestr)) {
> + fdeopts = qcow2_fde_create_opts_init(i,
> + opts,
> + errp);
> + if (!fdeopts) {
> + ret = -EINVAL;
> + goto out;
> + }
> + break;
> + }
> + }
> + if (!fdeopts) {
> + error_setg(errp, "Unknown fde format %s", fdestr);
> + ret = -EINVAL;
> + goto out;
> + }
> + } else {
> + fdeopts = qcow2_fde_create_opts_init(
> + Q_CRYPTO_BLOCK_FORMAT_LUKS,
> + opts, errp);
> + if (!fdeopts) {
> + ret = -EINVAL;
> + goto out;
> + }
> + }
> + switch (fdeopts->format) {
> + case Q_CRYPTO_BLOCK_FORMAT_QCOWAES:
> + header->crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
> + break;
> + case Q_CRYPTO_BLOCK_FORMAT_LUKS:
> + header->crypt_method = cpu_to_be32(QCOW_CRYPT_LUKS);
> + break;
> + default:
> + error_setg(errp, "Unsupported fde format %s", fdestr);
> + ret = -EINVAL;
> + goto out;
> + }
> } else {
> header->crypt_method = cpu_to_be32(QCOW_CRYPT_NONE);
> }
> @@ -2213,12 +2517,15 @@ static int qcow2_create2(const char *filename, int64_t total_size,
> /*
> * And now open the image and make it consistent first (i.e. increase the
> * refcount of the cluster that is occupied by the header and the refcount
> - * table)
> + * table). Using BDRV_O_NO_IO since we've not written any encryption
> + * header yet and thus should not read/write payload data or initialize
> + * the decryption context
> */
> options = qdict_new();
> qdict_put(options, "driver", qstring_from_str("qcow2"));
> ret = bdrv_open(&bs, filename, NULL, options,
> - BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH,
> + BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH |
> + BDRV_O_NO_IO,
> &local_err);
Somehow I feel that saying BDRV_O_NO_IO, but doing I/O will bite us
sooner or later.
Why not leave header->crypt_method = 0 initially and only set up
encryption after opening the image with the qcow2 driver?
> if (ret < 0) {
> error_propagate(errp, local_err);
> @@ -2253,6 +2560,24 @@ static int qcow2_create2(const char *filename, int64_t total_size,
> }
> }
>
> + /* Want encryption ? There you go.*/
Move that space character from before '?' to after '.' and it will look
right. ;-)
> + if (fdeopts) {
> + fde = qcrypto_block_create(fdeopts,
> + qcow2_fde_header_init_func,
> + qcow2_fde_header_write_func,
> + bs,
> + errp);
> + if (!fde) {
> + ret = -EINVAL;
> + goto out;
> + }
> + ret = qcow2_update_header(bs);
> + if (ret < 0) {
> + error_setg_errno(errp, -ret, "Could not write encryption header");
> + goto out;
> + }
> + }
> +
> /* And if we're supposed to preallocate metadata, do that now */
> if (prealloc != PREALLOC_MODE_OFF) {
> BDRVQcow2State *s = bs->opaque;
> @@ -2272,7 +2597,8 @@ static int qcow2_create2(const char *filename, int64_t total_size,
> options = qdict_new();
> qdict_put(options, "driver", qstring_from_str("qcow2"));
> ret = bdrv_open(&bs, filename, NULL, options,
> - BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_BACKING,
> + BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_BACKING |
> + BDRV_O_NO_IO,
> &local_err);
> if (local_err) {
> error_propagate(errp, local_err);
> @@ -3047,10 +3373,10 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
> backing_format = qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT);
> } else if (!strcmp(desc->name, BLOCK_OPT_ENCRYPT)) {
> encrypt = qemu_opt_get_bool(opts, BLOCK_OPT_ENCRYPT,
> - !!s->cipher);
> + !!s->fde);
>
> - if (encrypt != !!s->cipher) {
> - error_report("Changing the encryption flag is not supported");
> + if (encrypt != !!s->fde) {
> + fprintf(stderr, "Changing the encryption flag is not supported");
> return -ENOTSUP;
> }
> } else if (!strcmp(desc->name, BLOCK_OPT_CLUSTER_SIZE)) {
> @@ -3285,6 +3611,41 @@ static QemuOptsList qcow2_create_opts = {
> .help = "Width of a reference count entry in bits",
> .def_value_str = "16"
> },
> + {
> + .name = QCOW2_OPT_ENC_FORMAT,
> + .type = QEMU_OPT_STRING,
> + .help = "Disk encryption format, 'luks' (default) or 'qcowaes' (deprecated)",
> + },
> + {
> + .name = QCOW2_OPT_KEY_ID,
> + .type = QEMU_OPT_STRING,
> + .help = "ID of the secret that provides the encryption key",
> + },
> + {
> + .name = QCOW2_OPT_CIPHER_ALG,
> + .type = QEMU_OPT_STRING,
> + .help = "Name of encryption cipher algorithm",
> + },
> + {
> + .name = QCOW2_OPT_CIPHER_MODE,
> + .type = QEMU_OPT_STRING,
> + .help = "Name of encryption cipher mode",
> + },
> + {
> + .name = QCOW2_OPT_IVGEN_ALG,
> + .type = QEMU_OPT_STRING,
> + .help = "Name of IV generator algorithm",
> + },
> + {
> + .name = QCOW2_OPT_IVGEN_HASH_ALG,
> + .type = QEMU_OPT_STRING,
> + .help = "Name of IV generator hash algorithm",
> + },
> + {
> + .name = QCOW2_OPT_HASH_ALG,
> + .type = QEMU_OPT_STRING,
> + .help = "Name of encryption hash algorithm",
> + },
> { /* end of list */ }
> }
> };
> @@ -3302,7 +3663,6 @@ BlockDriver bdrv_qcow2 = {
> .bdrv_create = qcow2_create,
> .bdrv_has_zero_init = bdrv_has_zero_init_1,
> .bdrv_co_get_block_status = qcow2_co_get_block_status,
> - .bdrv_set_key = qcow2_set_key,
>
> .bdrv_co_readv = qcow2_co_readv,
> .bdrv_co_writev = qcow2_co_writev,
> diff --git a/block/qcow2.h b/block/qcow2.h
> index ae04285..d33afb2 100644
> --- a/block/qcow2.h
> +++ b/block/qcow2.h
> @@ -25,7 +25,7 @@
> #ifndef BLOCK_QCOW2_H
> #define BLOCK_QCOW2_H
>
> -#include "crypto/cipher.h"
> +#include "crypto/block.h"
> #include "qemu/coroutine.h"
>
> //#define DEBUG_ALLOC
> @@ -36,6 +36,7 @@
>
> #define QCOW_CRYPT_NONE 0
> #define QCOW_CRYPT_AES 1
> +#define QCOW_CRYPT_LUKS 2
>
> #define QCOW_MAX_CRYPT_CLUSTERS 32
> #define QCOW_MAX_SNAPSHOTS 65536
> @@ -98,6 +99,15 @@
> #define QCOW2_OPT_REFCOUNT_CACHE_SIZE "refcount-cache-size"
> #define QCOW2_OPT_CACHE_CLEAN_INTERVAL "cache-clean-interval"
>
> +#define QCOW2_OPT_ENC_FORMAT "encryption-format"
> +#define QCOW2_OPT_KEY_ID "key-id"
> +#define QCOW2_OPT_CIPHER_ALG "cipher-alg"
> +#define QCOW2_OPT_CIPHER_MODE "cipher-mode"
> +#define QCOW2_OPT_IVGEN_ALG "ivgen-alg"
> +#define QCOW2_OPT_IVGEN_HASH_ALG "ivgen-hash-alg"
> +#define QCOW2_OPT_HASH_ALG "hash-alg"
> +
> +
> typedef struct QCowHeader {
> uint32_t magic;
> uint32_t version;
> @@ -163,6 +173,11 @@ typedef struct QCowSnapshot {
> struct Qcow2Cache;
> typedef struct Qcow2Cache Qcow2Cache;
>
> +typedef struct Qcow2FDEHeaderExtension {
> + uint64_t offset;
> + uint64_t length;
> +} Qcow2FDEHeaderExtension;
Packed? It seems to be read directly from the file.
> typedef struct Qcow2UnknownHeaderExtension {
> uint32_t magic;
> uint32_t len;
> @@ -256,7 +271,9 @@ typedef struct BDRVQcow2State {
>
> CoMutex lock;
>
> - QCryptoCipher *cipher; /* current cipher, NULL if no key yet */
> + Qcow2FDEHeaderExtension fde_header; /* QCow2 header extension */
> + QCryptoBlockOpenOptions *fde_opts; /* Disk encryption runtime options */
> + QCryptoBlock *fde; /* Disk encryption format driver */
> uint32_t crypt_method_header;
> uint64_t snapshots_offset;
> int snapshots_size;
> diff --git a/docs/specs/qcow2.txt b/docs/specs/qcow2.txt
> index f236d8c..dcbe3c3 100644
> --- a/docs/specs/qcow2.txt
> +++ b/docs/specs/qcow2.txt
> @@ -45,6 +45,7 @@ The first cluster of a qcow2 image contains the file header:
> 32 - 35: crypt_method
> 0 for no encryption
> 1 for AES encryption
> + 2 for LUKS encryption
>
> 36 - 39: l1_size
> Number of entries in the active L1 table
> @@ -123,6 +124,7 @@ be stored. Each extension has a structure like the following:
> 0x00000000 - End of the header extension area
> 0xE2792ACA - Backing file format name
> 0x6803f857 - Feature name table
> + 0x4c554b53 - Full disk encryption header pointer
> other - Unknown header extension, can be safely
> ignored
>
> @@ -166,6 +168,75 @@ the header extension data. Each entry look like this:
> terminated if it has full length)
>
>
> +== Full disk encryption (FDE) header pointer ==
> +
> +For 'crypt_method' header values which require additional header metadata
> +to be stored (eg 'LUKS' header), the full disk encryption header pointer
> +extension is mandatory.
I think you want to make that "is present if, and only if, the
'crypt_method' header value requires metadata".
At least, we need to forbid it for the existing AES images, because old
qemu-img version would stll fix the "leaked clusters", without removing
the header extension that refers to them.
> It provides the offset at which the crypt method
> +can store its additional data, as well as the length of such data.
> +
> + Byte 0 - 7: Offset into the image file at which the encryption
> + header starts. Must be aligned to a cluster boundary.
> + Byte 8 - 16: Length of the encryption header. Must be a multiple
> + of the cluster size.
> +
> +While the header extension allocates the length as a multiple of the
> +cluster size, the encryption header may not consume the full permitted
> +allocation.
> +
> +For the LUKS crypt method, the encryption header works as follows.
> +
> +The first 592 bytes of the header clusters will contain the LUKS
> +partition header. This is then followed by the key material data areas.
> +The size of the key material data areas is determined by the number of
> +stripes in the key slot and key size. Refer to the LUKS format
> +specification ('docs/on-disk-format.pdf' in the cryptsetup source
> +package) for details of the LUKS partition header format.
> +
> +In the LUKS partition header, the "payload-offset" field does not refer
> +to the offset of the QCow2 payload. Instead it simply refers to the
> +total required length of the LUKS header plus key material regions.
> +
> +In the LUKS key slots header, the "key-material-offset" is relative
> +to the start of the LUKS header clusters in the qcow2 container,
> +not the start of the qcow2 file.
> +
> +Logically the layout looks like
> +
> + +-----------------------------+
> + | QCow2 header |
> + +-----------------------------+
> + | QCow2 header extension X |
> + +-----------------------------+
> + | QCow2 header extension FDE |
> + +-----------------------------+
> + | QCow2 header extension ... |
> + +-----------------------------+
> + | QCow2 header extension Z |
> + +-----------------------------+
> + | ....other QCow2 tables.... |
> + . .
> + . .
> + +-----------------------------+
> + | +-------------------------+ |
> + | | LUKS partition header | |
> + | +-------------------------+ |
> + | | LUKS key material 1 | |
> + | +-------------------------+ |
> + | | LUKS key material 2 | |
> + | +-------------------------+ |
> + | | LUKS key material ... | |
> + | +-------------------------+ |
> + | | LUKS key material 8 | |
> + | +-------------------------+ |
> + +-----------------------------+
> + | QCow2 cluster payload |
> + . .
> + . .
> + . .
> + | |
> + +-----------------------------+
> +
> == Host cluster management ==
>
> qcow2 manages the allocation of host clusters by maintaining a reference count
> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index 200d907..40fe3ba 100644
> --- a/qapi/block-core.json
> +++ b/qapi/block-core.json
> @@ -1789,6 +1789,8 @@
> # @cache-clean-interval: #optional clean unused entries in the L2 and refcount
> # caches. The interval is in seconds. The default value
> # is 0 and it disables this feature (since 2.5)
> +# @key-id: #optional the ID of a QCryptoSecret object providing
> +# the decryption key (since 2.6)
> #
> # Since: 1.7
> ##
> @@ -1802,8 +1804,8 @@
> '*cache-size': 'int',
> '*l2-cache-size': 'int',
> '*refcount-cache-size': 'int',
> - '*cache-clean-interval': 'int' } }
> -
> + '*cache-clean-interval': 'int',
> + '*key-id': 'str' } }
>
> ##
> # @BlockdevOptionsArchipelago
> --
> 2.5.0
>
>
Kevin
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework Daniel P. Berrange
@ 2016-01-13 23:40 ` Eric Blake
2016-01-14 12:16 ` Daniel P. Berrange
0 siblings, 1 reply; 32+ messages in thread
From: Eric Blake @ 2016-01-13 23:40 UTC (permalink / raw)
To: Daniel P. Berrange, qemu-devel; +Cc: qemu-block
[-- Attachment #1: Type: text/plain, Size: 1903 bytes --]
On 01/12/2016 11:56 AM, Daniel P. Berrange wrote:
> Add a generic framework for support different block encryption
> formats. Upon instantiating a QCryptoBlock object, it will read
> the encryption header and extract the encryption keys. It is
> then possible to call methods to encrypt/decrypt data buffers.
>
> There is also a mode whereby it will create/initialize a new
> encryption header on a previously unformatted volume.
>
> The initial framework comes with support for the legacy QCow
> AES based encryption. This enables code in the QCow driver to
> be consolidated later.
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> +++ b/qapi/crypto.json
> @@ -94,3 +94,68 @@
> { 'enum': 'QCryptoIVGenAlgorithm',
> 'prefix': 'QCRYPTO_IVGEN_ALG',
> 'data': ['plain', 'plain64', 'essiv']}
> +
> +##
> +# QCryptoBlockFormat:
> +#
> +# The supported full disk encryption formats
> +#
> +# @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
> +#
Well, the only reason to use it would be to read data off an old
insecurely-encrypted qcow2 file; so maybe it should read "Do not use on
new files"
> +# Since: 2.6
> +##
> +{ 'enum': 'QCryptoBlockFormat',
> +# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
> + 'data': ['qcowaes']}
Would 'qcow-aes' be any easier to read?
> +
> +##
> +# QCryptoBlockOptionsBase:
> +#
> +# The common options that apply to all full disk
> +# encryption formats
> +#
> +# @format: the encryption format
> +#
> +# Since: 2.6
> +##
> +{ 'struct': 'QCryptoBlockOptionsBase',
> + 'data': { 'format': 'QCryptoBlockFormat' }}
My pending series to add anonymous flat union base types can simplify
this a bit; I've added it to my list of cleanups that are awaiting merge
of my code.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 06/15] crypto: implement the LUKS block encryption format
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 06/15] crypto: implement the LUKS block encryption format Daniel P. Berrange
@ 2016-01-13 23:43 ` Eric Blake
2016-01-14 10:14 ` Daniel P. Berrange
0 siblings, 1 reply; 32+ messages in thread
From: Eric Blake @ 2016-01-13 23:43 UTC (permalink / raw)
To: Daniel P. Berrange, qemu-devel; +Cc: qemu-block
[-- Attachment #1: Type: text/plain, Size: 2119 bytes --]
On 01/12/2016 11:56 AM, Daniel P. Berrange wrote:
> Provide a block encryption implementation that follows the
> LUKS/dm-crypt specification.
>
> This supports all combinations of hash, cipher algorithm,
> cipher mode and iv generator that are implemented by the
> current crypto layer.
>
> The notable missing feature is support for the 'xts'
> cipher mode, which is commonly used for disk encryption
> instead of 'cbc'. This is because it is not provided by
> either nettle or libgcrypt. A suitable implementation
> will be identified & integrated later.
>
> There is support for opening existing volumes formatted
> by dm-crypt, and for formatting new volumes. In the latter
> case it will only use key slot 0.
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
> +++ b/qapi/crypto.json
> @@ -101,12 +101,13 @@
> # The supported full disk encryption formats
> #
> # @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
> +# @luks: LUKS encryption format. Recommended
> #
> # Since: 2.6
> ##
> { 'enum': 'QCryptoBlockFormat',
> # 'prefix': 'QCRYPTO_BLOCK_FORMAT',
> - 'data': ['qcowaes']}
> + 'data': ['qcowaes', 'luks']}
>
> ##
> # QCryptoBlockOptionsBase:
> @@ -134,6 +135,39 @@
> 'data': { '*key-id': 'str' }}
>
> ##
> +# QCryptoBlockOptionsLUKS:
> +#
> +# The options that apply to LUKS encryption format
> +#
> +# @key-id: the ID of a QCryptoSecret object providing the decryption key
Is the key-id really optional? If so, missing the '#optional' tag.
> +# Since: 2.6
> +##
> +{ 'struct': 'QCryptoBlockOptionsLUKS',
> + 'data': { '*key-id': 'str' }}
> +
> +
> +##
> +# QCryptoBlockCreateOptionsLUKS:
> +#
> +# The options that apply to LUKS encryption format initialization
> +#
> +# @cipher-alg: (optional) the cipher algorithm for data encryption
Marc-Andre's pending patches to auto-generate docs from the .json files
want this to be s/(optional)/#optional/ (here and elsewhere).
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 08/15] block: add generic full disk encryption driver
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 08/15] block: add generic full disk encryption driver Daniel P. Berrange
@ 2016-01-13 23:47 ` Eric Blake
2016-01-14 10:15 ` Daniel P. Berrange
0 siblings, 1 reply; 32+ messages in thread
From: Eric Blake @ 2016-01-13 23:47 UTC (permalink / raw)
To: Daniel P. Berrange, qemu-devel; +Cc: qemu-block
[-- Attachment #1: Type: text/plain, Size: 1320 bytes --]
On 01/12/2016 11:56 AM, Daniel P. Berrange wrote:
> Add a block driver that is capable of supporting any full disk
> encryption format. This utilizes the previously added block
> encryption code, and at this time supports the LUKS format.
>
> The driver code is capable of supporting any format supported
> by the QCryptoBlock module, so it registers one block driver
> for each format.
>
> At this time, the "luks" driver is registered. New LUKS
> compatible volume can be formatted using qemu-img
>
> $ qemu-img create --object secret,data=123456,id=sec0 \
> -f luks -o key-id=sec0,cipher-alg=aes-256,\
> cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
> demo.luks 10G
>
> @@ -1664,6 +1664,21 @@
> 'data': { 'file': 'BlockdevRef' } }
>
> ##
> +# @BlockdevOptionsLUKS
> +#
> +# Driver specific block device options for LUKS.
> +#
> +# @key-id: #optional the ID of a QCryptoSecret object providing
> +# the decryption key (since 2.6)
> +#
> +# Since: 2.6
> +##
> +{ 'struct': 'BlockdevOptionsLUKS',
> + 'base': 'BlockdevOptionsGenericFormat',
> + 'data': { '*key-id': 'str' } }
And if key-id is omitted, how does it work?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 06/15] crypto: implement the LUKS block encryption format
2016-01-13 23:43 ` Eric Blake
@ 2016-01-14 10:14 ` Daniel P. Berrange
0 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-14 10:14 UTC (permalink / raw)
To: Eric Blake; +Cc: qemu-devel, qemu-block
On Wed, Jan 13, 2016 at 04:43:15PM -0700, Eric Blake wrote:
> On 01/12/2016 11:56 AM, Daniel P. Berrange wrote:
> > Provide a block encryption implementation that follows the
> > LUKS/dm-crypt specification.
> >
> > This supports all combinations of hash, cipher algorithm,
> > cipher mode and iv generator that are implemented by the
> > current crypto layer.
> >
> > The notable missing feature is support for the 'xts'
> > cipher mode, which is commonly used for disk encryption
> > instead of 'cbc'. This is because it is not provided by
> > either nettle or libgcrypt. A suitable implementation
> > will be identified & integrated later.
> >
> > There is support for opening existing volumes formatted
> > by dm-crypt, and for formatting new volumes. In the latter
> > case it will only use key slot 0.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
>
> > +++ b/qapi/crypto.json
> > @@ -101,12 +101,13 @@
> > # The supported full disk encryption formats
> > #
> > # @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
> > +# @luks: LUKS encryption format. Recommended
> > #
> > # Since: 2.6
> > ##
> > { 'enum': 'QCryptoBlockFormat',
> > # 'prefix': 'QCRYPTO_BLOCK_FORMAT',
> > - 'data': ['qcowaes']}
> > + 'data': ['qcowaes', 'luks']}
> >
> > ##
> > # QCryptoBlockOptionsBase:
> > @@ -134,6 +135,39 @@
> > 'data': { '*key-id': 'str' }}
> >
> > ##
> > +# QCryptoBlockOptionsLUKS:
> > +#
> > +# The options that apply to LUKS encryption format
> > +#
> > +# @key-id: the ID of a QCryptoSecret object providing the decryption key
>
> Is the key-id really optional? If so, missing the '#optional' tag.
Yes & no. It is not optional if you actually want to open the disk
and do I/O, but we want 'qemu-img info' to be able to report on data
when using the BDRV_O_NO_IO flag, so we have to declare it optional
to allow that to work. This is why we have an explicit check for
key_id being non-NULL in the code at time of use.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 08/15] block: add generic full disk encryption driver
2016-01-13 23:47 ` Eric Blake
@ 2016-01-14 10:15 ` Daniel P. Berrange
0 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-14 10:15 UTC (permalink / raw)
To: Eric Blake; +Cc: qemu-devel, qemu-block
On Wed, Jan 13, 2016 at 04:47:47PM -0700, Eric Blake wrote:
> On 01/12/2016 11:56 AM, Daniel P. Berrange wrote:
> > Add a block driver that is capable of supporting any full disk
> > encryption format. This utilizes the previously added block
> > encryption code, and at this time supports the LUKS format.
> >
> > The driver code is capable of supporting any format supported
> > by the QCryptoBlock module, so it registers one block driver
> > for each format.
> >
> > At this time, the "luks" driver is registered. New LUKS
> > compatible volume can be formatted using qemu-img
> >
> > $ qemu-img create --object secret,data=123456,id=sec0 \
> > -f luks -o key-id=sec0,cipher-alg=aes-256,\
> > cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
> > demo.luks 10G
> >
>
> > @@ -1664,6 +1664,21 @@
> > 'data': { 'file': 'BlockdevRef' } }
> >
> > ##
> > +# @BlockdevOptionsLUKS
> > +#
> > +# Driver specific block device options for LUKS.
> > +#
> > +# @key-id: #optional the ID of a QCryptoSecret object providing
> > +# the decryption key (since 2.6)
> > +#
> > +# Since: 2.6
> > +##
> > +{ 'struct': 'BlockdevOptionsLUKS',
> > + 'base': 'BlockdevOptionsGenericFormat',
> > + 'data': { '*key-id': 'str' } }
>
> And if key-id is omitted, how does it work?
You can only omit it if using BDRV_O_NO_IO, which is used by qemu-img info
to report info about the disk without needing to decrypt any payload.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption
2016-01-13 18:42 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
@ 2016-01-14 12:14 ` Daniel P. Berrange
2016-01-14 12:58 ` Kevin Wolf
0 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-14 12:14 UTC (permalink / raw)
To: Kevin Wolf; +Cc: qemu-devel, qemu-block
On Wed, Jan 13, 2016 at 07:42:20PM +0100, Kevin Wolf wrote:
> Am 12.01.2016 um 19:56 hat Daniel P. Berrange geschrieben:
> > This converts the qcow2 driver to make use of the QCryptoBlock
> > APIs for encrypting image content. As well as continued support
> > for the legacy QCow2 encryption format, the appealing benefit
> > is that it enables support for the LUKS format inside qcow2.
> >
> > With the LUKS format it is neccessary to store the LUKS
> > partition header and key material in the QCow2 file. This
> > data can be many MB in size, so cannot go into the QCow2
> > header region directly. Thus the spec is defines a FDE
> > (Full Disk Encryption) header extension that specifies
> > the offset of a set of clusters to hold the FDE headers,
> > as well as the length of that region. The LUKS header is
> > thus stored in these extra allocated clusters before the
> > main image payload.
> >
> > With this change it is now required to use the QCryptoSecret
> > object for providing passwords, instead of the current block
> > password APIs / interactive prompting.
> >
> > $QEMU \
> > -object secret,id=sec0,filename=/home/berrange/encrypted.pw \
> > -drive file=/home/berrange/encrypted.qcow2,key-id=sec0
> >
> > The new LUKS format is set as the new default format when
> > creating encrypted images. ie
> >
> > # qemu-img create --object secret,data=123456,id=sec0 \
> > -f qcow2 -o encryption,key-id=sec0 \
> > test.qcow2 10G
> >
> > Results in creation of an image using the LUKS format.
> >
> > For compatibility the old qcow2 AES format can still be used
> > via the 'encryption-format' parameter which accepts the
> > values 'luks' or 'qcowaes'.
> >
> > # qemu-img create --object secret,data=123456,id=sec0 \
> > -f qcow2 -o encryption,key-id=sec0,encryption-format=qcowaes \
> > test.qcow2 10G
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
>
> I think for your additional pointer to some clusters you need to change
> some function(s) called by qcow2_check_refcounts(). Otherwise 'qemu-img
> check' won't count the reference and helpfully free the "leaked"
> cluster.
Opps, yes, having those garbage collected would be a very bad
thing for your ability to decrypt your data :-)
> > @@ -60,6 +62,7 @@ typedef struct {
> > #define QCOW2_EXT_MAGIC_END 0
> > #define QCOW2_EXT_MAGIC_BACKING_FORMAT 0xE2792ACA
> > #define QCOW2_EXT_MAGIC_FEATURE_TABLE 0x6803f857
> > +#define QCOW2_EXT_MAGIC_FDE_HEADER 0x4c554b53
>
> General naming comment on this series: I would prefer avoiding "FDE" in
> favour of "encryption" or "crypt" in the block layer parts. With all
> image formats having their own terminology, "FDE" could mean anything.
Ok, will rename this - wasn't too happy with FDE myself either.
> > static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
> > {
> > @@ -74,6 +77,83 @@ static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
> > }
> >
> >
> > +static ssize_t qcow2_fde_header_read_func(QCryptoBlock *block,
> > + size_t offset,
> > + uint8_t *buf,
> > + size_t buflen,
> > + Error **errp,
> > + void *opaque)
> > +{
> > + BlockDriverState *bs = opaque;
> > + BDRVQcow2State *s = bs->opaque;
> > + ssize_t ret;
> > +
> > + if ((offset + buflen) > s->fde_header.length) {
> > + error_setg_errno(errp, EINVAL,
> > + "Request for data outside of extension header");
>
> error_setg_errno() with a constant errno doesn't look very useful.
> Better use plain error_setg() in such cases.
I wasn't too sure - I figured since the block layer seems to
propagate errno's around alot, that I ought to report an
errno here, but will happiyl drop it.
> > + return -1;
>
> Here returning -EINVAL could be useful, I'm not sure what your crypto
> API requires. At least you seem to be returning -errno below and mixing
> -1 and -errno is probably a bad idea.
The crypto API doesn't deal with errno's at all - it uses the
Error object exclusively, so yeah, I can drop it from the
place below.
>
> > + }
> > +
> > + ret = bdrv_pread(bs->file->bs,
> > + s->fde_header.offset + offset, buf, buflen);
> > + if (ret < 0) {
> > + error_setg_errno(errp, -ret, "Could not read encryption header");
> > + return ret;
> > + }
> > + return ret;
>
> return 0? You already processed ret in the if block and two 'return ret'
> in a row look odd.
>
> > +}
> > +
> > +
> > +static ssize_t qcow2_fde_header_init_func(QCryptoBlock *block,
> > + size_t headerlen,
> > + Error **errp,
> > + void *opaque)
> > +{
> > + BlockDriverState *bs = opaque;
> > + BDRVQcow2State *s = bs->opaque;
> > + int64_t ret;
> > +
> > + s->fde_header.length = headerlen + (headerlen % s->cluster_size);
> > +
> > + ret = qcow2_alloc_clusters(bs, s->fde_header.length);
> > + if (ret < 0) {
> > + s->fde_header.length = 0;
> > + error_setg(errp, "Cannot allocate cluster for LUKS header size %zu",
> > + headerlen);
>
> I think ret is -errno on failure, so use error_setg_errno()?
Ok.
>
> > + return -1;
> > + }
> > +
> > + s->fde_header.offset = ret;
> > + return 0;
> > +}
> > +
> > +
> > +static ssize_t qcow2_fde_header_write_func(QCryptoBlock *block,
> > + size_t offset,
> > + const uint8_t *buf,
> > + size_t buflen,
> > + Error **errp,
> > + void *opaque)
> > +{
> > + BlockDriverState *bs = opaque;
> > + BDRVQcow2State *s = bs->opaque;
> > + ssize_t ret;
> > +
> > + if ((offset + buflen) > s->fde_header.length) {
> > + error_setg_errno(errp, EINVAL,
> > + "Request for data outside of extension header");
>
> error_setg(). Probably worth checking all error paths whether there is a
> useful errno or not. I won't comment on additional instances.
>
> > + return -1;
> > + }
> > +
> > + ret = bdrv_pwrite(bs->file->bs, s->fde_header.offset + offset, buf, buflen);
> > + if (ret < 0) {
> > + error_setg_errno(errp, -ret, "Could not read encryption header");
> > + return ret;
> > + }
> > + return ret;
> > +}
>
> Mixing -1 and -errno again.
Will fix as per the read_func() above.
> > @@ -83,12 +163,14 @@ static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
> > */
> > static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
> > uint64_t end_offset, void **p_feature_table,
> > + int flags,
> > Error **errp)
> > {
> > BDRVQcow2State *s = bs->opaque;
> > QCowExtension ext;
> > uint64_t offset;
> > int ret;
> > + unsigned int cflags = 0;
>
> Should we create a block for QCOW2_EXT_MAGIC_FDE_HEADER and declare it
> there?
Yep, I can do that.
> > #ifdef DEBUG_EXT
> > printf("qcow2_read_extensions: start=%ld end=%ld\n", start_offset, end_offset);
> > @@ -159,6 +241,35 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
> > }
> > break;
> >
> > + case QCOW2_EXT_MAGIC_FDE_HEADER:
> > + if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
> > + error_setg(errp, "FDE header extension only "
> > + "expected with LUKS encryption method");
> > + return -EINVAL;
> > + }
> > + if (ext.len != sizeof(Qcow2FDEHeaderExtension)) {
> > + error_setg(errp, "LUKS header extension size %u, "
> > + "but expected size %zu", ext.len,
> > + sizeof(Qcow2FDEHeaderExtension));
> > + return -EINVAL;
> > + }
> > +
> > + ret = bdrv_pread(bs->file->bs, offset, &s->fde_header, ext.len);
>
> No error check?
>
> > + be64_to_cpu(s->fde_header.offset);
> > + be64_to_cpu(s->fde_header.length);
> > +
> > + if (flags & BDRV_O_NO_IO) {
> > + cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
> > + }
> > + s->fde = qcrypto_block_open(s->fde_opts,
> > + qcow2_fde_header_read_func,
> > + bs,
> > + cflags,
> > + errp);
>
> The surrounding code doesn't put every parameter on its own line if the
> next parameter can fit on the same line. There are more instances of
> this in the patch, I won't comment on each one.
Ok, that's just my habit from libvirt - where we either put everything
on one line, or everything on a separate line and don't mix.
> > @@ -2213,12 +2517,15 @@ static int qcow2_create2(const char *filename, int64_t total_size,
> > /*
> > * And now open the image and make it consistent first (i.e. increase the
> > * refcount of the cluster that is occupied by the header and the refcount
> > - * table)
> > + * table). Using BDRV_O_NO_IO since we've not written any encryption
> > + * header yet and thus should not read/write payload data or initialize
> > + * the decryption context
> > */
> > options = qdict_new();
> > qdict_put(options, "driver", qstring_from_str("qcow2"));
> > ret = bdrv_open(&bs, filename, NULL, options,
> > - BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH,
> > + BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH |
> > + BDRV_O_NO_IO,
> > &local_err);
>
> Somehow I feel that saying BDRV_O_NO_IO, but doing I/O will bite us
> sooner or later.
Indeed, once I add the assertions you suggested in the previous
patch this will probably break horribly.
> Why not leave header->crypt_method = 0 initially and only set up
> encryption after opening the image with the qcow2 driver?
Oh yes, good idea.
> > diff --git a/block/qcow2.h b/block/qcow2.h
> > index ae04285..d33afb2 100644
> > --- a/block/qcow2.h
> > +++ b/block/qcow2.h
> > @@ -25,7 +25,7 @@
> > #ifndef BLOCK_QCOW2_H
> > #define BLOCK_QCOW2_H
> >
> > -#include "crypto/cipher.h"
> > +#include "crypto/block.h"
> > #include "qemu/coroutine.h"
> >
> > //#define DEBUG_ALLOC
> > @@ -36,6 +36,7 @@
> >
> > #define QCOW_CRYPT_NONE 0
> > #define QCOW_CRYPT_AES 1
> > +#define QCOW_CRYPT_LUKS 2
> >
> > #define QCOW_MAX_CRYPT_CLUSTERS 32
> > #define QCOW_MAX_SNAPSHOTS 65536
> > @@ -98,6 +99,15 @@
> > #define QCOW2_OPT_REFCOUNT_CACHE_SIZE "refcount-cache-size"
> > #define QCOW2_OPT_CACHE_CLEAN_INTERVAL "cache-clean-interval"
> >
> > +#define QCOW2_OPT_ENC_FORMAT "encryption-format"
> > +#define QCOW2_OPT_KEY_ID "key-id"
> > +#define QCOW2_OPT_CIPHER_ALG "cipher-alg"
> > +#define QCOW2_OPT_CIPHER_MODE "cipher-mode"
> > +#define QCOW2_OPT_IVGEN_ALG "ivgen-alg"
> > +#define QCOW2_OPT_IVGEN_HASH_ALG "ivgen-hash-alg"
> > +#define QCOW2_OPT_HASH_ALG "hash-alg"
> > +
> > +
> > typedef struct QCowHeader {
> > uint32_t magic;
> > uint32_t version;
> > @@ -163,6 +173,11 @@ typedef struct QCowSnapshot {
> > struct Qcow2Cache;
> > typedef struct Qcow2Cache Qcow2Cache;
> >
> > +typedef struct Qcow2FDEHeaderExtension {
> > + uint64_t offset;
> > + uint64_t length;
> > +} Qcow2FDEHeaderExtension;
>
> Packed? It seems to be read directly from the file.
Yes
> > @@ -166,6 +168,75 @@ the header extension data. Each entry look like this:
> > terminated if it has full length)
> >
> >
> > +== Full disk encryption (FDE) header pointer ==
> > +
> > +For 'crypt_method' header values which require additional header metadata
> > +to be stored (eg 'LUKS' header), the full disk encryption header pointer
> > +extension is mandatory.
>
> I think you want to make that "is present if, and only if, the
> 'crypt_method' header value requires metadata".
>
> At least, we need to forbid it for the existing AES images, because old
> qemu-img version would stll fix the "leaked clusters", without removing
> the header extension that refers to them.
Yes, we shouldn't be using the header with the AES crypt method,
only the LUKS method for now.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework
2016-01-13 23:40 ` Eric Blake
@ 2016-01-14 12:16 ` Daniel P. Berrange
2016-01-18 19:48 ` Eric Blake
0 siblings, 1 reply; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-14 12:16 UTC (permalink / raw)
To: Eric Blake; +Cc: qemu-devel, qemu-block
On Wed, Jan 13, 2016 at 04:40:31PM -0700, Eric Blake wrote:
> On 01/12/2016 11:56 AM, Daniel P. Berrange wrote:
> > Add a generic framework for support different block encryption
> > formats. Upon instantiating a QCryptoBlock object, it will read
> > the encryption header and extract the encryption keys. It is
> > then possible to call methods to encrypt/decrypt data buffers.
> >
> > There is also a mode whereby it will create/initialize a new
> > encryption header on a previously unformatted volume.
> >
> > The initial framework comes with support for the legacy QCow
> > AES based encryption. This enables code in the QCow driver to
> > be consolidated later.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
>
> > +++ b/qapi/crypto.json
> > @@ -94,3 +94,68 @@
> > { 'enum': 'QCryptoIVGenAlgorithm',
> > 'prefix': 'QCRYPTO_IVGEN_ALG',
> > 'data': ['plain', 'plain64', 'essiv']}
> > +
> > +##
> > +# QCryptoBlockFormat:
> > +#
> > +# The supported full disk encryption formats
> > +#
> > +# @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
> > +#
>
> Well, the only reason to use it would be to read data off an old
> insecurely-encrypted qcow2 file; so maybe it should read "Do not use on
> new files"
Yep
> > +# Since: 2.6
> > +##
> > +{ 'enum': 'QCryptoBlockFormat',
> > +# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
> > + 'data': ['qcowaes']}
>
> Would 'qcow-aes' be any easier to read?
Or just shorten to 'qcow' perhaps ?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 02/15] crypto: add support for PBKDF2 algorithm
2016-01-13 5:53 ` Fam Zheng
@ 2016-01-14 12:17 ` Daniel P. Berrange
0 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-14 12:17 UTC (permalink / raw)
To: Fam Zheng; +Cc: qemu-devel, qemu-block
On Wed, Jan 13, 2016 at 01:53:27PM +0800, Fam Zheng wrote:
> On Tue, 01/12 18:56, Daniel P. Berrange wrote:
> > +#if defined CONFIG_NETTLE
> > +#include "crypto/pbkdf-nettle.c"
> > +#elif defined CONFIG_GCRYPT
> > +#include "crypto/pbkdf-gcrypt.c"
> > +#else /* ! CONFIG_GCRYPT */
> > +#include "crypto/pbkdf-stub.c"
> > +#endif /* ! CONFIG_GCRYPT */
>
> I think the convention in QEMU is in crypto/Makefile.objs:
>
> crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
> crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
Ok, that's fine.
> And move pbkdf-stub.c to stub/pbkdf.c.
I'd rather key the source in the crypto/ directory since it matches
up with MAINTAINER file rules. I can still add it to stub-obj-y in
the makefile though, so that has same end effect on the build.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [Qemu-block] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption
2016-01-14 12:14 ` Daniel P. Berrange
@ 2016-01-14 12:58 ` Kevin Wolf
0 siblings, 0 replies; 32+ messages in thread
From: Kevin Wolf @ 2016-01-14 12:58 UTC (permalink / raw)
To: Daniel P. Berrange; +Cc: qemu-devel, qemu-block
Am 14.01.2016 um 13:14 hat Daniel P. Berrange geschrieben:
> On Wed, Jan 13, 2016 at 07:42:20PM +0100, Kevin Wolf wrote:
> > Am 12.01.2016 um 19:56 hat Daniel P. Berrange geschrieben:
> > > +static ssize_t qcow2_fde_header_read_func(QCryptoBlock *block,
> > > + size_t offset,
> > > + uint8_t *buf,
> > > + size_t buflen,
> > > + Error **errp,
> > > + void *opaque)
> > > +{
> > > + BlockDriverState *bs = opaque;
> > > + BDRVQcow2State *s = bs->opaque;
> > > + ssize_t ret;
> > > +
> > > + if ((offset + buflen) > s->fde_header.length) {
> > > + error_setg_errno(errp, EINVAL,
> > > + "Request for data outside of extension header");
> >
> > error_setg_errno() with a constant errno doesn't look very useful.
> > Better use plain error_setg() in such cases.
>
> I wasn't too sure - I figured since the block layer seems to
> propagate errno's around alot, that I ought to report an
> errno here, but will happiyl drop it.
error_setg_errno() doesn't keep the error code around for the callers to
inspect, but just adds the error string to the message. And you already
have a much more useful error message than "Invalid argument".
> > > + return -1;
> >
> > Here returning -EINVAL could be useful, I'm not sure what your crypto
> > API requires. At least you seem to be returning -errno below and mixing
> > -1 and -errno is probably a bad idea.
>
> The crypto API doesn't deal with errno's at all - it uses the
> Error object exclusively, so yeah, I can drop it from the
> place below.
Then you could probably just make the function void. I genereally prefer
to use only one mechanism to return errors instead of both an int return
value and an Error** argument, but there are many places in qemu which
use both. So whatever feels right to you.
Kevin
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework
2016-01-14 12:16 ` Daniel P. Berrange
@ 2016-01-18 19:48 ` Eric Blake
2016-01-19 9:41 ` Daniel P. Berrange
0 siblings, 1 reply; 32+ messages in thread
From: Eric Blake @ 2016-01-18 19:48 UTC (permalink / raw)
To: Daniel P. Berrange; +Cc: qemu-devel, qemu-block
[-- Attachment #1: Type: text/plain, Size: 784 bytes --]
On 01/14/2016 05:16 AM, Daniel P. Berrange wrote:
>>> +# @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
>>> +#
>>
>> Well, the only reason to use it would be to read data off an old
>> insecurely-encrypted qcow2 file; so maybe it should read "Do not use on
>> new files"
>
> Yep
>
>>> +# Since: 2.6
>>> +##
>>> +{ 'enum': 'QCryptoBlockFormat',
>>> +# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
>>> + 'data': ['qcowaes']}
>>
>> Would 'qcow-aes' be any easier to read?
>
> Or just shorten to 'qcow' perhaps ?
Or maybe 'old-qcow' to emphasize that it is old? At this point, we're
painting the bikeshed, so I'll live with whatever you like.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework
2016-01-18 19:48 ` Eric Blake
@ 2016-01-19 9:41 ` Daniel P. Berrange
0 siblings, 0 replies; 32+ messages in thread
From: Daniel P. Berrange @ 2016-01-19 9:41 UTC (permalink / raw)
To: Eric Blake; +Cc: qemu-devel, qemu-block
On Mon, Jan 18, 2016 at 12:48:56PM -0700, Eric Blake wrote:
> On 01/14/2016 05:16 AM, Daniel P. Berrange wrote:
>
> >>> +# @qcowaes: QCow/QCow2 built-in AES-CBC encryption. Do not use
> >>> +#
> >>
> >> Well, the only reason to use it would be to read data off an old
> >> insecurely-encrypted qcow2 file; so maybe it should read "Do not use on
> >> new files"
> >
> > Yep
> >
> >>> +# Since: 2.6
> >>> +##
> >>> +{ 'enum': 'QCryptoBlockFormat',
> >>> +# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
> >>> + 'data': ['qcowaes']}
> >>
> >> Would 'qcow-aes' be any easier to read?
> >
> > Or just shorten to 'qcow' perhaps ?
>
> Or maybe 'old-qcow' to emphasize that it is old? At this point, we're
> painting the bikeshed, so I'll live with whatever you like.
I've gone for just 'qcow', since that's also what libvirt calls it,
and it avoids a need for further debate as to whether to hyphenate
the two words or underscore or neither ;-P
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
^ permalink raw reply [flat|nested] 32+ messages in thread
end of thread, other threads:[~2016-01-19 9:41 UTC | newest]
Thread overview: 32+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-12 18:56 [Qemu-devel] [PATCH v1 00/15] Support LUKS encryption in block devices Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 01/15] crypto: add cryptographic random byte source Daniel P. Berrange
2016-01-13 2:46 ` Fam Zheng
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 02/15] crypto: add support for PBKDF2 algorithm Daniel P. Berrange
2016-01-13 5:53 ` Fam Zheng
2016-01-14 12:17 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 03/15] crypto: add support for generating initialization vectors Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 04/15] crypto: add support for anti-forensic split algorithm Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 05/15] crypto: add block encryption framework Daniel P. Berrange
2016-01-13 23:40 ` Eric Blake
2016-01-14 12:16 ` Daniel P. Berrange
2016-01-18 19:48 ` Eric Blake
2016-01-19 9:41 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 06/15] crypto: implement the LUKS block encryption format Daniel P. Berrange
2016-01-13 23:43 ` Eric Blake
2016-01-14 10:14 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 07/15] block: add flag to indicate that no I/O will be performed Daniel P. Berrange
2016-01-13 17:44 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
2016-01-13 17:56 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 08/15] block: add generic full disk encryption driver Daniel P. Berrange
2016-01-13 23:47 ` Eric Blake
2016-01-14 10:15 ` Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 09/15] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 10/15] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2016-01-13 18:42 ` [Qemu-devel] [Qemu-block] " Kevin Wolf
2016-01-14 12:14 ` Daniel P. Berrange
2016-01-14 12:58 ` Kevin Wolf
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 11/15] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 12/15] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 13/15] block: rip out all traces of password prompting Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 14/15] block: remove all encryption handling APIs Daniel P. Berrange
2016-01-12 18:56 ` [Qemu-devel] [PATCH v1 15/15] block: remove support for legecy AES qcow/qcow2 encryption Daniel P. Berrange
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.