2 * LUKS - Linux Unified Key Setup
4 * Copyright (C) 2004-2006 Clemens Fruhwirth <clemens@endorphin.org>
5 * Copyright (C) 2009-2020 Red Hat, Inc. All rights reserved.
6 * Copyright (C) 2012-2020 Milan Broz
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 static void _error_hint(struct crypt_device *ctx, const char *device,
32 const char *cipher, const char *mode, size_t keyLength)
34 char *c, cipher_spec[MAX_CIPHER_LEN * 3];
36 if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, mode) < 0)
39 log_err(ctx, _("Failed to setup dm-crypt key mapping for device %s.\n"
40 "Check that kernel supports %s cipher (check syslog for more info)."),
43 if (!strncmp(mode, "xts", 3) && (keyLength != 256 && keyLength != 512))
44 log_err(ctx, _("Key size in XTS mode must be 256 or 512 bits."));
45 else if (!(c = strchr(mode, '-')) || strlen(c) < 4)
46 log_err(ctx, _("Cipher specification should be in [cipher]-[mode]-[iv] format."));
49 static int LUKS_endec_template(char *src, size_t srcLength,
50 const char *cipher, const char *cipher_mode,
51 struct volume_key *vk,
53 ssize_t (*func)(int, size_t, size_t, void *, size_t),
55 struct crypt_device *ctx)
57 char name[PATH_MAX], path[PATH_MAX];
58 char cipher_spec[MAX_CIPHER_LEN * 3];
59 struct crypt_dm_active_device dmd = {
60 .flags = CRYPT_ACTIVATE_PRIVATE,
62 int r, devfd = -1, remove_dev = 0;
63 size_t bsize, keyslot_alignment, alignment;
65 log_dbg(ctx, "Using dmcrypt to access keyslot area.");
67 bsize = device_block_size(ctx, crypt_metadata_device(ctx));
68 alignment = device_alignment(crypt_metadata_device(ctx));
69 if (!bsize || !alignment)
72 if (bsize > LUKS_ALIGN_KEYSLOTS)
73 keyslot_alignment = LUKS_ALIGN_KEYSLOTS;
75 keyslot_alignment = bsize;
76 dmd.size = size_round_up(srcLength, keyslot_alignment) / SECTOR_SIZE;
79 dmd.flags |= CRYPT_ACTIVATE_READONLY;
81 if (snprintf(name, sizeof(name), "temporary-cryptsetup-%d", getpid()) < 0)
83 if (snprintf(path, sizeof(path), "%s/%s", dm_get_dir(), name) < 0)
85 if (snprintf(cipher_spec, sizeof(cipher_spec), "%s-%s", cipher, cipher_mode) < 0)
88 r = device_block_adjust(ctx, crypt_metadata_device(ctx), DEV_OK,
89 sector, &dmd.size, &dmd.flags);
91 log_err(ctx, _("Device %s does not exist or access denied."),
92 device_path(crypt_metadata_device(ctx)));
96 if (mode != O_RDONLY && dmd.flags & CRYPT_ACTIVATE_READONLY) {
97 log_err(ctx, _("Cannot write to device %s, permission denied."),
98 device_path(crypt_metadata_device(ctx)));
102 r = dm_crypt_target_set(&dmd.segment, 0, dmd.size,
103 crypt_metadata_device(ctx), vk, cipher_spec, 0, sector,
104 NULL, 0, SECTOR_SIZE);
108 r = dm_create_device(ctx, name, "TEMP", &dmd);
110 if (r != -EACCES && r != -ENOTSUP)
111 _error_hint(ctx, device_path(crypt_metadata_device(ctx)),
112 cipher, cipher_mode, vk->keylength * 8);
118 devfd = open(path, mode | O_DIRECT | O_SYNC);
120 log_err(ctx, _("Failed to open temporary keystore device."));
125 r = func(devfd, bsize, alignment, src, srcLength);
127 log_err(ctx, _("Failed to access temporary keystore device."));
132 dm_targets_free(ctx, &dmd);
136 dm_remove_device(ctx, name, CRYPT_DEACTIVATE_FORCE);
140 int LUKS_encrypt_to_storage(char *src, size_t srcLength,
142 const char *cipher_mode,
143 struct volume_key *vk,
145 struct crypt_device *ctx)
147 struct device *device = crypt_metadata_device(ctx);
148 struct crypt_storage *s;
151 /* Only whole sector writes supported */
152 if (MISALIGNED_512(srcLength))
156 r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength);
159 log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).",
160 cipher, cipher_mode, r);
162 /* Fallback to old temporary dmcrypt device */
163 if (r == -ENOTSUP || r == -ENOENT)
164 return LUKS_endec_template(src, srcLength, cipher, cipher_mode,
165 vk, sector, write_blockwise, O_RDWR, ctx);
168 _error_hint(ctx, device_path(device), cipher, cipher_mode,
173 log_dbg(ctx, "Using userspace crypto wrapper to access keyslot area.");
175 r = crypt_storage_encrypt(s, 0, srcLength, src);
176 crypt_storage_destroy(s);
183 /* Write buffer to device */
184 if (device_is_locked(device))
185 devfd = device_open_locked(ctx, device, O_RDWR);
187 devfd = device_open(ctx, device, O_RDWR);
191 if (write_lseek_blockwise(devfd, device_block_size(ctx, device),
192 device_alignment(device), src, srcLength,
193 sector * SECTOR_SIZE) < 0)
198 device_sync(ctx, device);
200 log_err(ctx, _("IO error while encrypting keyslot."));
205 int LUKS_decrypt_from_storage(char *dst, size_t dstLength,
207 const char *cipher_mode,
208 struct volume_key *vk,
210 struct crypt_device *ctx)
212 struct device *device = crypt_metadata_device(ctx);
213 struct crypt_storage *s;
217 /* Only whole sector reads supported */
218 if (MISALIGNED_512(dstLength))
221 r = crypt_storage_init(&s, SECTOR_SIZE, cipher, cipher_mode, vk->key, vk->keylength);
224 log_dbg(ctx, "Userspace crypto wrapper cannot use %s-%s (%d).",
225 cipher, cipher_mode, r);
227 /* Fallback to old temporary dmcrypt device */
228 if (r == -ENOTSUP || r == -ENOENT)
229 return LUKS_endec_template(dst, dstLength, cipher, cipher_mode,
230 vk, sector, read_blockwise, O_RDONLY, ctx);
233 _error_hint(ctx, device_path(device), cipher, cipher_mode,
238 log_dbg(ctx, "Using userspace crypto wrapper to access keyslot area.");
240 /* Read buffer from device */
241 if (device_is_locked(device))
242 devfd = device_open_locked(ctx, device, O_RDONLY);
244 devfd = device_open(ctx, device, O_RDONLY);
246 log_err(ctx, _("Cannot open device %s."), device_path(device));
247 crypt_storage_destroy(s);
251 if (read_lseek_blockwise(devfd, device_block_size(ctx, device),
252 device_alignment(device), dst, dstLength,
253 sector * SECTOR_SIZE) < 0) {
254 if (!fstat(devfd, &st) && (st.st_size < (off_t)dstLength))
255 log_err(ctx, _("Device %s is too small."), device_path(device));
257 log_err(ctx, _("IO error while decrypting keyslot."));
259 crypt_storage_destroy(s);
264 r = crypt_storage_decrypt(s, 0, dstLength, dst);
265 crypt_storage_destroy(s);