lib/utils_wipe.c

   1 /*
   2  * utils_wipe - wipe a device
   3  *
   4  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
   5  * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
   6  * Copyright (C) 2009-2023 Milan Broz
   7  *
   8  * This program is free software; you can redistribute it and/or
   9  * modify it under the terms of the GNU General Public License
  10  * as published by the Free Software Foundation; either version 2
  11  * of the License, or (at your option) any later version.
  12  *
  13  * This program is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License
  19  * along with this program; if not, write to the Free Software
  20  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22
  23 #include <stdlib.h>
  24 #include <errno.h>
  25 #include <sys/ioctl.h>
  26 #include <sys/stat.h>
  27 #include <linux/fs.h>
  28 #include "internal.h"
  29
  30 /* block device zeroout ioctls, introduced in Linux kernel 3.7 */
  31 #ifndef BLKZEROOUT
  32 #define BLKZEROOUT _IO(0x12,127)
  33 #endif
  34
  35 static int wipe_zeroout(struct crypt_device *cd, int devfd,
  36                         uint64_t offset, uint64_t length)
  37 {
  38         static bool zeroout_available = true;
  39         uint64_t range[2] = { offset, length };
  40         int r;
  41
  42         if (!zeroout_available)
  43                 return -ENOTSUP;
  44
  45         r = ioctl(devfd, BLKZEROOUT, &range);
  46         if (r < 0) {
  47                 log_dbg(cd, "BLKZEROOUT ioctl not available (error %i), disabling.", r);
  48                 zeroout_available = false;
  49                 return -ENOTSUP;
  50         }
  51
  52         return 0;
  53 }
  54
  55 /*
  56  * Wipe using Peter Gutmann method described in
  57  * https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
  58  * Note: used only for rotational device (and even there it is not needed today...)
  59  */
  60 static void wipeSpecial(char *buffer, size_t buffer_size, unsigned int turn)
  61 {
  62         unsigned int i;
  63
  64         unsigned char write_modes[][3] = {
  65                 {"\x55\x55\x55"}, {"\xaa\xaa\xaa"}, {"\x92\x49\x24"},
  66                 {"\x49\x24\x92"}, {"\x24\x92\x49"}, {"\x00\x00\x00"},
  67                 {"\x11\x11\x11"}, {"\x22\x22\x22"}, {"\x33\x33\x33"},
  68                 {"\x44\x44\x44"}, {"\x55\x55\x55"}, {"\x66\x66\x66"},
  69                 {"\x77\x77\x77"}, {"\x88\x88\x88"}, {"\x99\x99\x99"},
  70                 {"\xaa\xaa\xaa"}, {"\xbb\xbb\xbb"}, {"\xcc\xcc\xcc"},
  71                 {"\xdd\xdd\xdd"}, {"\xee\xee\xee"}, {"\xff\xff\xff"},
  72                 {"\x92\x49\x24"}, {"\x49\x24\x92"}, {"\x24\x92\x49"},
  73                 {"\x6d\xb6\xdb"}, {"\xb6\xdb\x6d"}, {"\xdb\x6d\xb6"}
  74         };
  75
  76         for (i = 0; i < buffer_size / 3; ++i) {
  77                 memcpy(buffer, write_modes[turn], 3);
  78                 buffer += 3;
  79         }
  80 }
  81
  82 static int crypt_wipe_special(struct crypt_device *cd, int fd, size_t bsize,
  83                               size_t alignment, char *buffer,
  84                               uint64_t offset, size_t size)
  85 {
  86         int r = 0;
  87         unsigned int i;
  88         ssize_t written;
  89
  90         for (i = 0; i < 39; ++i) {
  91                 if (i <  5) {
  92                         r = crypt_random_get(cd, buffer, size, CRYPT_RND_NORMAL);
  93                 } else if (i >=  5 && i < 32) {
  94                         wipeSpecial(buffer, size, i - 5);
  95                         r = 0;
  96                 } else if (i >= 32 && i < 38) {
  97                         r = crypt_random_get(cd, buffer, size, CRYPT_RND_NORMAL);
  98                 } else if (i >= 38 && i < 39) {
  99                         memset(buffer, 0xFF, size);
 100                         r = 0;
 101                 }
 102                 if (r < 0)
 103                         return -EIO;
 104
 105                 written = write_lseek_blockwise(fd, bsize, alignment,
 106                                                 buffer, size, offset);
 107                 if (written < 0 || written != (ssize_t)size)
 108                         return -EIO;
 109         }
 110
 111         /* Rewrite it finally with random */
 112         if (crypt_random_get(cd, buffer, size, CRYPT_RND_NORMAL) < 0)
 113                 return -EIO;
 114
 115         written = write_lseek_blockwise(fd, bsize, alignment, buffer, size, offset);
 116         if (written < 0 || written != (ssize_t)size)
 117                 return -EIO;
 118
 119         return 0;
 120 }
 121
 122 static int wipe_block(struct crypt_device *cd, int devfd, crypt_wipe_pattern pattern,
 123                       char *sf, size_t device_block_size, size_t alignment,
 124                       size_t wipe_block_size, uint64_t offset, bool *need_block_init,
 125                       bool blockdev)
 126 {
 127         int r;
 128
 129         if (pattern == CRYPT_WIPE_SPECIAL)
 130                 return crypt_wipe_special(cd, devfd, device_block_size, alignment,
 131                                           sf, offset, wipe_block_size);
 132
 133         if (*need_block_init) {
 134                 if (pattern == CRYPT_WIPE_ZERO) {
 135                         memset(sf, 0, wipe_block_size);
 136                         *need_block_init = false;
 137                         r = 0;
 138                 } else if (pattern == CRYPT_WIPE_RANDOM ||
 139                            pattern == CRYPT_WIPE_ENCRYPTED_ZERO) {
 140                         r = crypt_random_get(cd, sf, wipe_block_size,
 141                                              CRYPT_RND_NORMAL) ? -EIO : 0;
 142                         *need_block_init = true;
 143                 } else
 144                         r = -EINVAL;
 145
 146                 if (r)
 147                         return r;
 148         }
 149
 150         if (blockdev && pattern == CRYPT_WIPE_ZERO &&
 151             !wipe_zeroout(cd, devfd, offset, wipe_block_size)) {
 152                 /* zeroout ioctl does not move offset */
 153                 if (lseek(devfd, offset + wipe_block_size, SEEK_SET) < 0) {
 154                         log_err(cd, _("Cannot seek to device offset."));
 155                         return -EINVAL;
 156                 }
 157                 return 0;
 158         }
 159
 160         if (write_blockwise(devfd, device_block_size, alignment, sf,
 161                             wipe_block_size) == (ssize_t)wipe_block_size)
 162                 return 0;
 163
 164         return -EIO;
 165 }
 166
 167 int crypt_wipe_device(struct crypt_device *cd,
 168         struct device *device,
 169         crypt_wipe_pattern pattern,
 170         uint64_t offset,
 171         uint64_t length,
 172         size_t wipe_block_size,
 173         int (*progress)(uint64_t size, uint64_t offset, void *usrptr),
 174         void *usrptr)
 175 {
 176         int r, devfd;
 177         struct stat st;
 178         size_t bsize, alignment;
 179         char *sf = NULL;
 180         uint64_t dev_size;
 181         bool need_block_init = true;
 182
 183         /* Note: LUKS1 calls it with wipe_block not aligned to multiple of bsize */
 184         bsize = device_block_size(cd, device);
 185         alignment = device_alignment(device);
 186         if (!bsize || !alignment || !wipe_block_size)
 187                 return -EINVAL;
 188
 189         /* if wipe_block_size < bsize, then a wipe is highly ineffective */
 190
 191         /* Everything must be aligned to SECTOR_SIZE */
 192         if (MISALIGNED_512(offset) || MISALIGNED_512(length) || MISALIGNED_512(wipe_block_size))
 193                 return -EINVAL;
 194
 195         if (device_is_locked(device))
 196                 devfd = device_open_locked(cd, device, O_RDWR);
 197         else
 198                 devfd = device_open(cd, device, O_RDWR);
 199         if (devfd < 0)
 200                 return errno ? -errno : -EINVAL;
 201
 202         if (fstat(devfd, &st) < 0) {
 203                 r = -EINVAL;
 204                 goto out;
 205         }
 206
 207         if (length)
 208                 dev_size = offset + length;
 209         else {
 210                 r = device_size(device, &dev_size);
 211                 if (r)
 212                         goto out;
 213
 214                 if (dev_size <= offset) {
 215                         r = -EINVAL;
 216                         goto out;
 217                 }
 218         }
 219
 220         r = posix_memalign((void **)&sf, alignment, wipe_block_size);
 221         if (r)
 222                 goto out;
 223
 224         if (lseek(devfd, offset, SEEK_SET) < 0) {
 225                 log_err(cd, _("Cannot seek to device offset."));
 226                 r = -EINVAL;
 227                 goto out;
 228         }
 229
 230         if (progress && progress(dev_size, offset, usrptr)) {
 231                 r = -EINVAL; /* No change yet, treat this as a parameter error */
 232                 goto out;
 233         }
 234
 235         if (pattern == CRYPT_WIPE_SPECIAL && !device_is_rotational(device)) {
 236                 log_dbg(cd, "Non-rotational device, using random data wipe mode.");
 237                 pattern = CRYPT_WIPE_RANDOM;
 238         }
 239
 240         while (offset < dev_size) {
 241                 if ((offset + wipe_block_size) > dev_size)
 242                         wipe_block_size = dev_size - offset;
 243
 244                 r = wipe_block(cd, devfd, pattern, sf, bsize, alignment,
 245                                wipe_block_size, offset, &need_block_init, S_ISBLK(st.st_mode));
 246                 if (r) {
 247                         log_err(cd,_("Device wipe error, offset %" PRIu64 "."), offset);
 248                         break;
 249                 }
 250
 251                 offset += wipe_block_size;
 252
 253                 if (progress && progress(dev_size, offset, usrptr)) {
 254                         r = -EINTR;
 255                         break;
 256                 }
 257         }
 258
 259         device_sync(cd, device);
 260 out:
 261         free(sf);
 262         return r;
 263 }
 264
 265 int crypt_wipe(struct crypt_device *cd,
 266         const char *dev_path,
 267         crypt_wipe_pattern pattern,
 268         uint64_t offset,
 269         uint64_t length,
 270         size_t wipe_block_size,
 271         uint32_t flags,
 272         int (*progress)(uint64_t size, uint64_t offset, void *usrptr),
 273         void *usrptr)
 274 {
 275         struct device *device;
 276         int r;
 277
 278         if (!cd)
 279                 return -EINVAL;
 280
 281         r = init_crypto(cd);
 282         if (r < 0)
 283                 return r;
 284
 285         if (!dev_path)
 286                 device = crypt_data_device(cd);
 287         else {
 288                 r = device_alloc_no_check(&device, dev_path);
 289                 if (r < 0)
 290                         return r;
 291
 292                 if (flags & CRYPT_WIPE_NO_DIRECT_IO)
 293                         device_disable_direct_io(device);
 294         }
 295         if (!device)
 296                 return -EINVAL;
 297
 298         if (!wipe_block_size)
 299                 wipe_block_size = 1024*1024;
 300
 301         log_dbg(cd, "Wipe [%u] device %s, offset %" PRIu64 ", length %" PRIu64 ", block %zu.",
 302                 (unsigned)pattern, device_path(device), offset, length, wipe_block_size);
 303
 304         r = crypt_wipe_device(cd, device, pattern, offset, length,
 305                               wipe_block_size, progress, usrptr);
 306
 307         if (dev_path)
 308                 device_free(cd, device);
 309
 310         return r;
 311 }