* - with direct-io reads old device and copy to new device in defined steps
* - keps simple off in file (allows restart)
* - there is several windows when corruption can happen
+ *
+ * null target
+ * dmsetup create x --table "0 $(blockdev --getsz DEV) crypt cipher_null-ecb-null - 0 DEV 0"
*/
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
+#include <sys/time.h>
#include <linux/fs.h>
#include <fcntl.h>
#include <limits.h>
static int opt_version_mode = 0;
static int opt_random = 0;
static int opt_urandom = 0;
+static int opt_bsize = 4;
+static int opt_new = 0;
+static int opt_directio = 0;
+static int opt_write_log = 0;
+static const char *opt_new_file = NULL;
static const char **action_argv;
sigset_t signals_open;
char *device_uuid;
uint64_t device_size;
uint64_t device_offset;
+ uint64_t device_shift;
int in_progress:1;
+ enum { FORWARD = 0, BACKWARD = 1 } reencrypt_direction;
char header_file_org[PATH_MAX];
char header_file_new[PATH_MAX];
char *password;
size_t passwordLen;
int keyslot;
+
+ struct timeval start_time, end_time;
} rnc;
char MAGIC[] = {'L','U','K','S', 0xba, 0xbe};
_log(level, msg, usrptr);
}
+/* The difference in seconds between two times in "timeval" format. */
+double time_diff(struct timeval start, struct timeval end)
+{
+ return (end.tv_sec - start.tv_sec)
+ + (end.tv_usec - start.tv_usec) / 1E6;
+}
+
static int alignment(int fd)
{
int alignment;
static int write_log(void)
{
static char buf[512];
+ ssize_t r;
//log_dbg("Updating LUKS reencryption log offset %" PRIu64 ".", offset);
memset(buf, 0, sizeof(buf));
snprintf(buf, sizeof(buf), "# LUKS reencryption log, DO NOT EDIT OR DELETE.\n"
- "version = %d\nUUID = %s\noffset = %" PRIu64 "\n# EOF\n",
- 1, rnc.device_uuid, rnc.device_offset);
+ "version = %d\nUUID = %s\ndirection = %d\n"
+ "offset = %" PRIu64 "\nshift = %" PRIu64 "\n# EOF\n",
+ 1, rnc.device_uuid, rnc.reencrypt_direction,
+ rnc.device_offset, rnc.device_shift);
lseek(rnc.log_fd, 0, SEEK_SET);
- write(rnc.log_fd, buf, sizeof(buf));
+ r = write(rnc.log_fd, buf, sizeof(buf));
+ if (r < 0 || r != sizeof(buf))
+ return -EIO;
+
return 0;
}
log_dbg("Log: Unexpected UUID %s", s);
return -EINVAL;
}
+ } else if (sscanf(line, "direction = %d", &i) == 1) {
+ log_dbg("Log: direction = %i", i);
+ rnc.reencrypt_direction = i;
} else if (sscanf(line, "offset = %" PRIu64, &u64) == 1) {
log_dbg("Log: offset = %" PRIu64, u64);
rnc.device_offset = u64;
+ } else if (sscanf(line, "shift = %" PRIu64, &u64) == 1) {
+ log_dbg("Log: shift = %" PRIu64, u64);
+ rnc.device_shift = u64;
} else
return -EINVAL;
static int open_log(void)
{
+ int flags;
struct stat st;
if(stat(rnc.log_file, &st) < 0) {
log_dbg("Creating LUKS reencryption log file %s.", rnc.log_file);
- rnc.log_fd = open(rnc.log_file, O_RDWR|O_CREAT|O_DIRECT, S_IRUSR|S_IWUSR);
+
+ // FIXME: move that somewhere else
+ rnc.reencrypt_direction = BACKWARD;
+
+ flags = opt_directio ? O_RDWR|O_CREAT|O_DIRECT : O_RDWR|O_CREAT;
+ rnc.log_fd = open(rnc.log_file, flags, S_IRUSR|S_IWUSR);
if (rnc.log_fd == -1)
return -EINVAL;
if (write_log() < 0)
return -EIO;
} else {
log_dbg("Log file %s exists, restarting.", rnc.log_file);
- rnc.log_fd = open(rnc.log_file, O_RDWR|O_DIRECT);
+ flags = opt_directio ? O_RDWR|O_DIRECT : O_RDWR;
+ rnc.log_fd = open(rnc.log_file, flags);
if (rnc.log_fd == -1)
return -EINVAL;
rnc.in_progress = 1;
return r;
}
+void print_progress(uint64_t bytes, int final)
+{
+ uint64_t mbytes = bytes / 1024 / 1024;
+ struct timeval now_time;
+ double tdiff;
+
+ gettimeofday(&now_time, NULL);
+ if (!final && time_diff(rnc.end_time, now_time) < 0.5)
+ return;
+
+ rnc.end_time = now_time;
+
+ if (opt_batch_mode)
+ return;
+
+ tdiff = time_diff(rnc.start_time, rnc.end_time);
+ if (!tdiff)
+ return;
+
+ log_err("\33[2K\rProgress: %5.1f%%, time elapsed %3.1f seconds, %4"
+ PRIu64 " MB written, speed %5.2f MB/s%s",
+ (double)bytes / rnc.device_size * 100,
+ time_diff(rnc.start_time, rnc.end_time),
+ mbytes, (double)(mbytes) / tdiff,
+ final ? "\n" :"");
+}
+
+static int copy_data_forward(int fd_old, int fd_new, size_t block_size, void *buf, uint64_t *bytes)
+{
+ ssize_t s1, s2;
+
+ *bytes = 0;
+ while (rnc.device_offset < rnc.device_size) {
+ s1 = read(fd_old, buf, block_size);
+ if (s1 < 0 || (s1 != block_size && (rnc.device_offset + s1) != rnc.device_size)) {
+ log_err("Read error, expecting %d, got %d.\n", (int)block_size, (int)s1);
+ return -EIO;
+ }
+ s2 = write(fd_new, buf, s1);
+ if (s2 < 0) {
+ log_err("Write error, expecting %d, got %d.\n", (int)block_size, (int)s2);
+ return -EIO;
+ }
+ rnc.device_offset += s1;
+ if (opt_write_log && write_log() < 0) {
+ log_err("Log write error, some data are perhaps lost.\n");
+ return -EIO;
+ }
+
+ *bytes += (uint64_t)s2;
+ print_progress(*bytes, 0);
+ }
+
+ return 0;
+}
+
+static int copy_data_backward(int fd_old, int fd_new, size_t block_size, void *buf, uint64_t *bytes)
+{
+ ssize_t s1, s2, working_offset, working_block;
+
+ *bytes = 0;
+ while (rnc.device_offset) {
+ if (rnc.device_offset < block_size) {
+ working_offset = 0;
+ working_block = rnc.device_offset;
+ } else {
+ working_offset = rnc.device_offset - block_size;
+ working_block = block_size;
+ }
+
+ if (lseek(fd_old, working_offset, SEEK_SET) < 0 ||
+ lseek(fd_new, working_offset, SEEK_SET) < 0)
+ return -EIO;
+//log_err("off: %06d, size %06d\n", working_offset, block_size);
+
+ s1 = read(fd_old, buf, working_block);
+ if (s1 < 0 || (s1 != working_block)) {
+ log_err("Read error, expecting %d, got %d.\n", (int)block_size, (int)s1);
+ return -EIO;
+ }
+ s2 = write(fd_new, buf, working_block);
+ if (s2 < 0) {
+ log_err("Write error, expecting %d, got %d.\n", (int)block_size, (int)s2);
+ return -EIO;
+ }
+ rnc.device_offset -= s1;
+ if (opt_write_log && write_log() < 0) {
+ log_err("Log write error, some data are perhaps lost.\n");
+ return -EIO;
+ }
+
+ *bytes += (uint64_t)s2;
+ print_progress(*bytes, 0);
+ }
+
+ return 0;
+}
+
static int copy_data(void)
{
- int fd_old = -1, fd_new = -1, j;
- size_t block_size = 1024 *1024;
+ size_t block_size = opt_bsize * 1024 * 1024;
+ int fd_old = -1, fd_new = -1;
int r = -EINVAL;
void *buf = NULL;
- ssize_t s1, s2;
+ uint64_t bytes = 0;
- fd_old = open(rnc.crypt_path_org, O_RDONLY | O_DIRECT);
+ fd_old = open(rnc.crypt_path_org, O_RDONLY | (opt_directio ? O_DIRECT : 0));
if (fd_old == -1)
goto out;
- fd_new = open(rnc.crypt_path_new, O_WRONLY | O_DIRECT);
+ fd_new = open(rnc.crypt_path_new, O_WRONLY | (opt_directio ? O_DIRECT : 0));
if (fd_new == -1)
goto out;
goto out;
}
- log_err("Reencrypting [");
- j = 0;
- while (rnc.device_offset < rnc.device_size) {
- s1 = read(fd_old, buf, block_size);
- if (s1 != block_size)
- log_err("Read error, expecting %d, got %d.\n", (int)block_size, (int)s1);
- if (s1 < 0)
- goto out;
- s2 = write(fd_new, buf, s1);
- if (s2 != block_size)
- log_err("Write error, expecting %d, got %d.\n", (int)block_size, (int)s2);
- rnc.device_offset += s1;
- write_log();
- if (rnc.device_offset > (j * (rnc.device_size / 10))) {
- log_err("-");
- j++;
- }
- }
- log_err("] Done.\n");
- r = 0;
+ // FIXME: all this should be in init
+ if (!rnc.in_progress && rnc.reencrypt_direction == BACKWARD)
+ rnc.device_offset = rnc.device_size;
+
+ gettimeofday(&rnc.start_time, NULL);
+
+ if (rnc.reencrypt_direction == FORWARD)
+ r = copy_data_forward(fd_old, fd_new, block_size, buf, &bytes);
+ else
+ r = copy_data_backward(fd_old, fd_new, block_size, buf, &bytes);
+ print_progress(bytes, 1);
+
+ if (r < 0)
+ log_err("ERROR during reencryption.\n");
+
+ if (write_log() < 0)
+ log_err("Log write error, ignored.\n");
out:
if (fd_old != -1)
if (!(rnc.device = strndup(device, PATH_MAX)))
return -ENOMEM;
-
- if (initialize_uuid())
+/*
+ if (opt_new_file && !create_uuid()) {
+ log_err("Cannot create fake header.\n");
return -EINVAL;
+ }
+*/
+ if (initialize_uuid()) {
+ log_err("No header found on device.\n");
+ return -EINVAL;
+ }
/* Prepare device names */
if (snprintf(rnc.log_file, PATH_MAX,
close_log();
remove_headers();
- if (rnc.device_offset == rnc.device_size) {
+ if ((rnc.reencrypt_direction == FORWARD &&
+ rnc.device_offset == rnc.device_size) ||
+ rnc.device_offset == 0) {
unlink(rnc.log_file);
unlink(rnc.header_file_org);
unlink(rnc.header_file_new);
{ "version", '\0', POPT_ARG_NONE, &opt_version_mode, 0, N_("Print package version"), NULL },
{ "verbose", 'v', POPT_ARG_NONE, &opt_verbose, 0, N_("Shows more detailed error messages"), NULL },
{ "debug", '\0', POPT_ARG_NONE, &opt_debug, 0, N_("Show debug messages"), NULL },
+ { "block-size", 'B', POPT_ARG_INT, &opt_bsize, 0, N_("Reencryption block size"), N_("MB") },
+ { "new-header", 'N', POPT_ARG_INT, &opt_new, 0, N_("Create new header, need size on the end of device"), N_("MB") },
+ { "new-crypt", 'f', POPT_ARG_STRING, &opt_new_file, 0, N_("Log suffix for new reencryption file."), NULL },
{ "cipher", 'c', POPT_ARG_STRING, &opt_cipher, 0, N_("The cipher used to encrypt the disk (see /proc/crypto)"), NULL },
{ "hash", 'h', POPT_ARG_STRING, &opt_hash, 0, N_("The hash used to create the encryption key from the passphrase"), NULL },
{ "key-file", 'd', POPT_ARG_STRING, &opt_key_file, 0, N_("Read the key from a file."), NULL },
{ "batch-mode", 'q', POPT_ARG_NONE, &opt_batch_mode, 0, N_("Do not ask for confirmation"), NULL },
{ "use-random", '\0', POPT_ARG_NONE, &opt_random, 0, N_("Use /dev/random for generating volume key."), NULL },
{ "use-urandom", '\0', POPT_ARG_NONE, &opt_urandom, 0, N_("Use /dev/urandom for generating volume key."), NULL },
+ { "use-directio", '\0', POPT_ARG_NONE, &opt_directio, 0, N_("Use direct-io when accesing devices."), NULL },
+ { "write-log", '\0', POPT_ARG_NONE, &opt_write_log, 0, N_("Update log file after every block."), NULL },
POPT_TABLEEND
};
poptContext popt_context;
popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
poptSetOtherOptionHelp(popt_context,
- N_("[OPTION...] <action> <action-specific>]"));
+ N_("[OPTION...] <device>]"));
while((r = poptGetNextOpt(popt_context)) > 0) {
if (r < 0)
usage(popt_context, EXIT_FAILURE, _("Only one of --use-[u]random options is allowed."),
poptGetInvocationName(popt_context));
+ if (opt_new && !opt_new_file)
+ usage(popt_context, EXIT_FAILURE, _("You have to use -f with -N."),
+ poptGetInvocationName(popt_context));
+
if (opt_debug) {
opt_verbose = 1;
crypt_set_debug_level(-1);