Add basic support for system TCRYPT device.

Rename option hidden to tcrypt-hidden.

diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index 051875c..e77c1dd 100644 (file)
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -396,6 +396,8 @@ struct crypt_params_verity {
 #define CRYPT_TCRYPT_HIDDEN_HEADER   (1 << 1)
 /** Try to load backup header */
 #define CRYPT_TCRYPT_BACKUP_HEADER   (1 << 2)
 #define CRYPT_TCRYPT_HIDDEN_HEADER   (1 << 1)
 /** Try to load backup header */
 #define CRYPT_TCRYPT_BACKUP_HEADER   (1 << 2)

+/** Device contains encrypted system (with boot loader) */
+#define CRYPT_TCRYPT_SYSTEM_HEADER   (1 << 3)

 
 struct crypt_params_tcrypt {
        const char *passphrase;    /**< passphrase to unlock header (input only) */
 
 struct crypt_params_tcrypt {
        const char *passphrase;    /**< passphrase to unlock header (input only) */

diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c
index b1ebd05..661b54d 100644 (file)
--- a/lib/tcrypt/tcrypt.c
+++ b/lib/tcrypt/tcrypt.c
@@ -568,7 +568,11 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
        }
 
        r = -EIO;
        }
 
        r = -EIO;

-       if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+       if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+               if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
+                   read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
+                       r = TCRYPT_init_hdr(cd, hdr, params);
+       } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {

                if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
                        if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
                            read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
                if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
                        if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
                            read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)


@@ -854,7 +858,11 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 
        /* No real header loaded, initialized by active device */
        if (!hdr->d.version)
 
        /* No real header loaded, initialized by active device */
        if (!hdr->d.version)

-               return hdr->d.mk_offset / hdr->d.sector_size;
+               goto hdr_offset;
+
+       /* Mapping through whole device, not partition! */
+       if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
+               goto hdr_offset;

 
        if (params->mode && !strncmp(params->mode, "xts", 3)) {
                if (hdr->d.version < 3)
 
        if (params->mode && !strncmp(params->mode, "xts", 3)) {
                if (hdr->d.version < 3)


@@ -868,7 +876,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
                        return (size - hdr->d.hidden_volume_size +
                                (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
                }
                        return (size - hdr->d.hidden_volume_size +
                                (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
                }

-               return (hdr->d.mk_offset / hdr->d.sector_size);
+               goto hdr_offset;

        }
 
        if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
        }
 
        if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {


@@ -878,7 +886,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
                        (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
        }
 
                        (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
        }
 

-       // FIXME: system vol.
+hdr_offset:

        return hdr->d.mk_offset / hdr->d.sector_size;
 }
 
        return hdr->d.mk_offset / hdr->d.sector_size;
 }
 

diff --git a/lib/tcrypt/tcrypt.h b/lib/tcrypt/tcrypt.h
index 2cc4db0..6b45dbe 100644 (file)
--- a/lib/tcrypt/tcrypt.h
+++ b/lib/tcrypt/tcrypt.h
@@ -36,6 +36,8 @@
 #define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536
 #define TCRYPT_HDR_OFFSET_BCK -131072
 
 #define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536
 #define TCRYPT_HDR_OFFSET_BCK -131072
 

+#define TCRYPT_HDR_SYSTEM_OFFSET 31744
+

 #define TCRYPT_LRW_IKEY_LEN 16
 #define TCRYPT_KEY_POOL_LEN 64
 #define TCRYPT_KEYFILE_LEN  1048576
 #define TCRYPT_LRW_IKEY_LEN 16
 #define TCRYPT_KEY_POOL_LEN 64
 #define TCRYPT_KEYFILE_LEN  1048576

diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index 5a294df..202c0de 100644 (file)
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -397,8 +397,12 @@ using LRW or XTS encryption modes.
 The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
 and doesn't require superuser privilege.
 
 The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
 and doesn't require superuser privilege.
 

+To map system device (device with boot loader where the whole encrypted
+system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
+device not the system partition as the device parameter.
+

 To use hidden header (and map hidden device, if available),
 To use hidden header (and map hidden device, if available),

-use \fB\-\-hidden\fR option.
+use \fB\-\-tcrypt-hidden\fR option.

 .PP
 \fIopen\fR \-\-type tcrypt <device> <name>
 .br
 .PP
 \fIopen\fR \-\-type tcrypt <device> <name>
 .br


@@ -406,8 +410,8 @@ use \fB\-\-hidden\fR option.
 .IP
 Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
 
 .IP
 Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
 

-\fB<options>\fR can be [\-\-key-file, \-\-hidden, \-\-readonly,
-\-\-test-passphrase].
+\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
+\-\-readonly, \-\-test-passphrase].

 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated. Note that using keyfiles is compatible
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated. Note that using keyfiles is compatible


@@ -425,7 +429,8 @@ a passphrase.
 This means that if the master key is compromised, the whole device has
 to be erased to prevent further access. Use this option carefully.
 
 This means that if the master key is compromised, the whole device has
 to be erased to prevent further access. Use this option carefully.
 

-\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-hidden].
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
+\-\-tcrypt-system].

 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated.
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated.

diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 3659b73..30c5a16 100644 (file)
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -57,7 +57,8 @@ static int opt_dump_master_key = 0;
 static int opt_shared = 0;
 static int opt_allow_discards = 0;
 static int opt_test_passphrase = 0;
 static int opt_shared = 0;
 static int opt_allow_discards = 0;
 static int opt_test_passphrase = 0;

-static int opt_hidden = 0;
+static int opt_tcrypt_hidden = 0;
+static int opt_tcrypt_system = 0;

 
 static const char **action_argv;
 static int action_argc;
 
 static const char **action_argv;
 static int action_argc;


@@ -231,9 +232,12 @@ static int action_open_tcrypt(void)
        if (r < 0)
                goto out;
 
        if (r < 0)
                goto out;
 

-       if (opt_hidden)
+       if (opt_tcrypt_hidden)

                params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 
                params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 

+       if (opt_tcrypt_system)
+               params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+

        r = crypt_load(cd, CRYPT_TCRYPT, &params);
        check_signal(&r);
        if (r < 0)
        r = crypt_load(cd, CRYPT_TCRYPT, &params);
        check_signal(&r);
        if (r < 0)


@@ -313,9 +317,12 @@ static int action_tcryptDump(void)
        if (r < 0)
                goto out;
 
        if (r < 0)
                goto out;
 

-       if (opt_hidden)
+       if (opt_tcrypt_hidden)

                params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 
                params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 

+       if (opt_tcrypt_system)
+               params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+

        r = crypt_load(cd, CRYPT_TCRYPT, &params);
        check_signal(&r);
        if (r < 0)
        r = crypt_load(cd, CRYPT_TCRYPT, &params);
        check_signal(&r);
        if (r < 0)


@@ -1368,9 +1375,10 @@ int main(int argc, const char **argv)
                { "allow-discards",    '\0', POPT_ARG_NONE, &opt_allow_discards,        0, N_("Allow discards (aka TRIM) requests for device."), NULL },
                { "header",            '\0', POPT_ARG_STRING, &opt_header_device,       0, N_("Device or file with separated LUKS header."), NULL },
                { "test-passphrase",   '\0', POPT_ARG_NONE, &opt_test_passphrase,       0, N_("Do not activate device, just check passphrase."), NULL },
                { "allow-discards",    '\0', POPT_ARG_NONE, &opt_allow_discards,        0, N_("Allow discards (aka TRIM) requests for device."), NULL },
                { "header",            '\0', POPT_ARG_STRING, &opt_header_device,       0, N_("Device or file with separated LUKS header."), NULL },
                { "test-passphrase",   '\0', POPT_ARG_NONE, &opt_test_passphrase,       0, N_("Do not activate device, just check passphrase."), NULL },

-               { "hidden",            '\0', POPT_ARG_NONE, &opt_hidden,                0, N_("Use hidden header (hidden TCRYPT device) ."), NULL },
+               { "tcrypt-hidden",     '\0', POPT_ARG_NONE, &opt_tcrypt_hidden,         0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
+               { "tcrypt-system",     '\0', POPT_ARG_NONE, &opt_tcrypt_system,         0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },

                { "type",               'M', POPT_ARG_STRING, &opt_type,                0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
                { "type",               'M', POPT_ARG_STRING, &opt_type,                0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },

-               { "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,         0, N_("Disable password quality check (if enabled)."), NULL },
+               { "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,        0, N_("Disable password quality check (if enabled)."), NULL },

                POPT_TABLEEND
        };
        poptContext popt_context;
                POPT_TABLEEND
        };
        poptContext popt_context;


@@ -1570,10 +1578,10 @@ int main(int argc, const char **argv)
                _("Option --offset is supported only for open of plain and loopaes devices.\n"),
                poptGetInvocationName(popt_context));
 
                _("Option --offset is supported only for open of plain and loopaes devices.\n"),
                poptGetInvocationName(popt_context));
 

-       if (opt_hidden && strcmp(aname, "tcryptDump") &&
+       if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") &&

            (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
                usage(popt_context, EXIT_FAILURE,
            (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
                usage(popt_context, EXIT_FAILURE,

-               _("Option --hidden is supported only for TCRYPT device.\n"),
+               _("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"),

                poptGetInvocationName(popt_context));
 
        if (opt_debug) {
                poptGetInvocationName(popt_context));
 
        if (opt_debug) {

diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test
index 1e587b8..93af99a 100755 (executable)
--- a/tests/tcrypt-compat-test
+++ b/tests/tcrypt-compat-test
@@ -72,13 +72,13 @@ done
 echo "HEADER CHECK (HIDDEN)"
 for file in $(ls $TST_DIR/tc_*-hidden) ; do
        echo -n " $file (hidden)"
 echo "HEADER CHECK (HIDDEN)"
 for file in $(ls $TST_DIR/tc_*-hidden) ; do
        echo -n " $file (hidden)"

-       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --hidden $file >/dev/null || fail
+       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail

        echo " [OK]"
 done
 
 echo "HEADER KEYFILES CHECK"
 for file in $(ls $TST_DIR/tck_*) ; do
        echo " [OK]"
 done
 
 echo "HEADER KEYFILES CHECK"
 for file in $(ls $TST_DIR/tck_*) ; do

-       echo -n " $file (hidden)"
+       echo -n " $file"

        echo $PASSWORD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
        echo " [OK]"
 done
        echo $PASSWORD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
        echo " [OK]"
 done


@@ -102,7 +102,7 @@ done
 echo "ACTIVATION FS UUID (HIDDEN) CHECK (LRW/XTS modes only)"
 for file in $(ls $TST_DIR/tc_*-lrw-*-hidden $TST_DIR/tc_*-xts-*-hidden) ; do
        echo -n " $file"
 echo "ACTIVATION FS UUID (HIDDEN) CHECK (LRW/XTS modes only)"
 for file in $(ls $TST_DIR/tc_*-lrw-*-hidden $TST_DIR/tc_*-xts-*-hidden) ; do
        echo -n " $file"

-       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --hidden || fail
+       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden || fail

        UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
        $CRYPTSETUP remove $MAP || fail
        [ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."
        UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
        $CRYPTSETUP remove $MAP || fail
        [ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."