From e4c4049741b12a3283af4c87de1ffccc0f7c36fe Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Sat, 22 Dec 2012 22:34:09 +0100 Subject: [PATCH 1/1] Add basic support for system TCRYPT device. Rename option hidden to tcrypt-hidden. --- lib/libcryptsetup.h | 2 ++ lib/tcrypt/tcrypt.c | 16 ++++++++++++---- lib/tcrypt/tcrypt.h | 2 ++ man/cryptsetup.8 | 13 +++++++++---- src/cryptsetup.c | 22 +++++++++++++++------- tests/tcrypt-compat-test | 6 +++--- 6 files changed, 43 insertions(+), 18 deletions(-) diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h index 051875c..e77c1dd 100644 --- a/lib/libcryptsetup.h +++ b/lib/libcryptsetup.h @@ -396,6 +396,8 @@ struct crypt_params_verity { #define CRYPT_TCRYPT_HIDDEN_HEADER (1 << 1) /** Try to load backup header */ #define CRYPT_TCRYPT_BACKUP_HEADER (1 << 2) +/** Device contains encrypted system (with boot loader) */ +#define CRYPT_TCRYPT_SYSTEM_HEADER (1 << 3) struct crypt_params_tcrypt { const char *passphrase; /**< passphrase to unlock header (input only) */ diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c index b1ebd05..661b54d 100644 --- a/lib/tcrypt/tcrypt.c +++ b/lib/tcrypt/tcrypt.c @@ -568,7 +568,11 @@ int TCRYPT_read_phdr(struct crypt_device *cd, } r = -EIO; - if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) { + if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) { + if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 && + read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) + r = TCRYPT_init_hdr(cd, hdr, params); + } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) { if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) { if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 && read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size) 
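Review bot: The new `CRYPT_TCRYPT_SYSTEM_HEADER` branch in TCRYPT_read_phdr is tested first, so a caller that also sets `CRYPT_TCRYPT_HIDDEN_HEADER` or `CRYPT_TCRYPT_BACKUP_HEADER` has those flags silently ignored and is given the header at `TCRYPT_HDR_SYSTEM_OFFSET` instead. These flags are public API in lib/libcryptsetup.h, so an unsupported combination is better rejected than reinterpreted, e.g. `if ((params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) && (params->flags & (CRYPT_TCRYPT_HIDDEN_HEADER | CRYPT_TCRYPT_BACKUP_HEADER))) return -EINVAL;`. The same gap is visible in src/cryptsetup.c: action_open_tcrypt and action_tcryptDump set the two flags independently, and the option check in main accepts `--tcrypt-hidden` together with `--tcrypt-system`. The function body starts and ends outside this hunk, so the check has to be placed where an early return does not leak `devfd`.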
@@ -854,7 +858,11 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd, /* No real header loaded, initialized by active device */ if (!hdr->d.version) - return hdr->d.mk_offset / hdr->d.sector_size; + goto hdr_offset; + + /* Mapping through whole device, not partition! */ + if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) + goto hdr_offset; if (params->mode && !strncmp(params->mode, "xts", 3)) { if (hdr->d.version < 3) @@ -868,7 +876,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd, return (size - hdr->d.hidden_volume_size + (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size; } - return (hdr->d.mk_offset / hdr->d.sector_size); + goto hdr_offset; } if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) { @@ -878,7 +886,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd, (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size; } - // FIXME: system vol. +hdr_offset: return hdr->d.mk_offset / hdr->d.sector_size; } diff --git a/lib/tcrypt/tcrypt.h b/lib/tcrypt/tcrypt.h index 2cc4db0..6b45dbe 100644 --- a/lib/tcrypt/tcrypt.h +++ b/lib/tcrypt/tcrypt.h @@ -36,6 +36,8 @@ #define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536 #define TCRYPT_HDR_OFFSET_BCK -131072 +#define TCRYPT_HDR_SYSTEM_OFFSET 31744 + #define TCRYPT_LRW_IKEY_LEN 16 #define TCRYPT_KEY_POOL_LEN 64 #define TCRYPT_KEYFILE_LEN 1048576 diff --git a/man/cryptsetup.8 b/man/cryptsetup.8 index 5a294df..202c0de 100644 --- a/man/cryptsetup.8 +++ b/man/cryptsetup.8 @@ -397,8 +397,12 @@ using LRW or XTS encryption modes. The \fBtcryptDump\fR command should work for all recognized TCRYPT devices and doesn't require superuser privilege. +To map system device (device with boot loader where the whole encrypted +system resides) use \fB\-\-tcrypt-system\fR option. Use the whole +device not the system partition as the device parameter. + To use hidden header (and map hidden device, if available), -use \fB\-\-hidden\fR option. +use \fB\-\-tcrypt-hidden\fR option. .PP \fIopen\fR \-\-type tcrypt .br 
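Review bot: Every exit of TCRYPT_get_data_offset that used to return on its own now funnels into `hdr_offset:`, where `hdr->d.mk_offset / hdr->d.sector_size` divides by a value that appears to come from the header, including on the new system-device path. Whether `sector_size` is guaranteed non-zero is not visible in these hunks (the later `@@ -868` and `@@ -878` hunks only redirect to the same label). If the header-loading code does not already enforce it, a check such as `if (!hdr->d.sector_size || hdr->d.mk_offset % hdr->d.sector_size) return -EINVAL;` belongs there rather than here, because this function returns `uint64_t` and has no error channel. The label would also benefit from a comment like `/* Data start in sectors, relative to the start of the opened device */`, since for system volumes that device is the whole disk and not the partition.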
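Review bot: `TCRYPT_HDR_SYSTEM_OFFSET 31744` is an unexplained magic number, unlike the neighbouring offsets, which are recognisable multiples of 64 KiB. 31744 is 62 * 512, so the header is expected in sector 62 of the whole disk, assuming 512-byte sectors. A comment such as `/* System volume header: sector 62 of the whole device (62 * 512 bytes) */`, or writing the value as `(62 * 512)`, would state the whole-device requirement where the constant is defined.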
@@ -406,8 +410,8 @@ use \fB\-\-hidden\fR option. .IP Opens the TCRYPT (a TrueCrypt-compatible) and sets up a mapping . -\fB\fR can be [\-\-key-file, \-\-hidden, \-\-readonly, -\-\-test-passphrase]. +\fB\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system, +\-\-readonly, \-\-test-passphrase]. The keyfile parameter allows combination of file content with the passphrase and can be repeated. Note that using keyfiles is compatible @@ -425,7 +429,8 @@ a passphrase. This means that if the master key is compromised, the whole device has to be erased to prevent further access. Use this option carefully. -\fB\fR can be [\-\-dump-master-key, \-\-key-file, \-\-hidden]. +\fB\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden, +\-\-tcrypt-system]. The keyfile parameter allows combination of file content with the passphrase and can be repeated. diff --git a/src/cryptsetup.c b/src/cryptsetup.c index 3659b73..30c5a16 100644 --- a/src/cryptsetup.c +++ b/src/cryptsetup.c @@ -57,7 +57,8 @@ static int opt_dump_master_key = 0; static int opt_shared = 0; static int opt_allow_discards = 0; static int opt_test_passphrase = 0; -static int opt_hidden = 0; +static int opt_tcrypt_hidden = 0; +static int opt_tcrypt_system = 0; static const char **action_argv; static int action_argc; @@ -231,9 +232,12 @@ static int action_open_tcrypt(void) if (r < 0) goto out; - if (opt_hidden) + if (opt_tcrypt_hidden) params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER; + if (opt_tcrypt_system) + params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER; + r = crypt_load(cd, CRYPT_TCRYPT, ¶ms); check_signal(&r); if (r < 0) @@ -313,9 +317,12 @@ static int action_tcryptDump(void) if (r < 0) goto out; - if (opt_hidden) + if (opt_tcrypt_hidden) params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER; + if (opt_tcrypt_system) + params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER; + r = crypt_load(cd, CRYPT_TCRYPT, ¶ms); check_signal(&r); if (r < 0) 
@@ -1368,9 +1375,10 @@ int main(int argc, const char **argv) { "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL }, { "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL }, { "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL }, - { "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hidden TCRYPT device) ."), NULL }, + { "tcrypt-hidden", '\0', POPT_ARG_NONE, &opt_tcrypt_hidden, 0, N_("Use hidden header (hidden TCRYPT device)."), NULL }, + { "tcrypt-system", '\0', POPT_ARG_NONE, &opt_tcrypt_system, 0, N_("Device is system TCRYPT drive (with bootloader)."), NULL }, { "type", 'M', POPT_ARG_STRING, &opt_type, 0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL }, - { "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL }, + { "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL }, POPT_TABLEEND }; poptContext popt_context; @@ -1570,10 +1578,10 @@ int main(int argc, const char **argv) _("Option --offset is supported only for open of plain and loopaes devices.\n"), poptGetInvocationName(popt_context)); - if (opt_hidden && strcmp(aname, "tcryptDump") && + if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") && (strcmp(aname, "open") || strcmp(opt_type, "tcrypt"))) usage(popt_context, EXIT_FAILURE, - _("Option --hidden is supported only for TCRYPT device.\n"), + _("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"), poptGetInvocationName(popt_context)); if (opt_debug) { diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test index 1e587b8..93af99a 100755 --- a/tests/tcrypt-compat-test +++ b/tests/tcrypt-compat-test 
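Review bot: Renaming `--hidden` to `--tcrypt-hidden` in the option table removes the old spelling outright, so any script written against `--hidden` now fails option parsing instead of opening the hidden volume. If `--hidden` ever shipped in a release (this patch does not show that), keep it as an undocumented alias that writes to the same variable, e.g. `{ "hidden", '\0', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &opt_tcrypt_hidden, 0, NULL, NULL },`. The option table and main continue outside this hunk.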
@@ -72,13 +72,13 @@ done echo "HEADER CHECK (HIDDEN)" for file in $(ls $TST_DIR/tc_*-hidden) ; do echo -n " $file (hidden)" - echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --hidden $file >/dev/null || fail + echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail echo " [OK]" done echo "HEADER KEYFILES CHECK" for file in $(ls $TST_DIR/tck_*) ; do - echo -n " $file (hidden)" + echo -n " $file" echo $PASSWORD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail echo " [OK]" done @@ -102,7 +102,7 @@ done echo "ACTIVATION FS UUID (HIDDEN) CHECK (LRW/XTS modes only)" for file in $(ls $TST_DIR/tc_*-lrw-*-hidden $TST_DIR/tc_*-xts-*-hidden) ; do echo -n " $file" - echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --hidden || fail + echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden || fail UUID=$(lsblk -n -o UUID /dev/mapper/$MAP) $CRYPTSETUP remove $MAP || fail [ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed." -- 2.7.4
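Review bot: No test exercises `--tcrypt-system`, so the new header offset and the whole-device data-offset path in lib/tcrypt/tcrypt.c ship untested. Both hunks in this file only rename `--hidden` to `--tcrypt-hidden` and drop the stray "(hidden)" label from the keyfile loop. A header-check loop modelled on the existing ones, running `$CRYPTSETUP tcryptDump --tcrypt-system` against a system-encrypted image under `$TST_DIR`, would cover the read path. A negative case that passes `--tcrypt-system` to a non-TCRYPT action would cover the usage check changed in main.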