Add basic support for system TCRYPT device.

Rename option hidden to tcrypt-hidden.

diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index 051875c..e77c1dd 100644 (file)
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -396,6 +396,8 @@ struct crypt_params_verity {
 #define CRYPT_TCRYPT_HIDDEN_HEADER   (1 << 1)
 /** Try to load backup header */
 #define CRYPT_TCRYPT_BACKUP_HEADER   (1 << 2)
+/** Device contains encrypted system (with boot loader) */
+#define CRYPT_TCRYPT_SYSTEM_HEADER   (1 << 3)
 
 struct crypt_params_tcrypt {
        const char *passphrase;    /**< passphrase to unlock header (input only) */

diff --git a/lib/tcrypt/tcrypt.c b/lib/tcrypt/tcrypt.c
index b1ebd05..661b54d 100644 (file)
--- a/lib/tcrypt/tcrypt.c
+++ b/lib/tcrypt/tcrypt.c
@@ -568,7 +568,11 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
        }
 
        r = -EIO;
-       if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+       if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+               if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
+                   read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
+                       r = TCRYPT_init_hdr(cd, hdr, params);
+       } else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
                if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
                        if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
                            read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
@@ -854,7 +858,11 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 
        /* No real header loaded, initialized by active device */
        if (!hdr->d.version)
-               return hdr->d.mk_offset / hdr->d.sector_size;
+               goto hdr_offset;
+
+       /* Mapping through whole device, not partition! */
+       if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
+               goto hdr_offset;
 
        if (params->mode && !strncmp(params->mode, "xts", 3)) {
                if (hdr->d.version < 3)
@@ -868,7 +876,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
                        return (size - hdr->d.hidden_volume_size +
                                (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
                }
-               return (hdr->d.mk_offset / hdr->d.sector_size);
+               goto hdr_offset;
        }
 
        if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
@@ -878,7 +886,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
                        (TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
        }
 
-       // FIXME: system vol.
+hdr_offset:
        return hdr->d.mk_offset / hdr->d.sector_size;
 }
 

diff --git a/lib/tcrypt/tcrypt.h b/lib/tcrypt/tcrypt.h
index 2cc4db0..6b45dbe 100644 (file)
--- a/lib/tcrypt/tcrypt.h
+++ b/lib/tcrypt/tcrypt.h
@@ -36,6 +36,8 @@
 #define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536
 #define TCRYPT_HDR_OFFSET_BCK -131072
 
+#define TCRYPT_HDR_SYSTEM_OFFSET 31744
+
 #define TCRYPT_LRW_IKEY_LEN 16
 #define TCRYPT_KEY_POOL_LEN 64
 #define TCRYPT_KEYFILE_LEN  1048576

diff --git a/man/cryptsetup.8 b/man/cryptsetup.8
index 5a294df..202c0de 100644 (file)
--- a/man/cryptsetup.8
+++ b/man/cryptsetup.8
@@ -397,8 +397,12 @@ using LRW or XTS encryption modes.
 The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
 and doesn't require superuser privilege.
 
+To map system device (device with boot loader where the whole encrypted
+system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
+device not the system partition as the device parameter.
+
 To use hidden header (and map hidden device, if available),
-use \fB\-\-hidden\fR option.
+use \fB\-\-tcrypt-hidden\fR option.
 .PP
 \fIopen\fR \-\-type tcrypt <device> <name>
 .br
@@ -406,8 +410,8 @@ use \fB\-\-hidden\fR option.
 .IP
 Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
 
-\fB<options>\fR can be [\-\-key-file, \-\-hidden, \-\-readonly,
-\-\-test-passphrase].
+\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
+\-\-readonly, \-\-test-passphrase].
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated. Note that using keyfiles is compatible
@@ -425,7 +429,8 @@ a passphrase.
 This means that if the master key is compromised, the whole device has
 to be erased to prevent further access. Use this option carefully.
 
-\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-hidden].
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
+\-\-tcrypt-system].
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated.

diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 3659b73..30c5a16 100644 (file)
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -57,7 +57,8 @@ static int opt_dump_master_key = 0;
 static int opt_shared = 0;
 static int opt_allow_discards = 0;
 static int opt_test_passphrase = 0;
-static int opt_hidden = 0;
+static int opt_tcrypt_hidden = 0;
+static int opt_tcrypt_system = 0;
 
 static const char **action_argv;
 static int action_argc;
@@ -231,9 +232,12 @@ static int action_open_tcrypt(void)
        if (r < 0)
                goto out;
 
-       if (opt_hidden)
+       if (opt_tcrypt_hidden)
                params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 
+       if (opt_tcrypt_system)
+               params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+
        r = crypt_load(cd, CRYPT_TCRYPT, &params);
        check_signal(&r);
        if (r < 0)
@@ -313,9 +317,12 @@ static int action_tcryptDump(void)
        if (r < 0)
                goto out;
 
-       if (opt_hidden)
+       if (opt_tcrypt_hidden)
                params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 
+       if (opt_tcrypt_system)
+               params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+
        r = crypt_load(cd, CRYPT_TCRYPT, &params);
        check_signal(&r);
        if (r < 0)
@@ -1368,9 +1375,10 @@ int main(int argc, const char **argv)
                { "allow-discards",    '\0', POPT_ARG_NONE, &opt_allow_discards,        0, N_("Allow discards (aka TRIM) requests for device."), NULL },
                { "header",            '\0', POPT_ARG_STRING, &opt_header_device,       0, N_("Device or file with separated LUKS header."), NULL },
                { "test-passphrase",   '\0', POPT_ARG_NONE, &opt_test_passphrase,       0, N_("Do not activate device, just check passphrase."), NULL },
-               { "hidden",            '\0', POPT_ARG_NONE, &opt_hidden,                0, N_("Use hidden header (hidden TCRYPT device) ."), NULL },
+               { "tcrypt-hidden",     '\0', POPT_ARG_NONE, &opt_tcrypt_hidden,         0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
+               { "tcrypt-system",     '\0', POPT_ARG_NONE, &opt_tcrypt_system,         0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
                { "type",               'M', POPT_ARG_STRING, &opt_type,                0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
-               { "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,         0, N_("Disable password quality check (if enabled)."), NULL },
+               { "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,        0, N_("Disable password quality check (if enabled)."), NULL },
                POPT_TABLEEND
        };
        poptContext popt_context;
@@ -1570,10 +1578,10 @@ int main(int argc, const char **argv)
                _("Option --offset is supported only for open of plain and loopaes devices.\n"),
                poptGetInvocationName(popt_context));
 
-       if (opt_hidden && strcmp(aname, "tcryptDump") &&
+       if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") &&
            (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
                usage(popt_context, EXIT_FAILURE,
-               _("Option --hidden is supported only for TCRYPT device.\n"),
+               _("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"),
                poptGetInvocationName(popt_context));
 
        if (opt_debug) {

diff --git a/tests/tcrypt-compat-test b/tests/tcrypt-compat-test
index 1e587b8..93af99a 100755 (executable)
--- a/tests/tcrypt-compat-test
+++ b/tests/tcrypt-compat-test
@@ -72,13 +72,13 @@ done
 echo "HEADER CHECK (HIDDEN)"
 for file in $(ls $TST_DIR/tc_*-hidden) ; do
        echo -n " $file (hidden)"
-       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --hidden $file >/dev/null || fail
+       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail
        echo " [OK]"
 done
 
 echo "HEADER KEYFILES CHECK"
 for file in $(ls $TST_DIR/tck_*) ; do
-       echo -n " $file (hidden)"
+       echo -n " $file"
        echo $PASSWORD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
        echo " [OK]"
 done
@@ -102,7 +102,7 @@ done
 echo "ACTIVATION FS UUID (HIDDEN) CHECK (LRW/XTS modes only)"
 for file in $(ls $TST_DIR/tc_*-lrw-*-hidden $TST_DIR/tc_*-xts-*-hidden) ; do
        echo -n " $file"
-       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --hidden || fail
+       echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden || fail
        UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
        $CRYPTSETUP remove $MAP || fail
        [ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."