eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-05 16:00:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

bitlk: Add support for activating BITLK devices using volume key

Browse Source 
Both with "crypt_activate_by_volume_key" and using cli with
--master-key option.
This commit is contained in:
Vojtech Trefny
2020-11-10 16:04:05 +01:00
committed by Milan Broz
parent 406d2d8b0a
commit 652081426b
4 changed files with 135 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
lib/bitlk/bitlk.c
View File

@@ -1216,12 +1216,38 @@ int BITLK_get_volume_key(struct crypt_device *cd,
return 0; return 0;
} }
int BITLK_activate(struct crypt_device *cd, static int _activate_check(struct crypt_device *cd,
const char *name, const struct bitlk_metadata *params)
const char *password, {
size_t passwordLen, const struct bitlk_vmk *next_vmk = NULL;
const struct bitlk_metadata *params,
uint32_t flags) if (!params->state) {
log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated."));
return -ENOTSUP;
}
if (params->type != BITLK_ENCRYPTION_TYPE_NORMAL) {
log_err(cd, _("BITLK devices with type '%s' cannot be activated."), get_bitlk_type_string(params->type));
return -ENOTSUP;
}
next_vmk = params->vmks;
while (next_vmk) {
if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
log_err(cd, _("Activation of partially decrypted BITLK device is not supported."));
return -ENOTSUP;
}
next_vmk = next_vmk->next;
}
return 0;
}
static int _activate(struct crypt_device *cd,
const char *name,
struct volume_key *open_fvek_key,
const struct bitlk_metadata *params,
uint32_t flags)
{ {
int r = 0; int r = 0;
int i = 0; int i = 0;
@@ -1232,8 +1258,6 @@ int BITLK_activate(struct crypt_device *cd,
.flags = flags, .flags = flags,
}; };
struct dm_target *next_segment = NULL; struct dm_target *next_segment = NULL;
struct volume_key *open_fvek_key = NULL;
const struct bitlk_vmk *next_vmk = NULL;
struct segment segments[MAX_BITLK_SEGMENTS] = {}; struct segment segments[MAX_BITLK_SEGMENTS] = {};
struct segment temp; struct segment temp;
uint64_t next_start = 0; uint64_t next_start = 0;
@@ -1241,44 +1265,14 @@ int BITLK_activate(struct crypt_device *cd,
uint64_t last_segment = 0; uint64_t last_segment = 0;
uint32_t dmt_flags; uint32_t dmt_flags;
if (!params->state) { r = _activate_check(cd, params);
log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated.")); if (r)
r = -ENOTSUP;
goto out;
}
if (params->type != BITLK_ENCRYPTION_TYPE_NORMAL) {
log_err(cd, _("BITLK devices with type '%s' cannot be activated."), get_bitlk_type_string(params->type));
r = -ENOTSUP;
goto out;
}
r = BITLK_get_volume_key(cd, password, passwordLen, params, &open_fvek_key);
if (r < 0)
return r; return r;
/* Password verify only */
if (!name) {
crypt_free_volume_key(open_fvek_key);
return r;
}
next_vmk = params->vmks;
while (next_vmk) {
if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
crypt_free_volume_key(open_fvek_key);
log_err(cd, _("Activation of partially decrypted BITLK device is not supported."));
return -ENOTSUP;
}
next_vmk = next_vmk->next;
}
r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL, r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL,
0, &dmd.size, &dmd.flags); 0, &dmd.size, &dmd.flags);
if (r) { if (r)
crypt_free_volume_key(open_fvek_key);
return r; return r;
}
/* there will be always 4 dm-zero segments: 3x metadata, 1x FS header */ /* there will be always 4 dm-zero segments: 3x metadata, 1x FS header */
for (i = 0; i < 3; i++) { for (i = 0; i < 3; i++) {
@@ -1413,6 +1407,57 @@ int BITLK_activate(struct crypt_device *cd,
} }
out: out:
dm_targets_free(cd, &dmd); dm_targets_free(cd, &dmd);
return r;
}
int BITLK_activate_by_passphrase(struct crypt_device *cd,
const char *name,
const char *password,
size_t passwordLen,
const struct bitlk_metadata *params,
uint32_t flags)
{
int r = 0;
struct volume_key *open_fvek_key = NULL;
r = _activate_check(cd, params);
if (r)
return r;
r = BITLK_get_volume_key(cd, password, passwordLen, params, &open_fvek_key);
if (r < 0)
goto out;
/* Password verify only */
if (!name)
goto out;
r = _activate(cd, name, open_fvek_key, params, flags);
out:
crypt_free_volume_key(open_fvek_key);
return r;
}
int BITLK_activate_by_volume_key(struct crypt_device *cd,
const char *name,
const char *volume_key,
size_t volume_key_size,
const struct bitlk_metadata *params,
uint32_t flags)
{
int r = 0;
struct volume_key *open_fvek_key = NULL;
r = _activate_check(cd, params);
if (r)
return r;
open_fvek_key = crypt_alloc_volume_key(volume_key_size, volume_key);
if (!open_fvek_key)
return -ENOMEM;
r = _activate(cd, name, open_fvek_key, params, flags);
crypt_free_volume_key(open_fvek_key); crypt_free_volume_key(open_fvek_key);
return r; return r;
} }

19
lib/bitlk/bitlk.h
View File

@@ -123,12 +123,19 @@ int BITLK_get_volume_key(struct crypt_device *cd,
const struct bitlk_metadata *params, const struct bitlk_metadata *params,
struct volume_key **open_fvek_key); struct volume_key **open_fvek_key);
int BITLK_activate(struct crypt_device *cd, int BITLK_activate_by_passphrase(struct crypt_device *cd,
const char *name, const char *name,
const char *password, const char *password,
size_t passwordLen, size_t passwordLen,
const struct bitlk_metadata *params, const struct bitlk_metadata *params,
uint32_t flags); uint32_t flags);
int BITLK_activate_by_volume_key(struct crypt_device *cd,
const char *name,
const char *volume_key,
size_t volume_key_size,
const struct bitlk_metadata *params,
uint32_t flags);
void BITLK_bitlk_fvek_free(struct bitlk_fvek *fvek); void BITLK_bitlk_fvek_free(struct bitlk_fvek *fvek);
void BITLK_bitlk_vmk_free(struct bitlk_vmk *vmk); void BITLK_bitlk_vmk_free(struct bitlk_vmk *vmk);

7
lib/setup.c
View File

@@ -4121,8 +4121,8 @@ static int _activate_by_passphrase(struct crypt_device *cd,
r = _open_and_activate_luks2(cd, keyslot, name, passphrase, passphrase_size, flags); r = _open_and_activate_luks2(cd, keyslot, name, passphrase, passphrase_size, flags);
keyslot = r; keyslot = r;
} else if (isBITLK(cd->type)) { } else if (isBITLK(cd->type)) {
r = BITLK_activate(cd, name, passphrase, passphrase_size, r = BITLK_activate_by_passphrase(cd, name, passphrase, passphrase_size,
&cd->u.bitlk.params, flags); &cd->u.bitlk.params, flags);
keyslot = 0; keyslot = 0;
} else { } else {
log_err(cd, _("Device type is not properly initialized.")); log_err(cd, _("Device type is not properly initialized."));
@@ -4381,6 +4381,9 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
cd->u.integrity.journal_crypt_key, cd->u.integrity.journal_crypt_key,
cd->u.integrity.journal_mac_key, flags, cd->u.integrity.journal_mac_key, flags,
cd->u.integrity.sb_flags); cd->u.integrity.sb_flags);
} else if (isBITLK(cd->type)) {
r = BITLK_activate_by_volume_key(cd, name, volume_key, volume_key_size,
&cd->u.bitlk.params, flags);
} else { } else {
log_err(cd, _("Device type is not properly initialized.")); log_err(cd, _("Device type is not properly initialized."));
r = -EINVAL; r = -EINVAL;

44
src/cryptsetup.c
View File

@@ -482,8 +482,9 @@ static int action_open_bitlk(void)
struct crypt_device *cd = NULL; struct crypt_device *cd = NULL;
const char *activated_name; const char *activated_name;
uint32_t activate_flags = 0; uint32_t activate_flags = 0;
int r, tries; int r, tries, keysize;
char *password = NULL; char *password = NULL;
char *key = NULL;
size_t passwordLen; size_t passwordLen;
activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1]; activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
@@ -498,23 +499,40 @@ static int action_open_bitlk(void)
} }
_set_activation_flags(&activate_flags); _set_activation_flags(&activate_flags);
tries = (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1; if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) {
do { keysize = crypt_get_volume_key_size(cd);
r = tools_get_key(NULL, &password, &passwordLen, if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) {
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID), log_err(_("Cannot determine volume key size for BITLK, please use --key-size option."));
ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd); r = -EINVAL;
goto out;
} else if (!keysize)
keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
r = crypt_cli_read_mk(cd, ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, keysize);
if (r < 0) if (r < 0)
goto out; goto out;
r = crypt_activate_by_volume_key(cd, activated_name,
key, keysize, activate_flags);
} else {
tries = (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
do {
r = tools_get_key(NULL, &password, &passwordLen,
ARG_UINT64(OPT_KEYFILE_OFFSET_ID), ARG_UINT32(OPT_KEYFILE_SIZE_ID), ARG_STR(OPT_KEY_FILE_ID),
ARG_UINT32(OPT_TIMEOUT_ID), _verify_passphrase(0), 0, cd);
if (r < 0)
goto out;
r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT, r = crypt_activate_by_passphrase(cd, activated_name, CRYPT_ANY_SLOT,
password, passwordLen, activate_flags); password, passwordLen, activate_flags);
tools_passphrase_msg(r); tools_passphrase_msg(r);
check_signal(&r); check_signal(&r);
crypt_safe_free(password); crypt_safe_free(password);
password = NULL; password = NULL;
} while ((r == -EPERM || r == -ERANGE) && (--tries > 0)); } while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
}
out: out:
crypt_safe_free(password); crypt_safe_free(password);
crypt_safe_free(key);
crypt_free(cd); crypt_free(cd);
return r; return r;
} }