bitlk: Add support for activating BITLK devices using volume key

Both with "crypt_activate_by_volume_key" and using cli with --master-key option.
2025-12-05 16:00:05 +01:00 · 2020-11-10 16:04:05 +01:00
parent 406d2d8b0a
commit 652081426b
4 changed files with 135 additions and 62 deletions
--- a/lib/bitlk/bitlk.c
+++ b/lib/bitlk/bitlk.c
@@ -1216,10 +1216,36 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 	return 0;
 }

-int BITLK_activate(struct crypt_device *cd,
+static int _activate_check(struct crypt_device *cd,
+		           const struct bitlk_metadata *params)
+{
+	const struct bitlk_vmk *next_vmk = NULL;
+
+	if (!params->state) {
+		log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated."));
+		return -ENOTSUP;
+	}
+
+	if (params->type != BITLK_ENCRYPTION_TYPE_NORMAL) {
+		log_err(cd, _("BITLK devices with type '%s' cannot be activated."), get_bitlk_type_string(params->type));
+		return -ENOTSUP;
+	}
+
+	next_vmk = params->vmks;
+	while (next_vmk) {
+		if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
+			log_err(cd, _("Activation of partially decrypted BITLK device is not supported."));
+			return -ENOTSUP;
+		}
+		next_vmk = next_vmk->next;
+	}
+
+	return 0;
+}
+
+static int _activate(struct crypt_device *cd,
 		     const char *name,
-		   const char *password,
-		   size_t passwordLen,
+		     struct volume_key *open_fvek_key,
 		     const struct bitlk_metadata *params,
 		     uint32_t flags)
 {
@@ -1232,8 +1258,6 @@ int BITLK_activate(struct crypt_device *cd,
 		.flags = flags,
 	};
 	struct dm_target *next_segment = NULL;
-	struct volume_key *open_fvek_key = NULL;
-	const struct bitlk_vmk *next_vmk = NULL;
 	struct segment segments[MAX_BITLK_SEGMENTS] = {};
 	struct segment temp;
 	uint64_t next_start = 0;
@@ -1241,44 +1265,14 @@ int BITLK_activate(struct crypt_device *cd,
 	uint64_t last_segment = 0;
 	uint32_t dmt_flags;

-	if (!params->state) {
-		log_err(cd, _("This BITLK device is in an unsupported state and cannot be activated."));
-		r = -ENOTSUP;
-		goto out;
-	}
-
-	if (params->type != BITLK_ENCRYPTION_TYPE_NORMAL) {
-		log_err(cd, _("BITLK devices with type '%s' cannot be activated."), get_bitlk_type_string(params->type));
-		r = -ENOTSUP;
-		goto out;
-	}
-
-	r = BITLK_get_volume_key(cd, password, passwordLen, params, &open_fvek_key);
-	if (r < 0)
+	r = _activate_check(cd, params);
+	if (r)
 		return r;

-	/* Password verify only */
-	if (!name) {
-		crypt_free_volume_key(open_fvek_key);
-		return r;
-	}
-
-	next_vmk = params->vmks;
-	while (next_vmk) {
-		if (next_vmk->protection == BITLK_PROTECTION_CLEAR_KEY) {
-			crypt_free_volume_key(open_fvek_key);
-			log_err(cd, _("Activation of partially decrypted BITLK device is not supported."));
-			return -ENOTSUP;
-		}
-		next_vmk = next_vmk->next;
-	}
-
 	r = device_block_adjust(cd, crypt_data_device(cd), DEV_EXCL,
 				0, &dmd.size, &dmd.flags);
-	if (r) {
-		crypt_free_volume_key(open_fvek_key);
+	if (r)
 		return r;
-	}

 	/* there will be always 4 dm-zero segments: 3x metadata, 1x FS header */
 	for (i = 0; i < 3; i++) {
@@ -1413,6 +1407,57 @@ int BITLK_activate(struct crypt_device *cd,
 	}
 out:
 	dm_targets_free(cd, &dmd);
+	return r;
+}
+
+int BITLK_activate_by_passphrase(struct crypt_device *cd,
+				 const char *name,
+				 const char *password,
+				 size_t passwordLen,
+				 const struct bitlk_metadata *params,
+				 uint32_t flags)
+{
+	int r = 0;
+	struct volume_key *open_fvek_key = NULL;
+
+	r = _activate_check(cd, params);
+	if (r)
+		return r;
+
+	r = BITLK_get_volume_key(cd, password, passwordLen, params, &open_fvek_key);
+	if (r < 0)
+		goto out;
+
+	/* Password verify only */
+	if (!name)
+		goto out;
+
+	r = _activate(cd, name, open_fvek_key, params, flags);
+out:
+	crypt_free_volume_key(open_fvek_key);
+	return r;
+}
+
+int BITLK_activate_by_volume_key(struct crypt_device *cd,
+				 const char *name,
+				 const char *volume_key,
+				 size_t volume_key_size,
+				 const struct bitlk_metadata *params,
+				 uint32_t flags)
+{
+	int r = 0;
+	struct volume_key *open_fvek_key = NULL;
+
+	r = _activate_check(cd, params);
+	if (r)
+		return r;
+
+	open_fvek_key = crypt_alloc_volume_key(volume_key_size, volume_key);
+	if (!open_fvek_key)
+		return -ENOMEM;
+
+	r = _activate(cd, name, open_fvek_key, params, flags);
+
 	crypt_free_volume_key(open_fvek_key);
 	return r;
 }
--- a/lib/bitlk/bitlk.h
+++ b/lib/bitlk/bitlk.h
@@ -123,13 +123,20 @@ int BITLK_get_volume_key(struct crypt_device *cd,
 			 const struct bitlk_metadata *params,
 			 struct volume_key **open_fvek_key);

-int BITLK_activate(struct crypt_device *cd,
+int BITLK_activate_by_passphrase(struct crypt_device *cd,
 				 const char *name,
 				 const char *password,
 				 size_t passwordLen,
 				 const struct bitlk_metadata *params,
 				 uint32_t flags);

+int BITLK_activate_by_volume_key(struct crypt_device *cd,
+				 const char *name,
+				 const char *volume_key,
+				 size_t volume_key_size,
+				 const struct bitlk_metadata *params,
+				 uint32_t flags);
+
 void BITLK_bitlk_fvek_free(struct bitlk_fvek *fvek);
 void BITLK_bitlk_vmk_free(struct bitlk_vmk *vmk);
 void BITLK_bitlk_metadata_free(struct bitlk_metadata *params);
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -4121,7 +4121,7 @@ static int _activate_by_passphrase(struct crypt_device *cd,
 		r = _open_and_activate_luks2(cd, keyslot, name, passphrase, passphrase_size, flags);
 		keyslot = r;
 	} else if (isBITLK(cd->type)) {
-		r = BITLK_activate(cd, name, passphrase, passphrase_size,
+		r = BITLK_activate_by_passphrase(cd, name, passphrase, passphrase_size,
 						 &cd->u.bitlk.params, flags);
 		keyslot = 0;
 	} else {
@@ -4381,6 +4381,9 @@ int crypt_activate_by_volume_key(struct crypt_device *cd,
 				       cd->u.integrity.journal_crypt_key,
 				       cd->u.integrity.journal_mac_key, flags,
 				       cd->u.integrity.sb_flags);
+	} else if (isBITLK(cd->type)) {
+		r = BITLK_activate_by_volume_key(cd, name, volume_key, volume_key_size,
+						 &cd->u.bitlk.params, flags);
 	} else {
 		log_err(cd, _("Device type is not properly initialized."));
 		r = -EINVAL;
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -482,8 +482,9 @@ static int action_open_bitlk(void)
 	struct crypt_device *cd = NULL;
 	const char *activated_name;
 	uint32_t activate_flags = 0;
-	int r, tries;
+	int r, tries, keysize;
 	char *password = NULL;
+	char *key = NULL;
 	size_t passwordLen;

 	activated_name = ARG_SET(OPT_TEST_PASSPHRASE_ID) ? NULL : action_argv[1];
@@ -498,6 +499,21 @@ static int action_open_bitlk(void)
 	}
 	_set_activation_flags(&activate_flags);

+	if (ARG_SET(OPT_MASTER_KEY_FILE_ID)) {
+		keysize = crypt_get_volume_key_size(cd);
+		if (!keysize && !ARG_SET(OPT_KEY_SIZE_ID)) {
+			log_err(_("Cannot determine volume key size for BITLK, please use --key-size option."));
+			r = -EINVAL;
+			goto out;
+		} else if (!keysize)
+			keysize = ARG_UINT32(OPT_KEY_SIZE_ID) / 8;
+
+		r = crypt_cli_read_mk(cd, ARG_STR(OPT_MASTER_KEY_FILE_ID), &key, keysize);
+		if (r < 0)
+			goto out;
+		r = crypt_activate_by_volume_key(cd, activated_name,
+						 key, keysize, activate_flags);
+	} else {
 		tries = (tools_is_stdin(ARG_STR(OPT_KEY_FILE_ID)) && isatty(STDIN_FILENO)) ? ARG_UINT32(OPT_TRIES_ID) : 1;
 		do {
 			r = tools_get_key(NULL, &password, &passwordLen,
@@ -513,8 +529,10 @@ static int action_open_bitlk(void)
 			crypt_safe_free(password);
 			password = NULL;
 		} while ((r == -EPERM || r == -ERANGE) && (--tries > 0));
+	}
 out:
 	crypt_safe_free(password);
+	crypt_safe_free(key);
 	crypt_free(cd);
 	return r;
 }