Add basic support for system TCRYPT device.

Rename option hidden to tcrypt-hidden.

lib/libcryptsetup.h

@@ -396,6 +396,8 @@ struct crypt_params_verity {
 #define CRYPT_TCRYPT_HIDDEN_HEADER   (1 << 1)
 /** Try to load backup header */
 #define CRYPT_TCRYPT_BACKUP_HEADER   (1 << 2)
+/** Device contains encrypted system (with boot loader) */
+#define CRYPT_TCRYPT_SYSTEM_HEADER   (1 << 3)
 
 struct crypt_params_tcrypt {
 	const char *passphrase;    /**< passphrase to unlock header (input only) */

lib/tcrypt/tcrypt.c

@@ -568,7 +568,11 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
 	}
 
 	r = -EIO;
-	if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
+	if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
+		if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
+		    read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
+			r = TCRYPT_init_hdr(cd, hdr, params);
+	} else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
 		if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
 			if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
 			    read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
@@ -854,7 +858,11 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 
 	/* No real header loaded, initialized by active device */
 	if (!hdr->d.version)
-		return hdr->d.mk_offset / hdr->d.sector_size;
+		goto hdr_offset;
+
+	/* Mapping through whole device, not partition! */
+	if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
+		goto hdr_offset;
 
 	if (params->mode && !strncmp(params->mode, "xts", 3)) {
 		if (hdr->d.version < 3)
@@ -868,7 +876,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 			return (size - hdr->d.hidden_volume_size +
 				(TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
 		}
-		return (hdr->d.mk_offset / hdr->d.sector_size);
+		goto hdr_offset;
 	}
 
 	if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
@@ -878,7 +886,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
 			(TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
 	}
 
-	// FIXME: system vol.
+hdr_offset:
 	return hdr->d.mk_offset / hdr->d.sector_size;
 }
 

lib/tcrypt/tcrypt.h

@@ -36,6 +36,8 @@
 #define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536
 #define TCRYPT_HDR_OFFSET_BCK -131072
 
+#define TCRYPT_HDR_SYSTEM_OFFSET 31744
+
 #define TCRYPT_LRW_IKEY_LEN 16
 #define TCRYPT_KEY_POOL_LEN 64
 #define TCRYPT_KEYFILE_LEN  1048576

man/cryptsetup.8

@@ -397,8 +397,12 @@ using LRW or XTS encryption modes.
 The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
 and doesn't require superuser privilege.
 
+To map system device (device with boot loader where the whole encrypted
+system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
+device not the system partition as the device parameter.
+
 To use hidden header (and map hidden device, if available),
-use \fB\-\-hidden\fR option.
+use \fB\-\-tcrypt-hidden\fR option.
 .PP
 \fIopen\fR \-\-type tcrypt <device> <name>
 .br
@@ -406,8 +410,8 @@ use \fB\-\-hidden\fR option.
 .IP
 Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
 
-\fB<options>\fR can be [\-\-key-file, \-\-hidden, \-\-readonly,
-\-\-test-passphrase].
+\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
+\-\-readonly, \-\-test-passphrase].
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated. Note that using keyfiles is compatible
@@ -425,7 +429,8 @@ a passphrase.
 This means that if the master key is compromised, the whole device has
 to be erased to prevent further access. Use this option carefully.
 
-\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-hidden].
+\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
+\-\-tcrypt-system].
 
 The keyfile parameter allows combination of file content with the
 passphrase and can be repeated.

src/cryptsetup.c

@@ -57,7 +57,8 @@ static int opt_dump_master_key = 0;
 static int opt_shared = 0;
 static int opt_allow_discards = 0;
 static int opt_test_passphrase = 0;
-static int opt_hidden = 0;
+static int opt_tcrypt_hidden = 0;
+static int opt_tcrypt_system = 0;
 
 static const char **action_argv;
 static int action_argc;
@@ -231,9 +232,12 @@ static int action_open_tcrypt(void)
 	if (r < 0)
 		goto out;
 
-	if (opt_hidden)
+	if (opt_tcrypt_hidden)
 		params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 
+	if (opt_tcrypt_system)
+		params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+
 	r = crypt_load(cd, CRYPT_TCRYPT, &params);
 	check_signal(&r);
 	if (r < 0)
@@ -313,9 +317,12 @@ static int action_tcryptDump(void)
 	if (r < 0)
 		goto out;
 
-	if (opt_hidden)
+	if (opt_tcrypt_hidden)
 		params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
 
+	if (opt_tcrypt_system)
+		params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+
 	r = crypt_load(cd, CRYPT_TCRYPT, &params);
 	check_signal(&r);
 	if (r < 0)
@@ -1368,9 +1375,10 @@ int main(int argc, const char **argv)
 		{ "allow-discards",    '\0', POPT_ARG_NONE, &opt_allow_discards,        0, N_("Allow discards (aka TRIM) requests for device."), NULL },
 		{ "header",            '\0', POPT_ARG_STRING, &opt_header_device,       0, N_("Device or file with separated LUKS header."), NULL },
 		{ "test-passphrase",   '\0', POPT_ARG_NONE, &opt_test_passphrase,       0, N_("Do not activate device, just check passphrase."), NULL },
-		{ "hidden",            '\0', POPT_ARG_NONE, &opt_hidden,                0, N_("Use hidden header (hidden TCRYPT device) ."), NULL },
+		{ "tcrypt-hidden",     '\0', POPT_ARG_NONE, &opt_tcrypt_hidden,         0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
+		{ "tcrypt-system",     '\0', POPT_ARG_NONE, &opt_tcrypt_system,         0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
 		{ "type",               'M', POPT_ARG_STRING, &opt_type,                0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
-		{ "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,         0, N_("Disable password quality check (if enabled)."), NULL },
+		{ "force-password",    '\0', POPT_ARG_NONE, &opt_force_password,        0, N_("Disable password quality check (if enabled)."), NULL },
 		POPT_TABLEEND
 	};
 	poptContext popt_context;
@@ -1570,10 +1578,10 @@ int main(int argc, const char **argv)
 		_("Option --offset is supported only for open of plain and loopaes devices.\n"),
 		poptGetInvocationName(popt_context));
 
-	if (opt_hidden && strcmp(aname, "tcryptDump") &&
+	if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") &&
 	    (strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
 		usage(popt_context, EXIT_FAILURE,
-		_("Option --hidden is supported only for TCRYPT device.\n"),
+		_("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"),
 		poptGetInvocationName(popt_context));
 
 	if (opt_debug) {

tests/tcrypt-compat-test

@@ -72,13 +72,13 @@ done
 echo "HEADER CHECK (HIDDEN)"
 for file in $(ls $TST_DIR/tc_*-hidden) ; do
 	echo -n " $file (hidden)"
-	echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --hidden $file >/dev/null || fail
+	echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail
 	echo " [OK]"
 done
 
 echo "HEADER KEYFILES CHECK"
 for file in $(ls $TST_DIR/tck_*) ; do
-	echo -n " $file (hidden)"
+	echo -n " $file"
 	echo $PASSWORD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
 	echo " [OK]"
 done
@@ -102,7 +102,7 @@ done
 echo "ACTIVATION FS UUID (HIDDEN) CHECK (LRW/XTS modes only)"
 for file in $(ls $TST_DIR/tc_*-lrw-*-hidden $TST_DIR/tc_*-xts-*-hidden) ; do
 	echo -n " $file"
-	echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --hidden || fail
+	echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden || fail
 	UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
 	$CRYPTSETUP remove $MAP || fail
 	[ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."