mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-10 18:30:00 +01:00
0a6f89cfa6
This patch adds support for Linux kernel (since version 5.11) dm-integrity fixes that disables integrity recalculation if keyed algorithms (HMAC) is used. Original dm-integrity superblock version <=4 is recalculation offset field not protected by HMAC. An attacker can move this pointer and force the kernel to recalculate the data area, ignoring original HMAC tags. N.B. dm-integrity was not intended to protect against intentional changes. Better use authenticated encryption (AEAD) in combination with dm-crypt. It is designed to protect against random data corruption caused by hardware or storage medium faults. Despite that, we try to keep the system secure if keyed algorithms are used. There are two possible keyed algorithms in dm-integrity - algorithm used to protect journal and superblock (--journal-integrity) and algorithms for protecting data (--integrity). The dm-integrity superblock is guarded by --journal-integrity, so if you want to protect data with HMAC, you should always also use HMAC for --journal-integrity. The keys are independent. If HMAC is used for data but not for the journal, recalculation is disabled by default. For new kernel dm-integrity, the HMAC option also uses salt in superblock to avoid an easy way to distinguish that the HMAC key is the same for two devices (if data are the same). The new HMAC and superblock are enabled automatically if the kernel supports it (you can see superblock version 5 and fix_hmac flag in dump command). If you need to use (insecure) backward compatibility, then two new integritysetup options are introduced: Use --integrity-legacy-recalc (instead of --integrity-recalc) to allow recalculation on legacy devices. Use --integrity-legacy-hmac in format action to force old insecure version format (with HMAC). Libcryptsetup API also introduces flags CRYPT_COMPAT_LEGACY_INTEGRITY_HMAC and CRYPT_COMPAT_LEGACY_INTEGRITY_RECALC to set these through crypt_set_compatibility() call.
104 lines
3.3 KiB
C
104 lines
3.3 KiB
C
/*
|
|
* Integrity header definition
|
|
*
|
|
* Copyright (C) 2016-2021 Milan Broz
|
|
*
|
|
* This file is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This file is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this file; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*/
|
|
|
|
#ifndef _CRYPTSETUP_INTEGRITY_H
|
|
#define _CRYPTSETUP_INTEGRITY_H
|
|
|
|
#include <stdint.h>
|
|
|
|
struct crypt_device;
|
|
struct device;
|
|
struct crypt_params_integrity;
|
|
struct volume_key;
|
|
struct crypt_dm_active_device;
|
|
|
|
/* dm-integrity helper */
|
|
#define SB_MAGIC "integrt"
|
|
#define SB_VERSION_1 1
|
|
#define SB_VERSION_2 2
|
|
#define SB_VERSION_3 3
|
|
#define SB_VERSION_4 4
|
|
#define SB_VERSION_5 5
|
|
|
|
#define SB_FLAG_HAVE_JOURNAL_MAC (1 << 0)
|
|
#define SB_FLAG_RECALCULATING (1 << 1) /* V2 only */
|
|
#define SB_FLAG_DIRTY_BITMAP (1 << 2) /* V3 only */
|
|
#define SB_FLAG_FIXED_PADDING (1 << 3) /* V4 only */
|
|
#define SB_FLAG_FIXED_HMAC (1 << 4) /* V5 only */
|
|
|
|
struct superblock {
|
|
uint8_t magic[8];
|
|
uint8_t version;
|
|
int8_t log2_interleave_sectors;
|
|
uint16_t integrity_tag_size;
|
|
uint32_t journal_sections;
|
|
uint64_t provided_data_sectors;
|
|
uint32_t flags;
|
|
uint8_t log2_sectors_per_block;
|
|
uint8_t log2_blocks_per_bitmap_bit; /* V3 only */
|
|
uint8_t pad[2];
|
|
uint64_t recalc_sector; /* V2 only */
|
|
} __attribute__ ((packed));
|
|
|
|
int INTEGRITY_read_sb(struct crypt_device *cd,
|
|
struct crypt_params_integrity *params,
|
|
uint32_t *flags);
|
|
|
|
int INTEGRITY_dump(struct crypt_device *cd, struct device *device, uint64_t offset);
|
|
|
|
int INTEGRITY_data_sectors(struct crypt_device *cd,
|
|
struct device *device, uint64_t offset,
|
|
uint64_t *data_sectors);
|
|
int INTEGRITY_key_size(struct crypt_device *cd,
|
|
const char *integrity);
|
|
int INTEGRITY_tag_size(struct crypt_device *cd,
|
|
const char *integrity,
|
|
const char *cipher,
|
|
const char *cipher_mode);
|
|
int INTEGRITY_hash_tag_size(const char *integrity);
|
|
|
|
int INTEGRITY_format(struct crypt_device *cd,
|
|
const struct crypt_params_integrity *params,
|
|
struct volume_key *journal_crypt_key,
|
|
struct volume_key *journal_mac_key);
|
|
|
|
int INTEGRITY_activate(struct crypt_device *cd,
|
|
const char *name,
|
|
const struct crypt_params_integrity *params,
|
|
struct volume_key *vk,
|
|
struct volume_key *journal_crypt_key,
|
|
struct volume_key *journal_mac_key,
|
|
uint32_t flags, uint32_t sb_flags);
|
|
|
|
int INTEGRITY_create_dmd_device(struct crypt_device *cd,
|
|
const struct crypt_params_integrity *params,
|
|
struct volume_key *vk,
|
|
struct volume_key *journal_crypt_key,
|
|
struct volume_key *journal_mac_key,
|
|
struct crypt_dm_active_device *dmd,
|
|
uint32_t flags, uint32_t sb_flags);
|
|
|
|
int INTEGRITY_activate_dmd_device(struct crypt_device *cd,
|
|
const char *name,
|
|
const char *type,
|
|
struct crypt_dm_active_device *dmd,
|
|
uint32_t sb_flags);
|
|
#endif
|