crypto: implement the LUKS block encryption format
Provide a block encryption implementation that follows the LUKS/dm-crypt specification. This supports all combinations of hash, cipher algorithm, cipher mode and iv generator that are implemented by the current crypto layer. There is support for opening existing volumes formatted by dm-crypt, and for formatting new volumes. In the latter case it will only use key slot 0. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
parent
7d9690148a
commit
3e308f20ed
@ -21,6 +21,7 @@ crypto-obj-y += afsplit.o
|
||||
crypto-obj-y += xts.o
|
||||
crypto-obj-y += block.o
|
||||
crypto-obj-y += block-qcow.o
|
||||
crypto-obj-y += block-luks.o
|
||||
|
||||
# Let the userspace emulators avoid linking gnutls/etc
|
||||
crypto-aes-obj-y = aes.o
|
||||
|
1328
crypto/block-luks.c
Normal file
1328
crypto/block-luks.c
Normal file
File diff suppressed because it is too large
Load Diff
28
crypto/block-luks.h
Normal file
28
crypto/block-luks.h
Normal file
@ -0,0 +1,28 @@
|
||||
/*
|
||||
* QEMU Crypto block device encryption LUKS format
|
||||
*
|
||||
* Copyright (c) 2015-2016 Red Hat, Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef QCRYPTO_BLOCK_LUKS_H__
|
||||
#define QCRYPTO_BLOCK_LUKS_H__
|
||||
|
||||
#include "crypto/blockpriv.h"
|
||||
|
||||
extern const QCryptoBlockDriver qcrypto_block_driver_luks;
|
||||
|
||||
#endif /* QCRYPTO_BLOCK_LUKS_H__ */
|
@ -21,9 +21,11 @@
|
||||
#include "qemu/osdep.h"
|
||||
#include "crypto/blockpriv.h"
|
||||
#include "crypto/block-qcow.h"
|
||||
#include "crypto/block-luks.h"
|
||||
|
||||
static const QCryptoBlockDriver *qcrypto_block_drivers[] = {
|
||||
[Q_CRYPTO_BLOCK_FORMAT_QCOW] = &qcrypto_block_driver_qcow,
|
||||
[Q_CRYPTO_BLOCK_FORMAT_LUKS] = &qcrypto_block_driver_luks,
|
||||
};
|
||||
|
||||
|
||||
|
@ -117,12 +117,13 @@
|
||||
#
|
||||
# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
|
||||
# for liberating data from old images.
|
||||
# @luks: LUKS encryption format. Recommended for new images
|
||||
#
|
||||
# Since: 2.6
|
||||
##
|
||||
{ 'enum': 'QCryptoBlockFormat',
|
||||
# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
|
||||
'data': ['qcow']}
|
||||
'data': ['qcow', 'luks']}
|
||||
|
||||
##
|
||||
# QCryptoBlockOptionsBase:
|
||||
@ -151,6 +152,46 @@
|
||||
{ 'struct': 'QCryptoBlockOptionsQCow',
|
||||
'data': { '*key-secret': 'str' }}
|
||||
|
||||
##
|
||||
# QCryptoBlockOptionsLUKS:
|
||||
#
|
||||
# The options that apply to LUKS encryption format
|
||||
#
|
||||
# @key-secret: #optional the ID of a QCryptoSecret object providing the
|
||||
# decryption key. Mandatory except when probing image for
|
||||
# metadata only.
|
||||
# Since: 2.6
|
||||
##
|
||||
{ 'struct': 'QCryptoBlockOptionsLUKS',
|
||||
'data': { '*key-secret': 'str' }}
|
||||
|
||||
|
||||
##
|
||||
# QCryptoBlockCreateOptionsLUKS:
|
||||
#
|
||||
# The options that apply to LUKS encryption format initialization
|
||||
#
|
||||
# @cipher-alg: #optional the cipher algorithm for data encryption
|
||||
# Currently defaults to 'aes'.
|
||||
# @cipher-mode: #optional the cipher mode for data encryption
|
||||
# Currently defaults to 'cbc'
|
||||
# @ivgen-alg: #optional the initialization vector generator
|
||||
# Currently defaults to 'essiv'
|
||||
# @ivgen-hash-alg: #optional the initialization vector generator hash
|
||||
# Currently defaults to 'sha256'
|
||||
# @hash-alg: #optional the master key hash algorithm
|
||||
# Currently defaults to 'sha256'
|
||||
# Since: 2.6
|
||||
##
|
||||
{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
|
||||
'base': 'QCryptoBlockOptionsLUKS',
|
||||
'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
|
||||
'*cipher-mode': 'QCryptoCipherMode',
|
||||
'*ivgen-alg': 'QCryptoIVGenAlgorithm',
|
||||
'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
|
||||
'*hash-alg': 'QCryptoHashAlgorithm'}}
|
||||
|
||||
|
||||
##
|
||||
# QCryptoBlockOpenOptions:
|
||||
#
|
||||
@ -162,7 +203,8 @@
|
||||
{ 'union': 'QCryptoBlockOpenOptions',
|
||||
'base': 'QCryptoBlockOptionsBase',
|
||||
'discriminator': 'format',
|
||||
'data': { 'qcow': 'QCryptoBlockOptionsQCow' } }
|
||||
'data': { 'qcow': 'QCryptoBlockOptionsQCow',
|
||||
'luks': 'QCryptoBlockOptionsLUKS' } }
|
||||
|
||||
|
||||
##
|
||||
@ -176,4 +218,5 @@
|
||||
{ 'union': 'QCryptoBlockCreateOptions',
|
||||
'base': 'QCryptoBlockOptionsBase',
|
||||
'discriminator': 'format',
|
||||
'data': { 'qcow': 'QCryptoBlockOptionsQCow' } }
|
||||
'data': { 'qcow': 'QCryptoBlockOptionsQCow',
|
||||
'luks': 'QCryptoBlockCreateOptionsLUKS' } }
|
||||
|
@ -23,6 +23,15 @@
|
||||
#include "crypto/block.h"
|
||||
#include "qemu/buffer.h"
|
||||
#include "crypto/secret.h"
|
||||
#ifndef _WIN32
|
||||
#include <sys/resource.h>
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_UUID) && (defined(_WIN32) || defined RUSAGE_THREAD)
|
||||
#define TEST_LUKS
|
||||
#else
|
||||
#undef TEST_LUKS
|
||||
#endif
|
||||
|
||||
static QCryptoBlockCreateOptions qcow_create_opts = {
|
||||
.format = Q_CRYPTO_BLOCK_FORMAT_QCOW,
|
||||
@ -40,6 +49,63 @@ static QCryptoBlockOpenOptions qcow_open_opts = {
|
||||
},
|
||||
};
|
||||
|
||||
|
||||
#ifdef TEST_LUKS
|
||||
static QCryptoBlockOpenOptions luks_open_opts = {
|
||||
.format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
|
||||
.u.luks = {
|
||||
.has_key_secret = true,
|
||||
.key_secret = (char *)"sec0",
|
||||
},
|
||||
};
|
||||
|
||||
|
||||
/* Creation with all default values */
|
||||
static QCryptoBlockCreateOptions luks_create_opts_default = {
|
||||
.format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
|
||||
.u.luks = {
|
||||
.has_key_secret = true,
|
||||
.key_secret = (char *)"sec0",
|
||||
},
|
||||
};
|
||||
|
||||
|
||||
/* ...and with explicit values */
|
||||
static QCryptoBlockCreateOptions luks_create_opts_aes256_cbc_plain64 = {
|
||||
.format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
|
||||
.u.luks = {
|
||||
.has_key_secret = true,
|
||||
.key_secret = (char *)"sec0",
|
||||
.has_cipher_alg = true,
|
||||
.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256,
|
||||
.has_cipher_mode = true,
|
||||
.cipher_mode = QCRYPTO_CIPHER_MODE_CBC,
|
||||
.has_ivgen_alg = true,
|
||||
.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64,
|
||||
},
|
||||
};
|
||||
|
||||
|
||||
static QCryptoBlockCreateOptions luks_create_opts_aes256_cbc_essiv = {
|
||||
.format = Q_CRYPTO_BLOCK_FORMAT_LUKS,
|
||||
.u.luks = {
|
||||
.has_key_secret = true,
|
||||
.key_secret = (char *)"sec0",
|
||||
.has_cipher_alg = true,
|
||||
.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256,
|
||||
.has_cipher_mode = true,
|
||||
.cipher_mode = QCRYPTO_CIPHER_MODE_CBC,
|
||||
.has_ivgen_alg = true,
|
||||
.ivgen_alg = QCRYPTO_IVGEN_ALG_ESSIV,
|
||||
.has_ivgen_hash_alg = true,
|
||||
.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256,
|
||||
.has_hash_alg = true,
|
||||
.hash_alg = QCRYPTO_HASH_ALG_SHA1,
|
||||
},
|
||||
};
|
||||
#endif /* TEST_LUKS */
|
||||
|
||||
|
||||
static struct QCryptoBlockTestData {
|
||||
const char *path;
|
||||
QCryptoBlockCreateOptions *create_opts;
|
||||
@ -52,7 +118,9 @@ static struct QCryptoBlockTestData {
|
||||
QCryptoHashAlgorithm hash_alg;
|
||||
|
||||
QCryptoIVGenAlgorithm ivgen_alg;
|
||||
QCryptoCipherAlgorithm ivgen_hash;
|
||||
QCryptoHashAlgorithm ivgen_hash;
|
||||
|
||||
bool slow;
|
||||
} test_data[] = {
|
||||
{
|
||||
.path = "/crypto/block/qcow",
|
||||
@ -66,6 +134,54 @@ static struct QCryptoBlockTestData {
|
||||
|
||||
.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64,
|
||||
},
|
||||
#ifdef TEST_LUKS
|
||||
{
|
||||
.path = "/crypto/block/luks/default",
|
||||
.create_opts = &luks_create_opts_default,
|
||||
.open_opts = &luks_open_opts,
|
||||
|
||||
.expect_header = true,
|
||||
|
||||
.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256,
|
||||
.cipher_mode = QCRYPTO_CIPHER_MODE_XTS,
|
||||
.hash_alg = QCRYPTO_HASH_ALG_SHA256,
|
||||
|
||||
.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64,
|
||||
|
||||
.slow = true,
|
||||
},
|
||||
{
|
||||
.path = "/crypto/block/luks/aes-256-cbc-plain64",
|
||||
.create_opts = &luks_create_opts_aes256_cbc_plain64,
|
||||
.open_opts = &luks_open_opts,
|
||||
|
||||
.expect_header = true,
|
||||
|
||||
.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256,
|
||||
.cipher_mode = QCRYPTO_CIPHER_MODE_CBC,
|
||||
.hash_alg = QCRYPTO_HASH_ALG_SHA256,
|
||||
|
||||
.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64,
|
||||
|
||||
.slow = true,
|
||||
},
|
||||
{
|
||||
.path = "/crypto/block/luks/aes-256-cbc-essiv",
|
||||
.create_opts = &luks_create_opts_aes256_cbc_essiv,
|
||||
.open_opts = &luks_open_opts,
|
||||
|
||||
.expect_header = true,
|
||||
|
||||
.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256,
|
||||
.cipher_mode = QCRYPTO_CIPHER_MODE_CBC,
|
||||
.hash_alg = QCRYPTO_HASH_ALG_SHA1,
|
||||
|
||||
.ivgen_alg = QCRYPTO_IVGEN_ALG_ESSIV,
|
||||
.ivgen_hash = QCRYPTO_HASH_ALG_SHA256,
|
||||
|
||||
.slow = true,
|
||||
},
|
||||
#endif
|
||||
};
|
||||
|
||||
|
||||
@ -232,8 +348,15 @@ int main(int argc, char **argv)
|
||||
g_assert(qcrypto_init(NULL) == 0);
|
||||
|
||||
for (i = 0; i < G_N_ELEMENTS(test_data); i++) {
|
||||
if (test_data[i].open_opts->format == Q_CRYPTO_BLOCK_FORMAT_LUKS &&
|
||||
!qcrypto_hash_supports(test_data[i].hash_alg)) {
|
||||
continue;
|
||||
}
|
||||
if (!test_data[i].slow ||
|
||||
g_test_slow()) {
|
||||
g_test_add_data_func(test_data[i].path, &test_data[i], test_block);
|
||||
}
|
||||
}
|
||||
|
||||
return g_test_run();
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user