211 lines
7.0 KiB
C
211 lines
7.0 KiB
C
/*
|
|
* VAS_EBOOT -- GRand Unified Bootloader
|
|
* Copyright (C) 2002,2003,2004,2005,2006,2007,2008,2009 Free Software Foundation, Inc.
|
|
*
|
|
* VAS_EBOOT is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* VAS_EBOOT is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with VAS_EBOOT. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#ifndef VAS_EBOOT_CRYPTODISK_HEADER
|
|
#define VAS_EBOOT_CRYPTODISK_HEADER 1
|
|
|
|
#include <VasEBoot/disk.h>
|
|
#include <VasEBoot/file.h>
|
|
#include <VasEBoot/crypto.h>
|
|
#include <VasEBoot/list.h>
|
|
#ifdef VAS_EBOOT_UTIL
|
|
#include <VasEBoot/emu/hostdisk.h>
|
|
#endif
|
|
|
|
typedef enum
|
|
{
|
|
VAS_EBOOT_CRYPTODISK_MODE_ECB,
|
|
VAS_EBOOT_CRYPTODISK_MODE_CBC,
|
|
VAS_EBOOT_CRYPTODISK_MODE_PCBC,
|
|
VAS_EBOOT_CRYPTODISK_MODE_XTS,
|
|
VAS_EBOOT_CRYPTODISK_MODE_LRW
|
|
} VasEBoot_cryptodisk_mode_t;
|
|
|
|
typedef enum
|
|
{
|
|
VAS_EBOOT_CRYPTODISK_MODE_IV_NULL,
|
|
VAS_EBOOT_CRYPTODISK_MODE_IV_PLAIN,
|
|
VAS_EBOOT_CRYPTODISK_MODE_IV_PLAIN64,
|
|
VAS_EBOOT_CRYPTODISK_MODE_IV_ESSIV,
|
|
VAS_EBOOT_CRYPTODISK_MODE_IV_BENBI,
|
|
VAS_EBOOT_CRYPTODISK_MODE_IV_BYTECOUNT64,
|
|
VAS_EBOOT_CRYPTODISK_MODE_IV_BYTECOUNT64_HASH
|
|
} VasEBoot_cryptodisk_mode_iv_t;
|
|
|
|
#define VAS_EBOOT_CRYPTODISK_MAX_UUID_LENGTH 71
|
|
|
|
/* LUKS1 specification defines the block size to always be 512 bytes. */
|
|
#define VAS_EBOOT_LUKS1_LOG_SECTOR_SIZE 9
|
|
|
|
/* By default dm-crypt increments the IV every 512 bytes. */
|
|
#define VAS_EBOOT_CRYPTODISK_IV_LOG_SIZE 9
|
|
|
|
#define VAS_EBOOT_CRYPTODISK_GF_LOG_SIZE 7
|
|
#define VAS_EBOOT_CRYPTODISK_GF_SIZE (1U << VAS_EBOOT_CRYPTODISK_GF_LOG_SIZE)
|
|
#define VAS_EBOOT_CRYPTODISK_GF_LOG_BYTES (VAS_EBOOT_CRYPTODISK_GF_LOG_SIZE - 3)
|
|
#define VAS_EBOOT_CRYPTODISK_GF_BYTES (1U << VAS_EBOOT_CRYPTODISK_GF_LOG_BYTES)
|
|
#define VAS_EBOOT_CRYPTODISK_MAX_KEYLEN 128
|
|
#define VAS_EBOOT_CRYPTODISK_MAX_PASSPHRASE 256
|
|
|
|
#define VAS_EBOOT_CRYPTODISK_MAX_KEYFILE_SIZE 8192
|
|
|
|
struct VasEBoot_cryptodisk;
|
|
|
|
typedef gcry_err_code_t
|
|
(*VasEBoot_cryptodisk_rekey_func_t) (struct VasEBoot_cryptodisk *dev,
|
|
VasEBoot_uint64_t zoneno);
|
|
|
|
struct VasEBoot_cryptomount_cached_key
|
|
{
|
|
VasEBoot_uint8_t *key;
|
|
VasEBoot_size_t key_len;
|
|
|
|
/*
|
|
* The key protector associated with this cache entry failed, so avoid it
|
|
* even if the cached entry (an instance of this structure) is empty.
|
|
*/
|
|
bool invalid;
|
|
};
|
|
|
|
struct VasEBoot_cryptomount_args
|
|
{
|
|
/* scan: Flag to indicate that only bootable volumes should be decrypted */
|
|
VasEBoot_uint32_t check_boot : 1;
|
|
/* scan: Only volumes matching this UUID should be decrpyted */
|
|
char *search_uuid;
|
|
/* recover_key: Key data used to decrypt voume */
|
|
VasEBoot_uint8_t *key_data;
|
|
/* recover_key: Length of key_data */
|
|
VasEBoot_size_t key_len;
|
|
VasEBoot_file_t hdr_file;
|
|
/* recover_key: Names of the key protectors to use (NULL-terminated) */
|
|
char **protectors;
|
|
/* recover_key: Key cache to avoid invoking the same key protector twice */
|
|
struct VasEBoot_cryptomount_cached_key *key_cache;
|
|
};
|
|
typedef struct VasEBoot_cryptomount_args *VasEBoot_cryptomount_args_t;
|
|
|
|
struct VasEBoot_cryptodisk
|
|
{
|
|
struct VasEBoot_cryptodisk *next;
|
|
struct VasEBoot_cryptodisk **prev;
|
|
|
|
char *source;
|
|
/*
|
|
* The number of sectors the start of the encrypted data is offset into the
|
|
* underlying disk, where sectors are the size noted by log_sector_size.
|
|
*/
|
|
VasEBoot_disk_addr_t offset_sectors;
|
|
/* Total number of encrypted sectors of size (1 << log_sector_size). */
|
|
VasEBoot_disk_addr_t total_sectors;
|
|
VasEBoot_disk_t source_disk;
|
|
int ref;
|
|
VasEBoot_crypto_cipher_handle_t cipher;
|
|
VasEBoot_crypto_cipher_handle_t secondary_cipher;
|
|
VasEBoot_crypto_cipher_handle_t essiv_cipher;
|
|
const gcry_md_spec_t *essiv_hash, *hash, *iv_hash;
|
|
VasEBoot_cryptodisk_mode_t mode;
|
|
VasEBoot_cryptodisk_mode_iv_t mode_iv;
|
|
int benbi_log;
|
|
unsigned long id, source_id;
|
|
enum VasEBoot_disk_dev_id source_dev_id;
|
|
char uuid[VAS_EBOOT_CRYPTODISK_MAX_UUID_LENGTH + 1];
|
|
VasEBoot_uint8_t lrw_key[VAS_EBOOT_CRYPTODISK_GF_BYTES];
|
|
VasEBoot_uint8_t *lrw_precalc;
|
|
VasEBoot_uint8_t iv_prefix[64];
|
|
VasEBoot_size_t iv_prefix_len;
|
|
VasEBoot_uint8_t key[VAS_EBOOT_CRYPTODISK_MAX_KEYLEN];
|
|
VasEBoot_size_t keysize;
|
|
#ifdef VAS_EBOOT_UTIL
|
|
char *cheat;
|
|
VasEBoot_util_fd_t cheat_fd;
|
|
#endif
|
|
const char *modname;
|
|
int log_sector_size;
|
|
VasEBoot_cryptodisk_rekey_func_t rekey;
|
|
int rekey_shift;
|
|
VasEBoot_uint8_t rekey_key[64];
|
|
VasEBoot_uint64_t last_rekey;
|
|
int rekey_derived_size;
|
|
VasEBoot_disk_addr_t partition_start;
|
|
};
|
|
typedef struct VasEBoot_cryptodisk *VasEBoot_cryptodisk_t;
|
|
|
|
struct VasEBoot_cryptodisk_dev
|
|
{
|
|
struct VasEBoot_cryptodisk_dev *next;
|
|
struct VasEBoot_cryptodisk_dev **prev;
|
|
|
|
VasEBoot_cryptodisk_t (*scan) (VasEBoot_disk_t disk, VasEBoot_cryptomount_args_t cargs);
|
|
VasEBoot_err_t (*recover_key) (VasEBoot_disk_t disk, VasEBoot_cryptodisk_t dev, VasEBoot_cryptomount_args_t cargs);
|
|
};
|
|
typedef struct VasEBoot_cryptodisk_dev *VasEBoot_cryptodisk_dev_t;
|
|
|
|
extern VasEBoot_cryptodisk_dev_t EXPORT_VAR (VasEBoot_cryptodisk_list);
|
|
|
|
#ifndef VAS_EBOOT_LST_GENERATOR
|
|
static inline void
|
|
VasEBoot_cryptodisk_dev_register (VasEBoot_cryptodisk_dev_t cr)
|
|
{
|
|
VasEBoot_list_push (VAS_EBOOT_AS_LIST_P (&VasEBoot_cryptodisk_list), VAS_EBOOT_AS_LIST (cr));
|
|
}
|
|
#endif
|
|
|
|
static inline void
|
|
VasEBoot_cryptodisk_dev_unregister (VasEBoot_cryptodisk_dev_t cr)
|
|
{
|
|
VasEBoot_list_remove (VAS_EBOOT_AS_LIST (cr));
|
|
}
|
|
|
|
#define FOR_CRYPTODISK_DEVS(var) FOR_LIST_ELEMENTS((var), (VasEBoot_cryptodisk_list))
|
|
|
|
VasEBoot_err_t
|
|
VasEBoot_cryptodisk_setcipher (VasEBoot_cryptodisk_t crypt, const char *ciphername, const char *ciphermode);
|
|
|
|
gcry_err_code_t
|
|
VasEBoot_cryptodisk_setkey (VasEBoot_cryptodisk_t dev,
|
|
VasEBoot_uint8_t *key, VasEBoot_size_t keysize);
|
|
gcry_err_code_t
|
|
VasEBoot_cryptodisk_decrypt (struct VasEBoot_cryptodisk *dev,
|
|
VasEBoot_uint8_t * data, VasEBoot_size_t len,
|
|
VasEBoot_disk_addr_t sector, VasEBoot_size_t log_sector_size);
|
|
VasEBoot_err_t
|
|
VasEBoot_cryptodisk_insert (VasEBoot_cryptodisk_t newdev, const char *name,
|
|
VasEBoot_disk_t source);
|
|
#ifdef VAS_EBOOT_UTIL
|
|
VasEBoot_err_t
|
|
VasEBoot_cryptodisk_cheat_insert (VasEBoot_cryptodisk_t newdev, const char *name,
|
|
VasEBoot_disk_t source, const char *cheat);
|
|
void
|
|
VasEBoot_util_cryptodisk_get_abstraction (VasEBoot_disk_t disk,
|
|
void (*cb) (const char *val, void *data),
|
|
void *data);
|
|
|
|
char *
|
|
VasEBoot_util_get_geli_uuid (const char *dev);
|
|
#endif
|
|
|
|
VasEBoot_cryptodisk_t VasEBoot_cryptodisk_get_by_uuid (const char *uuid);
|
|
VasEBoot_cryptodisk_t VasEBoot_cryptodisk_get_by_source_disk (VasEBoot_disk_t disk);
|
|
|
|
#ifdef VAS_EBOOT_MACHINE_EFI
|
|
VasEBoot_err_t VasEBoot_cryptodisk_challenge_password (void);
|
|
void VasEBoot_cryptodisk_erasesecrets (void);
|
|
#endif
|
|
#endif
|