geliboot.c revision 344397
11539Srgrimes/*- 21539Srgrimes * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org> 31539Srgrimes * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net> 41539Srgrimes * All rights reserved. 51539Srgrimes * 61539Srgrimes * Redistribution and use in source and binary forms, with or without 71539Srgrimes * modification, are permitted provided that the following conditions 81539Srgrimes * are met: 91539Srgrimes * 1. Redistributions of source code must retain the above copyright 101539Srgrimes * notice, this list of conditions and the following disclaimer. 111539Srgrimes * 2. Redistributions in binary form must reproduce the above copyright 121539Srgrimes * notice, this list of conditions and the following disclaimer in the 13203964Simp * documentation and/or other materials provided with the distribution. 141539Srgrimes * 151539Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 161539Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 171539Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 181539Srgrimes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 191539Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 201539Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 211539Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 221539Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 231539Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 241539Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 251539Srgrimes * SUCH DAMAGE. 261539Srgrimes * 271539Srgrimes * $FreeBSD: stable/11/stand/libsa/geli/geliboot.c 344397 2019-02-20 23:42:03Z kevans $ 281539Srgrimes */ 2923650Speter 3078169Sru#include "geliboot_internal.h" 311539Srgrimes#include "geliboot.h" 321539Srgrimes 331539SrgrimesSLIST_HEAD(geli_list, geli_entry) geli_head = SLIST_HEAD_INITIALIZER(geli_head); 341539Srgrimesstruct geli_list *geli_headp; 351539Srgrimes 36250887Sedtypedef u_char geli_ukey[G_ELI_USERKEYLEN]; 37250887Sed 381539Srgrimesstatic geli_ukey saved_keys[GELI_MAX_KEYS]; 391539Srgrimesstatic unsigned int nsaved_keys = 0; 401539Srgrimes 411539Srgrimes/* 42250887Sed * Copy keys from local storage to the keybuf struct. 431539Srgrimes * Destroy the local storage when finished. 441539Srgrimes */ 45250887Sedvoid 46250887Sedgeli_fill_keybuf(struct keybuf *fkeybuf) 4778169Sru{ 48103726Swollman unsigned int i; 491539Srgrimes 501539Srgrimes for (i = 0; i < nsaved_keys; i++) { 511539Srgrimes fkeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_GELI; 521539Srgrimes memcpy(fkeybuf->kb_ents[i].ke_data, saved_keys[i], 531539Srgrimes G_ELI_USERKEYLEN); 541539Srgrimes } 551539Srgrimes fkeybuf->kb_nents = nsaved_keys; 561539Srgrimes explicit_bzero(saved_keys, sizeof(saved_keys)); 5723650Speter} 5823650Speter 591539Srgrimes/* 6023650Speter * Copy keys from a keybuf struct into local storage. 6123650Speter * Zero out the keybuf. 621539Srgrimes */ 63103726Swollmanvoid 641539Srgrimesgeli_save_keybuf(struct keybuf *skeybuf) 651539Srgrimes{ 661539Srgrimes unsigned int i; 671539Srgrimes 681539Srgrimes for (i = 0; i < skeybuf->kb_nents && i < GELI_MAX_KEYS; i++) { 691539Srgrimes memcpy(saved_keys[i], skeybuf->kb_ents[i].ke_data, 70175688Syar G_ELI_USERKEYLEN); 71175688Syar explicit_bzero(skeybuf->kb_ents[i].ke_data, 72175688Syar G_ELI_USERKEYLEN); 731539Srgrimes skeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_NONE; 741539Srgrimes } 751539Srgrimes nsaved_keys = skeybuf->kb_nents; 761539Srgrimes skeybuf->kb_nents = 0; 77250887Sed} 78250887Sed 791539Srgrimesstatic void 80250887Sedsave_key(geli_ukey key) 81250887Sed{ 82250887Sed 831539Srgrimes /* 841539Srgrimes * If we run out of key space, the worst that will happen is 851539Srgrimes * it will ask the user for the password again. 86175688Syar */ 871539Srgrimes if (nsaved_keys < GELI_MAX_KEYS) { 881539Srgrimes memcpy(saved_keys[nsaved_keys], key, G_ELI_USERKEYLEN); 891539Srgrimes nsaved_keys++; 901539Srgrimes } 911539Srgrimes} 921539Srgrimes 931539Srgrimesstatic int 941539Srgrimesgeli_same_device(struct geli_entry *ge, struct dsk *dskp) 951539Srgrimes{ 961539Srgrimes 971539Srgrimes if (ge->dsk->drive == dskp->drive && 981539Srgrimes dskp->part == 255 && ge->dsk->part == dskp->slice) { 991539Srgrimes /* 1001539Srgrimes * Sometimes slice = slice, and sometimes part = slice 10123650Speter * If the incoming struct dsk has part=255, it means look at 102175688Syar * the slice instead of the part number 1031539Srgrimes */ 1041539Srgrimes return (0); 1051539Srgrimes } 10623650Speter 107175688Syar /* Is this the same device? */ 1081539Srgrimes if (ge->dsk->drive != dskp->drive || 1091539Srgrimes ge->dsk->slice != dskp->slice || 1101539Srgrimes ge->dsk->part != dskp->part) { 1111539Srgrimes return (1); 1121539Srgrimes } 113175688Syar 1141539Srgrimes return (0); 1151539Srgrimes} 116103726Swollman 117103726Swollmanstatic int 1181539Srgrimesgeli_findkey(struct geli_entry *ge, struct dsk *dskp, u_char *mkey) 1191539Srgrimes{ 1201539Srgrimes u_int keynum; 1211539Srgrimes int i; 1221539Srgrimes 12393032Simp if (ge->keybuf_slot >= 0) { 12493032Simp if (g_eli_mkey_decrypt_any(&ge->md, saved_keys[ge->keybuf_slot], 125103726Swollman mkey, &keynum) == 0) { 126103726Swollman return (0); 127103726Swollman } 128103726Swollman } 12993032Simp 130103726Swollman for (i = 0; i < nsaved_keys; i++) { 13193032Simp if (g_eli_mkey_decrypt_any(&ge->md, saved_keys[i], mkey, 13293032Simp &keynum) == 0) { 133103726Swollman ge->keybuf_slot = i; 1341539Srgrimes return (0); 1351539Srgrimes } 1361539Srgrimes } 137 138 return (1); 139} 140 141void 142geli_init(void) 143{ 144 145 geli_count = 0; 146 SLIST_INIT(&geli_head); 147} 148 149/* 150 * Read the last sector of the drive or partition pointed to by dsk and see 151 * if it is GELI encrypted 152 */ 153int 154geli_taste(int read_func(void *vdev, void *priv, off_t off, void *buf, 155 size_t bytes), struct dsk *dskp, daddr_t lastsector) 156{ 157 struct g_eli_metadata md; 158 u_char buf[DEV_GELIBOOT_BSIZE]; 159 int error; 160 off_t alignsector; 161 162 alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE); 163 if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) { 164 /* Don't read past the end of the disk */ 165 alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE 166 - DEV_GELIBOOT_BSIZE; 167 } 168 error = read_func(NULL, dskp, alignsector, &buf, DEV_GELIBOOT_BSIZE); 169 if (error != 0) { 170 return (error); 171 } 172 /* Extract the last 4k sector of the disk. */ 173 error = eli_metadata_decode(buf, &md); 174 if (error != 0) { 175 /* Try the last 512 byte sector instead. */ 176 error = eli_metadata_decode(buf + 177 (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md); 178 if (error != 0) { 179 return (error); 180 } 181 } 182 183 if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) { 184 /* The GELIBOOT feature is not activated */ 185 return (1); 186 } 187 if ((md.md_flags & G_ELI_FLAG_ONETIME)) { 188 /* Swap device, skip it. */ 189 return (1); 190 } 191 if (md.md_iterations < 0) { 192 /* XXX TODO: Support loading key files. */ 193 /* Disk does not have a passphrase, skip it. */ 194 return (1); 195 } 196 geli_e = malloc(sizeof(struct geli_entry)); 197 if (geli_e == NULL) 198 return (2); 199 200 geli_e->dsk = malloc(sizeof(struct dsk)); 201 if (geli_e->dsk == NULL) 202 return (2); 203 memcpy(geli_e->dsk, dskp, sizeof(struct dsk)); 204 geli_e->part_end = lastsector; 205 if (dskp->part == 255) { 206 geli_e->dsk->part = dskp->slice; 207 } 208 geli_e->keybuf_slot = -1; 209 210 geli_e->md = md; 211 eli_metadata_softc(&geli_e->sc, &md, DEV_BSIZE, 212 (lastsector + DEV_BSIZE) * DEV_BSIZE); 213 214 SLIST_INSERT_HEAD(&geli_head, geli_e, entries); 215 geli_count++; 216 217 return (0); 218} 219 220/* 221 * Attempt to decrypt the device 222 */ 223static int 224geli_attach(struct geli_entry *ge, struct dsk *dskp, const char *passphrase, 225 u_char *mkeyp) 226{ 227 u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN], *mkp; 228 u_int keynum; 229 struct hmac_ctx ctx; 230 int error; 231 232 if (mkeyp != NULL) { 233 memcpy(&mkey, mkeyp, G_ELI_DATAIVKEYLEN); 234 explicit_bzero(mkeyp, G_ELI_DATAIVKEYLEN); 235 } 236 237 if (mkeyp != NULL || geli_findkey(ge, dskp, mkey) == 0) { 238 goto found_key; 239 } 240 241 g_eli_crypto_hmac_init(&ctx, NULL, 0); 242 /* 243 * Prepare Derived-Key from the user passphrase. 244 */ 245 if (geli_e->md.md_iterations < 0) { 246 /* XXX TODO: Support loading key files. */ 247 return (1); 248 } else if (geli_e->md.md_iterations == 0) { 249 g_eli_crypto_hmac_update(&ctx, geli_e->md.md_salt, 250 sizeof(geli_e->md.md_salt)); 251 g_eli_crypto_hmac_update(&ctx, (const uint8_t *)passphrase, 252 strlen(passphrase)); 253 } else if (geli_e->md.md_iterations > 0) { 254 printf("Calculating GELI Decryption Key disk%dp%d @ %d" 255 " iterations...\n", dskp->unit, 256 (dskp->slice > 0 ? dskp->slice : dskp->part), 257 geli_e->md.md_iterations); 258 u_char dkey[G_ELI_USERKEYLEN]; 259 260 pkcs5v2_genkey(dkey, sizeof(dkey), geli_e->md.md_salt, 261 sizeof(geli_e->md.md_salt), passphrase, 262 geli_e->md.md_iterations); 263 g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey)); 264 explicit_bzero(dkey, sizeof(dkey)); 265 } 266 267 g_eli_crypto_hmac_final(&ctx, key, 0); 268 269 error = g_eli_mkey_decrypt_any(&geli_e->md, key, mkey, &keynum); 270 if (error == -1) { 271 explicit_bzero(mkey, sizeof(mkey)); 272 explicit_bzero(key, sizeof(key)); 273 printf("Bad GELI key: bad password?\n"); 274 return (error); 275 } else if (error != 0) { 276 explicit_bzero(mkey, sizeof(mkey)); 277 explicit_bzero(key, sizeof(key)); 278 printf("Failed to decrypt GELI master key: %d\n", error); 279 return (error); 280 } else { 281 /* Add key to keychain */ 282 save_key(key); 283 explicit_bzero(&key, sizeof(key)); 284 } 285 286found_key: 287 /* Store the keys */ 288 bcopy(mkey, geli_e->sc.sc_mkey, sizeof(geli_e->sc.sc_mkey)); 289 bcopy(mkey, geli_e->sc.sc_ivkey, sizeof(geli_e->sc.sc_ivkey)); 290 mkp = mkey + sizeof(geli_e->sc.sc_ivkey); 291 if ((geli_e->sc.sc_flags & G_ELI_FLAG_AUTH) == 0) { 292 bcopy(mkp, geli_e->sc.sc_ekey, G_ELI_DATAKEYLEN); 293 } else { 294 /* 295 * The encryption key is: ekey = HMAC_SHA512(Data-Key, 0x10) 296 */ 297 g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, (const uint8_t *)"\x10", 1, 298 geli_e->sc.sc_ekey, 0); 299 } 300 explicit_bzero(mkey, sizeof(mkey)); 301 302 /* Initialize the per-sector IV. */ 303 switch (geli_e->sc.sc_ealgo) { 304 case CRYPTO_AES_XTS: 305 break; 306 default: 307 SHA256_Init(&geli_e->sc.sc_ivctx); 308 SHA256_Update(&geli_e->sc.sc_ivctx, geli_e->sc.sc_ivkey, 309 sizeof(geli_e->sc.sc_ivkey)); 310 break; 311 } 312 313 return (0); 314} 315 316int 317is_geli(struct dsk *dskp) 318{ 319 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) { 320 if (geli_same_device(geli_e, dskp) == 0) { 321 return (0); 322 } 323 } 324 325 return (1); 326} 327 328int 329geli_read(struct dsk *dskp, off_t offset, u_char *buf, size_t bytes) 330{ 331 u_char iv[G_ELI_IVKEYLEN]; 332 u_char *pbuf; 333 int error; 334 off_t dstoff; 335 uint64_t keyno; 336 size_t n, nsec, secsize; 337 struct g_eli_key gkey; 338 339 pbuf = buf; 340 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) { 341 if (geli_same_device(geli_e, dskp) != 0) { 342 continue; 343 } 344 345 secsize = geli_e->sc.sc_sectorsize; 346 nsec = bytes / secsize; 347 if (nsec == 0) { 348 /* 349 * A read of less than the GELI sector size has been 350 * requested. The caller provided destination buffer may 351 * not be big enough to boost the read to a full sector, 352 * so just attempt to decrypt the truncated sector. 353 */ 354 secsize = bytes; 355 nsec = 1; 356 } 357 358 for (n = 0, dstoff = offset; n < nsec; n++, dstoff += secsize) { 359 360 g_eli_crypto_ivgen(&geli_e->sc, dstoff, iv, 361 G_ELI_IVKEYLEN); 362 363 /* Get the key that corresponds to this offset. */ 364 keyno = (dstoff >> G_ELI_KEY_SHIFT) / secsize; 365 g_eli_key_fill(&geli_e->sc, &gkey, keyno); 366 367 error = geliboot_crypt(geli_e->sc.sc_ealgo, 0, pbuf, 368 secsize, gkey.gek_key, 369 geli_e->sc.sc_ekeylen, iv); 370 371 if (error != 0) { 372 explicit_bzero(&gkey, sizeof(gkey)); 373 printf("Failed to decrypt in geli_read()!"); 374 return (error); 375 } 376 pbuf += secsize; 377 } 378 explicit_bzero(&gkey, sizeof(gkey)); 379 return (0); 380 } 381 382 printf("GELI provider not found\n"); 383 return (1); 384} 385 386int 387geli_havekey(struct dsk *dskp) 388{ 389 u_char mkey[G_ELI_DATAIVKEYLEN]; 390 391 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) { 392 if (geli_same_device(geli_e, dskp) != 0) { 393 continue; 394 } 395 396 if (geli_findkey(geli_e, dskp, mkey) == 0) { 397 if (geli_attach(geli_e, dskp, NULL, mkey) == 0) { 398 return (0); 399 } 400 } 401 } 402 explicit_bzero(mkey, sizeof(mkey)); 403 404 return (1); 405} 406 407int 408geli_passphrase(char *pw, int disk, int parttype, int part, struct dsk *dskp) 409{ 410 int i; 411 412 SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) { 413 if (geli_same_device(geli_e, dskp) != 0) { 414 continue; 415 } 416 417 /* TODO: Implement GELI keyfile(s) support */ 418 for (i = 0; i < 3; i++) { 419 /* Try cached passphrase */ 420 if (i == 0 && pw[0] != '\0') { 421 if (geli_attach(geli_e, dskp, pw, NULL) == 0) { 422 return (0); 423 } 424 } 425 printf("GELI Passphrase for disk%d%c%d: ", disk, 426 parttype, part); 427 pwgets(pw, GELI_PW_MAXLEN, 428 (geli_e->md.md_flags & G_ELI_FLAG_GELIDISPLAYPASS) == 0); 429 printf("\n"); 430 if (geli_attach(geli_e, dskp, pw, NULL) == 0) { 431 return (0); 432 } 433 } 434 } 435 436 return (1); 437} 438