geliboot.c revision 344397 
11539Srgrimes/*-
21539Srgrimes * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org>
31539Srgrimes * Copyright (c) 2005-2011 Pawel Jakub Dawidek <pawel@dawidek.net>
41539Srgrimes * All rights reserved.
51539Srgrimes *
61539Srgrimes * Redistribution and use in source and binary forms, with or without
71539Srgrimes * modification, are permitted provided that the following conditions
81539Srgrimes * are met:
91539Srgrimes * 1. Redistributions of source code must retain the above copyright
101539Srgrimes *    notice, this list of conditions and the following disclaimer.
111539Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
121539Srgrimes *    notice, this list of conditions and the following disclaimer in the
13203964Simp *    documentation and/or other materials provided with the distribution.
141539Srgrimes *
151539Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
161539Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
171539Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
181539Srgrimes * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
191539Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
201539Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
211539Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
221539Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
231539Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
241539Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
251539Srgrimes * SUCH DAMAGE.
261539Srgrimes *
271539Srgrimes * $FreeBSD: stable/11/stand/libsa/geli/geliboot.c 344397 2019-02-20 23:42:03Z kevans $
281539Srgrimes */
2923650Speter
3078169Sru#include "geliboot_internal.h"
311539Srgrimes#include "geliboot.h"
321539Srgrimes
331539SrgrimesSLIST_HEAD(geli_list, geli_entry) geli_head = SLIST_HEAD_INITIALIZER(geli_head);
341539Srgrimesstruct geli_list *geli_headp;
351539Srgrimes
36250887Sedtypedef u_char geli_ukey[G_ELI_USERKEYLEN];
37250887Sed
381539Srgrimesstatic geli_ukey saved_keys[GELI_MAX_KEYS];
391539Srgrimesstatic unsigned int nsaved_keys = 0;
401539Srgrimes
411539Srgrimes/*
42250887Sed * Copy keys from local storage to the keybuf struct.
431539Srgrimes * Destroy the local storage when finished.
441539Srgrimes */
45250887Sedvoid
46250887Sedgeli_fill_keybuf(struct keybuf *fkeybuf)
4778169Sru{
48103726Swollman	unsigned int i;
491539Srgrimes
501539Srgrimes	for (i = 0; i < nsaved_keys; i++) {
511539Srgrimes		fkeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_GELI;
521539Srgrimes		memcpy(fkeybuf->kb_ents[i].ke_data, saved_keys[i],
531539Srgrimes		    G_ELI_USERKEYLEN);
541539Srgrimes	}
551539Srgrimes	fkeybuf->kb_nents = nsaved_keys;
561539Srgrimes	explicit_bzero(saved_keys, sizeof(saved_keys));
5723650Speter}
5823650Speter
591539Srgrimes/*
6023650Speter * Copy keys from a keybuf struct into local storage.
6123650Speter * Zero out the keybuf.
621539Srgrimes */
63103726Swollmanvoid
641539Srgrimesgeli_save_keybuf(struct keybuf *skeybuf)
651539Srgrimes{
661539Srgrimes	unsigned int i;
671539Srgrimes
681539Srgrimes	for (i = 0; i < skeybuf->kb_nents && i < GELI_MAX_KEYS; i++) {
691539Srgrimes		memcpy(saved_keys[i], skeybuf->kb_ents[i].ke_data,
70175688Syar		    G_ELI_USERKEYLEN);
71175688Syar		explicit_bzero(skeybuf->kb_ents[i].ke_data,
72175688Syar		    G_ELI_USERKEYLEN);
731539Srgrimes		skeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_NONE;
741539Srgrimes	}
751539Srgrimes	nsaved_keys = skeybuf->kb_nents;
761539Srgrimes	skeybuf->kb_nents = 0;
77250887Sed}
78250887Sed
791539Srgrimesstatic void
80250887Sedsave_key(geli_ukey key)
81250887Sed{
82250887Sed
831539Srgrimes	/*
841539Srgrimes	 * If we run out of key space, the worst that will happen is
851539Srgrimes	 * it will ask the user for the password again.
86175688Syar	 */
871539Srgrimes	if (nsaved_keys < GELI_MAX_KEYS) {
881539Srgrimes		memcpy(saved_keys[nsaved_keys], key, G_ELI_USERKEYLEN);
891539Srgrimes		nsaved_keys++;
901539Srgrimes	}
911539Srgrimes}
921539Srgrimes
931539Srgrimesstatic int
941539Srgrimesgeli_same_device(struct geli_entry *ge, struct dsk *dskp)
951539Srgrimes{
961539Srgrimes
971539Srgrimes	if (ge->dsk->drive == dskp->drive &&
981539Srgrimes	    dskp->part == 255 && ge->dsk->part == dskp->slice) {
991539Srgrimes		/*
1001539Srgrimes		 * Sometimes slice = slice, and sometimes part = slice
10123650Speter		 * If the incoming struct dsk has part=255, it means look at
102175688Syar		 * the slice instead of the part number
1031539Srgrimes		 */
1041539Srgrimes		return (0);
1051539Srgrimes	}
10623650Speter
107175688Syar	/* Is this the same device? */
1081539Srgrimes	if (ge->dsk->drive != dskp->drive ||
1091539Srgrimes	    ge->dsk->slice != dskp->slice ||
1101539Srgrimes	    ge->dsk->part != dskp->part) {
1111539Srgrimes		return (1);
1121539Srgrimes	}
113175688Syar
1141539Srgrimes	return (0);
1151539Srgrimes}
116103726Swollman
117103726Swollmanstatic int
1181539Srgrimesgeli_findkey(struct geli_entry *ge, struct dsk *dskp, u_char *mkey)
1191539Srgrimes{
1201539Srgrimes	u_int keynum;
1211539Srgrimes	int i;
1221539Srgrimes
12393032Simp	if (ge->keybuf_slot >= 0) {
12493032Simp		if (g_eli_mkey_decrypt_any(&ge->md, saved_keys[ge->keybuf_slot],
125103726Swollman		    mkey, &keynum) == 0) {
126103726Swollman			return (0);
127103726Swollman		}
128103726Swollman	}
12993032Simp
130103726Swollman	for (i = 0; i < nsaved_keys; i++) {
13193032Simp		if (g_eli_mkey_decrypt_any(&ge->md, saved_keys[i], mkey,
13293032Simp		    &keynum) == 0) {
133103726Swollman			ge->keybuf_slot = i;
1341539Srgrimes			return (0);
1351539Srgrimes		}
1361539Srgrimes	}
137
138	return (1);
139}
140
141void
142geli_init(void)
143{
144
145	geli_count = 0;
146	SLIST_INIT(&geli_head);
147}
148
149/*
150 * Read the last sector of the drive or partition pointed to by dsk and see
151 * if it is GELI encrypted
152 */
153int
154geli_taste(int read_func(void *vdev, void *priv, off_t off, void *buf,
155    size_t bytes), struct dsk *dskp, daddr_t lastsector)
156{
157	struct g_eli_metadata md;
158	u_char buf[DEV_GELIBOOT_BSIZE];
159	int error;
160	off_t alignsector;
161
162	alignsector = rounddown2(lastsector * DEV_BSIZE, DEV_GELIBOOT_BSIZE);
163	if (alignsector + DEV_GELIBOOT_BSIZE > ((lastsector + 1) * DEV_BSIZE)) {
164		/* Don't read past the end of the disk */
165		alignsector = (lastsector * DEV_BSIZE) + DEV_BSIZE
166		    - DEV_GELIBOOT_BSIZE;
167	}
168	error = read_func(NULL, dskp, alignsector, &buf, DEV_GELIBOOT_BSIZE);
169	if (error != 0) {
170		return (error);
171	}
172	/* Extract the last 4k sector of the disk. */
173	error = eli_metadata_decode(buf, &md);
174	if (error != 0) {
175		/* Try the last 512 byte sector instead. */
176		error = eli_metadata_decode(buf +
177		    (DEV_GELIBOOT_BSIZE - DEV_BSIZE), &md);
178		if (error != 0) {
179			return (error);
180		}
181	}
182
183	if (!(md.md_flags & G_ELI_FLAG_GELIBOOT)) {
184		/* The GELIBOOT feature is not activated */
185		return (1);
186	}
187	if ((md.md_flags & G_ELI_FLAG_ONETIME)) {
188		/* Swap device, skip it. */
189		return (1);
190	}
191	if (md.md_iterations < 0) {
192		/* XXX TODO: Support loading key files. */
193		/* Disk does not have a passphrase, skip it. */
194		return (1);
195	}
196	geli_e = malloc(sizeof(struct geli_entry));
197	if (geli_e == NULL)
198		return (2);
199
200	geli_e->dsk = malloc(sizeof(struct dsk));
201	if (geli_e->dsk == NULL)
202		return (2);
203	memcpy(geli_e->dsk, dskp, sizeof(struct dsk));
204	geli_e->part_end = lastsector;
205	if (dskp->part == 255) {
206		geli_e->dsk->part = dskp->slice;
207	}
208	geli_e->keybuf_slot = -1;
209
210	geli_e->md = md;
211	eli_metadata_softc(&geli_e->sc, &md, DEV_BSIZE,
212	    (lastsector + DEV_BSIZE) * DEV_BSIZE);
213
214	SLIST_INSERT_HEAD(&geli_head, geli_e, entries);
215	geli_count++;
216
217	return (0);
218}
219
220/*
221 * Attempt to decrypt the device
222 */
223static int
224geli_attach(struct geli_entry *ge, struct dsk *dskp, const char *passphrase,
225    u_char *mkeyp)
226{
227	u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN], *mkp;
228	u_int keynum;
229	struct hmac_ctx ctx;
230	int error;
231
232	if (mkeyp != NULL) {
233		memcpy(&mkey, mkeyp, G_ELI_DATAIVKEYLEN);
234		explicit_bzero(mkeyp, G_ELI_DATAIVKEYLEN);
235	}
236
237	if (mkeyp != NULL || geli_findkey(ge, dskp, mkey) == 0) {
238		goto found_key;
239	}
240
241	g_eli_crypto_hmac_init(&ctx, NULL, 0);
242	/*
243	 * Prepare Derived-Key from the user passphrase.
244	 */
245	if (geli_e->md.md_iterations < 0) {
246		/* XXX TODO: Support loading key files. */
247		return (1);
248	} else if (geli_e->md.md_iterations == 0) {
249		g_eli_crypto_hmac_update(&ctx, geli_e->md.md_salt,
250		    sizeof(geli_e->md.md_salt));
251		g_eli_crypto_hmac_update(&ctx, (const uint8_t *)passphrase,
252		    strlen(passphrase));
253	} else if (geli_e->md.md_iterations > 0) {
254		printf("Calculating GELI Decryption Key disk%dp%d @ %d"
255		    " iterations...\n", dskp->unit,
256		    (dskp->slice > 0 ? dskp->slice : dskp->part),
257		    geli_e->md.md_iterations);
258		u_char dkey[G_ELI_USERKEYLEN];
259
260		pkcs5v2_genkey(dkey, sizeof(dkey), geli_e->md.md_salt,
261		    sizeof(geli_e->md.md_salt), passphrase,
262		    geli_e->md.md_iterations);
263		g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey));
264		explicit_bzero(dkey, sizeof(dkey));
265	}
266
267	g_eli_crypto_hmac_final(&ctx, key, 0);
268
269	error = g_eli_mkey_decrypt_any(&geli_e->md, key, mkey, &keynum);
270	if (error == -1) {
271		explicit_bzero(mkey, sizeof(mkey));
272		explicit_bzero(key, sizeof(key));
273		printf("Bad GELI key: bad password?\n");
274		return (error);
275	} else if (error != 0) {
276		explicit_bzero(mkey, sizeof(mkey));
277		explicit_bzero(key, sizeof(key));
278		printf("Failed to decrypt GELI master key: %d\n", error);
279		return (error);
280	} else {
281		/* Add key to keychain */
282		save_key(key);
283		explicit_bzero(&key, sizeof(key));
284	}
285
286found_key:
287	/* Store the keys */
288	bcopy(mkey, geli_e->sc.sc_mkey, sizeof(geli_e->sc.sc_mkey));
289	bcopy(mkey, geli_e->sc.sc_ivkey, sizeof(geli_e->sc.sc_ivkey));
290	mkp = mkey + sizeof(geli_e->sc.sc_ivkey);
291	if ((geli_e->sc.sc_flags & G_ELI_FLAG_AUTH) == 0) {
292		bcopy(mkp, geli_e->sc.sc_ekey, G_ELI_DATAKEYLEN);
293	} else {
294		/*
295		 * The encryption key is: ekey = HMAC_SHA512(Data-Key, 0x10)
296		 */
297		g_eli_crypto_hmac(mkp, G_ELI_MAXKEYLEN, (const uint8_t *)"\x10", 1,
298		    geli_e->sc.sc_ekey, 0);
299	}
300	explicit_bzero(mkey, sizeof(mkey));
301
302	/* Initialize the per-sector IV. */
303	switch (geli_e->sc.sc_ealgo) {
304	case CRYPTO_AES_XTS:
305		break;
306	default:
307		SHA256_Init(&geli_e->sc.sc_ivctx);
308		SHA256_Update(&geli_e->sc.sc_ivctx, geli_e->sc.sc_ivkey,
309		    sizeof(geli_e->sc.sc_ivkey));
310		break;
311	}
312
313	return (0);
314}
315
316int
317is_geli(struct dsk *dskp)
318{
319	SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
320		if (geli_same_device(geli_e, dskp) == 0) {
321			return (0);
322		}
323	}
324
325	return (1);
326}
327
328int
329geli_read(struct dsk *dskp, off_t offset, u_char *buf, size_t bytes)
330{
331	u_char iv[G_ELI_IVKEYLEN];
332	u_char *pbuf;
333	int error;
334	off_t dstoff;
335	uint64_t keyno;
336	size_t n, nsec, secsize;
337	struct g_eli_key gkey;
338
339	pbuf = buf;
340	SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
341		if (geli_same_device(geli_e, dskp) != 0) {
342			continue;
343		}
344
345		secsize = geli_e->sc.sc_sectorsize;
346		nsec = bytes / secsize;
347		if (nsec == 0) {
348			/*
349			 * A read of less than the GELI sector size has been
350			 * requested. The caller provided destination buffer may
351			 * not be big enough to boost the read to a full sector,
352			 * so just attempt to decrypt the truncated sector.
353			 */
354			secsize = bytes;
355			nsec = 1;
356		}
357
358		for (n = 0, dstoff = offset; n < nsec; n++, dstoff += secsize) {
359
360			g_eli_crypto_ivgen(&geli_e->sc, dstoff, iv,
361			    G_ELI_IVKEYLEN);
362
363			/* Get the key that corresponds to this offset. */
364			keyno = (dstoff >> G_ELI_KEY_SHIFT) / secsize;
365			g_eli_key_fill(&geli_e->sc, &gkey, keyno);
366
367			error = geliboot_crypt(geli_e->sc.sc_ealgo, 0, pbuf,
368			    secsize, gkey.gek_key,
369			    geli_e->sc.sc_ekeylen, iv);
370
371			if (error != 0) {
372				explicit_bzero(&gkey, sizeof(gkey));
373				printf("Failed to decrypt in geli_read()!");
374				return (error);
375			}
376			pbuf += secsize;
377		}
378		explicit_bzero(&gkey, sizeof(gkey));
379		return (0);
380	}
381
382	printf("GELI provider not found\n");
383	return (1);
384}
385
386int
387geli_havekey(struct dsk *dskp)
388{
389	u_char mkey[G_ELI_DATAIVKEYLEN];
390
391	SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
392		if (geli_same_device(geli_e, dskp) != 0) {
393			continue;
394		}
395
396		if (geli_findkey(geli_e, dskp, mkey) == 0) {
397			if (geli_attach(geli_e, dskp, NULL, mkey) == 0) {
398				return (0);
399			}
400		}
401	}
402	explicit_bzero(mkey, sizeof(mkey));
403
404	return (1);
405}
406
407int
408geli_passphrase(char *pw, int disk, int parttype, int part, struct dsk *dskp)
409{
410	int i;
411
412	SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) {
413		if (geli_same_device(geli_e, dskp) != 0) {
414			continue;
415		}
416
417		/* TODO: Implement GELI keyfile(s) support */
418		for (i = 0; i < 3; i++) {
419			/* Try cached passphrase */
420			if (i == 0 && pw[0] != '\0') {
421				if (geli_attach(geli_e, dskp, pw, NULL) == 0) {
422					return (0);
423				}
424			}
425			printf("GELI Passphrase for disk%d%c%d: ", disk,
426			    parttype, part);
427			pwgets(pw, GELI_PW_MAXLEN,
428			    (geli_e->md.md_flags & G_ELI_FLAG_GELIDISPLAYPASS) == 0);
429			printf("\n");
430			if (geli_attach(geli_e, dskp, pw, NULL) == 0) {
431				return (0);
432			}
433		}
434	}
435
436	return (1);
437}
438