uvm_swap_encrypt.c revision 1.22
1/* $OpenBSD: uvm_swap_encrypt.c,v 1.22 2015/05/06 04:00:10 dlg Exp $ */ 2 3/* 4 * Copyright 1999 Niels Provos <provos@citi.umich.edu> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Niels Provos. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33#include <sys/param.h> 34#include <sys/systm.h> 35#include <sys/kernel.h> 36#include <sys/malloc.h> 37#include <sys/sysctl.h> 38#include <sys/time.h> 39#include <crypto/rijndael.h> 40 41#include <uvm/uvm.h> 42#include <uvm/uvm_swap_encrypt.h> 43 44struct swap_key *kcur = NULL; 45rijndael_ctx swap_ctxt; 46 47int uvm_doswapencrypt = 1; 48u_int uvm_swpkeyscreated = 0; 49u_int uvm_swpkeysdeleted = 0; 50 51int swap_encrypt_initialized = 0; 52 53int 54swap_encrypt_ctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, 55 void *newp, size_t newlen, struct proc *p) 56{ 57 /* all sysctl names at this level are terminal */ 58 if (namelen != 1) 59 return (ENOTDIR); /* overloaded */ 60 61 switch (name[0]) { 62 case SWPENC_ENABLE: { 63 int doencrypt = uvm_doswapencrypt; 64 int result; 65 66 result = sysctl_int(oldp, oldlenp, newp, newlen, &doencrypt); 67 if (result) 68 return result; 69 70 /* 71 * Swap Encryption has been turned on, we need to 72 * initialize state for swap devices that have been 73 * added. 74 */ 75 if (doencrypt) 76 uvm_swap_initcrypt_all(); 77 uvm_doswapencrypt = doencrypt; 78 return (0); 79 } 80 case SWPENC_CREATED: 81 return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeyscreated)); 82 case SWPENC_DELETED: 83 return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeysdeleted)); 84 default: 85 return (EOPNOTSUPP); 86 } 87 /* NOTREACHED */ 88} 89 90void 91swap_key_create(struct swap_key *key) 92{ 93 arc4random_buf(key->key, sizeof(key->key)); 94 uvm_swpkeyscreated++; 95} 96 97void 98swap_key_delete(struct swap_key *key) 99{ 100 /* Make sure that this key gets removed if we just used it */ 101 swap_key_cleanup(key); 102 103 explicit_bzero(key, sizeof(*key)); 104 uvm_swpkeysdeleted++; 105} 106 107/* 108 * Encrypt the data before it goes to swap, the size should be 64-bit 109 * aligned. 110 */ 111 112void 113swap_encrypt(struct swap_key *key, caddr_t src, caddr_t dst, u_int64_t block, 114 size_t count) 115{ 116 u_int32_t *dsrc = (u_int32_t *)src; 117 u_int32_t *ddst = (u_int32_t *)dst; 118 u_int32_t iv[4]; 119 u_int32_t iv1, iv2, iv3, iv4; 120 121 if (!swap_encrypt_initialized) 122 swap_encrypt_initialized = 1; 123 124 swap_key_prepare(key, 1); 125 126 count /= sizeof(u_int32_t); 127 128 iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1]; 129 rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv); 130 iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3]; 131 132 for (; count > 0; count -= 4) { 133 ddst[0] = dsrc[0] ^ iv1; 134 ddst[1] = dsrc[1] ^ iv2; 135 ddst[2] = dsrc[2] ^ iv3; 136 ddst[3] = dsrc[3] ^ iv4; 137 /* 138 * Do not worry about endianess, it only needs to decrypt 139 * on this machine. 140 */ 141 rijndael_encrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst); 142 iv1 = ddst[0]; 143 iv2 = ddst[1]; 144 iv3 = ddst[2]; 145 iv4 = ddst[3]; 146 147 dsrc += 4; 148 ddst += 4; 149 } 150} 151 152/* 153 * Decrypt the data after we retrieved it from swap, the size should be 64-bit 154 * aligned. 155 */ 156 157void 158swap_decrypt(struct swap_key *key, caddr_t src, caddr_t dst, u_int64_t block, 159 size_t count) 160{ 161 u_int32_t *dsrc = (u_int32_t *)src; 162 u_int32_t *ddst = (u_int32_t *)dst; 163 u_int32_t iv[4]; 164 u_int32_t iv1, iv2, iv3, iv4, niv1, niv2, niv3, niv4; 165 166 if (!swap_encrypt_initialized) 167 panic("swap_decrypt: key not initialized"); 168 169 swap_key_prepare(key, 0); 170 171 count /= sizeof(u_int32_t); 172 173 iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1]; 174 rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv); 175 iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3]; 176 177 for (; count > 0; count -= 4) { 178 ddst[0] = niv1 = dsrc[0]; 179 ddst[1] = niv2 = dsrc[1]; 180 ddst[2] = niv3 = dsrc[2]; 181 ddst[3] = niv4 = dsrc[3]; 182 rijndael_decrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst); 183 ddst[0] ^= iv1; 184 ddst[1] ^= iv2; 185 ddst[2] ^= iv3; 186 ddst[3] ^= iv4; 187 188 iv1 = niv1; 189 iv2 = niv2; 190 iv3 = niv3; 191 iv4 = niv4; 192 193 dsrc += 4; 194 ddst += 4; 195 } 196} 197 198void 199swap_key_prepare(struct swap_key *key, int encrypt) 200{ 201 /* 202 * Check if we have prepared for this key already, 203 * if we only have the encryption schedule, we have 204 * to recompute and get the decryption schedule also. 205 */ 206 if (kcur == key && (encrypt || !swap_ctxt.enc_only)) 207 return; 208 209 if (encrypt) 210 rijndael_set_key_enc_only(&swap_ctxt, (u_char *)key->key, 211 sizeof(key->key) * 8); 212 else 213 rijndael_set_key(&swap_ctxt, (u_char *)key->key, 214 sizeof(key->key) * 8); 215 216 kcur = key; 217} 218 219/* 220 * Make sure that a specific key is no longer available. 221 */ 222 223void 224swap_key_cleanup(struct swap_key *key) 225{ 226 /* Check if we have a key */ 227 if (kcur == NULL || kcur != key) 228 return; 229 230 /* Zero out the subkeys */ 231 explicit_bzero(&swap_ctxt, sizeof(swap_ctxt)); 232 233 kcur = NULL; 234} 235