Commit e4c40497 authored by Milan Broz's avatar Milan Broz

Add basic support for system TCRYPT device.

Rename option hidden to tcrypt-hidden.
parent 83f02e66
......@@ -396,6 +396,8 @@ struct crypt_params_verity {
#define CRYPT_TCRYPT_HIDDEN_HEADER (1 << 1)
/** Try to load backup header */
#define CRYPT_TCRYPT_BACKUP_HEADER (1 << 2)
/** Device contains encrypted system (with boot loader) */
#define CRYPT_TCRYPT_SYSTEM_HEADER (1 << 3)
struct crypt_params_tcrypt {
const char *passphrase; /**< passphrase to unlock header (input only) */
......
......@@ -568,7 +568,11 @@ int TCRYPT_read_phdr(struct crypt_device *cd,
}
r = -EIO;
if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER) {
if (lseek(devfd, TCRYPT_HDR_SYSTEM_OFFSET, SEEK_SET) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
r = TCRYPT_init_hdr(cd, hdr, params);
} else if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
if (params->flags & CRYPT_TCRYPT_BACKUP_HEADER) {
if (lseek(devfd, TCRYPT_HDR_HIDDEN_OFFSET_BCK, SEEK_END) >= 0 &&
read_blockwise(devfd, bs, hdr, hdr_size) == hdr_size)
......@@ -854,7 +858,11 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
/* No real header loaded, initialized by active device */
if (!hdr->d.version)
return hdr->d.mk_offset / hdr->d.sector_size;
goto hdr_offset;
/* Mapping through whole device, not partition! */
if (params->flags & CRYPT_TCRYPT_SYSTEM_HEADER)
goto hdr_offset;
if (params->mode && !strncmp(params->mode, "xts", 3)) {
if (hdr->d.version < 3)
......@@ -868,7 +876,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
return (size - hdr->d.hidden_volume_size +
(TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
}
return (hdr->d.mk_offset / hdr->d.sector_size);
goto hdr_offset;
}
if (params->flags & CRYPT_TCRYPT_HIDDEN_HEADER) {
......@@ -878,7 +886,7 @@ uint64_t TCRYPT_get_data_offset(struct crypt_device *cd,
(TCRYPT_HDR_HIDDEN_OFFSET_OLD)) / hdr->d.sector_size;
}
// FIXME: system vol.
hdr_offset:
return hdr->d.mk_offset / hdr->d.sector_size;
}
......
......@@ -36,6 +36,8 @@
#define TCRYPT_HDR_HIDDEN_OFFSET_BCK -65536
#define TCRYPT_HDR_OFFSET_BCK -131072
#define TCRYPT_HDR_SYSTEM_OFFSET 31744
#define TCRYPT_LRW_IKEY_LEN 16
#define TCRYPT_KEY_POOL_LEN 64
#define TCRYPT_KEYFILE_LEN 1048576
......
......@@ -397,8 +397,12 @@ using LRW or XTS encryption modes.
The \fBtcryptDump\fR command should work for all recognized TCRYPT devices
and doesn't require superuser privilege.
To map system device (device with boot loader where the whole encrypted
system resides) use \fB\-\-tcrypt-system\fR option. Use the whole
device not the system partition as the device parameter.
To use hidden header (and map hidden device, if available),
use \fB\-\-hidden\fR option.
use \fB\-\-tcrypt-hidden\fR option.
.PP
\fIopen\fR \-\-type tcrypt <device> <name>
.br
......@@ -406,8 +410,8 @@ use \fB\-\-hidden\fR option.
.IP
Opens the TCRYPT (a TrueCrypt-compatible) <device> and sets up a mapping <name>.
\fB<options>\fR can be [\-\-key-file, \-\-hidden, \-\-readonly,
\-\-test-passphrase].
\fB<options>\fR can be [\-\-key-file, \-\-tcrypt-hidden, \-\-tcrypt-system,
\-\-readonly, \-\-test-passphrase].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated. Note that using keyfiles is compatible
......@@ -425,7 +429,8 @@ a passphrase.
This means that if the master key is compromised, the whole device has
to be erased to prevent further access. Use this option carefully.
\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-hidden].
\fB<options>\fR can be [\-\-dump-master-key, \-\-key-file, \-\-tcrypt-hidden,
\-\-tcrypt-system].
The keyfile parameter allows combination of file content with the
passphrase and can be repeated.
......
......@@ -57,7 +57,8 @@ static int opt_dump_master_key = 0;
static int opt_shared = 0;
static int opt_allow_discards = 0;
static int opt_test_passphrase = 0;
static int opt_hidden = 0;
static int opt_tcrypt_hidden = 0;
static int opt_tcrypt_system = 0;
static const char **action_argv;
static int action_argc;
......@@ -231,9 +232,12 @@ static int action_open_tcrypt(void)
if (r < 0)
goto out;
if (opt_hidden)
if (opt_tcrypt_hidden)
params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
if (opt_tcrypt_system)
params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
r = crypt_load(cd, CRYPT_TCRYPT, &params);
check_signal(&r);
if (r < 0)
......@@ -313,9 +317,12 @@ static int action_tcryptDump(void)
if (r < 0)
goto out;
if (opt_hidden)
if (opt_tcrypt_hidden)
params.flags |= CRYPT_TCRYPT_HIDDEN_HEADER;
if (opt_tcrypt_system)
params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
r = crypt_load(cd, CRYPT_TCRYPT, &params);
check_signal(&r);
if (r < 0)
......@@ -1368,9 +1375,10 @@ int main(int argc, const char **argv)
{ "allow-discards", '\0', POPT_ARG_NONE, &opt_allow_discards, 0, N_("Allow discards (aka TRIM) requests for device."), NULL },
{ "header", '\0', POPT_ARG_STRING, &opt_header_device, 0, N_("Device or file with separated LUKS header."), NULL },
{ "test-passphrase", '\0', POPT_ARG_NONE, &opt_test_passphrase, 0, N_("Do not activate device, just check passphrase."), NULL },
{ "hidden", '\0', POPT_ARG_NONE, &opt_hidden, 0, N_("Use hidden header (hidden TCRYPT device) ."), NULL },
{ "tcrypt-hidden", '\0', POPT_ARG_NONE, &opt_tcrypt_hidden, 0, N_("Use hidden header (hidden TCRYPT device)."), NULL },
{ "tcrypt-system", '\0', POPT_ARG_NONE, &opt_tcrypt_system, 0, N_("Device is system TCRYPT drive (with bootloader)."), NULL },
{ "type", 'M', POPT_ARG_STRING, &opt_type, 0, N_("Type of device metadata: luks, plain, loopaes, tcrypt."), NULL },
{ "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL },
{ "force-password", '\0', POPT_ARG_NONE, &opt_force_password, 0, N_("Disable password quality check (if enabled)."), NULL },
POPT_TABLEEND
};
poptContext popt_context;
......@@ -1570,10 +1578,10 @@ int main(int argc, const char **argv)
_("Option --offset is supported only for open of plain and loopaes devices.\n"),
poptGetInvocationName(popt_context));
if (opt_hidden && strcmp(aname, "tcryptDump") &&
if ((opt_tcrypt_hidden || opt_tcrypt_system) && strcmp(aname, "tcryptDump") &&
(strcmp(aname, "open") || strcmp(opt_type, "tcrypt")))
usage(popt_context, EXIT_FAILURE,
_("Option --hidden is supported only for TCRYPT device.\n"),
_("Option --tcrypt-hidden or --tcrypt-system is supported only for TCRYPT device.\n"),
poptGetInvocationName(popt_context));
if (opt_debug) {
......
......@@ -72,13 +72,13 @@ done
echo "HEADER CHECK (HIDDEN)"
for file in $(ls $TST_DIR/tc_*-hidden) ; do
echo -n " $file (hidden)"
echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --hidden $file >/dev/null || fail
echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail
echo " [OK]"
done
echo "HEADER KEYFILES CHECK"
for file in $(ls $TST_DIR/tck_*) ; do
echo -n " $file (hidden)"
echo -n " $file"
echo $PASSWORD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
echo " [OK]"
done
......@@ -102,7 +102,7 @@ done
echo "ACTIVATION FS UUID (HIDDEN) CHECK (LRW/XTS modes only)"
for file in $(ls $TST_DIR/tc_*-lrw-*-hidden $TST_DIR/tc_*-xts-*-hidden) ; do
echo -n " $file"
echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --hidden || fail
echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden || fail
UUID=$(lsblk -n -o UUID /dev/mapper/$MAP)
$CRYPTSETUP remove $MAP || fail
[ "$UUID" != "CAFE-BABE" ] && fail "UUID check failed."
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment