LXR qemu/crypto/block-qcow.c

   1/*
   2 * QEMU Crypto block device encryption QCow/QCow2 AES-CBC format
   3 *
   4 * Copyright (c) 2015-2016 Red Hat, Inc.
   5 *
   6 * This library is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU Lesser General Public
   8 * License as published by the Free Software Foundation; either
   9 * version 2 of the License, or (at your option) any later version.
  10 *
  11 * This library is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 * Lesser General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU Lesser General Public
  17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18 *
  19 */
  20
  21/*
  22 * Note that the block encryption implemented in this file is broken
  23 * by design. This exists only to allow data to be liberated from
  24 * existing qcow[2] images and should not be used in any new areas.
  25 */
  26
  27#include "qemu/osdep.h"
  28#include "qapi/error.h"
  29
  30#include "crypto/block-qcow.h"
  31#include "crypto/secret.h"
  32
  33#define QCRYPTO_BLOCK_QCOW_SECTOR_SIZE 512
  34
  35
  36static bool
  37qcrypto_block_qcow_has_format(const uint8_t *buf G_GNUC_UNUSED,
  38                              size_t buf_size G_GNUC_UNUSED)
  39{
  40    return false;
  41}
  42
  43
  44static int
  45qcrypto_block_qcow_init(QCryptoBlock *block,
  46                        const char *keysecret,
  47                        Error **errp)
  48{
  49    char *password;
  50    int ret;
  51    uint8_t keybuf[16];
  52    int len;
  53
  54    memset(keybuf, 0, 16);
  55
  56    password = qcrypto_secret_lookup_as_utf8(keysecret, errp);
  57    if (!password) {
  58        return -1;
  59    }
  60
  61    len = strlen(password);
  62    memcpy(keybuf, password, MIN(len, sizeof(keybuf)));
  63    g_free(password);
  64
  65    block->niv = qcrypto_cipher_get_iv_len(QCRYPTO_CIPHER_ALG_AES_128,
  66                                           QCRYPTO_CIPHER_MODE_CBC);
  67    block->ivgen = qcrypto_ivgen_new(QCRYPTO_IVGEN_ALG_PLAIN64,
  68                                     0, 0, NULL, 0, errp);
  69    if (!block->ivgen) {
  70        ret = -ENOTSUP;
  71        goto fail;
  72    }
  73
  74    block->cipher = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_128,
  75                                       QCRYPTO_CIPHER_MODE_CBC,
  76                                       keybuf, G_N_ELEMENTS(keybuf),
  77                                       errp);
  78    if (!block->cipher) {
  79        ret = -ENOTSUP;
  80        goto fail;
  81    }
  82
  83    block->payload_offset = 0;
  84
  85    return 0;
  86
  87 fail:
  88    qcrypto_cipher_free(block->cipher);
  89    qcrypto_ivgen_free(block->ivgen);
  90    return ret;
  91}
  92
  93
  94static int
  95qcrypto_block_qcow_open(QCryptoBlock *block,
  96                        QCryptoBlockOpenOptions *options,
  97                        QCryptoBlockReadFunc readfunc G_GNUC_UNUSED,
  98                        void *opaque G_GNUC_UNUSED,
  99                        unsigned int flags,
 100                        Error **errp)
 101{
 102    if (flags & QCRYPTO_BLOCK_OPEN_NO_IO) {
 103        return 0;
 104    } else {
 105        if (!options->u.qcow.key_secret) {
 106            error_setg(errp,
 107                       "Parameter 'key-secret' is required for cipher");
 108            return -1;
 109        }
 110        return qcrypto_block_qcow_init(block,
 111                                       options->u.qcow.key_secret, errp);
 112    }
 113}
 114
 115
 116static int
 117qcrypto_block_qcow_create(QCryptoBlock *block,
 118                          QCryptoBlockCreateOptions *options,
 119                          QCryptoBlockInitFunc initfunc G_GNUC_UNUSED,
 120                          QCryptoBlockWriteFunc writefunc G_GNUC_UNUSED,
 121                          void *opaque G_GNUC_UNUSED,
 122                          Error **errp)
 123{
 124    if (!options->u.qcow.key_secret) {
 125        error_setg(errp, "Parameter 'key-secret' is required for cipher");
 126        return -1;
 127    }
 128    /* QCow2 has no special header, since everything is hardwired */
 129    return qcrypto_block_qcow_init(block, options->u.qcow.key_secret, errp);
 130}
 131
 132
 133static void
 134qcrypto_block_qcow_cleanup(QCryptoBlock *block)
 135{
 136}
 137
 138
 139static int
 140qcrypto_block_qcow_decrypt(QCryptoBlock *block,
 141                           uint64_t startsector,
 142                           uint8_t *buf,
 143                           size_t len,
 144                           Error **errp)
 145{
 146    return qcrypto_block_decrypt_helper(block->cipher,
 147                                        block->niv, block->ivgen,
 148                                        QCRYPTO_BLOCK_QCOW_SECTOR_SIZE,
 149                                        startsector, buf, len, errp);
 150}
 151
 152
 153static int
 154qcrypto_block_qcow_encrypt(QCryptoBlock *block,
 155                           uint64_t startsector,
 156                           uint8_t *buf,
 157                           size_t len,
 158                           Error **errp)
 159{
 160    return qcrypto_block_encrypt_helper(block->cipher,
 161                                        block->niv, block->ivgen,
 162                                        QCRYPTO_BLOCK_QCOW_SECTOR_SIZE,
 163                                        startsector, buf, len, errp);
 164}
 165
 166
 167const QCryptoBlockDriver qcrypto_block_driver_qcow = {
 168    .open = qcrypto_block_qcow_open,
 169    .create = qcrypto_block_qcow_create,
 170    .cleanup = qcrypto_block_qcow_cleanup,
 171    .decrypt = qcrypto_block_qcow_decrypt,
 172    .encrypt = qcrypto_block_qcow_encrypt,
 173    .has_format = qcrypto_block_qcow_has_format,
 174};
 175