Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/geom/bde/g_bde_crypt.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2002 Poul-Henning Kamp 5 * Copyright (c) 2002 Networks Associates Technology, Inc. 6 * All rights reserved. 7 * 8 * This software was developed for the FreeBSD Project by Poul-Henning Kamp 9 * and NAI Labs, the Security Research Division of Network Associates, Inc. 10 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 11 * DARPA CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 /* This source file contains the functions responsible for the crypto, keying 37 * and mapping operations on the I/O requests. 38 * 39 */ 40 41 #include <sys/param.h> 42 #include <sys/bio.h> 43 #include <sys/lock.h> 44 #include <sys/mutex.h> 45 #include <sys/queue.h> 46 #include <sys/malloc.h> 47 #include <sys/libkern.h> 48 #include <sys/endian.h> 49 #include <sys/md5.h> 50 51 #include <crypto/rijndael/rijndael-api-fst.h> 52 #include <crypto/sha2/sha512.h> 53 54 #include <geom/geom.h> 55 #include <geom/bde/g_bde.h> 56 57 /* 58 * XXX: Debugging DO NOT ENABLE 59 */ 60 #undef MD5_KEY 61 62 /* 63 * Derive kkey from mkey + sector offset. 64 * 65 * Security objective: Derive a potentially very large number of distinct skeys 66 * from the comparatively small key material in our mkey, in such a way that 67 * if one, more or even many of the kkeys are compromised, this does not 68 * significantly help an attack on other kkeys and in particular does not 69 * weaken or compromise the mkey. 70 * 71 * First we MD5 hash the sectornumber with the salt from the lock sector. 72 * The salt prevents the precalculation and statistical analysis of the MD5 73 * output which would be possible if we only gave it the sectornumber. 74 * 75 * The MD5 hash is used to pick out 16 bytes from the masterkey, which 76 * are then hashed with MD5 together with the sector number. 77 * 78 * The resulting MD5 hash is the kkey. 79 */ 80 81 static void 82 g_bde_kkey(struct g_bde_softc *sc, keyInstance *ki, int dir, off_t sector) 83 { 84 u_int t; 85 MD5_CTX ct; 86 u_char buf[16]; 87 u_char buf2[8]; 88 89 /* We have to be architecture neutral */ 90 le64enc(buf2, sector); 91 92 MD5Init(&ct); 93 MD5Update(&ct, sc->key.salt, 8); 94 MD5Update(&ct, buf2, sizeof buf2); 95 MD5Update(&ct, sc->key.salt + 8, 8); 96 MD5Final(buf, &ct); 97 98 MD5Init(&ct); 99 for (t = 0; t < 16; t++) { 100 MD5Update(&ct, &sc->key.mkey[buf[t]], 1); 101 if (t == 8) 102 MD5Update(&ct, buf2, sizeof buf2); 103 } 104 bzero(buf2, sizeof buf2); 105 MD5Final(buf, &ct); 106 bzero(&ct, sizeof ct); 107 AES_makekey(ki, dir, G_BDE_KKEYBITS, buf); 108 bzero(buf, sizeof buf); 109 } 110 111 /* 112 * Encryption work for read operation. 113 * 114 * Security objective: Find the kkey, find the skey, decrypt the sector data. 115 */ 116 117 void 118 g_bde_crypt_read(struct g_bde_work *wp) 119 { 120 struct g_bde_softc *sc; 121 u_char *d; 122 u_int n; 123 off_t o; 124 u_char skey[G_BDE_SKEYLEN]; 125 keyInstance ki; 126 cipherInstance ci; 127 128 AES_init(&ci); 129 sc = wp->softc; 130 o = 0; 131 for (n = 0; o < wp->length; n++, o += sc->sectorsize) { 132 d = (u_char *)wp->ksp->data + wp->ko + n * G_BDE_SKEYLEN; 133 g_bde_kkey(sc, &ki, DIR_DECRYPT, wp->offset + o); 134 AES_decrypt(&ci, &ki, d, skey, sizeof skey); 135 d = (u_char *)wp->data + o; 136 AES_makekey(&ki, DIR_DECRYPT, G_BDE_SKEYBITS, skey); 137 AES_decrypt(&ci, &ki, d, d, sc->sectorsize); 138 } 139 bzero(skey, sizeof skey); 140 bzero(&ci, sizeof ci); 141 bzero(&ki, sizeof ki); 142 } 143 144 /* 145 * Encryption work for write operation. 146 * 147 * Security objective: Create random skey, encrypt sector data, 148 * encrypt skey with the kkey. 149 */ 150 151 void 152 g_bde_crypt_write(struct g_bde_work *wp) 153 { 154 u_char *s, *d; 155 struct g_bde_softc *sc; 156 u_int n; 157 off_t o; 158 u_char skey[G_BDE_SKEYLEN]; 159 keyInstance ki; 160 cipherInstance ci; 161 162 sc = wp->softc; 163 AES_init(&ci); 164 o = 0; 165 for (n = 0; o < wp->length; n++, o += sc->sectorsize) { 166 s = (u_char *)wp->data + o; 167 d = (u_char *)wp->sp->data + o; 168 arc4rand(skey, sizeof skey, 0); 169 AES_makekey(&ki, DIR_ENCRYPT, G_BDE_SKEYBITS, skey); 170 AES_encrypt(&ci, &ki, s, d, sc->sectorsize); 171 172 d = (u_char *)wp->ksp->data + wp->ko + n * G_BDE_SKEYLEN; 173 g_bde_kkey(sc, &ki, DIR_ENCRYPT, wp->offset + o); 174 AES_encrypt(&ci, &ki, skey, d, sizeof skey); 175 bzero(skey, sizeof skey); 176 } 177 bzero(skey, sizeof skey); 178 bzero(&ci, sizeof ci); 179 bzero(&ki, sizeof ki); 180 } 181 182 /* 183 * Encryption work for delete operation. 184 * 185 * Security objective: Write random data to the sectors. 186 * 187 * XXX: At a hit in performance we would trash the encrypted skey as well. 188 * XXX: This would add frustration to the cleaning lady attack by making 189 * XXX: deletes look like writes. 190 */ 191 192 void 193 g_bde_crypt_delete(struct g_bde_work *wp) 194 { 195 struct g_bde_softc *sc; 196 u_char *d; 197 off_t o; 198 u_char skey[G_BDE_SKEYLEN]; 199 keyInstance ki; 200 cipherInstance ci; 201 202 sc = wp->softc; 203 d = wp->sp->data; 204 AES_init(&ci); 205 /* 206 * Do not unroll this loop! 207 * Our zone may be significantly wider than the amount of random 208 * bytes arc4rand likes to give in one reseeding, whereas our 209 * sectorsize is far more likely to be in the same range. 210 */ 211 for (o = 0; o < wp->length; o += sc->sectorsize) { 212 arc4rand(d, sc->sectorsize, 0); 213 arc4rand(skey, sizeof skey, 0); 214 AES_makekey(&ki, DIR_ENCRYPT, G_BDE_SKEYBITS, skey); 215 AES_encrypt(&ci, &ki, d, d, sc->sectorsize); 216 d += sc->sectorsize; 217 } 218 /* 219 * Having written a long random sequence to disk here, we want to 220 * force a reseed, to avoid weakening the next time we use random 221 * data for something important. 222 */ 223 arc4rand(&o, sizeof o, 1); 224 } 225 226 /* 227 * Calculate the total payload size of the encrypted device. 228 * 229 * Security objectives: none. 230 * 231 * This function needs to agree with g_bde_map_sector() about things. 232 */ 233 234 uint64_t 235 g_bde_max_sector(struct g_bde_key *kp) 236 { 237 uint64_t maxsect; 238 239 maxsect = kp->media_width; 240 maxsect /= kp->zone_width; 241 maxsect *= kp->zone_cont; 242 return (maxsect); 243 } 244 245 /* 246 * Convert an unencrypted side offset to offsets on the encrypted side. 247 * 248 * Security objective: Make it harder to identify what sectors contain what 249 * on a "cold" disk image. 250 * 251 * We do this by adding the "keyoffset" from the lock to the physical sector 252 * number modulus the available number of sectors. Since all physical sectors 253 * presumably look the same cold, this will do. 254 * 255 * As part of the mapping we have to skip the lock sectors which we know 256 * the physical address off. We also truncate the work packet, respecting 257 * zone boundaries and lock sectors, so that we end up with a sequence of 258 * sectors which are physically contiguous. 259 * 260 * Shuffling things further is an option, but the incremental frustration is 261 * not currently deemed worth the run-time performance hit resulting from the 262 * increased number of disk arm movements it would incur. 263 * 264 * This function offers nothing but a trivial diversion for an attacker able 265 * to do "the cleaning lady attack" in its current static mapping form. 266 */ 267 268 void 269 g_bde_map_sector(struct g_bde_work *wp) 270 { 271 272 u_int zone, zoff, u, len; 273 uint64_t ko; 274 struct g_bde_softc *sc; 275 struct g_bde_key *kp; 276 277 sc = wp->softc; 278 kp = &sc->key; 279 280 /* find which zone and the offset in it */ 281 zone = wp->offset / kp->zone_cont; 282 zoff = wp->offset % kp->zone_cont; 283 284 /* Calculate the offset of the key in the key sector */ 285 wp->ko = (zoff / kp->sectorsize) * G_BDE_SKEYLEN; 286 287 /* restrict length to that zone */ 288 len = kp->zone_cont - zoff; 289 290 /* ... and in general */ 291 if (len > DFLTPHYS) 292 len = DFLTPHYS; 293 294 if (len < wp->length) 295 wp->length = len; 296 297 /* Find physical sector address */ 298 wp->so = zone * kp->zone_width + zoff; 299 wp->so += kp->keyoffset; 300 wp->so %= kp->media_width; 301 if (wp->so + wp->length > kp->media_width) 302 wp->length = kp->media_width - wp->so; 303 wp->so += kp->sector0; 304 305 /* The key sector is the last in this zone. */ 306 wp->kso = zone * kp->zone_width + kp->zone_cont; 307 wp->kso += kp->keyoffset; 308 wp->kso %= kp->media_width; 309 wp->kso += kp->sector0; 310 311 /* Compensate for lock sectors */ 312 for (u = 0; u < G_BDE_MAXKEYS; u++) { 313 /* Find the start of this lock sector */ 314 ko = rounddown2(kp->lsector[u], (uint64_t)kp->sectorsize); 315 316 if (wp->kso >= ko) 317 wp->kso += kp->sectorsize; 318 319 if (wp->so >= ko) { 320 /* lock sector before work packet */ 321 wp->so += kp->sectorsize; 322 } else if ((wp->so + wp->length) > ko) { 323 /* lock sector in work packet, truncate */ 324 wp->length = ko - wp->so; 325 } 326 } 327 328 #if 0 329 printf("off %jd len %jd so %jd ko %jd kso %u\n", 330 (intmax_t)wp->offset, 331 (intmax_t)wp->length, 332 (intmax_t)wp->so, 333 (intmax_t)wp->kso, 334 wp->ko); 335 #endif 336 KASSERT(wp->so + wp->length <= kp->sectorN, 337 ("wp->so (%jd) + wp->length (%jd) > EOM (%jd), offset = %jd", 338 (intmax_t)wp->so, 339 (intmax_t)wp->length, 340 (intmax_t)kp->sectorN, 341 (intmax_t)wp->offset)); 342 343 KASSERT(wp->kso + kp->sectorsize <= kp->sectorN, 344 ("wp->kso (%jd) + kp->sectorsize > EOM (%jd), offset = %jd", 345 (intmax_t)wp->kso, 346 (intmax_t)kp->sectorN, 347 (intmax_t)wp->offset)); 348 349 KASSERT(wp->so >= kp->sector0, 350 ("wp->so (%jd) < BOM (%jd), offset = %jd", 351 (intmax_t)wp->so, 352 (intmax_t)kp->sector0, 353 (intmax_t)wp->offset)); 354 355 KASSERT(wp->kso >= kp->sector0, 356 ("wp->kso (%jd) <BOM (%jd), offset = %jd", 357 (intmax_t)wp->kso, 358 (intmax_t)kp->sector0, 359 (intmax_t)wp->offset)); 360 }
Cache object: 0e2bde4e80e9560d1091ca0b8f5034af
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]