From owner-svn-src-all@freebsd.org Sat Apr 1 05:05:25 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 12DAFD28205; Sat, 1 Apr 2017 05:05:25 +0000 (UTC) (envelope-from allanjude@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CF9C86A0; Sat, 1 Apr 2017 05:05:24 +0000 (UTC) (envelope-from allanjude@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v3155Ouu053379; Sat, 1 Apr 2017 05:05:24 GMT (envelope-from allanjude@FreeBSD.org) Received: (from allanjude@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v3155MCZ053360; Sat, 1 Apr 2017 05:05:22 GMT (envelope-from allanjude@FreeBSD.org) Message-Id: <201704010505.v3155MCZ053360@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: allanjude set sender to allanjude@FreeBSD.org using -f From: Allan Jude Date: Sat, 1 Apr 2017 05:05:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r316343 - in head/sys: boot/geli boot/i386/common boot/i386/gptboot boot/i386/libi386 boot/i386/loader boot/i386/zfsboot boot/zfs crypto geom/eli opencrypto sys X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 01 Apr 2017 05:05:25 -0000 Author: allanjude Date: Sat Apr 1 05:05:22 2017 New Revision: 316343 URL: https://svnweb.freebsd.org/changeset/base/316343 Log: Implement boot-time encryption key passing (keybuf) This patch adds a general mechanism for providing encryption keys to the kernel from the boot loader. This is intended to enable GELI support at boot time, providing a better mechanism for passing keys to the kernel than environment variables. It is designed to be extensible to other applications, and can easily handle multiple encrypted volumes with different keys. This mechanism is currently used by the pending GELI EFI work. Additionally, this mechanism can potentially be used to interface with GRUB, opening up options for coreboot+GRUB configurations with completely encrypted disks. Another benefit over the existing system is that it does not require re-deriving the user key from the password at each boot stage. Most of this patch was written by Eric McCorkle. It was extended by Allan Jude with a number of minor enhancements and extending the keybuf feature into boot2. GELI user keys are now derived once, in boot2, then passed to the loader, which reuses the key, then passes it to the kernel, where the GELI module destroys the keybuf after decrypting the volumes. Submitted by: Eric McCorkle (Original Version) Reviewed by: oshogbo (earlier version), cem (earlier version) MFC after: 3 weeks Relnotes: yes Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D9575 Added: head/sys/boot/geli/geliboot_internal.h (contents, props changed) head/sys/crypto/intake.h (contents, props changed) Modified: head/sys/boot/geli/Makefile head/sys/boot/geli/geliboot.c head/sys/boot/geli/geliboot.h head/sys/boot/geli/geliboot_crypto.c head/sys/boot/i386/common/bootargs.h head/sys/boot/i386/gptboot/Makefile head/sys/boot/i386/gptboot/gptboot.c head/sys/boot/i386/libi386/biosdisk.c head/sys/boot/i386/libi386/bootinfo32.c head/sys/boot/i386/libi386/bootinfo64.c head/sys/boot/i386/loader/Makefile head/sys/boot/i386/loader/main.c head/sys/boot/i386/zfsboot/zfsboot.c head/sys/boot/zfs/libzfs.h head/sys/geom/eli/g_eli.c head/sys/geom/eli/g_eli.h head/sys/opencrypto/crypto.c head/sys/sys/linker.h Modified: head/sys/boot/geli/Makefile ============================================================================== --- head/sys/boot/geli/Makefile Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/geli/Makefile Sat Apr 1 05:05:22 2017 (r316343) @@ -39,6 +39,7 @@ SRCS+= md5c.c # AES implementation from sys/crypto .PATH: ${.CURDIR}/../../crypto/rijndael CFLAGS+= -I${.CURDIR}/../../ +CFLAGS+= -I${.CURDIR}/../common/ # Remove asserts CFLAGS+= -DNDEBUG SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael-api.c Modified: head/sys/boot/geli/geliboot.c ============================================================================== --- head/sys/boot/geli/geliboot.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/geli/geliboot.c Sat Apr 1 05:05:22 2017 (r316343) @@ -27,17 +27,75 @@ * $FreeBSD$ */ +#include "geliboot_internal.h" #include "geliboot.h" SLIST_HEAD(geli_list, geli_entry) geli_head = SLIST_HEAD_INITIALIZER(geli_head); struct geli_list *geli_headp; +typedef u_char geli_ukey[G_ELI_USERKEYLEN]; + +static geli_ukey saved_keys[GELI_MAX_KEYS]; +static unsigned int nsaved_keys = 0; + +/* + * Copy keys from local storage to the keybuf struct. + * Destroy the local storage when finished. + */ +void +geli_fill_keybuf(struct keybuf *fkeybuf) +{ + unsigned int i; + + for (i = 0; i < nsaved_keys; i++) { + fkeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_GELI; + memcpy(fkeybuf->kb_ents[i].ke_data, saved_keys[i], + G_ELI_USERKEYLEN); + } + fkeybuf->kb_nents = nsaved_keys; + explicit_bzero(saved_keys, sizeof(saved_keys)); +} + +/* + * Copy keys from a keybuf struct into local storage. + * Zero out the keybuf. + */ +void +geli_save_keybuf(struct keybuf *skeybuf) +{ + unsigned int i; + + for (i = 0; i < skeybuf->kb_nents && i < GELI_MAX_KEYS; i++) { + memcpy(saved_keys[i], skeybuf->kb_ents[i].ke_data, + G_ELI_USERKEYLEN); + explicit_bzero(skeybuf->kb_ents[i].ke_data, + G_ELI_USERKEYLEN); + skeybuf->kb_ents[i].ke_type = KEYBUF_TYPE_NONE; + } + nsaved_keys = skeybuf->kb_nents; + skeybuf->kb_nents = 0; +} + +static void +save_key(geli_ukey key) +{ + + /* + * If we run out of key space, the worst that will happen is + * it will ask the user for the password again. + */ + if (nsaved_keys < GELI_MAX_KEYS) { + memcpy(saved_keys[nsaved_keys], key, G_ELI_USERKEYLEN); + nsaved_keys++; + } +} + static int geli_same_device(struct geli_entry *ge, struct dsk *dskp) { - if (geli_e->dsk->drive == dskp->drive && - dskp->part == 255 && geli_e->dsk->part == dskp->slice) { + if (ge->dsk->drive == dskp->drive && + dskp->part == 255 && ge->dsk->part == dskp->slice) { /* * Sometimes slice = slice, and sometimes part = slice * If the incoming struct dsk has part=255, it means look at @@ -47,15 +105,39 @@ geli_same_device(struct geli_entry *ge, } /* Is this the same device? */ - if (geli_e->dsk->drive != dskp->drive || - geli_e->dsk->slice != dskp->slice || - geli_e->dsk->part != dskp->part) { + if (ge->dsk->drive != dskp->drive || + ge->dsk->slice != dskp->slice || + ge->dsk->part != dskp->part) { return (1); } return (0); } +static int +geli_findkey(struct geli_entry *ge, struct dsk *dskp, u_char *mkey) +{ + u_int keynum; + int i; + + if (ge->keybuf_slot >= 0) { + if (g_eli_mkey_decrypt(&ge->md, saved_keys[ge->keybuf_slot], + mkey, &keynum) == 0) { + return (0); + } + } + + for (i = 0; i < nsaved_keys; i++) { + if (g_eli_mkey_decrypt(&ge->md, saved_keys[i], mkey, + &keynum) == 0) { + ge->keybuf_slot = i; + return (0); + } + } + + return (1); +} + void geli_init(void) { @@ -123,6 +205,7 @@ geli_taste(int read_func(void *vdev, voi if (dskp->part == 255) { geli_e->dsk->part = dskp->slice; } + geli_e->keybuf_slot = -1; geli_e->md = md; eli_metadata_softc(&geli_e->sc, &md, DEV_BSIZE, @@ -138,18 +221,27 @@ geli_taste(int read_func(void *vdev, voi * Attempt to decrypt the device */ int -geli_attach(struct dsk *dskp, const char *passphrase) +geli_attach(struct dsk *dskp, const char *passphrase, const u_char *mkeyp) { u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN], *mkp; u_int keynum; struct hmac_ctx ctx; int error; + if (mkeyp != NULL) { + memcpy(&mkey, mkeyp, G_ELI_DATAIVKEYLEN); + explicit_bzero(mkeyp, G_ELI_DATAIVKEYLEN); + } + SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) { if (geli_same_device(geli_e, dskp) != 0) { continue; } + if (mkeyp != NULL || geli_findkey(geli_e, dskp, mkey) == 0) { + goto found_key; + } + g_eli_crypto_hmac_init(&ctx, NULL, 0); /* * Prepare Derived-Key from the user passphrase. @@ -179,17 +271,23 @@ geli_attach(struct dsk *dskp, const char g_eli_crypto_hmac_final(&ctx, key, 0); error = g_eli_mkey_decrypt(&geli_e->md, key, mkey, &keynum); - explicit_bzero(key, sizeof(key)); if (error == -1) { explicit_bzero(mkey, sizeof(mkey)); - printf("Bad GELI key: %d\n", error); + explicit_bzero(key, sizeof(key)); + printf("Bad GELI key: bad password?\n"); return (error); } else if (error != 0) { explicit_bzero(mkey, sizeof(mkey)); - printf("Failed to decrypt GELI master key: %d\n", error); + explicit_bzero(key, sizeof(key)); + printf("Failed to decrypt GELI master key: %d\n", error); return (error); - } + } else { + /* Add key to keychain */ + save_key(key); + explicit_bzero(&key, sizeof(key)); + } +found_key: /* Store the keys */ bcopy(mkey, geli_e->sc.sc_mkey, sizeof(geli_e->sc.sc_mkey)); bcopy(mkey, geli_e->sc.sc_ivkey, sizeof(geli_e->sc.sc_ivkey)); @@ -231,7 +329,7 @@ is_geli(struct dsk *dskp) return (0); } } - + return (1); } @@ -294,6 +392,27 @@ geli_read(struct dsk *dskp, off_t offset } int +geli_havekey(struct dsk *dskp) +{ + u_char mkey[G_ELI_DATAIVKEYLEN]; + + SLIST_FOREACH_SAFE(geli_e, &geli_head, entries, geli_e_tmp) { + if (geli_same_device(geli_e, dskp) != 0) { + continue; + } + + if (geli_findkey(geli_e, dskp, mkey) == 0) { + if (geli_attach(dskp, NULL, mkey) == 0) { + return (0); + } + } + } + explicit_bzero(mkey, sizeof(mkey)); + + return (1); +} + +int geli_passphrase(char *pw, int disk, int parttype, int part, struct dsk *dskp) { int i; @@ -302,14 +421,14 @@ geli_passphrase(char *pw, int disk, int for (i = 0; i < 3; i++) { /* Try cached passphrase */ if (i == 0 && pw[0] != '\0') { - if (geli_attach(dskp, pw) == 0) { + if (geli_attach(dskp, pw, NULL) == 0) { return (0); } } printf("GELI Passphrase for disk%d%c%d: ", disk, parttype, part); pwgets(pw, GELI_PW_MAXLEN); printf("\n"); - if (geli_attach(dskp, pw) == 0) { + if (geli_attach(dskp, pw, NULL) == 0) { return (0); } } Modified: head/sys/boot/geli/geliboot.h ============================================================================== --- head/sys/boot/geli/geliboot.h Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/geli/geliboot.h Sat Apr 1 05:05:22 2017 (r316343) @@ -27,32 +27,11 @@ * $FreeBSD$ */ -#include -#include +#include #ifndef _GELIBOOT_H_ #define _GELIBOOT_H_ -#define _STRING_H_ -#define _STRINGS_H_ -#define _STDIO_H_ - -#include -#include - -/* Pull in the md5, sha256, and sha512 implementations */ -#include -#include -#include - -/* Pull in AES implementation */ -#include - -/* AES-XTS implementation */ -#define _STAND -#define STAND_H /* We don't want stand.h in {gpt,zfs,gptzfs}boot */ -#include - #ifndef DEV_BSIZE #define DEV_BSIZE 512 #endif @@ -64,30 +43,26 @@ #define MIN(a,b) (((a) < (b)) ? (a) : (b)) #endif +#define GELI_MAX_KEYS 64 #define GELI_PW_MAXLEN 256 -extern void pwgets(char *buf, int n); - -struct geli_entry { - struct dsk *dsk; - off_t part_end; - struct g_eli_softc sc; - struct g_eli_metadata md; - SLIST_ENTRY(geli_entry) entries; -} *geli_e, *geli_e_tmp; -int geli_count; +extern void pwgets(char *buf, int n); void geli_init(void); int geli_taste(int read_func(void *vdev, void *priv, off_t off, void *buf, size_t bytes), struct dsk *dsk, daddr_t lastsector); -int geli_attach(struct dsk *dskp, const char *passphrase); +int geli_attach(struct dsk *dskp, const char *passphrase, const u_char *mkeyp); int is_geli(struct dsk *dsk); int geli_read(struct dsk *dsk, off_t offset, u_char *buf, size_t bytes); int geli_decrypt(u_int algo, u_char *data, size_t datasize, const u_char *key, size_t keysize, const uint8_t* iv); +int geli_havekey(struct dsk *dskp); int geli_passphrase(char *pw, int disk, int parttype, int part, struct dsk *dskp); int geliboot_crypt(u_int algo, int enc, u_char *data, size_t datasize, const u_char *key, size_t keysize, u_char *iv); +void geli_fill_keybuf(struct keybuf *keybuf); +void geli_save_keybuf(struct keybuf *keybuf); + #endif /* _GELIBOOT_H_ */ Modified: head/sys/boot/geli/geliboot_crypto.c ============================================================================== --- head/sys/boot/geli/geliboot_crypto.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/geli/geliboot_crypto.c Sat Apr 1 05:05:22 2017 (r316343) @@ -31,6 +31,7 @@ #include #include +#include "geliboot_internal.h" #include "geliboot.h" int Added: head/sys/boot/geli/geliboot_internal.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sys/boot/geli/geliboot_internal.h Sat Apr 1 05:05:22 2017 (r316343) @@ -0,0 +1,69 @@ +/*- + * Copyright (c) 2015 Allan Jude + * Copyright (c) 2005-2011 Pawel Jakub Dawidek + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _GELIBOOT_INTERNAL_H_ +#define _GELIBOOT_INTERNAL_H_ + +#define _STRING_H_ +#define _STRINGS_H_ +#define _STDIO_H_ + +#include +#include + +#include +#include + +#include + +/* Pull in the md5, sha256, and sha512 implementations */ +#include +#include +#include + +/* Pull in AES implementation */ +#include + +/* AES-XTS implementation */ +#define _STAND +#define STAND_H /* We don't want stand.h in {gpt,zfs,gptzfs}boot */ +#include + +struct geli_entry { + struct dsk *dsk; + off_t part_end; + struct g_eli_softc sc; + struct g_eli_metadata md; + int keybuf_slot; + SLIST_ENTRY(geli_entry) entries; +} *geli_e, *geli_e_tmp; + +static int geli_count; + +#endif /* _GELIBOOT_INTERNAL_H_ */ Modified: head/sys/boot/i386/common/bootargs.h ============================================================================== --- head/sys/boot/i386/common/bootargs.h Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/common/bootargs.h Sat Apr 1 05:05:22 2017 (r316343) @@ -64,10 +64,28 @@ struct bootargs */ }; +#ifdef LOADER_GELI_SUPPORT +#include +#endif + struct geli_boot_args { uint32_t size; - char gelipw[256]; + union { + char gelipw[256]; + struct { + char notapw; /* + * single null byte to stop keybuf + * being interpreted as a password + */ + uint32_t keybuf_sentinel; +#ifdef LOADER_GELI_SUPPORT + struct keybuf *keybuf; +#else + void *keybuf; +#endif + }; + }; }; #endif /*__ASSEMBLER__*/ Modified: head/sys/boot/i386/gptboot/Makefile ============================================================================== --- head/sys/boot/i386/gptboot/Makefile Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/gptboot/Makefile Sat Apr 1 05:05:22 2017 (r316343) @@ -42,6 +42,7 @@ CFLAGS.gcc+= --param max-inline-insns-si .if !defined(LOADER_NO_GELI_SUPPORT) CFLAGS+= -DLOADER_GELI_SUPPORT CFLAGS+= -I${.CURDIR}/../../geli +CFLAGS+= -I${.CURDIR}/../../.. LIBGELIBOOT= ${.OBJDIR}/../../geli/libgeliboot.a .PATH: ${.CURDIR}/../../../opencrypto OPENCRYPTO_XTS= xform_aes_xts.o Modified: head/sys/boot/i386/gptboot/gptboot.c ============================================================================== --- head/sys/boot/i386/gptboot/gptboot.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/gptboot/gptboot.c Sat Apr 1 05:05:22 2017 (r316343) @@ -103,7 +103,7 @@ static char *heap_end; void exit(int); static void load(void); -static int parse(char *, int *); +static int parse_cmds(char *, int *); static int dskread(void *, daddr_t, unsigned); void *malloc(size_t n); void free(void *ptr); @@ -139,6 +139,7 @@ free(void *ptr) #ifdef LOADER_GELI_SUPPORT #include "geliboot.c" static char gelipw[GELI_PW_MAXLEN]; +static struct keybuf *gelibuf; #endif static inline int @@ -253,7 +254,8 @@ gptinit(void) #ifdef LOADER_GELI_SUPPORT if (geli_taste(vdev_read, &dsk, (gpttable[curent].ent_lba_end - gpttable[curent].ent_lba_start)) == 0) { - if (geli_passphrase(&gelipw, dsk.unit, 'p', curent + 1, &dsk) != 0) { + if (geli_havekey(&dsk) != 0 && geli_passphrase(&gelipw, + dsk.unit, 'p', curent + 1, &dsk) != 0) { printf("%s: unable to decrypt GELI key\n", BOOTPROG); return (-1); } @@ -318,7 +320,7 @@ main(void) } if (*cmd != '\0') { memcpy(cmdtmp, cmd, sizeof(cmdtmp)); - if (parse(cmdtmp, &dskupdated)) + if (parse_cmds(cmdtmp, &dskupdated)) break; if (dskupdated && gptinit() != 0) break; @@ -368,7 +370,7 @@ main(void) getstr(cmd, sizeof(cmd)); else if (!OPT_CHECK(RBX_QUIET)) putchar('\n'); - if (parse(cmd, &dskupdated)) { + if (parse_cmds(cmd, &dskupdated)) { putchar('\a'); continue; } @@ -480,8 +482,12 @@ load(void) bootinfo.bi_bios_dev = dsk.drive; #ifdef LOADER_GELI_SUPPORT geliargs.size = sizeof(geliargs); - bcopy(gelipw, geliargs.gelipw, sizeof(geliargs.gelipw)); explicit_bzero(gelipw, sizeof(gelipw)); + gelibuf = malloc(sizeof(struct keybuf) + (GELI_MAX_KEYS * sizeof(struct keybuf_ent))); + geli_fill_keybuf(gelibuf); + geliargs.notapw = '\0'; + geliargs.keybuf_sentinel = KEYBUF_SENTINEL; + geliargs.keybuf = gelibuf; #endif __exec((caddr_t)addr, RB_BOOTINFO | (opts & RBX_MASK), MAKEBOOTDEV(dev_maj[dsk.type], dsk.part + 1, dsk.unit, 0xff), @@ -493,7 +499,7 @@ load(void) } static int -parse(char *cmdstr, int *dskupdated) +parse_cmds(char *cmdstr, int *dskupdated) { char *arg = cmdstr; char *ep, *p, *q; Modified: head/sys/boot/i386/libi386/biosdisk.c ============================================================================== --- head/sys/boot/i386/libi386/biosdisk.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/libi386/biosdisk.c Sat Apr 1 05:05:22 2017 (r316343) @@ -472,6 +472,11 @@ bd_open(struct open_file *f, ...) } if (geli_taste(bios_read, &dskp, entry->part.end - entry->part.start) == 0) { + if (geli_havekey(&dskp) == 0) { + geli_status[dev->d_unit][dskp.slice] = ISGELI_YES; + geli_part++; + continue; + } if ((passphrase = getenv("kern.geom.eli.passphrase")) != NULL) { /* Use the cached passphrase */ @@ -484,6 +489,7 @@ bd_open(struct open_file *f, ...) bzero(gelipw, sizeof(gelipw)); geli_status[dev->d_unit][dskp.slice] = ISGELI_YES; geli_part++; + continue; } } else geli_status[dev->d_unit][dskp.slice] = ISGELI_NO; Modified: head/sys/boot/i386/libi386/bootinfo32.c ============================================================================== --- head/sys/boot/i386/libi386/bootinfo32.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/libi386/bootinfo32.c Sat Apr 1 05:05:22 2017 (r316343) @@ -32,10 +32,18 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include "bootstrap.h" #include "libi386.h" #include "btxv86.h" +#ifdef LOADER_GELI_SUPPORT +#include "geliboot.h" + +static const size_t keybuf_size = sizeof(struct keybuf) + + (GELI_MAX_KEYS * sizeof(struct keybuf_ent)); +#endif + static struct bootinfo bi; /* @@ -146,11 +154,15 @@ bi_load32(char *args, int *howtop, int * int bootdevnr, i, howto; char *kernelname; const char *kernelpath; +#ifdef LOADER_GELI_SUPPORT + char buf[keybuf_size]; + struct keybuf *keybuf = (struct keybuf *)buf; +#endif howto = bi_getboothowto(args); - /* - * Allow the environment variable 'rootdev' to override the supplied device + /* + * Allow the environment variable 'rootdev' to override the supplied device * This should perhaps go to MI code and/or have $rootdev tested/set by * MI code before launching the kernel. */ @@ -185,7 +197,7 @@ bi_load32(char *args, int *howtop, int * case DEVT_NET: case DEVT_ZFS: break; - + default: printf("WARNING - don't know how to boot from device type %d\n", rootdev->d_type); } @@ -221,6 +233,11 @@ bi_load32(char *args, int *howtop, int * file_addmetadata(kfp, MODINFOMD_ENVP, sizeof envp, &envp); file_addmetadata(kfp, MODINFOMD_KERNEND, sizeof kernend, &kernend); bios_addsmapdata(kfp); +#ifdef LOADER_GELI_SUPPORT + geli_fill_keybuf(keybuf); + file_addmetadata(kfp, MODINFOMD_KEYBUF, keybuf_size, buf); + bzero(buf, sizeof(buf)); +#endif /* Figure out the size and location of the metadata */ *modulep = addr; Modified: head/sys/boot/i386/libi386/bootinfo64.c ============================================================================== --- head/sys/boot/i386/libi386/bootinfo64.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/libi386/bootinfo64.c Sat Apr 1 05:05:22 2017 (r316343) @@ -40,6 +40,13 @@ __FBSDID("$FreeBSD$"); #include "libi386.h" #include "btxv86.h" +#ifdef LOADER_GELI_SUPPORT +#include "geliboot.h" + +static const size_t keybuf_size = sizeof(struct keybuf) + + (GELI_MAX_KEYS * sizeof(struct keybuf_ent)); +#endif + /* * Copy module-related data into the load area, where it can be * used as a directory for loaded modules. @@ -189,6 +196,10 @@ bi_load64(char *args, vm_offset_t addr, vm_offset_t size; char *rootdevname; int howto; +#ifdef LOADER_GELI_SUPPORT + char buf[keybuf_size]; + struct keybuf *keybuf = (struct keybuf *)buf; +#endif if (!bi_checkcpu()) { printf("CPU doesn't support long mode\n"); @@ -197,8 +208,8 @@ bi_load64(char *args, vm_offset_t addr, howto = bi_getboothowto(args); - /* - * Allow the environment variable 'rootdev' to override the supplied device + /* + * Allow the environment variable 'rootdev' to override the supplied device * This should perhaps go to MI code and/or have $rootdev tested/set by * MI code before launching the kernel. */ @@ -238,6 +249,12 @@ bi_load64(char *args, vm_offset_t addr, if (add_smap != 0) bios_addsmapdata(kfp); +#ifdef LOADER_GELI_SUPPORT + geli_fill_keybuf(keybuf); + file_addmetadata(kfp, MODINFOMD_KEYBUF, keybuf_size, buf); + bzero(buf, sizeof(buf)); +#endif + size = bi_copymodules64(0); /* copy our environment */ Modified: head/sys/boot/i386/loader/Makefile ============================================================================== --- head/sys/boot/i386/loader/Makefile Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/loader/Makefile Sat Apr 1 05:05:22 2017 (r316343) @@ -61,6 +61,7 @@ CFLAGS+= -DLOADER_NANDFS_SUPPORT .endif .if !defined(LOADER_NO_GELI_SUPPORT) CFLAGS+= -DLOADER_GELI_SUPPORT +CFLAGS+= -I${.CURDIR}/../../geli LIBGELIBOOT= ${.OBJDIR}/../../geli/libgeliboot.a .PATH: ${.CURDIR}/../../../opencrypto SRCS+= xform_aes_xts.c Modified: head/sys/boot/i386/loader/main.c ============================================================================== --- head/sys/boot/i386/loader/main.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/loader/main.c Sat Apr 1 05:05:22 2017 (r316343) @@ -39,6 +39,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include "bootstrap.h" #include "common/bootargs.h" @@ -69,6 +70,7 @@ static int isa_inb(int port); static void isa_outb(int port, int value); void exit(int code); #ifdef LOADER_GELI_SUPPORT +#include "geliboot.h" struct geli_boot_args *gargs; #endif #ifdef LOADER_ZFS_SUPPORT @@ -173,6 +175,10 @@ main(void) if ((kargs->bootflags & KARGS_FLAGS_EXTARG) != 0) { zargs = (struct zfs_boot_args *)(kargs + 1); if (zargs != NULL && zargs->size >= offsetof(struct zfs_boot_args, gelipw)) { + if (zargs->size >= offsetof(struct zfs_boot_args, keybuf_sentinel) && + zargs->keybuf_sentinel == KEYBUF_SENTINEL) { + geli_save_keybuf(zargs->keybuf); + } if (zargs->gelipw[0] != '\0') { setenv("kern.geom.eli.passphrase", zargs->gelipw, 1); explicit_bzero(zargs->gelipw, sizeof(zargs->gelipw)); @@ -185,6 +191,9 @@ main(void) if ((kargs->bootflags & KARGS_FLAGS_EXTARG) != 0) { gargs = (struct geli_boot_args *)(kargs + 1); if (gargs != NULL && gargs->size >= offsetof(struct geli_boot_args, gelipw)) { + if (gargs->keybuf_sentinel == KEYBUF_SENTINEL) { + geli_save_keybuf(gargs->keybuf); + } if (gargs->gelipw[0] != '\0') { setenv("kern.geom.eli.passphrase", gargs->gelipw, 1); explicit_bzero(gargs->gelipw, sizeof(gargs->gelipw)); Modified: head/sys/boot/i386/zfsboot/zfsboot.c ============================================================================== --- head/sys/boot/i386/zfsboot/zfsboot.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/i386/zfsboot/zfsboot.c Sat Apr 1 05:05:22 2017 (r316343) @@ -121,7 +121,7 @@ static struct dmadat *dmadat; void exit(int); void reboot(void); static void load(void); -static int parse(void); +static int parse_cmd(void); static void bios_getmem(void); void *malloc(size_t n); void free(void *ptr); @@ -159,6 +159,7 @@ strdup(const char *s) #ifdef LOADER_GELI_SUPPORT #include "geliboot.c" static char gelipw[GELI_PW_MAXLEN]; +static struct keybuf *gelibuf; #endif #include "zfsimpl.c" @@ -502,7 +503,8 @@ probe_drive(struct dsk *dsk) elba--; } if (geli_taste(vdev_read, dsk, elba) == 0) { - if (geli_passphrase(&gelipw, dsk->unit, ':', 0, dsk) == 0) { + if (geli_havekey(dsk) == 0 || geli_passphrase(&gelipw, dsk->unit, + ':', 0, dsk) == 0) { if (vdev_probe(vdev_read, dsk, NULL) == 0) { return; } @@ -559,7 +561,8 @@ probe_drive(struct dsk *dsk) #ifdef LOADER_GELI_SUPPORT else if (geli_taste(vdev_read, dsk, ent->ent_lba_end - ent->ent_lba_start) == 0) { - if (geli_passphrase(&gelipw, dsk->unit, 'p', dsk->slice, dsk) == 0) { + if (geli_havekey(dsk) == 0 || geli_passphrase(&gelipw, + dsk->unit, 'p', dsk->slice, dsk) == 0) { /* * This slice has GELI, check it for ZFS. */ @@ -597,7 +600,8 @@ trymbr: #ifdef LOADER_GELI_SUPPORT else if (geli_taste(vdev_read, dsk, dp[i].dp_size - dp[i].dp_start) == 0) { - if (geli_passphrase(&gelipw, dsk->unit, 's', i, dsk) == 0) { + if (geli_havekey(dsk) == 0 || geli_passphrase(&gelipw, dsk->unit, + 's', i, dsk) == 0) { /* * This slice has GELI, check it for ZFS. */ @@ -729,7 +733,7 @@ main(void) */ nextboot = 1; memcpy(cmddup, cmd, sizeof(cmd)); - if (parse()) { + if (parse_cmd()) { printf("failed to parse pad2 area of primary vdev\n"); reboot(); } @@ -756,11 +760,11 @@ main(void) if (*cmd) { /* - * Note that parse() is destructive to cmd[] and we also want + * Note that parse_cmd() is destructive to cmd[] and we also want * to honor RBX_QUIET option that could be present in cmd[]. */ memcpy(cmddup, cmd, sizeof(cmd)); - if (parse()) + if (parse_cmd()) autoboot = 0; if (!OPT_CHECK(RBX_QUIET)) printf("%s: %s\n", PATH_CONFIG, cmddup); @@ -810,7 +814,7 @@ main(void) else if (!autoboot || !OPT_CHECK(RBX_QUIET)) putchar('\n'); autoboot = 0; - if (parse()) + if (parse_cmd()) putchar('\a'); else load(); @@ -925,8 +929,12 @@ load(void) zfsargs.root = zfsmount.rootobj; zfsargs.primary_pool = primary_spa->spa_guid; #ifdef LOADER_GELI_SUPPORT - bcopy(gelipw, zfsargs.gelipw, sizeof(zfsargs.gelipw)); explicit_bzero(gelipw, sizeof(gelipw)); + gelibuf = malloc(sizeof(struct keybuf) + (GELI_MAX_KEYS * sizeof(struct keybuf_ent))); + geli_fill_keybuf(gelibuf); + zfsargs.notapw = '\0'; + zfsargs.keybuf_sentinel = KEYBUF_SENTINEL; + zfsargs.keybuf = gelibuf; #else zfsargs.gelipw[0] = '\0'; #endif @@ -979,7 +987,7 @@ zfs_mount_ds(char *dsname) } static int -parse(void) +parse_cmd(void) { char *arg = cmd; char *ep, *p, *q; Modified: head/sys/boot/zfs/libzfs.h ============================================================================== --- head/sys/boot/zfs/libzfs.h Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/boot/zfs/libzfs.h Sat Apr 1 05:05:22 2017 (r316343) @@ -47,6 +47,10 @@ struct zfs_devdesc uint64_t root_guid; }; +#ifdef LOADER_GELI_SUPPORT +#include +#endif + struct zfs_boot_args { uint32_t size; @@ -55,7 +59,21 @@ struct zfs_boot_args uint64_t root; uint64_t primary_pool; uint64_t primary_vdev; - char gelipw[256]; + union { + char gelipw[256]; + struct { + char notapw; /* + * single null byte to stop keybuf + * being interpreted as a password + */ + uint32_t keybuf_sentinel; +#ifdef LOADER_GELI_SUPPORT + struct keybuf *keybuf; +#else + void *keybuf; +#endif + }; + }; }; int zfs_parsedev(struct zfs_devdesc *dev, const char *devspec, Added: head/sys/crypto/intake.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sys/crypto/intake.h Sat Apr 1 05:05:22 2017 (r316343) @@ -0,0 +1,64 @@ +/*- + * Copyright (c) 2016 Eric McCorkle + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _INTAKE_H_ +#define _INTAKE_H_ + +#include + +/* + * This file provides an interface for providing keys to the kernel + * during boot time. + */ + +#define MAX_KEY_BITS 4096 +#define MAX_KEY_BYTES (MAX_KEY_BITS / NBBY) + +#define KEYBUF_SENTINEL 0xcee54b5d /* KEYS4BSD */ + +enum { + KEYBUF_TYPE_NONE, + KEYBUF_TYPE_GELI +}; + +struct keybuf_ent { + unsigned int ke_type; + char ke_data[MAX_KEY_BYTES]; +}; + +struct keybuf { + unsigned int kb_nents; + struct keybuf_ent kb_ents[]; +}; + +#ifdef _KERNEL +/* Get the key intake buffer */ +extern struct keybuf* get_keybuf(void); +#endif + +#endif Modified: head/sys/geom/eli/g_eli.c ============================================================================== --- head/sys/geom/eli/g_eli.c Sat Apr 1 04:42:35 2017 (r316342) +++ head/sys/geom/eli/g_eli.c Sat Apr 1 05:05:22 2017 (r316343) @@ -53,6 +53,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include + FEATURE(geom_eli, "GEOM crypto module"); MALLOC_DEFINE(M_ELI, "eli data", "GEOM_ELI Data"); @@ -111,13 +113,39 @@ fetch_loader_passphrase(void * dummy) } SYSINIT(geli_fetch_loader_passphrase, SI_SUB_KMEM + 1, SI_ORDER_ANY, fetch_loader_passphrase, NULL); + static void -zero_boot_passcache(void * dummy) +zero_boot_passcache(void) { - memset(cached_passphrase, 0, sizeof(cached_passphrase)); + explicit_bzero(cached_passphrase, sizeof(cached_passphrase)); +} + +static void +zero_geli_intake_keys(void) +{ + struct keybuf *keybuf; + int i; + + if ((keybuf = get_keybuf()) != NULL) { + /* Scan the key buffer, clear all GELI keys. */ + for (i = 0; i < keybuf->kb_nents; i++) { + if (keybuf->kb_ents[i].ke_type == KEYBUF_TYPE_GELI) { + explicit_bzero(keybuf->kb_ents[i].ke_data, + sizeof(keybuf->kb_ents[i].ke_data)); + keybuf->kb_ents[i].ke_type = KEYBUF_TYPE_NONE; + } + } + } +} + +static void +zero_intake_passcache(void *dummy) +{ + zero_boot_passcache(); + zero_geli_intake_keys(); } -EVENTHANDLER_DEFINE(mountroot, zero_boot_passcache, NULL, 0); +EVENTHANDLER_DEFINE(mountroot, zero_intake_passcache, NULL, 0); static eventhandler_tag g_eli_pre_sync = NULL; @@ -997,6 +1025,7 @@ g_eli_taste(struct g_class *mp, struct g u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN]; u_int i, nkey, nkeyfiles, tries; int error; + struct keybuf *keybuf; g_trace(G_T_TOPOLOGY, "%s(%s, %s)", __func__, mp->name, pp->name); g_topology_assert(); @@ -1035,97 +1064,114 @@ g_eli_taste(struct g_class *mp, struct g tries = g_eli_tries; } - for (i = 0; i <= tries; i++) { - g_eli_crypto_hmac_init(&ctx, NULL, 0); - - /* - * Load all key files. - */ - nkeyfiles = g_eli_keyfiles_load(&ctx, pp->name); - - if (nkeyfiles == 0 && md.md_iterations == -1) { - /* - * No key files and no passphrase, something is - * definitely wrong here. - * geli(8) doesn't allow for such situation, so assume - * that there was really no passphrase and in that case - * key files are no properly defined in loader.conf. - */ - G_ELI_DEBUG(0, - "Found no key files in loader.conf for %s.", - pp->name); - return (NULL); - } - - /* Ask for the passphrase if defined. */ - if (md.md_iterations >= 0) { - /* Try first with cached passphrase. */ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***