summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBill Richardson <wfrichar@chromium.org>2013-02-28 10:10:29 -0800
committerChromeBot <chrome-bot@google.com>2013-02-28 14:48:12 -0800
commitc7c6e5d2f7076fe512b692411f0d05d4bf76d91f (patch)
treebf2f034f16a0a1e828dfd4c5cca8c8ce082cd8c6
parent2f8ac1588601437ef00fa985a3ad3a7df7e8ed03 (diff)
downloadvboot-c7c6e5d2f7076fe512b692411f0d05d4bf76d91f.tar.gz
Remove the mount-encrypted utility from vboot_reference
This utility sets up the encrypted directories for Chrome OS at boot time. It uses some of the TPM-related libraries from vboot_reference, but it isn't really part of the verified boot process itself so I'm moving it into the cryptohome repo where it belongs. This CL just removes the code from vboot_reference. Another CL will put it into cryptohome, and yet another will change the ebuilds to notices. BUG=chromium-os:39264 BRANCH=none TEST=auto CQ-DEPEND=CL:44301, CL:44302 This is just refactoring, not a new feature. After all the CLs are in, the platform_EncryptedStateful autotest should continue to pass as before. Change-Id: I6bb436ae57140e89581cb0be5dc2385b8f3ff5e2 Signed-off-by: Bill Richardson <wfrichar@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/44303 Reviewed-by: Kees Cook <keescook@chromium.org>
-rw-r--r--Makefile53
-rw-r--r--utility/mount-encrypted.c1349
-rw-r--r--utility/mount-encrypted.h144
-rw-r--r--utility/mount-helpers.c803
-rw-r--r--utility/mount-helpers.h42
5 files changed, 3 insertions, 2388 deletions
diff --git a/Makefile b/Makefile
index 315e70e2..73520a47 100644
--- a/Makefile
+++ b/Makefile
@@ -305,7 +305,7 @@ ALL_OBJS += ${FWLIB_OBJS}
# Library to build the utilities. "HOST" mostly means "userspace".
-HOSTLIB = ${BUILD}/vboot_host.a
+HOSTLIB = ${BUILD}/libvboot_host.a
HOSTLIB_SRCS = \
host/arch/${ARCH}/lib/crossystem_arch.c \
@@ -400,10 +400,6 @@ endif
UTIL_BINS_STATIC := $(addprefix ${BUILD}/utility/,${UTIL_NAMES_STATIC})
UTIL_BINS = $(addprefix ${BUILD}/utility/,${UTIL_NAMES})
-ifneq (${IN_CHROOT},)
-UTIL_SBINS = $(addprefix ${BUILD}/utility/,mount-encrypted)
-endif
-
ALL_DEPS += $(addsuffix .d,${UTIL_BINS})
@@ -700,20 +696,15 @@ ${BUILD}/utility/%: INCLUDES += -Ihost/include -Iutility/include
${UTIL_BINS_STATIC}: LDFLAGS += -static
.PHONY: utils
-utils: ${UTIL_BINS} ${UTIL_SCRIPTS} ${UTIL_SBINS}
+utils: ${UTIL_BINS} ${UTIL_SCRIPTS}
${Q}cp -f ${UTIL_SCRIPTS} ${BUILD}/utility
${Q}chmod a+rx $(patsubst %,${BUILD}/%,${UTIL_SCRIPTS})
.PHONY: utils_install
-utils_install: ${UTIL_BINS} ${UTIL_SCRIPTS} ${UTIL_SBINS}
+utils_install: ${UTIL_BINS} ${UTIL_SCRIPTS}
@printf " INSTALL UTILS\n"
${Q}mkdir -p ${UB_DIR}
${Q}${INSTALL} -t ${UB_DIR} ${UTIL_BINS} ${UTIL_SCRIPTS}
-ifneq (${UTIL_SBINS},)
- ${Q}mkdir -p ${SB_DIR}
- ${Q}${INSTALL} -t ${SB_DIR} ${UTIL_SBINS}
-endif
-
# And some signing stuff for the target
.PHONY: signing_install
@@ -745,44 +736,6 @@ futil_install: ${FUTIL_BIN}
# ----------------------------------------------------------------------------
-# Mount-encrypted utility for cryptohome
-
-# TODO: mount-encrypted should move to cryptohome and just link against
-# vboot-host.a for tlcl and crossystem.
-
-# The embedded libcrypto conflicts with the shipped openssl,
-# so mount-* builds without the common CFLAGS (and those includes).
-
-${BUILD}/utility/mount-helpers.o: \
- utility/mount-helpers.c \
- utility/mount-helpers.h \
- utility/mount-encrypted.h
- @printf " CCm-e $(subst ${BUILD}/,,$@)\n"
- ${Q}${CC} -Wall -Werror -O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
- ${COV_FLAGS} \
- $(shell ${PKG_CONFIG} --cflags glib-2.0 openssl) \
- -c $< -o $@
-
-${BUILD}/utility/mount-encrypted: \
- utility/mount-encrypted.c \
- utility/mount-encrypted.h \
- ${BUILD}/utility/mount-helpers.o ${LIBS}
- @printf " CCm-exe $(subst ${BUILD}/,,$@)\n"
- ${Q}${CC} -Wall -Werror -O2 -D_FORTIFY_SOURCE=2 -fstack-protector \
- $(shell ${PKG_CONFIG} --cflags glib-2.0 openssl) \
- -Ifirmware/include \
- -Ihost/include \
- ${COV_FLAGS} \
- ${LDFLAGS} \
- $< -o $@ \
- ${BUILD}/utility/mount-helpers.o ${LIBS} \
- $(shell ${PKG_CONFIG} --libs glib-2.0 openssl) \
- -lm
-ifneq (${COV},)
- ${Q}mv -f mount-encrypted.gcno ${BUILD}/utility
-endif
-
-# ----------------------------------------------------------------------------
# Utility to generate TLCL structure definition header file.
${BUILD}/utility/tlcl_generator: CFLAGS += -fpack-struct
diff --git a/utility/mount-encrypted.c b/utility/mount-encrypted.c
deleted file mode 100644
index 9dbedc2a..00000000
--- a/utility/mount-encrypted.c
+++ /dev/null
@@ -1,1349 +0,0 @@
-/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * This tool will attempt to mount or create the encrypted stateful partition,
- * and the various bind mountable subdirectories.
- *
- */
-#define _GNU_SOURCE
-#define _FILE_OFFSET_BITS 64
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <grp.h>
-#include <pwd.h>
-#include <sys/ioctl.h>
-#include <sys/stat.h>
-#include <sys/statvfs.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <sys/mount.h>
-#include <linux/fs.h>
-
-#include <glib.h>
-
-#include <openssl/rand.h>
-
-#define CHROMEOS_ENVIRONMENT
-#include "tlcl.h"
-#include "crossystem.h"
-
-#include "mount-encrypted.h"
-#include "mount-helpers.h"
-
-#define STATEFUL_MNT "mnt/stateful_partition"
-#define ENCRYPTED_MNT STATEFUL_MNT "/encrypted"
-#define BUF_SIZE 1024
-#define PROP_SIZE 64
-#define LOCKBOX_SIZE_MAX 0x45
-
-static const gchar * const kKernelCmdline = "/proc/cmdline";
-static const gchar * const kKernelCmdlineOption = " encrypted-stateful-key=";
-static const gchar * const kEncryptedFSType = "ext4";
-static const gchar * const kCryptDevName = "encstateful";
-static const gchar * const kTpmDev = "/dev/tpm0";
-static const gchar * const kNullDev = "/dev/null";
-static const gchar * const kNvramExport = "/tmp/lockbox.nvram";
-static const float kSizePercent = 0.3;
-static const float kMigrationSizeMultiplier = 1.1;
-static const uint32_t kLockboxIndex = 0x20000004;
-static const uint32_t kLockboxSizeV1 = 0x2c;
-static const uint32_t kLockboxSizeV2 = LOCKBOX_SIZE_MAX;
-static const uint32_t kLockboxSaltOffset = 0x5;
-static const uint64_t kSectorSize = 512;
-static const uint64_t kExt4BlockSize = 4096;
-static const uint64_t kExt4MinBytes = 16 * 1024 * 1024;
-static const char * const kStaticKeyDefault = "default unsafe static key";
-static const char * const kStaticKeyFactory = "factory unsafe static key";
-static const char * const kStaticKeyFinalizationNeeded = "needs finalization";
-static const int kModeProduction = 0;
-static const int kModeFactory = 1;
-static const int kCryptAllowDiscard = 1;
-
-enum migration_method {
- MIGRATE_TEST_ONLY,
- MIGRATE_FOR_REAL,
-};
-
-enum bind_dir {
- BIND_SOURCE,
- BIND_DEST,
-};
-
-static struct bind_mount {
- char * src; /* Location of bind source. */
- char * dst; /* Destination of bind. */
- char * previous; /* Migratable prior bind source. */
- char * pending; /* Location for pending deletion. */
- char * owner;
- char * group;
- mode_t mode;
- int submount; /* Submount is bound already. */
-} bind_mounts_default[] = {
- { ENCRYPTED_MNT "/var", "var",
- STATEFUL_MNT "/var", STATEFUL_MNT "/.var",
- "root", "root",
- S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH, 0 },
- { ENCRYPTED_MNT "/chronos", "home/chronos",
- STATEFUL_MNT "/home/chronos", STATEFUL_MNT "/home/.chronos",
- "chronos", "chronos",
- S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH, 1 },
- { },
-};
-
-#if DEBUG_ENABLED
-struct timeval tick = { };
-struct timeval tick_start = { };
-#endif
-
-static struct bind_mount *bind_mounts = NULL;
-static gchar *rootdir = NULL;
-static gchar *stateful_mount = NULL;
-static gchar *key_path = NULL;
-static gchar *needs_finalization_path = NULL;
-static gchar *block_path = NULL;
-static gchar *encrypted_mount = NULL;
-static gchar *dmcrypt_name = NULL;
-static gchar *dmcrypt_dev = NULL;
-static int has_tpm = 0;
-static int tpm_init_called = 0;
-static uint8_t nvram_data[LOCKBOX_SIZE_MAX];
-static uint32_t nvram_size = 0;
-
-static void tpm_init(void)
-{
- uint32_t result;
-
- if (tpm_init_called)
- return;
-
- DEBUG("Opening TPM");
-
- setenv("TPM_NO_EXIT", "1", 1);
- result = TlclLibInit();
-
- tpm_init_called = 1;
- has_tpm = (result == TPM_SUCCESS);
- INFO("TPM %s", has_tpm ? "ready" : "not available");
-}
-
-/* Returns TPM result status code, and on TPM_SUCCESS, stores ownership
- * flag to "owned".
- */
-static uint32_t tpm_owned(uint8_t *owned)
-{
- uint32_t result;
-
- tpm_init();
- DEBUG("Reading TPM Ownership Flag");
- if (!has_tpm)
- result = TPM_E_NO_DEVICE;
- else
- result = TlclGetOwnership(owned);
- DEBUG("TPM Ownership Flag returned: %s", result ? "FAIL" : "ok");
-
- return result;
-}
-
-static void tpm_close(void)
-{
- if (!has_tpm || !tpm_init_called)
- return;
- TlclLibClose();
- tpm_init_called = 0;
-}
-
-static void sha256(char *string, uint8_t *digest)
-{
- SHA256((unsigned char *)string, strlen(string), digest);
-}
-
-/* Extract the desired system key from the kernel's boot command line. */
-static int get_key_from_cmdline(uint8_t *digest)
-{
- int result = 0;
- gchar *buffer;
- gsize length;
- char *cmdline, *option_end;
- /* Option name without the leading space. */
- const gchar *option = kKernelCmdlineOption + 1;
-
- if (!g_file_get_contents(kKernelCmdline, &buffer, &length, NULL)) {
- PERROR(kKernelCmdline);
- return 0;
- }
-
- /* Find a string match either at start of string or following
- * a space.
- */
- cmdline = buffer;
- if (strncmp(cmdline, option, strlen(option)) == 0 ||
- (cmdline = strstr(cmdline, kKernelCmdlineOption))) {
- /* The "=" exists because it is in kKernelCmdlineOption. */
- cmdline = strstr(cmdline, "=");
- /* strchrnul() cannot return NULL. */
- option_end = strchrnul(cmdline, ' ');
- *option_end = '\0';
- sha256(cmdline, digest);
- debug_dump_hex("system key", digest, DIGEST_LENGTH);
- result = 1;
- }
-
- g_free(buffer);
- return result;
-}
-
-static int get_system_property(const char *prop, char *buf, size_t length)
-{
- const char *rc;
-
- DEBUG("Fetching System Property '%s'", prop);
- rc = VbGetSystemPropertyString(prop, buf, length);
- DEBUG("Got System Property 'mainfw_type': %s", rc ? buf : "FAIL");
-
- return rc != NULL;
-}
-
-static int has_chromefw(void)
-{
- static int state = -1;
- char fw[PROP_SIZE];
-
- /* Cache the state so we don't have to perform the query again. */
- if (state != -1)
- return state;
-
- if (!get_system_property("mainfw_type", fw, sizeof(fw)))
- state = 0;
- else
- state = strcmp(fw, "nonchrome") != 0;
- return state;
-}
-
-static int is_cr48(void)
-{
- static int state = -1;
- char hwid[PROP_SIZE];
-
- /* Cache the state so we don't have to perform the query again. */
- if (state != -1)
- return state;
-
- if (!get_system_property("hwid", hwid, sizeof(hwid)))
- state = 0;
- else
- state = strstr(hwid, "MARIO") != NULL;
- return state;
-}
-
-static uint32_t
-_read_nvram(uint8_t *buffer, size_t len, uint32_t index, uint32_t size)
-{
- uint32_t result;
-
- if (size > len) {
- ERROR("NVRAM size (0x%x > 0x%zx) is too big", size, len);
- return 0;
- }
-
- tpm_init();
- DEBUG("Reading NVRAM area 0x%x (size %u)", index, size);
- if (!has_tpm)
- result = TPM_E_NO_DEVICE;
- else
- result = TlclRead(index, buffer, size);
- DEBUG("NVRAM read returned: %s", result == TPM_SUCCESS ? "ok"
- : "FAIL");
-
- return result;
-}
-
-/*
- * TPM cases:
- * - does not exist at all (disabled in test firmware or non-chrome device).
- * - exists (below).
- *
- * TPM ownership cases:
- * - unowned (OOBE):
- * - expect modern lockbox (no migration allowed).
- * - owned: depends on NVRAM area (below).
- *
- * NVRAM area cases:
- * - no NVRAM area at all:
- * - interrupted install (cryptohome has the TPM password)
- * - ancient device (cr48, cryptohome has thrown away TPM password)
- * - broken device (cryptohome has thrown away/never had TPM password)
- * - must expect worst-case: no lockbox ever, and migration allowed.
- * - defined NVRAM area, but not written to ("Finalized"); interrupted OOBE:
- * - if legacy size, allow migration.
- * - if not, disallow migration.
- * - written ("Finalized") NVRAM area:
- * - if legacy size, allow migration.
- * - if not, disallow migration.
- *
- * When returning 1: (NVRAM area found and used)
- * - *digest populated with NVRAM area entropy.
- * - *migrate is 1 for NVRAM v1, 0 for NVRAM v2.
- * When returning 0: (NVRAM missing or error)
- * - *digest untouched.
- * - *migrate always 1
- */
-static int get_nvram_key(uint8_t *digest, int *migrate)
-{
- uint8_t owned = 0;
- uint8_t value[kLockboxSizeV2], bytes_anded, bytes_ored;
- uint32_t size, result, i;
- uint8_t *rand_bytes;
- uint32_t rand_size;
-
- /* Default to allowing migration (disallow when owned with NVRAMv2). */
- *migrate = 1;
-
- /* Ignore unowned TPM's NVRAM area. */
- result = tpm_owned(&owned);
- if (result != TPM_SUCCESS) {
- INFO("Could not read TPM Permanent Flags: error 0x%02x.",
- result);
- return 0;
- }
- if (!owned) {
- INFO("TPM not Owned, ignoring NVRAM area.");
- return 0;
- }
-
- /* Reading the NVRAM takes 40ms. Instead of querying the NVRAM area
- * for its size (which takes time), just read the expected size. If
- * it fails, then fall back to the older size. This means cleared
- * devices take 80ms (2 failed reads), legacy devices take 80ms
- * (1 failed read, 1 good read), and populated devices take 40ms,
- * which is the minimum possible time (instead of 40ms + time to
- * query NVRAM size).
- */
- size = kLockboxSizeV2;
- result = _read_nvram(value, sizeof(value), kLockboxIndex, size);
- if (result != TPM_SUCCESS) {
- size = kLockboxSizeV1;
- result = _read_nvram(value, sizeof(value), kLockboxIndex, size);
- if (result != TPM_SUCCESS) {
- /* No NVRAM area at all. */
- INFO("No NVRAM area defined: error 0x%02x", result);
- return 0;
- }
- /* Legacy NVRAM area. */
- INFO("Version 1 NVRAM area found.");
- } else {
- *migrate = 0;
- INFO("Version 2 NVRAM area found.");
- }
-
- debug_dump_hex("nvram", value, size);
-
- /* Ignore defined but unwritten NVRAM area. */
- bytes_ored = 0x0;
- bytes_anded = 0xff;
- for (i = 0; i < size; ++i) {
- bytes_ored |= value[i];
- bytes_anded &= value[i];
- }
- if (bytes_ored == 0x0 || bytes_anded == 0xff) {
- INFO("NVRAM area has been defined but not written.");
- return 0;
- }
-
- /* "Export" nvram data for use after the helper. */
- if (size <= sizeof(nvram_data)) {
- nvram_size = size;
- memcpy(nvram_data, value, size);
- }
-
- /* Choose random bytes to use based on NVRAM version. */
- if (*migrate) {
- rand_bytes = value;
- rand_size = size;
- } else {
- rand_bytes = value + kLockboxSaltOffset;
- if (kLockboxSaltOffset + DIGEST_LENGTH > size) {
- INFO("Impossibly small NVRAM area size (%d).", size);
- return 0;
- }
- rand_size = DIGEST_LENGTH;
- }
- if (rand_size < DIGEST_LENGTH) {
- INFO("Impossibly small rand_size (%d).", rand_size);
- return 0;
- }
- debug_dump_hex("rand_bytes", rand_bytes, rand_size);
-
- SHA256(rand_bytes, rand_size, digest);
- debug_dump_hex("system key", digest, DIGEST_LENGTH);
-
- return 1;
-}
-
-/* Find the system key used for decrypting the stored encryption key.
- * ChromeOS devices are required to use the NVRAM area, all the rest will
- * fallback through various places (kernel command line, BIOS UUID, and
- * finally a static value) for a system key.
- */
-static int find_system_key(int mode, uint8_t *digest, int *migration_allowed)
-{
- gchar *key;
- gsize length;
-
- /* By default, do not allow migration. */
- *migration_allowed = 0;
-
- /* Factory mode uses a static system key. */
- if (mode == kModeFactory) {
- INFO("Using factory insecure system key.");
- sha256((char *)kStaticKeyFactory, digest);
- debug_dump_hex("system key", digest, DIGEST_LENGTH);
- return 1;
- }
-
- /* Force ChromeOS devices into requiring the system key come from
- * NVRAM.
- */
- if (has_chromefw()) {
- int rc;
- rc = get_nvram_key(digest, migration_allowed);
-
- if (rc) {
- INFO("Using NVRAM as system key; already populated%s.",
- *migration_allowed ? " (legacy)" : "");
- } else {
- INFO("Using NVRAM as system key; finalization needed.");
- }
- return rc;
- }
-
- if (get_key_from_cmdline(digest)) {
- INFO("Using kernel command line argument as system key.");
- return 1;
- }
- if (g_file_get_contents("/sys/class/dmi/id/product_uuid",
- &key, &length, NULL)) {
- sha256(key, digest);
- debug_dump_hex("system key", digest, DIGEST_LENGTH);
- g_free(key);
- INFO("Using UUID as system key.");
- return 1;
- }
-
- INFO("Using default insecure system key.");
- sha256((char *)kStaticKeyDefault, digest);
- debug_dump_hex("system key", digest, DIGEST_LENGTH);
- return 1;
-}
-
-/* Returns 1 on success, 0 on failure. */
-static int get_random_bytes_tpm(unsigned char *buffer, int wanted)
-{
- uint32_t remaining = wanted;
-
- tpm_init();
- /* Read random bytes from TPM, which can return short reads. */
- while (remaining) {
- uint32_t result, size;
-
- result = TlclGetRandom(buffer + (wanted - remaining),
- remaining, &size);
- if (result != TPM_SUCCESS || size > remaining) {
- ERROR("TPM GetRandom failed: error 0x%02x.", result);
- return 0;
- }
- remaining -= size;
- }
-
- return 1;
-}
-
-/* Returns 1 on success, 0 on failure. */
-static int get_random_bytes(unsigned char *buffer, int wanted)
-{
- if (has_tpm && get_random_bytes_tpm(buffer, wanted))
- return 1;
-
- if (RAND_bytes(buffer, wanted))
- return 1;
- SSL_ERROR("RAND_bytes");
-
- return 0;
-}
-
-static char *choose_encryption_key(void)
-{
- unsigned char rand_bytes[DIGEST_LENGTH];
- unsigned char digest[DIGEST_LENGTH];
-
- if (!get_random_bytes(rand_bytes, sizeof(rand_bytes)))
- ERROR("No entropy source found -- using uninitialized stack");
-
- SHA256(rand_bytes, DIGEST_LENGTH, digest);
- debug_dump_hex("encryption key", digest, DIGEST_LENGTH);
-
- return stringify_hex(digest, DIGEST_LENGTH);
-}
-
-static int check_bind(struct bind_mount *bind, enum bind_dir dir)
-{
- struct passwd *user;
- struct group *group;
- const gchar *target;
-
- if (dir == BIND_SOURCE)
- target = bind->src;
- else
- target = bind->dst;
-
- if (access(target, R_OK) && mkdir(target, bind->mode)) {
- PERROR("mkdir(%s)", target);
- return -1;
- }
-
- /* Destination may be on read-only filesystem, so skip tweaks. */
- if (dir == BIND_DEST)
- return 0;
-
- if (!(user = getpwnam(bind->owner))) {
- PERROR("getpwnam(%s)", bind->owner);
- return -1;
- }
- if (!(group = getgrnam(bind->group))) {
- PERROR("getgrnam(%s)", bind->group);
- return -1;
- }
-
- /* Must do explicit chmod since mkdir()'s mode respects umask. */
- if (chmod(target, bind->mode)) {
- PERROR("chmod(%s)", target);
- return -1;
- }
- if (chown(target, user->pw_uid, group->gr_gid)) {
- PERROR("chown(%s)", target);
- return -1;
- }
-
- return 0;
-}
-
-static int migrate_contents(struct bind_mount *bind,
- enum migration_method method)
-{
- const gchar *previous = NULL;
- const gchar *pending = NULL;
- gchar *dotdir;
-
- /* Skip migration if the previous bind sources are missing. */
- if (bind->pending && access(bind->pending, R_OK) == 0)
- pending = bind->pending;
- if (bind->previous && access(bind->previous, R_OK) == 0)
- previous = bind->previous;
- if (!pending && !previous)
- return 0;
-
- /* Pretend migration happened. */
- if (method == MIGRATE_TEST_ONLY)
- return 1;
-
- check_bind(bind, BIND_SOURCE);
-
- /* Prefer the pending-delete location when doing migration. */
- if (!(dotdir = g_strdup_printf("%s/.", pending ? pending : previous))) {
- PERROR("g_strdup_printf");
- goto mark_for_removal;
- }
-
- INFO("Migrating bind mount contents %s to %s.", dotdir, bind->src);
- const gchar *cp[] = {
- "/bin/cp", "-a",
- dotdir,
- bind->src,
- NULL
- };
-
- if (runcmd(cp, NULL) != 0) {
- /* If the copy failed, it may have partially populated the
- * new source, so we need to remove the new source and
- * rebuild it. Regardless, the previous source must be removed
- * as well.
- */
- INFO("Failed to migrate %s to %s!", dotdir, bind->src);
- remove_tree(bind->src);
- check_bind(bind, BIND_SOURCE);
- }
-
-mark_for_removal:
- g_free(dotdir);
-
- /* The removal of the previous directory needs to happen at finalize
- * time, otherwise /var state gets lost on a migration if the
- * system is powered off before the encryption key is saved. Instead,
- * relocate the directory so it can be removed (or re-migrated).
- */
-
- if (previous) {
- /* If both pending and previous directory exists, we must
- * remove previous entirely now so it stops taking up disk
- * space. The pending area will stay pending to be deleted
- * later.
- */
- if (pending)
- remove_tree(pending);
- if (rename(previous, bind->pending)) {
- PERROR("rename(%s,%s)", previous, bind->pending);
- }
- }
-
- /* As noted above, failures are unrecoverable, so getting here means
- * "we're done" more than "it worked".
- */
- return 1;
-}
-
-static void finalized(void)
-{
- /* TODO(keescook): once ext4 supports secure delete, just unlink. */
- if (access(needs_finalization_path, R_OK) == 0) {
- /* This is nearly useless on SSDs. */
- shred(needs_finalization_path);
- unlink(needs_finalization_path);
- }
-}
-
-static void finalize(uint8_t *system_key, char *encryption_key)
-{
- struct bind_mount *bind;
-
- INFO("Writing keyfile %s.", key_path);
- if (!keyfile_write(key_path, system_key, encryption_key)) {
- ERROR("Failed to write %s -- aborting.", key_path);
- return;
- }
-
- finalized();
-
- for (bind = bind_mounts; bind->src; ++ bind) {
- if (!bind->pending || access(bind->pending, R_OK))
- continue;
- INFO("Removing %s.", bind->pending);
-#if DEBUG_ENABLED
- continue;
-#endif
- remove_tree(bind->pending);
- }
-}
-
-static void needs_finalization(char *encryption_key)
-{
- uint8_t useless_key[DIGEST_LENGTH];
- sha256((char *)kStaticKeyFinalizationNeeded, useless_key);
-
- INFO("Writing finalization intent %s.", needs_finalization_path);
- if (!keyfile_write(needs_finalization_path, useless_key,
- encryption_key)) {
- ERROR("Failed to write %s -- aborting.",
- needs_finalization_path);
- return;
- }
-}
-
-/* This triggers the live encryption key to be written to disk, encrypted
- * by the system key. It is intended to be called by Cryptohome once the
- * TPM is done being set up. If the system key is passed as an argument,
- * use it, otherwise attempt to query the TPM again.
- */
-static int finalize_from_cmdline(char *key)
-{
- uint8_t system_key[DIGEST_LENGTH];
- char *encryption_key;
- int migrate;
-
- /* Early sanity-check to see if the encrypted device exists,
- * instead of failing at the end of this function.
- */
- if (access(dmcrypt_dev, R_OK)) {
- ERROR("'%s' does not exist, giving up.", dmcrypt_dev);
- return EXIT_FAILURE;
- }
-
- if (key) {
- if (strlen(key) != 2 * DIGEST_LENGTH) {
- ERROR("Invalid key length.");
- return EXIT_FAILURE;
- }
-
- if (!hexify_string(key, system_key, DIGEST_LENGTH)) {
- ERROR("Failed to convert hex string to byte array");
- return EXIT_FAILURE;
- }
- } else {
- /* Factory mode will never call finalize from the command
- * line, so force Production mode here.
- */
- if (!find_system_key(kModeProduction, system_key, &migrate)) {
- ERROR("Could not locate system key.");
- return EXIT_FAILURE;
- }
- }
-
- encryption_key = dm_get_key(dmcrypt_dev);
- if (!encryption_key) {
- ERROR("Could not locate encryption key for %s.", dmcrypt_dev);
- return EXIT_FAILURE;
- }
-
- finalize(system_key, encryption_key);
-
- return EXIT_SUCCESS;
-}
-
-static void spawn_resizer(const char *device, uint64_t blocks,
- uint64_t blocks_max)
-{
- pid_t pid;
-
- /* Skip resize before forking, if it's not going to happen. */
- if (blocks >= blocks_max) {
- INFO("Resizing skipped. blocks:%" PRIu64 " >= blocks_max:%" PRIu64,
- blocks, blocks_max);
- return;
- }
-
- fflush(NULL);
- pid = fork();
- if (pid < 0) {
- PERROR("fork");
- return;
- }
- if (pid != 0) {
- INFO("Started filesystem resizing process %d.", pid);
- return;
- }
-
- /* Child */
- tpm_close();
- INFO_INIT("Resizer spawned.");
-
- if (daemon(0, 1)) {
- PERROR("daemon");
- goto out;
- }
-
- filesystem_resize(device, blocks, blocks_max);
-
-out:
- INFO_DONE("Done.");
- exit(0);
-}
-
-/* Do all the work needed to actually set up the encrypted partition.
- * Takes "mode" argument to help determine where the system key should
- * come from.
- */
-static int setup_encrypted(int mode)
-{
- int has_system_key;
- uint8_t system_key[DIGEST_LENGTH];
- char *encryption_key = NULL;
- int migrate_allowed = 0, migrate_needed = 0, rebuild = 0;
- gchar *lodev = NULL;
- uint64_t sectors;
- struct bind_mount *bind;
- int sparsefd;
- struct statvfs stateful_statbuf;
- uint64_t blocks_min, blocks_max;
- int valid_keyfile = 0;
-
- /* Use the "system key" to decrypt the "encryption key" stored in
- * the stateful partition.
- */
- has_system_key = find_system_key(mode, system_key, &migrate_allowed);
- if (has_system_key) {
- encryption_key = keyfile_read(key_path, system_key);
- } else {
- INFO("No usable system key found.");
- }
-
- if (encryption_key) {
- /* If we found a stored encryption key, we've already
- * finished a complete login and Cryptohome Finalize
- * so migration is finished.
- */
- migrate_allowed = 0;
- valid_keyfile = 1;
- } else {
- uint8_t useless_key[DIGEST_LENGTH];
- sha256((char *)kStaticKeyFinalizationNeeded, useless_key);
- encryption_key = keyfile_read(needs_finalization_path,
- useless_key);
- if (!encryption_key) {
- /* This is a brand new system with no keys. */
- INFO("Generating new encryption key.");
- encryption_key = choose_encryption_key();
- if (!encryption_key)
- return 0;
- rebuild = 1;
- } else {
- ERROR("Finalization unfinished! " \
- "Encryption key still on disk!");
- }
- }
-
- if (rebuild) {
- uint64_t fs_bytes_max;
-
- /* Wipe out the old files, and ignore errors. */
- unlink(key_path);
- unlink(block_path);
-
- /* Calculate the desired size of the new partition. */
- if (statvfs(stateful_mount, &stateful_statbuf)) {
- PERROR(stateful_mount);
- return 0;
- }
- fs_bytes_max = stateful_statbuf.f_blocks;
- fs_bytes_max *= kSizePercent;
- fs_bytes_max *= stateful_statbuf.f_frsize;
-
- INFO("Creating sparse backing file with size %" PRIu64 ".",
- fs_bytes_max);
-
- /* Create the sparse file. */
- sparsefd = sparse_create(block_path, fs_bytes_max);
- if (sparsefd < 0) {
- PERROR(block_path);
- return 0;
- }
- } else {
- sparsefd = open(block_path, O_RDWR | O_NOFOLLOW);
- if (sparsefd < 0) {
- PERROR(block_path);
- return 0;
- }
- }
-
- /* Set up loopback device. */
- INFO("Loopback attaching %s (named %s).", block_path, dmcrypt_name);
- lodev = loop_attach(sparsefd, dmcrypt_name);
- if (!lodev || strlen(lodev) == 0) {
- ERROR("loop_attach failed");
- goto failed;
- }
-
- /* Get size as seen by block device. */
- sectors = blk_size(lodev) / kSectorSize;
- if (!sectors) {
- ERROR("Failed to read device size");
- goto lo_cleanup;
- }
-
- /* Mount loopback device with dm-crypt using the encryption key. */
- INFO("Setting up dm-crypt %s as %s.", lodev, dmcrypt_dev);
- if (!dm_setup(sectors, encryption_key, dmcrypt_name, lodev,
- dmcrypt_dev, kCryptAllowDiscard)) {
- /* If dm_setup() fails, it could be due to lacking
- * "allow_discard" support, so try again with discard
- * disabled. There doesn't seem to be a way to query
- * the kernel for this feature short of a fallible
- * version test or just trying to set up the dm table
- * again, so do the latter.
- */
- if (!dm_setup(sectors, encryption_key, dmcrypt_name, lodev,
- dmcrypt_dev, !kCryptAllowDiscard)) {
- ERROR("dm_setup failed");
- goto lo_cleanup;
- }
- INFO("%s: dm-crypt does not support discard; disabling.",
- dmcrypt_dev);
- }
-
- /* Decide now if any migration will happen. If so, we will not
- * grow the new filesystem in the background, since we need to
- * copy the contents over before /var is valid again.
- */
- if (!rebuild)
- migrate_allowed = 0;
- if (migrate_allowed) {
- for (bind = bind_mounts; bind->src; ++ bind) {
- if (migrate_contents(bind, MIGRATE_TEST_ONLY))
- migrate_needed = 1;
- }
- }
-
- /* Calculate filesystem min/max size. */
- blocks_max = sectors / (kExt4BlockSize / kSectorSize);
- blocks_min = kExt4MinBytes / kExt4BlockSize;
- if (migrate_needed && migrate_allowed) {
- uint64_t fs_bytes_min;
- uint64_t calc_blocks_min;
- /* When doing a migration, the new filesystem must be
- * large enough to hold what we're going to migrate.
- * Instead of walking the bind mount sources, which would
- * be IO and time expensive, just read the bytes-used
- * value from statvfs (plus 10% for overhead). It will
- * be too large, since it includes the eCryptFS data, so
- * we must cap at the max filesystem size just in case.
- */
-
- /* Bytes used in stateful partition plus 10%. */
- fs_bytes_min = stateful_statbuf.f_blocks -
- stateful_statbuf.f_bfree;
- fs_bytes_min *= stateful_statbuf.f_frsize;
- DEBUG("Stateful bytes used: %" PRIu64 "", fs_bytes_min);
- fs_bytes_min *= kMigrationSizeMultiplier;
-
- /* Minimum blocks needed for that many bytes. */
- calc_blocks_min = fs_bytes_min / kExt4BlockSize;
- /* Do not use more than blocks_max. */
- if (calc_blocks_min > blocks_max)
- calc_blocks_min = blocks_max;
- /* Do not use less than blocks_min. */
- else if (calc_blocks_min < blocks_min)
- calc_blocks_min = blocks_min;
-
- DEBUG("Maximum fs blocks: %" PRIu64 "", blocks_max);
- DEBUG("Minimum fs blocks: %" PRIu64 "", blocks_min);
- DEBUG("Migration blocks chosen: %" PRIu64 "", calc_blocks_min);
- blocks_min = calc_blocks_min;
- }
-
- if (rebuild) {
- INFO("Building filesystem on %s "
- "(blocksize:%" PRIu64 ", min:%" PRIu64 ", max:%" PRIu64 ").",
- dmcrypt_dev, kExt4BlockSize, blocks_min, blocks_max);
- if (!filesystem_build(dmcrypt_dev, kExt4BlockSize,
- blocks_min, blocks_max))
- goto dm_cleanup;
- }
-
- /* Mount the dm-crypt partition finally. */
- INFO("Mounting %s onto %s.", dmcrypt_dev, encrypted_mount);
- if (access(encrypted_mount, R_OK) &&
- mkdir(encrypted_mount, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH)) {
- PERROR(dmcrypt_dev);
- goto dm_cleanup;
- }
- if (mount(dmcrypt_dev, encrypted_mount, kEncryptedFSType,
- MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RELATIME,
- "discard,commit=600")) {
- PERROR("mount(%s,%s)", dmcrypt_dev, encrypted_mount);
- goto dm_cleanup;
- }
-
- /* Always spawn filesystem resizer, in case growth was interrupted. */
- /* TODO(keescook): if already full size, don't resize. */
- spawn_resizer(dmcrypt_dev, blocks_min, blocks_max);
-
- /* If the legacy lockbox NVRAM area exists, we've rebuilt the
- * filesystem, and there are old bind sources on disk, attempt
- * migration.
- */
- if (migrate_needed && migrate_allowed) {
- /* Migration needs to happen before bind mounting because
- * some partitions were not already on the stateful partition,
- * and would be over-mounted by the new bind mount.
- */
- for (bind = bind_mounts; bind->src; ++ bind)
- migrate_contents(bind, MIGRATE_FOR_REAL);
- }
-
- /* Perform bind mounts. */
- for (bind = bind_mounts; bind->src; ++ bind) {
- INFO("Bind mounting %s onto %s.", bind->src, bind->dst);
- if (check_bind(bind, BIND_SOURCE) ||
- check_bind(bind, BIND_DEST))
- goto unbind;
- if (mount(bind->src, bind->dst, "none", MS_BIND, NULL)) {
- PERROR("mount(%s,%s)", bind->src, bind->dst);
- goto unbind;
- }
- }
-
- /* When we are creating the encrypted mount for the first time,
- * either finalize immediately, or write the encryption key to
- * disk (*sigh*) to handle the seemingly endless broken or
- * wedged TPM states.
- */
- if (rebuild) {
- /* Devices that already have the NVRAM area populated and
- * are being rebuilt don't need to wait for Cryptohome
- * because the NVRAM area isn't going to change.
- *
- * Devices that do not have the NVRAM area populated
- * may potentially never have the NVRAM area populated,
- * which means we have to write the encryption key to
- * disk until we finalize. Once secure deletion is
- * supported on ext4, this won't be as horrible.
- */
- if (has_system_key)
- finalize(system_key, encryption_key);
- else
- needs_finalization(encryption_key);
- } else {
- /* If we're not rebuilding and we have a sane system
- * key, then we must either need finalization (if we
- * failed to finalize in Cryptohome), or we have already
- * finalized, but maybe failed to clean up.
- */
- if (has_system_key) {
- if (!valid_keyfile)
- finalize(system_key, encryption_key);
- else
- finalized();
- }
- }
-
- free(lodev);
- return 1;
-
-unbind:
- for (bind = bind_mounts; bind->src; ++ bind) {
- INFO("Unmounting %s.", bind->dst);
- umount(bind->dst);
- }
-
- INFO("Unmounting %s.", encrypted_mount);
- umount(encrypted_mount);
-
-dm_cleanup:
- INFO("Removing %s.", dmcrypt_dev);
- /* TODO(keescook): something holds this open briefly on mkfs failure
- * and I haven't been able to catch it yet. Adding an "fuser" call
- * here is sufficient to lose the race. Instead, just sleep during
- * the error path.
- */
- sleep(1);
- dm_teardown(dmcrypt_dev);
-
-lo_cleanup:
- INFO("Unlooping %s.", lodev);
- loop_detach(lodev);
-
-failed:
- free(lodev);
-
- return 0;
-}
-
-/* Clean up all bind mounts, mounts, attaches, etc. Only the final
- * action informs the return value. This makes it so that failures
- * can be cleaned up from, and continue the shutdown process on a
- * second call. If the loopback cannot be found, claim success.
- */
-static int shutdown(void)
-{
- struct bind_mount *bind;
-
- for (bind = bind_mounts; bind->src; ++ bind) {
- INFO("Unmounting %s.", bind->dst);
- errno = 0;
- /* Allow either success or a "not mounted" failure. */
- if (umount(bind->dst)) {
- if (errno != EINVAL) {
- PERROR("umount(%s)", bind->dst);
- return EXIT_FAILURE;
- }
- }
- }
-
- INFO("Unmounting %s.", encrypted_mount);
- errno = 0;
- /* Allow either success or a "not mounted" failure. */
- if (umount(encrypted_mount)) {
- if (errno != EINVAL) {
- PERROR("umount(%s)", encrypted_mount);
- return EXIT_FAILURE;
- }
- }
-
- /*
- * Force syncs to make sure we don't tickle racey/buggy kernel
- * routines that might be causing crosbug.com/p/17610.
- */
- sync();
-
- /* Optionally run fsck on the device after umount. */
- if (getenv("MOUNT_ENCRYPTED_FSCK")) {
- char *cmd;
-
- if (asprintf(&cmd, "fsck -a %s", dmcrypt_dev) == -1)
- PERROR("asprintf");
- else {
- int rc;
-
- rc = system(cmd);
- if (rc != 0)
- ERROR("'%s' failed: %d", cmd, rc);
- }
- }
-
- INFO("Removing %s.", dmcrypt_dev);
- if (!dm_teardown(dmcrypt_dev))
- ERROR("dm_teardown(%s)", dmcrypt_dev);
- sync();
-
- INFO("Unlooping %s (named %s).", block_path, dmcrypt_name);
- if (!loop_detach_name(dmcrypt_name)) {
- ERROR("loop_detach_name(%s)", dmcrypt_name);
- return EXIT_FAILURE;
- }
- sync();
-
- return EXIT_SUCCESS;
-}
-
-static void check_mount_states(void)
-{
- struct bind_mount *bind;
-
- /* Verify stateful partition exists. */
- if (access(stateful_mount, R_OK)) {
- INFO("%s does not exist.", stateful_mount);
- exit(1);
- }
- /* Verify stateful is either a separate mount, or that the
- * root directory is writable (i.e. a factory install, dev mode
- * where root remounted rw, etc).
- */
- if (same_vfs(stateful_mount, rootdir) && access(rootdir, W_OK)) {
- INFO("%s is not mounted.", stateful_mount);
- exit(1);
- }
-
- /* Verify encrypted partition is missing or not already mounted. */
- if (access(encrypted_mount, R_OK) == 0 &&
- !same_vfs(encrypted_mount, stateful_mount)) {
- INFO("%s already appears to be mounted.", encrypted_mount);
- exit(0);
- }
-
- /* Verify that bind mount targets exist. */
- for (bind = bind_mounts; bind->src; ++ bind) {
- if (access(bind->dst, R_OK)) {
- PERROR("%s mount point is missing.", bind->dst);
- exit(1);
- }
- }
-
- /* Verify that old bind mounts on stateful haven't happened yet. */
- for (bind = bind_mounts; bind->src; ++ bind) {
- if (bind->submount)
- continue;
-
- if (same_vfs(bind->dst, stateful_mount)) {
- INFO("%s already bind mounted.", bind->dst);
- exit(1);
- }
- }
-
- INFO("VFS mount state sanity check ok.");
-}
-
-static int report_info(void)
-{
- uint8_t system_key[DIGEST_LENGTH];
- uint8_t owned = 0;
- struct bind_mount *mnt;
- int migrate = -1;
-
- printf("TPM: %s\n", has_tpm ? "yes" : "no");
- if (has_tpm) {
- printf("TPM Owned: %s\n", tpm_owned(&owned) != TPM_SUCCESS ?
- "fail" : (owned ? "yes" : "no"));
- }
- printf("ChromeOS: %s\n", has_chromefw() ? "yes" : "no");
- printf("CR48: %s\n", is_cr48() ? "yes" : "no");
- if (has_chromefw()) {
- int rc;
- rc = get_nvram_key(system_key, &migrate);
- if (!rc)
- printf("NVRAM: missing.\n");
- else {
- printf("NVRAM: %s, %s.\n",
- migrate ? "legacy" : "modern",
- rc ? "available" : "ignored");
- }
- }
- else {
- printf("NVRAM: not present\n");
- }
-
- printf("rootdir: %s\n", rootdir);
- printf("stateful_mount: %s\n", stateful_mount);
- printf("key_path: %s\n", key_path);
- printf("block_path: %s\n", block_path);
- printf("encrypted_mount: %s\n", encrypted_mount);
- printf("dmcrypt_name: %s\n", dmcrypt_name);
- printf("dmcrypt_dev: %s\n", dmcrypt_dev);
- printf("bind mounts:\n");
- for (mnt = bind_mounts; mnt->src; ++mnt) {
- printf("\tsrc:%s\n", mnt->src);
- printf("\tdst:%s\n", mnt->dst);
- printf("\tprevious:%s\n", mnt->previous);
- printf("\tpending:%s\n", mnt->pending);
- printf("\towner:%s\n", mnt->owner);
- printf("\tmode:%o\n", mnt->mode);
- printf("\tsubmount:%d\n", mnt->submount);
- printf("\n");
- }
-
- return EXIT_SUCCESS;
-}
-
-/* This expects "mnt" to be allocated and initialized to NULL bytes. */
-static int dup_bind_mount(struct bind_mount *mnt, struct bind_mount *old,
- char *dir)
-{
- if (old->src && asprintf(&mnt->src, "%s%s", dir, old->src) == -1)
- goto fail;
- if (old->dst && asprintf(&mnt->dst, "%s%s", dir, old->dst) == -1)
- goto fail;
- if (old->previous && asprintf(&mnt->previous, "%s%s", dir,
- old->previous) == -1)
- goto fail;
- if (old->pending && asprintf(&mnt->pending, "%s%s", dir,
- old->pending) == -1)
- goto fail;
- if (!(mnt->owner = strdup(old->owner)))
- goto fail;
- if (!(mnt->group = strdup(old->group)))
- goto fail;
- mnt->mode = old->mode;
- mnt->submount = old->submount;
-
- return 0;
-
-fail:
- perror(__FUNCTION__);
- return 1;
-}
-
-static void prepare_paths(void)
-{
- char *dir = NULL;
- struct bind_mount *old;
- struct bind_mount *mnt;
-
- mnt = bind_mounts = calloc(sizeof(bind_mounts_default) /
- sizeof(*bind_mounts_default),
- sizeof(*bind_mounts_default));
- if (!mnt) {
- perror("calloc");
- exit(1);
- }
-
- if ((dir = getenv("MOUNT_ENCRYPTED_ROOT")) != NULL) {
- unsigned char digest[DIGEST_LENGTH];
- gchar *hex;
-
- if (asprintf(&rootdir, "%s/", dir) == -1)
- goto fail;
-
- /* Generate a shortened hash for non-default cryptnames,
- * which will get re-used in the loopback name, which
- * must be less than 64 (LO_NAME_SIZE) bytes. */
- sha256(dir, digest);
- hex = stringify_hex(digest, sizeof(digest));
- hex[17] = '\0';
- if (asprintf(&dmcrypt_name, "%s_%s", kCryptDevName,
- hex) == -1)
- goto fail;
- g_free(hex);
- } else {
- rootdir = "/";
- if (!(dmcrypt_name = strdup(kCryptDevName)))
- goto fail;
- }
-
- if (asprintf(&stateful_mount, "%s%s", rootdir, STATEFUL_MNT) == -1)
- goto fail;
- if (asprintf(&key_path, "%s%s", rootdir,
- STATEFUL_MNT "/encrypted.key") == -1)
- goto fail;
- if (asprintf(&needs_finalization_path, "%s%s", rootdir,
- STATEFUL_MNT "/encrypted.needs-finalization") == -1)
- goto fail;
- if (asprintf(&block_path, "%s%s", rootdir,
- STATEFUL_MNT "/encrypted.block") == -1)
- goto fail;
- if (asprintf(&encrypted_mount, "%s%s", rootdir, ENCRYPTED_MNT) == -1)
- goto fail;
- if (asprintf(&dmcrypt_dev, "/dev/mapper/%s", dmcrypt_name) == -1)
- goto fail;
-
- for (old = bind_mounts_default; old->src; ++old) {
- if (dup_bind_mount(mnt++, old, rootdir))
- exit(1);
- }
-
- return;
-
-fail:
- perror("asprintf");
- exit(1);
-}
-
-/* Exports NVRAM contents to tmpfs for use by install attributes */
-void nvram_export(uint8_t *data, uint32_t size)
-{
- int fd;
- DEBUG("Export NVRAM contents");
- if (!size || !data)
- return;
- fd = open(kNvramExport, O_WRONLY|O_CREAT|O_EXCL, S_IRUSR|S_IWUSR);
- if (fd < 0) {
- perror("open(nvram_export)");
- return;
- }
- if (write(fd, data, size) != size) {
- /* Don't leave broken files around */
- unlink(kNvramExport);
- }
- close(fd);
-}
-
-int main(int argc, char *argv[])
-{
- int okay;
- int mode = kModeProduction;
-
- INFO_INIT("Starting.");
- prepare_paths();
-
- if (argc > 1) {
- if (!strcmp(argv[1], "umount"))
- return shutdown();
- else if (!strcmp(argv[1], "info"))
- return report_info();
- else if (!strcmp(argv[1], "finalize"))
- return finalize_from_cmdline(argc > 2 ? argv[2] : NULL);
- else if (!strcmp(argv[1], "factory"))
- mode = kModeFactory;
- else {
- fprintf(stderr,
- "Usage: %s [info|finalize|umount|factory]\n",
- argv[0]);
- return 1;
- }
- }
-
- check_mount_states();
-
- okay = setup_encrypted(mode);
- /* If we fail, let chromeos_startup handle the stateful wipe. */
-
- if (okay)
- nvram_export(nvram_data, nvram_size);
-
- INFO_DONE("Done.");
-
- /* Continue boot. */
- return okay ? EXIT_SUCCESS : EXIT_FAILURE;
-}
diff --git a/utility/mount-encrypted.h b/utility/mount-encrypted.h
deleted file mode 100644
index e48617d9..00000000
--- a/utility/mount-encrypted.h
+++ /dev/null
@@ -1,144 +0,0 @@
-/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Private header file for mount-encrypted helper tool.
- */
-#ifndef _MOUNT_ENCRYPTED_H_
-#define _MOUNT_ENCRYPTED_H_
-
-/* #define DEBUG_ENABLED 1 */
-#define DEBUG_TIME_DELTA 1
-
-#include <openssl/err.h>
-#include <openssl/sha.h>
-
-#define DIGEST_LENGTH SHA256_DIGEST_LENGTH
-
-#define _ERROR(f, a...) do { \
- fprintf(stderr, "ERROR[pid:%d] %s (%s, %d): ", \
- getpid(), __func__, __FILE__, __LINE__); \
- fprintf(stderr, f, ## a); \
-} while (0)
-#define ERROR(f, a...) do { \
- _ERROR(f, ## a); \
- fprintf(stderr, "\n"); \
- fflush(stderr); \
-} while (0)
-#define PERROR(f, a...) do { \
- _ERROR(f, ## a); \
- fprintf(stderr, ": %s\n", strerror(errno)); \
- fflush(stderr); \
-} while (0)
-
-#define SSL_ERROR(f, a...) do { \
- ERR_load_crypto_strings(); \
- _ERROR(f, ## a); \
- fprintf(stderr, "%s\n", ERR_error_string(ERR_get_error(), NULL)); \
- fflush(stderr); \
-} while (0)
-
-#if DEBUG_ENABLED
-extern struct timeval tick;
-extern struct timeval tick_start;
-# define TICK_INIT() do { \
- gettimeofday(&tick, NULL); \
- tick_start = tick; \
-} while (0)
-# ifdef DEBUG_TIME_DELTA
-/* This timeval helper copied from glibc manual. */
-static inline int timeval_subtract(struct timeval *result,
- struct timeval *x,
- struct timeval *y)
-{
- /* Perform the carry for the later subtraction by updating y. */
- if (x->tv_usec < y->tv_usec) {
- int nsec = (y->tv_usec - x->tv_usec) / 1000000 + 1;
- y->tv_usec -= 1000000 * nsec;
- y->tv_sec += nsec;
- }
- if (x->tv_usec - y->tv_usec > 1000000) {
- int nsec = (x->tv_usec - y->tv_usec) / 1000000;
- y->tv_usec += 1000000 * nsec;
- y->tv_sec -= nsec;
- }
-
- /* Compute the time remaining to wait.
- * tv_usec is certainly positive.
- */
- result->tv_sec = x->tv_sec - y->tv_sec;
- result->tv_usec = x->tv_usec - y->tv_usec;
-
- /* Return 1 if result is negative. */
- return x->tv_sec < y->tv_sec;
-}
-# define TICK_REPORT() do { \
- struct timeval now, diff; \
- gettimeofday(&now, NULL); \
- timeval_subtract(&diff, &now, &tick); \
- printf("\tTook: [pid:%d, %2lu.%06lus]\n", getpid(), \
- (unsigned long)diff.tv_sec, (unsigned long)diff.tv_usec); \
- tick = now; \
-} while (0)
-# else
-# define TICK_REPORT() do { \
- gettimeofday(&tick, NULL); \
- printf("[%2d.%06d] ", (int)tick.tv_sec, (int)tick.tv_usec); \
-} while (0)
-# endif
-# define TICK_DONE() do { \
- struct timeval tick_done; \
- TICK_REPORT(); \
- timeval_subtract(&tick_done, &tick, &tick_start); \
- printf("Process Lifetime: [pid:%d, %2d.%06ds]\n", getpid(), \
- (int)tick_done.tv_sec, (int)tick_done.tv_usec); \
-} while (0)
-#else
-# define TICK_INIT() do { } while (0)
-# define TICK_REPORT() do { } while (0)
-# define TICK_DONE() do { } while (0)
-#endif
-
-#define _INFO(f, a...) do { \
- printf("[pid:%d] ", getpid()); \
- printf(f, ## a); \
- printf("\n"); \
- fflush(stdout); \
-} while (0)
-#define INFO(f, a...) do { \
- TICK_REPORT(); \
- _INFO(f, ## a); \
-} while (0)
-#define INFO_INIT(f, a...) do { \
- TICK_INIT(); \
- INFO(f, ## a); \
-} while (0)
-#define INFO_DONE(f, a...) do { \
- TICK_DONE(); \
- INFO(f, ## a); \
-} while (0)
-#if DEBUG_ENABLED
-# define DEBUG(f, a...) do { \
- TICK_REPORT(); \
- _INFO(f, ## a); \
-} while (0)
-#else
-# define DEBUG(f, a...) do { } while (0)
-#endif
-
-#if DEBUG_ENABLED
-static inline void debug_dump_hex(const char *name, uint8_t *data,
- uint32_t size)
-{
- int i;
- printf("%s: ", name);
- for (i = 0; i < size; i++) {
- printf("%02x ", data[i]);
- }
- printf("\n");
-}
-#else
-# define debug_dump_hex(n, d, s) do { } while (0)
-#endif
-
-#endif /* _MOUNT_ENCRYPTED_H_ */
diff --git a/utility/mount-helpers.c b/utility/mount-helpers.c
deleted file mode 100644
index aed5ef06..00000000
--- a/utility/mount-helpers.c
+++ /dev/null
@@ -1,803 +0,0 @@
-/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * This is a collection of helper utilities for use with the "mount-encrypted"
- * utility.
- *
- */
-#define _GNU_SOURCE
-#define _FILE_OFFSET_BITS 64
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <math.h>
-#include <sys/ioctl.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <sys/mount.h>
-#include <linux/fs.h>
-#include <linux/loop.h>
-
-#include <glib.h>
-#include <glib/gstdio.h>
-
-#include <openssl/evp.h>
-
-#include "mount-encrypted.h"
-#include "mount-helpers.h"
-
-static const gchar * const kRootDir = "/";
-static const gchar * const kLoopTemplate = "/dev/loop%d";
-static const int kLoopMajor = 7;
-static const int kLoopMax = 8;
-static const unsigned int kResizeStepSeconds = 2;
-static const uint64_t kResizeBlocks = 32768 * 10;
-static const uint64_t kBlocksPerGroup = 32768;
-static const uint64_t kInodeRatioDefault = 16384;
-static const uint64_t kInodeRatioMinimum = 2048;
-static const gchar * const kExt4ExtendedOptions = "discard,lazy_itable_init";
-
-int remove_tree(const char *tree)
-{
- const gchar *rm[] = {
- "/bin/rm", "-rf", tree,
- NULL
- };
-
- return runcmd(rm, NULL);
-}
-
-uint64_t blk_size(const char *device)
-{
- uint64_t bytes;
- int fd;
- if ((fd = open(device, O_RDONLY | O_NOFOLLOW)) < 0) {
- PERROR("open(%s)", device);
- return 0;
- }
- if (ioctl(fd, BLKGETSIZE64, &bytes)) {
- PERROR("ioctl(%s, BLKGETSIZE64)", device);
- return 0;
- }
- close(fd);
- return bytes;
-}
-
-int runcmd(const gchar *argv[], gchar **output)
-{
- gint rc;
- gchar *out = NULL, *errout = NULL;
- GError *err = NULL;
-
- g_spawn_sync(kRootDir, (gchar **)argv, NULL, 0, NULL, NULL,
- &out, &errout, &rc, &err);
- if (err) {
- ERROR("%s: %s", argv[0], err->message);
- g_error_free(err);
- return -1;
- }
-
- if (rc)
- ERROR("%s failed (%d)\n%s\n%s", argv[0], rc, out, errout);
-
- if (output)
- *output = out;
- else
- g_free(out);
- g_free(errout);
-
- return rc;
-}
-
-int same_vfs(const char *mnt_a, const char *mnt_b)
-{
- struct stat stat_a, stat_b;
-
- if (lstat(mnt_a, &stat_a)) {
- PERROR("lstat(%s)", mnt_a);
- exit(1);
- }
- if (lstat(mnt_b, &stat_b)) {
- PERROR("lstat(%s)", mnt_b);
- exit(1);
- }
- return (stat_a.st_dev == stat_b.st_dev);
-}
-
-/* Returns allocated string that holds [length]*2 + 1 characters. */
-char *stringify_hex(uint8_t *binary, size_t length)
-{
- char *string;
- size_t i;
-
- string = malloc(length * 2 + 1);
- if (!string) {
- PERROR("malloc");
- return NULL;
- }
- for (i = 0; i < length; ++i)
- sprintf(string + (i * 2), "%02x", binary[i]);
- string[length * 2] = '\0';
-
- return string;
-}
-
-/* Returns allocated byte array that holds strlen([string])/2 bytes. */
-uint8_t *hexify_string(char *string, uint8_t *binary, size_t length)
-{
- size_t bytes, i;
-
- bytes = strlen(string) / 2;
- if (bytes > length) {
- ERROR("Hex string too long (%zu) for byte array (%zu)",
- bytes, length);
- return NULL;
- }
-
- for (i = 0; i < bytes; ++i) {
- if (sscanf(&string[i * 2], "%2hhx", &binary[i]) != 1) {
- ERROR("Invalid hex code at byte %zu.", i);
- return NULL;
- }
- }
-
- return binary;
-}
-
-/* Overwrite file contents. Useless on SSD. :( */
-void shred(const char *pathname)
-{
- uint8_t patterns[] = { 0xA5, 0x5A, 0xFF, 0x00 };
- FILE *target;
- struct stat info;
- uint8_t *pattern;
- int fd, i;
-
- /* Give up if we can't safely open or stat the target. */
- if ((fd = open(pathname, O_WRONLY | O_NOFOLLOW)) < 0) {
- PERROR(pathname);
- return;
- }
- if (fstat(fd, &info)) {
- close(fd);
- PERROR(pathname);
- return;
- }
- if (!(target = fdopen(fd, "w"))) {
- close(fd);
- PERROR(pathname);
- return;
- }
- /* Ignore errors here, since there's nothing we can really do. */
- pattern = malloc(info.st_size);
- for (i = 0; i < sizeof(patterns); ++i) {
- memset(pattern, patterns[i], info.st_size);
- if (fseek(target, 0, SEEK_SET))
- PERROR(pathname);
- if (fwrite(pattern, info.st_size, 1, target) != 1)
- PERROR(pathname);
- if (fflush(target))
- PERROR(pathname);
- if (fdatasync(fd))
- PERROR(pathname);
- }
- free(pattern);
- /* fclose() closes the fd too. */
- fclose(target);
-}
-
-static int is_loop_device(int fd)
-{
- struct stat info;
-
- return (fstat(fd, &info) == 0 && S_ISBLK(info.st_mode) &&
- major(info.st_rdev) == kLoopMajor);
-}
-
-static int loop_is_attached(int fd, struct loop_info64 *info)
-{
- struct loop_info64 local_info;
-
- return ioctl(fd, LOOP_GET_STATUS64, info ? info : &local_info) == 0;
-}
-
-/* Returns either the matching loopback name, or next available, if NULL. */
-static int loop_locate(gchar **loopback, const char *name)
-{
- int i, fd, namelen = 0;
-
- if (name) {
- namelen = strlen(name);
- if (namelen >= LO_NAME_SIZE) {
- ERROR("'%s' too long (>= %d)", name, LO_NAME_SIZE);
- return -1;
- }
- }
-
- *loopback = NULL;
- for (i = 0; i < kLoopMax; ++i) {
- struct loop_info64 info;
- int attached;
-
- g_free(*loopback);
- *loopback = g_strdup_printf(kLoopTemplate, i);
- if (!*loopback) {
- PERROR("g_strdup_printf");
- return -1;
- }
-
- fd = open(*loopback, O_RDONLY | O_NOFOLLOW);
- if (fd < 0) {
- PERROR("open(%s)", *loopback);
- goto failed;
- }
- if (!is_loop_device(fd)) {
- close(fd);
- continue;
- }
-
- memset(&info, 0, sizeof(info));
- attached = loop_is_attached(fd, &info);
- close(fd);
-
- if (attached)
- DEBUG("Saw %s on %s", info.lo_file_name, *loopback);
-
- if ((attached && name &&
- strncmp((char *)info.lo_file_name, name, namelen) == 0) ||
- (!attached && !name)) {
- DEBUG("Using %s", *loopback);
- /* Reopen for working on it. */
- fd = open(*loopback, O_RDWR | O_NOFOLLOW);
- if (is_loop_device(fd) &&
- loop_is_attached(fd, NULL) == attached)
- return fd;
- }
- }
- ERROR("Ran out of loopback devices");
-
-failed:
- g_free(*loopback);
- *loopback = NULL;
- return -1;
-}
-
-static int loop_detach_fd(int fd)
-{
- if (ioctl(fd, LOOP_CLR_FD, 0)) {
- PERROR("LOOP_CLR_FD");
- return 0;
- }
- return 1;
-}
-
-int loop_detach(const gchar *loopback)
-{
- int fd, rc = 1;
-
- fd = open(loopback, O_RDONLY | O_NOFOLLOW);
- if (fd < 0) {
- PERROR("open(%s)", loopback);
- return 0;
- }
- if (!is_loop_device(fd) || !loop_is_attached(fd, NULL) ||
- !loop_detach_fd(fd))
- rc = 0;
-
- close (fd);
- return rc;
-}
-
-int loop_detach_name(const char *name)
-{
- gchar *loopback = NULL;
- int loopfd, rc;
-
- loopfd = loop_locate(&loopback, name);
- if (loopfd < 0)
- return 0;
- rc = loop_detach_fd(loopfd);
-
- close(loopfd);
- g_free(loopback);
- return rc;
-}
-
-/* Closes fd, returns name of loopback device pathname. */
-gchar *loop_attach(int fd, const char *name)
-{
- gchar *loopback = NULL;
- int loopfd;
- struct loop_info64 info;
-
- loopfd = loop_locate(&loopback, NULL);
- if (loopfd < 0)
- return NULL;
- if (ioctl(loopfd, LOOP_SET_FD, fd) < 0) {
- PERROR("LOOP_SET_FD");
- goto failed;
- }
-
- memset(&info, 0, sizeof(info));
- strncpy((char*)info.lo_file_name, name, LO_NAME_SIZE);
- if (ioctl(loopfd, LOOP_SET_STATUS64, &info)) {
- PERROR("LOOP_SET_STATUS64");
- goto failed;
- }
-
- close(loopfd);
- close(fd);
- return loopback;
-failed:
- close(loopfd);
- close(fd);
- g_free(loopback);
- return 0;
-}
-
-int dm_setup(uint64_t sectors, const gchar *encryption_key, const char *name,
- const gchar *device, const char *path, int discard)
-{
- /* Mount loopback device with dm-crypt using the encryption key. */
- gchar *table = g_strdup_printf("0 %" PRIu64 " crypt " \
- "aes-cbc-essiv:sha256 %s " \
- "0 %s 0%s",
- sectors,
- encryption_key,
- device,
- discard ? " 1 allow_discards" : "");
- if (!table) {
- PERROR("g_strdup_printf");
- return 0;
- }
-
- const gchar *argv[] = {
- "/sbin/dmsetup",
- "create", name,
- "--noudevrules", "--noudevsync",
- "--table", table,
- NULL
- };
-
- /* TODO(keescook): replace with call to libdevmapper. */
- if (runcmd(argv, NULL) != 0) {
- g_free(table);
- return 0;
- }
- g_free(table);
-
- /* Make sure the dm-crypt device showed up. */
- if (access(path, R_OK)) {
- ERROR("%s does not exist", path);
- return 0;
- }
-
- return 1;
-}
-
-int dm_teardown(const gchar *device)
-{
- const char *argv[] = {
- "/sbin/dmsetup",
- "remove", device,
- "--noudevrules", "--noudevsync",
- NULL
- };
- /* TODO(keescook): replace with call to libdevmapper. */
- if (runcmd(argv, NULL) != 0)
- return 0;
- return 1;
-}
-
-char *dm_get_key(const gchar *device)
-{
- gchar *output = NULL;
- char *key;
- int i;
- const char *argv[] = {
- "/sbin/dmsetup",
- "table", "--showkeys",
- device,
- NULL
- };
- /* TODO(keescook): replace with call to libdevmapper. */
- if (runcmd(argv, &output) != 0)
- return NULL;
-
- /* Key is 4th field in the output. */
- for (i = 0, key = strtok(output, " ");
- i < 4 && key;
- ++i, key = strtok(NULL, " ")) { }
-
- /* Create a copy of the key and free the output buffer. */
- if (key) {
- key = strdup(key);
- g_free(output);
- }
-
- return key;
-}
-
-int sparse_create(const char *path, uint64_t bytes)
-{
- int sparsefd;
-
- sparsefd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW,
- S_IRUSR | S_IWUSR);
- if (sparsefd < 0)
- goto out;
-
- if (ftruncate(sparsefd, bytes)) {
- int saved_errno = errno;
-
- close(sparsefd);
- unlink(path);
- errno = saved_errno;
-
- sparsefd = -1;
- }
-
-out:
- return sparsefd;
-}
-
-/* When creating a filesystem that will grow, the inode ratio is calculated
- * using the starting size not the hinted "resize" size, which means the
- * number of inodes can be highly constrained on tiny starting filesystems.
- * Instead, calculate what the correct inode ratio should be for a given
- * filesystem based on its expected starting and ending sizes.
- *
- * inode-ratio_mkfs =
- *
- * ceil(blocks_max / group-ratio) * size_mkfs
- * ------------------------------------------------------------------
- * ceil(size_max / inode-ratio_max) * ceil(blocks_mkfs / group-ratio)
- */
-static uint64_t get_inode_ratio(uint64_t block_bytes_in,
- uint64_t blocks_mkfs_in,
- uint64_t blocks_max_in)
-{
- double block_bytes = (double)block_bytes_in;
- double blocks_mkfs = (double)blocks_mkfs_in;
- double blocks_max = (double)blocks_max_in;
-
- double size_max, size_mkfs, groups_max, groups_mkfs, inodes_max;
- double denom, inode_ratio_mkfs;
-
- size_max = block_bytes * blocks_max;
- size_mkfs = block_bytes * blocks_mkfs;
-
- groups_max = ceil(blocks_max / kBlocksPerGroup);
- groups_mkfs = ceil(blocks_mkfs / kBlocksPerGroup);
-
- inodes_max = ceil(size_max / kInodeRatioDefault);
-
- denom = inodes_max * groups_mkfs;
- /* Make sure we never trigger divide-by-zero. */
- if (denom == 0.0)
- goto failure;
- inode_ratio_mkfs = (groups_max * size_mkfs) / denom;
-
- /* Make sure we never calculate anything totally huge. */
- if (inode_ratio_mkfs > blocks_mkfs)
- goto failure;
- /* Make sure we never calculate anything totally tiny. */
- if (inode_ratio_mkfs < kInodeRatioMinimum)
- goto failure;
-
- return (uint64_t)inode_ratio_mkfs;
-
-failure:
- return kInodeRatioDefault;
-}
-
-/* Creates an ext4 filesystem.
- * device: path to block device to create filesystem on.
- * block_bytes: bytes per block to use for filesystem.
- * blocks_min: starting number of blocks on filesystem.
- * blocks_max: largest expected size in blocks of filesystem, for growth hints.
- *
- * Returns 1 on success, 0 on failure.
- */
-int filesystem_build(const char *device, uint64_t block_bytes,
- uint64_t blocks_min, uint64_t blocks_max)
-{
- int rc = 0;
- uint64_t inode_ratio;
-
- gchar *blocksize = g_strdup_printf("%" PRIu64, block_bytes);
- if (!blocksize) {
- PERROR("g_strdup_printf");
- goto out;
- }
-
- gchar *blocks_str;
- blocks_str = g_strdup_printf("%" PRIu64, blocks_min);
- if (!blocks_str) {
- PERROR("g_strdup_printf");
- goto free_blocksize;
- }
-
- gchar *extended;
- if (blocks_min < blocks_max) {
- extended = g_strdup_printf("%s,resize=%" PRIu64,
- kExt4ExtendedOptions, blocks_max);
- } else {
- extended = g_strdup_printf("%s", kExt4ExtendedOptions);
- }
- if (!extended) {
- PERROR("g_strdup_printf");
- goto free_blocks_str;
- }
-
- inode_ratio = get_inode_ratio(block_bytes, blocks_min, blocks_max);
- gchar *inode_ratio_str = g_strdup_printf("%" PRIu64, inode_ratio);
- if (!inode_ratio_str) {
- PERROR("g_strdup_printf");
- goto free_extended;
- }
-
- const gchar *mkfs[] = {
- "/sbin/mkfs.ext4",
- "-T", "default",
- "-b", blocksize,
- "-m", "0",
- "-O", "^huge_file,^flex_bg",
- "-i", inode_ratio_str,
- "-E", extended,
- device,
- blocks_str,
- NULL
- };
-
- rc = (runcmd(mkfs, NULL) == 0);
- if (!rc)
- goto free_inode_ratio_str;
-
- const gchar *tune2fs[] = {
- "/sbin/tune2fs",
- "-c", "0",
- "-i", "0",
- device,
- NULL
- };
- rc = (runcmd(tune2fs, NULL) == 0);
-
-free_inode_ratio_str:
- g_free(inode_ratio_str);
-free_extended:
- g_free(extended);
-free_blocks_str:
- g_free(blocks_str);
-free_blocksize:
- g_free(blocksize);
-out:
- return rc;
-}
-
-/* Spawns a filesystem resizing process. */
-int filesystem_resize(const char *device, uint64_t blocks, uint64_t blocks_max)
-{
- /* Ignore resizing if we know the filesystem was built to max size. */
- if (blocks >= blocks_max) {
- INFO("Resizing aborted. blocks:%" PRIu64 " >= blocks_max:%" PRIu64,
- blocks, blocks_max);
- return 1;
- }
-
- /* TODO(keescook): Read superblock to find out the current size of
- * the filesystem (since statvfs does not report the correct value).
- * For now, instead of doing multi-step resizing, just resize to the
- * full size of the block device in one step.
- */
- blocks = blocks_max;
-
- INFO("Resizing started in %d second steps.", kResizeStepSeconds);
-
- do {
- gchar *blocks_str;
-
- sleep(kResizeStepSeconds);
-
- blocks += kResizeBlocks;
- if (blocks > blocks_max)
- blocks = blocks_max;
-
- blocks_str = g_strdup_printf("%" PRIu64, blocks);
- if (!blocks_str) {
- PERROR("g_strdup_printf");
- return 0;
- }
-
- const gchar *resize[] = {
- "/sbin/resize2fs",
- "-f",
- device,
- blocks_str,
- NULL
- };
-
- INFO("Resizing filesystem on %s to %" PRIu64 ".", device, blocks);
- if (runcmd(resize, NULL)) {
- ERROR("resize2fs failed");
- return 0;
- }
- g_free(blocks_str);
- } while (blocks < blocks_max);
-
- INFO("Resizing finished.");
- return 1;
-}
-
-char *keyfile_read(const char *keyfile, uint8_t *system_key)
-{
- char *key = NULL;
- unsigned char *cipher = NULL;
- gsize length;
- uint8_t *plain = NULL;
- int plain_length, final_len;
- GError *error = NULL;
- EVP_CIPHER_CTX ctx;
- const EVP_CIPHER *algo = EVP_aes_256_cbc();
-
- DEBUG("Reading keyfile %s", keyfile);
- if (EVP_CIPHER_key_length(algo) != DIGEST_LENGTH) {
- ERROR("cipher key size mismatch (got %d, want %d)",
- EVP_CIPHER_key_length(algo), DIGEST_LENGTH);
- goto out;
- }
-
- if (access(keyfile, R_OK)) {
- /* This file being missing is handled in caller, so
- * do not emit error message.
- */
- INFO("%s does not exist.", keyfile);
- goto out;
- }
-
- if (!g_file_get_contents(keyfile, (gchar **)&cipher, &length,
- &error)) {
- ERROR("Unable to read %s: %s", keyfile, error->message);
- g_error_free(error);
- goto out;
- }
- plain = malloc(length + EVP_CIPHER_block_size(algo));
- if (!plain) {
- PERROR("malloc");
- goto free_cipher;
- }
-
- DEBUG("Decrypting keyfile %s", keyfile);
- /* Use the default IV. */
- if (!EVP_DecryptInit(&ctx, algo, system_key, NULL)) {
- SSL_ERROR("EVP_DecryptInit");
- goto free_plain;
- }
- if (!EVP_DecryptUpdate(&ctx, plain, &plain_length, cipher, length)) {
- SSL_ERROR("EVP_DecryptUpdate");
- goto free_ctx;
- }
- if (!EVP_DecryptFinal(&ctx, plain+plain_length, &final_len)) {
- SSL_ERROR("EVP_DecryptFinal");
- goto free_ctx;
- }
- plain_length += final_len;
-
- if (plain_length != DIGEST_LENGTH) {
- ERROR("Decrypted encryption key length (%d) is not %d.",
- plain_length, DIGEST_LENGTH);
- goto free_ctx;
- }
-
- debug_dump_hex("encryption key", plain, DIGEST_LENGTH);
-
- key = stringify_hex(plain, DIGEST_LENGTH);
-
-free_ctx:
- EVP_CIPHER_CTX_cleanup(&ctx);
-free_plain:
- free(plain);
-free_cipher:
- g_free(cipher);
-out:
- DEBUG("key:%p", key);
- return key;
-}
-
-int keyfile_write(const char *keyfile, uint8_t *system_key, char *string)
-{
- int rc = 0;
- size_t length;
- uint8_t plain[DIGEST_LENGTH];
- uint8_t *cipher = NULL;
- int cipher_length, final_len;
- GError *error = NULL;
- EVP_CIPHER_CTX ctx;
- const EVP_CIPHER *algo = EVP_aes_256_cbc();
- mode_t mask;
-
- DEBUG("Staring to process keyfile %s", keyfile);
- /* Have key file be read/write only by root user. */
- mask = umask(0077);
-
- if (EVP_CIPHER_key_length(algo) != DIGEST_LENGTH) {
- ERROR("cipher key size mismatch (got %d, want %d)",
- EVP_CIPHER_key_length(algo), DIGEST_LENGTH);
- goto out;
- }
-
- if (access(keyfile, R_OK) == 0) {
- ERROR("%s already exists.", keyfile);
- goto out;
- }
-
- length = strlen(string);
- if (length != sizeof(plain) * 2) {
- ERROR("Encryption key string length (%zu) is not %zu.",
- length, sizeof(plain) * 2);
- goto out;
- }
-
- length = sizeof(plain);
- if (!hexify_string(string, plain, length)) {
- ERROR("Failed to convert encryption key to byte array");
- goto out;
- }
-
- debug_dump_hex("encryption key", plain, DIGEST_LENGTH);
-
- cipher = malloc(length + EVP_CIPHER_block_size(algo));
- if (!cipher) {
- PERROR("malloc");
- goto out;
- }
-
- DEBUG("Encrypting keyfile %s", keyfile);
- /* Use the default IV. */
- if (!EVP_EncryptInit(&ctx, algo, system_key, NULL)) {
- SSL_ERROR("EVP_EncryptInit");
- goto free_cipher;
- }
- if (!EVP_EncryptUpdate(&ctx, cipher, &cipher_length,
- (unsigned char *)plain, length)) {
- SSL_ERROR("EVP_EncryptUpdate");
- goto free_ctx;
- }
- if (!EVP_EncryptFinal(&ctx, cipher+cipher_length, &final_len)) {
- SSL_ERROR("EVP_EncryptFinal");
- goto free_ctx;
- }
- length = cipher_length + final_len;
-
- DEBUG("Writing %zu bytes to %s", length, keyfile);
- /* TODO(keescook): use fd here, and set secure delete. Unsupported
- * by ext4 currently. :(
- * int f;
- * ioctl(fd, EXT2_IOC_GETFLAGS, &f);
- * f |= EXT2_SECRM_FL;
- * ioctl(fd, EXT2_IOC_SETFLAGS, &f);
- */
- if (!g_file_set_contents(keyfile, (gchar *)cipher, length, &error)) {
- ERROR("Unable to write %s: %s", keyfile, error->message);
- g_error_free(error);
- goto free_ctx;
- }
-
- rc = 1;
-
-free_ctx:
- EVP_CIPHER_CTX_cleanup(&ctx);
-free_cipher:
- free(cipher);
-out:
- umask(mask);
- DEBUG("keyfile write rc:%d", rc);
- return rc;
-}
diff --git a/utility/mount-helpers.h b/utility/mount-helpers.h
deleted file mode 100644
index d2aa1795..00000000
--- a/utility/mount-helpers.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Header file for mount helpers.
- */
-#ifndef _MOUNT_HELPERS_H_
-#define _MOUNT_HELPERS_H_
-
-/* General utility functions. */
-uint64_t blk_size(const char *device);
-int remove_tree(const char *tree);
-int runcmd(const gchar *argv[], gchar **output);
-int same_vfs(const char *mnt_a, const char *mnt_b);
-char *stringify_hex(uint8_t *binary, size_t length);
-uint8_t *hexify_string(char *string, uint8_t *binary, size_t length);
-void shred(const char *keyfile);
-
-/* Loopback device attach/detach helpers. */
-gchar *loop_attach(int fd, const char *name);
-int loop_detach(const gchar *loopback);
-int loop_detach_name(const char *name);
-
-/* Encrypted device mapper setup/teardown. */
-int dm_setup(uint64_t bytes, const gchar *encryption_key, const char *name,
- const gchar *device, const char *path, int discard);
-int dm_teardown(const gchar *device);
-char *dm_get_key(const gchar *device);
-
-/* Sparse file creation. */
-int sparse_create(const char *path, uint64_t bytes);
-
-/* Filesystem creation. */
-int filesystem_build(const char *device, uint64_t block_bytes,
- uint64_t blocks_min, uint64_t blocks_max);
-int filesystem_resize(const char *device, uint64_t blocks, uint64_t blocks_max);
-
-/* Encrypted keyfile handling. */
-char *keyfile_read(const char *keyfile, uint8_t *system_key);
-int keyfile_write(const char *keyfile, uint8_t *system_key, char *plain);
-
-#endif /* _MOUNT_HELPERS_H_ */