From: Maxim Levitsky <mlevitsk@redhat.com>
To: Max Reitz <mreitz@redhat.com>, qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
qemu-block@nongnu.org, "John Snow" <jsnow@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>
Subject: Re: [PATCH v6 02/14] qcrypto/luks: implement encryption key management
Date: Sun, 17 May 2020 11:13:49 +0300 [thread overview]
Message-ID: <07063bb064e00eab5966f015f9cf8767f8afe10e.camel@redhat.com> (raw)
In-Reply-To: <48813eda-4fa9-6988-296d-58793e8b812f@redhat.com>
On Thu, 2020-05-14 at 13:56 +0200, Max Reitz wrote:
> On 10.05.20 15:40, Maxim Levitsky wrote:
> > Next few patches will expose that functionality to the user.
> >
> > Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> > Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > crypto/block-luks.c | 395 +++++++++++++++++++++++++++++++++++++++++++-
> > qapi/crypto.json | 61 ++++++-
> > 2 files changed, 452 insertions(+), 4 deletions(-)
> >
> > diff --git a/crypto/block-luks.c b/crypto/block-luks.c
> > index 4861db810c..967d382882 100644
> > --- a/crypto/block-luks.c
> > +++ b/crypto/block-luks.c
>
> [...]
>
> > @@ -1069,6 +1076,119 @@ qcrypto_block_luks_find_key(QCryptoBlock *block,
> > return -1;
> > }
> >
> > +/*
> > + * Returns true if a slot i is marked as active
> > + * (contains encrypted copy of the master key)
> > + */
> > +static bool
> > +qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
> > + unsigned int slot_idx)
> > +{
> > + uint32_t val = luks->header.key_slots[slot_idx].active;
> > + return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
>
> One space too many after the ==.
Fixed, thanks!
>
> [...]
>
> > +/*
> > + * Erases an keyslot given its index
> > + * Returns:
> > + * 0 if the keyslot was erased successfully
> > + * -1 if a error occurred while erasing the keyslot
> > + *
> > + */
> > +static int
> > +qcrypto_block_luks_erase_key(QCryptoBlock *block,
> > + unsigned int slot_idx,
> > + QCryptoBlockWriteFunc writefunc,
> > + void *opaque,
> > + Error **errp)
> > +{
> > + QCryptoBlockLUKS *luks = block->opaque;
> > + QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[slot_idx];
> > + g_autofree uint8_t *garbagesplitkey = NULL;
> > + size_t splitkeylen = luks->header.master_key_len * slot->stripes;
>
> This accesses header.key_slots[slot_idx] before...
>
> > + size_t i;
> > + Error *local_err = NULL;
> > + int ret;
> > +
> > + assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
>
> ...we assert that slot_idx is in bounds.
Fixed, thanks as well!
There are few more places where I didn't place this assert,
and I added it just in case.
>
> I suppose that’s kind of fine, because assertions aren’t meant to fire
> either, but this basically makes the assertion useless.
>
> > + assert(splitkeylen > 0);
> > + garbagesplitkey = g_new0(uint8_t, splitkeylen);
> > +
> > + /* Reset the key slot header */
> > + memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
> > + slot->iterations = 0;
> > + slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
> > +
> > + ret = qcrypto_block_luks_store_header(block, writefunc,
>
> Superfluous space after the comma.
True, fixed.
>
> > + opaque, &local_err);
> > +
> > + if (ret < 0) {
> > + error_propagate(errp, local_err);
> > + }
>
> error_propagate() is a no-op with local_err == NULL, so you could do
> without checking @ret (just calling error_propagate() unconditionally).
>
> (But who cares, we need to set @ret anyway, so we might as well check it.)
Yep.
>
> [...]
>
> > +static int
> > +qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
> > + QCryptoBlockReadFunc readfunc,
> > + QCryptoBlockWriteFunc writefunc,
> > + void *opaque,
> > + QCryptoBlockAmendOptionsLUKS *opts_luks,
> > + bool force,
> > + Error **errp)
> > +{
> > + QCryptoBlockLUKS *luks = block->opaque;
> > + uint64_t iter_time = opts_luks->has_iter_time ?
> > + opts_luks->iter_time :
> > + QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
> > + int keyslot;
> > + g_autofree char *old_password = NULL;
> > + g_autofree char *new_password = NULL;
> > + g_autofree uint8_t *master_key = NULL;
>
> (I assume we don’t really care about purging secrets from memory after use)
Yep, I tried once fixing this but I decided to just leave it as is,
and later fix in independent patch series, which would need to touch
much that luks (we for example keep the qcrypto secrets in memory as well).
>
> [...]
>
> > +static int
> > +qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
> > + QCryptoBlockReadFunc readfunc,
> > + QCryptoBlockWriteFunc writefunc,
> > + void *opaque,
> > + QCryptoBlockAmendOptionsLUKS *opts_luks,
> > + bool force,
> > + Error **errp)
> > +{
>
> [...]
>
> > + for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
> > + int rv = qcrypto_block_luks_load_key(block,
> > + i,
> > + old_password,
> > + tmpkey,
> > + readfunc,
> > + opaque,
> > + errp);
> > + if (rv == -1) {
> > + return -1;
> > + } else if (rv == 1) {
> > + bitmap_set(&slots_to_erase_bitmap, i, 1);
>
> We should assert that QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
> sizeof(slots_to_erase_bitmap) * 8. As it is, this looks like a possible
> out-of-bounds access on first glance.
OK, fixed.
>
> [...]
>
> > +static int
> > +qcrypto_block_luks_amend_options(QCryptoBlock *block,
> > + QCryptoBlockReadFunc readfunc,
> > + QCryptoBlockWriteFunc writefunc,
> > + void *opaque,
> > + QCryptoBlockAmendOptions *options,
> > + bool force,
> > + Error **errp)
> > +{
> > + QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
> > +
> > + if (opts_luks->state == Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE) {
>
> switch { case } might be nicer to catch unhandled cases. Or else if +
> else { g_assert_not_reached() }.
>
> > + return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
> > + writefunc, opaque,
> > + opts_luks, force, errp);
> > + } else {
> > + return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
> > + writefunc, opaque,
> > + opts_luks, force, errp);
> > + }
> > +}
This function used to contain the whole thing, and was converted to a wrapper at the
final minute, so yeh, I agree, a switch will be nice here.
Done.
>
> [...]
>
> > diff --git a/qapi/crypto.json b/qapi/crypto.json
> > index aeb6c7ef7b..29276e5e5e 100644
> > --- a/qapi/crypto.json
> > +++ b/qapi/crypto.json
> > @@ -1,6 +1,8 @@
> > # -*- Mode: Python -*-
> > #
> >
> > +{ 'include': 'common.json' }
> > +
>
> Why? Seems to compile without it just fine.
Lefover from the days of me using the StrOrNull
Fixed.
>
> Max
>
Thanks for the review!
Best regards,
Maxim Levitsky
next prev parent reply other threads:[~2020-05-17 8:15 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-10 13:40 [PATCH v6 00/14] LUKS: encryption slot management using amend interface Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 01/14] qcrypto/core: add generic infrastructure for crypto options amendment Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 02/14] qcrypto/luks: implement encryption key management Maxim Levitsky
2020-05-14 11:56 ` Max Reitz
2020-05-17 8:13 ` Maxim Levitsky [this message]
2020-05-10 13:40 ` [PATCH v6 03/14] block/amend: add 'force' option Maxim Levitsky
2020-05-14 12:18 ` Max Reitz
2020-05-17 8:15 ` Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 04/14] block/amend: separate amend and create options for qemu-img Maxim Levitsky
2020-05-14 12:28 ` Max Reitz
2020-05-14 16:10 ` Eric Blake
2020-05-15 6:22 ` Max Reitz
2020-05-15 17:24 ` Eric Blake
2020-05-17 8:47 ` Maxim Levitsky
2020-05-17 8:54 ` Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 05/14] block/amend: refactor qcow2 amend options Maxim Levitsky
2020-05-14 13:36 ` Max Reitz
2020-05-17 17:52 ` Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 06/14] block/crypto: rename two functions Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 07/14] block/crypto: implement the encryption key management Maxim Levitsky
2020-05-14 14:09 ` Max Reitz
2020-05-14 14:14 ` Daniel P. Berrangé
2020-05-14 14:32 ` Max Reitz
2020-05-17 17:56 ` Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 08/14] block/qcow2: extend qemu-img amend interface with crypto options Maxim Levitsky
2020-05-14 14:30 ` Max Reitz
2020-05-17 18:03 ` Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 09/14] iotests: filter few more luks specific create options Maxim Levitsky
2020-05-14 14:49 ` Max Reitz
2020-05-17 18:50 ` Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 10/14] iotests: qemu-img tests for luks key management Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 11/14] block/core: add generic infrastructure for x-blockdev-amend qmp command Maxim Levitsky
2020-05-14 15:47 ` Max Reitz
2020-05-18 10:48 ` Maxim Levitsky
2020-05-10 13:40 ` [PATCH v6 12/14] block/crypto: implement blockdev-amend Maxim Levitsky
2020-05-14 16:05 ` Max Reitz
2020-05-10 13:40 ` [PATCH v6 13/14] block/qcow2: " Maxim Levitsky
2020-05-14 16:05 ` Max Reitz
2020-05-10 13:40 ` [PATCH v6 14/14] iotests: add tests for blockdev-amend Maxim Levitsky
2020-05-10 14:37 ` [PATCH v6 00/14] LUKS: encryption slot management using amend interface no-reply
2020-05-10 15:14 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=07063bb064e00eab5966f015f9cf8767f8afe10e.camel@redhat.com \
--to=mlevitsk@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).