1 /* $OpenBSD: uvm_swap_encrypt.c,v 1.12 2003/12/26 10:04:49 markus Exp $ */ 2 3 /* 4 * Copyright 1999 Niels Provos <provos@citi.umich.edu> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by Niels Provos. 18 * 4. The name of the author may not be used to endorse or promote products 19 * derived from this software without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/param.h> 34 #include <sys/systm.h> 35 #include <sys/kernel.h> 36 #include <sys/malloc.h> 37 #include <sys/sysctl.h> 38 #include <sys/time.h> 39 #include <sys/conf.h> 40 #include <dev/rndvar.h> 41 #include <crypto/rijndael.h> 42 43 #include <uvm/uvm.h> 44 45 struct swap_key *kcur = NULL; 46 rijndael_ctx swap_ctxt; 47 48 int uvm_doswapencrypt = 0; 49 u_int uvm_swpkeyscreated = 0; 50 u_int uvm_swpkeysdeleted = 0; 51 52 int swap_encrypt_initialized = 0; 53 54 int 55 swap_encrypt_ctl(name, namelen, oldp, oldlenp, newp, newlen, p) 56 int *name; 57 u_int namelen; 58 void *oldp; 59 size_t *oldlenp; 60 void *newp; 61 size_t newlen; 62 struct proc *p; 63 { 64 /* all sysctl names at this level are terminal */ 65 if (namelen != 1) 66 return (ENOTDIR); /* overloaded */ 67 68 switch (name[0]) { 69 case SWPENC_ENABLE: { 70 int doencrypt = uvm_doswapencrypt; 71 int result; 72 73 result = sysctl_int(oldp, oldlenp, newp, newlen, &doencrypt); 74 if (result) 75 return result; 76 77 /* Swap Encryption has been turned on, we need to 78 * initialize state for swap devices that have been 79 * added 80 */ 81 if (doencrypt) 82 uvm_swap_initcrypt_all(); 83 uvm_doswapencrypt = doencrypt; 84 return (0); 85 } 86 case SWPENC_CREATED: 87 return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeyscreated)); 88 case SWPENC_DELETED: 89 return (sysctl_rdint(oldp, oldlenp, newp, uvm_swpkeysdeleted)); 90 default: 91 return (EOPNOTSUPP); 92 } 93 /* NOTREACHED */ 94 } 95 96 void 97 swap_key_create(struct swap_key *key) 98 { 99 int i; 100 u_int32_t *p = key->key; 101 102 key->refcount = 0; 103 for (i = 0; i < sizeof(key->key) / sizeof(u_int32_t); i++) 104 *p++ = arc4random(); 105 106 uvm_swpkeyscreated++; 107 } 108 109 void 110 swap_key_delete(struct swap_key *key) 111 { 112 /* Make sure that this key gets removed if we just used it */ 113 swap_key_cleanup(key); 114 115 memset(key, 0, sizeof(*key)); 116 uvm_swpkeysdeleted++; 117 } 118 119 /* 120 * Encrypt the data before it goes to swap, the size should be 64-bit 121 * aligned. 122 */ 123 124 void 125 swap_encrypt(struct swap_key *key, caddr_t src, caddr_t dst, 126 u_int64_t block, size_t count) 127 { 128 u_int32_t *dsrc = (u_int32_t *)src; 129 u_int32_t *ddst = (u_int32_t *)dst; 130 u_int32_t iv[4]; 131 u_int32_t iv1, iv2, iv3, iv4; 132 133 if (!swap_encrypt_initialized) 134 swap_encrypt_initialized = 1; 135 136 swap_key_prepare(key, 1); 137 138 count /= sizeof(u_int32_t); 139 140 iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1]; 141 rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv); 142 iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3]; 143 144 for (; count > 0; count -= 4) { 145 ddst[0] = dsrc[0] ^ iv1; 146 ddst[1] = dsrc[1] ^ iv2; 147 ddst[2] = dsrc[2] ^ iv3; 148 ddst[3] = dsrc[3] ^ iv4; 149 /* 150 * Do not worry about endianess, it only needs to decrypt 151 * on this machine 152 */ 153 rijndael_encrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst); 154 iv1 = ddst[0]; 155 iv2 = ddst[1]; 156 iv3 = ddst[2]; 157 iv4 = ddst[3]; 158 159 dsrc += 4; 160 ddst += 4; 161 } 162 } 163 164 /* 165 * Decrypt the data after we retrieved it from swap, the size should be 64-bit 166 * aligned. 167 */ 168 169 void 170 swap_decrypt(struct swap_key *key, caddr_t src, caddr_t dst, 171 u_int64_t block, size_t count) 172 { 173 u_int32_t *dsrc = (u_int32_t *)src; 174 u_int32_t *ddst = (u_int32_t *)dst; 175 u_int32_t iv[4]; 176 u_int32_t iv1, iv2, iv3, iv4, niv1, niv2, niv3, niv4; 177 178 if (!swap_encrypt_initialized) 179 panic("swap_decrypt: key not initialized"); 180 181 swap_key_prepare(key, 0); 182 183 count /= sizeof(u_int32_t); 184 185 iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1]; 186 rijndael_encrypt(&swap_ctxt, (u_char *)iv, (u_char *)iv); 187 iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3]; 188 189 for (; count > 0; count -= 4) { 190 ddst[0] = niv1 = dsrc[0]; 191 ddst[1] = niv2 = dsrc[1]; 192 ddst[2] = niv3 = dsrc[2]; 193 ddst[3] = niv4 = dsrc[3]; 194 rijndael_decrypt(&swap_ctxt, (u_char *)ddst, (u_char *)ddst); 195 ddst[0] ^= iv1; 196 ddst[1] ^= iv2; 197 ddst[2] ^= iv3; 198 ddst[3] ^= iv4; 199 200 iv1 = niv1; 201 iv2 = niv2; 202 iv3 = niv3; 203 iv4 = niv4; 204 205 dsrc += 4; 206 ddst += 4; 207 } 208 } 209 210 void 211 swap_key_prepare(struct swap_key *key, int encrypt) 212 { 213 /* Check if we have prepared for this key already, 214 * if we only have the encryption schedule, we have 215 * to recompute and get the decryption schedule also 216 */ 217 if (kcur == key && (encrypt || !swap_ctxt.enc_only)) 218 return; 219 220 if (encrypt) 221 rijndael_set_key_enc_only(&swap_ctxt, (u_char *)key->key, 222 sizeof(key->key) * 8); 223 else 224 rijndael_set_key(&swap_ctxt, (u_char *)key->key, 225 sizeof(key->key) * 8); 226 227 kcur = key; 228 } 229 230 /* 231 * Make sure that a specific key is no longer available. 232 */ 233 234 void 235 swap_key_cleanup(struct swap_key *key) 236 { 237 /* Check if we have a key */ 238 if (kcur == NULL || kcur != key) 239 return; 240 241 /* Zero out the subkeys */ 242 memset(&swap_ctxt, 0, sizeof(swap_ctxt)); 243 244 kcur = NULL; 245 } 246