use rijndael instead of blowfish because of faster key setup.

break swap paritions into sections, each section has own
encryption key.  if a section's key becomes unreferenced, erase it.

4 files changed, 234 insertions, 104 deletions

diff --git a/sys/uvm/uvm.h b/sys/uvm/uvm.h
index 6cdb784715f..dde898ab7c2 100644
--- a/sys/uvm/uvm.h
+++ b/sys/uvm/uvm.h
@@ -57,6 +57,9 @@
 #include <uvm/uvm_pager.h>
 #include <uvm/uvm_pdaemon.h>
 #include <uvm/uvm_swap.h>
+#ifdef UVM_SWAP_ENCRYPT
+#include <uvm/uvm_swap_encrypt.h>
+#endif
 
 /*
  * pull in VM_NFREELIST
diff --git a/sys/uvm/uvm_swap.c b/sys/uvm/uvm_swap.c
index ae519285c46..00f8789b829 100644
--- a/sys/uvm/uvm_swap.c
+++ b/sys/uvm/uvm_swap.c
@@ -53,7 +53,7 @@
 
 #include <uvm/uvm.h>
 #ifdef UVM_SWAP_ENCRYPT
-#include <uvm/uvm_swap_encrypt.h>
+#include <sys/syslog.h>
 #endif
 
 #include <miscfs/specfs/specdev.h>
@@ -154,6 +154,9 @@ struct swapdev {
 	struct ucred		*swd_cred;	/* cred for file access */
 #endif
 #ifdef UVM_SWAP_ENCRYPT
+#define SWD_KEY_SHIFT		7		/* One key per 0.5 MByte */
+#define SWD_KEY(x,y)		&((x)->swd_keys[((y) - (x)->swd_drumoffset) >> SWD_KEY_SHIFT])
+
 #define SWD_DCRYPT_SHIFT	5
 #define SWD_DCRYPT_BITS		32
 #define SWD_DCRYPT_MASK		(SWD_DCRYPT_BITS - 1)
@@ -161,6 +164,8 @@ struct swapdev {
 #define SWD_DCRYPT_BIT(x)	((x) & SWD_DCRYPT_MASK)
 #define SWD_DCRYPT_SIZE(x)	(SWD_DCRYPT_OFF((x) + SWD_DCRYPT_MASK) * sizeof(u_int32_t))
 	u_int32_t		*swd_decrypt;	/* bitmap for decryption */
+	struct swap_key		*swd_keys;	/* keys for different parts */
+	int			swd_nkeys;	/* active keys */
 #endif
 };
 
@@ -390,6 +395,10 @@ uvm_swap_initcrypt(struct swapdev *sdp, int npages)
 	 */
 	sdp->swd_decrypt = malloc(SWD_DCRYPT_SIZE(npages), M_VMSWAP, M_WAITOK);
 	bzero(sdp->swd_decrypt, SWD_DCRYPT_SIZE(npages));
+	sdp->swd_keys = malloc((npages >> SWD_KEY_SHIFT) * sizeof(struct swap_key),
+			       M_VMSWAP, M_WAITOK);
+	bzero(sdp->swd_keys, (npages >> SWD_KEY_SHIFT) * sizeof(struct swap_key));
+	sdp->swd_nkeys = 0;
 }
 
 boolean_t
@@ -1247,8 +1256,11 @@ swap_off(p, sdp)
 	return ENODEV;
 
 #ifdef UVM_SWAP_ENCRYPT
-	if (sdp->swd_decrypt)
+	if (sdp->swd_decrypt) {
 		free(sdp->swd_decrypt);
+		bzero(sdp->swd_keys, (sdp->swd_npages >> SWD_KEY_SHIFT) * sizeof(struct swap_key));
+		free(sdp->swd_keys);
+	}
 #endif
 	extent_free(swapmap, sdp->swd_mapoffset, sdp->swd_mapsize, EX_WAITOK);
 	name = sdp->swd_ex->ex_name;
@@ -1826,6 +1838,20 @@ uvm_swap_free(startslot, nslots)
 	if (sdp->swd_npginuse < 0)
 		panic("uvm_swap_free: inuse < 0");
 #endif
+#ifdef UVM_SWAP_ENCRYPT
+	{
+		int i;
+		if (swap_encrypt_initalized) {
+			/* Dereference keys */
+			for (i = 0; i < nslots; i++)
+				if (uvm_swap_needdecrypt(sdp, startslot + i))
+					SWAP_KEY_PUT(sdp, SWD_KEY(sdp, startslot + i));
+
+			/* Mark range as not decrypt */
+			uvm_swap_markdecrypt(sdp, startslot, nslots, 0);
+		}
+	}
+#endif UVM_SWAP_ENCRYPT
 	simple_unlock(&uvm.swap_data_lock);
 }
 
@@ -1937,14 +1963,7 @@ uvm_swap_io(pps, startslot, npages, flags)
 		return (VM_PAGER_AGAIN);
 
 #ifdef UVM_SWAP_ENCRYPT
-	/* 
-	 * encrypt to swap
-	 */
 	if ((flags & B_READ) == 0) {
-		int i, opages;
-		caddr_t src, dst;
-		u_int64_t block;
-
 		/*
 		 * Check if we need to do swap encryption on old pages.
 		 * Later we need a different scheme, that swap encrypts
@@ -1953,8 +1972,31 @@ uvm_swap_io(pps, startslot, npages, flags)
 		 * in the cluster, and avoid the memory overheard in 
 		 * swapping.
 		 */
-		if (!uvm_doswapencrypt)
-				goto noswapencrypt;
+		if (uvm_doswapencrypt)
+			encrypt = 1;
+	}
+
+	if (swap_encrypt_initalized  || encrypt) { 
+		/*
+		 * we need to know the swap device that we are swapping to/from
+		 * to see if the pages need to be marked for decryption or
+		 * actually need to be decrypted.
+		 * XXX - does this information stay the same over the whole 
+		 * execution of this function?
+		 */
+		simple_lock(&uvm.swap_data_lock);
+		sdp = swapdrum_getsdp(startslot);
+		simple_unlock(&uvm.swap_data_lock);
+	}
+
+	/* 
+	 * encrypt to swap
+	 */
+	if ((flags & B_READ) == 0 && encrypt) {
+		int i, opages;
+		caddr_t src, dst;
+		struct swap_key *key;
+		u_int64_t block;
 
 		if (!uvm_swap_allocpages(tpps, npages)) {
 			uvm_pagermapout(kva, npages);
@@ -1972,9 +2014,12 @@ uvm_swap_io(pps, startslot, npages, flags)
 		dst = (caddr_t) dstkva;
 		block = startblk;
 		for (i = 0; i < npages; i++) {
+			key = SWD_KEY(sdp, startslot + i);
+			SWAP_KEY_GET(sdp, key);	/* add reference */
+
 			/* mark for async writes */
 			tpps[i]->pqflags |= PQ_ENCRYPT;
-			swap_encrypt(src, dst, block, 1 << PAGE_SHIFT);
+			swap_encrypt(key, src, dst, block, 1 << PAGE_SHIFT);
 			src += 1 << PAGE_SHIFT;
 			dst += 1 << PAGE_SHIFT;
 			block += btodb(1 << PAGE_SHIFT);
@@ -1988,9 +2033,6 @@ uvm_swap_io(pps, startslot, npages, flags)
 				      PGO_PDFREECLUST, 0);
 
 		kva = dstkva;
-
-		encrypt = 1;
-	noswapencrypt:
 	}
 #endif /* UVM_SWAP_ENCRYPT */
 
@@ -2011,7 +2053,12 @@ uvm_swap_io(pps, startslot, npages, flags)
 	if (sbp == NULL) {
 #ifdef UVM_SWAP_ENCRYPT
 		if ((flags & B_READ) == 0 && encrypt) {
+			int i;
+
 			/* swap encrypt needs cleanup */
+			for (i = 0; i < npages; i++)
+				SWAP_KEY_PUT(sdp, SWD_KEY(sdp, startslot + i));
+
 			uvm_pagermapout(kva, npages);
 			uvm_swap_freepages(tpps, npages);
 		}
@@ -2050,21 +2097,6 @@ uvm_swap_io(pps, startslot, npages, flags)
 		bp->b_dev = swapdev_vp->v_rdev;
 	bp->b_bcount = npages << PAGE_SHIFT;
 
-#ifdef UVM_SWAP_ENCRYPT
-	if (swap_encrypt_initalized) { 
-		/*
-		 * we need to know the swap device that we are swapping to/from
-		 * to see if the pages need to be marked for decryption or
-		 * actually need to be decrypted.
-		 * XXX - does this information stay the same over the whole 
-		 * execution of this function?
-		 */
-		simple_lock(&uvm.swap_data_lock);
-		sdp = swapdrum_getsdp(startslot);
-		simple_unlock(&uvm.swap_data_lock);
-	}
-#endif
-
 	/* 
 	 * for pageouts we must set "dirtyoff" [NFS client code needs it].
 	 * and we bump v_numoutput (counter of number of active outputs).
@@ -2121,11 +2153,15 @@ uvm_swap_io(pps, startslot, npages, flags)
 		int i;
 		caddr_t data = bp->b_data;
 		u_int64_t block = startblk;
+		struct swap_key *key = NULL;
+
 		for (i = 0; i < npages; i++) {
 			/* Check if we need to decrypt */
-			if (uvm_swap_needdecrypt(sdp, startslot + i))
-				swap_decrypt(data, data, block,
+			if (uvm_swap_needdecrypt(sdp, startslot + i)) {
+				key = SWD_KEY(sdp, startslot + i);
+				swap_decrypt(key, data, data, block,
 					     1 << PAGE_SHIFT);
+			}
 			data += 1 << PAGE_SHIFT;
 			block += btodb(1 << PAGE_SHIFT);
 		}
diff --git a/sys/uvm/uvm_swap_encrypt.c b/sys/uvm/uvm_swap_encrypt.c
index c995bef8240..97fefd244f2 100644
--- a/sys/uvm/uvm_swap_encrypt.c
+++ b/sys/uvm/uvm_swap_encrypt.c
@@ -30,34 +30,47 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/malloc.h>
+#include <sys/time.h>
 #include <dev/rndvar.h>
-#include <crypto/blf.h>
+#include <crypto/rijndael.h>
 
-#include <uvm/uvm_swap_encrypt.h>
+#include <vm/vm.h>
+#include <vm/vm_conf.h>
 
-blf_ctx swap_key;
+#include <uvm/uvm.h>
+
+struct swap_key *kcur = NULL;
+rijndael_ctx swap_key;
 
 int uvm_doswapencrypt = 0;
-int swap_encrypt_initalized = 0;
+u_int uvm_swpkeyscreated = 0;
+u_int uvm_swpkeysdeleted = 0;
 
-/*
- * Initalize the key from the kernel random number generator.  This is
- * done once on startup.
- */
+int swap_encrypt_initalized = 0;
 
 void
-swap_encrypt_init(caddr_t data, size_t len)
+swap_key_create(struct swap_key *key)
 {
 	int i;
-	u_int32_t *key = (u_int32_t *)data;
+	u_int32_t *p = key->key;
 
-	if (swap_encrypt_initalized)
-		return;
+	key->refcount = 0;
+	for (i = 0; i < sizeof(key->key) / sizeof(u_int32_t); i++)
+		*p++ = arc4random();
+
+	uvm_swpkeyscreated++;
+}
 
-	for (i = 0; i < len / sizeof(u_int32_t); i++)
-		*key++ = arc4random();
+void
+swap_key_delete(struct swap_key *key)
+{
+	/* Make sure that this key gets removed if we just used it */
+	swap_key_cleanup(key);
 
-	swap_encrypt_initalized = 1;
+	bzero(key, sizeof(*key));
+	uvm_swpkeysdeleted++;
 }
 
 /*
@@ -66,34 +79,43 @@ swap_encrypt_init(caddr_t data, size_t len)
  */
 
 void
-swap_encrypt(caddr_t src, caddr_t dst, u_int64_t block, size_t count)
+swap_encrypt(struct swap_key *key, caddr_t src, caddr_t dst,
+	     u_int64_t block, size_t count)
 {
-  u_int32_t *dsrc = (u_int32_t *)src;
-  u_int32_t *ddst = (u_int32_t *)dst;
-  u_int32_t iv[2];
-  u_int32_t iv1, iv2;
-
-  if (!swap_encrypt_initalized)
-	swap_encrypt_init((caddr_t)&swap_key, sizeof(swap_key));
-
-  count /= sizeof(u_int32_t);
-
-  iv[0] = block >> 32; iv[1] = block;
-  Blowfish_encipher(&swap_key, iv);
-  iv1 = iv[0]; iv2 = iv[1];
-  for (; count > 0; count -= 2) {
-    ddst[0] = dsrc[0] ^ iv1;
-    ddst[1] = dsrc[1] ^ iv2;
-    /*
-     * Do not worry about endianess, it only needs to decrypt on this machine
-     */
-    Blowfish_encipher(&swap_key, ddst);
-    iv1 = ddst[0];
-    iv2 = ddst[1];
-
-    dsrc += 2;
-    ddst += 2;
-  }
+	u_int32_t *dsrc = (u_int32_t *)src;
+	u_int32_t *ddst = (u_int32_t *)dst;
+	u_int32_t iv[4];
+	u_int32_t iv1, iv2, iv3, iv4;
+
+	if (!swap_encrypt_initalized)
+		swap_encrypt_initalized = 1;
+
+	swap_key_prepare(key, 1);
+
+	count /= sizeof(u_int32_t);
+
+	iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1];
+	rijndael_encrypt(&swap_key, iv, iv); 
+	iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3];
+
+	for (; count > 0; count -= 4) {
+		ddst[0] = dsrc[0] ^ iv1;
+		ddst[1] = dsrc[1] ^ iv2;
+		ddst[2] = dsrc[2] ^ iv3;
+		ddst[3] = dsrc[3] ^ iv4;
+		/*
+		 * Do not worry about endianess, it only needs to decrypt
+		 * on this machine
+		 */
+		rijndael_encrypt(&swap_key, ddst, ddst);
+		iv1 = ddst[0];
+		iv2 = ddst[1];
+		iv3 = ddst[2];
+		iv4 = ddst[3];
+
+		dsrc += 4;
+		ddst += 4;
+	}
 }
 
 /*
@@ -102,32 +124,76 @@ swap_encrypt(caddr_t src, caddr_t dst, u_int64_t block, size_t count)
  */
 
 void
-swap_decrypt(caddr_t src, caddr_t dst, u_int64_t block, size_t count)
+swap_decrypt(struct swap_key *key, caddr_t src, caddr_t dst,
+	     u_int64_t block, size_t count)
+{
+	u_int32_t *dsrc = (u_int32_t *)src;
+	u_int32_t *ddst = (u_int32_t *)dst;
+	u_int32_t iv[4];
+	u_int32_t iv1, iv2, iv3, iv4, niv1, niv2, niv3, niv4;
+
+	if (!swap_encrypt_initalized)
+		panic("swap_decrypt: key not initalized");
+
+	swap_key_prepare(key, 0);
+
+	count /= sizeof(u_int32_t);
+
+	iv[0] = block >> 32; iv[1] = block; iv[2] = ~iv[0]; iv[3] = ~iv[1];
+	rijndael_encrypt(&swap_key, iv, iv); 
+	iv1 = iv[0]; iv2 = iv[1]; iv3 = iv[2]; iv4 = iv[3];
+
+	for (; count > 0; count -= 4) {
+		ddst[0] = niv1 = dsrc[0];
+		ddst[1] = niv2 = dsrc[1];
+		ddst[2] = niv3 = dsrc[2];
+		ddst[3] = niv4 = dsrc[3];
+		rijndael_decrypt(&swap_key, ddst, ddst);
+		ddst[0] ^= iv1;
+		ddst[1] ^= iv2;
+		ddst[2] ^= iv3;
+		ddst[3] ^= iv4;
+
+		iv1 = niv1;
+		iv2 = niv2;
+		iv3 = niv3;
+		iv4 = niv4;
+
+		dsrc += 4;
+		ddst += 4;
+	}
+}
+
+void
+swap_key_prepare(struct swap_key *key, int encrypt)
 {
-  u_int32_t *dsrc = (u_int32_t *)src;
-  u_int32_t *ddst = (u_int32_t *)dst;
-  u_int32_t iv[2];
-  u_int32_t iv1, iv2, niv1, niv2;
-
-  if (!swap_encrypt_initalized)
-    panic("swap_decrypt: key not initalized");
-
-  count /= sizeof(u_int32_t);
-
-  iv[0] = block >> 32; iv[1] = block;
-  Blowfish_encipher(&swap_key, iv);
-  iv1 = iv[0]; iv2 = iv[1];
-  for (; count > 0; count -= 2) {
-    ddst[0] = niv1 = dsrc[0];
-    ddst[1] = niv2 = dsrc[1];
-    Blowfish_decipher(&swap_key, ddst);
-    ddst[0] ^= iv1;
-    ddst[1] ^= iv2;
-
-    iv1 = niv1;
-    iv2 = niv2;
-
-    dsrc += 2;
-    ddst += 2;
-  }
+	/* Check if we have prepared for this key already,
+	 * if we only have the encryption schedule, we have
+	 * to recompute ang get the decryption schedule also
+	 */
+	if (kcur == key && (encrypt || swap_key.decrypt))
+		return;
+
+	rijndael_set_key(&swap_key, key->key,
+			 sizeof(key->key) * 8,
+			 encrypt);
+
+	kcur = key;
+}
+
+/*
+ * Make sure that a specific key is no longer available.
+ */
+
+void
+swap_key_cleanup(struct swap_key *key)
+{
+	/* Check if we have a key */
+	if (kcur == NULL || kcur != key)
+		return;
+
+	/* Zero out the subkeys */
+	bzero(&swap_key, sizeof(swap_key));
+
+	kcur = NULL;
 }
diff --git a/sys/uvm/uvm_swap_encrypt.h b/sys/uvm/uvm_swap_encrypt.h
index 1eb03550158..842cfa5b381 100644
--- a/sys/uvm/uvm_swap_encrypt.h
+++ b/sys/uvm/uvm_swap_encrypt.h
@@ -31,11 +31,36 @@
 #ifndef _UVM_SWAP_ENCRYPT_H
 #define _UVM_SWAP_ENCRYPT_H
 
-void swap_encrypt_init __P((caddr_t, size_t));
-void swap_encrypt __P((caddr_t, caddr_t, u_int64_t, size_t));
-void swap_decrypt __P((caddr_t, caddr_t, u_int64_t, size_t));
+#define SWAP_KEY_EXPIRE (120 /*60 * 60*/)	/* time after that keys expire */
+#define SWAP_KEY_SIZE	4		/* 128-bit keys */
+
+struct swap_key {
+	u_int32_t key[SWAP_KEY_SIZE];	/* secret key for swap range */
+	u_int16_t refcount;		/* pages that still need it */
+};
+
+void swap_encrypt __P((struct swap_key *,caddr_t, caddr_t, u_int64_t, size_t));
+void swap_decrypt __P((struct swap_key *,caddr_t, caddr_t, u_int64_t, size_t));
+
+void swap_key_cleanup __P((struct swap_key *));
+void swap_key_prepare __P((struct swap_key *, int));
+
+#define SWAP_KEY_GET(s,x) do { if ((x)->refcount == 0) {\
+					swap_key_create(x); \
+			       } \
+			       (x)->refcount++; } while(0);
+#define SWAP_KEY_PUT(s,x) do { (x)->refcount--; \
+			       if ((x)->refcount == 0) { \
+					swap_key_delete(x); \
+			       } \
+			     } while(0);
+
+void swap_key_create __P((struct swap_key *));
+void swap_key_delete __P((struct swap_key *));
 
 extern int uvm_doswapencrypt;		/* swapencrypt enabled/disabled */
+extern int uvm_swprekeyprint;
+extern u_int uvm_swpkeyexpire;		/* expiry time for keys (tR) */
 extern int swap_encrypt_initalized;
 
 #endif /* _UVM_SWAP_ENCRYPT_H */