From 6ec9bb6fde9450387f7a9d50735304f6423ec9c2 Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Sun, 11 Sep 2016 17:52:48 +0000 Subject: Switch i386 boot code to libsa MI softraid. --- sys/arch/i386/stand/boot/Makefile | 5 +- sys/arch/i386/stand/cdboot/Makefile | 5 +- sys/arch/i386/stand/libsa/biosdev.c | 3 +- sys/arch/i386/stand/libsa/dev_i386.c | 3 +- sys/arch/i386/stand/libsa/exec_i386.c | 3 +- sys/arch/i386/stand/libsa/softraid_i386.c | 204 +----------------------------- sys/arch/i386/stand/libsa/softraid_i386.h | 8 +- sys/arch/i386/stand/pxeboot/Makefile | 5 +- 8 files changed, 18 insertions(+), 218 deletions(-) diff --git a/sys/arch/i386/stand/boot/Makefile b/sys/arch/i386/stand/boot/Makefile index fe16556ad45..1cd16b18a89 100644 --- a/sys/arch/i386/stand/boot/Makefile +++ b/sys/arch/i386/stand/boot/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.62 2016/09/11 15:54:11 jsing Exp $ +# $OpenBSD: Makefile,v 1.63 2016/09/11 17:52:47 jsing Exp $ COPTS?= MAN?= boot.8 @@ -44,7 +44,8 @@ SRCS+= close.c closeall.c cons.c cread.c dev.c disklabel.c dkcksum.c fstat.c \ SRCS+= elf32.c elf64.c loadfile.c SRCS+= ufs.c .if ${SOFTRAID:L} == "yes" -SRCS+= aes_xts.c explicit_bzero.c hmac_sha1.c pkcs5_pbkdf2.c rijndael.c sha1.c +SRCS+= aes_xts.c explicit_bzero.c hmac_sha1.c pkcs5_pbkdf2.c rijndael.c \ + sha1.c softraid.c .endif .PATH: ${S}/lib/libkern diff --git a/sys/arch/i386/stand/cdboot/Makefile b/sys/arch/i386/stand/cdboot/Makefile index 25c85b45000..3964fecb2b6 100644 --- a/sys/arch/i386/stand/cdboot/Makefile +++ b/sys/arch/i386/stand/cdboot/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.27 2016/09/11 15:54:11 jsing Exp $ +# $OpenBSD: Makefile,v 1.28 2016/09/11 17:52:47 jsing Exp $ MAN= cdboot.8 @@ -34,7 +34,8 @@ SRCS+= close.c closeall.c cons.c cread.c dev.c disklabel.c dkcksum.c fstat.c \ lseek.c open.c read.c readdir.c stat.c SRCS+= elf32.c elf64.c loadfile.c SRCS+= cd9660.c ufs.c -SRCS+= aes_xts.c explicit_bzero.c hmac_sha1.c pkcs5_pbkdf2.c rijndael.c sha1.c +SRCS+= aes_xts.c explicit_bzero.c hmac_sha1.c pkcs5_pbkdf2.c rijndael.c \ + sha1.c softraid.c .PATH: ${S}/lib/libkern/arch/i386 SRCS+= moddi3.c divdi3.c qdivrem.c diff --git a/sys/arch/i386/stand/libsa/biosdev.c b/sys/arch/i386/stand/libsa/biosdev.c index e2f06b28986..b7b4e3a48fd 100644 --- a/sys/arch/i386/stand/libsa/biosdev.c +++ b/sys/arch/i386/stand/libsa/biosdev.c @@ -1,4 +1,4 @@ -/* $OpenBSD: biosdev.c,v 1.93 2016/09/11 15:54:11 jsing Exp $ */ +/* $OpenBSD: biosdev.c,v 1.94 2016/09/11 17:52:47 jsing Exp $ */ /* * Copyright (c) 1996 Michael Shalayeff @@ -43,6 +43,7 @@ #ifdef SOFTRAID #include +#include #include "softraid_i386.h" #endif diff --git a/sys/arch/i386/stand/libsa/dev_i386.c b/sys/arch/i386/stand/libsa/dev_i386.c index 7d37b7d898d..fdb0311abec 100644 --- a/sys/arch/i386/stand/libsa/dev_i386.c +++ b/sys/arch/i386/stand/libsa/dev_i386.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dev_i386.c,v 1.42 2016/09/11 15:54:11 jsing Exp $ */ +/* $OpenBSD: dev_i386.c,v 1.43 2016/09/11 17:52:47 jsing Exp $ */ /* * Copyright (c) 1996-1999 Michael Shalayeff @@ -38,6 +38,7 @@ #ifdef SOFTRAID #include #include +#include #include "softraid_i386.h" #endif diff --git a/sys/arch/i386/stand/libsa/exec_i386.c b/sys/arch/i386/stand/libsa/exec_i386.c index 157902d49d4..4364a3c0295 100644 --- a/sys/arch/i386/stand/libsa/exec_i386.c +++ b/sys/arch/i386/stand/libsa/exec_i386.c @@ -1,4 +1,4 @@ -/* $OpenBSD: exec_i386.c,v 1.43 2016/09/11 15:54:11 jsing Exp $ */ +/* $OpenBSD: exec_i386.c,v 1.44 2016/09/11 17:52:47 jsing Exp $ */ /* * Copyright (c) 1997-1998 Michael Shalayeff @@ -40,6 +40,7 @@ #ifdef SOFTRAID #include +#include #include "softraid_i386.h" #endif diff --git a/sys/arch/i386/stand/libsa/softraid_i386.c b/sys/arch/i386/stand/libsa/softraid_i386.c index 82f0985f593..25182119eac 100644 --- a/sys/arch/i386/stand/libsa/softraid_i386.c +++ b/sys/arch/i386/stand/libsa/softraid_i386.c @@ -1,4 +1,4 @@ -/* $OpenBSD: softraid_i386.c,v 1.1 2016/09/11 15:54:11 jsing Exp $ */ +/* $OpenBSD: softraid_i386.c,v 1.2 2016/09/11 17:52:47 jsing Exp $ */ /* * Copyright (c) 2012 Joel Sing @@ -25,26 +25,12 @@ #include #include -#include -#include -#include +#include #include "libsa.h" #include "disk.h" #include "softraid_i386.h" -/* List of softraid volumes. */ -struct sr_boot_volume_head sr_volumes; - -/* Metadata from keydisks. */ -struct sr_boot_keydisk { - struct sr_uuid kd_uuid; - u_int8_t kd_key[SR_CRYPTO_MAXKEYBYTES]; - SLIST_ENTRY(sr_boot_keydisk) kd_link; -}; -SLIST_HEAD(sr_boot_keydisk_head, sr_boot_keydisk); -struct sr_boot_keydisk_head sr_keydisks; - void srprobe_meta_opt_load(struct sr_metadata *sm, struct sr_meta_opt_head *som) { @@ -437,189 +423,3 @@ sr_getdisklabel(struct sr_boot_volume *bv, struct disklabel *label) /* Fill in disklabel */ return (getdisklabel(buf, label)); } - - -#define RIJNDAEL128_BLOCK_LEN 16 -#define PASSPHRASE_LENGTH 1024 - -#define SR_CRYPTO_KEYBLOCK_BYTES SR_CRYPTO_MAXKEYS * SR_CRYPTO_KEYBYTES - -#ifdef BIOS_DEBUG -void -printhex(const char *s, const u_int8_t *buf, size_t len) -{ - u_int8_t n1, n2; - size_t i; - - printf("%s: ", s); - for (i = 0; i < len; i++) { - n1 = buf[i] & 0x0f; - n2 = buf[i] >> 4; - printf("%c", n2 > 9 ? n2 + 'a' - 10 : n2 + '0'); - printf("%c", n1 > 9 ? n1 + 'a' - 10 : n1 + '0'); - } - printf("\n"); -} -#endif - -void -sr_clear_keys(void) -{ - struct sr_boot_volume *bv; - struct sr_boot_keydisk *kd; - - SLIST_FOREACH(bv, &sr_volumes, sbv_link) { - if (bv->sbv_level != 'C') - continue; - if (bv->sbv_keys != NULL) { - explicit_bzero(bv->sbv_keys, SR_CRYPTO_KEYBLOCK_BYTES); - free(bv->sbv_keys, 0); - bv->sbv_keys = NULL; - } - if (bv->sbv_maskkey != NULL) { - explicit_bzero(bv->sbv_maskkey, SR_CRYPTO_MAXKEYBYTES); - free(bv->sbv_maskkey, 0); - bv->sbv_maskkey = NULL; - } - } - SLIST_FOREACH(kd, &sr_keydisks, kd_link) { - explicit_bzero(kd, sizeof(*kd)); - free(kd, 0); - } -} - -void -sr_crypto_calculate_check_hmac_sha1(u_int8_t *maskkey, int maskkey_size, - u_int8_t *key, int key_size, u_char *check_digest) -{ - u_int8_t check_key[SHA1_DIGEST_LENGTH]; - SHA1_CTX shactx; - - explicit_bzero(check_key, sizeof(check_key)); - explicit_bzero(&shactx, sizeof(shactx)); - - /* k = SHA1(mask_key) */ - SHA1Init(&shactx); - SHA1Update(&shactx, maskkey, maskkey_size); - SHA1Final(check_key, &shactx); - - /* mac = HMAC_SHA1_k(unencrypted key) */ - hmac_sha1(key, key_size, check_key, sizeof(check_key), check_digest); - - explicit_bzero(check_key, sizeof(check_key)); - explicit_bzero(&shactx, sizeof(shactx)); -} - -int -sr_crypto_decrypt_keys(struct sr_boot_volume *bv) -{ - struct sr_meta_crypto *cm; - struct sr_boot_keydisk *kd; - struct sr_meta_opt_item *omi; - struct sr_crypto_pbkdf *kdfhint; - struct sr_crypto_kdfinfo kdfinfo; - char passphrase[PASSPHRASE_LENGTH]; - u_int8_t digest[SHA1_DIGEST_LENGTH]; - u_int8_t *keys = NULL; - u_int8_t *kp, *cp; - rijndael_ctx ctx; - int rv = -1; - int c, i; - - SLIST_FOREACH(omi, &bv->sbv_meta_opt, omi_link) - if (omi->omi_som->som_type == SR_OPT_CRYPTO) - break; - - if (omi == NULL) { - printf("Crypto metadata not found!\n"); - goto done; - } - - cm = (struct sr_meta_crypto *)omi->omi_som; - kdfhint = (struct sr_crypto_pbkdf *)&cm->scm_kdfhint; - - switch (cm->scm_mask_alg) { - case SR_CRYPTOM_AES_ECB_256: - break; - default: - printf("unsupported encryption algorithm %u\n", - cm->scm_mask_alg); - goto done; - } - - SLIST_FOREACH(kd, &sr_keydisks, kd_link) { - if (bcmp(&kd->kd_uuid, &bv->sbv_uuid, sizeof(kd->kd_uuid)) == 0) - break; - } - if (kd) { - bcopy(&kd->kd_key, &kdfinfo.maskkey, sizeof(kdfinfo.maskkey)); - } else { - printf("Passphrase: "); - for (i = 0; i < PASSPHRASE_LENGTH - 1; i++) { - c = cngetc(); - if (c == '\r' || c == '\n') - break; - else if (c == '\b') { - i = i > 0 ? i - 2 : -1; - continue; - } - passphrase[i] = (c & 0xff); - } - passphrase[i] = 0; - printf("\n"); - -#ifdef BIOS_DEBUG - printf("Got passphrase: %s with len %d\n", - passphrase, strlen(passphrase)); -#endif - - if (pkcs5_pbkdf2(passphrase, strlen(passphrase), kdfhint->salt, - sizeof(kdfhint->salt), kdfinfo.maskkey, - sizeof(kdfinfo.maskkey), kdfhint->rounds) != 0) { - printf("pbkdf2 failed\n"); - goto done; - } - } - - /* kdfinfo->maskkey now has key. */ - - /* Decrypt disk keys. */ - keys = alloc(SR_CRYPTO_KEYBLOCK_BYTES); - bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES); - - if (rijndael_set_key(&ctx, kdfinfo.maskkey, 256) != 0) - goto done; - - cp = (u_int8_t *)cm->scm_key; - kp = keys; - for (i = 0; i < SR_CRYPTO_KEYBLOCK_BYTES; i += RIJNDAEL128_BLOCK_LEN) - rijndael_decrypt(&ctx, (u_char *)(cp + i), (u_char *)(kp + i)); - - /* Check that the key decrypted properly. */ - sr_crypto_calculate_check_hmac_sha1(kdfinfo.maskkey, - sizeof(kdfinfo.maskkey), keys, SR_CRYPTO_KEYBLOCK_BYTES, digest); - - if (bcmp(digest, cm->chk_hmac_sha1.sch_mac, sizeof(digest))) { - printf("incorrect passphrase or keydisk\n"); - goto done; - } - - /* Keys and keydisks will be cleared before boot and from _rtt. */ - bv->sbv_keys = keys; - bv->sbv_maskkey = alloc(sizeof(kdfinfo.maskkey)); - bcopy(&kdfinfo.maskkey, bv->sbv_maskkey, sizeof(kdfinfo.maskkey)); - - rv = 0; - -done: - explicit_bzero(passphrase, PASSPHRASE_LENGTH); - explicit_bzero(&kdfinfo, sizeof(kdfinfo)); - explicit_bzero(digest, sizeof(digest)); - - if (keys != NULL && rv != 0) { - explicit_bzero(keys, SR_CRYPTO_KEYBLOCK_BYTES); - free(keys, 0); - } - - return (rv); -} diff --git a/sys/arch/i386/stand/libsa/softraid_i386.h b/sys/arch/i386/stand/libsa/softraid_i386.h index 756d4ef3a45..9294e687e8a 100644 --- a/sys/arch/i386/stand/libsa/softraid_i386.h +++ b/sys/arch/i386/stand/libsa/softraid_i386.h @@ -1,4 +1,4 @@ -/* $OpenBSD: softraid_i386.h,v 1.2 2016/09/11 16:02:04 jsing Exp $ */ +/* $OpenBSD: softraid_i386.h,v 1.3 2016/09/11 17:52:47 jsing Exp $ */ /* * Copyright (c) 2012 Joel Sing @@ -25,10 +25,4 @@ const char *sr_getdisklabel(struct sr_boot_volume *, struct disklabel *); int sr_strategy(struct sr_boot_volume *, int, daddr32_t, size_t, void *, size_t *); -int sr_crypto_decrypt_keys(struct sr_boot_volume *); -void sr_clear_keys(void); - -/* List of softraid volumes. */ -extern struct sr_boot_volume_head sr_volumes; - #endif /* _SOFTRAID_I386_H */ diff --git a/sys/arch/i386/stand/pxeboot/Makefile b/sys/arch/i386/stand/pxeboot/Makefile index 68479a3740e..c0e7ac2cf0a 100644 --- a/sys/arch/i386/stand/pxeboot/Makefile +++ b/sys/arch/i386/stand/pxeboot/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.24 2016/09/11 15:54:11 jsing Exp $ +# $OpenBSD: Makefile,v 1.25 2016/09/11 17:52:47 jsing Exp $ MAN= pxeboot.8 @@ -36,7 +36,8 @@ SRCS+= close.c closeall.c cons.c cread.c dev.c disklabel.c dkcksum.c fstat.c \ SRCS+= elf32.c elf64.c loadfile.c SRCS+= nfs.c ufs.c tftp.c SRCS+= bootp.c ether.c net.c netif.c rpc.c -SRCS+= aes_xts.c explicit_bzero.c hmac_sha1.c pkcs5_pbkdf2.c rijndael.c sha1.c +SRCS+= aes_xts.c explicit_bzero.c hmac_sha1.c pkcs5_pbkdf2.c rijndael.c \ + sha1.c softraid.c .PATH: ${S}/lib/libkern/arch/i386 SRCS+= divdi3.c moddi3.c qdivrem.c udivdi3.c umoddi3.c -- cgit v1.2.3