Changeset 51342 in vbox for trunk/src/VBox/Devices/Storage

Timestamp:

May 22, 2014 10:24:53 AM (11 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

93828

Message:

Main,DrvVD: Interface to pass the keys to the disk encryption module from Main

Location:

trunk/src/VBox/Devices/Storage

Files:

• DevAHCI.cpp (modified) (1 diff)
• DevATA.cpp (modified) (1 diff)
• DrvSCSI.cpp (modified) (1 diff)
• DrvVD.cpp (modified) (13 diffs)

trunk/src/VBox/Devices/Storage/DevAHCI.cpp

@@ -5740 +5740 @@
         return true;
     }
+    if (rc == VERR_VD_DEK_MISSING)
+    {
+        /* Error message already set. */
+        ASMAtomicCmpXchgBool(&pAhciPort->fRedo, true, false);
+        return true;
+    }
+
     return false;
 }

trunk/src/VBox/Devices/Storage/DevATA.cpp

@@ -1541 +1541 @@
         return true;
     }
+    if (rc == VERR_VD_DEK_MISSING)
+    {
+        /* Error message already set. */
+        pCtl->fRedoIdle = true;
+        return true;
+    }
+
     return false;
 }

trunk/src/VBox/Devices/Storage/DrvSCSI.cpp

@@ -123 +123 @@
         || rc == VERR_FILE_TOO_BIG
         || rc == VERR_BROKEN_PIPE
-        || rc == VERR_NET_CONNECTION_REFUSED)
+        || rc == VERR_NET_CONNECTION_REFUSED
+        || rc == VERR_VD_DEK_MISSING)
         return true;
 

trunk/src/VBox/Devices/Storage/DrvVD.cpp

@@ -186 +186 @@
     /** The block cache handle if configured. */
     PPDMBLKCACHE             pBlkCache;
+
+    /** Cryptographic support
+     * @{ */
+    /** Used algorithm, NULL means no encryption. */
+    char                    *pszEncryptionAlgorithm;
+    /** Config interface for the encryption filter. */
+    VDINTERFACECONFIG        VDIfCfg;
+    /** Flag whether the DEK was provided. */
+    bool                     fDekProvided;
+    /** Pointer to the key material - temporary. */
+    const uint8_t           *pbKey;
+    /** Size of the key material in bytes. */
+    size_t                   cbKey;
+    /** @} */
 } VBOXDISK, *PVBOXDISK;
 
@@ -621 +635 @@
 }
 
+
+/*******************************************************************************
+*   VD Configuration interface implementation for the encryption support       *
+*******************************************************************************/
+
+static bool drvvdCfgEncAreKeysValid(void *pvUser, const char *pszValid)
+{
+    return true;
+}
+
+static int drvvdCfgEncQuerySize(void *pvUser, const char *pszName, size_t *pcb)
+{
+    PVBOXDISK pThis = (PVBOXDISK)pvUser;
+    int rc = VINF_SUCCESS;
+
+    if (!strcmp(pszName, "Algorithm"))
+        *pcb = strlen(pThis->pszEncryptionAlgorithm) + 1;
+    else if (!strcmp(pszName, "Key"))
+        *pcb = pThis->cbKey;
+    else
+        rc = VERR_NOT_SUPPORTED;
+
+    return rc;
+}
+
+static int drvvdCfgEncQuery(void *pvUser, const char *pszName, char *pszString, size_t cchString)
+{
+    PVBOXDISK pThis = (PVBOXDISK)pvUser;
+    int rc = VINF_SUCCESS;
+
+    if (!strcmp(pszName, "Algorithm"))
+        rc = RTStrCopy(pszString, cchString, pThis->pszEncryptionAlgorithm);
+    else
+        rc = VERR_NOT_SUPPORTED;
+
+    return rc;
+}
+
+static int drvvdCfgEncQueryBytes(void *pvUser, const char *pszName, void *pvData, size_t cbData)
+{
+    PVBOXDISK pThis = (PVBOXDISK)pvUser;
+    int rc = VINF_SUCCESS;
+
+    if (!strcmp(pszName, "Key"))
+        if (pThis->cbKey > cbData)
+            rc = VERR_BUFFER_OVERFLOW;
+        else
+            memcpy(pvData, pThis->pbKey, pThis->cbKey);
+    else
+        rc = VERR_NOT_SUPPORTED;
+
+    return rc;
+    
+}
 
 #ifdef VBOX_WITH_INIP
@@ -1505 +1573 @@
     PVBOXDISK pThis = PDMIMEDIA_2_VBOXDISK(pInterface);
 
+    if (   pThis->pszEncryptionAlgorithm
+        && !pThis->fDekProvided)
+    {
+        rc = PDMDrvHlpVMSetRuntimeError(pThis->pDrvIns, VMSETRTERR_FLAGS_SUSPEND | VMSETRTERR_FLAGS_NO_WAIT, "DrvVD_DEKMISSING",
+                                        N_("VD: The DEK for this disk is missing"));
+        AssertRC(rc);
+        return VERR_VD_DEK_MISSING;
+    }
+
     if (!pThis->fBootAccelActive)
         rc = VDRead(pThis->pDisk, off, pvBuf, cbRead);
@@ -1555 +1632 @@
     Log2(("%s: off=%#llx pvBuf=%p cbWrite=%d\n%.*Rhxd\n", __FUNCTION__,
           off, pvBuf, cbWrite, cbWrite, pvBuf));
+
+    if (   pThis->pszEncryptionAlgorithm
+        && !pThis->fDekProvided)
+    {
+        int rc = PDMDrvHlpVMSetRuntimeError(pThis->pDrvIns, VMSETRTERR_FLAGS_SUSPEND | VMSETRTERR_FLAGS_NO_WAIT, "DrvVD_DEKMISSING",
+                                            N_("VD: The DEK for this disk is missing"));
+        AssertRC(rc);
+        return VERR_VD_DEK_MISSING;
+    }
 
     /* Invalidate any buffer if boot acceleration is enabled. */
@@ -1613 +1699 @@
 }
 
+/** @copydoc PDMIMEDIA::pfnSetKey */
+static DECLCALLBACK(int) drvvdSetKey(PPDMIMEDIA pInterface, const uint8_t *pbKey,
+                                     size_t cbKey)
+{
+    LogFlowFunc(("\n"));
+    PVBOXDISK pThis = PDMIMEDIA_2_VBOXDISK(pInterface);
+    int rc = VINF_SUCCESS;
+
+    if (pThis->pszEncryptionAlgorithm)
+    {
+        PVDINTERFACE pVDIfFilter = NULL;
+
+        pThis->pbKey = pbKey;
+        pThis->cbKey = cbKey;
+
+        rc = VDInterfaceAdd(&pThis->VDIfCfg.Core, "DrvVD_Config", VDINTERFACETYPE_CONFIG,
+                            pThis, sizeof(VDINTERFACECONFIG), &pVDIfFilter);
+        AssertRC(rc);
+
+        /* Load the crypt filter plugin. */
+        rc = VDFilterAdd(pThis->pDisk, "CRYPT", pVDIfFilter);
+        if (RT_SUCCESS(rc))
+            pThis->fDekProvided = true;
+
+        pThis->pbKey = NULL;
+        pThis->cbKey = 0;
+    }
+    else
+        rc = VERR_NOT_SUPPORTED;
+
+    LogFlowFunc(("returns %Rrc\n", rc));
+    return rc;
+}
+
 /** @copydoc PDMIMEDIA::pfnGetSize */
 static DECLCALLBACK(uint64_t) drvvdGetSize(PPDMIMEDIA pInterface)
@@ -1774 +1894 @@
     PVBOXDISK pThis = PDMIMEDIAASYNC_2_VBOXDISK(pInterface);
 
+    if (   pThis->pszEncryptionAlgorithm
+        && !pThis->fDekProvided)
+    {
+        rc = PDMDrvHlpVMSetRuntimeError(pThis->pDrvIns, VMSETRTERR_FLAGS_SUSPEND | VMSETRTERR_FLAGS_NO_WAIT, "DrvVD_DEKMISSING",
+                                        N_("VD: The DEK for this disk is missing"));
+        AssertRC(rc);
+        return VERR_VD_DEK_MISSING;
+    }
+
     pThis->fBootAccelActive = false;
 
@@ -1803 +1932 @@
     PVBOXDISK pThis = PDMIMEDIAASYNC_2_VBOXDISK(pInterface);
 
+    if (   pThis->pszEncryptionAlgorithm
+        && !pThis->fDekProvided)
+    {
+        rc = PDMDrvHlpVMSetRuntimeError(pThis->pDrvIns, VMSETRTERR_FLAGS_SUSPEND | VMSETRTERR_FLAGS_NO_WAIT, "DrvVD_DEKMISSING",
+                                        N_("VD: The DEK for this disk is missing"));
+        AssertRC(rc);
+        return VERR_VD_DEK_MISSING;
+    }
+
     pThis->fBootAccelActive = false;
 
@@ -1886 +2024 @@
     int rc = VINF_SUCCESS;
     PVBOXDISK pThis = PDMINS_2_DATA(pDrvIns, PVBOXDISK);
+
+    Assert (!pThis->pszEncryptionAlgorithm);
 
     switch (enmXferDir)
@@ -2173 +2313 @@
         pThis->pszBwGroup = NULL;
     }
+    if (pThis->pszEncryptionAlgorithm)
+    {
+        MMR3HeapFree(pThis->pszEncryptionAlgorithm);
+        pThis->pszBwGroup = NULL;
+    }
 }
 
@@ -2208 +2353 @@
     pThis->uMergeSource                 = VD_LAST_IMAGE;
     pThis->uMergeTarget                 = VD_LAST_IMAGE;
+    pThis->pszEncryptionAlgorithm       = NULL;
+    pThis->fDekProvided                 = false;
 
     /* IMedia */
@@ -2214 +2361 @@
     pThis->IMedia.pfnFlush              = drvvdFlush;
     pThis->IMedia.pfnMerge              = drvvdMerge;
+    pThis->IMedia.pfnSetKey             = drvvdSetKey;
     pThis->IMedia.pfnGetSize            = drvvdGetSize;
     pThis->IMedia.pfnGetSectorSize      = drvvdGetSectorSize;
@@ -2612 +2760 @@
                             pCfgVDConfig, sizeof(VDINTERFACECONFIG), &pImage->pVDIfsImage);
         AssertRC(rc);
+
+        /* Check VDConfig for encryption config. */
+        if (pCfgVDConfig)
+        {
+            rc = CFGMR3QueryStringAlloc(pCfgVDConfig, "EncryptionAlgorithm", &pThis->pszEncryptionAlgorithm);
+            if (RT_FAILURE(rc) && rc != VERR_CFGM_VALUE_NOT_FOUND)
+            {
+                rc = PDMDRV_SET_ERROR(pDrvIns, rc,
+                                      N_("DrvVD: Configuration error: Querying \"EncryptionAlgorithm\" as string failed"));
+                break;
+            }
+            else
+                rc = VINF_SUCCESS;
+        }
+
+        if (pThis->pszEncryptionAlgorithm)
+        {
+            /* Setup VDConfig interface for disk encryption support. */
+            pThis->VDIfCfg.pfnAreKeysValid = drvvdCfgEncAreKeysValid;
+            pThis->VDIfCfg.pfnQuerySize    = drvvdCfgEncQuerySize;
+            pThis->VDIfCfg.pfnQuery        = drvvdCfgEncQuery;
+            pThis->VDIfCfg.pfnQueryBytes   = drvvdCfgEncQueryBytes;
+        }
 
         /* Unconditionally insert the TCPNET interface, don't bother to check
@@ -2850 +3021 @@
         && !pThis->fShareable
         && !fDiscard
+        && !pThis->pszEncryptionAlgorithm /* Disk encryption disables the block cache for security reasons */
         && RT_SUCCESS(rc))
     {