AB#2103 Derive key from LUKS UUID instead of disk name (#156)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-10-01 01:36:09 -04:00 · 2022-05-19 08:47:17 +02:00 · 2022-05-19 08:47:17 +02:00 · 0a24de24ee
commit 0a24de24ee
parent daf356d88e
3 changed files with 216 additions and 116 deletions
--- a/mount/cryptmapper/cryptmapper.go
+++ b/mount/cryptmapper/cryptmapper.go
@ -68,6 +68,8 @@ type DeviceMapper interface {
 	Free() bool
 	// GetDeviceName gets the path to the underlying device.
 	GetDeviceName() string
+	// GetUUID gets the devices UUID
+	GetUUID() string
 	// Load loads crypt device parameters from the on-disk header.
 	// Returns nil on success, or an error otherwise.
 	Load(cryptsetup.DeviceType) error
@ -171,18 +173,8 @@ func (c *CryptMapper) CloseCryptDevice(volumeID string) error {
 // OpenCryptDevice maps the volume at source to the crypt device identified by volumeID.
 // The key used to encrypt the volume is fetched using CryptMapper's kms client.
 func (c *CryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID string, integrity bool) (string, error) {
-	klog.V(4).Infof("Fetching data encryption key for volume %q", volumeID)
-
-	passphrase, err := c.kms.GetDEK(ctx, volumeID, constants.StateDiskKeyLength)
-	if err != nil {
-		return "", err
-	}
-	if len(passphrase) != constants.StateDiskKeyLength {
-		return "", fmt.Errorf("expected key length to be [%d] but got [%d]", constants.StateDiskKeyLength, len(passphrase))
-	}
-
 	m := &mount.SafeFormatAndMount{Exec: utilexec.New()}
-	return openCryptDevice(c.mapper, source, volumeID, string(passphrase), integrity, m.GetDiskFormat)
+	return openCryptDevice(ctx, c.mapper, source, volumeID, integrity, c.kms.GetDEK, m.GetDiskFormat)
 }

 // ResizeCryptDevice resizes the underlying crypt device and returns the mapped device path.
@ -228,7 +220,9 @@ func closeCryptDevice(device DeviceMapper, source, volumeID, deviceType string)
 }

 // openCryptDevice maps the volume at source to the crypt device identified by volumeID.
-func openCryptDevice(device DeviceMapper, source, volumeID, passphrase string, integrity bool, diskInfo func(disk string) (string, error)) (string, error) {
+func openCryptDevice(ctx context.Context, device DeviceMapper, source, volumeID string, integrity bool,
+	getKey func(ctx context.Context, keyID string, keySize int) ([]byte, error), diskInfo func(disk string) (string, error),
+) (string, error) {
 	packageLock.Lock()
 	defer packageLock.Unlock()

@ -248,7 +242,7 @@ func openCryptDevice(device DeviceMapper, source, volumeID, passphrase string, i
 	}
 	defer device.Free()

-	needWipe := false
+	var passphrase []byte
 	// Try to load LUKS headers
 	// If this fails, the device is either not formatted at all, or already formatted with a different FS
 	if err := device.Load(cryptsetup.LUKS2{}); err != nil {
@ -287,22 +281,41 @@ func openCryptDevice(device DeviceMapper, source, volumeID, passphrase string, i
 			return "", fmt.Errorf("formatting device %q failed: %w", source, err)
 		}

+		uuid := device.GetUUID()
+		klog.V(4).Infof("Fetching data encryption key for volume %q", volumeID)
+		passphrase, err = getKey(ctx, uuid, constants.StateDiskKeyLength)
+		if err != nil {
+			return "", err
+		}
+		if len(passphrase) != constants.StateDiskKeyLength {
+			return "", fmt.Errorf("expected key length to be [%d] but got [%d]", constants.StateDiskKeyLength, len(passphrase))
+		}
+
 		// Add a new keyslot using the internal volume key
-		if err := device.KeyslotAddByVolumeKey(0, "", passphrase); err != nil {
+		if err := device.KeyslotAddByVolumeKey(0, "", string(passphrase)); err != nil {
 			return "", fmt.Errorf("adding keyslot: %w", err)
 		}
-		needWipe = true
-	}

-	if integrity && needWipe {
-		if err := performWipe(device, volumeID); err != nil {
-			return "", fmt.Errorf("wiping device: %w", err)
+		if integrity {
+			if err := performWipe(device, volumeID); err != nil {
+				return "", fmt.Errorf("wiping device: %w", err)
+			}
+		}
+	} else {
+		uuid := device.GetUUID()
+		klog.V(4).Infof("Fetching data encryption key for volume %q", volumeID)
+		passphrase, err = getKey(ctx, uuid, constants.StateDiskKeyLength)
+		if err != nil {
+			return "", err
+		}
+		if len(passphrase) != constants.StateDiskKeyLength {
+			return "", fmt.Errorf("expected key length to be [%d] but got [%d]", constants.StateDiskKeyLength, len(passphrase))
 		}
 	}

 	klog.V(4).Infof("Activating LUKS2 device %q", cryptPrefix+volumeID)

-	if err := device.ActivateByPassphrase(volumeID, 0, passphrase, 0); err != nil {
+	if err := device.ActivateByPassphrase(volumeID, 0, string(passphrase), 0); err != nil {
 		klog.Errorf("Trying to activate dm-crypt volume: %s", err)
 		return "", fmt.Errorf("trying to activate dm-crypt volume: %w", err)
 	}
--- a/mount/cryptmapper/cryptmapper_test.go
+++ b/mount/cryptmapper/cryptmapper_test.go
@ -10,19 +10,9 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-var testDEK = []byte{
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-	0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
-}
-
 type stubCryptDevice struct {
 	deviceName       string
+	uuid             string
 	initErr          error
 	initByNameErr    error
 	activateErr      error
@ -68,6 +58,10 @@ func (c *stubCryptDevice) GetDeviceName() string {
 	return c.deviceName
 }

+func (c *stubCryptDevice) GetUUID() string {
+	return c.uuid
+}
+
 func (c *stubCryptDevice) Load(cryptsetup.DeviceType) error {
 	return c.loadErr
 }
@ -124,116 +118,156 @@ func TestCloseCryptDevice(t *testing.T) {

 func TestOpenCryptDevice(t *testing.T) {
 	someErr := errors.New("error")
+	getKeyFunc := func(context.Context, string, int) ([]byte, error) {
+		return []byte{
+			0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+			0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+			0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+			0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
+		}, nil
+	}

 	testCases := map[string]struct {
-		source     string
-		volumeID   string
-		passphrase string
-		integrity  bool
-		mapper     *stubCryptDevice
-		diskInfo   func(disk string) (string, error)
-		wantErr    bool
+		source    string
+		volumeID  string
+		integrity bool
+		mapper    *stubCryptDevice
+		getKey    func(context.Context, string, int) ([]byte, error)
+		diskInfo  func(disk string) (string, error)
+		wantErr   bool
 	}{
 		"success with Load": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
-			mapper:     &stubCryptDevice{},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    false,
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  false,
 		},
 		"success with error on Load": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
-			mapper:     &stubCryptDevice{loadErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    false,
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{loadErr: someErr},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  false,
 		},
 		"success with integrity": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(append(testDEK, testDEK[:32]...)),
-			integrity:  true,
-			mapper:     &stubCryptDevice{loadErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    false,
+			source:    "/dev/some-device",
+			volumeID:  "volume0",
+			integrity: true,
+			mapper:    &stubCryptDevice{loadErr: someErr},
+			getKey:    getKeyFunc,
+			diskInfo:  func(disk string) (string, error) { return "", nil },
+			wantErr:   false,
 		},
 		"error on Init": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
-			mapper:     &stubCryptDevice{initErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    true,
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{initErr: someErr},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  true,
 		},
 		"error on Format": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
-			mapper:     &stubCryptDevice{loadErr: someErr, formatErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    true,
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{loadErr: someErr, formatErr: someErr},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  true,
 		},
 		"error on Activate": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
-			mapper:     &stubCryptDevice{activatePassErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    true,
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{activatePassErr: someErr},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  true,
 		},
 		"error on diskInfo": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
-			mapper:     &stubCryptDevice{loadErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", someErr },
-			wantErr:    true,
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{loadErr: someErr},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "", someErr },
+			wantErr:  true,
 		},
 		"disk is already formatted": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
-			mapper:     &stubCryptDevice{loadErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "ext4", nil },
-			wantErr:    true,
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{loadErr: someErr},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "ext4", nil },
+			wantErr:  true,
 		},
 		"error with integrity on wipe": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(append(testDEK, testDEK[:32]...)),
-			integrity:  true,
-			mapper:     &stubCryptDevice{loadErr: someErr, wipeErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    true,
+			source:    "/dev/some-device",
+			volumeID:  "volume0",
+			integrity: true,
+			mapper:    &stubCryptDevice{loadErr: someErr, wipeErr: someErr},
+			getKey:    getKeyFunc,
+			diskInfo:  func(disk string) (string, error) { return "", nil },
+			wantErr:   true,
 		},
 		"error with integrity on activate": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(append(testDEK, testDEK[:32]...)),
-			integrity:  true,
-			mapper:     &stubCryptDevice{loadErr: someErr, activateErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    true,
+			source:    "/dev/some-device",
+			volumeID:  "volume0",
+			integrity: true,
+			mapper:    &stubCryptDevice{loadErr: someErr, activateErr: someErr},
+			getKey:    getKeyFunc,
+			diskInfo:  func(disk string) (string, error) { return "", nil },
+			wantErr:   true,
 		},
 		"error with integrity on deactivate": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(append(testDEK, testDEK[:32]...)),
-			integrity:  true,
-			mapper:     &stubCryptDevice{loadErr: someErr, deactivateErr: someErr},
-			diskInfo:   func(disk string) (string, error) { return "", nil },
-			wantErr:    true,
+			source:    "/dev/some-device",
+			volumeID:  "volume0",
+			integrity: true,
+			mapper:    &stubCryptDevice{loadErr: someErr, deactivateErr: someErr},
+			getKey:    getKeyFunc,
+			diskInfo:  func(disk string) (string, error) { return "", nil },
+			wantErr:   true,
 		},
 		"error on adding keyslot": {
-			source:     "/dev/some-device",
-			volumeID:   "volume0",
-			passphrase: string(testDEK),
+			source:   "/dev/some-device",
+			volumeID: "volume0",
 			mapper: &stubCryptDevice{
 				loadErr:       someErr,
 				keySlotAddErr: someErr,
 			},
+			getKey:   getKeyFunc,
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  true,
+		},
+		"incorrect key length": {
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{},
+			getKey:   func(ctx context.Context, s string, i int) ([]byte, error) { return []byte{0x1, 0x2, 0x3}, nil },
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  true,
+		},
+		"incorrect key length with error on Load": {
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{loadErr: someErr},
+			getKey:   func(ctx context.Context, s string, i int) ([]byte, error) { return []byte{0x1, 0x2, 0x3}, nil },
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  true,
+		},
+		"getKey fails": {
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{},
+			getKey:   func(ctx context.Context, s string, i int) ([]byte, error) { return nil, someErr },
+			diskInfo: func(disk string) (string, error) { return "", nil },
+			wantErr:  true,
+		},
+		"getKey fails with error on Load": {
+			source:   "/dev/some-device",
+			volumeID: "volume0",
+			mapper:   &stubCryptDevice{loadErr: someErr},
+			getKey:   func(ctx context.Context, s string, i int) ([]byte, error) { return nil, someErr },
 			diskInfo: func(disk string) (string, error) { return "", nil },
 			wantErr:  true,
 		},
@ -243,7 +277,15 @@ func TestOpenCryptDevice(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			assert := assert.New(t)

-			out, err := openCryptDevice(tc.mapper, tc.source, tc.volumeID, tc.passphrase, tc.integrity, tc.diskInfo)
+			out, err := openCryptDevice(
+				context.Background(),
+				tc.mapper,
+				tc.source,
+				tc.volumeID,
+				tc.integrity,
+				tc.getKey,
+				tc.diskInfo,
+			)
 			if tc.wantErr {
 				assert.Error(err)
 			} else {
--- a/mount/test/mount_integration_test.go
+++ b/mount/test/mount_integration_test.go
@ -25,8 +25,12 @@ func setup() {
 	exec.Command("/bin/dd", "if=/dev/zero", fmt.Sprintf("of=%s", DevicePath), "bs=64M", "count=1").Run()
 }

-func teardown() {
-	exec.Command("/bin/rm", "-f", DevicePath).Run()
+func teardown(devicePath string) {
+	exec.Command("/bin/rm", "-f", devicePath).Run()
+}
+
+func copy(source, target string) error {
+	return exec.Command("cp", source, target).Run()
 }

 func resize() {
@ -50,7 +54,7 @@ func TestOpenAndClose(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)
 	setup()
-	defer teardown()
+	defer teardown(DevicePath)

 	kms := kms.NewStaticKMS()
 	mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
@ -78,13 +82,18 @@ func TestOpenAndClose(t *testing.T) {
 	// assert crypt device got removed
 	_, err = os.Stat(newPath)
 	assert.True(os.IsNotExist(err))
+
+	// check if we can reopen the device
+	_, err = mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
+	assert.NoError(err)
+	assert.NoError(mapper.CloseCryptDevice(DeviceName))
 }

 func TestOpenAndCloseIntegrity(t *testing.T) {
 	assert := assert.New(t)
 	require := require.New(t)
 	setup()
-	defer teardown()
+	defer teardown(DevicePath)

 	kms := kms.NewStaticKMS()
 	mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
@ -113,4 +122,40 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
 	// assert integrity device got removed
 	_, err = os.Stat(newPath + "_dif")
 	assert.True(os.IsNotExist(err))
+
+	// check if we can reopen the device
+	_, err = mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
+	assert.NoError(err)
+	assert.NoError(mapper.CloseCryptDevice(DeviceName))
+}
+
+func TestDeviceCloning(t *testing.T) {
+	assert := assert.New(t)
+	require := require.New(t)
+	setup()
+	defer teardown(DevicePath)
+
+	mapper := cryptmapper.New(&dynamicKMS{}, &cryptmapper.CryptDevice{})
+
+	_, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
+	assert.NoError(err)
+
+	require.NoError(copy(DevicePath, DevicePath+"-copy"))
+	defer teardown(DevicePath + "-copy")
+
+	_, err = mapper.OpenCryptDevice(context.Background(), DevicePath+"-copy", DeviceName+"-copy", false)
+	assert.NoError(err)
+
+	assert.NoError(mapper.CloseCryptDevice(DeviceName))
+	assert.NoError(mapper.CloseCryptDevice(DeviceName + "-copy"))
+}
+
+type dynamicKMS struct{}
+
+func (k *dynamicKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
+	key := make([]byte, dekSize)
+	for i := range key {
+		key[i] = 0x41 ^ dekID[i%len(dekID)]
+	}
+	return key, nil
 }