cryptsetup: unify code (#2043)
* Add common backend for interacting with cryptsetup * Use common cryptsetup backend in bootstrapper * Use common cryptsetup backend in disk-mapper * Use common cryptsetup backend in csi lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
f52c6752e2
commit
ac1128d07f
34 changed files with 1061 additions and 1307 deletions
|
@ -5,14 +5,78 @@ Copyright (c) Edgeless Systems GmbH
|
|||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
// Package cryptsetup contains CGO bindings for cryptsetup.
|
||||
package cryptsetup
|
||||
|
||||
// #include <libcryptsetup.h>
|
||||
import "C"
|
||||
|
||||
import (
|
||||
"errors"
|
||||
|
||||
"github.com/martinjungblut/go-cryptsetup"
|
||||
)
|
||||
|
||||
const (
|
||||
// ReadWriteQueueBypass is a flag to disable the write and read workqueues for a crypt device.
|
||||
ReadWriteQueueBypass = C.CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE | C.CRYPT_ACTIVATE_NO_READ_WORKQUEUE
|
||||
wipeFlags = cryptsetup.CRYPT_ACTIVATE_PRIVATE | cryptsetup.CRYPT_ACTIVATE_NO_JOURNAL
|
||||
wipePattern = cryptsetup.CRYPT_WIPE_ZERO
|
||||
)
|
||||
|
||||
var errInvalidType = errors.New("device is not a *cryptsetup.Device")
|
||||
|
||||
func format(device cryptDevice, integrity bool) error {
|
||||
switch d := device.(type) {
|
||||
case cgoFormatter:
|
||||
luks2Params := cryptsetup.LUKS2{
|
||||
SectorSize: 4096,
|
||||
PBKDFType: &cryptsetup.PbkdfType{
|
||||
// Use low memory recommendation from https://datatracker.ietf.org/doc/html/rfc9106#section-7
|
||||
Type: "argon2id",
|
||||
TimeMs: 2000,
|
||||
Iterations: 3,
|
||||
ParallelThreads: 4,
|
||||
MaxMemoryKb: 65536, // ~64MiB
|
||||
},
|
||||
}
|
||||
genericParams := cryptsetup.GenericParams{
|
||||
Cipher: "aes",
|
||||
CipherMode: "xts-plain64",
|
||||
VolumeKeySize: 64, // 32*2 bytes for aes-xts-plain64 encryption
|
||||
}
|
||||
|
||||
if integrity {
|
||||
luks2Params.Integrity = "hmac(sha256)"
|
||||
genericParams.VolumeKeySize += 32 // 32 bytes for hmac(sha256) integrity
|
||||
}
|
||||
|
||||
return d.Format(luks2Params, genericParams)
|
||||
default:
|
||||
return errInvalidType
|
||||
}
|
||||
}
|
||||
|
||||
func initByDevicePath(devicePath string) (cryptDevice, error) {
|
||||
return cryptsetup.Init(devicePath)
|
||||
}
|
||||
|
||||
func initByName(name string) (cryptDevice, error) {
|
||||
return cryptsetup.InitByName(name)
|
||||
}
|
||||
|
||||
func loadLUKS2(device cryptDevice) error {
|
||||
switch d := device.(type) {
|
||||
case cgoLoader:
|
||||
return d.Load(cryptsetup.LUKS2{})
|
||||
default:
|
||||
return errInvalidType
|
||||
}
|
||||
}
|
||||
|
||||
type cgoFormatter interface {
|
||||
Format(deviceType cryptsetup.DeviceType, genericParams cryptsetup.GenericParams) error
|
||||
}
|
||||
|
||||
type cgoLoader interface {
|
||||
Load(deviceType cryptsetup.DeviceType) error
|
||||
}
|
||||
|
|
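Review bot: The `PBKDFType` block in `format` sets `TimeMs: 2000` alongside explicit `Iterations: 3` and `MaxMemoryKb: 65536`, but as far as I can tell from libcryptsetup's `crypt_pbkdf_type` semantics, when the no-benchmark flag is not set the time budget drives a benchmark and the explicit iteration count is not applied as-is, with `max_memory_kb` acting only as an upper bound — so the comment citing the RFC 9106 low-memory parameters may overstate what is actually configured; worth confirming against the go-cryptsetup version in use and either passing the no-benchmark flag if it is exposed or rewording to `// Memory is capped at the RFC 9106 "low-memory" 64 MiB; libcryptsetup benchmarks the iteration count to ~TimeMs unless NO_BENCHMARK is set.`. The `errInvalidType` message says the device "is not a *cryptsetup.Device", while the type switches in `format` and `loadLUKS2` actually test for the `cgoFormatter` / `cgoLoader` interfaces, so the error text should name the missing method set rather than the concrete type. `initByDevicePath` and `initByName` return `(*cryptsetup.Device, error)` straight into the `cryptDevice` interface, so on error callers receive a non-nil interface wrapping a nil pointer; returning `nil, err` explicitly when `err != nil` avoids that trap for any caller that checks the device rather than the error. `ReadWriteQueueBypass` is built from the raw `C.` constants while `wipeFlags` and `wipePattern` use the `cryptsetup` package's constants; picking one source for all activation flags would keep the types consistent.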