mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-03 11:50:57 -05:00
ac1128d07f
* Add common backend for interacting with cryptsetup * Use common cryptsetup backend in bootstrapper * Use common cryptsetup backend in disk-mapper * Use common cryptsetup backend in csi lib --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
83 lines
2.0 KiB
Go
83 lines
2.0 KiB
Go
//go:build linux && cgo
|
|
|
|
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
package cryptsetup
|
|
|
|
// #include <libcryptsetup.h>
|
|
import "C"
|
|
|
|
import (
|
|
"errors"
|
|
|
|
"github.com/martinjungblut/go-cryptsetup"
|
|
)
|
|
|
|
const (
|
|
// ReadWriteQueueBypass is a flag to disable the write and read workqueues for a crypt device.
|
|
ReadWriteQueueBypass = C.CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE | C.CRYPT_ACTIVATE_NO_READ_WORKQUEUE
|
|
wipeFlags = cryptsetup.CRYPT_ACTIVATE_PRIVATE | cryptsetup.CRYPT_ACTIVATE_NO_JOURNAL
|
|
wipePattern = cryptsetup.CRYPT_WIPE_ZERO
|
|
)
|
|
|
|
var errInvalidType = errors.New("device is not a *cryptsetup.Device")
|
|
|
|
func format(device cryptDevice, integrity bool) error {
|
|
switch d := device.(type) {
|
|
case cgoFormatter:
|
|
luks2Params := cryptsetup.LUKS2{
|
|
SectorSize: 4096,
|
|
PBKDFType: &cryptsetup.PbkdfType{
|
|
// Use low memory recommendation from https://datatracker.ietf.org/doc/html/rfc9106#section-7
|
|
Type: "argon2id",
|
|
TimeMs: 2000,
|
|
Iterations: 3,
|
|
ParallelThreads: 4,
|
|
MaxMemoryKb: 65536, // ~64MiB
|
|
},
|
|
}
|
|
genericParams := cryptsetup.GenericParams{
|
|
Cipher: "aes",
|
|
CipherMode: "xts-plain64",
|
|
VolumeKeySize: 64, // 32*2 bytes for aes-xts-plain64 encryption
|
|
}
|
|
|
|
if integrity {
|
|
luks2Params.Integrity = "hmac(sha256)"
|
|
genericParams.VolumeKeySize += 32 // 32 bytes for hmac(sha256) integrity
|
|
}
|
|
|
|
return d.Format(luks2Params, genericParams)
|
|
default:
|
|
return errInvalidType
|
|
}
|
|
}
|
|
|
|
func initByDevicePath(devicePath string) (cryptDevice, error) {
|
|
return cryptsetup.Init(devicePath)
|
|
}
|
|
|
|
func initByName(name string) (cryptDevice, error) {
|
|
return cryptsetup.InitByName(name)
|
|
}
|
|
|
|
func loadLUKS2(device cryptDevice) error {
|
|
switch d := device.(type) {
|
|
case cgoLoader:
|
|
return d.Load(cryptsetup.LUKS2{})
|
|
default:
|
|
return errInvalidType
|
|
}
|
|
}
|
|
|
|
type cgoFormatter interface {
|
|
Format(deviceType cryptsetup.DeviceType, genericParams cryptsetup.GenericParams) error
|
|
}
|
|
|
|
type cgoLoader interface {
|
|
Load(deviceType cryptsetup.DeviceType) error
|
|
}
|