gnupg/g13/g13-syshelp.h


/* g13-syshelp.h - Global definitions for G13-SYSHELP.
* Copyright (C) 2015 Werner Koch
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <https://www.gnu.org/licenses/>.
*/
#ifndef G13_SYSHELP_H
#define G13_SYSHELP_H
#include "g13-common.h"
g13: Second chunk of code to support dm-crypt.

* g13/be-dmcrypt.c, g13/be-dmcrypt.h: New.
* g13/Makefile.am (g13_SOURCES): Add them.
* g13/backend.c: Include be-dmcrypt.h and call-syshelp.h.
(no_such_backend): Rename to _no_such_backend and provide replacement macro.
(be_is_supported_conttype): Support DM-Crypt.
(be_take_lock_for_create): Call set_segvice for DM-Crypt.
(be_create_new_keys): Make it a dummy for DM-Crypt.
(be_create_container): Call be_dmcrypt_create_container.
(be_mount_container): call be_dmcrypt_mount_container.
* g13/g13-syshelp.c (main): Enable verbose mode.
* g13/g13tuple.c (get_tupledesc_data): New.
* g13/g13tuple.h (unref_tupledesc): New.
* g13/g13.h (server_control_): Add field "recipients".
* g13/g13.c (main): Fix setting of recipients via cmdline.
(g13_deinit_default_ctrl): Release recipients list.
(g13_request_shutdown): New. Replace all direct update of shutdown_pending by calls to this function.
* g13/server.c (server_local_s): Remove field recipients which is now part of CTRL.
(reset_notify, cmd_recipient, cmd_create): Adjust for this change.
* g13/create.c (encrypt_keyblob): Rename to g13_encrypt_keyblob.
(g13_create_container): Support DM-Crypt.
* g13/mount.c (parse_header): Allow for meta data copies.
(g13_mount_container): Support DM-Crypt.
* g13/sh-cmd.c (cmd_create): Make it work.
(cmd_mount): New.
* g13/sh-dmcrypt.c (sh_dmcrypt_create_container): Make it work.
(sh_dmcrypt_mount_container): New.
--
With this patch we can now create an encrypted partition and partly mount it (i.e. setup keys and create the mapped device). We do not yet create a file system or mount that file system.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-13 17:01:45 +01:00
#include "g13tuple.h"

struct tab_item_s;
typedef struct tab_item_s *tab_item_t;

struct tab_item_s
{
  tab_item_t next;
  char *label;       /* Optional malloced label for that entry.  */
  char *mountpoint;  /* NULL or a malloced mountpoint.  */
  char blockdev[1];  /* String with the name of the block device.  If
                        it starts with a slash it is a regular device
                        name, otherwise it is a PARTUUID.  */
};

/* Forward declaration for an object defined in g13-sh-cmd.c.  */
struct server_local_s;

/* Session control object.  This object is passed down to most
   functions.  The default values for it are set by
   g13_syshelp_init_default_ctrl().  */
struct server_control_s
{
  int no_server;      /* We are not running under server control */
  int status_fd;      /* Only for non-server mode */
  struct server_local_s *server_local;

  struct {
    uid_t uid;        /* UID of the client calling us.  */
    char *uname;
    tab_item_t tab;   /* Linked list with the g13tab items for this user.  */
  } client;

  /* Flag indicating that we should fail all commands.  */
  int fail_all_cmds;

  /* Type of the current container.  See the CONTTYPE_ constants.  */
  int conttype;

  /* A pointer into client.tab with the selected tab line or NULL.  */
  tab_item_t devti;
};

/*-- g13-syshelp.c --*/
void g13_syshelp_init_default_ctrl (struct server_control_s *ctrl);
void g13_syshelp_i_know_what_i_am_doing (void);

/*-- sh-cmd.c --*/
gpg_error_t syshelp_server (ctrl_t ctrl);
gpg_error_t sh_encrypt_keyblob (ctrl_t ctrl,
                                const void *keyblob, size_t keybloblen,
                                char **r_enckeyblob, size_t *r_enckeybloblen);

/*-- sh-blockdev.c --*/
gpg_error_t sh_blockdev_getsz (const char *name, unsigned long long *r_nblocks);
gpg_error_t sh_is_empty_partition (const char *name);

/*-- sh-dmcrypt.c --*/
gpg_error_t sh_dmcrypt_create_container (ctrl_t ctrl, const char *devname,
                                         estream_t devfp);
gpg_error_t sh_dmcrypt_mount_container (ctrl_t ctrl, const char *devname,
                                        tupledesc_t keyblob, int nomount);
gpg_error_t sh_dmcrypt_umount_container (ctrl_t ctrl, const char *devname);
g13: Add commands --suspend and --remove.

* g13/g13.c (aSuspend, aResume): New.
(opts): Add commands --suspend and --resume.
(main): Implement dummy command aUmount. Implement commands aResume and aSuspend.
* g13/sh-cmd.c (cmd_suspend): New.
(cmd_resume): New.
(register_commands): Add commands RESUME and SUSPEND.
* g13/server.c (cmd_suspend): New.
(cmd_resume): New.
(register_commands): Add commands RESUME and SUSPEND.
* g13/be-dmcrypt.c (be_dmcrypt_suspend_container): New.
(be_dmcrypt_resume_container): New.
* g13/backend.c (be_suspend_container): New.
(be_resume_container): New.
* g13/suspend.c, g13/suspend.h: New.
* g13/mount.c (parse_header, read_keyblob_prefix, read_keyblob)
(decrypt_keyblob, g13_is_container): Move to ...
* g13/keyblob.c: new file.
(keyblob_read): Rename to g13_keyblob_read and make global.
(keyblob_decrypt): Rename to g13_keyblob_decrypt and make global.
* g13/sh-dmcrypt.c (check_blockdev): Add arg expect_busy.
(sh_dmcrypt_suspend_container): New.
(sh_dmcrypt_resume_container): New.
* g13/call-syshelp.c (call_syshelp_run_suspend): New.
(call_syshelp_run_resume): New.
--
The --suspend command can be used before a hibernate operation to make the encrypted partition inaccessible and wipe the key from the memory. Before --suspend is called a sync(1) should be run to make sure that there are no dirty buffers (dmsetup, as called by g13, actually does this for you but it does not harm to do it anyway). After the partition has been suspended an echo 3 >proc/sys/vm/drop_caches is required to flush all caches which may still have content from the encrypted partition.

The --resume command reverses the effect of the suspend but to do this it needs to decrypt again. Now, if the .gnupg directory lives on the encrypted partition this will be problematic because due to the suspend all processes accessing data on the encrypted partition will be put into an uninterruptible sleep (ps(1) shows a state of 'D'). This needs to be avoided.

A workaround is to have a separate GnuPG home directory (say, "~/.gnupg-fallback") with only the public keys required to decrypt the partition along with properly set up conf files. A GNUPGHOME=$(pwd)/.gnupg-fallback g13 --resume should then be able to resume the encrypted partition using the private key stored on a smartcard. The implementation is pretty basic right now but useful to me.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-23 14:32:46 +01:00
gpg_error_t sh_dmcrypt_suspend_container (ctrl_t ctrl, const char *devname);
gpg_error_t sh_dmcrypt_resume_container (ctrl_t ctrl, const char *devname,
                                         tupledesc_t keyblob);

#endif /*G13_SYSHELP_H*/
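
The blockdev[1] member of struct tab_item_s holds a string whose real length is fixed at allocation time, and its comment gives the naming rule: a leading slash is a regular device name, anything else is a PARTUUID. The block below is an added example, not GnuPG code: the helpers tab_add, tab_item_is_partuuid and tab_select are hypothetical, the sample entries are constructed, and the exact-match lookup is an assumption about how a selected entry such as devti could be found in one user's list.

```c
/* Added example, not GnuPG code: the helper names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct tab_item_s *tab_item_t;
struct tab_item_s
{
  tab_item_t next;
  char *label;
  char *mountpoint;
  char blockdev[1];  /* Real length is fixed when the item is allocated. */
};

/* Prepend an item for BLOCKDEV to *TAB.  The [1] in the struct already
   pays for the terminating NUL, so only strlen() extra bytes are needed. */
static tab_item_t tab_add (tab_item_t *tab, const char *blockdev)
{
  size_t n = strlen (blockdev);
  tab_item_t ti = n ? calloc (1, sizeof *ti + n) : NULL;
  if (!ti)
    return NULL;  /* Empty device field or out of memory. */
  memcpy (ti->blockdev, blockdev, n + 1);
  ti->next = *tab;
  *tab = ti;
  return ti;
}

/* Leading slash: regular device name; anything else: PARTUUID. */
static int tab_item_is_partuuid (tab_item_t ti)
{
  return ti->blockdev[0] != '/';
}

/* Exact-match lookup in one user's list; NULL means "not listed". */
static tab_item_t tab_select (tab_item_t tab, const char *name)
{
  for (; tab; tab = tab->next)
    if (!strcmp (tab->blockdev, name))
      return tab;
  return NULL;
}

int main (void)
{
  tab_item_t tab = NULL;  /* Entries below are constructed samples. */
  if (!tab_add (&tab, "/dev/sdb1") || !tab_add (&tab, "0a1b2c3d-02"))
    return 2;
  return tab_select (tab, "/dev/sdc1") || !tab_item_is_partuuid (tab) ? 1 : 0;
}
```

Because the lookup compares whole strings, a request for /dev/sdb does not select the entry for /dev/sdb1, and a device absent from the list yields NULL rather than a default.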