1 files changed, 282 insertions, 6 deletions

diff --git a/lib/libcryptsetup.h b/lib/libcryptsetup.h
index e899829..82d042f 100644
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -3,8 +3,8 @@
  *
  * Copyright (C) 2004 Jana Saout <jana@saout.de>
  * Copyright (C) 2004-2007 Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2023 Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2023 Milan Broz
+ * Copyright (C) 2009-2024 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2024 Milan Broz
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -273,7 +273,7 @@ struct crypt_pbkdf_type {
 
 /** Iteration time set by crypt_set_iteration_time(), for compatibility only. */
 #define CRYPT_PBKDF_ITER_TIME_SET   (UINT32_C(1) << 0)
-/** Never run benchmarks, use pre-set value or defaults. */
+/** Never run benchmarks or limit by system resources, use pre-set values or defaults. */
 #define CRYPT_PBKDF_NO_BENCHMARK    (UINT32_C(1) << 1)
 
 /** PBKDF2 according to RFC2898, LUKS1 legacy */
@@ -451,6 +451,34 @@ const char *crypt_get_type(struct crypt_device *cd);
 const char *crypt_get_default_type(void);
 
 /**
+ * @defgroup crypt-hw-encryption-types HW encryption type
+ * @addtogroup crypt-hw-encryption-types
+ * @{
+ */
+/** SW encryption, no OPAL encryption in place (default) */
+#define CRYPT_SW_ONLY        INT16_C(0)
+/** OPAL HW encryption only (no SW encryption!) */
+#define CRYPT_OPAL_HW_ONLY   INT16_C(1)
+/** SW encryption stacked over OPAL HW encryption  */
+#define CRYPT_SW_AND_OPAL_HW INT16_C(2)
+/** @} */
+
+/**
+ * Get HW encryption type
+ *
+ * @return HW encryption type (see @link crypt-hw-encryption-types @endlink)
+ *         or negative errno otherwise.
+ */
+int crypt_get_hw_encryption_type(struct crypt_device *cd);
+
+/**
+ * Get HW encryption (like OPAL) key size (in bytes)
+ *
+ * @return key size or 0 if no HW encryption is used.
+ */
+int crypt_get_hw_encryption_key_size(struct crypt_device *cd);
+
+/**
  *
  * Structure used as parameter for PLAIN device type.
  *
@@ -609,6 +637,18 @@ struct crypt_params_luks2 {
 	const char *label;       /**< header label or @e NULL*/
 	const char *subsystem;   /**< header subsystem label or @e NULL*/
 };
+
+/**
+ * Structure used as parameter for OPAL (HW encrypted) device type.
+ *
+ * @see crypt_format_luks2_opal
+ *
+ */
+struct crypt_params_hw_opal {
+	const char *admin_key;   /**< admin key */
+	size_t admin_key_size;   /**< admin key size in bytes */
+	size_t user_key_size;    /**< user authority key size part in bytes */
+};
 /** @} */
 
 /**
@@ -649,6 +689,34 @@ int crypt_format(struct crypt_device *cd,
 	void *params);
 
 /**
+ * Create (format) new LUKS2 crypt device over HW OPAL device but do not activate it.
+ *
+ * @pre @e cd contains initialized and not formatted device context (device type must @b not be set)
+ *
+ * @param cd crypt device handle
+ * @param cipher for SW encryption (e.g. "aes") or NULL for HW encryption only
+ * @param cipher_mode including IV specification (e.g. "xts-plain") or NULL for HW encryption only
+ * @param uuid requested UUID or @e NULL if it should be generated
+ * @param volume_keys pre-generated volume keys or @e NULL if it should be generated (only for LUKS2 SW encryption)
+ * @param volume_keys_size size of volume keys in bytes (only for SW encryption).
+ * @param params LUKS2 crypt type specific parameters (see @link crypt-type @endlink)
+ * @param opal_params OPAL specific parameters
+ *
+ * @returns @e 0 on success or negative errno value otherwise.
+ *
+ * @note Note that crypt_format_luks2_opal does not create LUKS keyslot.
+ *       To create keyslot call any crypt_keyslot_add_* function.
+ */
+int crypt_format_luks2_opal(struct crypt_device *cd,
+	const char *cipher,
+	const char *cipher_mode,
+	const char *uuid,
+	const char *volume_keys,
+	size_t volume_keys_size,
+	struct crypt_params_luks2 *params,
+	struct crypt_params_hw_opal *opal_params);
+
+/**
  * Set format compatibility flags.
  *
  * @param cd crypt device handle
@@ -941,6 +1009,23 @@ int crypt_resume_by_token_pin(struct crypt_device *cd,
 	const char *pin,
 	size_t pin_size,
 	void *usrptr);
+
+/**
+ * Resume crypt device using keyslot context.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to resume
+ * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is
+ *        ignored for unlock methods not based on passphrase
+ * @param kc keyslot context providing volume key or passphrase.
+ *
+ * @return unlocked key slot number for passphrase-based unlock, zero for other
+ *         unlock methods (e.g. volume key context) or negative errno on error.
+ */
+int crypt_resume_by_keyslot_context(struct crypt_device *cd,
+			       const char *name,
+			       int keyslot,
+			       struct crypt_keyslot_context *kc);
 /** @} */
 
 /**
@@ -1099,7 +1184,7 @@ int crypt_keyslot_add_by_volume_key(struct crypt_device *cd,
  * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption!
  * 	    By doing so you will most probably destroy your ciphertext data device. It's supposed
  * 	    to be used only in wrapped keys scheme for key refresh process where real (inner) volume
- * 	    key stays untouched. It may be involed on active @e keyslot which makes the (previously
+ * 	    key stays untouched. It may be involved on active @e keyslot which makes the (previously
  * 	    unbound) keyslot new regular keyslot.
  */
 int crypt_keyslot_add_by_key(struct crypt_device *cd,
@@ -1195,6 +1280,59 @@ int crypt_keyslot_context_init_by_volume_key(struct crypt_device *cd,
 	struct crypt_keyslot_context **kc);
 
 /**
+ * Initialize keyslot context via signed key.
+ *
+ * @param cd crypt device handle initialized to device context
+ *
+ * @param volume_key provided volume key
+ * @param volume_key_size size of volume_key
+ * @param signature buffer with signature for the key
+ * @param signature_size bsize of signature buffer
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_SIGNED_KEY
+ *
+ * @return zero on success or negative errno otherwise.
+ *
+ * @note currently supported only with VERITY devices.
+ */
+int crypt_keyslot_context_init_by_signed_key(struct crypt_device *cd,
+	const char *volume_key,
+	size_t volume_key_size,
+	const char *signature,
+	size_t signature_size,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via passphrase stored in a keyring.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param key_description kernel keyring key description library should look
+ *        for passphrase in
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_keyring(struct crypt_device *cd,
+	const char *key_description,
+	struct crypt_keyslot_context **kc);
+
+/**
+ * Initialize keyslot context via volume key stored in a keyring.
+ *
+ * @param cd crypt device handle initialized to LUKS device context
+ *
+ * @param key_description kernel keyring key description library should look
+ *        for passphrase in. The key can be passed either as number in ASCII,
+ *        or a text representation in the form "%<key_type>:<key_name>"
+ * @param kc returns crypt keyslot context handle type CRYPT_KC_TYPE_KEYRING
+ *
+ * @return zero on success or negative errno otherwise.
+ */
+int crypt_keyslot_context_init_by_vk_in_keyring(struct crypt_device *cd,
+	const char *key_description,
+	struct crypt_keyslot_context **kc);
+
+/**
  * Get error code per keyslot context from last failed call.
  *
  * @note If @link crypt_keyslot_add_by_keyslot_context @endlink passed with
@@ -1225,7 +1363,7 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd,
 	struct crypt_keyslot_context *kc);
 
 /**
- * @defgroup crypt-keyslot-context-types Crypt keyslot context
+ * @defgroup crypt-keyslot-context-types Crypt keyslot context types
  * @addtogroup crypt-keyslot-context-types
  * @{
  */
@@ -1237,6 +1375,16 @@ int crypt_keyslot_context_set_pin(struct crypt_device *cd,
 #define CRYPT_KC_TYPE_TOKEN      INT16_C(3)
 /** keyslot context initialized by volume key or unbound key (@link crypt_keyslot_context_init_by_volume_key @endlink) */
 #define CRYPT_KC_TYPE_KEY        INT16_C(4)
+/** keyslot context initialized by description of a keyring key
+ * (@link crypt_keyslot_context_init_by_keyring @endlink)
+ */
+#define CRYPT_KC_TYPE_KEYRING    INT16_C(5)
+/** keyslot context initialized by description of a keyring key containing the volume key
+ * (@link crypt_keyslot_context_init_by_vk_in_keyring @endlink)
+ */
+#define CRYPT_KC_TYPE_VK_KEYRING    INT16_C(6)
+/** keyslot context initialized by signed key (@link crypt_keyslot_context_init_by_signed_key @endlink) */
+#define CRYPT_KC_TYPE_SIGNED_KEY    INT16_C(7)
 /** @} */
 
 /**
@@ -1281,7 +1429,7 @@ int crypt_keyslot_context_get_type(const struct crypt_keyslot_context *kc);
  * @warning CRYPT_VOLUME_KEY_SET flag force updates volume key. It is @b not @b reencryption!
  * 	    By doing so you will most probably destroy your ciphertext data device. It's supposed
  * 	    to be used only in wrapped keys scheme for key refresh process where real (inner) volume
- * 	    key stays untouched. It may be involed on active @e keyslot which makes the (previously
+ * 	    key stays untouched. It may be involved on active @e keyslot which makes the (previously
  * 	    unbound) keyslot new regular keyslot.
  */
 int crypt_keyslot_add_by_keyslot_context(struct crypt_device *cd,
@@ -1420,6 +1568,8 @@ uint64_t crypt_get_active_integrity_failures(struct crypt_device *cd,
 #define CRYPT_REQUIREMENT_OFFLINE_REENCRYPT	(UINT32_C(1) << 0)
 /** Online reencryption in-progress */
 #define CRYPT_REQUIREMENT_ONLINE_REENCRYPT	(UINT32_C(1) << 1)
+/** Device configured with OPAL support */
+#define CRYPT_REQUIREMENT_OPAL			(UINT32_C(1) << 2)
 /** unknown requirement in header (output only) */
 #define CRYPT_REQUIREMENT_UNKNOWN		(UINT32_C(1) << 31)
 
@@ -1474,6 +1624,39 @@ int crypt_persistent_flags_get(struct crypt_device *cd,
  */
 
 /**
+ * Activate device or check using keyslot context. In some cases (device under
+ * reencryption), more than one keyslot context is required (e.g. one for the old
+ * volume key and one for the new volume key). The order of the keyslot
+ * contexts does not matter. When less keyslot contexts are supplied than
+ * required to unlock the device an -ESRCH error code is returned and you
+ * should call the function again with an additional keyslot context specified.
+ *
+ * NOTE: the API at the moment fully works for single keyslot context only,
+ * the additional keyslot context currently works only with
+ * @e CRYPT_KC_TYPE_VK_KEYRING or @e CRYPT_KC_TYPE_KEY contexts.
+ *
+ * @param cd crypt device handle
+ * @param name name of device to create, if @e NULL only check passphrase
+ * @param keyslot requested keyslot to check or @e CRYPT_ANY_SLOT, keyslot is
+ *        ignored for unlock methods not based on passphrase
+ * @param kc keyslot context providing volume key or passphrase.
+ * @param additional_keyslot requested additional keyslot to check or @e CRYPT_ANY_SLOT
+ * @param additional_kc keyslot context providing additional volume key or
+ *        passphrase (e.g. old volume key for device under reencryption).
+ * @param flags activation flags
+ *
+ * @return unlocked key slot number for passphrase-based unlock, zero for other
+ *         unlock methods (e.g. volume key context) or negative errno on error.
+ */
+int crypt_activate_by_keyslot_context(struct crypt_device *cd,
+	const char *name,
+	int keyslot,
+	struct crypt_keyslot_context *kc,
+	int additional_keyslot,
+	struct crypt_keyslot_context *additional_kc,
+	uint32_t flags);
+
+/**
  * Activate device or check passphrase.
  *
  * @param cd crypt device handle
@@ -1553,6 +1736,9 @@ int crypt_activate_by_keyfile(struct crypt_device *cd,
  * 	 CRYPT_ACTIVATE_READONLY flag always.
  * @note For TCRYPT the volume key should be always NULL
  * 	 the key from decrypted header is used instead.
+ * @note For BITLK the name cannot be @e NULL checking volume key is not
+ * 	 supported for BITLK, the device will be activated even if the
+ * 	 provided key is not correct.
  */
 int crypt_activate_by_volume_key(struct crypt_device *cd,
 	const char *name,
@@ -2259,6 +2445,36 @@ int crypt_wipe(struct crypt_device *cd,
 
 /** Use direct-io */
 #define CRYPT_WIPE_NO_DIRECT_IO (UINT32_C(1) << 0)
+
+enum {
+	CRYPT_LUKS2_SEGMENT = -2,
+	CRYPT_NO_SEGMENT = -1,
+};
+
+/**
+ * Safe erase of a partition or an entire OPAL device. WARNING: ALL DATA ON
+ * PARTITION/DISK WILL BE LOST. If the CRYPT_NO_SEGMENT is passed as the segment
+ * parameter, the entire device will be wiped, not just what is included in the
+ * LUKS2 device/partition.
+ *
+ * @param cd crypt device handle
+ * @param segment the segment number to wipe (0..8), or CRYPT_LUKS2_SEGMENT
+ *        to wipe the segment configured in the LUKS2 header, or CRYPT_NO_SEGMENT
+ *        to wipe the entire device via a factory reset.
+ * @param password admin password/PSID (for factory reset) to wipe the
+ *        partition/device
+ * @param password_size length of password/PSID
+ * @param flags (currently unused)
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_wipe_hw_opal(struct crypt_device *cd,
+	int segment, /* 0..8, CRYPT_LUKS2_SEGMENT -2, CRYPT_NO_SEGMENT -1 */
+	const char *password, /* Admin1 PIN or PSID */
+	size_t password_size,
+	uint32_t flags /* currently unused */
+);
+
 /** @} */
 
 /**
@@ -2567,6 +2783,17 @@ int crypt_token_register(const crypt_token_handler *handler);
 const char *crypt_token_external_path(void);
 
 /**
+ * Override configured external token handlers path for the library.
+ *
+ * @param path Absolute path (starts with '/') to new external token handlers directory or @e NULL.
+ *
+ * @note if @e path is @e NULL the external token path is reset to default path.
+ *
+ * @return @e 0 on success or negative errno value otherwise.
+ */
+int crypt_token_set_external_path(const char *path);
+
+/**
  * Disable external token handlers (plugins) support
  * If disabled, it cannot be enabled again.
  */
@@ -2875,6 +3102,55 @@ void crypt_safe_memzero(void *data, size_t size);
 
 /** @} */
 
+/**
+ * @defgroup crypt-keyring Kernel keyring manipulation
+ * @addtogroup crypt-keyring
+ * @{
+ */
+
+/**
+ * Link the volume key to the specified kernel keyring.
+ *
+ * The volume can have one or two keys. Normally, the device has one key.
+ * However if reencryption was started and not finished yet, the volume will
+ * have two volume keys (the new VK for the already reencrypted segment and old
+ * VK for the not yet reencrypted segment).
+ *
+ * The @e old_key_description argument is required only for
+ * devices that are in re-encryption and have two volume keys at the same time
+ * (old and new). You can set the @e old_key_description to NULL,
+ * but if you supply number of keys less than required, the function will
+ * return -ESRCH.  In that case you need to call the function again and set
+ * the missing key description. When supplying just one key description, make
+ * sure to supply it in the @e key_description.
+ *
+ * @param cd crypt device handle
+ * @param key_description the key description of the volume key linked in desired keyring.
+ * @param old_key_description the key description of the old volume key linked in desired keyring
+ *	  (for devices in re-encryption).
+ * @param key_type_desc the key type used for the volume key. Currently only "user" and "logon" types are
+ *	  supported. if @e NULL is specified the default "user" type is applied.
+ * @param keyring_to_link_vk the keyring description of the keyring in which volume key should
+ *	  be linked, if @e NULL is specified, linking will be disabled.
+ *
+ * @note keyring_to_link_vk may be passed in various string formats:
+ * 	 It can be kernel key numeric id of existing keyring written as a string,
+ * 	 keyring name prefixed optionally be either "%:" or "%keyring:" substrings or keyctl
+ * 	 special values for keyrings "@t", "@p", "@s" and so on. See keyctl(1) man page,
+ * 	 section KEY IDENTIFIERS for more information. All other prefixes starting "%<type>:"
+ * 	 are ignored.
+ *
+ * @note key_description "%<type>:" prefixes are ignored. Type is applied based on key_type parameter
+ * 	 value.
+ */
+int crypt_set_keyring_to_link(struct crypt_device* cd,
+	const char* key_description,
+	const char* old_key_description,
+	const char* key_type_desc,
+	const char* keyring_to_link_vk);
+
+/** @} */
+
 #ifdef __cplusplus
 }
 #endif