src/security/zxcrypt/fdio-volume.h - fuchsia - Git at Google

 // Copyright 2019 The Fuchsia Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef SRC_SECURITY_ZXCRYPT_FDIO_VOLUME_H_
 #define SRC_SECURITY_ZXCRYPT_FDIO_VOLUME_H_

 #include <lib/fdio/fdio.h>
 #include <lib/zx/channel.h>

 #include <memory>

 #include <fbl/string.h>
 #include <fbl/unique_fd.h>

 #include "src/security/fcrypto/secret.h"
 #include "src/security/zxcrypt/volume.h"

 namespace zxcrypt {

 // |zxcrypt::FdioVolume| is a zxcrypt volume which does IO via a file descriptor
 // to an underlying block device without any support from the zxcrypt driver
 // implementation.  It can be used on the host to prepare zxcrypt images, and is
 // often more convenient for testing.
 class __EXPORT FdioVolume final : public Volume {
  public:
   explicit FdioVolume(fbl::unique_fd&& block_dev_fd);

   // Creates a new zxcrypt volume associated with the given file descriptor,
   // |block_dev_fd|, and returns it via |out|, if provided.  This will format
   // the block device as zxcrypt using the given |key|, which will be
   // associated with key slot 0.  This method takes ownership of
   // |block_dev_fd|.  Note that |key| is not strengthened
   // and MUST have cryptographic key length of at least 128 bits.
   static zx_status_t Create(fbl::unique_fd block_dev_fd, const crypto::Secret& key,
                             std::unique_ptr<FdioVolume>* out = nullptr);

   // Opens a zxcrypt volume on the block device described by |block_dev_fd|
   // using the |key| corresponding to given key |slot|.  This method takes
   // ownership of |block_dev_fd|.  Note that |key| is not strengthened and MUST
   // have cryptographic key length of at least 128 bits.  This is a convenience
   // method that calls |Init()| and then |FdioVolume::Unlock()|.
   static zx_status_t Unlock(fbl::unique_fd block_dev_fd, const crypto::Secret& key, key_slot_t slot,
                             std::unique_ptr<FdioVolume>* out);

   // Returns a new volume object corresponding to the block device given by
   // |block_dev_fd| and populated with the block and FVM information.
   static zx_status_t Init(fbl::unique_fd block_dev_fd, std::unique_ptr<FdioVolume>* out = nullptr);

   // Opens a zxcrypt volume on the block device described by |fd| using the |key| corresponding to
   // given key |slot|.
   zx_status_t Unlock(const crypto::Secret& key, key_slot_t slot);

   // Adds a given |key| to the given key |slot|.  This key can then be used to |Open| the
   // zxcrypt device.  This method can only be called if the volume belongs to libzxcrypt.
   zx_status_t Enroll(const crypto::Secret& key, key_slot_t slot);

   // Removes the root key in the given key |slot|.  This key can no longer be used to |Open| the
   // zxcrypt device.  This method can only be called if the volume belongs to libzxcrypt.
   zx_status_t Revoke(key_slot_t slot);

  private:
   friend class testing::TestDevice;

   // Retrieves the block and FVM information and adjusts it
   zx_status_t Init();

   zx_status_t GetBlockInfo(BlockInfo* out);
   zx_status_t GetFvmSliceSize(uint64_t* out);
   zx_status_t DoBlockFvmVsliceQuery(uint64_t vslice_start, SliceRegion ranges[MAX_SLICE_REGIONS],
                                     uint64_t* slice_count);
   zx_status_t DoBlockFvmExtend(uint64_t start_slice, uint64_t slice_count);

   // Reads a block from the current offset on the underlying device.
   zx_status_t Read();

   // Writes a block to the current offset on the underlying device.
   zx_status_t Write();

   // Flushes all pending writes to the underlying device.
   zx_status_t Flush();

   // The underlying block device, accessed over FDIO
   fbl::unique_fd block_dev_fd_;
 };

 }  // namespace zxcrypt

 #endif  // SRC_SECURITY_ZXCRYPT_FDIO_VOLUME_H_
	// Copyright 2019 The Fuchsia Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef SRC_SECURITY_ZXCRYPT_FDIO_VOLUME_H_
	#define SRC_SECURITY_ZXCRYPT_FDIO_VOLUME_H_

	#include <lib/fdio/fdio.h>
	#include <lib/zx/channel.h>

	#include <memory>

	#include <fbl/string.h>
	#include <fbl/unique_fd.h>

	#include "src/security/fcrypto/secret.h"
	#include "src/security/zxcrypt/volume.h"

	namespace zxcrypt {

	// \|zxcrypt::FdioVolume\| is a zxcrypt volume which does IO via a file descriptor
	// to an underlying block device without any support from the zxcrypt driver
	// implementation. It can be used on the host to prepare zxcrypt images, and is
	// often more convenient for testing.
	class __EXPORT FdioVolume final : public Volume {
	public:
	explicit FdioVolume(fbl::unique_fd&& block_dev_fd);

	// Creates a new zxcrypt volume associated with the given file descriptor,
	// \|block_dev_fd\|, and returns it via \|out\|, if provided. This will format
	// the block device as zxcrypt using the given \|key\|, which will be
	// associated with key slot 0. This method takes ownership of
	// \|block_dev_fd\|. Note that \|key\| is not strengthened
	// and MUST have cryptographic key length of at least 128 bits.
	static zx_status_t Create(fbl::unique_fd block_dev_fd, const crypto::Secret& key,
	std::unique_ptr<FdioVolume>* out = nullptr);

	// Opens a zxcrypt volume on the block device described by \|block_dev_fd\|
	// using the \|key\| corresponding to given key \|slot\|. This method takes
	// ownership of \|block_dev_fd\|. Note that \|key\| is not strengthened and MUST
	// have cryptographic key length of at least 128 bits. This is a convenience
	// method that calls \|Init()\| and then \|FdioVolume::Unlock()\|.
	static zx_status_t Unlock(fbl::unique_fd block_dev_fd, const crypto::Secret& key, key_slot_t slot,
	std::unique_ptr<FdioVolume>* out);

	// Returns a new volume object corresponding to the block device given by
	// \|block_dev_fd\| and populated with the block and FVM information.
	static zx_status_t Init(fbl::unique_fd block_dev_fd, std::unique_ptr<FdioVolume>* out = nullptr);

	// Opens a zxcrypt volume on the block device described by \|fd\| using the \|key\| corresponding to
	// given key \|slot\|.
	zx_status_t Unlock(const crypto::Secret& key, key_slot_t slot);

	// Adds a given \|key\| to the given key \|slot\|. This key can then be used to \|Open\| the
	// zxcrypt device. This method can only be called if the volume belongs to libzxcrypt.
	zx_status_t Enroll(const crypto::Secret& key, key_slot_t slot);

	// Removes the root key in the given key \|slot\|. This key can no longer be used to \|Open\| the
	// zxcrypt device. This method can only be called if the volume belongs to libzxcrypt.
	zx_status_t Revoke(key_slot_t slot);

	private:
	friend class testing::TestDevice;

	// Retrieves the block and FVM information and adjusts it
	zx_status_t Init();

	zx_status_t GetBlockInfo(BlockInfo* out);
	zx_status_t GetFvmSliceSize(uint64_t* out);
	zx_status_t DoBlockFvmVsliceQuery(uint64_t vslice_start, SliceRegion ranges[MAX_SLICE_REGIONS],
	uint64_t* slice_count);
	zx_status_t DoBlockFvmExtend(uint64_t start_slice, uint64_t slice_count);

	// Reads a block from the current offset on the underlying device.
	zx_status_t Read();

	// Writes a block to the current offset on the underlying device.
	zx_status_t Write();

	// Flushes all pending writes to the underlying device.
	zx_status_t Flush();

	// The underlying block device, accessed over FDIO
	fbl::unique_fd block_dev_fd_;
	};

	} // namespace zxcrypt

	#endif // SRC_SECURITY_ZXCRYPT_FDIO_VOLUME_H_