]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/home/homework-luks.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #14901 from w-simon/fix-tests
[thirdparty/systemd.git] / src / home / homework-luks.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <libfdisk.h>
4 #include <linux/loop.h>
5 #include <poll.h>
6 #include <sys/file.h>
7 #include <sys/ioctl.h>
8
9 #include "blkid-util.h"
10 #include "blockdev-util.h"
11 #include "chattr-util.h"
12 #include "dm-util.h"
13 #include "errno-util.h"
14 #include "fd-util.h"
15 #include "fileio.h"
16 #include "fs-util.h"
17 #include "fsck-util.h"
18 #include "homework-luks.h"
19 #include "homework-mount.h"
20 #include "id128-util.h"
21 #include "io-util.h"
22 #include "memory-util.h"
23 #include "missing_magic.h"
24 #include "mkdir.h"
25 #include "mount-util.h"
26 #include "openssl-util.h"
27 #include "parse-util.h"
28 #include "path-util.h"
29 #include "process-util.h"
30 #include "random-util.h"
31 #include "resize-fs.h"
32 #include "stat-util.h"
33 #include "strv.h"
34 #include "tmpfile-util.h"
35
36 /* Round down to the nearest 1K size. Note that Linux generally handles block devices with 512 blocks only,
37 * but actually doesn't accept uneven numbers in many cases. To avoid any confusion around this we'll
38 * strictly round disk sizes down to the next 1K boundary.*/
39 #define DISK_SIZE_ROUND_DOWN(x) ((x) & ~UINT64_C(1023))
40
41 static bool supported_fstype(const char *fstype) {
42 /* Limit the set of supported file systems a bit, as protection against little tested kernel file
43 * systems. Also, we only support the resize ioctls for these file systems. */
44 return STR_IN_SET(fstype, "ext4", "btrfs", "xfs");
45 }
46
47 static int probe_file_system_by_fd(
48 int fd,
49 char **ret_fstype,
50 sd_id128_t *ret_uuid) {
51
52 _cleanup_(blkid_free_probep) blkid_probe b = NULL;
53 _cleanup_free_ char *s = NULL;
54 const char *fstype = NULL, *uuid = NULL;
55 sd_id128_t id;
56 int r;
57
58 assert(fd >= 0);
59 assert(ret_fstype);
60 assert(ret_uuid);
61
62 b = blkid_new_probe();
63 if (!b)
64 return -ENOMEM;
65
66 errno = 0;
67 r = blkid_probe_set_device(b, fd, 0, 0);
68 if (r != 0)
69 return errno > 0 ? -errno : -ENOMEM;
70
71 (void) blkid_probe_enable_superblocks(b, 1);
72 (void) blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE|BLKID_SUBLKS_UUID);
73
74 errno = 0;
75 r = blkid_do_safeprobe(b);
76 if (IN_SET(r, -2, 1)) /* nothing found or ambiguous result */
77 return -ENOPKG;
78 if (r != 0)
79 return errno > 0 ? -errno : -EIO;
80
81 (void) blkid_probe_lookup_value(b, "TYPE", &fstype, NULL);
82 if (!fstype)
83 return -ENOPKG;
84
85 (void) blkid_probe_lookup_value(b, "UUID", &uuid, NULL);
86 if (!uuid)
87 return -ENOPKG;
88
89 r = sd_id128_from_string(uuid, &id);
90 if (r < 0)
91 return r;
92
93 s = strdup(fstype);
94 if (!s)
95 return -ENOMEM;
96
97 *ret_fstype = TAKE_PTR(s);
98 *ret_uuid = id;
99
100 return 0;
101 }
102
103 static int probe_file_system_by_path(const char *path, char **ret_fstype, sd_id128_t *ret_uuid) {
104 _cleanup_close_ int fd = -1;
105
106 fd = open(path, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
107 if (fd < 0)
108 return -errno;
109
110 return probe_file_system_by_fd(fd, ret_fstype, ret_uuid);
111 }
112
113 static int block_get_size_by_fd(int fd, uint64_t *ret) {
114 struct stat st;
115
116 assert(fd >= 0);
117 assert(ret);
118
119 if (fstat(fd, &st) < 0)
120 return -errno;
121
122 if (!S_ISBLK(st.st_mode))
123 return -ENOTBLK;
124
125 if (ioctl(fd, BLKGETSIZE64, ret) < 0)
126 return -errno;
127
128 return 0;
129 }
130
131 static int block_get_size_by_path(const char *path, uint64_t *ret) {
132 _cleanup_close_ int fd = -1;
133
134 fd = open(path, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
135 if (fd < 0)
136 return -errno;
137
138 return block_get_size_by_fd(fd, ret);
139 }
140
141 static int run_fsck(const char *node, const char *fstype) {
142 int r, exit_status;
143 pid_t fsck_pid;
144
145 assert(node);
146 assert(fstype);
147
148 r = fsck_exists(fstype);
149 if (r < 0)
150 return log_error_errno(r, "Failed to check if fsck for file system %s exists: %m", fstype);
151 if (r == 0) {
152 log_warning("No fsck for file system %s installed, ignoring.", fstype);
153 return 0;
154 }
155
156 r = safe_fork("(fsck)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR, &fsck_pid);
157 if (r < 0)
158 return r;
159 if (r == 0) {
160 /* Child */
161 execl("/sbin/fsck", "/sbin/fsck", "-aTl", node, NULL);
162 log_error_errno(errno, "Failed to execute fsck: %m");
163 _exit(FSCK_OPERATIONAL_ERROR);
164 }
165
166 exit_status = wait_for_terminate_and_check("fsck", fsck_pid, WAIT_LOG_ABNORMAL);
167 if (exit_status < 0)
168 return exit_status;
169 if ((exit_status & ~FSCK_ERROR_CORRECTED) != 0) {
170 log_warning("fsck failed with exit status %i.", exit_status);
171
172 if ((exit_status & (FSCK_SYSTEM_SHOULD_REBOOT|FSCK_ERRORS_LEFT_UNCORRECTED)) != 0)
173 return log_error_errno(SYNTHETIC_ERRNO(EIO), "File system is corrupted, refusing.");
174
175 log_warning("Ignoring fsck error.");
176 }
177
178 log_info("File system check completed.");
179
180 return 1;
181 }
182
183 static int luks_try_passwords(
184 struct crypt_device *cd,
185 char **passwords,
186 void *volume_key,
187 size_t *volume_key_size) {
188
189 char **pp;
190 int r;
191
192 assert(cd);
193
194 STRV_FOREACH(pp, passwords) {
195 size_t vks = *volume_key_size;
196
197 r = crypt_volume_key_get(
198 cd,
199 CRYPT_ANY_SLOT,
200 volume_key,
201 &vks,
202 *pp,
203 strlen(*pp));
204 if (r >= 0) {
205 *volume_key_size = vks;
206 return 0;
207 }
208
209 log_debug_errno(r, "Password %zu didn't work for unlocking LUKS superblock: %m", (size_t) (pp - passwords));
210 }
211
212 return -ENOKEY;
213 }
214
215 static int luks_setup(
216 const char *node,
217 const char *dm_name,
218 sd_id128_t uuid,
219 const char *cipher,
220 const char *cipher_mode,
221 uint64_t volume_key_size,
222 char **passwords,
223 char **pkcs11_decrypted_passwords,
224 bool discard,
225 struct crypt_device **ret,
226 sd_id128_t *ret_found_uuid,
227 void **ret_volume_key,
228 size_t *ret_volume_key_size) {
229
230 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
231 _cleanup_(erase_and_freep) void *vk = NULL;
232 sd_id128_t p;
233 size_t vks;
234 int r;
235
236 assert(node);
237 assert(dm_name);
238 assert(ret);
239
240 r = crypt_init(&cd, node);
241 if (r < 0)
242 return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
243
244 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
245
246 r = crypt_load(cd, CRYPT_LUKS2, NULL);
247 if (r < 0)
248 return log_error_errno(r, "Failed to load LUKS superblock: %m");
249
250 r = crypt_get_volume_key_size(cd);
251 if (r <= 0)
252 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine LUKS volume key size");
253 vks = (size_t) r;
254
255 if (!sd_id128_is_null(uuid) || ret_found_uuid) {
256 const char *s;
257
258 s = crypt_get_uuid(cd);
259 if (!s)
260 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock has no UUID.");
261
262 r = sd_id128_from_string(s, &p);
263 if (r < 0)
264 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock has invalid UUID.");
265
266 /* Check that the UUID matches, if specified */
267 if (!sd_id128_is_null(uuid) &&
268 !sd_id128_equal(uuid, p))
269 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock has wrong UUID.");
270 }
271
272 if (cipher && !streq_ptr(cipher, crypt_get_cipher(cd)))
273 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock declares wrong cipher.");
274
275 if (cipher_mode && !streq_ptr(cipher_mode, crypt_get_cipher_mode(cd)))
276 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock declares wrong cipher mode.");
277
278 if (volume_key_size != UINT64_MAX && vks != volume_key_size)
279 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock declares wrong volume key size.");
280
281 vk = malloc(vks);
282 if (!vk)
283 return log_oom();
284
285 r = luks_try_passwords(cd, pkcs11_decrypted_passwords, vk, &vks);
286 if (r == -ENOKEY) {
287 r = luks_try_passwords(cd, passwords, vk, &vks);
288 if (r == -ENOKEY)
289 return log_error_errno(r, "No valid password for LUKS superblock.");
290 }
291 if (r < 0)
292 return log_error_errno(r, "Failed to unlocks LUKS superblock: %m");
293
294 r = crypt_activate_by_volume_key(
295 cd,
296 dm_name,
297 vk, vks,
298 discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
299 if (r < 0)
300 return log_error_errno(r, "Failed to unlock LUKS superblock: %m");
301
302 log_info("Setting up LUKS device /dev/mapper/%s completed.", dm_name);
303
304 *ret = TAKE_PTR(cd);
305
306 if (ret_found_uuid) /* Return the UUID actually found if the caller wants to know */
307 *ret_found_uuid = p;
308 if (ret_volume_key)
309 *ret_volume_key = TAKE_PTR(vk);
310 if (ret_volume_key_size)
311 *ret_volume_key_size = vks;
312
313 return 0;
314 }
315
316 static int luks_open(
317 const char *dm_name,
318 char **passwords,
319 char **pkcs11_decrypted_passwords,
320 struct crypt_device **ret,
321 sd_id128_t *ret_found_uuid,
322 void **ret_volume_key,
323 size_t *ret_volume_key_size) {
324
325 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
326 _cleanup_(erase_and_freep) void *vk = NULL;
327 sd_id128_t p;
328 size_t vks;
329 int r;
330
331 assert(dm_name);
332 assert(ret);
333
334 /* Opens a LUKS device that is already set up. Re-validates the password while doing so (which also
335 * provides us with the volume key, which we want). */
336
337 r = crypt_init_by_name(&cd, dm_name);
338 if (r < 0)
339 return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name);
340
341 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
342
343 r = crypt_load(cd, CRYPT_LUKS2, NULL);
344 if (r < 0)
345 return log_error_errno(r, "Failed to load LUKS superblock: %m");
346
347 r = crypt_get_volume_key_size(cd);
348 if (r <= 0)
349 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine LUKS volume key size");
350 vks = (size_t) r;
351
352 if (ret_found_uuid) {
353 const char *s;
354
355 s = crypt_get_uuid(cd);
356 if (!s)
357 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock has no UUID.");
358
359 r = sd_id128_from_string(s, &p);
360 if (r < 0)
361 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "LUKS superblock has invalid UUID.");
362 }
363
364 vk = malloc(vks);
365 if (!vk)
366 return log_oom();
367
368 r = luks_try_passwords(cd, pkcs11_decrypted_passwords, vk, &vks);
369 if (r == -ENOKEY) {
370 r = luks_try_passwords(cd, passwords, vk, &vks);
371 if (r == -ENOKEY)
372 return log_error_errno(r, "No valid password for LUKS superblock.");
373 }
374 if (r < 0)
375 return log_error_errno(r, "Failed to unlocks LUKS superblock: %m");
376
377 log_info("Discovered used LUKS device /dev/mapper/%s, and validated password.", dm_name);
378
379 /* This is needed so that crypt_resize() can operate correctly for pre-existing LUKS devices. We need
380 * to tell libcryptsetup the volume key explicitly, so that it is in the kernel keyring. */
381 r = crypt_activate_by_volume_key(cd, NULL, vk, vks, CRYPT_ACTIVATE_KEYRING_KEY);
382 if (r < 0)
383 return log_error_errno(r, "Failed to upload volume key again: %m");
384
385 log_info("Successfully re-activated LUKS device.");
386
387 *ret = TAKE_PTR(cd);
388
389 if (ret_found_uuid)
390 *ret_found_uuid = p;
391 if (ret_volume_key)
392 *ret_volume_key = TAKE_PTR(vk);
393 if (ret_volume_key_size)
394 *ret_volume_key_size = vks;
395
396 return 0;
397 }
398
399 static int fs_validate(
400 const char *dm_node,
401 sd_id128_t uuid,
402 char **ret_fstype,
403 sd_id128_t *ret_found_uuid) {
404
405 _cleanup_free_ char *fstype = NULL;
406 sd_id128_t u;
407 int r;
408
409 assert(dm_node);
410 assert(ret_fstype);
411
412 r = probe_file_system_by_path(dm_node, &fstype, &u);
413 if (r < 0)
414 return log_error_errno(r, "Failed to probe file system: %m");
415
416 /* Limit the set of supported file systems a bit, as protection against little tested kernel file
417 * systems. Also, we only support the resize ioctls for these file systems. */
418 if (!supported_fstype(fstype))
419 return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "Image contains unsupported file system: %s", strna(fstype));
420
421 if (!sd_id128_is_null(uuid) &&
422 !sd_id128_equal(uuid, u))
423 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE), "File system has wrong UUID.");
424
425 log_info("Probing file system completed (found %s).", fstype);
426
427 *ret_fstype = TAKE_PTR(fstype);
428
429 if (ret_found_uuid) /* Return the UUID actually found if the caller wants to know */
430 *ret_found_uuid = u;
431
432 return 0;
433 }
434
435 static int make_dm_names(const char *user_name, char **ret_dm_name, char **ret_dm_node) {
436 _cleanup_free_ char *name = NULL, *node = NULL;
437
438 assert(user_name);
439 assert(ret_dm_name);
440 assert(ret_dm_node);
441
442 name = strjoin("home-", user_name);
443 if (!name)
444 return log_oom();
445
446 node = path_join("/dev/mapper/", name);
447 if (!node)
448 return log_oom();
449
450 *ret_dm_name = TAKE_PTR(name);
451 *ret_dm_node = TAKE_PTR(node);
452 return 0;
453 }
454
455 static int luks_validate(
456 int fd,
457 const char *label,
458 sd_id128_t partition_uuid,
459 sd_id128_t *ret_partition_uuid,
460 uint64_t *ret_offset,
461 uint64_t *ret_size) {
462
463 _cleanup_(blkid_free_probep) blkid_probe b = NULL;
464 sd_id128_t found_partition_uuid = SD_ID128_NULL;
465 const char *fstype = NULL, *pttype = NULL;
466 blkid_loff_t offset = 0, size = 0;
467 blkid_partlist pl;
468 bool found = false;
469 int r, i, n;
470
471 assert(fd >= 0);
472 assert(label);
473 assert(ret_offset);
474 assert(ret_size);
475
476 b = blkid_new_probe();
477 if (!b)
478 return -ENOMEM;
479
480 errno = 0;
481 r = blkid_probe_set_device(b, fd, 0, 0);
482 if (r != 0)
483 return errno > 0 ? -errno : -ENOMEM;
484
485 (void) blkid_probe_enable_superblocks(b, 1);
486 (void) blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
487 (void) blkid_probe_enable_partitions(b, 1);
488 (void) blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
489
490 errno = 0;
491 r = blkid_do_safeprobe(b);
492 if (IN_SET(r, -2, 1)) /* nothing found or ambiguous result */
493 return -ENOPKG;
494 if (r != 0)
495 return errno > 0 ? -errno : -EIO;
496
497 (void) blkid_probe_lookup_value(b, "TYPE", &fstype, NULL);
498 if (streq_ptr(fstype, "crypto_LUKS")) {
499 /* Directly a LUKS image */
500 *ret_offset = 0;
501 *ret_size = UINT64_MAX; /* full disk */
502 *ret_partition_uuid = SD_ID128_NULL;
503 return 0;
504 } else if (fstype)
505 return -ENOPKG;
506
507 (void) blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
508 if (!streq_ptr(pttype, "gpt"))
509 return -ENOPKG;
510
511 errno = 0;
512 pl = blkid_probe_get_partitions(b);
513 if (!pl)
514 return errno > 0 ? -errno : -ENOMEM;
515
516 errno = 0;
517 n = blkid_partlist_numof_partitions(pl);
518 if (n < 0)
519 return errno > 0 ? -errno : -EIO;
520
521 for (i = 0; i < n; i++) {
522 blkid_partition pp;
523 sd_id128_t id;
524 const char *sid;
525
526 errno = 0;
527 pp = blkid_partlist_get_partition(pl, i);
528 if (!pp)
529 return errno > 0 ? -errno : -EIO;
530
531 if (!streq_ptr(blkid_partition_get_type_string(pp), "773f91ef-66d4-49b5-bd83-d683bf40ad16"))
532 continue;
533
534 if (!streq_ptr(blkid_partition_get_name(pp), label))
535 continue;
536
537 sid = blkid_partition_get_uuid(pp);
538 if (sid) {
539 r = sd_id128_from_string(sid, &id);
540 if (r < 0)
541 log_debug_errno(r, "Couldn't parse partition UUID %s, weird: %m", sid);
542
543 if (!sd_id128_is_null(partition_uuid) && !sd_id128_equal(id, partition_uuid))
544 continue;
545 }
546
547 if (found)
548 return -ENOPKG;
549
550 offset = blkid_partition_get_start(pp);
551 size = blkid_partition_get_size(pp);
552 found_partition_uuid = id;
553
554 found = true;
555 }
556
557 if (!found)
558 return -ENOPKG;
559
560 if (offset < 0)
561 return -EINVAL;
562 if ((uint64_t) offset > UINT64_MAX / 512U)
563 return -EINVAL;
564 if (size <= 0)
565 return -EINVAL;
566 if ((uint64_t) size > UINT64_MAX / 512U)
567 return -EINVAL;
568
569 *ret_offset = offset * 512U;
570 *ret_size = size * 512U;
571 *ret_partition_uuid = found_partition_uuid;
572
573 return 0;
574 }
575
576 static int crypt_device_to_evp_cipher(struct crypt_device *cd, const EVP_CIPHER **ret) {
577 _cleanup_free_ char *cipher_name = NULL;
578 const char *cipher, *cipher_mode, *e;
579 size_t key_size, key_bits;
580 const EVP_CIPHER *cc;
581 int r;
582
583 assert(cd);
584
585 /* Let's find the right OpenSSL EVP_CIPHER object that matches the encryption settings of the LUKS
586 * device */
587
588 cipher = crypt_get_cipher(cd);
589 if (!cipher)
590 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot get cipher from LUKS device.");
591
592 cipher_mode = crypt_get_cipher_mode(cd);
593 if (!cipher_mode)
594 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot get cipher mode from LUKS device.");
595
596 e = strchr(cipher_mode, '-');
597 if (e)
598 cipher_mode = strndupa(cipher_mode, e - cipher_mode);
599
600 r = crypt_get_volume_key_size(cd);
601 if (r <= 0)
602 return log_error_errno(r < 0 ? r : SYNTHETIC_ERRNO(EINVAL), "Cannot get volume key size from LUKS device.");
603
604 key_size = r;
605 key_bits = key_size * 8;
606 if (streq(cipher_mode, "xts"))
607 key_bits /= 2;
608
609 if (asprintf(&cipher_name, "%s-%zu-%s", cipher, key_bits, cipher_mode) < 0)
610 return log_oom();
611
612 cc = EVP_get_cipherbyname(cipher_name);
613 if (!cc)
614 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Selected cipher mode '%s' not supported, can't encrypt JSON record.", cipher_name);
615
616 /* Verify that our key length calculations match what OpenSSL thinks */
617 r = EVP_CIPHER_key_length(cc);
618 if (r < 0 || (uint64_t) r != key_size)
619 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Key size of selected cipher doesn't meet out expectations.");
620
621 *ret = cc;
622 return 0;
623 }
624
625 static int luks_validate_home_record(
626 struct crypt_device *cd,
627 UserRecord *h,
628 const void *volume_key,
629 char ***pkcs11_decrypted_passwords,
630 UserRecord **ret_luks_home_record) {
631
632 int r, token;
633
634 assert(cd);
635 assert(h);
636
637 for (token = 0;; token++) {
638 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL, *rr = NULL;
639 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
640 _cleanup_(user_record_unrefp) UserRecord *lhr = NULL;
641 _cleanup_free_ void *encrypted = NULL, *iv = NULL;
642 size_t decrypted_size, encrypted_size, iv_size;
643 int decrypted_size_out1, decrypted_size_out2;
644 _cleanup_free_ char *decrypted = NULL;
645 const char *text, *type;
646 crypt_token_info state;
647 JsonVariant *jr, *jiv;
648 unsigned line, column;
649 const EVP_CIPHER *cc;
650
651 state = crypt_token_status(cd, token, &type);
652 if (state == CRYPT_TOKEN_INACTIVE) /* First unconfigured token, give up */
653 break;
654 if (IN_SET(state, CRYPT_TOKEN_INTERNAL, CRYPT_TOKEN_INTERNAL_UNKNOWN, CRYPT_TOKEN_EXTERNAL))
655 continue;
656 if (state != CRYPT_TOKEN_EXTERNAL_UNKNOWN)
657 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unexpected token state of token %i: %i", token, (int) state);
658
659 if (!streq(type, "systemd-homed"))
660 continue;
661
662 r = crypt_token_json_get(cd, token, &text);
663 if (r < 0)
664 return log_error_errno(r, "Failed to read LUKS token %i: %m", token);
665
666 r = json_parse(text, JSON_PARSE_SENSITIVE, &v, &line, &column);
667 if (r < 0)
668 return log_error_errno(r, "Failed to parse LUKS token JSON data %u:%u: %m", line, column);
669
670 jr = json_variant_by_key(v, "record");
671 if (!jr)
672 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "LUKS token lacks 'record' field.");
673 jiv = json_variant_by_key(v, "iv");
674 if (!jiv)
675 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "LUKS token lacks 'iv' field.");
676
677 r = json_variant_unbase64(jr, &encrypted, &encrypted_size);
678 if (r < 0)
679 return log_error_errno(r, "Failed to base64 decode record: %m");
680
681 r = json_variant_unbase64(jiv, &iv, &iv_size);
682 if (r < 0)
683 return log_error_errno(r, "Failed to base64 decode IV: %m");
684
685 r = crypt_device_to_evp_cipher(cd, &cc);
686 if (r < 0)
687 return r;
688 if (iv_size > INT_MAX || EVP_CIPHER_iv_length(cc) != (int) iv_size)
689 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "IV size doesn't match.");
690
691 context = EVP_CIPHER_CTX_new();
692 if (!context)
693 return log_oom();
694
695 if (EVP_DecryptInit_ex(context, cc, NULL, volume_key, iv) != 1)
696 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize decryption context.");
697
698 decrypted_size = encrypted_size + EVP_CIPHER_key_length(cc) * 2;
699 decrypted = new(char, decrypted_size);
700 if (!decrypted)
701 return log_oom();
702
703 if (EVP_DecryptUpdate(context, (uint8_t*) decrypted, &decrypted_size_out1, encrypted, encrypted_size) != 1)
704 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to decrypt JSON record.");
705
706 assert((size_t) decrypted_size_out1 <= decrypted_size);
707
708 if (EVP_DecryptFinal_ex(context, (uint8_t*) decrypted + decrypted_size_out1, &decrypted_size_out2) != 1)
709 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finish decryption of JSON record.");
710
711 assert((size_t) decrypted_size_out1 + (size_t) decrypted_size_out2 < decrypted_size);
712 decrypted_size = (size_t) decrypted_size_out1 + (size_t) decrypted_size_out2;
713
714 if (memchr(decrypted, 0, decrypted_size))
715 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Inner NUL byte in JSON record, refusing.");
716
717 decrypted[decrypted_size] = 0;
718
719 r = json_parse(decrypted, JSON_PARSE_SENSITIVE, &rr, NULL, NULL);
720 if (r < 0)
721 return log_error_errno(r, "Failed to parse decrypted JSON record, refusing.");
722
723 lhr = user_record_new();
724 if (!lhr)
725 return log_oom();
726
727 r = user_record_load(lhr, rr, USER_RECORD_LOAD_EMBEDDED);
728 if (r < 0)
729 return log_error_errno(r, "Failed to parse user record: %m");
730
731 if (!user_record_compatible(h, lhr))
732 return log_error_errno(SYNTHETIC_ERRNO(EREMCHG), "LUKS home record not compatible with host record, refusing.");
733
734 r = user_record_authenticate(lhr, h, pkcs11_decrypted_passwords);
735 if (r < 0)
736 return r;
737
738 *ret_luks_home_record = TAKE_PTR(lhr);
739 return 0;
740 }
741
742 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Couldn't find home record in LUKS2 header, refusing.");
743 }
744
745 static int format_luks_token_text(
746 struct crypt_device *cd,
747 UserRecord *hr,
748 const void *volume_key,
749 char **ret) {
750
751 int r, encrypted_size_out1 = 0, encrypted_size_out2 = 0, iv_size, key_size;
752 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
753 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
754 _cleanup_free_ void *iv = NULL, *encrypted = NULL;
755 size_t text_length, encrypted_size;
756 _cleanup_free_ char *text = NULL;
757 const EVP_CIPHER *cc;
758
759 assert(cd);
760 assert(hr);
761 assert(volume_key);
762 assert(ret);
763
764 r = crypt_device_to_evp_cipher(cd, &cc);
765 if (r < 0)
766 return r;
767
768 key_size = EVP_CIPHER_key_length(cc);
769 iv_size = EVP_CIPHER_iv_length(cc);
770
771 if (iv_size > 0) {
772 iv = malloc(iv_size);
773 if (!iv)
774 return log_oom();
775
776 r = genuine_random_bytes(iv, iv_size, RANDOM_BLOCK);
777 if (r < 0)
778 return log_error_errno(r, "Failed to generate IV: %m");
779 }
780
781 context = EVP_CIPHER_CTX_new();
782 if (!context)
783 return log_oom();
784
785 if (EVP_EncryptInit_ex(context, cc, NULL, volume_key, iv) != 1)
786 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize encryption context.");
787
788 r = json_variant_format(hr->json, 0, &text);
789 if (r < 0)
790 return log_error_errno(r,"Failed to format user record for LUKS: %m");
791
792 text_length = strlen(text);
793 encrypted_size = text_length + 2*key_size - 1;
794
795 encrypted = malloc(encrypted_size);
796 if (!encrypted)
797 return log_oom();
798
799 if (EVP_EncryptUpdate(context, encrypted, &encrypted_size_out1, (uint8_t*) text, text_length) != 1)
800 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt JSON record.");
801
802 assert((size_t) encrypted_size_out1 <= encrypted_size);
803
804 if (EVP_EncryptFinal_ex(context, (uint8_t*) encrypted + encrypted_size_out1, &encrypted_size_out2) != 1)
805 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finish encryption of JSON record. ");
806
807 assert((size_t) encrypted_size_out1 + (size_t) encrypted_size_out2 <= encrypted_size);
808
809 r = json_build(&v,
810 JSON_BUILD_OBJECT(
811 JSON_BUILD_PAIR("type", JSON_BUILD_STRING("systemd-homed")),
812 JSON_BUILD_PAIR("keyslots", JSON_BUILD_EMPTY_ARRAY),
813 JSON_BUILD_PAIR("record", JSON_BUILD_BASE64(encrypted, encrypted_size_out1 + encrypted_size_out2)),
814 JSON_BUILD_PAIR("iv", JSON_BUILD_BASE64(iv, iv_size))));
815 if (r < 0)
816 return log_error_errno(r, "Failed to prepare LUKS JSON token object: %m");
817
818 r = json_variant_format(v, 0, ret);
819 if (r < 0)
820 return log_error_errno(r, "Failed to format encrypted user record for LUKS: %m");
821
822 return 0;
823 }
824
825 int home_store_header_identity_luks(
826 UserRecord *h,
827 HomeSetup *setup,
828 UserRecord *old_home) {
829
830 _cleanup_(user_record_unrefp) UserRecord *header_home = NULL;
831 _cleanup_free_ char *text = NULL;
832 int token = 0, r;
833
834 assert(h);
835
836 if (!setup->crypt_device)
837 return 0;
838
839 assert(setup->volume_key);
840
841 /* Let's store the user's identity record in the LUKS2 "token" header data fields, in an encrypted
842 * fashion. Why that? If we'd rely on the record being embedded in the payload file system itself we
843 * would have to mount the file system before we can validate the JSON record, its signatures and
844 * whether it matches what we are looking for. However, kernel file system implementations are
845 * generally not ready to be used on untrusted media. Hence let's store the record independently of
846 * the file system, so that we can validate it first, and only then mount the file system. To keep
847 * things simple we use the same encryption settings for this record as for the file system itself. */
848
849 r = user_record_clone(h, USER_RECORD_EXTRACT_EMBEDDED, &header_home);
850 if (r < 0)
851 return log_error_errno(r, "Failed to determine new header record: %m");
852
853 if (old_home && user_record_equal(old_home, header_home)) {
854 log_debug("Not updating header home record.");
855 return 0;
856 }
857
858 r = format_luks_token_text(setup->crypt_device, header_home, setup->volume_key, &text);
859 if (r < 0)
860 return r;
861
862 for (;; token++) {
863 crypt_token_info state;
864 const char *type;
865
866 state = crypt_token_status(setup->crypt_device, token, &type);
867 if (state == CRYPT_TOKEN_INACTIVE) /* First unconfigured token, we are done */
868 break;
869 if (IN_SET(state, CRYPT_TOKEN_INTERNAL, CRYPT_TOKEN_INTERNAL_UNKNOWN, CRYPT_TOKEN_EXTERNAL))
870 continue; /* Not ours */
871 if (state != CRYPT_TOKEN_EXTERNAL_UNKNOWN)
872 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unexpected token state of token %i: %i", token, (int) state);
873
874 if (!streq(type, "systemd-homed"))
875 continue;
876
877 r = crypt_token_json_set(setup->crypt_device, token, text);
878 if (r < 0)
879 return log_error_errno(r, "Failed to set JSON token for slot %i: %m", token);
880
881 /* Now, let's free the text so that for all further matching tokens we all crypt_json_token_set()
882 * with a NULL text in order to invalidate the tokens. */
883 text = mfree(text);
884 token++;
885 }
886
887 if (text)
888 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Didn't find any record token to update.");
889
890 log_info("Wrote LUKS header user record.");
891
892 return 1;
893 }
894
895 static int run_fitrim(int root_fd) {
896 char buf[FORMAT_BYTES_MAX];
897 struct fstrim_range range = {
898 .len = UINT64_MAX,
899 };
900
901 /* If discarding is on, discard everything right after mounting, so that the discard setting takes
902 * effect on activation. */
903
904 assert(root_fd >= 0);
905
906 if (ioctl(root_fd, FITRIM, &range) < 0) {
907 if (IN_SET(errno, ENOTTY, EOPNOTSUPP, EBADF)) {
908 log_debug_errno(errno, "File system does not support FITRIM, not trimming.");
909 return 0;
910 }
911
912 return log_warning_errno(errno, "Failed to invoke FITRIM, ignoring: %m");
913 }
914
915 log_info("Discarded unused %s.",
916 format_bytes(buf, sizeof(buf), range.len));
917 return 1;
918 }
919
920 static int run_fallocate(int backing_fd, const struct stat *st) {
921 char buf[FORMAT_BYTES_MAX];
922
923 assert(backing_fd >= 0);
924 assert(st);
925
926 /* If discarding is off, let's allocate the whole image before mounting, so that the setting takes
927 * effect on activation */
928
929 if (!S_ISREG(st->st_mode))
930 return 0;
931
932 if (st->st_blocks >= DIV_ROUND_UP(st->st_size, 512)) {
933 log_info("Backing file is fully allocated already.");
934 return 0;
935 }
936
937 if (fallocate(backing_fd, FALLOC_FL_KEEP_SIZE, 0, st->st_size) < 0) {
938
939 if (ERRNO_IS_NOT_SUPPORTED(errno)) {
940 log_debug_errno(errno, "fallocate() not supported on file system, ignoring.");
941 return 0;
942 }
943
944 if (ERRNO_IS_DISK_SPACE(errno)) {
945 log_debug_errno(errno, "Not enough disk space to fully allocate home.");
946 return -ENOSPC; /* make recognizable */
947 }
948
949 return log_error_errno(errno, "Failed to allocate backing file blocks: %m");
950 }
951
952 log_info("Allocated additional %s.",
953 format_bytes(buf, sizeof(buf), (DIV_ROUND_UP(st->st_size, 512) - st->st_blocks) * 512));
954 return 1;
955 }
956
957 int home_prepare_luks(
958 UserRecord *h,
959 bool already_activated,
960 const char *force_image_path,
961 char ***pkcs11_decrypted_passwords,
962 HomeSetup *setup,
963 UserRecord **ret_luks_home) {
964
965 sd_id128_t found_partition_uuid, found_luks_uuid, found_fs_uuid;
966 _cleanup_(user_record_unrefp) UserRecord *luks_home = NULL;
967 _cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
968 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
969 _cleanup_(erase_and_freep) void *volume_key = NULL;
970 bool dm_activated = false, mounted = false;
971 _cleanup_close_ int root_fd = -1;
972 size_t volume_key_size = 0;
973 uint64_t offset, size;
974 int r;
975
976 assert(h);
977 assert(setup);
978 assert(setup->dm_name);
979 assert(setup->dm_node);
980
981 assert(user_record_storage(h) == USER_LUKS);
982
983 if (already_activated) {
984 struct loop_info64 info;
985 const char *n;
986
987 r = luks_open(setup->dm_name,
988 h->password,
989 pkcs11_decrypted_passwords ? *pkcs11_decrypted_passwords : NULL,
990 &cd,
991 &found_luks_uuid,
992 &volume_key,
993 &volume_key_size);
994 if (r < 0)
995 return r;
996
997 r = luks_validate_home_record(cd, h, volume_key, pkcs11_decrypted_passwords, &luks_home);
998 if (r < 0)
999 return r;
1000
1001 n = crypt_get_device_name(cd);
1002 if (!n)
1003 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine backing device for DM %s.", setup->dm_name);
1004
1005 r = loop_device_open(n, O_RDWR, &loop);
1006 if (r < 0)
1007 return log_error_errno(r, "Failed to open loopback device %s: %m", n);
1008
1009 if (ioctl(loop->fd, LOOP_GET_STATUS64, &info) < 0) {
1010 _cleanup_free_ char *sysfs = NULL;
1011 struct stat st;
1012
1013 if (!IN_SET(errno, ENOTTY, EINVAL))
1014 return log_error_errno(errno, "Failed to get block device metrics of %s: %m", n);
1015
1016 if (ioctl(loop->fd, BLKGETSIZE64, &size) < 0)
1017 return log_error_errno(r, "Failed to read block device size of %s: %m", n);
1018
1019 if (fstat(loop->fd, &st) < 0)
1020 return log_error_errno(r, "Failed to stat block device %s: %m", n);
1021 assert(S_ISBLK(st.st_mode));
1022
1023 if (asprintf(&sysfs, "/sys/dev/block/%u:%u/partition", major(st.st_rdev), minor(st.st_rdev)) < 0)
1024 return log_oom();
1025
1026 if (access(sysfs, F_OK) < 0) {
1027 if (errno != ENOENT)
1028 return log_error_errno(errno, "Failed to determine whether %s exists: %m", sysfs);
1029
1030 offset = 0;
1031 } else {
1032 _cleanup_free_ char *buffer = NULL;
1033
1034 if (asprintf(&sysfs, "/sys/dev/block/%u:%u/start", major(st.st_rdev), minor(st.st_rdev)) < 0)
1035 return log_oom();
1036
1037 r = read_one_line_file(sysfs, &buffer);
1038 if (r < 0)
1039 return log_error_errno(r, "Failed to read partition start offset: %m");
1040
1041 r = safe_atou64(buffer, &offset);
1042 if (r < 0)
1043 return log_error_errno(r, "Failed to parse partition start offset: %m");
1044
1045 if (offset > UINT64_MAX / 512U)
1046 return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Offset too large for 64 byte range, refusing.");
1047
1048 offset *= 512U;
1049 }
1050 } else {
1051 offset = info.lo_offset;
1052 size = info.lo_sizelimit;
1053 }
1054
1055 found_partition_uuid = found_fs_uuid = SD_ID128_NULL;
1056
1057 log_info("Discovered used loopback device %s.", loop->node);
1058
1059 root_fd = open(user_record_home_directory(h), O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
1060 if (root_fd < 0) {
1061 r = log_error_errno(r, "Failed to open home directory: %m");
1062 goto fail;
1063 }
1064 } else {
1065 _cleanup_free_ char *fstype = NULL, *subdir = NULL;
1066 _cleanup_close_ int fd = -1;
1067 const char *ip;
1068 struct stat st;
1069
1070 ip = force_image_path ?: user_record_image_path(h);
1071
1072 subdir = path_join("/run/systemd/user-home-mount/", user_record_user_name_and_realm(h));
1073 if (!subdir)
1074 return log_oom();
1075
1076 fd = open(ip, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
1077 if (fd < 0)
1078 return log_error_errno(errno, "Failed to open image file %s: %m", ip);
1079
1080 if (fstat(fd, &st) < 0)
1081 return log_error_errno(errno, "Failed to fstat() image file: %m");
1082 if (!S_ISREG(st.st_mode) && !S_ISBLK(st.st_mode))
1083 return log_error_errno(errno, "Image file %s is not a regular file or block device: %m", ip);
1084
1085 r = luks_validate(fd, user_record_user_name_and_realm(h), h->partition_uuid, &found_partition_uuid, &offset, &size);
1086 if (r < 0)
1087 return log_error_errno(r, "Failed to validate disk label: %m");
1088
1089 if (!user_record_luks_discard(h)) {
1090 r = run_fallocate(fd, &st);
1091 if (r < 0)
1092 return r;
1093 }
1094
1095 r = loop_device_make(fd, O_RDWR, offset, size, 0, &loop);
1096 if (r == -ENOENT) {
1097 log_error_errno(r, "Loopback block device support is not available on this system.");
1098 return -ENOLINK; /* make recognizable */
1099 }
1100 if (r < 0)
1101 return log_error_errno(r, "Failed to allocate loopback context: %m");
1102
1103 log_info("Setting up loopback device %s completed.", loop->node ?: ip);
1104
1105 r = luks_setup(loop->node ?: ip,
1106 setup->dm_name,
1107 h->luks_uuid,
1108 h->luks_cipher,
1109 h->luks_cipher_mode,
1110 h->luks_volume_key_size,
1111 h->password,
1112 pkcs11_decrypted_passwords ? *pkcs11_decrypted_passwords : NULL,
1113 user_record_luks_discard(h),
1114 &cd,
1115 &found_luks_uuid,
1116 &volume_key,
1117 &volume_key_size);
1118 if (r < 0)
1119 return r;
1120
1121 dm_activated = true;
1122
1123 r = luks_validate_home_record(cd, h, volume_key, pkcs11_decrypted_passwords, &luks_home);
1124 if (r < 0)
1125 goto fail;
1126
1127 r = fs_validate(setup->dm_node, h->file_system_uuid, &fstype, &found_fs_uuid);
1128 if (r < 0)
1129 goto fail;
1130
1131 r = run_fsck(setup->dm_node, fstype);
1132 if (r < 0)
1133 goto fail;
1134
1135 r = home_unshare_and_mount(setup->dm_node, fstype, user_record_luks_discard(h));
1136 if (r < 0)
1137 goto fail;
1138
1139 mounted = true;
1140
1141 root_fd = open(subdir, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
1142 if (root_fd < 0) {
1143 r = log_error_errno(r, "Failed to open home directory: %m");
1144 goto fail;
1145 }
1146
1147 if (user_record_luks_discard(h))
1148 (void) run_fitrim(root_fd);
1149 }
1150
1151 setup->loop = TAKE_PTR(loop);
1152 setup->crypt_device = TAKE_PTR(cd);
1153 setup->root_fd = TAKE_FD(root_fd);
1154 setup->found_partition_uuid = found_partition_uuid;
1155 setup->found_luks_uuid = found_luks_uuid;
1156 setup->found_fs_uuid = found_fs_uuid;
1157 setup->partition_offset = offset;
1158 setup->partition_size = size;
1159 setup->volume_key = TAKE_PTR(volume_key);
1160 setup->volume_key_size = volume_key_size;
1161
1162 setup->undo_mount = mounted;
1163 setup->undo_dm = dm_activated;
1164
1165 if (ret_luks_home)
1166 *ret_luks_home = TAKE_PTR(luks_home);
1167
1168 return 0;
1169
1170 fail:
1171 if (mounted)
1172 (void) umount_verbose("/run/systemd/user-home-mount");
1173
1174 if (dm_activated)
1175 (void) crypt_deactivate(cd, setup->dm_name);
1176
1177 return r;
1178 }
1179
1180 static void print_size_summary(uint64_t host_size, uint64_t encrypted_size, struct statfs *sfs) {
1181 char buffer1[FORMAT_BYTES_MAX], buffer2[FORMAT_BYTES_MAX], buffer3[FORMAT_BYTES_MAX], buffer4[FORMAT_BYTES_MAX];
1182
1183 assert(sfs);
1184
1185 log_info("Image size is %s, file system size is %s, file system payload size is %s, file system free is %s.",
1186 format_bytes(buffer1, sizeof(buffer1), host_size),
1187 format_bytes(buffer2, sizeof(buffer2), encrypted_size),
1188 format_bytes(buffer3, sizeof(buffer3), (uint64_t) sfs->f_blocks * (uint64_t) sfs->f_frsize),
1189 format_bytes(buffer4, sizeof(buffer4), (uint64_t) sfs->f_bfree * (uint64_t) sfs->f_frsize));
1190 }
1191
1192 int home_activate_luks(
1193 UserRecord *h,
1194 char ***pkcs11_decrypted_passwords,
1195 UserRecord **ret_home) {
1196
1197 _cleanup_(user_record_unrefp) UserRecord *new_home = NULL, *luks_home_record = NULL;
1198 _cleanup_(home_setup_undo) HomeSetup setup = HOME_SETUP_INIT;
1199 uint64_t host_size, encrypted_size;
1200 const char *hdo, *hd;
1201 struct statfs sfs;
1202 int r;
1203
1204 assert(h);
1205 assert(user_record_storage(h) == USER_LUKS);
1206 assert(ret_home);
1207
1208 assert_se(hdo = user_record_home_directory(h));
1209 hd = strdupa(hdo); /* copy the string out, since it might change later in the home record object */
1210
1211 r = make_dm_names(h->user_name, &setup.dm_name, &setup.dm_node);
1212 if (r < 0)
1213 return r;
1214
1215 r = access(setup.dm_node, F_OK);
1216 if (r < 0) {
1217 if (errno != ENOENT)
1218 return log_error_errno(errno, "Failed to determine whether %s exists: %m", setup.dm_node);
1219 } else
1220 return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Device mapper device %s already exists, refusing.", setup.dm_node);
1221
1222 r = home_prepare_luks(
1223 h,
1224 false,
1225 NULL,
1226 pkcs11_decrypted_passwords,
1227 &setup,
1228 &luks_home_record);
1229 if (r < 0)
1230 return r;
1231
1232 r = block_get_size_by_fd(setup.loop->fd, &host_size);
1233 if (r < 0)
1234 return log_error_errno(r, "Failed to get loopback block device size: %m");
1235
1236 r = block_get_size_by_path(setup.dm_node, &encrypted_size);
1237 if (r < 0)
1238 return log_error_errno(r, "Failed to get LUKS block device size: %m");
1239
1240 r = home_refresh(
1241 h,
1242 &setup,
1243 luks_home_record,
1244 pkcs11_decrypted_passwords,
1245 &sfs,
1246 &new_home);
1247 if (r < 0)
1248 return r;
1249
1250 r = home_extend_embedded_identity(new_home, h, &setup);
1251 if (r < 0)
1252 return r;
1253
1254 setup.root_fd = safe_close(setup.root_fd);
1255
1256 r = home_move_mount(user_record_user_name_and_realm(h), hd);
1257 if (r < 0)
1258 return r;
1259
1260 setup.undo_mount = false;
1261
1262 loop_device_relinquish(setup.loop);
1263
1264 r = dm_deferred_remove(setup.dm_name);
1265 if (r < 0)
1266 log_warning_errno(r, "Failed to relinquish dm device, ignoring: %m");
1267
1268 setup.undo_dm = false;
1269
1270 log_info("Everything completed.");
1271
1272 print_size_summary(host_size, encrypted_size, &sfs);
1273
1274 *ret_home = TAKE_PTR(new_home);
1275 return 1;
1276 }
1277
1278 int home_deactivate_luks(UserRecord *h) {
1279 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
1280 _cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
1281 int r;
1282
1283 /* Note that the DM device and loopback device are set to auto-detach, hence strictly speaking we
1284 * don't have to explicitly have to detach them. However, we do that nonetheless (in case of the DM
1285 * device), to avoid races: by explicitly detaching them we know when the detaching is complete. We
1286 * don't bother about the loopback device because unlike the DM device it doesn't have a fixed
1287 * name. */
1288
1289 r = make_dm_names(h->user_name, &dm_name, &dm_node);
1290 if (r < 0)
1291 return r;
1292
1293 r = crypt_init_by_name(&cd, dm_name);
1294 if (IN_SET(r, -ENODEV, -EINVAL, -ENOENT)) {
1295 log_debug_errno(r, "LUKS device %s is already detached.", dm_name);
1296 return false;
1297 } else if (r < 0)
1298 return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name);
1299
1300 log_info("Discovered used LUKS device %s.", dm_node);
1301
1302 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
1303
1304 r = crypt_deactivate(cd, dm_name);
1305 if (IN_SET(r, -ENODEV, -EINVAL, -ENOENT))
1306 log_debug_errno(r, "LUKS device %s is already detached.", dm_node);
1307 else if (r < 0)
1308 return log_info_errno(r, "LUKS device %s couldn't be deactivated: %m", dm_node);
1309
1310 log_info("LUKS device detaching completed.");
1311 return true;
1312 }
1313
1314 static int run_mkfs(
1315 const char *node,
1316 const char *fstype,
1317 const char *label,
1318 sd_id128_t uuid,
1319 bool discard) {
1320
1321 int r;
1322
1323 assert(node);
1324 assert(fstype);
1325 assert(label);
1326
1327 r = mkfs_exists(fstype);
1328 if (r < 0)
1329 return log_error_errno(r, "Failed to check if mkfs for file system %s exists: %m", fstype);
1330 if (r == 0)
1331 return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "Nt mkfs for file system %s installed.", fstype);
1332
1333 r = safe_fork("(mkfs)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_WAIT|FORK_STDOUT_TO_STDERR, NULL);
1334 if (r < 0)
1335 return r;
1336 if (r == 0) {
1337 const char *mkfs;
1338 char suuid[37];
1339
1340 /* Child */
1341
1342 mkfs = strjoina("mkfs.", fstype);
1343 id128_to_uuid_string(uuid, suuid);
1344
1345 if (streq(fstype, "ext4"))
1346 execlp(mkfs, mkfs,
1347 "-L", label,
1348 "-U", suuid,
1349 "-I", "256",
1350 "-O", "has_journal",
1351 "-m", "0",
1352 "-E", discard ? "lazy_itable_init=1,discard" : "lazy_itable_init=1,nodiscard",
1353 node, NULL);
1354 else if (streq(fstype, "btrfs")) {
1355 if (discard)
1356 execlp(mkfs, mkfs, "-L", label, "-U", suuid, node, NULL);
1357 else
1358 execlp(mkfs, mkfs, "-L", label, "-U", suuid, "--nodiscard", node, NULL);
1359 } else if (streq(fstype, "xfs")) {
1360 const char *j;
1361
1362 j = strjoina("uuid=", suuid);
1363 if (discard)
1364 execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", node, NULL);
1365 else
1366 execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", "-K", node, NULL);
1367 } else {
1368 log_error("Cannot make file system: %s", fstype);
1369 _exit(EXIT_FAILURE);
1370 }
1371
1372 log_error_errno(errno, "Failed to execute %s: %m", mkfs);
1373 _exit(EXIT_FAILURE);
1374 }
1375
1376 return 0;
1377 }
1378
1379 static struct crypt_pbkdf_type* build_good_pbkdf(struct crypt_pbkdf_type *buffer, UserRecord *hr) {
1380 assert(buffer);
1381 assert(hr);
1382
1383 *buffer = (struct crypt_pbkdf_type) {
1384 .hash = user_record_luks_pbkdf_hash_algorithm(hr),
1385 .type = user_record_luks_pbkdf_type(hr),
1386 .time_ms = user_record_luks_pbkdf_time_cost_usec(hr) / USEC_PER_MSEC,
1387 .max_memory_kb = user_record_luks_pbkdf_memory_cost(hr) / 1024,
1388 .parallel_threads = user_record_luks_pbkdf_parallel_threads(hr),
1389 };
1390
1391 return buffer;
1392 }
1393
1394 static struct crypt_pbkdf_type* build_minimal_pbkdf(struct crypt_pbkdf_type *buffer, UserRecord *hr) {
1395 assert(buffer);
1396 assert(hr);
1397
1398 /* For PKCS#11 derived keys (which are generated randomly and are of high quality already) we use a
1399 * minimal PBKDF */
1400 *buffer = (struct crypt_pbkdf_type) {
1401 .hash = user_record_luks_pbkdf_hash_algorithm(hr),
1402 .type = CRYPT_KDF_PBKDF2,
1403 .iterations = 1,
1404 .time_ms = 1,
1405 };
1406
1407 return buffer;
1408 }
1409
1410 static int luks_format(
1411 const char *node,
1412 const char *dm_name,
1413 sd_id128_t uuid,
1414 const char *label,
1415 char **pkcs11_decrypted_passwords,
1416 char **effective_passwords,
1417 bool discard,
1418 UserRecord *hr,
1419 struct crypt_device **ret) {
1420
1421 _cleanup_(user_record_unrefp) UserRecord *reduced = NULL;
1422 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
1423 _cleanup_(erase_and_freep) void *volume_key = NULL;
1424 struct crypt_pbkdf_type good_pbkdf, minimal_pbkdf;
1425 _cleanup_free_ char *text = NULL;
1426 size_t volume_key_size;
1427 char suuid[37], **pp;
1428 int slot = 0, r;
1429
1430 assert(node);
1431 assert(dm_name);
1432 assert(hr);
1433 assert(ret);
1434
1435 r = crypt_init(&cd, node);
1436 if (r < 0)
1437 return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
1438
1439 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
1440
1441 /* Normally we'd, just leave volume key generation to libcryptsetup. However, we can't, since we
1442 * can't extract the volume key from the library again, but we need it in order to encrypt the JSON
1443 * record. Hence, let's generate it on our own, so that we can keep track of it. */
1444
1445 volume_key_size = user_record_luks_volume_key_size(hr);
1446 volume_key = malloc(volume_key_size);
1447 if (!volume_key)
1448 return log_oom();
1449
1450 r = genuine_random_bytes(volume_key, volume_key_size, RANDOM_BLOCK);
1451 if (r < 0)
1452 return log_error_errno(r, "Failed to generate volume key: %m");
1453
1454 #if HAVE_CRYPT_SET_METADATA_SIZE
1455 /* Increase the metadata space to 4M, the largest LUKS2 supports */
1456 r = crypt_set_metadata_size(cd, 4096U*1024U, 0);
1457 if (r < 0)
1458 return log_error_errno(r, "Failed to change LUKS2 metadata size: %m");
1459 #endif
1460
1461 build_good_pbkdf(&good_pbkdf, hr);
1462 build_minimal_pbkdf(&minimal_pbkdf, hr);
1463
1464 r = crypt_format(cd,
1465 CRYPT_LUKS2,
1466 user_record_luks_cipher(hr),
1467 user_record_luks_cipher_mode(hr),
1468 id128_to_uuid_string(uuid, suuid),
1469 volume_key,
1470 volume_key_size,
1471 &(struct crypt_params_luks2) {
1472 .label = label,
1473 .subsystem = "systemd-home",
1474 .sector_size = 512U,
1475 .pbkdf = &good_pbkdf,
1476 });
1477 if (r < 0)
1478 return log_error_errno(r, "Failed to format LUKS image: %m");
1479
1480 log_info("LUKS formatting completed.");
1481
1482 STRV_FOREACH(pp, effective_passwords) {
1483
1484 if (strv_contains(pkcs11_decrypted_passwords, *pp)) {
1485 log_debug("Using minimal PBKDF for slot %i", slot);
1486 r = crypt_set_pbkdf_type(cd, &minimal_pbkdf);
1487 } else {
1488 log_debug("Using good PBKDF for slot %i", slot);
1489 r = crypt_set_pbkdf_type(cd, &good_pbkdf);
1490 }
1491 if (r < 0)
1492 return log_error_errno(r, "Failed to tweak PBKDF for slot %i: %m", slot);
1493
1494 r = crypt_keyslot_add_by_volume_key(
1495 cd,
1496 slot,
1497 volume_key,
1498 volume_key_size,
1499 *pp,
1500 strlen(*pp));
1501 if (r < 0)
1502 return log_error_errno(r, "Failed to set up LUKS password for slot %i: %m", slot);
1503
1504 log_info("Writing password to LUKS keyslot %i completed.", slot);
1505 slot++;
1506 }
1507
1508 r = crypt_activate_by_volume_key(
1509 cd,
1510 dm_name,
1511 volume_key,
1512 volume_key_size,
1513 discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
1514 if (r < 0)
1515 return log_error_errno(r, "Failed to activate LUKS superblock: %m");
1516
1517 log_info("LUKS activation by volume key succeeded.");
1518
1519 r = user_record_clone(hr, USER_RECORD_EXTRACT_EMBEDDED, &reduced);
1520 if (r < 0)
1521 return log_error_errno(r, "Failed to prepare home record for LUKS: %m");
1522
1523 r = format_luks_token_text(cd, reduced, volume_key, &text);
1524 if (r < 0)
1525 return r;
1526
1527 r = crypt_token_json_set(cd, CRYPT_ANY_TOKEN, text);
1528 if (r < 0)
1529 return log_error_errno(r, "Failed to set LUKS JSON token: %m");
1530
1531 log_info("Writing user record as LUKS token completed.");
1532
1533 if (ret)
1534 *ret = TAKE_PTR(cd);
1535
1536 return 0;
1537 }
1538
1539 DEFINE_TRIVIAL_CLEANUP_FUNC(struct fdisk_context*, fdisk_unref_context);
1540 DEFINE_TRIVIAL_CLEANUP_FUNC(struct fdisk_partition*, fdisk_unref_partition);
1541 DEFINE_TRIVIAL_CLEANUP_FUNC(struct fdisk_parttype*, fdisk_unref_parttype);
1542 DEFINE_TRIVIAL_CLEANUP_FUNC(struct fdisk_table*, fdisk_unref_table);
1543
1544 static int make_partition_table(
1545 int fd,
1546 const char *label,
1547 sd_id128_t uuid,
1548 uint64_t *ret_offset,
1549 uint64_t *ret_size,
1550 sd_id128_t *ret_disk_uuid) {
1551
1552 _cleanup_(fdisk_unref_partitionp) struct fdisk_partition *p = NULL, *q = NULL;
1553 _cleanup_(fdisk_unref_parttypep) struct fdisk_parttype *t = NULL;
1554 _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL;
1555 _cleanup_free_ char *path = NULL, *disk_uuid_as_string = NULL;
1556 uint64_t offset, size;
1557 sd_id128_t disk_uuid;
1558 char uuids[37];
1559 int r;
1560
1561 assert(fd >= 0);
1562 assert(label);
1563 assert(ret_offset);
1564 assert(ret_size);
1565
1566 t = fdisk_new_parttype();
1567 if (!t)
1568 return log_oom();
1569
1570 r = fdisk_parttype_set_typestr(t, "773f91ef-66d4-49b5-bd83-d683bf40ad16");
1571 if (r < 0)
1572 return log_error_errno(r, "Failed to initialize partition type: %m");
1573
1574 c = fdisk_new_context();
1575 if (!c)
1576 return log_oom();
1577
1578 if (asprintf(&path, "/proc/self/fd/%i", fd) < 0)
1579 return log_oom();
1580
1581 r = fdisk_assign_device(c, path, 0);
1582 if (r < 0)
1583 return log_error_errno(r, "Failed to open device: %m");
1584
1585 r = fdisk_create_disklabel(c, "gpt");
1586 if (r < 0)
1587 return log_error_errno(r, "Failed to create gpt disk label: %m");
1588
1589 p = fdisk_new_partition();
1590 if (!p)
1591 return log_oom();
1592
1593 r = fdisk_partition_set_type(p, t);
1594 if (r < 0)
1595 return log_error_errno(r, "Failed to set partition type: %m");
1596
1597 r = fdisk_partition_start_follow_default(p, 1);
1598 if (r < 0)
1599 return log_error_errno(r, "Failed to place partition at beginning of space: %m");
1600
1601 r = fdisk_partition_partno_follow_default(p, 1);
1602 if (r < 0)
1603 return log_error_errno(r, "Failed to place partition at first free partition index: %m");
1604
1605 r = fdisk_partition_end_follow_default(p, 1);
1606 if (r < 0)
1607 return log_error_errno(r, "Failed to make partition cover all free space: %m");
1608
1609 r = fdisk_partition_set_name(p, label);
1610 if (r < 0)
1611 return log_error_errno(r, "Failed to set partition name: %m");
1612
1613 r = fdisk_partition_set_uuid(p, id128_to_uuid_string(uuid, uuids));
1614 if (r < 0)
1615 return log_error_errno(r, "Failed to set partition UUID: %m");
1616
1617 r = fdisk_add_partition(c, p, NULL);
1618 if (r < 0)
1619 return log_error_errno(r, "Failed to add partition: %m");
1620
1621 r = fdisk_write_disklabel(c);
1622 if (r < 0)
1623 return log_error_errno(r, "Failed to write disk label: %m");
1624
1625 r = fdisk_get_disklabel_id(c, &disk_uuid_as_string);
1626 if (r < 0)
1627 return log_error_errno(r, "Failed to determine disk label UUID: %m");
1628
1629 r = sd_id128_from_string(disk_uuid_as_string, &disk_uuid);
1630 if (r < 0)
1631 return log_error_errno(r, "Failed to parse disk label UUID: %m");
1632
1633 r = fdisk_get_partition(c, 0, &q);
1634 if (r < 0)
1635 return log_error_errno(r, "Failed to read created partition metadata: %m");
1636
1637 assert(fdisk_partition_has_start(q));
1638 offset = fdisk_partition_get_start(q);
1639 if (offset > UINT64_MAX / 512U)
1640 return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Partition offset too large.");
1641
1642 assert(fdisk_partition_has_size(q));
1643 size = fdisk_partition_get_size(q);
1644 if (size > UINT64_MAX / 512U)
1645 return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Partition size too large.");
1646
1647 *ret_offset = offset * 512U;
1648 *ret_size = size * 512U;
1649 *ret_disk_uuid = disk_uuid;
1650
1651 return 0;
1652 }
1653
1654 static bool supported_fs_size(const char *fstype, uint64_t host_size) {
1655 uint64_t m;
1656
1657 m = minimal_size_by_fs_name(fstype);
1658 if (m == UINT64_MAX)
1659 return false;
1660
1661 return host_size >= m;
1662 }
1663
1664 static int wait_for_devlink(const char *path) {
1665 _cleanup_close_ int inotify_fd = -1;
1666 usec_t until;
1667 int r;
1668
1669 /* let's wait for a device link to show up in /dev, with a time-out. This is good to do since we
1670 * return a /dev/disk/by-uuid/… link to our callers and they likely want to access it right-away,
1671 * hence let's wait until udev has caught up with our changes, and wait for the symlink to be
1672 * created. */
1673
1674 until = usec_add(now(CLOCK_MONOTONIC), 45 * USEC_PER_SEC);
1675
1676 for (;;) {
1677 _cleanup_free_ char *dn = NULL;
1678 usec_t w;
1679
1680 if (laccess(path, F_OK) < 0) {
1681 if (errno != ENOENT)
1682 return log_error_errno(errno, "Failed to determine whether %s exists: %m", path);
1683 } else
1684 return 0; /* Found it */
1685
1686 if (inotify_fd < 0) {
1687 /* We need to wait for the device symlink to show up, let's create an inotify watch for it */
1688 inotify_fd = inotify_init1(IN_NONBLOCK|IN_CLOEXEC);
1689 if (inotify_fd < 0)
1690 return log_error_errno(errno, "Failed to allocate inotify fd: %m");
1691 }
1692
1693 dn = dirname_malloc(path);
1694 for (;;) {
1695 if (!dn)
1696 return log_oom();
1697
1698 log_info("Watching %s", dn);
1699
1700 if (inotify_add_watch(inotify_fd, dn, IN_CREATE|IN_MOVED_TO|IN_ONLYDIR|IN_DELETE_SELF|IN_MOVE_SELF) < 0) {
1701 if (errno != ENOENT)
1702 return log_error_errno(errno, "Failed to add watch on %s: %m", dn);
1703 } else
1704 break;
1705
1706 if (empty_or_root(dn))
1707 break;
1708
1709 dn = dirname_malloc(dn);
1710 }
1711
1712 w = now(CLOCK_MONOTONIC);
1713 if (w >= until)
1714 return log_error_errno(SYNTHETIC_ERRNO(ETIMEDOUT), "Device link %s still hasn't shown up, giving up.", path);
1715
1716 r = fd_wait_for_event(inotify_fd, POLLIN, usec_sub_unsigned(until, w));
1717 if (r < 0)
1718 return log_error_errno(r, "Failed to watch inotify: %m");
1719
1720 (void) flush_fd(inotify_fd);
1721 }
1722 }
1723
1724 static int calculate_disk_size(UserRecord *h, const char *parent_dir, uint64_t *ret) {
1725 char buf[FORMAT_BYTES_MAX];
1726 struct statfs sfs;
1727 uint64_t m;
1728
1729 assert(h);
1730 assert(parent_dir);
1731 assert(ret);
1732
1733 if (h->disk_size != UINT64_MAX) {
1734 *ret = DISK_SIZE_ROUND_DOWN(h->disk_size);
1735 return 0;
1736 }
1737
1738 if (statfs(parent_dir, &sfs) < 0)
1739 return log_error_errno(errno, "statfs() on %s failed: %m", parent_dir);
1740
1741 m = sfs.f_bsize * sfs.f_bavail;
1742
1743 if (h->disk_size_relative == UINT64_MAX) {
1744
1745 if (m > UINT64_MAX / USER_DISK_SIZE_DEFAULT_PERCENT)
1746 return log_error_errno(SYNTHETIC_ERRNO(EOVERFLOW), "Disk size too large.");
1747
1748 *ret = DISK_SIZE_ROUND_DOWN(m * USER_DISK_SIZE_DEFAULT_PERCENT / 100);
1749
1750 log_info("Sizing home to %u%% of available disk space, which is %s.",
1751 USER_DISK_SIZE_DEFAULT_PERCENT,
1752 format_bytes(buf, sizeof(buf), *ret));
1753 } else {
1754 *ret = DISK_SIZE_ROUND_DOWN((uint64_t) ((double) m * (double) h->disk_size_relative / (double) UINT32_MAX));
1755
1756 log_info("Sizing home to %" PRIu64 ".%01" PRIu64 "%% of available disk space, which is %s.",
1757 (h->disk_size_relative * 100) / UINT32_MAX,
1758 ((h->disk_size_relative * 1000) / UINT32_MAX) % 10,
1759 format_bytes(buf, sizeof(buf), *ret));
1760 }
1761
1762 if (*ret < USER_DISK_SIZE_MIN)
1763 *ret = USER_DISK_SIZE_MIN;
1764
1765 return 0;
1766 }
1767
1768 int home_create_luks(
1769 UserRecord *h,
1770 char **pkcs11_decrypted_passwords,
1771 char **effective_passwords,
1772 UserRecord **ret_home) {
1773
1774 _cleanup_free_ char *dm_name = NULL, *dm_node = NULL, *subdir = NULL, *disk_uuid_path = NULL, *temporary_image_path = NULL;
1775 uint64_t host_size, encrypted_size, partition_offset, partition_size;
1776 bool image_created = false, dm_activated = false, mounted = false;
1777 _cleanup_(user_record_unrefp) UserRecord *new_home = NULL;
1778 sd_id128_t partition_uuid, fs_uuid, luks_uuid, disk_uuid;
1779 _cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
1780 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
1781 _cleanup_close_ int image_fd = -1, root_fd = -1;
1782 const char *fstype, *ip;
1783 struct statfs sfs;
1784 int r;
1785
1786 assert(h);
1787 assert(h->storage < 0 || h->storage == USER_LUKS);
1788 assert(ret_home);
1789
1790 assert_se(ip = user_record_image_path(h));
1791
1792 fstype = user_record_file_system_type(h);
1793 if (!supported_fstype(fstype))
1794 return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "Unsupported file system type: %s", h->file_system_type);
1795
1796 if (sd_id128_is_null(h->partition_uuid)) {
1797 r = sd_id128_randomize(&partition_uuid);
1798 if (r < 0)
1799 return log_error_errno(r, "Failed to acquire partition UUID: %m");
1800 } else
1801 partition_uuid = h->partition_uuid;
1802
1803 if (sd_id128_is_null(h->luks_uuid)) {
1804 r = sd_id128_randomize(&luks_uuid);
1805 if (r < 0)
1806 return log_error_errno(r, "Failed to acquire LUKS UUID: %m");
1807 } else
1808 luks_uuid = h->luks_uuid;
1809
1810 if (sd_id128_is_null(h->file_system_uuid)) {
1811 r = sd_id128_randomize(&fs_uuid);
1812 if (r < 0)
1813 return log_error_errno(r, "Failed to acquire file system UUID: %m");
1814 } else
1815 fs_uuid = h->file_system_uuid;
1816
1817 r = make_dm_names(h->user_name, &dm_name, &dm_node);
1818 if (r < 0)
1819 return r;
1820
1821 r = access(dm_node, F_OK);
1822 if (r < 0) {
1823 if (errno != ENOENT)
1824 return log_error_errno(errno, "Failed to determine whether %s exists: %m", dm_node);
1825 } else
1826 return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Device mapper device %s already exists, refusing.", dm_node);
1827
1828 if (path_startswith(ip, "/dev/")) {
1829 _cleanup_free_ char *sysfs = NULL;
1830 uint64_t block_device_size;
1831 struct stat st;
1832
1833 /* Let's place the home directory on a real device, i.e. an USB stick or such */
1834
1835 image_fd = open(ip, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
1836 if (image_fd < 0)
1837 return log_error_errno(errno, "Failed to open device %s: %m", ip);
1838
1839 if (fstat(image_fd, &st) < 0)
1840 return log_error_errno(errno, "Failed to stat device %s: %m", ip);
1841 if (!S_ISBLK(st.st_mode))
1842 return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "Device is not a block device, refusing.");
1843
1844 if (asprintf(&sysfs, "/sys/dev/block/%u:%u/partition", major(st.st_rdev), minor(st.st_rdev)) < 0)
1845 return log_oom();
1846 if (access(sysfs, F_OK) < 0) {
1847 if (errno != ENOENT)
1848 return log_error_errno(errno, "Failed to check whether %s exists: %m", sysfs);
1849 } else
1850 return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "Operating on partitions is currently not supported, sorry. Please specify a top-level block device.");
1851
1852 if (flock(image_fd, LOCK_EX) < 0) /* make sure udev doesn't read from it while we operate on the device */
1853 return log_error_errno(errno, "Failed to lock block device %s: %m", ip);
1854
1855 if (ioctl(image_fd, BLKGETSIZE64, &block_device_size) < 0)
1856 return log_error_errno(errno, "Failed to read block device size: %m");
1857
1858 if (h->disk_size == UINT64_MAX) {
1859
1860 /* If a relative disk size is requested, apply it relative to the block device size */
1861 if (h->disk_size_relative < UINT32_MAX)
1862 host_size = CLAMP(DISK_SIZE_ROUND_DOWN(block_device_size * h->disk_size_relative / UINT32_MAX),
1863 USER_DISK_SIZE_MIN, USER_DISK_SIZE_MAX);
1864 else
1865 host_size = block_device_size; /* Otherwise, take the full device */
1866
1867 } else if (h->disk_size > block_device_size)
1868 return log_error_errno(SYNTHETIC_ERRNO(EMSGSIZE), "Selected disk size larger than backing block device, refusing.");
1869 else
1870 host_size = DISK_SIZE_ROUND_DOWN(h->disk_size);
1871
1872 if (!supported_fs_size(fstype, host_size))
1873 return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Selected file system size too small for %s.", h->file_system_type);
1874
1875 /* After creation we should reference this partition by its UUID instead of the block
1876 * device. That's preferable since the user might have specified a device node such as
1877 * /dev/sdb to us, which might look very different when replugged. */
1878 if (asprintf(&disk_uuid_path, "/dev/disk/by-uuid/" SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(luks_uuid)) < 0)
1879 return log_oom();
1880
1881 if (user_record_luks_discard(h)) {
1882 if (ioctl(image_fd, BLKDISCARD, (uint64_t[]) { 0, block_device_size }) < 0)
1883 log_full_errno(errno == EOPNOTSUPP ? LOG_DEBUG : LOG_WARNING, errno,
1884 "Failed to issue full-device BLKDISCARD on device, ignoring: %m");
1885 else
1886 log_info("Full device discard completed.");
1887 }
1888 } else {
1889 _cleanup_free_ char *parent = NULL;
1890
1891 parent = dirname_malloc(ip);
1892 if (!parent)
1893 return log_oom();
1894
1895 r = mkdir_p(parent, 0755);
1896 if (r < 0)
1897 return log_error_errno(r, "Failed to create parent directory %s: %m", parent);
1898
1899 r = calculate_disk_size(h, parent, &host_size);
1900 if (r < 0)
1901 return r;
1902
1903 if (!supported_fs_size(fstype, host_size))
1904 return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Selected file system size too small for %s.", h->file_system_type);
1905
1906 r = tempfn_random(ip, "homework", &temporary_image_path);
1907 if (r < 0)
1908 return log_error_errno(r, "Failed to derive temporary file name for %s: %m", ip);
1909
1910 image_fd = open(temporary_image_path, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0600);
1911 if (image_fd < 0)
1912 return log_error_errno(errno, "Failed to create home image %s: %m", temporary_image_path);
1913
1914 image_created = true;
1915
1916 r = chattr_fd(image_fd, FS_NOCOW_FL, FS_NOCOW_FL, NULL);
1917 if (r < 0)
1918 log_warning_errno(r, "Failed to set file attributes on %s, ignoring: %m", temporary_image_path);
1919
1920 if (user_record_luks_discard(h))
1921 r = ftruncate(image_fd, host_size);
1922 else
1923 r = fallocate(image_fd, 0, 0, host_size);
1924 if (r < 0) {
1925 if (ERRNO_IS_DISK_SPACE(errno)) {
1926 log_debug_errno(errno, "Not enough disk space to allocate home.");
1927 r = -ENOSPC; /* make recognizable */
1928 goto fail;
1929 }
1930
1931 r = log_error_errno(errno, "Failed to truncate home image %s: %m", temporary_image_path);
1932 goto fail;
1933 }
1934
1935 log_info("Allocating image file completed.");
1936 }
1937
1938 r = make_partition_table(
1939 image_fd,
1940 user_record_user_name_and_realm(h),
1941 partition_uuid,
1942 &partition_offset,
1943 &partition_size,
1944 &disk_uuid);
1945 if (r < 0)
1946 goto fail;
1947
1948 log_info("Writing of partition table completed.");
1949
1950 r = loop_device_make(image_fd, O_RDWR, partition_offset, partition_size, 0, &loop);
1951 if (r < 0) {
1952 if (r == -ENOENT) { /* this means /dev/loop-control doesn't exist, i.e. we are in a container
1953 * or similar and loopback bock devices are not available, return a
1954 * recognizable error in this case. */
1955 log_error_errno(r, "Loopback block device support is not available on this system.");
1956 r = -ENOLINK;
1957 goto fail;
1958 }
1959
1960 log_error_errno(r, "Failed to set up loopback device for %s: %m", temporary_image_path);
1961 goto fail;
1962 }
1963
1964 r = loop_device_flock(loop, LOCK_EX); /* make sure udev won't read before we are done */
1965 if (r < 0) {
1966 log_error_errno(r, "Failed to take lock on loop device: %m");
1967 goto fail;
1968 }
1969
1970 log_info("Setting up loopback device %s completed.", loop->node ?: ip);
1971
1972 r = luks_format(loop->node,
1973 dm_name,
1974 luks_uuid,
1975 user_record_user_name_and_realm(h),
1976 pkcs11_decrypted_passwords,
1977 effective_passwords,
1978 user_record_luks_discard(h),
1979 h,
1980 &cd);
1981 if (r < 0)
1982 goto fail;
1983
1984 dm_activated = true;
1985
1986 r = block_get_size_by_path(dm_node, &encrypted_size);
1987 if (r < 0) {
1988 log_error_errno(r, "Failed to get encrypted block device size: %m");
1989 goto fail;
1990 }
1991
1992 log_info("Setting up LUKS device %s completed.", dm_node);
1993
1994 r = run_mkfs(dm_node, fstype, user_record_user_name_and_realm(h), fs_uuid, user_record_luks_discard(h));
1995 if (r < 0)
1996 goto fail;
1997
1998 log_info("Formatting file system completed.");
1999
2000 r = home_unshare_and_mount(dm_node, fstype, user_record_luks_discard(h));
2001 if (r < 0)
2002 goto fail;
2003
2004 mounted = true;
2005
2006 subdir = path_join("/run/systemd/user-home-mount/", user_record_user_name_and_realm(h));
2007 if (!subdir) {
2008 r = log_oom();
2009 goto fail;
2010 }
2011
2012 if (mkdir(subdir, 0700) < 0) {
2013 r = log_error_errno(errno, "Failed to create user directory in mounted image file: %m");
2014 goto fail;
2015 }
2016
2017 root_fd = open(subdir, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
2018 if (root_fd < 0) {
2019 r = log_error_errno(errno, "Failed to open user directory in mounted image file: %m");
2020 goto fail;
2021 }
2022
2023 r = home_populate(h, root_fd);
2024 if (r < 0)
2025 goto fail;
2026
2027 r = home_sync_and_statfs(root_fd, &sfs);
2028 if (r < 0)
2029 goto fail;
2030
2031 r = user_record_clone(h, USER_RECORD_LOAD_MASK_SECRET|USER_RECORD_LOG, &new_home);
2032 if (r < 0) {
2033 log_error_errno(r, "Failed to clone record: %m");
2034 goto fail;
2035 }
2036
2037 r = user_record_add_binding(
2038 new_home,
2039 USER_LUKS,
2040 disk_uuid_path ?: ip,
2041 partition_uuid,
2042 luks_uuid,
2043 fs_uuid,
2044 crypt_get_cipher(cd),
2045 crypt_get_cipher_mode(cd),
2046 luks_volume_key_size_convert(cd),
2047 fstype,
2048 NULL,
2049 h->uid,
2050 (gid_t) h->uid);
2051 if (r < 0) {
2052 log_error_errno(r, "Failed to add binding to record: %m");
2053 goto fail;
2054 }
2055
2056 root_fd = safe_close(root_fd);
2057
2058 r = umount_verbose("/run/systemd/user-home-mount");
2059 if (r < 0)
2060 goto fail;
2061
2062 mounted = false;
2063
2064 r = crypt_deactivate(cd, dm_name);
2065 if (r < 0) {
2066 log_error_errno(r, "Failed to deactivate LUKS device: %m");
2067 goto fail;
2068 }
2069
2070 dm_activated = false;
2071
2072 loop = loop_device_unref(loop);
2073
2074 if (disk_uuid_path)
2075 (void) ioctl(image_fd, BLKRRPART, 0);
2076
2077 /* Let's close the image fd now. If we are operating on a real block device this will release the BSD
2078 * lock that ensures udev doesn't interfere with what we are doing */
2079 image_fd = safe_close(image_fd);
2080
2081 if (temporary_image_path) {
2082 if (rename(temporary_image_path, ip) < 0) {
2083 log_error_errno(errno, "Failed to rename image file: %m");
2084 goto fail;
2085 }
2086
2087 log_info("Moved image file into place.");
2088 }
2089
2090 if (disk_uuid_path)
2091 (void) wait_for_devlink(disk_uuid_path);
2092
2093 log_info("Everything completed.");
2094
2095 print_size_summary(host_size, encrypted_size, &sfs);
2096
2097 *ret_home = TAKE_PTR(new_home);
2098 return 0;
2099
2100 fail:
2101 /* Let's close all files before we unmount the file system, to avoid EBUSY */
2102 root_fd = safe_close(root_fd);
2103
2104 if (mounted)
2105 (void) umount_verbose("/run/systemd/user-home-mount");
2106
2107 if (dm_activated)
2108 (void) crypt_deactivate(cd, dm_name);
2109
2110 loop = loop_device_unref(loop);
2111
2112 if (image_created)
2113 (void) unlink(temporary_image_path);
2114
2115 return r;
2116 }
2117
2118 int home_validate_update_luks(UserRecord *h, HomeSetup *setup) {
2119 _cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
2120 int r;
2121
2122 assert(h);
2123 assert(setup);
2124
2125 r = make_dm_names(h->user_name, &dm_name, &dm_node);
2126 if (r < 0)
2127 return r;
2128
2129 r = access(dm_node, F_OK);
2130 if (r < 0 && errno != ENOENT)
2131 return log_error_errno(errno, "Failed to determine whether %s exists: %m", dm_node);
2132
2133 free_and_replace(setup->dm_name, dm_name);
2134 free_and_replace(setup->dm_node, dm_node);
2135
2136 return r >= 0;
2137 }
2138
2139 enum {
2140 CAN_RESIZE_ONLINE,
2141 CAN_RESIZE_OFFLINE,
2142 };
2143
2144 static int can_resize_fs(int fd, uint64_t old_size, uint64_t new_size) {
2145 struct statfs sfs;
2146
2147 assert(fd >= 0);
2148
2149 /* Filter out bogus requests early */
2150 if (old_size == 0 || old_size == UINT64_MAX ||
2151 new_size == 0 || new_size == UINT64_MAX)
2152 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid resize parameters.");
2153
2154 if ((old_size & 511) != 0 || (new_size & 511) != 0)
2155 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Resize parameters not multiple of 512.");
2156
2157 if (fstatfs(fd, &sfs) < 0)
2158 return log_error_errno(errno, "Failed to fstatfs() file system: %m");
2159
2160 if (is_fs_type(&sfs, BTRFS_SUPER_MAGIC)) {
2161
2162 if (new_size < BTRFS_MINIMAL_SIZE)
2163 return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "New file system size too small for btrfs (needs to be 256M at least.");
2164
2165 /* btrfs can grow and shrink online */
2166
2167 } else if (is_fs_type(&sfs, XFS_SB_MAGIC)) {
2168
2169 if (new_size < XFS_MINIMAL_SIZE)
2170 return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "New file system size too small for xfs (needs to be 14M at least).");
2171
2172 /* XFS can grow, but not shrink */
2173 if (new_size < old_size)
2174 return log_error_errno(SYNTHETIC_ERRNO(EMSGSIZE), "Shrinking this type of file system is not supported.");
2175
2176 } else if (is_fs_type(&sfs, EXT4_SUPER_MAGIC)) {
2177
2178 if (new_size < EXT4_MINIMAL_SIZE)
2179 return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "New file system size too small for ext4 (needs to be 1M at least).");
2180
2181 /* ext4 can grow online, and shrink offline */
2182 if (new_size < old_size)
2183 return CAN_RESIZE_OFFLINE;
2184
2185 } else
2186 return log_error_errno(SYNTHETIC_ERRNO(ESOCKTNOSUPPORT), "Resizing this type of file system is not supported.");
2187
2188 return CAN_RESIZE_ONLINE;
2189 }
2190
2191 static int ext4_offline_resize_fs(HomeSetup *setup, uint64_t new_size, bool discard) {
2192 _cleanup_free_ char *size_str = NULL;
2193 bool re_open = false, re_mount = false;
2194 pid_t resize_pid, fsck_pid;
2195 int r, exit_status;
2196
2197 assert(setup);
2198 assert(setup->dm_node);
2199
2200 /* First, unmount the file system */
2201 if (setup->root_fd >= 0) {
2202 setup->root_fd = safe_close(setup->root_fd);
2203 re_open = true;
2204 }
2205
2206 if (setup->undo_mount) {
2207 r = umount_verbose("/run/systemd/user-home-mount");
2208 if (r < 0)
2209 return r;
2210
2211 setup->undo_mount = false;
2212 re_mount = true;
2213 }
2214
2215 log_info("Temporarary unmounting of file system completed.");
2216
2217 /* resize2fs requires that the file system is force checked first, do so. */
2218 r = safe_fork("(e2fsck)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR, &fsck_pid);
2219 if (r < 0)
2220 return r;
2221 if (r == 0) {
2222 /* Child */
2223 execlp("e2fsck" ,"e2fsck", "-fp", setup->dm_node, NULL);
2224 log_error_errno(errno, "Failed to execute e2fsck: %m");
2225 _exit(EXIT_FAILURE);
2226 }
2227
2228 exit_status = wait_for_terminate_and_check("e2fsck", fsck_pid, WAIT_LOG_ABNORMAL);
2229 if (exit_status < 0)
2230 return exit_status;
2231 if ((exit_status & ~FSCK_ERROR_CORRECTED) != 0) {
2232 log_warning("e2fsck failed with exit status %i.", exit_status);
2233
2234 if ((exit_status & (FSCK_SYSTEM_SHOULD_REBOOT|FSCK_ERRORS_LEFT_UNCORRECTED)) != 0)
2235 return log_error_errno(SYNTHETIC_ERRNO(EIO), "File system is corrupted, refusing.");
2236
2237 log_warning("Ignoring fsck error.");
2238 }
2239
2240 log_info("Forced file system check completed.");
2241
2242 /* We use 512 sectors here, because resize2fs doesn't do byte sizes */
2243 if (asprintf(&size_str, "%" PRIu64 "s", new_size / 512) < 0)
2244 return log_oom();
2245
2246 /* Resize the thing */
2247 r = safe_fork("(e2resize)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_WAIT|FORK_STDOUT_TO_STDERR, &resize_pid);
2248 if (r < 0)
2249 return r;
2250 if (r == 0) {
2251 /* Child */
2252 execlp("resize2fs" ,"resize2fs", setup->dm_node, size_str, NULL);
2253 log_error_errno(errno, "Failed to execute resize2fs: %m");
2254 _exit(EXIT_FAILURE);
2255 }
2256
2257 log_info("Offline file system resize completed.");
2258
2259 /* Re-establish mounts and reopen the directory */
2260 if (re_mount) {
2261 r = home_mount_node(setup->dm_node, "ext4", discard);
2262 if (r < 0)
2263 return r;
2264
2265 setup->undo_mount = true;
2266 }
2267
2268 if (re_open) {
2269 setup->root_fd = open("/run/systemd/user-home-mount", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
2270 if (setup->root_fd < 0)
2271 return log_error_errno(errno, "Failed to reopen file system: %m");
2272 }
2273
2274 log_info("File system mounted again.");
2275
2276 return 0;
2277 }
2278
2279 static int prepare_resize_partition(
2280 int fd,
2281 uint64_t partition_offset,
2282 uint64_t old_partition_size,
2283 uint64_t new_partition_size,
2284 sd_id128_t *ret_disk_uuid,
2285 struct fdisk_table **ret_table) {
2286
2287 _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL;
2288 _cleanup_(fdisk_unref_tablep) struct fdisk_table *t = NULL;
2289 _cleanup_free_ char *path = NULL, *disk_uuid_as_string = NULL;
2290 size_t n_partitions, i;
2291 sd_id128_t disk_uuid;
2292 bool found = false;
2293 int r;
2294
2295 assert(fd >= 0);
2296 assert(ret_disk_uuid);
2297 assert(ret_table);
2298
2299 assert((partition_offset & 511) == 0);
2300 assert((old_partition_size & 511) == 0);
2301 assert((new_partition_size & 511) == 0);
2302 assert(UINT64_MAX - old_partition_size >= partition_offset);
2303 assert(UINT64_MAX - new_partition_size >= partition_offset);
2304
2305 if (partition_offset == 0) {
2306 /* If the offset is at the beginning we assume no partition table, let's exit early. */
2307 log_debug("Not rewriting partition table, operating on naked device.");
2308 *ret_disk_uuid = SD_ID128_NULL;
2309 *ret_table = NULL;
2310 return 0;
2311 }
2312
2313 c = fdisk_new_context();
2314 if (!c)
2315 return log_oom();
2316
2317 if (asprintf(&path, "/proc/self/fd/%i", fd) < 0)
2318 return log_oom();
2319
2320 r = fdisk_assign_device(c, path, 0);
2321 if (r < 0)
2322 return log_error_errno(r, "Failed to open device: %m");
2323
2324 if (!fdisk_is_labeltype(c, FDISK_DISKLABEL_GPT))
2325 return log_error_errno(SYNTHETIC_ERRNO(ENOMEDIUM), "Disk has no GPT partition table.");
2326
2327 r = fdisk_get_disklabel_id(c, &disk_uuid_as_string);
2328 if (r < 0)
2329 return log_error_errno(r, "Failed to acquire disk UUID: %m");
2330
2331 r = sd_id128_from_string(disk_uuid_as_string, &disk_uuid);
2332 if (r < 0)
2333 return log_error_errno(r, "Failed parse disk UUID: %m");
2334
2335 r = fdisk_get_partitions(c, &t);
2336 if (r < 0)
2337 return log_error_errno(r, "Failed to acquire partition table: %m");
2338
2339 n_partitions = fdisk_table_get_nents(t);
2340 for (i = 0; i < n_partitions; i++) {
2341 struct fdisk_partition *p;
2342
2343 p = fdisk_table_get_partition(t, i);
2344 if (!p)
2345 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to read partition metadata: %m");
2346
2347 if (fdisk_partition_is_used(p) <= 0)
2348 continue;
2349 if (fdisk_partition_has_start(p) <= 0 || fdisk_partition_has_size(p) <= 0 || fdisk_partition_has_end(p) <= 0)
2350 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Found partition without a size.");
2351
2352 if (fdisk_partition_get_start(p) == partition_offset / 512U &&
2353 fdisk_partition_get_size(p) == old_partition_size / 512U) {
2354
2355 if (found)
2356 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ), "Partition found twice, refusing.");
2357
2358 /* Found our partition, now patch it */
2359 r = fdisk_partition_size_explicit(p, 1);
2360 if (r < 0)
2361 return log_error_errno(r, "Failed to enable explicit partition size: %m");
2362
2363 r = fdisk_partition_set_size(p, new_partition_size / 512U);
2364 if (r < 0)
2365 return log_error_errno(r, "Failed to change partition size: %m");
2366
2367 found = true;
2368 continue;
2369
2370 } else {
2371 if (fdisk_partition_get_start(p) < partition_offset + new_partition_size / 512U &&
2372 fdisk_partition_get_end(p) >= partition_offset / 512)
2373 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Can't extend, conflicting partition found.");
2374 }
2375 }
2376
2377 if (!found)
2378 return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "Failed to find matching partition to resize.");
2379
2380 *ret_table = TAKE_PTR(t);
2381 *ret_disk_uuid = disk_uuid;
2382
2383 return 1;
2384 }
2385
2386 static int ask_cb(struct fdisk_context *c, struct fdisk_ask *ask, void *userdata) {
2387 char *result;
2388
2389 assert(c);
2390
2391 switch (fdisk_ask_get_type(ask)) {
2392
2393 case FDISK_ASKTYPE_STRING:
2394 result = new(char, 37);
2395 if (!result)
2396 return log_oom();
2397
2398 fdisk_ask_string_set_result(ask, id128_to_uuid_string(*(sd_id128_t*) userdata, result));
2399 break;
2400
2401 default:
2402 log_debug("Unexpected question from libfdisk, ignoring.");
2403 }
2404
2405 return 0;
2406 }
2407
2408 static int apply_resize_partition(int fd, sd_id128_t disk_uuids, struct fdisk_table *t) {
2409 _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL;
2410 _cleanup_free_ void *two_zero_lbas = NULL;
2411 _cleanup_free_ char *path = NULL;
2412 ssize_t n;
2413 int r;
2414
2415 assert(fd >= 0);
2416
2417 if (!t) /* no partition table to apply, exit early */
2418 return 0;
2419
2420 two_zero_lbas = malloc0(1024U);
2421 if (!two_zero_lbas)
2422 return log_oom();
2423
2424 /* libfdisk appears to get confused by the existing PMBR. Let's explicitly flush it out. */
2425 n = pwrite(fd, two_zero_lbas, 1024U, 0);
2426 if (n < 0)
2427 return log_error_errno(errno, "Failed to wipe partition table: %m");
2428 if (n != 1024)
2429 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short write while whiping partition table.");
2430
2431 c = fdisk_new_context();
2432 if (!c)
2433 return log_oom();
2434
2435 if (asprintf(&path, "/proc/self/fd/%i", fd) < 0)
2436 return log_oom();
2437
2438 r = fdisk_assign_device(c, path, 0);
2439 if (r < 0)
2440 return log_error_errno(r, "Failed to open device: %m");
2441
2442 r = fdisk_create_disklabel(c, "gpt");
2443 if (r < 0)
2444 return log_error_errno(r, "Failed to create GPT disk label: %m");
2445
2446 r = fdisk_apply_table(c, t);
2447 if (r < 0)
2448 return log_error_errno(r, "Failed to apply partition table: %m");
2449
2450 r = fdisk_set_ask(c, ask_cb, &disk_uuids);
2451 if (r < 0)
2452 return log_error_errno(r, "Failed to set libfdisk query function: %m");
2453
2454 r = fdisk_set_disklabel_id(c);
2455 if (r < 0)
2456 return log_error_errno(r, "Failed to change disklabel ID: %m");
2457
2458 r = fdisk_write_disklabel(c);
2459 if (r < 0)
2460 return log_error_errno(r, "Failed to write disk label: %m");
2461
2462 return 1;
2463 }
2464
2465 int home_resize_luks(
2466 UserRecord *h,
2467 bool already_activated,
2468 char ***pkcs11_decrypted_passwords,
2469 HomeSetup *setup,
2470 UserRecord **ret_home) {
2471
2472 char buffer1[FORMAT_BYTES_MAX], buffer2[FORMAT_BYTES_MAX], buffer3[FORMAT_BYTES_MAX],
2473 buffer4[FORMAT_BYTES_MAX], buffer5[FORMAT_BYTES_MAX], buffer6[FORMAT_BYTES_MAX];
2474 uint64_t old_image_size, new_image_size, old_fs_size, new_fs_size, crypto_offset, new_partition_size;
2475 _cleanup_(user_record_unrefp) UserRecord *header_home = NULL, *embedded_home = NULL, *new_home = NULL;
2476 _cleanup_(fdisk_unref_tablep) struct fdisk_table *table = NULL;
2477 _cleanup_free_ char *whole_disk = NULL;
2478 _cleanup_close_ int image_fd = -1;
2479 sd_id128_t disk_uuid;
2480 const char *ip, *ipo;
2481 struct statfs sfs;
2482 struct stat st;
2483 int r, resize_type;
2484
2485 assert(h);
2486 assert(user_record_storage(h) == USER_LUKS);
2487 assert(setup);
2488 assert(ret_home);
2489
2490 assert_se(ipo = user_record_image_path(h));
2491 ip = strdupa(ipo); /* copy out since original might change later in home record object */
2492
2493 image_fd = open(ip, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2494 if (image_fd < 0)
2495 return log_error_errno(errno, "Failed to open image file %s: %m", ip);
2496
2497 if (fstat(image_fd, &st) < 0)
2498 return log_error_errno(errno, "Failed to stat image file %s: %m", ip);
2499 if (S_ISBLK(st.st_mode)) {
2500 dev_t parent;
2501
2502 r = block_get_whole_disk(st.st_rdev, &parent);
2503 if (r < 0)
2504 return log_error_errno(r, "Failed to acquire whole block device for %s: %m", ip);
2505 if (r > 0) {
2506 /* If we shall resize a file system on a partition device, then let's figure out the
2507 * whole disk device and operate on that instead, since we need to rewrite the
2508 * partition table to resize the partition. */
2509
2510 log_info("Operating on partition device %s, using parent device.", ip);
2511
2512 r = device_path_make_major_minor(st.st_mode, parent, &whole_disk);
2513 if (r < 0)
2514 return log_error_errno(r, "Failed to derive whole disk path for %s: %m", ip);
2515
2516 safe_close(image_fd);
2517
2518 image_fd = open(whole_disk, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2519 if (image_fd < 0)
2520 return log_error_errno(errno, "Failed to open whole block device %s: %m", whole_disk);
2521
2522 if (fstat(image_fd, &st) < 0)
2523 return log_error_errno(errno, "Failed to stat whole block device %s: %m", whole_disk);
2524 if (!S_ISBLK(st.st_mode))
2525 return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "Whole block device %s is not actually a block device, refusing.", whole_disk);
2526 } else
2527 log_info("Operating on whole block device %s.", ip);
2528
2529 if (ioctl(image_fd, BLKGETSIZE64, &old_image_size) < 0)
2530 return log_error_errno(errno, "Failed to determine size of original block device: %m");
2531
2532 if (flock(image_fd, LOCK_EX) < 0) /* make sure udev doesn't read from it while we operate on the device */
2533 return log_error_errno(errno, "Failed to lock block device %s: %m", ip);
2534
2535 new_image_size = old_image_size; /* we can't resize physical block devices */
2536 } else {
2537 r = stat_verify_regular(&st);
2538 if (r < 0)
2539 return log_error_errno(r, "Image file %s is not a block device nor regular: %m", ip);
2540
2541 old_image_size = st.st_size;
2542
2543 /* Note an asymetry here: when we operate on loopback files the specified disk size we get we
2544 * apply onto the loopback file as a whole. When we operate on block devices we instead apply
2545 * to the partition itself only. */
2546
2547 new_image_size = DISK_SIZE_ROUND_DOWN(h->disk_size);
2548 if (new_image_size == old_image_size) {
2549 log_info("Image size already matching, skipping operation.");
2550 return 0;
2551 }
2552 }
2553
2554 r = home_prepare_luks(h, already_activated, whole_disk, pkcs11_decrypted_passwords, setup, &header_home);
2555 if (r < 0)
2556 return r;
2557
2558 r = home_load_embedded_identity(h, setup->root_fd, header_home, USER_RECONCILE_REQUIRE_NEWER_OR_EQUAL, pkcs11_decrypted_passwords, &embedded_home, &new_home);
2559 if (r < 0)
2560 return r;
2561
2562 log_info("offset = %" PRIu64 ", size = %" PRIu64 ", image = %" PRIu64, setup->partition_offset, setup->partition_size, old_image_size);
2563
2564 if ((UINT64_MAX - setup->partition_offset) < setup->partition_size ||
2565 setup->partition_offset + setup->partition_size > old_image_size)
2566 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Old partition doesn't fit in backing storage, refusing.");
2567
2568 if (S_ISREG(st.st_mode)) {
2569 uint64_t partition_table_extra;
2570
2571 partition_table_extra = old_image_size - setup->partition_size;
2572 if (new_image_size <= partition_table_extra)
2573 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "New size smaller than partition table metadata.");
2574
2575 new_partition_size = new_image_size - partition_table_extra;
2576 } else {
2577 assert(S_ISBLK(st.st_mode));
2578
2579 new_partition_size = DISK_SIZE_ROUND_DOWN(h->disk_size);
2580 if (new_partition_size == setup->partition_size) {
2581 log_info("Partition size already matching, skipping operation.");
2582 return 0;
2583 }
2584 }
2585
2586 if ((UINT64_MAX - setup->partition_offset) < new_partition_size ||
2587 setup->partition_offset + new_partition_size > new_image_size)
2588 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "New partition doesn't fit into backing storage, refusing.");
2589
2590 crypto_offset = crypt_get_data_offset(setup->crypt_device);
2591 if (setup->partition_size / 512U <= crypto_offset)
2592 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Weird, old crypto payload offset doesn't actually fit in partition size?");
2593 if (new_partition_size / 512U <= crypto_offset)
2594 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "New size smaller than crypto payload offset?");
2595
2596 old_fs_size = (setup->partition_size / 512U - crypto_offset) * 512U;
2597 new_fs_size = (new_partition_size / 512U - crypto_offset) * 512U;
2598
2599 /* Before we start doing anything, let's figure out if we actually can */
2600 resize_type = can_resize_fs(setup->root_fd, old_fs_size, new_fs_size);
2601 if (resize_type < 0)
2602 return resize_type;
2603 if (resize_type == CAN_RESIZE_OFFLINE && already_activated)
2604 return log_error_errno(SYNTHETIC_ERRNO(ETXTBSY), "File systems of this type can only be resized offline, but is currently online.");
2605
2606 log_info("Ready to resize image size %s → %s, partition size %s → %s, file system size %s → %s.",
2607 format_bytes(buffer1, sizeof(buffer1), old_image_size),
2608 format_bytes(buffer2, sizeof(buffer2), new_image_size),
2609 format_bytes(buffer3, sizeof(buffer3), setup->partition_size),
2610 format_bytes(buffer4, sizeof(buffer4), new_partition_size),
2611 format_bytes(buffer5, sizeof(buffer5), old_fs_size),
2612 format_bytes(buffer6, sizeof(buffer6), new_fs_size));
2613
2614 r = prepare_resize_partition(
2615 image_fd,
2616 setup->partition_offset,
2617 setup->partition_size,
2618 new_partition_size,
2619 &disk_uuid,
2620 &table);
2621 if (r < 0)
2622 return r;
2623
2624 if (new_fs_size > old_fs_size) {
2625
2626 if (S_ISREG(st.st_mode)) {
2627 /* Grow file size */
2628
2629 if (user_record_luks_discard(h))
2630 r = ftruncate(image_fd, new_image_size);
2631 else
2632 r = fallocate(image_fd, 0, 0, new_image_size);
2633 if (r < 0) {
2634 if (ERRNO_IS_DISK_SPACE(errno)) {
2635 log_debug_errno(errno, "Not enough disk space to grow home.");
2636 return -ENOSPC; /* make recognizable */
2637 }
2638
2639 return log_error_errno(errno, "Failed to grow image file %s: %m", ip);
2640 }
2641
2642 log_info("Growing of image file completed.");
2643 }
2644
2645 /* Make sure loopback device sees the new bigger size */
2646 r = loop_device_refresh_size(setup->loop, UINT64_MAX, new_partition_size);
2647 if (r == -ENOTTY)
2648 log_debug_errno(r, "Device is not a loopback device, not refreshing size.");
2649 else if (r < 0)
2650 return log_error_errno(r, "Failed to refresh loopback device size: %m");
2651 else
2652 log_info("Refreshing loop device size completed.");
2653
2654 r = apply_resize_partition(image_fd, disk_uuid, table);
2655 if (r < 0)
2656 return r;
2657 if (r > 0)
2658 log_info("Growing of partition completed.");
2659
2660 if (ioctl(image_fd, BLKRRPART, 0) < 0)
2661 log_debug_errno(errno, "BLKRRPART failed on block device, ignoring: %m");
2662
2663 /* Tell LUKS about the new bigger size too */
2664 r = crypt_resize(setup->crypt_device, setup->dm_name, new_fs_size / 512U);
2665 if (r < 0)
2666 return log_error_errno(r, "Failed to grow LUKS device: %m");
2667
2668 log_info("LUKS device growing completed.");
2669 } else {
2670 r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home);
2671 if (r < 0)
2672 return r;
2673
2674 if (S_ISREG(st.st_mode)) {
2675 if (user_record_luks_discard(h))
2676 /* Before we shrink, let's trim the file system, so that we need less space on disk during the shrinking */
2677 (void) run_fitrim(setup->root_fd);
2678 else {
2679 /* If discard is off, let's ensure all backing blocks are allocated, so that our resize operation doesn't fail half-way */
2680 r = run_fallocate(image_fd, &st);
2681 if (r < 0)
2682 return r;
2683 }
2684 }
2685 }
2686
2687 /* Now resize the file system */
2688 if (resize_type == CAN_RESIZE_ONLINE)
2689 r = resize_fs(setup->root_fd, new_fs_size, NULL);
2690 else
2691 r = ext4_offline_resize_fs(setup, new_fs_size, user_record_luks_discard(h));
2692 if (r < 0)
2693 return log_error_errno(r, "Failed to resize file system: %m");
2694
2695 log_info("File system resizing completed.");
2696
2697 /* Immediately sync afterwards */
2698 r = home_sync_and_statfs(setup->root_fd, NULL);
2699 if (r < 0)
2700 return r;
2701
2702 if (new_fs_size < old_fs_size) {
2703
2704 /* Shrink the LUKS device now, matching the new file system size */
2705 r = crypt_resize(setup->crypt_device, setup->dm_name, new_fs_size / 512);
2706 if (r < 0)
2707 return log_error_errno(r, "Failed to shrink LUKS device: %m");
2708
2709 log_info("LUKS device shrinking completed.");
2710
2711 if (S_ISREG(st.st_mode)) {
2712 /* Shrink the image file */
2713 if (ftruncate(image_fd, new_image_size) < 0)
2714 return log_error_errno(errno, "Failed to shrink image file %s: %m", ip);
2715
2716 log_info("Shrinking of image file completed.");
2717 }
2718
2719 /* Refresh the loop devices size */
2720 r = loop_device_refresh_size(setup->loop, UINT64_MAX, new_partition_size);
2721 if (r == -ENOTTY)
2722 log_debug_errno(r, "Device is not a loopback device, not refreshing size.");
2723 else if (r < 0)
2724 return log_error_errno(r, "Failed to refresh loopback device size: %m");
2725 else
2726 log_info("Refreshing loop device size completed.");
2727
2728 r = apply_resize_partition(image_fd, disk_uuid, table);
2729 if (r < 0)
2730 return r;
2731 if (r > 0)
2732 log_info("Shrinking of partition completed.");
2733
2734 if (ioctl(image_fd, BLKRRPART, 0) < 0)
2735 log_debug_errno(errno, "BLKRRPART failed on block device, ignoring: %m");
2736 } else {
2737 r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home);
2738 if (r < 0)
2739 return r;
2740 }
2741
2742 r = home_store_header_identity_luks(new_home, setup, header_home);
2743 if (r < 0)
2744 return r;
2745
2746 r = home_extend_embedded_identity(new_home, h, setup);
2747 if (r < 0)
2748 return r;
2749
2750 if (user_record_luks_discard(h))
2751 (void) run_fitrim(setup->root_fd);
2752
2753 r = home_sync_and_statfs(setup->root_fd, &sfs);
2754 if (r < 0)
2755 return r;
2756
2757 r = home_setup_undo(setup);
2758 if (r < 0)
2759 return r;
2760
2761 log_info("Everything completed.");
2762
2763 print_size_summary(new_image_size, new_fs_size, &sfs);
2764
2765 *ret_home = TAKE_PTR(new_home);
2766 return 0;
2767 }
2768
2769 int home_passwd_luks(
2770 UserRecord *h,
2771 HomeSetup *setup,
2772 char **pkcs11_decrypted_passwords, /* the passwords acquired via PKCS#11 security tokens */
2773 char **effective_passwords /* new passwords */) {
2774
2775 size_t volume_key_size, i, max_key_slots, n_effective;
2776 _cleanup_(erase_and_freep) void *volume_key = NULL;
2777 struct crypt_pbkdf_type good_pbkdf, minimal_pbkdf;
2778 const char *type;
2779 int r;
2780
2781 assert(h);
2782 assert(user_record_storage(h) == USER_LUKS);
2783 assert(setup);
2784
2785 type = crypt_get_type(setup->crypt_device);
2786 if (!type)
2787 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine crypto device type.");
2788
2789 r = crypt_keyslot_max(type);
2790 if (r <= 0)
2791 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine number of key slots.");
2792 max_key_slots = r;
2793
2794 r = crypt_get_volume_key_size(setup->crypt_device);
2795 if (r <= 0)
2796 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine volume key size.");
2797 volume_key_size = (size_t) r;
2798
2799 volume_key = malloc(volume_key_size);
2800 if (!volume_key)
2801 return log_oom();
2802
2803 r = luks_try_passwords(setup->crypt_device, pkcs11_decrypted_passwords, volume_key, &volume_key_size);
2804 if (r == -ENOKEY) {
2805 r = luks_try_passwords(setup->crypt_device, h->password, volume_key, &volume_key_size);
2806 if (r == -ENOKEY)
2807 return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), "Failed to unlock LUKS superblock with supplied passwords.");
2808 }
2809 if (r < 0)
2810 return log_error_errno(r, "Failed to unlocks LUKS superblock: %m");
2811
2812 n_effective = strv_length(effective_passwords);
2813
2814 build_good_pbkdf(&good_pbkdf, h);
2815 build_minimal_pbkdf(&minimal_pbkdf, h);
2816
2817 for (i = 0; i < max_key_slots; i++) {
2818 r = crypt_keyslot_destroy(setup->crypt_device, i);
2819 if (r < 0 && !IN_SET(r, -ENOENT, -EINVAL)) /* Returns EINVAL or ENOENT if there's no key in this slot already */
2820 return log_error_errno(r, "Failed to destroy LUKS password: %m");
2821
2822 if (i >= n_effective) {
2823 if (r >= 0)
2824 log_info("Destroyed LUKS key slot %zu.", i);
2825 continue;
2826 }
2827
2828 if (strv_find(pkcs11_decrypted_passwords, effective_passwords[i])) {
2829 log_debug("Using minimal PBKDF for slot %zu", i);
2830 r = crypt_set_pbkdf_type(setup->crypt_device, &minimal_pbkdf);
2831 } else {
2832 log_debug("Using good PBKDF for slot %zu", i);
2833 r = crypt_set_pbkdf_type(setup->crypt_device, &good_pbkdf);
2834 }
2835 if (r < 0)
2836 return log_error_errno(r, "Failed to tweak PBKDF for slot %zu: %m", i);
2837
2838 r = crypt_keyslot_add_by_volume_key(
2839 setup->crypt_device,
2840 i,
2841 volume_key,
2842 volume_key_size,
2843 effective_passwords[i],
2844 strlen(effective_passwords[i]));
2845 if (r < 0)
2846 return log_error_errno(r, "Failed to set up LUKS password: %m");
2847
2848 log_info("Updated LUKS key slot %zu.", i);
2849 }
2850
2851 return 1;
2852 }
2853
2854 int home_lock_luks(UserRecord *h) {
2855 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
2856 _cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
2857 _cleanup_close_ int root_fd = -1;
2858 const char *p;
2859 int r;
2860
2861 assert(h);
2862
2863 assert_se(p = user_record_home_directory(h));
2864 root_fd = open(p, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
2865 if (root_fd < 0)
2866 return log_error_errno(errno, "Failed to open home directory: %m");
2867
2868 r = make_dm_names(h->user_name, &dm_name, &dm_node);
2869 if (r < 0)
2870 return r;
2871
2872 r = crypt_init_by_name(&cd, dm_name);
2873 if (r < 0)
2874 return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name);
2875
2876 log_info("Discovered used LUKS device %s.", dm_node);
2877 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
2878
2879 if (syncfs(root_fd) < 0) /* Snake oil, but let's better be safe than sorry */
2880 return log_error_errno(errno, "Failed to synchronize file system %s: %m", p);
2881
2882 root_fd = safe_close(root_fd);
2883
2884 log_info("File system synchronized.");
2885
2886 /* Note that we don't invoke FIFREEZE here, it appears libcryptsetup/device-mapper already does that on its own for us */
2887
2888 r = crypt_suspend(cd, dm_name);
2889 if (r < 0)
2890 return log_error_errno(r, "Failed to suspend cryptsetup device: %s: %m", dm_node);
2891
2892 log_info("LUKS device suspended.");
2893 return 0;
2894 }
2895
2896 static int luks_try_resume(
2897 struct crypt_device *cd,
2898 const char *dm_name,
2899 char **password) {
2900
2901 char **pp;
2902 int r;
2903
2904 assert(cd);
2905 assert(dm_name);
2906
2907 STRV_FOREACH(pp, password) {
2908 r = crypt_resume_by_passphrase(
2909 cd,
2910 dm_name,
2911 CRYPT_ANY_SLOT,
2912 *pp,
2913 strlen(*pp));
2914 if (r >= 0) {
2915 log_info("Resumed LUKS device %s.", dm_name);
2916 return 0;
2917 }
2918
2919 log_debug_errno(r, "Password %zu didn't work for resuming device: %m", (size_t) (pp - password));
2920 }
2921
2922 return -ENOKEY;
2923 }
2924
2925 int home_unlock_luks(UserRecord *h, char ***pkcs11_decrypted_passwords) {
2926 _cleanup_free_ char *dm_name = NULL, *dm_node = NULL;
2927 _cleanup_(crypt_freep) struct crypt_device *cd = NULL;
2928 int r;
2929
2930 assert(h);
2931
2932 r = make_dm_names(h->user_name, &dm_name, &dm_node);
2933 if (r < 0)
2934 return r;
2935
2936 r = crypt_init_by_name(&cd, dm_name);
2937 if (r < 0)
2938 return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name);
2939
2940 log_info("Discovered used LUKS device %s.", dm_node);
2941 crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
2942
2943 r = luks_try_resume(cd, dm_name, pkcs11_decrypted_passwords ? *pkcs11_decrypted_passwords : NULL);
2944 if (r == -ENOKEY) {
2945 r = luks_try_resume(cd, dm_name, h->password);
2946 if (r == -ENOKEY)
2947 return log_error_errno(r, "No valid password for LUKS superblock.");
2948 }
2949 if (r < 0)
2950 return log_error_errno(r, "Failed to resume LUKS superblock: %m");
2951
2952 log_info("LUKS device resumed.");
2953 return 0;
2954 }
Unnamed repository; edit this file 'description' to name the repository.