--- /dev/null
+/*
+ * Copyright (C) 2022 Milan Broz <gmazyland@gmail.com>
+ *
+ * This file may be redistributed under the terms of the
+ * GNU Lesser General Public License.
+ */
+
+#include "superblocks.h"
+#include "crc32c.h"
+
+/*
+ * For header details, see:
+ * https://github.com/libyal/libfvde/blob/main/documentation/FileVault%20Drive%20Encryption%20(FVDE).asciidoc
+ * https://is.muni.cz/auth/th/p0aok/thesis.pdf
+ */
+
+/* Apple Core Storage magic bytes */
+#define CS_MAGIC "CS"
+
+struct crc32_checksum {
+ uint32_t value;
+ uint32_t seed;
+} __attribute__((packed));
+
+/*
+ * The superblock structure describes "physical volume"; Core Storage
+ * then uses another abstractions above, similar to LVM.
+ * After activation through dm-crypt, filesystem (usually HFS+) is on top.
+ * The filesystem block size and used data size cannot be directly derived from
+ * this superblock structure without parsing other metadata blocks.
+ */
+
+struct cs_fvault2_sb {
+ struct crc32_checksum checksum;
+ uint16_t version;
+ uint16_t block_type;
+ uint8_t unknown1[52];
+ uint64_t ph_vol_size;
+ uint8_t unknown2[16];
+ uint16_t magic;
+ uint32_t checksum_algo;
+ uint8_t unknown3[2];
+ uint32_t block_size;
+ uint32_t metadata_size;
+ uint64_t disklbl_blkoff;
+ uint64_t other_md_blkoffs[3];
+ uint8_t unknown4[32];
+ uint32_t key_data_size;
+ uint32_t cipher;
+ uint8_t key_data[16];
+ uint8_t unknown5[112];
+ uint8_t ph_vol_uuid[16];
+ uint8_t unknown6[192];
+} __attribute__((packed));
+
+static int cs_fvault2_verify_csum(blkid_probe pr, const struct cs_fvault2_sb *sb)
+{
+ uint32_t seed = le32_to_cpu(sb->checksum.seed);
+ uint32_t crc = le32_to_cpu(sb->checksum.value);
+ unsigned char *buf = (unsigned char *)sb + sizeof(sb->checksum);
+ size_t buf_size = sizeof(*sb) - sizeof(sb->checksum);
+
+ return blkid_probe_verify_csum(pr, crc32c(seed, buf, buf_size), crc);
+}
+
+static int probe_cs_fvault2(blkid_probe pr, const struct blkid_idmag *mag)
+{
+ struct cs_fvault2_sb *sb;
+
+ sb = blkid_probe_get_sb(pr, mag, struct cs_fvault2_sb);
+ if (!sb)
+ return errno ? -errno : BLKID_PROBE_NONE;
+
+ /* Apple Core storage Physical Volume Header; only type 1 checksum is supported */
+ if (le16_to_cpu(sb->version) != 1 ||
+ le32_to_cpu(sb->checksum_algo) != 1)
+ return BLKID_PROBE_NONE;
+
+ if (!cs_fvault2_verify_csum(pr, sb))
+ return BLKID_PROBE_NONE;
+
+ /* We support only block type 0x10 as it should be used for FileVault2 */
+ if (le16_to_cpu(sb->block_type) != 0x10 ||
+ le32_to_cpu(sb->key_data_size) != 16 ||
+ le32_to_cpu(sb->cipher) != 2 /* AES-XTS */)
+ return BLKID_PROBE_NONE;
+
+ blkid_probe_sprintf_version(pr, "%u", le16_to_cpu(sb->version));
+ blkid_probe_set_uuid(pr, sb->ph_vol_uuid);
+
+ return BLKID_PROBE_OK;
+}
+
+const struct blkid_idinfo cs_fvault2_idinfo =
+{
+ .name = "cs_fvault2",
+ .usage = BLKID_USAGE_CRYPTO,
+ .probefunc = probe_cs_fvault2,
+ .magics =
+ {
+ { .magic = CS_MAGIC, .len = 2, .sboff = 88 },
+ { NULL }
+ }
+};
projects / thirdparty / util-linux.git / commitdiff
