Open Menu / drivers / block / luks_internal.h
Loading...
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * LUKS (Linux Unified Key Setup) internal interfaces
 *
 * Copyright (C) 2025 Canonical Ltd
 */

#ifndef __LUKS_INTERNAL_H__
#define __LUKS_INTERNAL_H__

#include <hash.h>

/**
 * af_merge() - Merge anti-forensic split key into original key
 *
 * This performs the LUKS AF-merge operation to recover the original key from
 * its AF-split representation. The algorithm XORs all stripes together,
 * applying diffusion between each stripe. Used by both LUKS1 and LUKS2.
 *
 * @src:	AF-split key material (key_size * stripes bytes)
 * @dst:	Output buffer for merged key (key_size bytes)
 * @key_size:	Size of the original key
 * @stripes:	Number of anti-forensic stripes
 * @hash_spec:	Hash algorithm name (e.g., "sha256")
 * Return:	0 on success, -ve on error
 */
int af_merge(const u8 *src, u8 *dst, size_t key_size, uint stripes,
	     const char *hash_spec);

/**
 * essiv_decrypt() - Decrypt key material using ESSIV mode
 *
 * ESSIV (Encrypted Salt-Sector Initialization Vector) mode generates a unique
 * IV for each sector by encrypting the sector number with a key derived from
 * hashing the encryption key. Used by both LUKS1 and LUKS2.
 *
 * @derived_key: Key derived from passphrase
 * @key_size: Size of the encryption key in bytes
 * @expkey: Expanded AES key for decryption
 * @km: Encrypted key material buffer
 * @split_key: Output buffer for decrypted key material
 * @km_blocks: Number of blocks of key material
 * @blksz: Block size in bytes
 */
void essiv_decrypt(const u8 *derived_key, uint key_size, u8 *expkey, u8 *km,
		   u8 *split_key, uint km_blocks, uint blksz);

/**
 * unlock_luks2() - Unlock a LUKS2 partition with a passphrase
 *
 * @blk:	Block device
 * @pinfo:	Partition information
 * @pass:	Passphrase to unlock the partition or pre-derived key
 * @pass_len:	Length of the passphrase in bytes
 * @pre_derived: True if pass is a pre-derived key, false for passphrase
 * @master_key:	Buffer to receive the decrypted master key
 * @key_sizep:	Returns the key size
 * Return:	0 on success, -EACCES if no keyslots matched, other -ve on other
 * error
 */
int unlock_luks2(struct udevice *blk, struct disk_partition *pinfo,
		 const u8 *pass, size_t pass_len, bool pre_derived,
		 u8 *master_key, uint *key_sizep);

#endif /* __LUKS_INTERNAL_H__ */