1 use std
::os
::unix
::prelude
::AsRawFd
;
4 use anyhow
::{bail, format_err, Error}
;
5 use endian_trait
::Endian
;
7 use proxmox_io
::{ReadExt, WriteExt}
;
9 use crate::sgutils2
::{SgRaw, alloc_page_aligned_buffer}
;
11 /// Test if drive supports hardware encryption
13 /// We search for AES_CGM algorithm with 256bits key.
14 pub fn has_encryption
<F
: AsRawFd
>(
18 let data
= match sg_spin_data_encryption_caps(file
) {
20 Err(_
) => return false,
22 decode_spin_data_encryption_caps(&data
).is_ok()
25 /// Set or clear encryption key
27 /// We always use mixed mode,
28 pub fn set_encryption
<F
: AsRawFd
>(
30 key
: Option
<[u8; 32]>,
31 ) -> Result
<(), Error
> {
33 let data
= match sg_spin_data_encryption_caps(file
) {
35 Err(_
) if key
.is_none() => {
36 // Assume device does not support HW encryption
37 // We can simply ignore the clear key request
40 Err(err
) => return Err(err
),
43 let algorithm_index
= decode_spin_data_encryption_caps(&data
)?
;
45 sg_spout_set_encryption(file
, algorithm_index
, key
)?
;
47 let data
= sg_spin_data_encryption_status(file
)?
;
48 let status
= decode_spin_data_encryption_status(&data
)?
;
51 DataEncryptionMode
::Off
=> {
56 DataEncryptionMode
::Mixed
=> {
64 bail
!("got unexpected encryption mode {:?}", status
.mode
);
69 struct SspSetDataEncryptionPage
{
83 fn sg_spout_set_encryption
<F
: AsRawFd
>(
86 key
: Option
<[u8; 32]>,
87 ) -> Result
<(), Error
> {
89 let mut sg_raw
= SgRaw
::new(file
, 0)?
;
91 let mut outbuf_len
= std
::mem
::size_of
::<SspSetDataEncryptionPage
>();
92 if let Some(ref key
) = key
{
93 outbuf_len
+= key
.len();
96 let mut outbuf
= alloc_page_aligned_buffer(outbuf_len
)?
;
99 let page
= SspSetDataEncryptionPage
{
101 page_len
: (outbuf_len
- 4) as u16,
102 scope_byte
: (0b10 << 5), // all IT nexus
103 control_byte_5
: (chok
<< 2),
104 encryption_mode
: if key
.is_some() { 2 }
else { 0 }
,
105 decryption_mode
: if key
.is_some() { 3 }
else { 0 }
, // mixed mode
109 key_len
: if let Some(ref key
) = key { key.len() as u16 }
else { 0 }
,
112 let mut writer
= &mut outbuf
[..];
113 unsafe { writer.write_be_value(page)? }
;
115 if let Some(ref key
) = key
{
116 writer
.write_all(key
)?
;
119 let mut cmd
= Vec
::new();
120 cmd
.push(0xB5); // SECURITY PROTOCOL IN (SPOUT)
121 cmd
.push(0x20); // Tape Data Encryption Page
122 cmd
.push(0);cmd
.push(0x10); // Set Data Encryption page
125 cmd
.extend(&(outbuf_len
as u32).to_be_bytes()); // data out len
129 sg_raw
.do_out_command(&cmd
, &outbuf
)
130 .map_err(|err
| format_err
!("set data encryption SPOUT(20h[0010h]) failed - {}", err
))
133 // Warning: this blocks and fails if there is no media loaded
134 fn sg_spin_data_encryption_status
<F
: AsRawFd
>(file
: &mut F
) -> Result
<Vec
<u8>, Error
> {
136 let allocation_len
: u32 = 8192+4;
138 let mut sg_raw
= SgRaw
::new(file
, allocation_len
as usize)?
;
140 let mut cmd
= Vec
::new();
141 cmd
.push(0xA2); // SECURITY PROTOCOL IN (SPIN)
142 cmd
.push(0x20); // Tape Data Encryption Page
143 cmd
.push(0);cmd
.push(0x20); // Data Encryption Status page
146 cmd
.extend(&allocation_len
.to_be_bytes());
150 sg_raw
.do_command(&cmd
)
151 .map_err(|err
| format_err
!("read data encryption status SPIN(20h[0020h]) failed - {}", err
))
155 // Warning: this blocks and fails if there is no media loaded
156 fn sg_spin_data_encryption_caps
<F
: AsRawFd
>(file
: &mut F
) -> Result
<Vec
<u8>, Error
> {
158 let allocation_len
: u32 = 8192+4;
160 let mut sg_raw
= SgRaw
::new(file
, allocation_len
as usize)?
;
162 let mut cmd
= Vec
::new();
163 cmd
.push(0xA2); // SECURITY PROTOCOL IN (SPIN)
164 cmd
.push(0x20); // Tape Data Encryption Page
165 cmd
.push(0);cmd
.push(0x10); // Data Encryption Capabilities page
168 cmd
.extend(&allocation_len
.to_be_bytes());
172 sg_raw
.do_command(&cmd
)
173 .map_err(|err
| format_err
!("read data encryption caps SPIN(20h[0010h]) failed - {}", err
))
178 enum DataEncryptionMode
{
186 struct DataEncryptionStatus
{
187 mode
: DataEncryptionMode
,
192 struct SspDataEncryptionCapabilityPage
{
200 struct SspDataEncryptionAlgorithmDescriptor
{
216 // Returns the algorythm_index for AES-CGM
217 fn decode_spin_data_encryption_caps(data
: &[u8]) -> Result
<u8, Error
> {
219 proxmox_lang
::try_block
!({
220 let mut reader
= &data
[..];
221 let _page
: SspDataEncryptionCapabilityPage
= unsafe { reader.read_be_value()? }
;
223 let mut aes_cgm_index
= None
;
226 if reader
.is_empty() { break; }
;
227 let desc
: SspDataEncryptionAlgorithmDescriptor
=
228 unsafe { reader.read_be_value()? }
;
229 if desc
.descriptor_len
!= 0x14 {
230 bail
!("got wrong key descriptor len");
232 if (desc
.control_byte_4
& 0b00000011) != 2 {
233 continue; // can't encrypt in hardware
235 if ((desc
.control_byte_4
& 0b00001100) >> 2) != 2 {
236 continue; // can't decrypt in hardware
238 if desc
.algorithm_code
== 0x00010014 && desc
.key_size
== 32 {
239 aes_cgm_index
= Some(desc
.algorythm_index
);
244 match aes_cgm_index
{
245 Some(index
) => Ok(index
),
246 None
=> bail
!("drive does not support AES-CGM encryption"),
248 }).map_err(|err
: Error
| format_err
!("decode data encryption caps page failed - {}", err
))
254 struct SspDataEncryptionStatusPage
{
261 key_instance_counter
: u32,
268 fn decode_spin_data_encryption_status(data
: &[u8]) -> Result
<DataEncryptionStatus
, Error
> {
270 proxmox_lang
::try_block
!({
271 let mut reader
= &data
[..];
272 let page
: SspDataEncryptionStatusPage
= unsafe { reader.read_be_value()? }
;
274 if page
.page_code
!= 0x20 {
275 bail
!("invalid response");
278 let mode
= match (page
.encryption_mode
, page
.decryption_mode
) {
279 (0, 0) => DataEncryptionMode
::Off
,
280 (2, 1) => DataEncryptionMode
::RawRead
,
281 (2, 2) => DataEncryptionMode
::On
,
282 (2, 3) => DataEncryptionMode
::Mixed
,
283 _
=> bail
!("unknown encryption mode"),
286 let status
= DataEncryptionStatus
{
292 }).map_err(|err
| format_err
!("decode data encryption status page failed - {}", err
))