commit 59dffa63af63ac1021f372e4505fb8c1b9084906
author John Edward Broadbent <jebr@google.com> Thu Jan 13 17:41:32 2022 -0800
committer John Broadbent <jebr@google.com> Tue Jan 25 21:06:45 2022 +0000
tree 1d65c84c7ac356e483920889341b218a8725fe2c
parent 6978676100aa65c551e00ea58c6a891223f25be5

Add crypto Erase to eStorageD.

The goal is to erase the keys that are used to decrypt the drive. After
the keys are erased it will not be possible to decrypt the drive, even
if the password can be recalled. The data is forever inaccessible.

Testing:

$ systemctl stop emmc.service

$ /eStoraged -b /dev/mmcblk0 &

$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume FormatLuks ays 3 1 2 3 xyz.openbmc_project.Inventory.Item.Volume.FilesystemType.ext4

$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Lock

$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Erase s xyz.openbmc_project.Inventory.Item.Volume.EraseMethod.CryptoErase

$ busctl call xyz.openbmc_project.eStoraged.mmcblk0 /xyz/openbmc_project/storage/mmcblk0 xyz.openbmc_project.Inventory.Item.Volume Unlock ay 3 1 2 3
Call failed: The operation failed internally.

Signed-off-by: John Edward Broadbent <jebr@google.com>
Change-Id: I3221e82a92c1b555e2379b19c9e1d5b6e4b02f9b

include/cryptsetupInterface.hpp

diff --git a/include/cryptsetupInterface.hpp b/include/cryptsetupInterface.hpp
index 25c69d0..8cc0469 100644
--- a/include/cryptsetupInterface.hpp
+++ b/include/cryptsetupInterface.hpp
@@ -96,6 +96,40 @@
      *  @returns 0 on success or negative errno value otherwise.
      */
     virtual int cryptDeactivate(struct crypt_device* cd, const char* name) = 0;
+
+    /** @brief Wrapper around crypt_keyslot_destory.
+     *  @details Used for mocking purposes.
+     *
+     *  @param[in] cd - crypt device handle, can not be NULL.
+     *  @param[in] keyslot requested key slot to destroy
+     *
+     *  @returns 0 on success or negative errno value otherwise.
+     */
+    virtual int cryptKeyslotDestroy(struct crypt_device* cd,
+                                    const int keyslot) = 0;
+
+    /** @breif Wapper around crypt_keyslot_max
+     *  @details Used for mocking purposes.
+     *
+     * @param type crypt device type
+     *
+     * @return slot count or negative errno otherwise if device
+     * does not support keyslots.
+     */
+    virtual int cryptKeySlotMax(const char* type) = 0;
+
+    /** @breif Wapper around crypt_keyslot_status
+     *  @details Used for mocking purposes.
+     *  Get information about particular key slot.
+     *
+     * @param cd crypt device handle
+     * @param keyslot requested keyslot to check or CRYPT_ANY_SLOT
+     *
+     * @return value defined by crypt_keyslot_info
+     *
+     */
+    virtual crypt_keyslot_info cryptKeySlotStatus(struct crypt_device* cd,
+                                                  int keyslot) = 0;
 };
 
 /** @class Cryptsetup
@@ -143,6 +177,22 @@
     {
         return crypt_deactivate(cd, name);
     }
+
+    int cryptKeyslotDestroy(struct crypt_device* cd, const int keyslot) override
+    {
+        return crypt_keyslot_destroy(cd, keyslot);
+    }
+
+    int cryptKeySlotMax(const char* type) override
+    {
+        return crypt_keyslot_max(type);
+    }
+
+    crypt_keyslot_info cryptKeySlotStatus(struct crypt_device* cd,
+                                          int keyslot) override
+    {
+        return crypt_keyslot_status(cd, keyslot);
+    }
 };
 
 /** @class CryptHandle