[dm-devel] dm-crypt userland key patch


 



Hello

Patch to the dm-crypt module so that it hides the crypto key from
userland (the key is otherwise printed by 'dmsetup table').

Adds an extra option (DM_CRYPT_NULLKEYSTATUS) to
config/menuconfig/whateverconfig, under dm-crypt, so you can toggle the
patch.


Code by Bjorn Andersson and Erik Ekman.

// Bjorn
diff -ur linux-2.6.11-gentoo-r4/drivers/md/Kconfig linux-2.6.11-gentoo-r4-mod/drivers/md/Kconfig
--- linux-2.6.11-gentoo-r4/drivers/md/Kconfig	2005-03-18 14:44:33.000000000 +0100
+++ linux-2.6.11-gentoo-r4-mod/drivers/md/Kconfig	2005-04-12 15:46:03.000000000 +0200
@@ -207,6 +207,18 @@
 
 	  If unsure, say N.
 
+config DM_CRYPT_NULLKEYSTATUS
+	bool "Hide key from userspace"
+	depends on DM_CRYPT
+	---help---
+	  When executing 'dmsetup table' it prints the crypto-key for all 
+	  mounted dm-crypt-devices. See dmsetup(8).
+
+	  This hides the real key and returns a key of zeros instead.
+
+	  If paranoid or unsure, say Y.
+	  If you need to see your keys in runtime, say N.
+
 config DM_SNAPSHOT
        tristate "Snapshot target (EXPERIMENTAL)"
        depends on BLK_DEV_DM && EXPERIMENTAL
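Review bot: The help text for DM_CRYPT_NULLKEYSTATUS does not tell the user what they give up by saying Y: the key field of the table line is replaced by zeros of the same length, so the output no longer describes the mapping that is actually in use. I would add a sentence such as `With this option the output of 'dmsetup table' can no longer be used to recreate the mapping.` and say "active" rather than "mounted" devices, since the table exists whether or not a filesystem is mounted. The entry has no `default` line, so it stays off unless selected, which is worth stating next to "If paranoid or unsure, say Y". The line ending in "for all " also carries trailing whitespace.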
diff -ur linux-2.6.11-gentoo-r4/drivers/md/dm-crypt.c linux-2.6.11-gentoo-r4-mod/drivers/md/dm-crypt.c
--- linux-2.6.11-gentoo-r4/drivers/md/dm-crypt.c	2005-04-12 12:51:28.000000000 +0200
+++ linux-2.6.11-gentoo-r4-mod/drivers/md/dm-crypt.c	2005-04-12 15:36:35.000000000 +0200
@@ -518,6 +518,7 @@
 /*
  * Encode key into its hex representation
  */
+#ifndef CONFIG_DM_CRYPT_NULLKEYSTATUS
 static void crypt_encode_key(char *hex, u8 *key, unsigned int size)
 {
 	unsigned int i;
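Review bot: The `#ifndef CONFIG_DM_CRYPT_NULLKEYSTATUS` is placed between the "Encode key into its hex representation" comment and the function it describes, so with the option enabled the comment is left documenting nothing. Moving the guard above the comment, or adding `/* only needed when the key is reported to userspace */` on the `#ifndef` line and `/* !CONFIG_DM_CRYPT_NULLKEYSTATUS */` on the matching `#endif` in the next hunk, would keep the pairing readable. The body of crypt_encode_key continues outside this hunk.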
@@ -528,6 +529,7 @@
 		key++;
 	}
 }
+#endif
 
 /*
  * Construct an encryption mapping:
@@ -900,8 +902,11 @@
 		if (cc->key_size > 0) {
 			if ((maxlen - sz) < ((cc->key_size << 1) + 1))
 				return -ENOMEM;
-
+#ifdef CONFIG_DM_CRYPT_NULLKEYSTATUS
+			memset(result + sz, '0', cc->key_size << 1);	
+#else
 			crypt_encode_key(result + sz, cc->key, cc->key_size);
+#endif
 			sz += cc->key_size << 1;
 		} else {
 			if (sz >= maxlen)
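Review bot: The field written by `memset(result + sz, '0', cc->key_size << 1);` is a well-formed hex key of the correct length, so a tool that feeds `dmsetup table` output back into a table load would set up the mapping with an all-zero key and get no error. That consequence deserves a comment at this branch, e.g. `/* placeholder, not the real key: this line must not be used to reload the table */`. The bounds check above reserves `+ 1` byte, presumably for a terminator, but memset writes none; unless code after the hunk terminates the string, add `result[sz + (cc->key_size << 1)] = '\0';` before `sz` is advanced. The memset line also ends in a stray tab, and the status function starts and ends outside this hunk.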
