Currently, we support only filling a volume with zeroes on wiping.
However, it is not enough as data might still be readable by
experienced and equipped attacker. Many technical papers have been
written, therefore we should support other wiping algorithms.
AC_SUBST([LIBNL_CFLAGS])
AC_SUBST([LIBNL_LIBS])
-
-
+dnl scrub program for different volume wiping algorithms
+
+AC_ARG_WITH([scrub],
+ AC_HELP_STRING([--with-scrub], [enable different volume wiping algorithms
+ @<:@default=check@:>@]),
+ [with_macvtap=${withval}],
+ [with_scrub=check])
+
+if test "$with_scrub" != "no"; then
+ AC_PATH_PROG([SCRUB], [scrub])
+ if test -z "$SCRUB" ; then
+ if test "$with_scrub" = "check"; then
+ with_scrub=no
+ else
+ AC_MSG_ERROR([You must install the 'scrub' binary to enable
+ different volume wiping algorithms])
+ fi
+ else
+ with_scrub=yes
+ fi
+ if test "$with_scrub" = "yes"; then
+ AC_DEFINE_UNQUOTED([SCRUB], ["$SCRUB"],
+ [Location of the scrub program])
+ fi
+fi
# Only COPYING.LIB is under version control, yet COPYING
# is included as part of the distribution tarball.
VIR_STORAGE_VOL_DELETE_ZEROED = 1 << 0, /* Clear all data to zeros (slow) */
} virStorageVolDeleteFlags;
+typedef enum {
+ VIR_STORAGE_VOL_WIPE_ALG_ZERO = 0, /* 1-pass, all zeroes */
+ VIR_STORAGE_VOL_WIPE_ALG_NNSA = 1, /* 4-pass NNSA Policy Letter
+ NAP-14.1-C (XVI-8) */
+ VIR_STORAGE_VOL_WIPE_ALG_DOD = 2, /* 4-pass DoD 5220.22-M section
+ 8-306 procedure */
+ VIR_STORAGE_VOL_WIPE_ALG_BSI = 3, /* 9-pass method recommended by the
+ German Center of Security in
+ Information Technologies */
+ VIR_STORAGE_VOL_WIPE_ALG_GUTMANN = 4, /* The canonical 35-pass sequence */
+ VIR_STORAGE_VOL_WIPE_ALG_SCHNEIER = 5, /* 7-pass method described by
+ Bruce Schneier in "Applied
+ Cryptography" (1996) */
+ VIR_STORAGE_VOL_WIPE_ALG_PFITZNER7 = 6, /* 7-pass random */
+
+ VIR_STORAGE_VOL_WIPE_ALG_PFITZNER33 = 7, /* 33-pass random */
+
+ VIR_STORAGE_VOL_WIPE_ALG_RANDOM = 8, /* 1-pass random */
+
+#ifdef VIR_ENUM_SENTINELS
+ /*
+ * NB: this enum value will increase over time as new algorithms are
+ * added to the libvirt API. It reflects the last algorithm supported
+ * by this version of the libvirt API.
+ */
+ VIR_STORAGE_VOL_WIPE_ALG_LAST
+#endif
+} virStorageVolWipeAlgorithm;
+
typedef struct _virStorageVolInfo virStorageVolInfo;
struct _virStorageVolInfo {
unsigned int flags);
int virStorageVolWipe (virStorageVolPtr vol,
unsigned int flags);
+int virStorageVolWipePattern (virStorageVolPtr vol,
+ unsigned int algorithm,
+ unsigned int flags);
int virStorageVolRef (virStorageVolPtr vol);
int virStorageVolFree (virStorageVolPtr vol);
typedef int
(*virDrvStorageVolWipe) (virStorageVolPtr vol,
unsigned int flags);
+typedef int
+ (*virDrvStorageVolWipePattern) (virStorageVolPtr vol,
+ unsigned int algorithm,
+ unsigned int flags);
typedef int
(*virDrvStorageVolGetInfo) (virStorageVolPtr vol,
virDrvStorageVolUpload volUpload;
virDrvStorageVolDelete volDelete;
virDrvStorageVolWipe volWipe;
+ virDrvStorageVolWipePattern volWipePattern;
virDrvStorageVolGetInfo volGetInfo;
virDrvStorageVolGetXMLDesc volGetXMLDesc;
virDrvStorageVolGetPath volGetPath;
}
+/**
+ * virStorageVolWipePattern:
+ * @vol: pointer to storage volume
+ * @algorithm: one of virStorageVolWipeAlgorithm
+ * @flags: future flags, use 0 for now
+ *
+ * Similar to virStorageVolWipe, but one can choose
+ * between different wiping algorithms.
+ *
+ * Returns 0 on success, or -1 on error.
+ */
+int
+virStorageVolWipePattern(virStorageVolPtr vol,
+ unsigned int algorithm,
+ unsigned int flags)
+{
+ virConnectPtr conn;
+ VIR_DEBUG("vol=%p, algorithm=%u, flags=%x", vol, algorithm, flags);
+
+ virResetLastError();
+
+ if (!VIR_IS_CONNECTED_STORAGE_VOL(vol)) {
+ virLibStorageVolError(VIR_ERR_INVALID_STORAGE_VOL, __FUNCTION__);
+ virDispatchError(NULL);
+ return -1;
+ }
+
+ conn = vol->conn;
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibStorageVolError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
+ if (conn->storageDriver && conn->storageDriver->volWipePattern) {
+ int ret;
+ ret = conn->storageDriver->volWipePattern(vol, algorithm, flags);
+ if (ret < 0) {
+ goto error;
+ }
+ return ret;
+ }
+
+ virLibConnError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+
+error:
+ virDispatchError(vol->conn);
+ return -1;
+}
+
/**
* virStorageVolFree:
* @vol: pointer to storage volume
LIBVIRT_0.9.10 {
global:
virDomainShutdownFlags;
+ virStorageVolWipePattern;
} LIBVIRT_0.9.9;
+
# .... define new API here using predicted next version number ....
.volUpload = remoteStorageVolUpload, /* 0.9.0 */
.volDelete = remoteStorageVolDelete, /* 0.4.1 */
.volWipe = remoteStorageVolWipe, /* 0.8.0 */
+ .volWipePattern = remoteStorageVolWipePattern, /* 0.9.10 */
.volGetInfo = remoteStorageVolGetInfo, /* 0.4.1 */
.volGetXMLDesc = remoteStorageVolGetXMLDesc, /* 0.4.1 */
.volGetPath = remoteStorageVolGetPath, /* 0.4.1 */
unsigned int flags;
};
+struct remote_storage_vol_wipe_pattern_args {
+ remote_nonnull_storage_vol vol;
+ unsigned int algorithm;
+ unsigned int flags;
+};
+
struct remote_storage_vol_get_xml_desc_args {
remote_nonnull_storage_vol vol;
unsigned int flags;
REMOTE_PROC_DOMAIN_GET_NUMA_PARAMETERS = 255, /* skipgen skipgen */
REMOTE_PROC_DOMAIN_SET_INTERFACE_PARAMETERS = 256, /* autogen autogen */
REMOTE_PROC_DOMAIN_GET_INTERFACE_PARAMETERS = 257, /* skipgen skipgen */
- REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS = 258 /* autogen autogen */
+ REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS = 258, /* autogen autogen */
+ REMOTE_PROC_STORAGE_VOL_WIPE_PATTERN = 259 /* autogen autogen */
/*
* Notice how the entries are grouped in sets of 10 ?
remote_nonnull_storage_vol vol;
u_int flags;
};
+struct remote_storage_vol_wipe_pattern_args {
+ remote_nonnull_storage_vol vol;
+ u_int algorithm;
+ u_int flags;
+};
struct remote_storage_vol_get_xml_desc_args {
remote_nonnull_storage_vol vol;
u_int flags;
REMOTE_PROC_DOMAIN_SET_INTERFACE_PARAMETERS = 256,
REMOTE_PROC_DOMAIN_GET_INTERFACE_PARAMETERS = 257,
REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS = 258,
+ REMOTE_PROC_STORAGE_VOL_WIPE_PATTERN = 259,
};
static int
-storageVolumeWipeInternal(virStorageVolDefPtr def)
+storageVolumeWipeInternal(virStorageVolDefPtr def,
+ unsigned int algorithm)
{
int ret = -1, fd = -1;
struct stat st;
char *writebuf = NULL;
size_t bytes_wiped = 0;
+ virCommandPtr cmd = NULL;
- VIR_DEBUG("Wiping volume with path '%s'", def->target.path);
+ VIR_DEBUG("Wiping volume with path '%s' and algorithm %u",
+ def->target.path, algorithm);
fd = open(def->target.path, O_RDWR);
if (fd == -1) {
goto out;
}
- if (S_ISREG(st.st_mode) && st.st_blocks < (st.st_size / DEV_BSIZE)) {
- ret = storageVolumeZeroSparseFile(def, st.st_size, fd);
- } else {
+ if (algorithm != VIR_STORAGE_VOL_WIPE_ALG_ZERO) {
+ const char *alg_char ATTRIBUTE_UNUSED = NULL;
+ switch (algorithm) {
+#ifdef SCRUB
+ case VIR_STORAGE_VOL_WIPE_ALG_NNSA:
+ alg_char = "nnsa";
+ break;
+ case VIR_STORAGE_VOL_WIPE_ALG_DOD:
+ alg_char = "dod";
+ break;
+ case VIR_STORAGE_VOL_WIPE_ALG_BSI:
+ alg_char = "bsi";
+ break;
+ case VIR_STORAGE_VOL_WIPE_ALG_GUTMANN:
+ alg_char = "gutmann";
+ break;
+ case VIR_STORAGE_VOL_WIPE_ALG_SCHNEIER:
+ alg_char = "shneier";
+ break;
+ case VIR_STORAGE_VOL_WIPE_ALG_PFITZNER7:
+ alg_char = "pfitzner7";
+ break;
+ case VIR_STORAGE_VOL_WIPE_ALG_PFITZNER33:
+ alg_char = " pfitzner33";
+ break;
+ case VIR_STORAGE_VOL_WIPE_ALG_RANDOM:
+ alg_char = "random";
+ break;
+#endif
+ default:
+ virStorageReportError(VIR_ERR_INVALID_ARG,
+ _("unsupported algorithm %d"),
+ algorithm);
+ }
+#ifdef SCRUB
+ cmd = virCommandNew(SCRUB);
+ virCommandAddArgList(cmd, "-f", "-p", alg_char,
+ def->target.path, NULL);
- if (VIR_ALLOC_N(writebuf, st.st_blksize) != 0) {
- virReportOOMError();
+ if (virCommandRun(cmd, NULL) < 0)
goto out;
- }
- ret = storageWipeExtent(def,
- fd,
- 0,
- def->allocation,
- writebuf,
- st.st_blksize,
- &bytes_wiped);
+ ret = 0;
+#endif
+ goto out;
+ } else {
+ if (S_ISREG(st.st_mode) && st.st_blocks < (st.st_size / DEV_BSIZE)) {
+ ret = storageVolumeZeroSparseFile(def, st.st_size, fd);
+ } else {
+
+ if (VIR_ALLOC_N(writebuf, st.st_blksize) != 0) {
+ virReportOOMError();
+ goto out;
+ }
+
+ ret = storageWipeExtent(def,
+ fd,
+ 0,
+ def->allocation,
+ writebuf,
+ st.st_blksize,
+ &bytes_wiped);
+ }
}
out:
+ virCommandFree(cmd);
VIR_FREE(writebuf);
-
VIR_FORCE_CLOSE(fd);
-
return ret;
}
static int
-storageVolumeWipe(virStorageVolPtr obj,
- unsigned int flags)
+storageVolumeWipePattern(virStorageVolPtr obj,
+ unsigned int algorithm,
+ unsigned int flags)
{
virStorageDriverStatePtr driver = obj->conn->storagePrivateData;
virStoragePoolObjPtr pool = NULL;
virCheckFlags(0, -1);
+ if (algorithm >= VIR_STORAGE_VOL_WIPE_ALG_LAST) {
+ virStorageReportError(VIR_ERR_INVALID_ARG,
+ _("wiping algorithm %d not supported"),
+ algorithm);
+ return -1;
+ }
+
storageDriverLock(driver);
pool = virStoragePoolObjFindByName(&driver->pools, obj->pool);
storageDriverUnlock(driver);
goto out;
}
- if (storageVolumeWipeInternal(vol) == -1) {
+ if (storageVolumeWipeInternal(vol, algorithm) == -1) {
goto out;
}
}
+static int
+storageVolumeWipe(virStorageVolPtr obj,
+ unsigned int flags)
+{
+ return storageVolumeWipePattern(obj, VIR_STORAGE_VOL_WIPE_ALG_ZERO, flags);
+}
+
static int
storageVolumeDelete(virStorageVolPtr obj,
unsigned int flags) {
.volUpload = storageVolumeUpload, /* 0.9.0 */
.volDelete = storageVolumeDelete, /* 0.4.0 */
.volWipe = storageVolumeWipe, /* 0.8.0 */
+ .volWipePattern = storageVolumeWipePattern, /* 0.9.10 */
.volGetInfo = storageVolumeGetInfo, /* 0.4.0 */
.volGetXMLDesc = storageVolumeGetXMLDesc, /* 0.4.0 */
.volGetPath = storageVolumeGetPath, /* 0.4.0 */
static const vshCmdOptDef opts_vol_wipe[] = {
{"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("vol name, key or path")},
{"pool", VSH_OT_STRING, 0, N_("pool name or uuid")},
+ {"algorithm", VSH_OT_STRING, 0, N_("perform selected wiping algorithm")},
{NULL, 0, 0, NULL}
};
+VIR_ENUM_DECL(virStorageVolWipeAlgorithm)
+VIR_ENUM_IMPL(virStorageVolWipeAlgorithm, VIR_STORAGE_VOL_WIPE_ALG_LAST,
+ "zero", "nnsa", "dod", "bsi", "gutmann", "schneier",
+ "pfitzner7", "pfitzner33", "random");
+
static bool
cmdVolWipe(vshControl *ctl, const vshCmd *cmd)
{
virStorageVolPtr vol;
- bool ret = true;
+ bool ret = false;
const char *name;
+ const char *algorithm_str = NULL;
+ int algorithm = VIR_STORAGE_VOL_WIPE_ALG_ZERO;
+ int funcRet;
if (!vshConnectionUsability(ctl, ctl->conn))
return false;
return false;
}
- if (virStorageVolWipe(vol, 0) == 0) {
- vshPrint(ctl, _("Vol %s wiped\n"), name);
- } else {
+ if (vshCommandOptString(cmd, "algorithm", &algorithm_str) < 0) {
+ vshError(ctl, "%s", _("missing argument"));
+ goto out;
+ }
+
+ if (algorithm_str &&
+ (algorithm = virStorageVolWipeAlgorithmTypeFromString(algorithm_str)) < 0) {
+ vshError(ctl, _("Unsupported algorithm '%s'"), algorithm_str);
+ goto out;
+ }
+
+ if ((funcRet = virStorageVolWipePattern(vol, algorithm, 0)) < 0) {
+ if (last_error->code == VIR_ERR_NO_SUPPORT &&
+ algorithm == VIR_STORAGE_VOL_WIPE_ALG_ZERO)
+ funcRet = virStorageVolWipe(vol, 0);
+ }
+
+ if (funcRet < 0) {
vshError(ctl, _("Failed to wipe vol %s"), name);
- ret = false;
+ goto out;
}
+ vshPrint(ctl, _("Vol %s wiped\n"), name);
+ ret = true;
+out:
virStorageVolFree(vol);
return ret;
}
I<--offset> is the position in the storage volume at which to start reading
the data. I<--length> is an upper bound of the amount of data to be downloaded.
-=item B<vol-wipe> [I<--pool> I<pool-or-uuid>] I<vol-name-or-key-or-path>
+=item B<vol-wipe> [I<--pool> I<pool-or-uuid>] [I<--algorithm> I<algorithm>]
+I<vol-name-or-key-or-path>
Wipe a volume, ensure data previously on the volume is not accessible to
future reads. I<--pool> I<pool-or-uuid> is the name or UUID of the storage
pool the volume is in.
I<vol-name-or-key-or-path> is the name or key or path of the volume to wipe.
+It is possible to choose different wiping algorithms instead of re-writing
+volume with zeroes. This can be done via I<--algorithm> switch.
+
+B<Supported algorithms>
+ zero - 1-pass all zeroes
+ nnsa - 4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for
+ sanitizing removable and non-removable hard disks:
+ random x2, 0x00, verify.
+ dod - 4-pass DoD 5220.22-M section 8-306 procedure for
+ sanitizing removeable and non-removeable rigid
+ disks: random, 0x00, 0xff, verify.
+ bsi - 9-pass method recommended by the German Center of
+ Security in Information Technologies
+ (http://www.bsi.bund.de): 0xff, 0xfe, 0xfd, 0xfb,
+ 0xf7, 0xef, 0xdf, 0xbf, 0x7f.
+ gutmann - The canonical 35-pass sequence described in
+ Gutmann's paper.
+ schneier - 7-pass method described by Bruce Schneier in
+ "Applied Cryptography" (1996): 0x00, 0xff,
+ random x5.
+ pfitzner7 - Roy Pfitzner's 7-random-pass method: random x7.
+ pfitzner33 - Roy Pfitzner's 33-random-pass method: random x33.
+ random - 1-pass pattern: random.
=item B<vol-dumpxml> [I<--pool> I<pool-or-uuid>] I<vol-name-or-key-or-path>
projects / libvirt.git / commitdiff