New filter: luks

This filter allows you to open, read and write LUKSv1 disk images,
compatible with the ones used by dm-crypt and qemu.

Author: rwmjones

TODO

@@ -192,9 +192,6 @@ Suggestions for filters
   connections.  This may even allow a filter to offer a more parallel
   threading model than the underlying plugin.
 
-* LUKS encrypt/decrypt filter, bonus points if compatible with qemu
-  LUKS-encrypted disk images
-
 * CBT filter to track dirty blocks.  See these links for inspiration:
   https://www.cloudandheat.com/block-level-data-tracking-using-davice-mappers-dm-era/
   https://github.com/qemu/qemu/blob/master/docs/interop/bitmaps.rst
@@ -229,6 +226,14 @@ Suggestions for filters
   could inject a flush after pausing.  However this requires that
   filter background threads have access to the plugin (see above).
 
+nbdkit-luks-filter:
+
+* This filter should also support LUKSv2 (and so should qemu).
+
+* There are some missing features: ESSIV, more ciphers.
+
+* Implement trim and zero if possible.
+
 nbdkit-readahead-filter:
 
 * The filter should open a new connection to the plugin per background

configure.ac

@@ -127,6 +127,7 @@ filters="\
         ip \
         limit \
         log \
+        luks \
         multi-conn \
         nocache \
         noextents \
@@ -614,8 +615,9 @@ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
 ], [
     AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
 ])
+AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
 
-AS_IF([test "$GNUTLS_LIBS" != ""],[
+AS_IF([test "x$GNUTLS_LIBS" != "x"],[
     AC_MSG_CHECKING([for default TLS session priority string])
     AC_ARG_WITH([tls-priority],
         [AS_HELP_STRING([--with-tls-priority],
@@ -1379,6 +1381,7 @@ AC_CONFIG_FILES([Makefile
                  filters/ip/Makefile
                  filters/limit/Makefile
                  filters/log/Makefile
+                 filters/luks/Makefile
                  filters/multi-conn/Makefile
                  filters/nocache/Makefile
                  filters/noextents/Makefile
@@ -1495,6 +1498,8 @@ feature "ext2 ................................... " \
         test "x$HAVE_EXT2_TRUE" = "x"
 feature "gzip ................................... " \
         test "x$HAVE_ZLIB_TRUE" = "x"
+feature "LUKS ................................... " \
+        test "x$HAVE_GNUTLS_TRUE" != "x"
 feature "xz ..................................... " \
         test "x$HAVE_LIBLZMA_TRUE" = "x"
 

docs/nbdkit-tls.pod

@@ -364,6 +364,7 @@ More information can be found in L<gnutls_priority_init(3)>.
 =head1 SEE ALSO
 
 L<nbdkit(1)>,
+L<nbdkit-luks-filter(1)>,
 L<nbdkit-tls-fallback-filter(1)>,
 L<nbdcopy(1)>,
 L<nbdfuse(1)>,

filters/luks/Makefile.am

@@ -0,0 +1,77 @@
+# nbdkit
+# Copyright (C) 2019-2022 Red Hat Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# * Neither the name of Red Hat nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+include $(top_srcdir)/common-rules.mk
+
+EXTRA_DIST = nbdkit-luks-filter.pod
+
+if HAVE_GNUTLS
+
+filter_LTLIBRARIES = nbdkit-luks-filter.la
+
+nbdkit_luks_filter_la_SOURCES = \
+	luks.c \
+	$(top_srcdir)/include/nbdkit-filter.h \
+	$(NULL)
+
+nbdkit_luks_filter_la_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	-I$(top_srcdir)/common/include \
+	-I$(top_srcdir)/common/utils \
+	$(NULL)
+nbdkit_luks_filter_la_CFLAGS = \
+	$(WARNINGS_CFLAGS) \
+	$(GNUTLS_CFLAGS) \
+	$(NULL)
+nbdkit_luks_filter_la_LIBADD = \
+	$(top_builddir)/common/utils/libutils.la \
+	$(IMPORT_LIBRARY_ON_WINDOWS) \
+	$(GNUTLS_LIBS) \
+	$(NULL)
+nbdkit_luks_filter_la_LDFLAGS = \
+	-module -avoid-version -shared $(NO_UNDEFINED_ON_WINDOWS) \
+	-Wl,--version-script=$(top_srcdir)/filters/filters.syms \
+	$(NULL)
+
+if HAVE_POD
+
+man_MANS = nbdkit-luks-filter.1
+CLEANFILES += $(man_MANS)
+
+nbdkit-luks-filter.1: nbdkit-luks-filter.pod \
+		$(top_builddir)/podwrapper.pl
+	$(PODWRAPPER) --section=1 --man $@ \
+	    --html $(top_builddir)/html/$@.html \
+	    $<
+
+endif HAVE_POD
+
+endif