vbox的更動 55182 路徑 trunk/src/VBox/Main/src-client/ConsoleImpl.cpp

時間撮記:

2015-4-10 下午02:26:59 (10 年 以前)

作者:

vboxsync

訊息:

Main,FE/VBoxManage: Support exporting machines as appliances which have encrypted disks. Because the OVF standard doesn't support encrypted disks so far we always decrypt exported images which requires the password before starting the export proess

檔案:

• trunk/src/VBox/Main/src-client/ConsoleImpl.cpp (修改) (18 筆差異)

trunk/src/VBox/Main/src-client/ConsoleImpl.cpp

@@ -430 +430 @@
 #endif
     , mBusMgr(NULL)
+    , m_pKeyStore(NULL)
     , mpIfSecKey(NULL)
     , mpIfSecKeyHlp(NULL)
@@ -627 +628 @@
 #endif
 
+        unconst(m_pKeyStore) = new SecretKeyStore(true /* fKeyBufNonPageable */);
+        AssertReturn(m_pKeyStore, E_FAIL);
+
         /* VirtualBox events registration. */
         {
@@ -768 +772 @@
     }
 
+    if (m_pKeyStore)
+    {
+        delete m_pKeyStore;
+        unconst(m_pKeyStore) = NULL;
+    }
+
     m_mapGlobalSharedFolders.clear();
     m_mapMachineSharedFolders.clear();
@@ -774 +784 @@
     mRemoteUSBDevices.clear();
     mUSBDevices.clear();
-
-    for (SecretKeyMap::iterator it = m_mapSecretKeys.begin();
-         it != m_mapSecretKeys.end();
-         it++)
-        delete it->second;
-    m_mapSecretKeys.clear();
 
     if (mVRDEServerInfo)
@@ -3368 +3372 @@
     AutoWriteLock alock(this COMMA_LOCKVAL_SRC_POS);
 
-    /* Check that the ID is not existing already. */
-    SecretKeyMap::const_iterator it = m_mapSecretKeys.find(aId);
-    if (it != m_mapSecretKeys.end())
-        return setError(VBOX_E_OBJECT_IN_USE, tr("A password with the given ID already exists"));
-
     HRESULT hrc = S_OK;
     size_t cbKey = aPassword.length() + 1; /* Include terminator */
-    uint8_t *pbKey = NULL;
-    int rc = RTMemSaferAllocZEx((void **)&pbKey, cbKey, RTMEMSAFER_F_REQUIRE_NOT_PAGABLE);
+    const uint8_t *pbKey = (const uint8_t *)aPassword.c_str();
+
+    int rc = m_pKeyStore->addSecretKey(aId, pbKey, cbKey);
     if (RT_SUCCESS(rc))
     {
         unsigned cDisksConfigured = 0;
-        memcpy(pbKey, aPassword.c_str(), cbKey);
-
-        /* Scramble content to make retrieving the key more difficult. */
-        rc = RTMemSaferScramble(pbKey, cbKey);
-        AssertRC(rc);
-        SecretKey *pKey = new SecretKey(pbKey, cbKey, !!aClearOnSuspend);
-        /* Add the key to the map */
-        m_mapSecretKeys.insert(std::make_pair(aId, pKey));
+
         hrc = i_configureEncryptionForDisk(aId, &cDisksConfigured);
         if (SUCCEEDED(hrc))
         {
-            pKey->m_cDisks = cDisksConfigured;
+            SecretKey *pKey = NULL;
+            rc = m_pKeyStore->retainSecretKey(aId, &pKey);
+            AssertRCReturn(rc, E_FAIL);
+
+            pKey->setUsers(cDisksConfigured);
+            pKey->setRemoveOnSuspend(!!aClearOnSuspend);
+            m_pKeyStore->releaseSecretKey(aId);
             m_cDisksPwProvided += cDisksConfigured;
 
@@ -3411 +3410 @@
             }
         }
-        else
-            m_mapSecretKeys.erase(aId);
-    }
+    }
+    else if (rc == VERR_ALREADY_EXISTS)
+        hrc = setError(VBOX_E_OBJECT_IN_USE, tr("A password with the given ID already exists"));
+    else if (rc == VERR_NO_MEMORY)
+        hrc = setError(E_FAIL, tr("Failed to allocate enough secure memory for the key"));
     else
-        return setError(E_FAIL, tr("Failed to allocate secure memory for the password (%Rrc)"), rc);
+        hrc = setError(E_FAIL, tr("Unknown error happened while adding a password (%Rrc)"), rc);
 
     return hrc;
@@ -3437 +3438 @@
     for (unsigned i = 0; i < aIds.size(); i++)
     {
-        SecretKeyMap::const_iterator it = m_mapSecretKeys.find(aIds[i]);
-        if (it != m_mapSecretKeys.end())
+        SecretKey *pKey = NULL;
+        int rc = m_pKeyStore->retainSecretKey(aIds[i], &pKey);
+        if (rc != VERR_NOT_FOUND)
+        {
+            AssertPtr(pKey);
+            if (pKey)
+                pKey->release();
             return setError(VBOX_E_OBJECT_IN_USE, tr("A password with the given ID already exists"));
+        }
     }
 
     for (unsigned i = 0; i < aIds.size(); i++)
     {
-        size_t cbKey = aPasswords[i].length() + 1; /* Include terminator */
-        uint8_t *pbKey = NULL;
-        int rc = RTMemSaferAllocZEx((void **)&pbKey, cbKey, RTMEMSAFER_F_REQUIRE_NOT_PAGABLE);
-        if (RT_SUCCESS(rc))
-        {
-            unsigned cDisksConfigured = 0;
-            memcpy(pbKey, aPasswords[i].c_str(), cbKey);
-
-            /* Scramble content to make retrieving the key more difficult. */
-            rc = RTMemSaferScramble(pbKey, cbKey);
-            AssertRC(rc);
-            SecretKey *pKey = new SecretKey(pbKey, cbKey, !!aClearOnSuspend);
-            /* Add the key to the map */
-            m_mapSecretKeys.insert(std::make_pair(aIds[i], pKey));
-            hrc = i_configureEncryptionForDisk(aIds[i], &cDisksConfigured);
-            if (FAILED(hrc))
-                m_mapSecretKeys.erase(aIds[i]);
-            else
-                pKey->m_cDisks = cDisksConfigured;
-        }
-        else
-            hrc = setError(E_FAIL, tr("Failed to allocate secure memory for the password (%Rrc)"), rc);
-
+        hrc = addDiskEncryptionPassword(aIds[i], aPasswords[i], aClearOnSuspend);
         if (FAILED(hrc))
         {
@@ -3484 +3469 @@
     }
 
-    if (   SUCCEEDED(hrc)
-        && m_cDisksPwProvided == m_cDisksEncrypted
-        && mMachineState == MachineState_Paused)
-    {
-        /* get the VM handle. */
-        SafeVMPtr ptrVM(this);
-        if (!ptrVM.isOk())
-            return ptrVM.rc();
-
-        alock.release();
-        int vrc = VMR3Resume(ptrVM.rawUVM(), VMRESUMEREASON_RECONFIG);
-
-        hrc = RT_SUCCESS(vrc) ? S_OK :
-                setError(VBOX_E_VM_ERROR,
-                         tr("Could not resume the machine execution (%Rrc)"), vrc);
-    }
-
     return hrc;
 }
@@ -3511 +3479 @@
     AutoWriteLock alock(this COMMA_LOCKVAL_SRC_POS);
 
-    SecretKeyMap::iterator it = m_mapSecretKeys.find(aId);
-    if (it == m_mapSecretKeys.end())
-        return setError(VBOX_E_OBJECT_NOT_FOUND, tr("A password with the given ID does not exist"));
-
-    SecretKey *pKey = it->second;
-    if (pKey->m_cRefs)
-        return setError(VBOX_E_OBJECT_IN_USE, tr("The password is still in use by the VM"));
-
-    m_cDisksPwProvided -= pKey->m_cDisks;
-    m_mapSecretKeys.erase(it);
-    delete pKey;
+    SecretKey *pKey = NULL;
+    int rc = m_pKeyStore->retainSecretKey(aId, &pKey);
+    if (RT_SUCCESS(rc))
+    {
+        m_cDisksPwProvided -= pKey->getUsers();
+        m_pKeyStore->releaseSecretKey(aId);
+        rc = m_pKeyStore->deleteSecretKey(aId);
+        AssertRCReturn(rc, E_FAIL);
+    }
+    else if (rc == VERR_NOT_FOUND)
+        return setError(VBOX_E_OBJECT_NOT_FOUND, tr("A password with the ID \"%s\" does not exist"),
+                                                 aId.c_str());
+    else
+        return setError(E_FAIL, tr("Failed to remove password with ID \"%s\" (%Rrc)"),
+                                aId.c_str(), rc);
 
     return S_OK;
@@ -3530 +3502 @@
     AutoWriteLock alock(this COMMA_LOCKVAL_SRC_POS);
 
-    /* First check whether a password is still in use. */
-    for (SecretKeyMap::iterator it = m_mapSecretKeys.begin();
-        it != m_mapSecretKeys.end();
-        it++)
-    {
-        SecretKey *pKey = it->second;
-        if (pKey->m_cRefs)
-            return setError(VBOX_E_OBJECT_IN_USE, tr("The password with ID \"%s\" is still in use by the VM"),
-                            it->first.c_str());
-    }
-
-    for (SecretKeyMap::iterator it = m_mapSecretKeys.begin();
-        it != m_mapSecretKeys.end();
-        it++)
-        delete it->second;
-    m_mapSecretKeys.clear();
+    int rc = m_pKeyStore->deleteAllSecretKeys(false /* fSuspend */, false /* fForce */);
+    if (rc == VERR_RESOURCE_IN_USE)
+        return setError(VBOX_E_OBJECT_IN_USE, tr("A password is still in use by the VM"));
+    else if (RT_FAILURE(rc))
+        return setError(E_FAIL, tr("Deleting all passwords failed (%Rrc)"));
+
     m_cDisksPwProvided = 0;
-
     return S_OK;
 }
@@ -3598 +3559 @@
         case StorageControllerType_USB:
             return "Msd";
+        case StorageControllerType_NVMe:
+            return "nvme";
         default:
             return NULL;
@@ -5073 +5036 @@
                 if (RT_SUCCESS(rc))
                 {
-                    SecretKey *pKey = new SecretKey(pbKey, cbKey, true /* fRemoveOnSuspend */);
-                    /* Add the key to the map */
-                    m_mapSecretKeys.insert(std::make_pair(Utf8Str(pszUuid), pKey));
-                    hrc = i_configureEncryptionForDisk(Utf8Str(pszUuid), NULL);
-                    if (FAILED(hrc))
+                    rc = m_pKeyStore->addSecretKey(Utf8Str(pszUuid), pbKey, cbKey);
+                    if (RT_SUCCESS(rc))
                     {
-                        /* Delete the key from the map. */
-                        m_mapSecretKeys.erase(Utf8Str(pszUuid));
+                        hrc = i_configureEncryptionForDisk(Utf8Str(pszUuid), NULL);
+                        if (FAILED(hrc))
+                        {
+                            /* Delete the key from the map. */
+                            rc = m_pKeyStore->deleteSecretKey(Utf8Str(pszUuid));
+                            AssertRC(rc);
+                        }
                     }
                 }
@@ -5087 +5052 @@
                                    tr("Failed to decode the key (%Rrc)"),
                                    rc);
+
+                RTMemSaferFree(pbKey, cbKey);
             }
             else
@@ -5133 +5100 @@
 {
     /* Remove keys which are supposed to be removed on a suspend. */
-    SecretKeyMap::iterator it = m_mapSecretKeys.begin();
-    while (it != m_mapSecretKeys.end())
-    {
-        SecretKey *pKey = it->second;
-        if (pKey->m_fRemoveOnSuspend)
-        {
-            /* Unconfigure disk encryption from all attachments associated with this key. */
-            i_clearDiskEncryptionKeysOnAllAttachmentsWithKeyId(it->first);
-
-            AssertMsg(!pKey->m_cRefs, ("No one should access the stored key at this point anymore!\n"));
-            m_cDisksPwProvided -= pKey->m_cDisks;
-            delete pKey;
-            m_mapSecretKeys.erase(it++);
-        }
-        else
-            it++;
-    }
+    int rc = m_pKeyStore->deleteAllSecretKeys(true /* fSuspend */, true /* fForce */);
 }
 
@@ -10682 +10633 @@
 
     AutoReadLock thatLock(pConsole COMMA_LOCKVAL_SRC_POS);
-    SecretKeyMap::const_iterator it = pConsole->m_mapSecretKeys.find(Utf8Str(pszId));
-    if (it != pConsole->m_mapSecretKeys.end())
-    {
-        SecretKey *pKey = (*it).second;
-
-        ASMAtomicIncU32(&pKey->m_cRefs);
-        *ppbKey = pKey->m_pbKey;
-        *pcbKey = pKey->m_cbKey;
-        return VINF_SUCCESS;
-    }
-
-    return VERR_NOT_FOUND;
+    SecretKey *pKey = NULL;
+
+    int rc = pConsole->m_pKeyStore->retainSecretKey(Utf8Str(pszId), &pKey);
+    if (RT_SUCCESS(rc))
+    {
+        *ppbKey = (const uint8_t *)pKey->getKeyBuffer();
+        *pcbKey = pKey->getKeySize();
+    }
+
+    return rc;
 }
 
@@ -10705 +10654 @@
 
     AutoReadLock thatLock(pConsole COMMA_LOCKVAL_SRC_POS);
-    SecretKeyMap::const_iterator it = pConsole->m_mapSecretKeys.find(Utf8Str(pszId));
-    if (it != pConsole->m_mapSecretKeys.end())
-    {
-        SecretKey *pKey = (*it).second;
-        ASMAtomicDecU32(&pKey->m_cRefs);
-        return VINF_SUCCESS;
-    }
-
-    return VERR_NOT_FOUND;
+    return pConsole->m_pKeyStore->releaseSecretKey(Utf8Str(pszId));
 }
 
@@ -10725 +10666 @@
 
     AutoReadLock thatLock(pConsole COMMA_LOCKVAL_SRC_POS);
-    SecretKeyMap::const_iterator it = pConsole->m_mapSecretKeys.find(Utf8Str(pszId));
-    if (it != pConsole->m_mapSecretKeys.end())
-    {
-        SecretKey *pKey = (*it).second;
-
-        uint32_t cRefs = ASMAtomicIncU32(&pKey->m_cRefs);
-        if (cRefs == 1)
-        {
-            int rc = RTMemSaferUnscramble(pKey->m_pbKey, pKey->m_cbKey);
-            AssertRC(rc);
-        }
-        *ppszPassword = (const char *)pKey->m_pbKey;
-        return VINF_SUCCESS;
-    }
-
-    return VERR_NOT_FOUND;
+    SecretKey *pKey = NULL;
+
+    int rc = pConsole->m_pKeyStore->retainSecretKey(Utf8Str(pszId), &pKey);
+    if (RT_SUCCESS(rc))
+        *ppszPassword = (const char *)pKey->getKeyBuffer();
+
+    return rc;
 }
 
@@ -10752 +10684 @@
 
     AutoReadLock thatLock(pConsole COMMA_LOCKVAL_SRC_POS);
-    SecretKeyMap::const_iterator it = pConsole->m_mapSecretKeys.find(Utf8Str(pszId));
-    if (it != pConsole->m_mapSecretKeys.end())
-    {
-        SecretKey *pKey = (*it).second;
-        uint32_t cRefs = ASMAtomicDecU32(&pKey->m_cRefs);
-        if (!cRefs)
-        {
-            int rc = RTMemSaferScramble(pKey->m_pbKey, pKey->m_cbKey);
-            AssertRC(rc);
-        }
-        return VINF_SUCCESS;
-    }
-
-    return VERR_NOT_FOUND;
+    return pConsole->m_pKeyStore->releaseSecretKey(Utf8Str(pszId));
 }