Re: [RFC][PATCH v1 0/4] How to add --set=VARNAME to the ls command?

2024-06-30 Thread Denis 'GNUtoo' Carikli
On Sun, 30 Jun 2024 20:05:10 +0300
"Vladimir 'phcoder' Serbinenko"  wrote:

> Did you try:
> insmod regexp
> for x in (*); do
> 
> done
> Just trying to understand the problem
I didn't know that was possible, the command you gave me works fine and
fits the bill even better than my half-baked patches.

Thanks a lot.

Denis.




[RFC][PATCH v1 1/4] Add grub_env_append function.

2024-06-30 Thread Denis 'GNUtoo' Carikli
If the given environment variable doesn't exist, grub_env_append will
have the same effect as grub_env_set. But if the variable does exist,
grub_env_append will append the given content to the variable's
existing content.

This can be used to build a command that can append data to an
existing variable.

The goal here is to more easily add --set=VARNAME arguments to current
commands like it is done in the probe command for instance.

This is because in the code of some commands (like ls) GRUB start
printing information directly to the output instead of building a big
string and only printing the information when done building it.

And so having something like grub_env_append that is closer to this
behavior helps adding --set=VARNAME to various commands (like ls).

Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/kern/env.c | 38 ++
 include/grub/env.h   |  1 +
 2 files changed, 39 insertions(+)

diff --git a/grub-core/kern/env.c b/grub-core/kern/env.c
index 764068896..24ba42bb8 100644
--- a/grub-core/kern/env.c
+++ b/grub-core/kern/env.c
@@ -129,6 +129,44 @@ grub_env_set (const char *name, const char *val)
   return grub_errno;
 }
 
+grub_err_t
+grub_env_append (const char *name, const char *val)
+{
+  struct grub_env_var *var;
+
+  /* If the variable does already exist, append val to the variable content.  
*/
+  var = grub_env_find (name);
+  if (var)
+{
+  char *old = var->value;
+  char *new;
+
+  new = grub_zalloc (grub_strlen(old) + grub_strlen(val) + 1);
+  if (!new)
+return grub_errno;
+
+  grub_strcpy (new, old);
+  grub_strcpy (new + grub_strlen(new), val);
+
+  if (var->write_hook)
+var->value = var->write_hook (var, new);
+  else
+var->value = grub_strdup (new);
+
+  if (! var->value)
+{
+  var->value = old;
+  grub_free (new);
+  return grub_errno;
+}
+
+  grub_free (old);
+  return GRUB_ERR_NONE;
+}
+
+  return grub_env_set (name, val);
+}
+
 const char *
 grub_env_get (const char *name)
 {
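Review bot: `new` is never released on the success path of grub_env_append: the no-hook branch stores `grub_strdup (new)` and the function then frees only `old`, so every append leaks a buffer as large as the whole value. Without a write hook the freshly built string can be stored directly, `var->value = new;`, and in the hook branch `grub_free (new);` belongs after the hook returns, assuming the hook hands back its own copy as the strdup branch suggests. The size `grub_strlen(old) + grub_strlen(val) + 1` is also computed without an overflow check and `val` is dereferenced without a NULL test; since later patches in the series feed file-system names through this function, a checked addition (`grub_add`) before grub_zalloc would be prudent.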
diff --git a/include/grub/env.h b/include/grub/env.h
index 6b9379a30..e62786006 100644
--- a/include/grub/env.h
+++ b/include/grub/env.h
@@ -44,6 +44,7 @@ struct grub_env_var
 };
 
 grub_err_t EXPORT_FUNC(grub_env_set) (const char *name, const char *val);
+grub_err_t EXPORT_FUNC(grub_env_append) (const char *name, const char *val);
 const char *EXPORT_FUNC(grub_env_get) (const char *name);
 bool EXPORT_FUNC(grub_env_get_bool) (const char *name, bool if_unset);
 void EXPORT_FUNC(grub_env_unset) (const char *name);
-- 
2.45.1




[RFC][PATCH v1 4/4] commands/ls: support --set for files/directories.

2024-06-30 Thread Denis 'GNUtoo' Carikli
The ls command has no way to get the name of the files or directories
being listed inside an environment variable.

This makes it possible, from inside grub.cfg, to look for files
programmatically and react depending on whether they are found.

Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/commands/ls.c | 192 ++--
 1 file changed, 166 insertions(+), 26 deletions(-)

diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
index 113235781..8a6528caa 100644
--- a/grub-core/commands/ls.c
+++ b/grub-core/commands/ls.c
@@ -127,6 +127,7 @@ struct grub_ls_list_files_ctx
   char *dirname;
   int all;
   int human;
+  char *varname;
 };
 
 /* Helper for grub_ls_list_files.  */
@@ -137,7 +138,17 @@ print_files (const char *filename, const struct 
grub_dirhook_info *info,
   struct grub_ls_list_files_ctx *ctx = data;
 
   if (ctx->all || filename[0] != '.')
-grub_printf ("%s%s ", filename, info->dir ? "/" : "");
+  {
+if (ctx->varname)
+  {
+   grub_env_append (ctx->varname, filename);
+   grub_env_append (ctx->varname, info->dir ? "/" : "");
+  }
+else
+  {
+   grub_printf ("%s%s ", filename, info->dir ? "/" : "");
+  }
+  }
 
   return 0;
 }
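Review bot: The `--set` branch of print_files drops the separator that the console branch prints with `"%s%s "`, so successive entries are appended back to back and the variable cannot be split again in a `for` loop. Append a `" "` between entries, as grub_ls_print_devices does for device names in patch 3/4, and check the result of grub_env_append so that an allocation failure does not leave a silently truncated list. File names come from the file system being listed and may themselves contain spaces, so a comment stating that the variable is a space-separated list, ambiguous for such names, would help script authors who act on the result.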
@@ -158,9 +169,26 @@ print_files_long (const char *filename, const struct 
grub_dirhook_info *info,
   char *pathname;
 
   if (ctx->dirname[grub_strlen (ctx->dirname) - 1] == '/')
-   pathname = grub_xasprintf ("%s%s", ctx->dirname, filename);
+   if (ctx->varname)
+ {
+   grub_env_append (ctx->varname, ctx->dirname);
+   grub_env_append (ctx->varname, filename);
+ }
+   else
+ {
+   pathname = grub_xasprintf ("%s%s", ctx->dirname, filename);
+ }
   else
-   pathname = grub_xasprintf ("%s/%s", ctx->dirname, filename);
+   if (ctx->varname)
+ {
+   grub_env_append (ctx->varname, ctx->dirname);
+   grub_env_append (ctx->varname, "/");
+   grub_env_append (ctx->varname, filename);
+ }
+   else
+ {
+   pathname = grub_xasprintf ("%s/%s", ctx->dirname, filename);
+ }
 
   if (!pathname)
return 1;
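Review bot: `pathname` is left uninitialised whenever `ctx->varname` is set, because both `--set` branches only call grub_env_append and never assign it, yet the next statement tests `if (!pathname)` and the following hunk shows it being passed to grub_free. That is a read of an indeterminate pointer followed by a free of it. Build the path unconditionally with the two original `pathname = grub_xasprintf (...)` lines and append the finished string after the NULL check, `if (ctx->varname) grub_env_append (ctx->varname, pathname);`. print_files_long starts before and continues after this hunk.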
@@ -172,38 +200,144 @@ print_files_long (const char *filename, const struct 
grub_dirhook_info *info,
   if (file)
{
  if (! ctx->human)
-   grub_printf ("%-12llu", (unsigned long long) file->size);
+   if (ctx->varname)
+ {
+   char *str = grub_xasprintf("%-12llu",
+  (unsigned long long) file->size);
+   if (str)
+ {
+   grub_env_append (ctx->varname, str);
+   grub_free (str);
+ }
+   else
+ {
+   grub_error (GRUB_ERR_OUT_OF_MEMORY,
+   "print_files_long :grub_xasprintf failed.");
+   return 0;
+ }
+ }
+   else
+ {
+   grub_printf ("%-12llu", (unsigned long long) file->size);
+ }
  else
-   grub_printf ("%-12s", grub_get_human_size (file->size,
-  GRUB_HUMAN_SIZE_SHORT));
+   if (ctx->varname)
+ {
+   char *str = grub_xasprintf("%-12s",
+  grub_get_human_size (file->size,
+   
GRUB_HUMAN_SIZE_SHORT));
+   if (str)
+ {
+   grub_env_append (ctx->varname, str);
+   grub_free (str);
+ }
+   else
+ {
+   grub_error (GRUB_ERR_OUT_OF_MEMORY,
+   "print_files_long: grub_xasprintf failed.");
+   return 0;
+ }
+ }
+   else
+ {
+   grub_printf ("%-12s", grub_get_human_size (file->size,
+  
GRUB_HUMAN_SIZE_SHORT));
+ }
  grub_file_close (file);
}
   else
-   grub_xputs ("");
+   if (ctx->varname)
+ grub_env_append (ctx->varname, "");
+   else
+ grub_xputs ("");
 
   grub_free (pathname);
   grub_errno = GRUB_ERR_NONE;
 }
   else
-grub_printf ("%-12s", _("DIR"));
+if (ctx->varname)
+  {
+   char *str = grub_xasprintf("%-12s",

[RFC][PATCH v1 3/4] commands/ls: add --set=VARNAME.

2024-06-30 Thread Denis 'GNUtoo' Carikli
There is currently no way to get a list of devices being found inside
an environment variable.

The GNU Boot project is a boot firmware distribution that currently
ships images with a deblobbed Coreboot, GRUB, and a hand-made GRUB
configuration.

Once installed, the GRUB provided by GNU Boot is supposed to try to
find the GRUB configuration of the (usually GNU/Linux) distribution
that is installed on the computer.

To do that, GNU Boot images include a hand-made GRUB configuration
that has hardcoded device names like md/0 or ahci0, loops over them,
and tests whether grub.cfg is found in hardcoded paths like
/grub.cfg, /boot/grub.cfg, etc.

But that cannot work for LVM2 volume that have names chosen by the
user or that differ between GNU/Linux distribution.

So having a '--set=VARNAME' option in 'ls' can enable to loop over
all the device found or even build a list of LVM devices like that:

ls --set=devices
for device in $devices ; do
if regexp ^lvm/ $device ; then
   append lvmvol=" $device"
fi
done

Then the GRUB configuration shipped by GNU Boot would simply try the
various hardcoded location of grub.cfg and boot on the first one being
found.

Right now this change only adds the ability to list devices, it
doesn't support the '-l' option.

Listing devices inside a variable also doesn't add the parenthesis
around the devices as this makes the use of the result more easy to
deal with.

Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/commands/ls.c | 69 ++---
 1 file changed, 58 insertions(+), 11 deletions(-)

diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
index 6a1c7f5d3..113235781 100644
--- a/grub-core/commands/ls.c
+++ b/grub-core/commands/ls.c
@@ -37,31 +37,69 @@ GRUB_MOD_LICENSE ("GPLv3+");
 
 static const struct grub_arg_option options[] =
   {
+{"set", 's', 0,
+ N_("Set a variable to return value."), N_("VARNAME"), ARG_TYPE_STRING},
 {"long", 'l', 0, N_("Show a long list with more detailed information."), 
0, 0},
 {"human-readable", 'h', 0, N_("Print sizes in a human readable format."), 
0, 0},
 {"all", 'a', 0, N_("List all files."), 0, 0},
 {0, 0, 0, 0, 0, 0}
   };
 
+/* Context for grub_ls_list_devices.  */
+struct grub_ls_list_devices_ctx
+{
+  int longlist;
+  char *varname;
+};
+
 /* Helper for grub_ls_list_devices.  */
 static int
 grub_ls_print_devices (const char *name, void *data)
 {
-  int *longlist = data;
+  struct grub_ls_list_devices_ctx *ctx = data;
 
-  if (*longlist)
-grub_normal_print_device_info (name);
+  if (ctx->longlist)
+{
+  if (ctx->varname)
+   {
+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "set and longlist");
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
+   }
+
+  grub_normal_print_device_info (name);
+  return 0;
+}
+
+  if (ctx->varname)
+{
+  if (grub_env_get(ctx->varname))
+   grub_env_append (ctx->varname, " ");
+  grub_env_append (ctx->varname, name);
+}
   else
-grub_printf ("(%s) ", name);
+{
+  grub_printf ("(%s) ", name);
+}
 
   return 0;
 }
 
 static grub_err_t
-grub_ls_list_devices (int longlist)
+grub_ls_list_devices (int longlist, char *varname)
 {
-  grub_device_iterate (grub_ls_print_devices, &longlist);
-  grub_xputs ("\n");
+  struct grub_ls_list_devices_ctx ctx = {
+.longlist = longlist,
+.varname = varname,
+  };
+
+  /* Clear the variable content to be able to append inside later on */
+  if (varname)
+grub_env_unset(varname);
+
+  grub_device_iterate (grub_ls_print_devices, &ctx);
+
+  if (!varname)
+grub_xputs ("\n");
 
 #if 0
   {
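Review bot: grub_ls_list_devices calls `grub_env_unset(varname)` before anything rejects the unsupported `-l --set` combination, so that invocation first destroys the caller's variable and only then fails inside the iterate hook. Reject it up front in grub_ls_list_devices, `if (longlist && varname) return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "set and longlist");`, which also removes the need to return an error code from grub_ls_print_devices, whose return value the iterator presumably treats only as a stop flag. The grub_env_append results in the hook are ignored as well; on allocation failure the variable ends up holding a partial device list that a boot script will treat as complete, so the hook should return non-zero when an append fails. The body of grub_ls_list_devices continues past the end of the hunk.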
@@ -171,13 +209,20 @@ print_files_long (const char *filename, const struct 
grub_dirhook_info *info,
 }
 
 static grub_err_t
-grub_ls_list_files (char *dirname, int longlist, int all, int human)
+grub_ls_list_files (char *dirname, int longlist, int all, int human,
+char *varname)
 {
   char *device_name;
   grub_fs_t fs;
   const char *path;
   grub_device_t dev;
 
+  if (varname)
+{
+  grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "set and list files");
+  return GRUB_ERR_NOT_IMPLEMENTED_YET;
+}
+
   device_name = grub_file_get_device_name (dirname);
   dev = grub_device_open (device_name);
   if (! dev)
@@ -278,11 +323,13 @@ grub_cmd_ls (grub_extcmd_context_t ctxt, int argc, char 
**args)
   int i;
 
   if (argc == 0)
-grub_ls_list_devices (state[0].set);
+grub_ls_list_devices (state[1].set,
+ state[0].set ? state[0].arg : NULL);
   else
 for (i = 0; i < argc; i++)
-  grub_ls_list_files (args[i], state[0].set, state[2].set,
- 

[RFC][PATCH v1 0/4] How to add --set=VARNAME to the ls command?

2024-06-30 Thread Denis 'GNUtoo' Carikli
Hi,

The problem we try to solve with --set=VARNAME in ls.
=
In the GNU Boot project (a free software distribution that releases
free software boot firmware images), we provide images with (a
deblobbed) Coreboot and GRUB (run as a Coreboot payload). We use GRUB
mainly to find other configuration files like syslinux.cfg (to boot on
external medias) or grub.cfg (to boot on the (usually GNU/Linux)
distribution installed to the hard disk / SSD).

We also provide images with a SeaBIOS Coreboot payload instead, but we
plan to make the images with GRUB the preferred way of booting
because in practice it works very well with the Coreboot Framebuffer,
and with it we only lack a way to reliably list the devices that are
present in order to also find grub.cfg config files inside
filesystems on LVM logical volumes.

The alternative to using GRUB as a Coreboot payload is to use SeaBIOS
instead but that doesn't work well because when SeaBIOS loads the
(usually GNU/Linux) distribution's GRUB, it results in a black screen
unless the users tweak the /etc/default/grub configuration to use the
'console' output instead of the default gfxterm, and we also want less
technical users to be able to easily use computers with GNU Boot. This
issue is probably due to SeaVGABIOS that probably doesn't fully
implement the VGA standard, so my guess is that fixing this is more
work than adding --set=VARNAME to the 'ls' command.

Our current GRUB configuration file is in our git repository[1] and it
hardcodes devices like ahciX,Y and then tries to find the grub.cfg
with (a limited) number of X,Y combination.

[1]https://git.savannah.gnu.org/cgit/gnuboot.git/tree/resources/grub/config/grub.cfg

Questions about the implementation
==
The patch set that follows is far from optimal:

* The 'commands/ls: add --set=VARNAME.' patch only implements
  --set=VARNAME for 'ls' without other arguments, and it returns an
  error otherwise. I'm not sure if it's the right solution but in
  another hand implementing --set=VARNAME for all the ls command would
  make the patch too big given how the implementation is done (more
  on that later).

* The patches adding --set=VARNAME 'commands/ls: add --set=VARNAME.'
  changes is not very intrusive but the later patch 'commands/ls:
  support --set for files/directories.' shows the broader issue very
  clearly: all the prints are duplicated with some 'if (varname) {
  ... }' construct.

Since here my goal is only to add '--set=VARNAME' for 'ls' without
arguments, what would be the best way to proceed?

Would a patch that doesn't cover all the 'ls' arguments be acceptable?
If not, I guess that the way to go would be to rework a bit the
printing as with the current way, there is too much duplication of
code and it also makes the code harder to follow which in turn makes
maintenance of this code harder.

In this case what kind of API would be acceptable? Should we introduce
some functions that have an argument that can select where to print?

If so would something similar to fprintf be ok? It could be used like
that 'grub_xfprintf( varname ? stdout : varname, "%s\n", "Hello
world");' and make the code more redable than with the 'commands/ls:
support --set for files/directories.' patch.

Denis 'GNUtoo' Carikli (4):
  Add grub_env_append function.
  Add command to append to existing environment variables.
  commands/ls: add --set=VARNAME.
  commands/ls: support --set for files/directories.

 grub-core/commands/ls.c  | 249 ++-
 grub-core/kern/corecmd.c |  25 
 grub-core/kern/env.c |  38 ++
 include/grub/env.h   |   1 +
 4 files changed, 282 insertions(+), 31 deletions(-)

-- 
2.45.1




[RFC][PATCH v1 2/4] Add command to append to existing environment variables.

2024-06-30 Thread Denis 'GNUtoo' Carikli
This can be used to easily filter out the content of an environment
variable with multiple elements:

for elm in $list ; do
if regexp ^grub $elm ; then
   append results=" $elm"
fi
done

The goal is to use it to filter the devices that are
found once we add support for --set=VARNAME inside the ls command.

Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/kern/corecmd.c | 25 +
 1 file changed, 25 insertions(+)

diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
index 62d434ba9..88cf6e4d4 100644
--- a/grub-core/kern/corecmd.c
+++ b/grub-core/kern/corecmd.c
@@ -59,6 +59,28 @@ grub_core_cmd_set (struct grub_command *cmd __attribute__ 
((unused)),
   return 0;
 }
 
+/* Append VALUE to ENVVAR content */
+static grub_err_t
+grub_core_cmd_append (struct grub_command *cmd __attribute__ ((unused)),
+  int argc, char *argv[])
+{
+  char *var;
+  char *val;
+
+  if (argc == 0)
+return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+
+  var = argv[0];
+  val = grub_strchr (var, '=');
+  if (! val)
+return grub_error (GRUB_ERR_BAD_ARGUMENT, "not an assignment");
+
+  val[0] = 0;
+  grub_env_append (var, val + 1);
+
+  return 0;
+}
+
 static grub_err_t
 grub_core_cmd_unset (struct grub_command *cmd __attribute__ ((unused)),
 int argc, char *argv[])
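Review bot: grub_core_cmd_append discards the result of `grub_env_append (var, val + 1)` and always returns 0, so a failed allocation inside the append is reported to the calling script as success. End the function with `return grub_env_append (var, val + 1);`. The `argc == 0` check also lets extra arguments and an empty variable name (an argument that starts with `=`) through silently; a short comment saying whether that is intended would help.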
@@ -182,6 +204,9 @@ grub_register_core_commands (void)
   N_("Set an environment variable."));
   if (cmd)
 cmd->flags |= GRUB_COMMAND_FLAG_EXTRACTOR;
+  grub_register_command ("append", grub_core_cmd_append,
+N_("[ENVVAR=VALUE]"),
+N_("Set an environment variable."));
   grub_register_command ("unset", grub_core_cmd_unset,
 N_("ENVVAR"),
 N_("Remove an environment variable."));
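Review bot: The help strings registered for `append` are copied from `set`: the summary `N_("[ENVVAR=VALUE]")` marks the argument as optional although grub_core_cmd_append returns GRUB_ERR_BAD_ARGUMENT when called without one, and the description still reads "Set an environment variable.". Suggested text is `N_("ENVVAR=VALUE")` and `N_("Append a value to an environment variable.")`.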
-- 
2.45.1




Re: [PATCH 00/12] Grub-shell improvements

2021-08-30 Thread Denis 'GNUtoo' Carikli
On Mon, 30 Aug 2021 17:23:44 +0200
Daniel Kiper  wrote:

> CC-ing Denis and Patrick...
> 
> On Thu, Aug 26, 2021 at 05:08:21PM -0500, Glenn Washburn wrote:
> > Hi Daniel,
> >
> > On Thu, 26 Aug 2021 20:00:32 +0200
> > Daniel Kiper  wrote:
> >
> > > Hi Glenn,
> > >
> > > On Wed, Aug 25, 2021 at 06:06:30PM -0500, Glenn Washburn wrote:
> > > > Hi Daniel,
> > > >
> > > > What are the chances this patch series can be reviewed in the
> > > > near future? Some feedback would be greatly appreciated.
> > >
> > > I can see the following patches from you waiting in my review
> > > queue:
> > >   - [CRYPTO-LUKS v1 00/19] Fixes and improvements for
> > > cryptodisks+luks2 and a few other things.
> > > https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00088.html
> > >   - [CRYPTOMOUNT-TEST 0/7] Add LUKS1/2 tests for cryptomount
> > > https://lists.gnu.org/archive/html/grub-devel/2020-08/msg00010.html
> > >   - [PATCH 0/5] Testing improvements
> > > https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00246.html
> > >   - [CI 00/17] Gitlab CI and test framework improvements
> > > https://lists.gnu.org/archive/html/grub-devel/2021-02/msg00071.html
> > >   - [PROCFS 0/5] Add and improve (proc) entries
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00264.html
> > >   - [PATCH 0/4] Various LUKS2 improvements
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00272.html
> > >   - [PATCH 0/4] Miscellaneous changes to aid in troubleshooting
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00279.html
> > >   - [PATCH] fs: Allow number of blocks in block list to be
> > > optional, defaulting length to device length
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00286.html
> > >   - [PATCH v2 0/2] cryptodisk: Allows UUIDs to be compared in a
> > > dash-insensitive manner
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00344.html
> > >   - [PATCH] command: Add silent mode to read command to suppress
> > > input echo
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00291.html
> > >   - [PATCH 0/2] Allow overriding commands
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00292.html
> > >   - [PATCH 00/12] Grub-shell improvements
> > > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00390.html
> > >   - [PATCH v2 0/8] Various fixes/improvements for tests
> > > https://lists.gnu.org/archive/html/grub-devel/2021-08/msg00110.html
> > >   - [PATCH 0/3] Refactor/improve cryptomount data passing to
> > > crypto modules
> > > https://lists.gnu.org/archive/html/grub-devel/2021-08/msg00129.html
> > >
> > > Please sort them in the order of importance/preference/... Then I
> > > will be looking at them (more or less) in that order, one patch
> > > set at a time.
> > >
> > > I hope I did not miss any of your patches.
> >
> > As far as I can tell, this is the full list.
> 
> Great!
> 
> > My order preference is as follows:
> >
> > These two patches are only first because it should be a quick
> > review.
> >   - [PATCH] command: Add silent mode to read command to suppress
> > input echo
> > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00291.html
> >   - [PATCH] fs: Allow number of blocks in block list to be optional,
> > defaulting length to device length
> > https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00286.html
> 
> OK.
> 
> > This is a high priority because I think it should be merged before
> > the keyfile and detached header support patch series. If this is
> > merged, I'll submit and updated keyfile and detached header patch
> > series that works with this patch series.
> >   - [PATCH 0/3] Refactor/improve cryptomount data passing to crypto
> > modules
> > https://lists.gnu.org/archive/html/grub-devel/2021-08/msg00129.html
> 
> Denis, Patrick, are you both OK with this?
I'm OK with it.

The "Refactor/improve cryptomount data passing to crypto modules" looks
way cleaner than what we had before: it can scale better than the
previous design because it's more generic, it can be extended more
easily, and we can have more fine grained communication between the
cryptodisk and the backends.

Glenn Washburn  wrote:
> My intention is for this patch series to lay the foundation for an
> improved patch series providing detached header and keyfile support
> (I already have the series updated and ready to send once this is
> accepted).
Thanks a lot for that work and for taking care of the patch series I
sent.

Denis.




Re: v7 for detached headers and key files

2021-08-17 Thread Denis 'GNUtoo' Carikli
Hi,

Since the last time I sent this patch series (December 2020), GRUB
2.06 is out and many of the security issues have now been fixed, so I
hope it's a good time to ping again for this patch now.

So far all the concerns found in the previous reviews have been
addressed, and no new issues were found in the v7, but it still
needed a more in depth review.

The v7 patch set also still applies on top of master as of today.

Denis.




Re: v7 for detached headers and key files

2020-12-16 Thread Denis 'GNUtoo' Carikli
On Wed, 16 Dec 2020 12:35:13 -0600
Glenn Washburn  wrote:
> Great, thanks for the update. Since Grub is currently in a feature
> freeze until the release, this won't get accepted until after.
At least, it makes it easier for someone else to pick up the patch set,
rebase it and push it if, for one reason or another, I no longer find the
time to do it.

> Also, when updating a patch series, its nice to use the
> "--cover-letter" and "--range-diff" options to git format-patch to
> show quickly what has changed since the last patch series version.
Oh nice, thanks a lot!

I didn't know "--cover-letter" for git-format-patch and I never heard
of --range-diff. 

I was using meld and a very manual process for that that was also error
prone as you can't store individual patch files in git (the ChangeLog
is lost in that case).

I'll try to remember to check that out next time I send a new revision
of a patchset.

Denis.




[PATCH v7 5/6] cryptodisk: enable the backends to implement key files

2020-12-10 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
Changelog since v3:
---
- Fixed the size formatting with PRIuGRUB_SIZE
- Added Reviewed-by

ChangeLog since v4:
---
- Style fixes:
  - Added missing space between function and '('
  - Removed trailing backslashes in split strings

ChangeLog since v5:
---
- No changes

ChangeLog since v6:
---
- Fixed format string conversions issues found by Glenn Washburn:
  - "The type of keyfile->size is grub_off_t which is 
 typedef'd from grub_uint64_t. 
 [...] when compiling for i386, PRIuGRUB_SIZE expands
 to %lu, which accepts a 32-bit uint.
 This will cause the strict format string checking to fail 
 the build."
  - "The macro GRUB_CRYPTODISK_MAX_KEYFILE_SIZE gets expanded
 to an integer literal which gets type cast as an int,
 but PRIuGRUB_SIZE expects long or long long."
- Rebased. The rebase was needed due this commits:
  - 0eb44d319 luks2: Rename source disk variable named
 "disk" to "source" as in luks.c
=> No changes to this patch, it just shows in the
   context lines.


---
 grub-core/disk/cryptodisk.c | 86 -
 grub-core/disk/geli.c   |  7 +--
 grub-core/disk/luks.c   |  7 ++-
 grub-core/disk/luks2.c  |  7 +--
 include/grub/cryptodisk.h   |  5 ++-
 include/grub/file.h |  2 +
 6 files changed, 105 insertions(+), 9 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index fec949ad0..11c0f7ab6 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+{"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -969,6 +972,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 static int check_boot, have_it;
 static char *search_uuid;
 static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_ssize_t key_size;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
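Review bot: `keyfile_buffer` is a file-scope static, so the key-file bytes read for one cryptomount call stay in the module's memory after the command returns unless code outside this hunk clears them. If nothing does, wipe the buffer once the recover_key loop has finished, for example `grub_memset (keyfile_buffer, 0, sizeof (keyfile_buffer)); key = NULL; key_size = 0;`. A comment on the three new variables stating their lifetime (set in grub_cmd_cryptomount, consumed by grub_cryptodisk_scan_device_real) would also make the coupling through globals explicit.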
@@ -999,7 +1004,7 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev, hdr);
+err = cr->recover_key (source, dev, hdr, key, key_size);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1109,6 +1114,85 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
 hdr = NULL;
 
   have_it = 0;
+  key = NULL;
+
+  if (state[4].set) /* keyfile */
+{
+  const char *p = NULL;
+  grub_file_t keyfile;
+  int keyfile_offset;
+  grub_size_t requested_keyfile_size = 0;
+
+
+  if (state[5].set) /* keyfile-offset */
+   {
+ keyfile_offset = grub_strtoul (state[5].arg, &p, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+   }
+  else
+   {
+ keyfile_offset = 0;
+   }
+
+  if (state[6].set) /* keyfile-size */
+   {
+ requested_keyfile_size = grub_strtoul (state[6].arg, &p, 0);
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+   return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size exceeds maximum (%d)\n"),
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+
+ if (requested_keyfile_size == 0)
+   return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size is 0\n"));
+   }
+
+  keyfile = grub_file_open (state[4].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
+  if (!keyfile)
+   return grub_errno;
+
+  if (grub_file_seek (keyfile, keyfile_o

[PATCH v7 4/6] cryptodisk: add support for LUKS1 detached headers

2020-12-10 Thread Denis 'GNUtoo' Carikli
From: John Lane 

cryptsetup supports having a detached header through the
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 detached headers.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- Fixed missing grub_file_seek return value check
ChangeLog since v6:
- No changes
---
 grub-core/disk/luks.c | 48 ++-
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 40cc162fb..1c518902b 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -76,17 +77,23 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
   char ciphername[sizeof (header.cipherName) + 1];
   char ciphermode[sizeof (header.cipherMode) + 1];
   char hashspec[sizeof (header.hashSpec) + 1];
-  grub_err_t err;
-
-  /* Detached headers are not implemented yet */
-  if (hdr)
-return NULL;
+  grub_err_t err = GRUB_ERR_NONE;
 
   if (check_boot)
 return NULL;
 
   /* Read the LUKS header.  */
-  err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+  if (hdr)
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return NULL;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return NULL;
+}
+  else
+err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+
   if (err)
 {
   if (err == GRUB_ERR_OUT_OF_RANGE)
@@ -164,15 +171,22 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
-  grub_err_t err;
+  grub_err_t err = GRUB_ERR_NONE;
   grub_size_t max_stripes = 1;
   char *tmp;
+  grub_uint32_t sector;
 
-  /* Detached headers are not implemented yet */
   if (hdr)
-return GRUB_ERR_NOT_IMPLEMENTED_YET;
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return grub_errno;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return grub_errno;
+}
+  else
+err = grub_disk_read (source, 0, 0, sizeof (header), &header);
 
-  err = grub_disk_read (source, 0, 0, sizeof (header), &header);
   if (err)
 return err;
 
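Review bot: In the detached-header branch of luks_recover_key a short read returns `grub_errno`, which can still be GRUB_ERR_NONE when the header file is simply smaller than `sizeof (header)`, so the function would report success without having recovered a key. Return an explicit error instead, for example `return grub_error (GRUB_ERR_BAD_ARGUMENT, "detached header file too short");` (the message text is only a suggestion). The same pattern appears in the key-material read of the next hunk. luks_recover_key starts before and continues after this hunk.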
@@ -241,13 +255,19 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
  return grub_crypto_gcry_error (gcry_err);
}
 
+  sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
   length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
 
   /* Read and decrypt the key material from the disk.  */
-  err = grub_disk_read (source,
-   grub_be_to_cpu32 (header.keyblock
- [i].keyMaterialOffset), 0,
-   length, split_key);
+  if (hdr)
+  {
+if (grub_file_seek (hdr, sector * 512) == (grub_off_t) -1)
+  return grub_errno;
+if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+  return grub_errno;
+  }
+  else
+err = grub_disk_read (source, sector, 0, length, split_key);
   if (err)
{
  grub_free (split_key);
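Review bot: `sector * 512` is evaluated in 32 bits because `sector` is a grub_uint32_t, and keyMaterialOffset is taken directly from the header file, so a large offset wraps and the seek lands at an unintended position; widen first, `grub_file_seek (hdr, (grub_off_t) sector * 512)`. The two early `return grub_errno;` statements in this branch also skip the `grub_free (split_key)` that the `if (err)` path below performs, leaking the buffer allocated for key material. Setting `err` in the detached-header branch and falling through to the existing cleanup would cover both the leak and the short-read case.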
-- 
2.29.2




v7 for detached headers and key files

2020-12-10 Thread Denis 'GNUtoo' Carikli
Hi,

I've addressed the issues found in the last round.

Like the last time I also tested it on real hardware.

I'm also sorry for the delay.

Denis.



[PATCH v7 6/6] cryptodisk: Add support for LUKS1 key files

2020-12-10 Thread Denis 'GNUtoo' Carikli
cryptsetup supports key files through the --key-file
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 key files.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
ChangeLog since v6:
- No changes
---
 grub-core/disk/luks.c | 43 ++-
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index b7867585a..0f6948f73 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -168,7 +168,9 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   struct grub_luks_phdr header;
   grub_size_t keysize;
   grub_uint8_t *split_key = NULL;
-  char passphrase[MAX_PASSPHRASE] = "";
+  char interactive_passphrase[MAX_PASSPHRASE] = "";
+  grub_uint8_t *passphrase;
+  grub_size_t passphrase_length;
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
@@ -177,10 +179,6 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   char *tmp;
   grub_uint32_t sector;
 
-  /* Keyfiles are not implemented yet */
-  if (keyfile_bytes || keyfile_bytes_size)
- return GRUB_ERR_NOT_IMPLEMENTED_YET;
-
   if (hdr)
 {
   if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
@@ -209,18 +207,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   if (!split_key)
 return grub_errno;
 
-  /* Get the passphrase from the user.  */
-  tmp = NULL;
-  if (source->partition)
-tmp = grub_partition_get_name (source->partition);
-  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-  source->partition ? "," : "", tmp ? : "",
-  dev->uuid);
-  grub_free (tmp);
-  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+  if (keyfile_bytes)
 {
-  grub_free (split_key);
-  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+  /* Use bytestring from key file as passphrase */
+  passphrase = keyfile_bytes;
+  passphrase_length = keyfile_bytes_size;
+}
+  else
+{
+  /* Get the passphrase from the user.  */
+  tmp = NULL;
+  if (source->partition)
+tmp = grub_partition_get_name (source->partition);
+  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+   source->partition ? "," : "", tmp ? : "", dev->uuid);
+  grub_free (tmp);
+  if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+{
+  grub_free (split_key);
+  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+}
+
+  passphrase = (grub_uint8_t *)interactive_passphrase;
+  passphrase_length = grub_strlen (interactive_passphrase);
 }
 
   /* Try to recover master key from each active keyslot.  */
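Review bot: The key-file branch takes `keyfile_bytes_size` as `passphrase_length` without checking it, while the guard this patch removes looked at both the pointer and the size. The caller in the 5/6 patch keeps the size in a `grub_ssize_t`, so a zero or negative value reaching this point would be handed to `grub_crypto_pbkdf2` as an empty or very large length; the parameter's declared type is outside the hunk, so this needs confirming. I would reject it before the branch, e.g. `if (keyfile_bytes && (keyfile_bytes_size == 0 || keyfile_bytes_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE))` followed by `grub_free (split_key);` and a `GRUB_ERR_BAD_ARGUMENT` return. The same hunk is repeated in the v6 6/6 posting below.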
@@ -238,7 +247,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
 
   /* Calculate the PBKDF2 of the user supplied passphrase.  */
   gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-grub_strlen (passphrase),
+passphrase_length,
 header.keyblock[i].passwordSalt,
 sizeof (header.keyblock[i].passwordSalt),
 grub_be_to_cpu32 (header.keyblock[i].
-- 
2.29.2




[PATCH v7 2/6] cryptodisk: geli: unify grub_cryptodisk_dev function names

2020-12-10 Thread Denis &#x27;GNUtoo7; Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
ChangeLog since v6:
- No changes
---
 grub-core/disk/geli.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 0175ce4c4..203a9081b 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -242,8 +242,7 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -398,7 +397,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
 }
 
 static grub_err_t
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -580,8 +579,8 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 }
 
 struct grub_cryptodisk_dev geli_crypto = {
-  .scan = configure_ciphers,
-  .recover_key = recover_key
+  .scan = geli_scan,
+  .recover_key = geli_recover_key
 };
 
 GRUB_MOD_INIT (geli)
-- 
2.29.2




[PATCH v7 3/6] cryptodisk: enable the backends to implement detached headers

2020-12-10 Thread Denis &#x27;GNUtoo7; Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
ChangeLog since v6: Rebase only.
The rebase was needed due these commits:
  - 0eb44d319 luks2: Rename source disk variable named
 "disk" to "source" as in luks.c
=> disk was also renamed to source in this rebased patch.
  - ee12785f7 luks2: Strip dashes off of the UUID
=> No changes to this patch, it just shows in the
   context lines.
---
 grub-core/disk/cryptodisk.c | 24 
 grub-core/disk/geli.c   | 15 +--
 grub-core/disk/luks.c   | 14 +++---
 grub-core/disk/luks2.c  | 15 ---
 include/grub/cryptodisk.h   |  6 --
 include/grub/file.h |  2 ++
 6 files changed, 62 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 473c93976..fec949ad0 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
 /* TRANSLATORS: It's still restricted to cryptodisks only.  */
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -967,6 +968,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 
 static int check_boot, have_it;
 static char *search_uuid;
+static grub_file_t hdr;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -991,13 +993,13 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, hdr);
 if (grub_errno)
   return grub_errno;
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev);
+err = cr->recover_key (source, dev, hdr);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1038,7 +1040,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const 
char *cheat)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, NULL);
 if (grub_errno)
   return grub_errno;
 if (!dev)
@@ -1092,6 +1094,20 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
   if (argc < 1 && !state[1].set && !state[2].set)
 return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
 
+  if (state[3].set) /* Detached header */
+{
+  if (state[0].set)
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("Cannot use UUID lookup with detached header"));
+
+  hdr = grub_file_open (state[3].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
+  if (!hdr)
+   return grub_errno;
+}
+  else
+hdr = NULL;
+
   have_it = 0;
   if (state[0].set)
 {
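Review bot: Only `-u` is rejected together with `-H` here; `-a` and `-b` (state[1] and state[2], judging by the argc check just above) are still accepted, and `hdr` is then passed to `cr->scan` and `cr->recover_key` for every device that grub_cryptodisk_scan_device_real visits, so one header file would presumably be applied to unrelated disks. Extending the test to `if (state[0].set || state[1].set || state[2].set)` with a matching message would confine a detached header to a single named source. The hunk also shows no `grub_file_close (hdr)`, and `hdr` is a file-scope static that stays set after the command returns; the rest of grub_cmd_cryptomount is outside the hunk, so whether it is closed and reset there should be checked. The same hunk is repeated in the v6 3/6 posting below.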
@@ -1299,7 +1315,7 @@ GRUB_MOD_INIT (cryptodisk)
 {
   grub_disk_dev_register (&grub_cryptodisk_dev);
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("SOURCE|-u UUID|-a|-b"),
+ N_("SOURCE|-u UUID|-a|-b|-H file"),
  N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
 }
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 203a9081b..d4d537e05 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -121,6 +122,7 @@ enum
 
 /* FIXME: support version 0.  */
 /* FIXME: support big-endian pre-version-4 volumes.  */
+/* FIXME: support for detached headers.  */
 /* FIXME: support for keyfiles.  */
 /* FIXME: support for HMAC.  */
 const char *algorithms[] = {
@@ -242,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+  grub_file_t hdr)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -254,6 +257,10 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
   grub_disk_addr_t sector;
   grub_err_t err;
 
+  /* Detached headers are not implemented yet */
+  if (hdr)
+return NULL;
+
   if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH

[PATCH v7 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-12-10 Thread Denis &#x27;GNUtoo7; Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
ChangeLog since v6:
- No changes

---
 grub-core/disk/luks.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index aa9877b68..229036d1d 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -65,8 +65,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
  grub_size_t blocknumbers);
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int check_boot)
+luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -311,7 +310,7 @@ luks_recover_key (grub_disk_t source,
 }
 
 struct grub_cryptodisk_dev luks_crypto = {
-  .scan = configure_ciphers,
+  .scan = luks_scan,
   .recover_key = luks_recover_key
 };
 
-- 
2.29.2




Re: [PATCH 2/9] luks: Fix out-of-bounds copy of UUID

2020-08-23 Thread Denis &#x27;GNUtoo7; Carikli
On Sun, 23 Aug 2020 12:59:57 +0200
Patrick Steinhardt  wrote:

> When configuring a LUKS disk, we copy over the UUID from the LUKS
> header into the new `grub_cryptodisk_t` structure via `grub_memcpy
> ()`. As size we mistakenly use the size of the `grub_cryptodisk_t`
> UUID field, which is guaranteed to be strictly bigger than the LUKS
> UUID field we're copying. As a result, the copy always goes
> out-of-bounds and copies some garbage from other surrounding fields.
> During runtime, this isn't noticed due to the fact that we always
> NUL-terminate the UUID and thus never hit the trailing garbage.
> 
> Fix the issue by using the size of the local stripped UUID field.
> 
> Signed-off-by: Patrick Steinhardt 
> ---
>  grub-core/disk/luks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
> index 6ae162601..76f89dd29 100644
> --- a/grub-core/disk/luks.c
> +++ b/grub-core/disk/luks.c
> @@ -125,7 +125,7 @@ configure_ciphers (grub_disk_t disk, const char
> *check_uuid, newdev->source_disk = NULL;
>newdev->log_sector_size = 9;
>newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
> -  grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
> +  grub_memcpy (newdev->uuid, uuid, sizeof (uuid));

Is the fact that the real UUID size is 37 (36 + \0) instead of 40 an
issue?

In grub-core/disk/luks.c we have:
> /* On disk LUKS header */
> struct grub_luks_phdr
> {
>   [...]
>   char uuid[40];
>   [...]
> } GRUB_PACKED;
So here we use 40.

It's then used to define the size of the 'uuid' local variable that is
used in grub_memcpy:
> static grub_cryptodisk_t
> luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
>  grub_file_t hdr)
> {
>   [...]
>   char uuid[sizeof (header.uuid) + 1];
>   [...]
>   grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
>   [...]
> }

However in lib/luks1/luks.h in cryptsetup source code we have:
> /* Actually we need only 37, but we don't want struct autoaligning to kick in 
> */
> #define UUID_STRING_L 40

And still in cryptsetup source code in the LUKS2_luks2_to_luks1 
function in lib/luks2/luks2_luks1_convert.c we have:
> strncpy(hdr1->uuid, hdr2->uuid, UUID_STRING_L); /* max 36 chars */
> hdr1->uuid[UUID_STRING_L-1] = '\0';

Denis.




Re: [PATCH] v6 for detached headers and key files

2020-08-21 Thread Denis &#x27;GNUtoo7; Carikli
On Wed, 19 Aug 2020 13:59:57 -0500
Glenn Washburn  wrote:

> I'm curious, are you using a virtual machine to test grub? If I
> understand correctly the above, you're using physical machines to
> test. I'm using qemu and generally testing with x86_64-efi.

I don't have a good vm setup for testing yet. I tried to create a self
contained test setup with qemu+coreboot+grub as a payload but it ended
up being too slow (probably due to my key sizes) and messy as I needed
to specify all the modules and I always missed some.

For the v6 I ended up installing grub in /usr/local and then with
grub-install + grub-mkconfig on an x86_64 machine running Coreboot and
SeaBIOS.

I then created two LVM partitions: one encrypted with the key and the
header inside, and another without a header to be opened, and I tested
by opening the latter and accessing a file inside that I read with cat.

So it was more manual but I could reuse the distribution installation
and configuration I already had.

Denis.




[PATCH v6 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-08-19 Thread Denis &#x27;GNUtoo7; Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
---
 grub-core/disk/luks.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 6ae162601..b50f6fd02 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -65,8 +65,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
  grub_size_t blocknumbers);
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int check_boot)
+luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -310,7 +309,7 @@ luks_recover_key (grub_disk_t source,
 }
 
 struct grub_cryptodisk_dev luks_crypto = {
-  .scan = configure_ciphers,
+  .scan = luks_scan,
   .recover_key = luks_recover_key
 };
 
-- 
2.28.0




[PATCH v6 4/6] cryptodisk: add support for LUKS1 detached headers

2020-08-19 Thread Denis &#x27;GNUtoo7; Carikli
From: John Lane 

cryptsetup supports having a detached header through the
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 detached headers.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- Fixed missing grub_file_seek return value check
---
 grub-core/disk/luks.c | 48 ++-
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 685235565..6286302e7 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -76,17 +77,23 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
   char ciphername[sizeof (header.cipherName) + 1];
   char ciphermode[sizeof (header.cipherMode) + 1];
   char hashspec[sizeof (header.hashSpec) + 1];
-  grub_err_t err;
-
-  /* Detached headers are not implemented yet */
-  if (hdr)
-return NULL;
+  grub_err_t err = GRUB_ERR_NONE;
 
   if (check_boot)
 return NULL;
 
   /* Read the LUKS header.  */
-  err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+  if (hdr)
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return NULL;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return NULL;
+}
+  else
+err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+
   if (err)
 {
   if (err == GRUB_ERR_OUT_OF_RANGE)
@@ -163,15 +170,22 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
-  grub_err_t err;
+  grub_err_t err = GRUB_ERR_NONE;
   grub_size_t max_stripes = 1;
   char *tmp;
+  grub_uint32_t sector;
 
-  /* Detached headers are not implemented yet */
   if (hdr)
-return GRUB_ERR_NOT_IMPLEMENTED_YET;
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return grub_errno;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return grub_errno;
+}
+  else
+err = grub_disk_read (source, 0, 0, sizeof (header), &header);
 
-  err = grub_disk_read (source, 0, 0, sizeof (header), &header);
   if (err)
 return err;
 
@@ -240,13 +254,19 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
  return grub_crypto_gcry_error (gcry_err);
}
 
+  sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
   length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
 
   /* Read and decrypt the key material from the disk.  */
-  err = grub_disk_read (source,
-   grub_be_to_cpu32 (header.keyblock
- [i].keyMaterialOffset), 0,
-   length, split_key);
+  if (hdr)
+  {
+if (grub_file_seek (hdr, sector * 512) == (grub_off_t) -1)
+  return grub_errno;
+if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+  return grub_errno;
+  }
+  else
+err = grub_disk_read (source, sector, 0, length, split_key);
   if (err)
{
  grub_free (split_key);
-- 
2.28.0




[PATCH] v6 for detached headers and key files

2020-08-19 Thread Denis &#x27;GNUtoo7; Carikli
Hi,

Here's a new version of this patchset.

The only change from the v5 is that I fixed the issue that Glenn
Washburn found (in the 4/6 patch, one of the grub_file_seek return
codes wasn't properly checked). Thanks for finding the issue.

I also took some time to send it again because I tried to test with
the chainload with Coreboot in order to minimize the risk of 
non-booting computer, and as it took too much time (missing modules,
etc), I ended up dedicating a computer with SeaBIOS for the test.

Denis.




[PATCH v6 5/6] cryptodisk: enable the backends to implement key files

2020-08-19 Thread Denis &#x27;GNUtoo7; Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
Changelog since v3:
---
- Fixed the size formating with PRIuGRUB_SIZE
- Added Reviewed-by

ChangeLog since v4:
---
- Style fixes:
  - Added missing space between function and '('
  - Removed trailing backslashes in split strings

ChangeLog since v5:
---
- No changes
---
 grub-core/disk/cryptodisk.c | 87 -
 grub-core/disk/geli.c   |  7 +--
 grub-core/disk/luks.c   |  7 ++-
 grub-core/disk/luks2.c  |  7 +--
 include/grub/cryptodisk.h   |  5 ++-
 include/grub/file.h |  2 +
 6 files changed, 106 insertions(+), 9 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6ad2e486e..dd94736d3 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+{"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 static int check_boot, have_it;
 static char *search_uuid;
 static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_ssize_t key_size;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
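Review bot: `keyfile_buffer` holds the raw key-file bytes in a file-scope static, so the secret stays in module memory after cryptomount returns unless something clears it; no such clearing is visible in this patch as posted (the grub_cmd_cryptomount hunk is cut off on this page, so it may exist there). I would wipe it once the scan has finished, e.g. `grub_memset (keyfile_buffer, 0, sizeof (keyfile_buffer)); key = NULL; key_size = 0;`, and make sure the wipe also runs on the error returns. A comment on the declaration such as `/* Key file contents; cleared by grub_cmd_cryptomount after use. */` would record who owns the buffer.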
@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev, hdr);
+err = cr->recover_key (source, dev, hdr, key, key_size);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1112,6 +1117,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
 hdr = NULL;
 
   have_it = 0;
+  key = NULL;
+
+  if (state[4].set) /* keyfile */
+{
+  const char *p = NULL;
+  grub_file_t keyfile;
+  int keyfile_offset;
+  grub_size_t requested_keyfile_size = 0;
+
+
+  if (state[5].set) /* keyfile-offset */
+   {
+ keyfile_offset = grub_strtoul (state[5].arg, &p, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+   }
+  else
+   {
+ keyfile_offset = 0;
+   }
+
+  if (state[6].set) /* keyfile-size */
+   {
+ requested_keyfile_size = grub_strtoul (state[6].arg, &p, 0);
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+   return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size exceeds maximum (%"
+PRIuGRUB_SIZE ")\n"),
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+
+ if (requested_keyfile_size == 0)
+   return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size is 0\n"));
+   }
+
+  keyfile = grub_file_open (state[4].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
+  if (!keyfile)
+   return grub_errno;
+
+  if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+   return grub_errno;
+
+  if (requested_keyfile_size)
+   {
+ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  N_("Keyfile is too small: "
+ "requested %" PRIuGRUB_SIZE " bytes, "
+ "but the file only has %" PRIuGRUB_SIZE
+ " bytes.\n"),
+  requested_keyfile_size,
+  keyfile->size);
+
+ key_size = requested_keyfile_size;
+   }
+  else
+   {
+ key_size = keyfile->size - keyfile_offset;
+   

[PATCH v6 6/6] cryptodisk: Add support for LUKS1 key files

2020-08-19 Thread Denis &#x27;GNUtoo7; Carikli
cryptsetup supports key files through the --key-file
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 key files.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
---
 grub-core/disk/luks.c | 43 ++-
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 0dd33b2af..125a21902 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -167,7 +167,9 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   struct grub_luks_phdr header;
   grub_size_t keysize;
   grub_uint8_t *split_key = NULL;
-  char passphrase[MAX_PASSPHRASE] = "";
+  char interactive_passphrase[MAX_PASSPHRASE] = "";
+  grub_uint8_t *passphrase;
+  grub_size_t passphrase_length;
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
@@ -176,10 +178,6 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   char *tmp;
   grub_uint32_t sector;
 
-  /* Keyfiles are not implemented yet */
-  if (keyfile_bytes || keyfile_bytes_size)
- return GRUB_ERR_NOT_IMPLEMENTED_YET;
-
   if (hdr)
 {
   if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
@@ -208,18 +206,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   if (!split_key)
 return grub_errno;
 
-  /* Get the passphrase from the user.  */
-  tmp = NULL;
-  if (source->partition)
-tmp = grub_partition_get_name (source->partition);
-  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-  source->partition ? "," : "", tmp ? : "",
-  dev->uuid);
-  grub_free (tmp);
-  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+  if (keyfile_bytes)
 {
-  grub_free (split_key);
-  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+  /* Use bytestring from key file as passphrase */
+  passphrase = keyfile_bytes;
+  passphrase_length = keyfile_bytes_size;
+}
+  else
+{
+  /* Get the passphrase from the user.  */
+  tmp = NULL;
+  if (source->partition)
+tmp = grub_partition_get_name (source->partition);
+  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+   source->partition ? "," : "", tmp ? : "", dev->uuid);
+  grub_free (tmp);
+  if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+{
+  grub_free (split_key);
+  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+}
+
+  passphrase = (grub_uint8_t *)interactive_passphrase;
+  passphrase_length = grub_strlen (interactive_passphrase);
 }
 
   /* Try to recover master key from each active keyslot.  */
@@ -237,7 +246,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
 
   /* Calculate the PBKDF2 of the user supplied passphrase.  */
   gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-grub_strlen (passphrase),
+passphrase_length,
 header.keyblock[i].passwordSalt,
 sizeof (header.keyblock[i].passwordSalt),
 grub_be_to_cpu32 (header.keyblock[i].
-- 
2.28.0




[PATCH v6 2/6] cryptodisk: geli: unify grub_cryptodisk_dev function names

2020-08-19 Thread Denis &#x27;GNUtoo7; Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
---
 grub-core/disk/geli.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index e9d23299a..581631c1d 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -242,8 +242,7 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -398,7 +397,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
 }
 
 static grub_err_t
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -580,8 +579,8 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 }
 
 struct grub_cryptodisk_dev geli_crypto = {
-  .scan = configure_ciphers,
-  .recover_key = recover_key
+  .scan = geli_scan,
+  .recover_key = geli_recover_key
 };
 
 GRUB_MOD_INIT (geli)
-- 
2.28.0




[PATCH v6 3/6] cryptodisk: enable the backends to implement detached headers

2020-08-19 Thread Denis &#x27;GNUtoo7; Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
ChangeLog since v5:
- No changes
---
 grub-core/disk/cryptodisk.c | 24 
 grub-core/disk/geli.c   | 15 +--
 grub-core/disk/luks.c   | 14 +++---
 grub-core/disk/luks2.c  | 15 ---
 include/grub/cryptodisk.h   |  6 --
 include/grub/file.h |  2 ++
 6 files changed, 62 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 1897acc4b..6ad2e486e 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
 /* TRANSLATORS: It's still restricted to cryptodisks only.  */
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 
 static int check_boot, have_it;
 static char *search_uuid;
+static grub_file_t hdr;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, hdr);
 if (grub_errno)
   return grub_errno;
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev);
+err = cr->recover_key (source, dev, hdr);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const 
char *cheat)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, NULL);
 if (grub_errno)
   return grub_errno;
 if (!dev)
@@ -1095,6 +1097,20 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
   if (argc < 1 && !state[1].set && !state[2].set)
 return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
 
+  if (state[3].set) /* Detached header */
+{
+  if (state[0].set)
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("Cannot use UUID lookup with detached header"));
+
+  hdr = grub_file_open (state[3].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
+  if (!hdr)
+   return grub_errno;
+}
+  else
+hdr = NULL;
+
   have_it = 0;
   if (state[0].set)
 {
@@ -1302,7 +1318,7 @@ GRUB_MOD_INIT (cryptodisk)
 {
   grub_disk_dev_register (&grub_cryptodisk_dev);
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("SOURCE|-u UUID|-a|-b"),
+ N_("SOURCE|-u UUID|-a|-b|-H file"),
  N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
 }
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 581631c1d..acd09d874 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -121,6 +122,7 @@ enum
 
 /* FIXME: support version 0.  */
 /* FIXME: support big-endian pre-version-4 volumes.  */
+/* FIXME: support for detached headers.  */
 /* FIXME: support for keyfiles.  */
 /* FIXME: support for HMAC.  */
 const char *algorithms[] = {
@@ -242,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+  grub_file_t hdr)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -254,6 +257,10 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
   grub_disk_addr_t sector;
   grub_err_t err;
 
+  /* Detached headers are not implemented yet */
+  if (hdr)
+return NULL;
+
   if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH)
 return NULL;
 
@@ -397,7 +404,7 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
 }
 
 static grub_err_t
-geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -413,6 +420,10 @@ geli_recover_key (grub_

Re: [PATCH] forgotten in Subject, Was: v5 for detached headers and key files

2020-07-22 Thread Denis 'GNUtoo' Carikli
Hi,

Do I need to resend the patches with [PATCH] in the topic?

Or do I need to do something to get the patch merged now that there is
a Reviewed-by tag?

Denis.




Re: [PATCH] forgotten in Subject, Was: v5 for detached headers and key files

2020-06-12 Thread Denis 'GNUtoo' Carikli
On Fri, 12 Jun 2020 10:33:45 +0200
Patrick Steinhardt  wrote:

> On Fri, Jun 12, 2020 at 07:30:00AM +0200, Denis 'GNUtoo' Carikli
> wrote:
> > On Thu, 11 Jun 2020 18:18:01 +0200
> > Denis 'GNUtoo' Carikli  wrote:
> > 
> > Hi,
> > 
> > The patches Subject ends up like that because I forgot the PATCH in
> > git format-patch --subject-prefix:
> > > Subject: [v5][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev
> > > function names
> > 
> > Do I have to do something about it? Or should I instead leave it
> > like that and hope that people don't filter it out because they
> > don't contain [PATCH].
> 
> Instead of manually adjusting the prefix, you can just say `git
> format-patch -v5` to set the patch set's version. I noticed that
> earlier but forgot to point this out to you.
Thanks a lot. I'll try it next time as something like that is way more
convenient. 

It also makes it look always the same instead of having many variations
between things like [PATCH v1][1/3], [Patch v1][1/3], [Patch][v1 1/3],
etc and gets rid of the many half-messed up subject prefixes.

Denis.




[PATCH] forgotten in Subject, Was: v5 for detached headers and key files

2020-06-11 Thread Denis 'GNUtoo' Carikli
On Thu, 11 Jun 2020 18:18:01 +0200
Denis 'GNUtoo' Carikli  wrote:

Hi,

The patches Subject ends up like that because I forgot the PATCH in
git format-patch --subject-prefix:
> Subject: [v5][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev
> function names

Do I have to do something about it? Or should I instead leave it like
that and hope that people don't filter it out because they don't
contain [PATCH].

I'm sorry for the inconvenience.

Denis.




[v5][ 4/6] cryptodisk: add support for LUKS1 detached headers

2020-06-11 Thread Denis 'GNUtoo' Carikli
From: John Lane 

cryptsetup supports having a detached header through the
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 detached headers.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
---
 grub-core/disk/luks.c | 48 ++-
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index ffeb679d1..0b20908ac 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -76,17 +77,23 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
   char ciphername[sizeof (header.cipherName) + 1];
   char ciphermode[sizeof (header.cipherMode) + 1];
   char hashspec[sizeof (header.hashSpec) + 1];
-  grub_err_t err;
-
-  /* Detached headers are not implemented yet */
-  if (hdr)
-return NULL;
+  grub_err_t err = GRUB_ERR_NONE;
 
   if (check_boot)
 return NULL;
 
   /* Read the LUKS header.  */
-  err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+  if (hdr)
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return NULL;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return NULL;
+}
+  else
+err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+
   if (err)
 {
   if (err == GRUB_ERR_OUT_OF_RANGE)
@@ -163,15 +170,22 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
-  grub_err_t err;
+  grub_err_t err = GRUB_ERR_NONE;
   grub_size_t max_stripes = 1;
   char *tmp;
+  grub_uint32_t sector;
 
-  /* Detached headers are not implemented yet */
   if (hdr)
-return GRUB_ERR_NOT_IMPLEMENTED_YET;
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return grub_errno;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return grub_errno;
+}
+  else
+err = grub_disk_read (source, 0, 0, sizeof (header), &header);
 
-  err = grub_disk_read (source, 0, 0, sizeof (header), &header);
   if (err)
 return err;
 
@@ -240,13 +254,19 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
  return grub_crypto_gcry_error (gcry_err);
}
 
+  sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
   length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
 
   /* Read and decrypt the key material from the disk.  */
-  err = grub_disk_read (source,
-   grub_be_to_cpu32 (header.keyblock
- [i].keyMaterialOffset), 0,
-   length, split_key);
+  if (hdr)
+  {
+if (grub_file_seek (hdr, sector * 512))
+  return grub_errno;
+if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+  return grub_errno;
+  }
+  else
+err = grub_disk_read (source, sector, 0, length, split_key);
   if (err)
{
  grub_free (split_key);
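Review bot: The new `if (grub_file_seek (hdr, sector * 512))` treats any non-zero return as failure, but `grub_file_seek` returns the previous file offset and the two other seeks in this patch test for `(grub_off_t) -1`; after the header read the offset is non-zero, so this branch returns `grub_errno` (probably GRUB_ERR_NONE) before any key material is read. Both early returns here also skip the `grub_free (split_key)` that the existing error path performs, and a short `grub_file_read`, here and in the header read of the previous hunk, may leave `grub_errno` unset, so the caller can see success. `sector * 512` is computed in 32 bits from a field of the header file and should be widened before the multiplication. The function body extends beyond the hunk, and the v4 posting of this patch further down has the same lines.

```c
      if (hdr)
        {
          /* grub_file_seek returns the old offset; only -1 means failure.  */
          if (grub_file_seek (hdr, (grub_off_t) sector * 512) == (grub_off_t) -1
              || grub_file_read (hdr, split_key, length) != (grub_ssize_t) length)
            err = grub_errno ? grub_errno
              : grub_error (GRUB_ERR_FILE_READ_ERROR,
                            "short read of key material");
        }
      else
        err = grub_disk_read (source, sector, 0, length, split_key);
      /* … unchanged: the `if (err)` path that frees split_key … */
```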
-- 
2.27.0




[v5][ 3/6] cryptodisk: enable the backends to implement detached headers

2020-06-11 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
---
 grub-core/disk/cryptodisk.c | 24 
 grub-core/disk/geli.c   | 15 +--
 grub-core/disk/luks.c   | 14 +++---
 grub-core/disk/luks2.c  | 15 ---
 include/grub/cryptodisk.h   |  6 --
 include/grub/file.h |  2 ++
 6 files changed, 62 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 1897acc4b..6ad2e486e 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
 /* TRANSLATORS: It's still restricted to cryptodisks only.  */
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 
 static int check_boot, have_it;
 static char *search_uuid;
+static grub_file_t hdr;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, hdr);
 if (grub_errno)
   return grub_errno;
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev);
+err = cr->recover_key (source, dev, hdr);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const 
char *cheat)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, NULL);
 if (grub_errno)
   return grub_errno;
 if (!dev)
@@ -1095,6 +1097,20 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
   if (argc < 1 && !state[1].set && !state[2].set)
 return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
 
+  if (state[3].set) /* Detached header */
+{
+  if (state[0].set)
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("Cannot use UUID lookup with detached header"));
+
+  hdr = grub_file_open (state[3].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
+  if (!hdr)
+   return grub_errno;
+}
+  else
+hdr = NULL;
+
   have_it = 0;
   if (state[0].set)
 {
@@ -1302,7 +1318,7 @@ GRUB_MOD_INIT (cryptodisk)
 {
   grub_disk_dev_register (&grub_cryptodisk_dev);
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("SOURCE|-u UUID|-a|-b"),
+ N_("SOURCE|-u UUID|-a|-b|-H file"),
  N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
 }
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 581631c1d..acd09d874 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -121,6 +122,7 @@ enum
 
 /* FIXME: support version 0.  */
 /* FIXME: support big-endian pre-version-4 volumes.  */
+/* FIXME: support for detached headers.  */
 /* FIXME: support for keyfiles.  */
 /* FIXME: support for HMAC.  */
 const char *algorithms[] = {
@@ -242,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+  grub_file_t hdr)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -254,6 +257,10 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
   grub_disk_addr_t sector;
   grub_err_t err;
 
+  /* Detached headers are not implemented yet */
+  if (hdr)
+return NULL;
+
   if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH)
 return NULL;
 
@@ -397,7 +404,7 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
 }
 
 static grub_err_t
-geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -413,6 +420,10 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t 
d

[v5][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-06-11 Thread Denis 'GNUtoo' Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
---
 grub-core/disk/luks.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 410cd6f84..28585806a 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -65,8 +65,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
  grub_size_t blocknumbers);
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int check_boot)
+luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -310,7 +309,7 @@ luks_recover_key (grub_disk_t source,
 }
 
 struct grub_cryptodisk_dev luks_crypto = {
-  .scan = configure_ciphers,
+  .scan = luks_scan,
   .recover_key = luks_recover_key
 };
 
-- 
2.27.0




v5 for detached headers and key files

2020-06-11 Thread Denis 'GNUtoo' Carikli
Hi,

I've now addressed the comments of the following patch:
- [ 5/6] cryptodisk: enable the backends to implement key.

Denis.






[v5][ 5/6] cryptodisk: enable the backends to implement key files

2020-06-11 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
Changelog since v3:
---
- Fixed the size formating with PRIuGRUB_SIZE
- Added Reviewed-by

ChangeLog since v4:
---
- Style fixes:
  - Added missing space between function and '('
  - Removed trailing backslashes in split strings
---
 grub-core/disk/cryptodisk.c | 87 -
 grub-core/disk/geli.c   |  7 +--
 grub-core/disk/luks.c   |  7 ++-
 grub-core/disk/luks2.c  |  7 +--
 include/grub/cryptodisk.h   |  5 ++-
 include/grub/file.h |  2 +
 6 files changed, 106 insertions(+), 9 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6ad2e486e..dd94736d3 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+{"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 static int check_boot, have_it;
 static char *search_uuid;
 static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_ssize_t key_size;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev, hdr);
+err = cr->recover_key (source, dev, hdr, key, key_size);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1112,6 +1117,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
 hdr = NULL;
 
   have_it = 0;
+  key = NULL;
+
+  if (state[4].set) /* keyfile */
+{
+  const char *p = NULL;
+  grub_file_t keyfile;
+  int keyfile_offset;
+  grub_size_t requested_keyfile_size = 0;
+
+
+  if (state[5].set) /* keyfile-offset */
+   {
+ keyfile_offset = grub_strtoul (state[5].arg, &p, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+   }
+  else
+   {
+ keyfile_offset = 0;
+   }
+
+  if (state[6].set) /* keyfile-size */
+   {
+ requested_keyfile_size = grub_strtoul (state[6].arg, &p, 0);
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+   return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size exceeds maximum (%"
+PRIuGRUB_SIZE ")\n"),
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+
+ if (requested_keyfile_size == 0)
+   return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size is 0\n"));
+   }
+
+  keyfile = grub_file_open (state[4].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
+  if (!keyfile)
+   return grub_errno;
+
+  if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+   return grub_errno;
+
+  if (requested_keyfile_size)
+   {
+ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  N_("Keyfile is too small: "
+ "requested %" PRIuGRUB_SIZE " bytes, "
+ "but the file only has %" PRIuGRUB_SIZE
+ " bytes.\n"),
+  requested_keyfile_size,
+  keyfile->size);
+
+ key_size = requested_keyfile_size;
+   }
+  else
+   {
+ key_size = keyfile->size - keyfile_offset;
+   }
+
+  if (grub_file_read (keyfile, keyfile_buffer, 
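Review bot: When `--keyfile-size` is not given, `key_size = keyfile->size - keyfile_offset` is never compared with `GRUB_CRYPTODISK_MAX_KEYFILE_SIZE`, yet the read that starts on the last visible line targets the fixed-size `keyfile_buffer` (the v4 posting further down shows `key_size` as its length), so a key file larger than the buffer would be written past its end. A check such as `if (key_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("Key file size exceeds maximum"));` belongs after the `else` branch and before the read. The visible early returns after `grub_file_open` also leave `keyfile` open, and `keyfile_offset` is an `int` filled from `grub_strtoul`, so large offsets are truncated; an unsigned offset type and a `grub_file_close (keyfile)` on each error path would address both. The remainder of this hunk is cut off on the page, and the v4 copy of the hunk has the same lines.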

[v5][ 6/6] cryptodisk: Add support for LUKS1 key files

2020-06-11 Thread Denis 'GNUtoo' Carikli
cryptsetup supports key files through the --key-file
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 key files.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
---
 grub-core/disk/luks.c | 43 ++-
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 8dde70d8d..376895259 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -167,7 +167,9 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   struct grub_luks_phdr header;
   grub_size_t keysize;
   grub_uint8_t *split_key = NULL;
-  char passphrase[MAX_PASSPHRASE] = "";
+  char interactive_passphrase[MAX_PASSPHRASE] = "";
+  grub_uint8_t *passphrase;
+  grub_size_t passphrase_length;
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
@@ -176,10 +178,6 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   char *tmp;
   grub_uint32_t sector;
 
-  /* Keyfiles are not implemented yet */
-  if (keyfile_bytes || keyfile_bytes_size)
- return GRUB_ERR_NOT_IMPLEMENTED_YET;
-
   if (hdr)
 {
   if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
@@ -208,18 +206,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   if (!split_key)
 return grub_errno;
 
-  /* Get the passphrase from the user.  */
-  tmp = NULL;
-  if (source->partition)
-tmp = grub_partition_get_name (source->partition);
-  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-  source->partition ? "," : "", tmp ? : "",
-  dev->uuid);
-  grub_free (tmp);
-  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+  if (keyfile_bytes)
 {
-  grub_free (split_key);
-  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+  /* Use bytestring from key file as passphrase */
+  passphrase = keyfile_bytes;
+  passphrase_length = keyfile_bytes_size;
+}
+  else
+{
+  /* Get the passphrase from the user.  */
+  tmp = NULL;
+  if (source->partition)
+tmp = grub_partition_get_name (source->partition);
+  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+   source->partition ? "," : "", tmp ? : "", dev->uuid);
+  grub_free (tmp);
+  if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+{
+  grub_free (split_key);
+  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+}
+
+  passphrase = (grub_uint8_t *)interactive_passphrase;
+  passphrase_length = grub_strlen (interactive_passphrase);
 }
 
   /* Try to recover master key from each active keyslot.  */
@@ -237,7 +246,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
 
   /* Calculate the PBKDF2 of the user supplied passphrase.  */
   gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-grub_strlen (passphrase),
+passphrase_length,
 header.keyblock[i].passwordSalt,
 sizeof (header.keyblock[i].passwordSalt),
 grub_be_to_cpu32 (header.keyblock[i].
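Review bot: The comment `/* Calculate the PBKDF2 of the user supplied passphrase.  */` is no longer accurate, because after this patch `passphrase` may point at key-file bytes rather than typed input; `/* Calculate the PBKDF2 of the passphrase or key-file bytes.  */` would match the code. The `(grub_uint8_t *)` cast on `passphrase` in the `grub_crypto_pbkdf2` call is now redundant, since the variable is declared `grub_uint8_t *` earlier in this patch. The call continues beyond the hunk, and the v4 posting of 6/6 below carries the same lines.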
-- 
2.27.0




[v5][ 2/6] cryptodisk: geli: unify grub_cryptodisk_dev function names

2020-06-11 Thread Denis 'GNUtoo' Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
ChangeLog since v4:
- Added Reviewed-by tag
---
 grub-core/disk/geli.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index e9d23299a..581631c1d 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -242,8 +242,7 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -398,7 +397,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
 }
 
 static grub_err_t
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -580,8 +579,8 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 }
 
 struct grub_cryptodisk_dev geli_crypto = {
-  .scan = configure_ciphers,
-  .recover_key = recover_key
+  .scan = geli_scan,
+  .recover_key = geli_recover_key
 };
 
 GRUB_MOD_INIT (geli)
-- 
2.27.0




Re: [PATCH v4][ 5/6] cryptodisk: enable the backends to implement key files

2020-06-11 Thread Denis 'GNUtoo' Carikli
On Mon, 8 Jun 2020 20:50:15 +0200
Patrick Steinhardt  wrote:

> > +  if (requested_keyfile_size)
> > +   {
> > + if (requested_keyfile_size > (keyfile->size -
> > keyfile_offset))
> > +   return grub_error (GRUB_ERR_FILE_READ_ERROR,
> > +  N_("Keyfile is too small: "
> >   \
> > + "requested %" PRIuGRUB_SIZE "
> > bytes, "  \
> > + "but the file only has %"
> > PRIuGRUB_SIZE \
> > + " bytes.\n"),
> 
> These trailing backslashes aren't required. C handles strings split
> over multiple lines without any need for escaping.
Thanks, I wasn't sure what to do with them and I assumed they were
there because of the (GNU?) code style, which I'm not familiar with.

Denis.




[PATCH v4][ 4/6] cryptodisk: add support for LUKS1 detached headers

2020-06-03 Thread Denis 'GNUtoo' Carikli
From: John Lane 

cryptsetup supports having a detached header through the
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 detached headers.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 48 ++-
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index ffeb679d1..0b20908ac 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -76,17 +77,23 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
   char ciphername[sizeof (header.cipherName) + 1];
   char ciphermode[sizeof (header.cipherMode) + 1];
   char hashspec[sizeof (header.hashSpec) + 1];
-  grub_err_t err;
-
-  /* Detached headers are not implemented yet */
-  if (hdr)
-return NULL;
+  grub_err_t err = GRUB_ERR_NONE;
 
   if (check_boot)
 return NULL;
 
   /* Read the LUKS header.  */
-  err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+  if (hdr)
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return NULL;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return NULL;
+}
+  else
+err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+
   if (err)
 {
   if (err == GRUB_ERR_OUT_OF_RANGE)
@@ -163,15 +170,22 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
-  grub_err_t err;
+  grub_err_t err = GRUB_ERR_NONE;
   grub_size_t max_stripes = 1;
   char *tmp;
+  grub_uint32_t sector;
 
-  /* Detached headers are not implemented yet */
   if (hdr)
-return GRUB_ERR_NOT_IMPLEMENTED_YET;
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return grub_errno;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return grub_errno;
+}
+  else
+err = grub_disk_read (source, 0, 0, sizeof (header), &header);
 
-  err = grub_disk_read (source, 0, 0, sizeof (header), &header);
   if (err)
 return err;
 
@@ -240,13 +254,19 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
  return grub_crypto_gcry_error (gcry_err);
}
 
+  sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
   length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
 
   /* Read and decrypt the key material from the disk.  */
-  err = grub_disk_read (source,
-   grub_be_to_cpu32 (header.keyblock
- [i].keyMaterialOffset), 0,
-   length, split_key);
+  if (hdr)
+  {
+if (grub_file_seek (hdr, sector * 512))
+  return grub_errno;
+if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+  return grub_errno;
+  }
+  else
+err = grub_disk_read (source, sector, 0, length, split_key);
   if (err)
{
  grub_free (split_key);
-- 
2.26.2




[PATCH v4][ 6/6] cryptodisk: Add support for LUKS1 key files

2020-06-03 Thread Denis 'GNUtoo' Carikli
cryptsetup supports key files through the --key-file
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 key files.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 43 ++-
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 8dde70d8d..376895259 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -167,7 +167,9 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   struct grub_luks_phdr header;
   grub_size_t keysize;
   grub_uint8_t *split_key = NULL;
-  char passphrase[MAX_PASSPHRASE] = "";
+  char interactive_passphrase[MAX_PASSPHRASE] = "";
+  grub_uint8_t *passphrase;
+  grub_size_t passphrase_length;
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
@@ -176,10 +178,6 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   char *tmp;
   grub_uint32_t sector;
 
-  /* Keyfiles are not implemented yet */
-  if (keyfile_bytes || keyfile_bytes_size)
- return GRUB_ERR_NOT_IMPLEMENTED_YET;
-
   if (hdr)
 {
   if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
@@ -208,18 +206,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   if (!split_key)
 return grub_errno;
 
-  /* Get the passphrase from the user.  */
-  tmp = NULL;
-  if (source->partition)
-tmp = grub_partition_get_name (source->partition);
-  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-  source->partition ? "," : "", tmp ? : "",
-  dev->uuid);
-  grub_free (tmp);
-  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+  if (keyfile_bytes)
 {
-  grub_free (split_key);
-  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+  /* Use bytestring from key file as passphrase */
+  passphrase = keyfile_bytes;
+  passphrase_length = keyfile_bytes_size;
+}
+  else
+{
+  /* Get the passphrase from the user.  */
+  tmp = NULL;
+  if (source->partition)
+tmp = grub_partition_get_name (source->partition);
+  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+   source->partition ? "," : "", tmp ? : "", dev->uuid);
+  grub_free (tmp);
+  if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+{
+  grub_free (split_key);
+  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+}
+
+  passphrase = (grub_uint8_t *)interactive_passphrase;
+  passphrase_length = grub_strlen (interactive_passphrase);
 }
 
   /* Try to recover master key from each active keyslot.  */
@@ -237,7 +246,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
 
   /* Calculate the PBKDF2 of the user supplied passphrase.  */
   gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-grub_strlen (passphrase),
+passphrase_length,
 header.keyblock[i].passwordSalt,
 sizeof (header.keyblock[i].passwordSalt),
 grub_be_to_cpu32 (header.keyblock[i].
-- 
2.26.2




[PATCH v4][ 5/6] cryptodisk: enable the backends to implement key files

2020-06-03 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
Reviewed-by: Patrick Steinhardt 
---
Changelog since v3:
---
- Fixed the size formating with PRIuGRUB_SIZE
- Added Reviewed-by
---
 grub-core/disk/cryptodisk.c | 89 -
 grub-core/disk/geli.c   |  7 +--
 grub-core/disk/luks.c   |  7 ++-
 grub-core/disk/luks2.c  |  7 +--
 include/grub/cryptodisk.h   |  5 ++-
 include/grub/file.h |  2 +
 6 files changed, 108 insertions(+), 9 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6ad2e486e..b86309ed3 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+{"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 static int check_boot, have_it;
 static char *search_uuid;
 static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_ssize_t key_size;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev, hdr);
+err = cr->recover_key (source, dev, hdr, key, key_size);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1112,6 +1117,88 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
 hdr = NULL;
 
   have_it = 0;
+  key = NULL;
+
+  if (state[4].set) /* keyfile */
+{
+  const char *p = NULL;
+  grub_file_t keyfile;
+  int keyfile_offset;
+  grub_size_t requested_keyfile_size = 0;
+
+
+  if (state[5].set) /* keyfile-offset */
+   {
+ keyfile_offset = grub_strtoul (state[5].arg, &p, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+   }
+  else
+   {
+ keyfile_offset = 0;
+   }
+
+  if (state[6].set) /* keyfile-size */
+   {
+ requested_keyfile_size = grub_strtoul(state[6].arg, &p, 0);
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+   return grub_error(GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size exceeds maximum (%" \
+PRIuGRUB_SIZE ")\n"),
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+
+ if (requested_keyfile_size == 0)
+   return grub_error(GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size is 0\n"));
+   }
+
+
+  keyfile = grub_file_open (state[4].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
+  if (!keyfile)
+   return grub_errno;
+
+  if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+   return grub_errno;
+
+
+  if (requested_keyfile_size)
+   {
+ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  N_("Keyfile is too small: "\
+ "requested %" PRIuGRUB_SIZE " bytes, "  \
+ "but the file only has %" PRIuGRUB_SIZE \
+ " bytes.\n"),
+  requested_keyfile_size,
+  keyfile->size);
+
+ key_size = requested_keyfile_size;
+   }
+  else
+   {
+ key_size = keyfile->size - keyfile_offset;
+   }
+
+  if (grub_file_read (keyfile, keyfile_buffer, key_size) != key_size)
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  (N_("Error reading

[PATCH v4][ 3/6] cryptodisk: enable the backends to implement detached headers

2020-06-03 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/cryptodisk.c | 24 
 grub-core/disk/geli.c   | 15 +--
 grub-core/disk/luks.c   | 14 +++---
 grub-core/disk/luks2.c  | 15 ---
 include/grub/cryptodisk.h   |  6 --
 include/grub/file.h |  2 ++
 6 files changed, 62 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 1897acc4b..6ad2e486e 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
 /* TRANSLATORS: It's still restricted to cryptodisks only.  */
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 
 static int check_boot, have_it;
 static char *search_uuid;
+static grub_file_t hdr;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, hdr);
 if (grub_errno)
   return grub_errno;
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev);
+err = cr->recover_key (source, dev, hdr);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const 
char *cheat)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, NULL);
 if (grub_errno)
   return grub_errno;
 if (!dev)
@@ -1095,6 +1097,20 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
   if (argc < 1 && !state[1].set && !state[2].set)
 return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
 
+  if (state[3].set) /* Detached header */
+{
+  if (state[0].set)
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("Cannot use UUID lookup with detached header"));
+
+  hdr = grub_file_open (state[3].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
+  if (!hdr)
+   return grub_errno;
+}
+  else
+hdr = NULL;
+
   have_it = 0;
   if (state[0].set)
 {
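Review bot: The new guard in grub_cmd_cryptomount rejects only `state[0]` (UUID lookup) together with a detached header, so `-a` and `-b` (apparently `state[1]` and `state[2]`, going by the option table order) still reach the scan loop with `hdr` set, and the same header file would be offered to every scanned device. I would widen the test to `if (state[0].set || state[1].set || state[2].set)` and adjust the message to match. Nothing in this hunk closes `hdr`, which is now a file-scope static; the function continues outside the hunk, so please confirm that every exit path calls `grub_file_close (hdr)` and resets it to NULL. The Patchv3 3/6 posting further down carries the same hunk.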
@@ -1302,7 +1318,7 @@ GRUB_MOD_INIT (cryptodisk)
 {
   grub_disk_dev_register (&grub_cryptodisk_dev);
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("SOURCE|-u UUID|-a|-b"),
+ N_("SOURCE|-u UUID|-a|-b|-H file"),
  N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
 }
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 581631c1d..acd09d874 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -121,6 +122,7 @@ enum
 
 /* FIXME: support version 0.  */
 /* FIXME: support big-endian pre-version-4 volumes.  */
+/* FIXME: support for detached headers.  */
 /* FIXME: support for keyfiles.  */
 /* FIXME: support for HMAC.  */
 const char *algorithms[] = {
@@ -242,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+  grub_file_t hdr)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -254,6 +257,10 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
   grub_disk_addr_t sector;
   grub_err_t err;
 
+  /* Detached headers are not implemented yet */
+  if (hdr)
+return NULL;
+
   if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH)
 return NULL;
 
@@ -397,7 +404,7 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
 }
 
 static grub_err_t
-geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -413,6 +420,10 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev)
   grub_disk_addr_t sector;
   grub_err_t err;
 
+  /* Detached headers are not implement

v4 for detached headers and key files

2020-06-03 Thread Denis 'GNUtoo' Carikli
Hi,

I've now addressed the comment of the following patch:
- [ 5/6] cryptodisk: enable the backends to implement key.

As there weren't other comments, I hope that everything is
fine and that I didn't send the v4 too soon.

Denis.




[PATCH v4][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-06-03 Thread Denis 'GNUtoo' Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 410cd6f84..28585806a 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -65,8 +65,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
  grub_size_t blocknumbers);
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int check_boot)
+luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -310,7 +309,7 @@ luks_recover_key (grub_disk_t source,
 }
 
 struct grub_cryptodisk_dev luks_crypto = {
-  .scan = configure_ciphers,
+  .scan = luks_scan,
   .recover_key = luks_recover_key
 };
 
-- 
2.26.2




[PATCH v4][ 2/6] cryptodisk: geli: unify grub_cryptodisk_dev function names

2020-06-03 Thread Denis 'GNUtoo' Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/geli.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index e9d23299a..581631c1d 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -242,8 +242,7 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -398,7 +397,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
 }
 
 static grub_err_t
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -580,8 +579,8 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 }
 
 struct grub_cryptodisk_dev geli_crypto = {
-  .scan = configure_ciphers,
-  .recover_key = recover_key
+  .scan = geli_scan,
+  .recover_key = geli_recover_key
 };
 
 GRUB_MOD_INIT (geli)
-- 
2.26.2




[Patchv3][ 6/6] cryptodisk: Add support for LUKS1 key files

2020-05-07 Thread Denis 'GNUtoo' Carikli
cryptsetup supports key files through the --key-file
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 key files.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 43 ++-
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 8dde70d8d..376895259 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -167,7 +167,9 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   struct grub_luks_phdr header;
   grub_size_t keysize;
   grub_uint8_t *split_key = NULL;
-  char passphrase[MAX_PASSPHRASE] = "";
+  char interactive_passphrase[MAX_PASSPHRASE] = "";
+  grub_uint8_t *passphrase;
+  grub_size_t passphrase_length;
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
@@ -176,10 +178,6 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   char *tmp;
   grub_uint32_t sector;
 
-  /* Keyfiles are not implemented yet */
-  if (keyfile_bytes || keyfile_bytes_size)
- return GRUB_ERR_NOT_IMPLEMENTED_YET;
-
   if (hdr)
 {
   if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
@@ -208,18 +206,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   if (!split_key)
 return grub_errno;
 
-  /* Get the passphrase from the user.  */
-  tmp = NULL;
-  if (source->partition)
-tmp = grub_partition_get_name (source->partition);
-  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-  source->partition ? "," : "", tmp ? : "",
-  dev->uuid);
-  grub_free (tmp);
-  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+  if (keyfile_bytes)
 {
-  grub_free (split_key);
-  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+  /* Use bytestring from key file as passphrase */
+  passphrase = keyfile_bytes;
+  passphrase_length = keyfile_bytes_size;
+}
+  else
+{
+  /* Get the passphrase from the user.  */
+  tmp = NULL;
+  if (source->partition)
+tmp = grub_partition_get_name (source->partition);
+  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+   source->partition ? "," : "", tmp ? : "", dev->uuid);
+  grub_free (tmp);
+  if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+{
+  grub_free (split_key);
+  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+}
+
+  passphrase = (grub_uint8_t *)interactive_passphrase;
+  passphrase_length = grub_strlen (interactive_passphrase);
 }
 
   /* Try to recover master key from each active keyslot.  */
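Review bot: In the new `if (keyfile_bytes)` branch the length is never examined, so a non-NULL buffer with `keyfile_bytes_size == 0` runs PBKDF2 over an empty passphrase against each keyslot instead of being rejected. Whether the caller can pass that combination is not visible here (an offset equal to the file size with no --keyfile-size looks like it would), so a local guard is cheap: test `keyfile_bytes && keyfile_bytes_size == 0`, free `split_key`, and return `GRUB_ERR_BAD_ARGUMENT`. I would also add a comment that the bytes are taken verbatim, e.g. `/* Key file contents are used as-is, including any trailing newline.  */`, since the interactive path measures its input with `grub_strlen`. The `(grub_uint8_t *) passphrase` cast kept in the next hunk is now redundant. luks_recover_key starts and ends outside these hunks.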
@@ -237,7 +246,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
 
   /* Calculate the PBKDF2 of the user supplied passphrase.  */
   gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-grub_strlen (passphrase),
+passphrase_length,
 header.keyblock[i].passwordSalt,
 sizeof (header.keyblock[i].passwordSalt),
 grub_be_to_cpu32 (header.keyblock[i].
-- 
2.26.2




[Patchv3][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-05-07 Thread Denis 'GNUtoo' Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 410cd6f84..28585806a 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -65,8 +65,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
  grub_size_t blocknumbers);
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int check_boot)
+luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -310,7 +309,7 @@ luks_recover_key (grub_disk_t source,
 }
 
 struct grub_cryptodisk_dev luks_crypto = {
-  .scan = configure_ciphers,
+  .scan = luks_scan,
   .recover_key = luks_recover_key
 };
 
-- 
2.26.2




[Patchv3][ 5/6] cryptodisk: enable the backends to implement key files

2020-05-07 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
ChangeLog:
In addition to the requested changes (if any), the following was
changed:
- Changed a bit the error message "Keyfile is too small"
  from the one suggested in the review.
---
 grub-core/disk/cryptodisk.c | 87 -
 grub-core/disk/geli.c   |  7 +--
 grub-core/disk/luks.c   |  7 ++-
 grub-core/disk/luks2.c  |  7 +--
 include/grub/cryptodisk.h   |  5 ++-
 include/grub/file.h |  2 +
 6 files changed, 106 insertions(+), 9 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6ad2e486e..ab4a62b7f 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+{"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 static int check_boot, have_it;
 static char *search_uuid;
 static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_ssize_t key_size;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
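Review bot: `keyfile_buffer` is a file-scope static, so the key file bytes stay in memory after cryptomount has finished, and nothing in the visible hunks clears them. Once the scan is done I would wipe it with `grub_memset (keyfile_buffer, 0, sizeof (keyfile_buffer));` followed by `key = NULL; key_size = 0;`, on both the success and the error paths. `key_size` is declared `grub_ssize_t` here while the backends take the length as `grub_size_t` (see the geli prototype in the PATCHv2 5/6 posting), so the call converts signed to unsigned implicitly; a short comment on why the signed type was chosen, or one unsigned type for both, would help. The same declarations appear in the PATCHv2 5/6 posting further down.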
@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev, hdr);
+err = cr->recover_key (source, dev, hdr, key, key_size);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1112,6 +1117,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
 hdr = NULL;
 
   have_it = 0;
+  key = NULL;
+
+  if (state[4].set) /* keyfile */
+{
+  const char *p = NULL;
+  grub_file_t keyfile;
+  int keyfile_offset;
+  grub_size_t requested_keyfile_size = 0;
+
+
+  if (state[5].set) /* keyfile-offset */
+   {
+ keyfile_offset = grub_strtoul (state[5].arg, &p, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+   }
+  else
+   {
+ keyfile_offset = 0;
+   }
+
+  if (state[6].set) /* keyfile-size */
+   {
+ requested_keyfile_size = grub_strtoul(state[6].arg, &p, 0);
+
+ if (*p != '\0')
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("unrecognized number"));
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+   return grub_error(GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size exceeds maximum (%llu)\n"), \
+ (unsigned long long) 
GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+
+ if (requested_keyfile_size == 0)
+   return grub_error(GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size is 0\n"));
+   }
+
+
+  keyfile = grub_file_open (state[4].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
+  if (!keyfile)
+   return grub_errno;
+
+  if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+   return grub_errno;
+
+
+  if (requested_keyfile_size)
+   {
+ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  N_("Keyfile is too small: "
+ "requested %llu bytes, "
+ "but the file only has %llu bytes.\n"),
+  (unsigned long long) requested_keyfile_size,
+  (unsigned long long) keyfile->size);
+
+ key_size = requested_keyfile_size;
+   }
+  else
+   {
+ key_size = keyfile->size - keyfile_offset;
+   }
+
+  if (grub_file_read (keyfile, keyfile_buffer, key_size) != key_size)
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  (N_("Error reading key file\n")));
+  key = keyfile_bu

[Patchv3][ 2/6] cryptodisk: geli: unify grub_cryptodisk_dev function names

2020-05-07 Thread Denis 'GNUtoo' Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
---
ChangeLog:
In addition to the requested changes (if any), the following was
changed:
- recover_keys was renamed to geli_recover_keys
---
 grub-core/disk/geli.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index e9d23299a..581631c1d 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -242,8 +242,7 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -398,7 +397,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
 }
 
 static grub_err_t
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
@@ -580,8 +579,8 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 }
 
 struct grub_cryptodisk_dev geli_crypto = {
-  .scan = configure_ciphers,
-  .recover_key = recover_key
+  .scan = geli_scan,
+  .recover_key = geli_recover_key
 };
 
 GRUB_MOD_INIT (geli)
-- 
2.26.2




[Patchv3][ 4/6] cryptodisk: add support for LUKS1 detached headers

2020-05-07 Thread Denis 'GNUtoo' Carikli
From: John Lane 

cryptsetup supports having a detached header through the
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 detached headers.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 48 ++-
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index ffeb679d1..0b20908ac 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -76,17 +77,23 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
   char ciphername[sizeof (header.cipherName) + 1];
   char ciphermode[sizeof (header.cipherMode) + 1];
   char hashspec[sizeof (header.hashSpec) + 1];
-  grub_err_t err;
-
-  /* Detached headers are not implemented yet */
-  if (hdr)
-return NULL;
+  grub_err_t err = GRUB_ERR_NONE;
 
   if (check_boot)
 return NULL;
 
   /* Read the LUKS header.  */
-  err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+  if (hdr)
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return NULL;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return NULL;
+}
+  else
+err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+
   if (err)
 {
   if (err == GRUB_ERR_OUT_OF_RANGE)
@@ -163,15 +170,22 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
-  grub_err_t err;
+  grub_err_t err = GRUB_ERR_NONE;
   grub_size_t max_stripes = 1;
   char *tmp;
+  grub_uint32_t sector;
 
-  /* Detached headers are not implemented yet */
   if (hdr)
-return GRUB_ERR_NOT_IMPLEMENTED_YET;
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return grub_errno;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return grub_errno;
+}
+  else
+err = grub_disk_read (source, 0, 0, sizeof (header), &header);
 
-  err = grub_disk_read (source, 0, 0, sizeof (header), &header);
   if (err)
 return err;
 
@@ -240,13 +254,19 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr)
  return grub_crypto_gcry_error (gcry_err);
}
 
+  sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
   length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
 
   /* Read and decrypt the key material from the disk.  */
-  err = grub_disk_read (source,
-   grub_be_to_cpu32 (header.keyblock
- [i].keyMaterialOffset), 0,
-   length, split_key);
+  if (hdr)
+  {
+if (grub_file_seek (hdr, sector * 512))
+  return grub_errno;
+if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+  return grub_errno;
+  }
+  else
+err = grub_disk_read (source, sector, 0, length, split_key);
   if (err)
{
  grub_free (split_key);
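Review bot: The detached-header branch tests `grub_file_seek (hdr, sector * 512)` for non-zero, while every other seek in this series compares against `(grub_off_t) -1`; as far as I know grub_file_seek returns the previous offset on success, so once the header has been read this branch would return early, possibly with `grub_errno` still GRUB_ERR_NONE. Both early returns also skip the `grub_free (split_key)` that the `if (err)` block just below performs, and `sector * 512` is a 32-bit multiply on a value taken from the header file, so it can wrap. A short `grub_file_read` likewise returns `grub_errno` without an error necessarily being set, which also applies to the header read at the top of luks_recover_key. Setting `err` and falling through to the existing cleanup addresses all of these; the PATCHv2 4/6 posting has the same code, and the loop body continues outside the hunk.

```c
      /* … unchanged: sector and length computed from header.keyblock[i] … */
      if (hdr)
	{
	  if (grub_file_seek (hdr, (grub_off_t) sector * 512) == (grub_off_t) -1)
	    err = grub_errno;
	  else if (grub_file_read (hdr, split_key, length) != (grub_ssize_t) length)
	    err = grub_errno ? grub_errno
	      : grub_error (GRUB_ERR_FILE_READ_ERROR,
			    N_("detached header is too short"));
	}
      else
	err = grub_disk_read (source, sector, 0, length, split_key);
      /* … unchanged: if (err) { grub_free (split_key); … } … */
```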
-- 
2.26.2




V3 for detached headers and key files

2020-05-07 Thread Denis 'GNUtoo' Carikli

Hi,

Here's the v3 where I fixed the comments.

The additional changes which are not covered by the comments are
mentioned in the individual patches ChangeLogs.

PS: I'm really sorry for the delay. It is due to a combination
of various things (personal issue, urgent things that needed
to be done, etc).

Denis.




[Patchv3][ 3/6] cryptodisk: enable the backends to implement detached headers

2020-05-07 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
ChangeLog:
In addition to the requested changes (if any), the following was
changed:
- __unused was removed as we now return an error when a header
  is given to an unsupported backend, in all backends (geli,
  luks, luks2)
- Added a "FIXME: support for detached headers." comment
  near similar FIXME comments in geli.c.
---
 grub-core/disk/cryptodisk.c | 24 
 grub-core/disk/geli.c   | 15 +--
 grub-core/disk/luks.c   | 14 +++---
 grub-core/disk/luks2.c  | 15 ---
 include/grub/cryptodisk.h   |  6 --
 include/grub/file.h |  2 ++
 6 files changed, 62 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 1897acc4b..6ad2e486e 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
 /* TRANSLATORS: It's still restricted to cryptodisks only.  */
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 
 static int check_boot, have_it;
 static char *search_uuid;
+static grub_file_t hdr;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, hdr);
 if (grub_errno)
   return grub_errno;
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev);
+err = cr->recover_key (source, dev, hdr);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const 
char *cheat)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, NULL);
 if (grub_errno)
   return grub_errno;
 if (!dev)
@@ -1095,6 +1097,20 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
   if (argc < 1 && !state[1].set && !state[2].set)
 return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
 
+  if (state[3].set) /* Detached header */
+{
+  if (state[0].set)
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("Cannot use UUID lookup with detached header"));
+
+  hdr = grub_file_open (state[3].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
+  if (!hdr)
+   return grub_errno;
+}
+  else
+hdr = NULL;
+
   have_it = 0;
   if (state[0].set)
 {
@@ -1302,7 +1318,7 @@ GRUB_MOD_INIT (cryptodisk)
 {
   grub_disk_dev_register (&grub_cryptodisk_dev);
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("SOURCE|-u UUID|-a|-b"),
+ N_("SOURCE|-u UUID|-a|-b|-H file"),
  N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
 }
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 581631c1d..acd09d874 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -121,6 +122,7 @@ enum
 
 /* FIXME: support version 0.  */
 /* FIXME: support big-endian pre-version-4 volumes.  */
+/* FIXME: support for detached headers.  */
 /* FIXME: support for keyfiles.  */
 /* FIXME: support for HMAC.  */
 const char *algorithms[] = {
@@ -242,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+  grub_file_t hdr)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -254,6 +257,10 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
   grub_disk_addr_t sector;
   grub_err_t err;
 
+  /* Detached headers are not implemented yet */
+  if (hdr)
+return NULL;
+
   if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH)
 return NULL;
 
@@ -397,7 +404,7 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
 }
 
 static grub_err_t
-geli_recover_key (grub_disk_t source, grub_crypto

Re: [PATCHv2][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-04-03 Thread Denis 'GNUtoo' Carikli
On Fri, 3 Apr 2020 18:02:41 +0200
Daniel Kiper  wrote:

> Sorry, this is not 2.06 material for me.
It's not a big issue for my use cases. In the worst case I can just
backport the patches in the 2.06 packages and/or rely on -git packages
until the next release. 

On the other hand, I want to avoid having to maintain out of tree
patches, and having such features in GRUB at some point would probably
be very useful for many other people as well.

> However, I am happy to take it after the release.
Thanks a lot.

Denis.




Re: [PATCHv2][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-03-17 Thread Denis 'GNUtoo' Carikli
I'm sorry to have taken so long.

I ended up being sidetracked with other functionalities I wanted to add
as well along the way, which I'll probably address another time.

I also forgot to use --compose for sending the patches.

As for the changes between the V1 and this one, beside addressing the
comments the main changes are that:
- I've split the patch set between the generic part and the backend
  specific part (like luks1).
- I've renamed the GRUB_FILE_TYPE to match the fact that the file type
  could also be used in geli if it's implemented there.
- I've also added two tiny patches to unify function names as it makes
  the code easier to read afterward.

Denis.




[PATCHv2][ 5/6] cryptodisk: enable the backends to implement key files

2020-03-17 Thread Denis 'GNUtoo' Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/cryptodisk.c | 71 -
 grub-core/disk/geli.c   |  4 ++-
 grub-core/disk/luks.c   |  4 ++-
 grub-core/disk/luks2.c  |  4 ++-
 include/grub/cryptodisk.h   |  5 ++-
 include/grub/file.h |  2 ++
 6 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index fa342fe44..2adb224d0 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+{"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 static int check_boot, have_it;
 static char *search_uuid;
 static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_ssize_t key_size;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev, hdr);
+err = cr->recover_key (source, dev, hdr, key, key_size);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1112,6 +1117,70 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
 hdr = NULL;
 
   have_it = 0;
+  key = NULL;
+
+  if (state[4].set) /* keyfile */
+{
+  grub_file_t keyfile;
+  int keyfile_offset;
+  grub_size_t requested_keyfile_size = 0;
+
+  if (state[5].set) /* keyfile-offset */
+   {
+ keyfile_offset = grub_strtoul (state[5].arg, 0, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+   }
+  else
+   {
+ keyfile_offset = 0;
+   }
+
+  if (state[6].set) /* keyfile-size */
+   {
+ requested_keyfile_size = grub_strtoul(state[6].arg, 0, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+   return grub_errno;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+   return grub_error(GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size exceeds maximum (%llu)\n"), \
+ (unsigned long long) 
GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+   }
+
+
+  keyfile = grub_file_open (state[4].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
+  if (!keyfile)
+   return grub_errno;
+
+  if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+   return grub_errno;
+
+
+  if (state[6].set) /* keyfile-size */
+   {
+ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  N_("Cannot read %llu bytes for key file (read 
%llu bytes)\n"),
+  (unsigned long long) requested_keyfile_size,
+  (unsigned long long) keyfile->size);
+
+ key_size = requested_keyfile_size;
+   }
+  else
+   {
+ key_size = keyfile->size - keyfile_offset;
+   }
+
+  if (grub_file_read (keyfile, keyfile_buffer, key_size) != key_size)
+   return grub_error (GRUB_ERR_FILE_READ_ERROR,
+  (N_("Error reading key file\n")));
+  key = keyfile_buffer;
+}
+
   if (state[0].set)
 {
   grub_cryptodisk_t dev;
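Review bot: When `--keyfile-size` is not given, the `else` branch sets `key_size = keyfile->size - keyfile_offset` with no comparison against GRUB_CRYPTODISK_MAX_KEYFILE_SIZE, so a key file larger than that makes `grub_file_read` write past the static `keyfile_buffer`; the maximum is enforced only on the requested size. `keyfile` is also never closed, neither after the read nor on the error returns that follow `grub_file_open`. `keyfile_offset` is an `int` filled from `grub_strtoul`, which truncates large offsets; `grub_off_t` would match what `grub_file_seek` takes. The later revisions of this patch on the page appear to carry the same `else` branch.

```c
      /* … unchanged: option parsing, grub_file_open, grub_file_seek … */
      if (state[6].set) /* keyfile-size */
	{
	  /* … unchanged: "too small" check … */
	  key_size = requested_keyfile_size;
	}
      else
	{
	  if (keyfile->size - keyfile_offset > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
	    {
	      grub_file_close (keyfile);
	      return grub_error (GRUB_ERR_OUT_OF_RANGE,
				 N_("Key file size exceeds maximum"));
	    }
	  key_size = keyfile->size - keyfile_offset;
	}

      if (grub_file_read (keyfile, keyfile_buffer, key_size) != key_size)
	{
	  grub_file_close (keyfile);
	  return grub_error (GRUB_ERR_FILE_READ_ERROR,
			     (N_("Error reading key file\n")));
	}
      grub_file_close (keyfile);
      key = keyfile_buffer;
```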
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index bec0bb877..7b3f3e721 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -401,7 +401,9 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only,
 
 static grub_err_t
 recover_key (grub_disk_t source, grub_cryptodisk_t dev,
-grub_file_t hdr __attribute__ ((unused)))
+grub_file_t hdr __attribute__ ((unused)),
+grub_uint8_t *key __attribute__ ((unused)),
+grub_size_t keyfile_size __attribute__ ((unused)))
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 0b20908ac..d0f65700d 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ 

[PATCHv2][ 4/6] cryptodisk: add support for LUKS1 detached headers

2020-03-17 Thread Denis 'GNUtoo' Carikli
From: John Lane 

cryptsetup supports having a detached header through the
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 detached headers.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 49 +--
 1 file changed, 38 insertions(+), 11 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index e07a2fef1..0b20908ac 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
 
 static grub_cryptodisk_t
 luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
-  grub_file_t hdr __attribute__((__unused__)))
+  grub_file_t hdr)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -76,13 +77,23 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
   char ciphername[sizeof (header.cipherName) + 1];
   char ciphermode[sizeof (header.cipherMode) + 1];
   char hashspec[sizeof (header.hashSpec) + 1];
-  grub_err_t err;
+  grub_err_t err = GRUB_ERR_NONE;
 
   if (check_boot)
 return NULL;
 
   /* Read the LUKS header.  */
-  err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+  if (hdr)
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return NULL;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return NULL;
+}
+  else
+err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+
   if (err)
 {
   if (err == GRUB_ERR_OUT_OF_RANGE)
@@ -150,8 +161,7 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
 }
 
 static grub_err_t
-luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev,
- grub_file_t hdr __attribute__ ((unused)))
+luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
 {
   struct grub_luks_phdr header;
   grub_size_t keysize;
@@ -160,11 +170,22 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev,
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
-  grub_err_t err;
+  grub_err_t err = GRUB_ERR_NONE;
   grub_size_t max_stripes = 1;
   char *tmp;
+  grub_uint32_t sector;
+
+  if (hdr)
+{
+  if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+   return grub_errno;
+
+  if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+   return grub_errno;
+}
+  else
+err = grub_disk_read (source, 0, 0, sizeof (header), &header);
 
-  err = grub_disk_read (source, 0, 0, sizeof (header), &header);
   if (err)
 return err;
 
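Review bot: In the `if (hdr)` branch a short read returns `grub_errno`, but a read that simply hits end of file early may leave `grub_errno` at `GRUB_ERR_NONE`, so luks_recover_key could report success with a partly filled `header` and no key recovered. Return an explicit error instead, for example `return grub_errno ? grub_errno : grub_error (GRUB_ERR_FILE_READ_ERROR, "detached header is too short");`. The key-material read in the last hunk of this file uses the same `return grub_errno` pattern after `grub_file_read`. The function body continues outside the hunk.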
@@ -233,13 +254,19 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev,
  return grub_crypto_gcry_error (gcry_err);
}
 
+  sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
   length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
 
   /* Read and decrypt the key material from the disk.  */
-  err = grub_disk_read (source,
-   grub_be_to_cpu32 (header.keyblock
- [i].keyMaterialOffset), 0,
-   length, split_key);
+  if (hdr)
+  {
+if (grub_file_seek (hdr, sector * 512))
+  return grub_errno;
+if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+  return grub_errno;
+  }
+  else
+err = grub_disk_read (source, sector, 0, length, split_key);
   if (err)
{
  grub_free (split_key);
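Review bot: The seek check `if (grub_file_seek (hdr, sector * 512))` treats any non-zero return as failure, while the header reads earlier in this patch compare against `(grub_off_t) -1`; if the call returns the previous offset, as those checks suggest, this branch fires once the header has been read and returns `grub_errno`, which may be `GRUB_ERR_NONE`. Both early returns also skip the `grub_free (split_key)` that the `if (err)` path below performs, and `sector * 512` is evaluated in 32 bits even though `keyMaterialOffset` is taken from the header file. Setting `err` and falling through to the existing cleanup addresses all three, as sketched below. luks_recover_key starts and ends outside the hunk.

```c
      if (hdr)
	{
	  /* Only (grub_off_t) -1 signals a failed seek; widen before scaling.  */
	  if (grub_file_seek (hdr, (grub_off_t) sector * 512) == (grub_off_t) -1
	      || grub_file_read (hdr, split_key, length) != (grub_ssize_t) length)
	    err = grub_errno ? grub_errno
	      : grub_error (GRUB_ERR_FILE_READ_ERROR,
			    "short read from detached header");
	}
      else
	err = grub_disk_read (source, sector, 0, length, split_key);
      /* … unchanged: if (err) frees split_key … */
```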
-- 
2.25.1




[PATCHv2][ 3/6] cryptodisk: enable the backends to implement detached headers

2020-03-17 Thread Denis &#x27;GNUtoo7; Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/cryptodisk.c | 24 
 grub-core/disk/geli.c   |  8 ++--
 grub-core/disk/luks.c   |  7 ---
 grub-core/disk/luks2.c  |  7 ---
 include/grub/cryptodisk.h   |  6 --
 include/grub/file.h |  2 ++
 6 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 1897acc4b..fa342fe44 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
 /* TRANSLATORS: It's still restricted to cryptodisks only.  */
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 
 static int check_boot, have_it;
 static char *search_uuid;
+static grub_file_t hdr;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, hdr);
 if (grub_errno)
   return grub_errno;
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev);
+err = cr->recover_key (source, dev, hdr);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const 
char *cheat)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, 0);
 if (grub_errno)
   return grub_errno;
 if (!dev)
@@ -1095,6 +1097,20 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
   if (argc < 1 && !state[1].set && !state[2].set)
 return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
 
+  if (state[3].set) /* Detached header */
+{
+  if (state[0].set)
+   return grub_error (GRUB_ERR_BAD_ARGUMENT,
+  N_("Cannot use UUID lookup with detached header"));
+
+  hdr = grub_file_open (state[3].arg,
+   GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
+  if (!hdr)
+   return grub_errno;
+}
+  else
+hdr = NULL;
+
   have_it = 0;
   if (state[0].set)
 {
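Review bot: Nothing in this hunk closes `hdr` after `grub_file_open` succeeds, and the handle lives in the file-scope `static grub_file_t hdr` added earlier in this patch, so unless the rest of grub_cmd_cryptomount (outside the hunk) closes it, each `cryptomount -H` leaks an open file and leaves a stale handle behind for later scans. I would add `if (hdr) { grub_file_close (hdr); hdr = NULL; }` on every exit path after this point. The check also rejects only the UUID lookup; with `-a` or `-b` the same header file would presumably be handed to every scanned device through grub_cryptodisk_scan_device_real, so those combinations deserve a `GRUB_ERR_BAD_ARGUMENT` too. The [PATCH 1/2] posting of this hunk further down has the same gap.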
@@ -1302,7 +1318,7 @@ GRUB_MOD_INIT (cryptodisk)
 {
   grub_disk_dev_register (&grub_cryptodisk_dev);
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("SOURCE|-u UUID|-a|-b"),
+ N_("SOURCE|-u UUID|-a|-b|-H file"),
  N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
 }
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 786682077..bec0bb877 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -242,7 +243,8 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+  grub_file_t hdr __attribute__((__unused__)))
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
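Review bot: `geli_scan` accepts the new `hdr` argument and ignores it, so `cryptomount -H file` on a device that carries GELI metadata would still be matched from its on-disk header while the user believes the detached header is in use. Rather than marking the parameter unused, return early when a header file was supplied: `if (hdr) return NULL;` preceded by a comment such as `/* Detached headers are not implemented for GELI.  */`. The function body continues outside the hunk, and the `configure_ciphers` hunk in the [PATCH 1/2] posting below behaves the same way.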
@@ -254,6 +256,7 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
   grub_disk_addr_t sector;
   grub_err_t err;
 
+
   if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH)
 return NULL;
 
@@ -397,7 +400,8 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int 
boot_only)
 }
 
 static grub_err_t
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+recover_key (grub_disk_t source, grub_cryptodisk_t dev,
+grub_file_t hdr __attribute__ ((unused)))
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 28585806a..e07a2fef1 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -65,7 +65,8 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
  grub_size_t blocknumbers);
 
 static grub_cryptodisk_t
-luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
+luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
+

[PATCHv2][ 2/6] cryptodisk: geli: unify grub_cryptodisk_dev function names

2020-03-17 Thread Denis &#x27;GNUtoo7; Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/geli.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index e9d23299a..786682077 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -242,8 +242,7 @@ grub_util_get_geli_uuid (const char *dev)
 #endif
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int boot_only)
+geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -580,7 +579,7 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
 }
 
 struct grub_cryptodisk_dev geli_crypto = {
-  .scan = configure_ciphers,
+  .scan = geli_scan,
   .recover_key = recover_key
 };
 
-- 
2.25.1




[PATCHv2][ 6/6] cryptodisk: Add support for LUKS1 key files

2020-03-17 Thread Denis &#x27;GNUtoo7; Carikli
cryptsetup supports key files through the --key-file
--header command line argument for both LUKS1 and LUKS2.

This adds support for LUKS1 key files.

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase, fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 42 +++---
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index d0f65700d..376895259 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -162,13 +162,14 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int 
check_boot,
 
 static grub_err_t
 luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
- grub_uint8_t *keyfile_bytes __attribute__ ((unused)),
- grub_size_t keyfile_bytes_size __attribute__ ((unused)))
+ grub_uint8_t *keyfile_bytes, grub_size_t keyfile_bytes_size)
 {
   struct grub_luks_phdr header;
   grub_size_t keysize;
   grub_uint8_t *split_key = NULL;
-  char passphrase[MAX_PASSPHRASE] = "";
+  char interactive_passphrase[MAX_PASSPHRASE] = "";
+  grub_uint8_t *passphrase;
+  grub_size_t passphrase_length;
   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
   unsigned i;
   grub_size_t length;
@@ -205,18 +206,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
   if (!split_key)
 return grub_errno;
 
-  /* Get the passphrase from the user.  */
-  tmp = NULL;
-  if (source->partition)
-tmp = grub_partition_get_name (source->partition);
-  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-  source->partition ? "," : "", tmp ? : "",
-  dev->uuid);
-  grub_free (tmp);
-  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+  if (keyfile_bytes)
 {
-  grub_free (split_key);
-  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+  /* Use bytestring from key file as passphrase */
+  passphrase = keyfile_bytes;
+  passphrase_length = keyfile_bytes_size;
+}
+  else
+{
+  /* Get the passphrase from the user.  */
+  tmp = NULL;
+  if (source->partition)
+tmp = grub_partition_get_name (source->partition);
+  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+   source->partition ? "," : "", tmp ? : "", dev->uuid);
+  grub_free (tmp);
+  if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+{
+  grub_free (split_key);
+  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+}
+
+  passphrase = (grub_uint8_t *)interactive_passphrase;
+  passphrase_length = grub_strlen (interactive_passphrase);
 }
 
   /* Try to recover master key from each active keyslot.  */
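Review bot: `if (keyfile_bytes)` selects the key-file path even when `keyfile_bytes_size` is 0, so an empty key file would be passed to PBKDF2 as an empty passphrase instead of falling back to the prompt; whether the caller can pass a zero length is not visible in this patch. `if (keyfile_bytes && keyfile_bytes_size > 0)` would make the fallback explicit. The new comment could also say that the bytes are used verbatim, for example `/* Use the key file contents, unmodified, as the passphrase.  */`. luks_recover_key starts and ends outside the hunk.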
@@ -234,7 +246,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t 
dev, grub_file_t hdr,
 
   /* Calculate the PBKDF2 of the user supplied passphrase.  */
   gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-grub_strlen (passphrase),
+passphrase_length,
 header.keyblock[i].passwordSalt,
 sizeof (header.keyblock[i].passwordSalt),
 grub_be_to_cpu32 (header.keyblock[i].
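Review bot: The cast in `(grub_uint8_t *) passphrase` on the context line is now redundant, because this patch declares `passphrase` as `grub_uint8_t *`. Dropping it, `gcry_err = grub_crypto_pbkdf2 (dev->hash, passphrase,`, keeps the call from hiding a later type change. The call continues past the end of the hunk.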
-- 
2.25.1




[PATCHv2][ 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function names

2020-03-17 Thread Denis &#x27;GNUtoo7; Carikli
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/luks.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 410cd6f84..28585806a 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -65,8 +65,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
  grub_size_t blocknumbers);
 
 static grub_cryptodisk_t
-configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int check_boot)
+luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -310,7 +309,7 @@ luks_recover_key (grub_disk_t source,
 }
 
 struct grub_cryptodisk_dev luks_crypto = {
-  .scan = configure_ciphers,
+  .scan = luks_scan,
   .recover_key = luks_recover_key
 };
 
-- 
2.25.1




[PATCH 2/2] Cryptomount support key files

2020-02-21 Thread Denis &#x27;GNUtoo7; Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/cryptodisk.c | 46 -
 grub-core/disk/geli.c   |  4 +++-
 grub-core/disk/luks.c   | 44 ---
 include/grub/cryptodisk.h   |  5 +++-
 include/grub/file.h |  2 ++
 5 files changed, 84 insertions(+), 17 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6d4befc6f..ee2f300dd 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
+{"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 static int check_boot, have_it;
 static char *search_uuid;
 static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_size_t keyfile_size;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev, hdr);
+err = cr->recover_key (source, dev, hdr, key, keyfile_size);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1110,6 +1115,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
 hdr = NULL;
 
   have_it = 0;
+  key = NULL;
+
+  if (state[4].set) /* Key file; fails back to passphrase entry */
+{
+  grub_file_t keyfile;
+  int keyfile_offset;
+  grub_size_t requested_keyfile_size;
+
+  requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) 
: 0;
+
+  if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
+(unsigned long long) 
GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+  else
+{
+  keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 
0;
+  keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
+GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
+
+  keyfile = grub_file_open (state[4].arg, 
GRUB_FILE_TYPE_LUKS_KEY_FILE);
+  if (!keyfile)
+grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
+  else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+grub_printf (N_("Unable to seek to offset %d in key file\n"), 
keyfile_offset);
+  else
+{
+  keyfile_size = grub_file_read (keyfile, keyfile_buffer, 
keyfile_size);
+  if (keyfile_size == (grub_size_t)-1)
+ grub_printf (N_("Error reading key file\n"));
+ else if (requested_keyfile_size && (keyfile_size != 
requested_keyfile_size))
+ grub_printf (N_("Cannot read %llu bytes for key file (read 
%llu bytes)\n"),
+(unsigned long long) 
requested_keyfile_size,
+   (unsigned long long) 
keyfile_size);
+  else
+key = keyfile_buffer;
+   }
+}
+}
+
   if (state[0].set)
 {
   grub_cryptodisk_t dev;
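Review bot: `keyfile` is opened here but never closed; the variable goes out of scope at the end of the `if (state[4].set)` block, so every path after a successful `grub_file_open` leaks the handle, and `grub_file_close (keyfile);` should follow the read and the failed-seek branch. The key bytes also stay in the file-scope `keyfile_buffer` after the command returns; unless cleanup outside this hunk wipes it, I would clear it with `grub_memset (keyfile_buffer, 0, sizeof (keyfile_buffer));` once the mount attempt is over. `keyfile_offset` is an `int` filled from `grub_strtoul` with no end-pointer or `grub_errno` check, so a malformed or large `-O`/`-S` value is silently truncated or read as 0; a `grub_off_t` with a parse check would be safer. grub_cmd_cryptomount continues outside the hunk.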
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index f4394eb42..da6aa6a63 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
 
 static grub_err_t
 recover_key (grub_disk_t source, grub_cryptodisk_t dev,
-grub_file_t hdr __attribute__ ((unused)) )
+grub_file_t hdr __attribute__ ((unused)),
+grub_uint8_t *key __attribute__ ((unused)),
+grub_size_t keyfile_size __attribute__ ((unused)) )
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 950e89237..54b1cfe70 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -164,12 +164,16 @@ configure_ciphers (grub_disk_t disk, const char 
*check_uuid,
 static grub_err_t
 luks_recover_key (grub_disk_t source,
  grub_cryptodisk_t dev,
- 

[PATCH 1/2] Cryptomount support LUKS detached header

2020-02-21 Thread Denis &#x27;GNUtoo7; Carikli
From: John Lane 

Signed-off-by: John Lane 
gnu...@cyberdimension.org: rebase
Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/disk/cryptodisk.c | 22 ++
 grub-core/disk/geli.c   |  7 --
 grub-core/disk/luks.c   | 45 ++---
 include/grub/cryptodisk.h   |  5 +++--
 include/grub/file.h |  2 ++
 5 files changed, 65 insertions(+), 16 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 1897acc4b..6d4befc6f 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
 /* TRANSLATORS: It's still restricted to cryptodisks only.  */
 {"all", 'a', 0, N_("Mount all."), 0, 0},
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+{"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
 {0, 0, 0, 0, 0, 0}
   };
 
@@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
 
 static int check_boot, have_it;
 static char *search_uuid;
+static grub_file_t hdr;
 
 static void
 cryptodisk_close (grub_cryptodisk_t dev)
@@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name, 
grub_disk_t source)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot, hdr);
 if (grub_errno)
   return grub_errno;
 if (!dev)
   continue;
 
-err = cr->recover_key (source, dev);
+err = cr->recover_key (source, dev, hdr);
 if (err)
 {
   cryptodisk_close (dev);
@@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const 
char *cheat)
 
   FOR_CRYPTODISK_DEVS (cr)
   {
-dev = cr->scan (source, search_uuid, check_boot);
+dev = cr->scan (source, search_uuid, check_boot,0);
 if (grub_errno)
   return grub_errno;
 if (!dev)
@@ -1095,6 +1097,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
   if (argc < 1 && !state[1].set && !state[2].set)
 return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
 
+  if (state[3].set) /* LUKS detached header */
+{
+  if (state[0].set) /* Cannot use UUID lookup with detached header */
+return GRUB_ERR_BAD_ARGUMENT;
+
+  hdr = grub_file_open (state[3].arg, GRUB_FILE_TYPE_LUKS_DETACHED_HEADER);
+  if (!hdr)
+return grub_errno;
+}
+  else
+hdr = NULL;
+
   have_it = 0;
   if (state[0].set)
 {
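Review bot: The rejection of UUID lookup together with a detached header returns the bare code `GRUB_ERR_BAD_ARGUMENT`, so `grub_errno` is not set and the user gets no message; the reason exists only as a source comment. Use `return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Cannot use UUID lookup with detached header"));`, matching the `"device name required"` check just above. The function continues outside the hunk.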
@@ -1302,7 +1316,7 @@ GRUB_MOD_INIT (cryptodisk)
 {
   grub_disk_dev_register (&grub_cryptodisk_dev);
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("SOURCE|-u UUID|-a|-b"),
+ N_("SOURCE|-u UUID|-a|-b|-H file"),
  N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
 }
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index e9d23299a..f4394eb42 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
 
 static grub_cryptodisk_t
 configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int boot_only)
+  int boot_only,
+  grub_file_t hdr __attribute__ ((unused)) )
 {
   grub_cryptodisk_t newdev;
   struct grub_geli_phdr header;
@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
 }
 
 static grub_err_t
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+recover_key (grub_disk_t source, grub_cryptodisk_t dev,
+grub_file_t hdr __attribute__ ((unused)) )
 {
   grub_size_t keysize;
   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 410cd6f84..950e89237 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, 
grub_uint8_t * src,
 
 static grub_cryptodisk_t
 configure_ciphers (grub_disk_t disk, const char *check_uuid,
-  int check_boot)
+  int check_boot, grub_file_t hdr)
 {
   grub_cryptodisk_t newdev;
   const char *iptr;
@@ -78,11 +79,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
   char hashspec[sizeof (header.hashSpec) + 1];
   grub_err_t err;
 
+  err = GRUB_ERR_NONE;
+
   if (check_boot)
 return NULL;
 
   /* Read the LUKS header.  */
-  err = grub_disk_read (disk, 0, 0, sizeof (header), &

Re: GRUB multiboot_elfxx.c issue

2018-07-02 Thread Denis &#x27;GNUtoo7; Carikli
On Mon, 2 Jul 2018 15:21:05 +0500
yanvasilij yan  wrote:

> Hello!
Hi,

> I suppose there is error
> in ./grub-core/loader/multiboot_elfxx.c in 130 line. Becose of it I
> get a error:
> 
> loader/multiboot_elfxx.c: In function ‘grub_multiboot_load_elf64’:
> loader/multiboot_elfxx.c:130:28: error: ‘relocatable’ undeclared
> (first use in this function)
>"load_base_addr=0x%x\n", relocatable,
See the patch I just sent for fixing that:
https://lists.gnu.org/archive/html/grub-devel/2018-06/msg00102.html

As I didn't have any comments on it yet, I don't know if it's the
proper way to fix it though.

Denis.




[PATCH] multiboot_elfxx.c: fix compilation by fixing undeclared variable

2018-06-29 Thread Denis &#x27;GNUtoo7; Carikli
Without that fix we have:
  In file included from ../../include/grub/command.h:25:0,
   from ../../grub-core/loader/multiboot.c:30:
  ../../grub-core/loader/multiboot_elfxx.c: In function 
'grub_multiboot_load_elf64':
  ../../grub-core/loader/multiboot_elfxx.c:130:28: error: 'relocatable' 
undeclared (first use in this function)
 "load_base_addr=0x%x\n", relocatable,

Signed-off-by: Denis 'GNUtoo' Carikli 
---
 grub-core/loader/multiboot_elfxx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/loader/multiboot_elfxx.c 
b/grub-core/loader/multiboot_elfxx.c
index ae36d9d49..70cd1db51 100644
--- a/grub-core/loader/multiboot_elfxx.c
+++ b/grub-core/loader/multiboot_elfxx.c
@@ -127,7 +127,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
 mld->load_base_addr = mld->link_base_addr;
 
   grub_dprintf ("multiboot_loader", "relocatable=%d, link_base_addr=0x%x, "
-   "load_base_addr=0x%x\n", relocatable,
+   "load_base_addr=0x%x\n", mld->relocatable,
mld->link_base_addr, mld->load_base_addr);
 
   /* Load every loadable segment in memory.  */
-- 
2.18.0




[MERGE] * grub-core/Makefile.core.def: permit to build linux16 for coreboot.

2013-02-17 Thread Denis &#x27;GNUtoo7; Carikli
Hi,

Here's a small change for enabling the linux16 command(needed for ipxe)
with the coreboot target.

As stated in the commit message linux16 doesn't work yet.

Denis.# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: gnu...@no-log.org-20130217204650-bshkr0dhq5paqdwr
# target_branch: http://bzr.savannah.gnu.org/r/grub/trunk/grub/
# testament_sha1: 53580e95df91a29167d3b8747810d6e53a1c7029
# timestamp: 2013-02-17 21:50:09 +0100
# base_revision_id: phco...@gmail.com-20130206163729-9hvyp8zymvilwmao
# 
# Begin patch
=== modified file 'grub-core/Makefile.core.def'
--- grub-core/Makefile.core.def	2013-02-01 20:49:29 +
+++ grub-core/Makefile.core.def	2013-02-17 20:46:50 +
@@ -1384,9 +1384,10 @@
 
 module = {
   name = linux16;
-  i386_pc = loader/i386/pc/linux.c;
-  i386_pc = lib/cmdline.c;
+  common = loader/i386/pc/linux.c;
+  common = lib/cmdline.c;
   enable = i386_pc;
+  enable = i386_coreboot;
 };
 
 module = {

# Begin bundle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___