From: Andrei Borzenkov <arvidjaar@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: kris@pcbsd.org
Subject: Re: Question about GRUB/GELI support
Date: Sat, 27 Sep 2014 10:15:57 +0400 [thread overview]
Message-ID: <20140927101557.0d21df61@opensuse.site> (raw)
In-Reply-To: <54259E48.4040502@pcbsd.org>
В Fri, 26 Sep 2014 13:11:36 -0400
Kris Moore <kris@pcbsd.org> пишет:
>
> Hey, quick question about GRUB's support for GELI. We are using it to
> boot Free/PC-BSD with GELI v5, and it works great there. However FreeBSD
> updated their geli implementation very slightly to v7, which only
> changes which part of the master key is used for encrypt / decrypt.
>
> https://github.com/freebsd/freebsd/commit/38de8ef1dd0e468ff1e3ec1c431f465e270beba3
>
> I think the line in GRUB that needs tweaking is on or around 440 of
> grub-core/disk/geli.c, where it calls grub_crypto_pbkdf2 (dev->hash.....
It would be too simple ... :) It just unlocks master key itself, while
patch makes GELI to use derived key during encryption (and I presume
decryption).
> I'm having trouble figuring out which part of that would be the
> equivalent of Freebsd's mkey -> ekey change, or if that data is even
> exposed in GRUB's version. Any tips or pointers?
>
You need to change which key is used for decryption after
/* Set the master key. */
if (!dev->rekey)
{
...
Now, after cursory browsing of FreeBSD code, grub geli seems to lack
quite a number of flags, each one apparently changing how keys are
computed. I do not know enough about GELI to decide whether they are
important to support or not. But I tried to understand where
sc->sc_ekey comes from in case of G_ELI_FLAG_SINGLE_KEY not set, and failed :)
Also it seems that sc->sc_ekey is computed differently depending on
whether G_ELI_FLAG_AUTH is set or not (if it is not set, ekey is
apparently just a copy of mkey sans IV).
> I'm also doing some other patches to GRUB so we can pass the GELI key as
> a variable to the kernel, skipping the prompting at mount-root. That
> seems to work well, but I wanted to see if I could knock out both fixes
> at the same time. Once its done, I'll be happy to forward the patch for
> upstream inclusion.
>
It's up to you but I do not see any reason to wait as long as two
patches address independent problems.
> Thanks!
>
prev parent reply other threads:[~2014-09-27 6:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-26 17:11 Question about GRUB/GELI support Kris Moore
2014-09-27 6:15 ` Andrei Borzenkov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140927101557.0d21df61@opensuse.site \
--to=arvidjaar@gmail.com \
--cc=grub-devel@gnu.org \
--cc=kris@pcbsd.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.