Date: Tue, 25 Feb 2020 22:46:22 +0100
From: Patrick Steinhardt
To: The development of GNU GRUB
Cc: Denis 'GNUtoo' Carikli, John Lane
Subject: Re: [PATCH 1/2] Cryptomount support LUKS detached header
Message-ID: <20200225214622.GA4264@xps>
In-Reply-To: <20200224111237.jqtefw7ms2ldpw66@tomti.i.net-space.pl>

On Mon, Feb 24, 2020 at 12:12:37PM +0100, Daniel Kiper wrote:
> Adding Patrick...
>
> On Fri, Feb 21, 2020 at 10:03:48PM +0100, Denis 'GNUtoo' Carikli wrote:
> > From: John Lane
>
> Both patches require explanation what they do and more importantly why
> they are needed... And it would be nice to have cover letter.
>
> ...and please CC Patrick next time...
>
> Daniel

I'll have a look towards the end of this week.

Patrick

> > Signed-off-by: John Lane
> > GNUtoo@cyberdimension.org: rebase
> > Signed-off-by: Denis 'GNUtoo' Carikli
> > --- > > grub-core/disk/cryptodisk.c | 22 ++++++++++++++---- > > grub-core/disk/geli.c | 7 ++++-- > > grub-core/disk/luks.c | 45 ++++++++++++++++++++++++++++++------- > > include/grub/cryptodisk.h | 5 +++-- > > include/grub/file.h | 2 ++ > > 5 files changed, 65 insertions(+), 16 deletions(-) > > > > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c > > index 1897acc4b..6d4befc6f 100644
> > --- a/grub-core/disk/cryptodisk.c > > +++ b/grub-core/disk/cryptodisk.c > > @@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =3D > > /* TRANSLATORS: It's still restricted to cryptodisks only. */ > > {"all", 'a', 0, N_("Mount all."), 0, 0}, > > {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0,= 0}, > > + {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_S= TRING}, > > {0, 0, 0, 0, 0, 0} > > }; > > > > @@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) > > > > static int check_boot, have_it; > > static char *search_uuid; > > +static grub_file_t hdr; > > > > static void > > cryptodisk_close (grub_cryptodisk_t dev) > > @@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *nam= e, grub_disk_t source) > > > > FOR_CRYPTODISK_DEVS (cr) > > { > > - dev =3D cr->scan (source, search_uuid, check_boot); > > + dev =3D cr->scan (source, search_uuid, check_boot, hdr); > > if (grub_errno) > > return grub_errno; > > if (!dev) > > continue; > > > > - err =3D cr->recover_key (source, dev); > > + err =3D cr->recover_key (source, dev, hdr); > > if (err) > > { > > cryptodisk_close (dev); > > @@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcede= v, const char *cheat) > > > > FOR_CRYPTODISK_DEVS (cr) > > { > > - dev =3D cr->scan (source, search_uuid, check_boot); > > + dev =3D cr->scan (source, search_uuid, check_boot,0); > > if (grub_errno) > > return grub_errno; > > if (!dev) 
> > @@ -1095,6 +1097,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt= , int argc, char **args) > > if (argc < 1 && !state[1].set && !state[2].set) > > return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required"); > > > > + if (state[3].set) /* LUKS detached header */ > > + { > > + if (state[0].set) /* Cannot use UUID lookup with detached header= */ > > + return GRUB_ERR_BAD_ARGUMENT; > > + > > + hdr =3D grub_file_open (state[3].arg, GRUB_FILE_TYPE_LUKS_DETACH= ED_HEADER); > > + if (!hdr) > > + return grub_errno; > > + } > > + else > > + hdr =3D NULL; > > + > > have_it =3D 0; > > if (state[0].set) > > { > > @@ -1302,7 +1316,7 @@ GRUB_MOD_INIT (cryptodisk) > > { > > grub_disk_dev_register (&grub_cryptodisk_dev); > > cmd =3D grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, > > - N_("SOURCE|-u UUID|-a|-b"), > > + N_("SOURCE|-u UUID|-a|-b|-H file"), > > N_("Mount a crypto device."), options); > > grub_procfs_register ("luks_script", &luks_script); > > } > > diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c > > index e9d23299a..f4394eb42 100644 > > --- a/grub-core/disk/geli.c > > +++ b/grub-core/disk/geli.c > > @@ -52,6 +52,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev) > > > > static grub_cryptodisk_t > > configure_ciphers (grub_disk_t disk, const char *check_uuid, > > - int boot_only) > > + int boot_only, > > + grub_file_t hdr __attribute__ ((unused)) ) > > { > > grub_cryptodisk_t newdev; > > struct grub_geli_phdr header; > > @@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *ch= eck_uuid, > > } > > > > static grub_err_t > > -recover_key (grub_disk_t source, grub_cryptodisk_t dev) > > +recover_key (grub_disk_t source, grub_cryptodisk_t dev, > > + grub_file_t hdr __attribute__ ((unused)) ) > > { > > grub_size_t keysize; > > grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; 
> > diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c > > index 410cd6f84..950e89237 100644 > > --- a/grub-core/disk/luks.c > > +++ b/grub-core/disk/luks.c > > @@ -23,6 +23,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash= , grub_uint8_t * src, > > > > static grub_cryptodisk_t > > configure_ciphers (grub_disk_t disk, const char *check_uuid, > > - int check_boot) > > + int check_boot, grub_file_t hdr) > > { > > grub_cryptodisk_t newdev; > > const char *iptr; > > @@ -78,11 +79,21 @@ configure_ciphers (grub_disk_t disk, const char *ch= eck_uuid, > > char hashspec[sizeof (header.hashSpec) + 1]; > > grub_err_t err; > > > > + err =3D GRUB_ERR_NONE; > > + > > if (check_boot) > > return NULL; > > > > /* Read the LUKS header. */ > > - err =3D grub_disk_read (disk, 0, 0, sizeof (header), &header); > > + if (hdr) > > + { > > + grub_file_seek (hdr, 0); > > + if (grub_file_read (hdr, &header, sizeof (header)) !=3D sizeof (he= ader)) > > + err =3D GRUB_ERR_READ_ERROR; > > + } > > + else > > + err =3D grub_disk_read (disk, 0, 0, sizeof (header), &header); > > + > > if (err) > > { > > if (err =3D=3D GRUB_ERR_OUT_OF_RANGE) > > @@ -146,12 +157,14 @@ configure_ciphers (grub_disk_t disk, const char *= check_uuid, > > } > > > > COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >=3D sizeof (uuid)); > > + > > return newdev; > > } > > > > static grub_err_t > > luks_recover_key (grub_disk_t source, > > - grub_cryptodisk_t dev) > > + grub_cryptodisk_t dev, > > + grub_file_t hdr) > > { > > struct grub_luks_phdr header; > > grub_size_t keysize; 
> > @@ -163,8 +176,19 @@ luks_recover_key (grub_disk_t source, > > grub_err_t err; > > grub_size_t max_stripes =3D 1; > > char *tmp; > > + grub_uint32_t sector; > > + > > + err =3D GRUB_ERR_NONE; > > + > > + if (hdr) > > + { > > + grub_file_seek (hdr, 0); > > + if (grub_file_read (hdr, &header, sizeof (header)) !=3D sizeof (he= ader)) > > + err =3D GRUB_ERR_READ_ERROR; > > + } > > + else > > + err =3D grub_disk_read (source, 0, 0, sizeof (header), &header); > > > > - err =3D grub_disk_read (source, 0, 0, sizeof (header), &header); > > if (err) > > return err; > > > > @@ -233,13 +257,18 @@ luks_recover_key (grub_disk_t source, > > return grub_crypto_gcry_error (gcry_err); > > } > > > > + sector =3D grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffse= t); > > length =3D (keysize * grub_be_to_cpu32 (header.keyblock[i].strip= es)); > > > > /* Read and decrypt the key material from the disk. */ > > - err =3D grub_disk_read (source, > > - grub_be_to_cpu32 (header.keyblock > > - [i].keyMaterialOffset), 0, > > - length, split_key); > > + if (hdr) > > + { > > + grub_file_seek (hdr, sector * 512); > > + if (grub_file_read (hdr, split_key, length) !=3D (grub_ssize= _t)length) > > + err =3D GRUB_ERR_READ_ERROR; > > + } > > + else > > + err =3D grub_disk_read (source, sector, 0, length, split_key); > > if (err) > > { > > grub_free (split_key); > > diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h > > index e1b21e785..ccbe7ce93 100644 > > --- a/include/grub/cryptodisk.h > > +++ b/include/grub/cryptodisk.h > > @@ -20,6 +20,7 @@ > > #define GRUB_CRYPTODISK_HEADER 1 > > > > #include > > +#include > > #include > > #include > > #ifdef GRUB_UTIL 
> > @@ -107,8 +108,8 @@ struct grub_cryptodisk_dev > > struct grub_cryptodisk_dev **prev; > > > > grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, > > - int boot_only); > > - grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev); > > + int boot_only, grub_file_t hdr); > > + grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, = grub_file_t hdr); > > }; > > typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; > > > > diff --git a/include/grub/file.h b/include/grub/file.h > > index 31567483c..49428bf8d 100644 > > --- a/include/grub/file.h > > +++ b/include/grub/file.h 
> > @@ -90,6 +90,8 @@ enum grub_file_type > > GRUB_FILE_TYPE_FONT, > > /* File holding encryption key for encrypted ZFS. */ > > GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY, > > + /* LUKS detached (separated) metadata header */ > > + GRUB_FILE_TYPE_LUKS_DETACHED_HEADER, > > /* File we open n grub-fstest. */ > > GRUB_FILE_TYPE_FSTEST, > > /* File we open n grub-mount. */ > > -- > > 2.25.1
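
Review bot: In the grub_cryptodisk_cheat_mount hunk of grub-core/disk/cryptodisk.c (@@ -1041,7 +1043,7 @@), `cr->scan (source, search_uuid, check_boot,0);` passes a literal 0 for the new grub_file_t argument and drops the space after the comma. Use `NULL`, as the patch itself does with `hdr = NULL` in grub_cmd_cryptomount, and write `check_boot, NULL`.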
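
Review bot: In the grub_cmd_cryptomount hunk (@@ -1095,6 +1097,18 @@), the file returned by grub_file_open is stored in the file-scope `static grub_file_t hdr` and none of the visible hunks calls grub_file_close on it, so the handle appears to stay open after the command returns, on the error paths as well. Close it and reset hdr to NULL before returning. The `-u` conflict returns a bare `GRUB_ERR_BAD_ARGUMENT` with no message, while the check directly above uses `grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required")`; report it the same way. Only state[0] is rejected: `-a` and `-b` (state[1], state[2]) can still be combined with `-H`, and the same hdr is then passed to cr->scan and cr->recover_key in grub_cryptodisk_scan_device_real. Reject those combinations too, or document why they are allowed.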
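
Review bot: In the GRUB_MOD_INIT hunk, the usage string `SOURCE|-u UUID|-a|-b|-H file` presents `-H file` as an alternative to SOURCE, but grub_cmd_cryptomount still fails with "device name required" when no device is given and refuses `-H` together with `-u`. Something like `[-H file] SOURCE|-u UUID|-a|-b` matches the code more closely. The patch also carries no documentation for the new option, and the commit message does not say what a detached header is or why the option is needed.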
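
Review bot: In the grub-core/disk/geli.c hunks, hdr is accepted and marked unused in both configure_ciphers and recover_key, so with `-H` the GELI backend still probes the source disk as if no header file had been given. Since the loop in grub_cryptodisk_scan_device_real hands hdr to every backend, a backend without detached-header support should probably return NULL from scan when hdr is non-NULL. The parameter declarations `grub_file_t hdr __attribute__ ((unused)) )` also have a stray space before the closing parenthesis.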
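
Review bot: In the two header-read hunks of grub-core/disk/luks.c (configure_ciphers at @@ -78,11 +79,21 @@ and luks_recover_key at @@ -163,8 +176,19 @@), a short grub_file_read is turned into a bare `err = GRUB_ERR_READ_ERROR` without a grub_error() message, so a truncated or wrong header file gives the user nothing to go on. The same lines are duplicated in both functions; a small helper that reads the header from either hdr or the disk would keep the two paths in sync. The comparison against `sizeof (header)` is also written without the `(grub_ssize_t)` cast that the key-material read uses a few hunks later; pick one form.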
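
Review bot: In the key-material hunk of luks_recover_key (@@ -233,13 +257,18 @@), `grub_file_seek (hdr, sector * 512)` multiplies a grub_uint32_t by an int, so the product is computed in 32 bits and wraps for a keyMaterialOffset of 2^23 sectors or more before it is widened for the seek. The offset is read straight from the header file, so widen first, for example `(grub_off_t) sector << GRUB_DISK_SECTOR_BITS`, instead of hard-coding 512. The return value of grub_file_seek is ignored as well; checking it would report an offset beyond the end of the file as such rather than as a short read.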