From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1mUzpe-0005QI-KV for mharc-grub-devel@gnu.org; Mon, 27 Sep 2021 19:14:46 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:37216) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mUzpd-0005Q3-9k for grub-devel@gnu.org; Mon, 27 Sep 2021 19:14:45 -0400 Received: from mail-qt1-x835.google.com ([2607:f8b0:4864:20::835]:34439) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mUzpb-0004hy-0M for grub-devel@gnu.org; Mon, 27 Sep 2021 19:14:44 -0400 Received: by mail-qt1-x835.google.com with SMTP id m26so6755135qtn.1 for ; Mon, 27 Sep 2021 16:14:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=efficientek-com.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Y70DmSdVyexqMas5s9+Pn1RP+8cvVrdJhrztvDjqOKY=; b=Ouy6H9RLWxo9w0rhTuQLgmAvSXv40eWxub8u9+0Ch3CLiezaH9riMndiwbHJ8yHzjT 6DYwyu7JWvHL4TyZ9p6eGUDb6Mixn2EanK5rXDIIdu2hpP7IO7VAipRA004B2Q53bVVa XJ0ZkNlzxnK9dxbh6tQcBKY2aMz8wu93s8SZzbBV+AXzB1MBdkFRB9gdxxS1kAuqpwrC nLmdyD8oOaOExJlaL74qZGRYVzwNGUzHqpyZmy0b1er1kDVuP92GIQ++QiBHJ+4mdwkd w95+26q1gFDOa+k2h9+iGhNKgh8P+AKggeOCFWzCR0x6OFrC1DAkHeuaIuYL4UqiPzxP meXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Y70DmSdVyexqMas5s9+Pn1RP+8cvVrdJhrztvDjqOKY=; b=gFzMyPcR4Vk5p+ZreloU1jGF2Jq5In/sPbTPHmTFyZ2SZGoa4eTpb4rdTW2ZAOGWLN JAMd6025FdkQn4NB2CGaqWHtPtRDSqURqkemCu/2rm+xXaeMxQJiwdHE25uIOvGbWshH ek+F64AiN9piyk3OLSYhMCw9s0d6v1V51TtgBC6IlHwLTPVFVKzJ9QixXaw+/DEPhpA/ 6TaMJD+aecMBs05mn0yXZxPQrHA+Dk4i1m2RxE6mOZ/43qgtY8HrTQdxYpg2amtP6r+7 8giT5egvNDato7wAdTZ2PNehht68u9Gii5TXaayaKXM1Sxm1fyyZcVWM+JDIozEzJSJM +lBQ== X-Gm-Message-State: AOAM5318Uv3FKHvCLa8nRsn3VDKqsAIghkEwQ0uEyn1eztRN0GnwBW1w Er/1Z+KfQKe8I9UT9BEedgSZYkz4E93yFQ== X-Google-Smtp-Source: ABdhPJyN5MEa8hW78CV+1s2t1qJiQRABUZruW17fw1WXbDn6ZFKIZzD9OGdRy1zpjgNs203R9UxA8Q== X-Received: by 2002:ac8:4d48:: with SMTP id x8mr2516764qtv.415.1632784480823; Mon, 27 Sep 2021 16:14:40 -0700 (PDT) Received: from localhost.localdomain ([37.218.244.251]) by smtp.gmail.com with ESMTPSA id n16sm11671214qta.51.2021.09.27.16.14.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Sep 2021 16:14:40 -0700 (PDT) From: Glenn Washburn To: grub-devel@gnu.org, Daniel Kiper Cc: Denis 'GNUtoo' Carikli , Patrick Steinhardt , James Bottomley , Glenn Washburn Subject: [PATCH v2 0/4] Refactor/improve cryptomount data passing to crypto modules Date: Mon, 27 Sep 2021 18:13:59 -0500 Message-Id: <20210927231403.642857-1-development@efficientek.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::835; envelope-from=development@efficientek.com; helo=mail-qt1-x835.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Sep 2021 23:14:45 -0000 In this version of this patch series the cargs struct was moved out of the device struct and is passed around as a function parameter. Also a fourth patch was added to remove the found_uuid flag from the cargs struct, which is not needed because the same information can be obtained from the return value of grub_device_iterate. Also, per Daniel's request I'm explicitly adding James and Denis. Glenn Glenn Washburn (4): cryptodisk: Add infrastructure to pass data from cryptomount to cryptodisk modules cryptodisk: Refactor password input out of crypto dev modules into cryptodisk cryptodisk: Move global variables into grub_cryptomount_args struct cryptodisk: Remove unneeded found_uuid from cryptomount args grub-core/disk/cryptodisk.c | 108 ++++++++++++++++++++++++------------ grub-core/disk/geli.c | 35 ++++-------- grub-core/disk/luks.c | 37 ++++-------- grub-core/disk/luks2.c | 33 ++++------- include/grub/cryptodisk.h | 15 ++++- 5 files changed, 116 insertions(+), 112 deletions(-) Interdiff against v1: diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c index 083acbb06..033894257 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -1011,7 +1011,7 @@ grub_cryptodisk_scan_device_real (const char *name, FOR_CRYPTODISK_DEVS (cr) { - dev = cr->scan (source, cargs->search_uuid, cargs->check_boot); + dev = cr->scan (source, cargs); if (grub_errno) return grub_errno; if (!dev) @@ -1040,16 +1040,12 @@ grub_cryptodisk_scan_device_real (const char *name, cargs->key_len = grub_strlen((char *) cargs->key_data); } - *dev->cargs = *cargs; - ret = cr->recover_key (source, dev); - dev->cargs = NULL; + ret = cr->recover_key (source, dev, cargs); if (ret) goto error; grub_cryptodisk_insert (dev, name, source); - cargs->found_uuid = 1; - goto cleanup; } goto cleanup; @@ -1090,7 +1086,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat) FOR_CRYPTODISK_DEVS (cr) { - dev = cr->scan (source, NULL, 0); + dev = cr->scan (source, NULL); if (grub_errno) return grub_errno; if (!dev) @@ -1134,7 +1130,7 @@ grub_cryptodisk_scan_device (const char *name, if (err) grub_print_error (); - return (cargs->found_uuid && cargs->search_uuid) ? 1 : 0; + return (!err && cargs->search_uuid) ? 1 : 0; } static grub_err_t @@ -1154,6 +1150,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) if (state[0].set) /* uuid */ { + int found_uuid = 0; grub_cryptodisk_t dev; dev = grub_cryptodisk_get_by_uuid (args[0]); @@ -1166,9 +1163,9 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) cargs.check_boot = state[2].set; cargs.search_uuid = args[0]; - grub_device_iterate (&grub_cryptodisk_scan_device, &cargs); + found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs); - if (!cargs.found_uuid) + if (!found_uuid) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such cryptodisk found"); return GRUB_ERR_NONE; } diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c index b4525ed48..32d35521b 100644 --- a/grub-core/disk/geli.c +++ b/grub-core/disk/geli.c @@ -240,8 +240,7 @@ grub_util_get_geli_uuid (const char *dev) #endif static grub_cryptodisk_t -configure_ciphers (grub_disk_t disk, const char *check_uuid, - int boot_only) +configure_ciphers (grub_disk_t disk, grub_cryptomount_args_t cargs) { grub_cryptodisk_t newdev; struct grub_geli_phdr header; @@ -289,7 +288,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, return NULL; } - if (boot_only && !(grub_le_to_cpu32 (header.flags) & GRUB_GELI_FLAGS_BOOT)) + if (cargs->check_boot && !(grub_le_to_cpu32 (header.flags) & GRUB_GELI_FLAGS_BOOT)) { grub_dprintf ("geli", "not a boot volume\n"); return NULL; @@ -302,9 +301,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, return NULL; } - if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0) + if (cargs->search_uuid && grub_strcasecmp (cargs->search_uuid, uuid) != 0) { - grub_dprintf ("geli", "%s != %s\n", uuid, check_uuid); + grub_dprintf ("geli", "%s != %s\n", uuid, cargs->search_uuid); return NULL; } @@ -396,7 +395,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, } static grub_err_t -recover_key (grub_disk_t source, grub_cryptodisk_t dev) +recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_cryptomount_args_t cargs) { grub_size_t keysize; grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; @@ -410,7 +409,7 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev) grub_disk_addr_t sector; grub_err_t err; - if (dev->cargs->key_data == NULL || dev->cargs->key_len == 0) + if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "No key data"); if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE) @@ -437,8 +436,8 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev) if (grub_le_to_cpu32 (header.niter) != 0) { grub_uint8_t pbkdf_key[64]; - gcry_err = grub_crypto_pbkdf2 (dev->hash, dev->cargs->key_data, - dev->cargs->key_len, + gcry_err = grub_crypto_pbkdf2 (dev->hash, cargs->key_data, + cargs->key_len, header.salt, sizeof (header.salt), grub_le_to_cpu32 (header.niter), @@ -461,7 +460,7 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev) return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY); grub_crypto_hmac_write (hnd, header.salt, sizeof (header.salt)); - grub_crypto_hmac_write (hnd, dev->cargs->key_data, dev->cargs->key_len); + grub_crypto_hmac_write (hnd, cargs->key_data, cargs->key_len); gcry_err = grub_crypto_hmac_fini (hnd, geomkey); if (gcry_err) diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index e6ff0631e..6ced312c7 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -63,8 +63,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, grub_size_t blocknumbers); static grub_cryptodisk_t -configure_ciphers (grub_disk_t disk, const char *check_uuid, - int check_boot) +configure_ciphers (grub_disk_t disk, grub_cryptomount_args_t cargs) { grub_cryptodisk_t newdev; const char *iptr; @@ -76,7 +75,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, char hashspec[sizeof (header.hashSpec) + 1]; grub_err_t err; - if (check_boot) + if (cargs->check_boot) return NULL; /* Read the LUKS header. */ @@ -103,9 +102,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, } *optr = 0; - if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0) + if (cargs->search_uuid && grub_strcasecmp (cargs->search_uuid, uuid) != 0) { - grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); + grub_dprintf ("luks", "%s != %s\n", uuid, cargs->search_uuid); return NULL; } @@ -150,7 +149,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, static grub_err_t luks_recover_key (grub_disk_t source, - grub_cryptodisk_t dev) + grub_cryptodisk_t dev, + grub_cryptomount_args_t cargs) { struct grub_luks_phdr header; grub_size_t keysize; @@ -161,7 +161,7 @@ luks_recover_key (grub_disk_t source, grub_err_t err; grub_size_t max_stripes = 1; - if (dev->cargs->key_data == NULL || dev->cargs->key_len == 0) + if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "No key data"); err = grub_disk_read (source, 0, 0, sizeof (header), &header); @@ -196,8 +196,8 @@ luks_recover_key (grub_disk_t source, grub_dprintf ("luks", "Trying keyslot %d\n", i); /* Calculate the PBKDF2 of the user supplied passphrase. */ - gcry_err = grub_crypto_pbkdf2 (dev->hash, dev->cargs->key_data, - dev->cargs->key_len, + gcry_err = grub_crypto_pbkdf2 (dev->hash, cargs->key_data, + cargs->key_len, header.keyblock[i].passwordSalt, sizeof (header.keyblock[i].passwordSalt), grub_be_to_cpu32 (header.keyblock[i]. diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c index e4afa4156..28fad54aa 100644 --- a/grub-core/disk/luks2.c +++ b/grub-core/disk/luks2.c @@ -346,14 +346,14 @@ luks2_read_header (grub_disk_t disk, grub_luks2_header_t *outhdr) } static grub_cryptodisk_t -luks2_scan (grub_disk_t disk, const char *check_uuid, int check_boot) +luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs) { grub_cryptodisk_t cryptodisk; grub_luks2_header_t header; char uuid[sizeof (header.uuid) + 1]; grub_size_t i, j; - if (check_boot) + if (cargs->check_boot) return NULL; if (luks2_read_header (disk, &header)) @@ -367,7 +367,7 @@ luks2_scan (grub_disk_t disk, const char *check_uuid, int check_boot) uuid[j++] = header.uuid[i]; uuid[j] = '\0'; - if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0) + if (cargs->search_uuid && grub_strcasecmp (cargs->search_uuid, uuid) != 0) return NULL; cryptodisk = grub_zalloc (sizeof (*cryptodisk)); @@ -540,7 +540,8 @@ luks2_decrypt_key (grub_uint8_t *out_key, static grub_err_t luks2_recover_key (grub_disk_t source, - grub_cryptodisk_t crypt) + grub_cryptodisk_t crypt, + grub_cryptomount_args_t cargs) { grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; char cipher[32]; @@ -554,7 +555,7 @@ luks2_recover_key (grub_disk_t source, grub_json_t *json = NULL, keyslots; grub_err_t ret; - if (crypt->cargs->key_data == NULL || crypt->cargs->key_len == 0) + if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "No key data"); ret = luks2_read_header (source, &header); @@ -706,7 +707,7 @@ luks2_recover_key (grub_disk_t source, } ret = luks2_decrypt_key (candidate_key, source, crypt, &keyslot, - crypt->cargs->key_data, crypt->cargs->key_len); + cargs->key_data, cargs->key_len); if (ret) { grub_dprintf ("luks2", "Decryption with keyslot \"%" PRIuGRUB_UINT64_T "\" failed: %s\n", diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h index 11062f43a..f4afb9cbd 100644 --- a/include/grub/cryptodisk.h +++ b/include/grub/cryptodisk.h @@ -70,7 +70,6 @@ typedef gcry_err_code_t struct grub_cryptomount_args { grub_uint32_t check_boot : 1; - grub_uint32_t found_uuid : 1; char *search_uuid; grub_uint8_t *key_data; grub_size_t key_len; @@ -120,7 +119,6 @@ struct grub_cryptodisk grub_uint64_t last_rekey; int rekey_derived_size; grub_disk_addr_t partition_start; - grub_cryptomount_args_t cargs; }; typedef struct grub_cryptodisk *grub_cryptodisk_t; @@ -129,9 +127,8 @@ struct grub_cryptodisk_dev struct grub_cryptodisk_dev *next; struct grub_cryptodisk_dev **prev; - grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, - int boot_only); - grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev); + grub_cryptodisk_t (*scan) (grub_disk_t disk, grub_cryptomount_args_t cargs); + grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_cryptomount_args_t cargs); }; typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; -- 2.32.0