From: Glenn Washburn
To: grub-devel@gnu.org, Daniel Kiper
Cc: Patrick Steinhardt, Pierre-Louis Bonicoli, Josselin Poiret, Fabian Vogt, Glenn Washburn
Subject: [PATCH 3/4] devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM parameters
Date: Thu, 12 Jan 2023 17:05:09 -0600
Message-Id: <20230112230510.1319896-4-development@efficientek.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230112230510.1319896-1-development@efficientek.com>
References: <20230112230510.1319896-1-development@efficientek.com>
List-Id: The development of GNU GRUB
From: Josselin Poiret

This lets a LUKS2 cryptodisk have its cipher and hash filled out, otherwise they wouldn't be initialized if cheat mounted.

Signed-off-by: Josselin Poiret
Tested-by: Glenn Washburn
---
 grub-core/osdep/devmapper/getroot.c | 107 +++++++++++++++++++++++++++-
 1 file changed, 106 insertions(+), 1 deletion(-)

diff --git a/grub-core/osdep/devmapper/getroot.c b/grub-core/osdep/devmapper/getroot.c
index 2bf4264cf0..090ac71670 100644
--- a/grub-core/osdep/devmapper/getroot.c
+++ b/grub-core/osdep/devmapper/getroot.c
@@ -51,6 +51,8 @@ #include #include +#include + static int grub_util_open_dm (const char *os_dev, struct dm_tree **tree, struct dm_tree_node **node) @@ -186,7 +188,6 @@ grub_util_pull_devmapper (const char *os_dev) && lastsubdev) { char *grdev = grub_util_get_grub_dev (lastsubdev); - dm_tree_free (tree); if (grdev) { grub_err_t err; 
@@ -194,7 +195,111 @@ grub_util_pull_devmapper (const char *os_dev) if (err) grub_util_error (_("can't mount encrypted volume `%s': %s"), lastsubdev, grub_errmsg); + if (strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0) + { + /* + * set LUKS2 cipher from dm parameters, since it is not + * possible to determine the correct one without + * unlocking, as there might be multiple segments. + */ + grub_disk_t source; + grub_cryptodisk_t cryptodisk; + grub_uint64_t start, length; + char *target_type; + char *params; + const char *name; + char *cipher, *cipher_mode; + struct dm_task *dmt; + char *seek_head, *c; + unsigned int remaining; + + source = grub_disk_open (grdev); + if (! source) + grub_util_error (_("cannot open grub disk `%s'"), grdev); + cryptodisk = grub_cryptodisk_get_by_source_disk (source); + if (! cryptodisk) + grub_util_error (_("cannot get cryptodisk from source disk `%s'"), grdev); + grub_disk_close (source); + + /* + * the following function always returns a non-NULL pointer, + * but the string may be empty if the relevant info is not present + */ + name = dm_tree_node_get_name (node); + if (grub_strlen (name) == 0) + grub_util_error (_("cannot get dm node name for grub dev `%s'"), grdev); + + grub_util_info ("populating parameters of cryptomount `%s' from DM device `%s'", + uuid, name); + + dmt = dm_task_create (DM_DEVICE_TABLE); + if (dmt == NULL) + grub_util_error (_("can't create dm task DM_DEVICE_TABLE")); + if (dm_task_set_name (dmt, name) == 0) + grub_util_error (_("can't set dm task name to `%s'"), name); + if (dm_task_run (dmt) == 0) + grub_util_error (_("can't run dm task for `%s'"), name); + /* + * dm_get_next_target doesn't have any error modes, everything has + * been handled by dm_task_run. 
+ */ + dm_get_next_target (dmt, NULL, &start, &length, + &target_type, ¶ms); + if (strncmp (target_type, "crypt", sizeof ("crypt")) != 0) + grub_util_error (_("dm target of type `%s' is not `crypt'"), target_type); + + /* + * dm target parameters for dm-crypt is + * [<#opt_params> ...] + */ + c = params; + remaining = grub_strlen (c); + + /* first, get the cipher name from the cipher */ + seek_head = grub_memchr (c, '-', remaining); + if (seek_head == NULL) + grub_util_error (_("can't get cipher from dm-crypt parameters `%s'"), + params); + cipher = grub_strndup (c, seek_head - c); + if (cipher == NULL) + grub_util_error (_("could not strndup cipher of length `%lu'"), seek_head - c); + remaining -= seek_head - c + 1; + c = seek_head + 1; + + /* now, the cipher mode */ + seek_head = grub_memchr (c, ' ', remaining); + if (seek_head == NULL) + grub_util_error (_("can't get cipher mode from dm-crypt parameters `%s'"), + params); + cipher_mode = grub_strndup (c, seek_head - c); + if (cipher_mode == NULL) + grub_util_error (_("could not strndup cipher_mode of length `%lu'"), seek_head - c); + + remaining -= seek_head - c + 1; + c = seek_head + 1; + + err = grub_cryptodisk_setcipher (cryptodisk, cipher, cipher_mode); + if (err) + grub_util_error (_("can't set cipher of cryptodisk `%s' to `%s' with mode `%s'"), + uuid, cipher, cipher_mode); + + grub_free (cipher); + grub_free (cipher_mode); + + /* + * This is the only hash usable by PBKDF2, and we don't + * have Argon2 support yet, so set it by default, + * otherwise grub-probe would miss the required + * abstraction + */ + cryptodisk->hash = grub_crypto_lookup_md_by_name ("sha256"); + if (cryptodisk->hash == NULL) + grub_util_error (_("can't lookup hash sha256 by name")); + + dm_task_destroy (dmt); + } } + dm_tree_free (tree); grub_free (grdev); } else -- 2.34.1
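Review bot: In the `@@ -186,7 +188,6 @@` hunk, moving `dm_tree_free (tree);` from before `if (grdev)` to after the new LUKS2 block is required rather than cosmetic: the block calls `dm_tree_node_get_name (node)` and `node` is owned by `tree`, so freeing the tree first would be a use-after-free. Please add a one-line comment at the new `+ dm_tree_free (tree);` site saying the tree has to outlive the use of `node` above, so a later cleanup does not move the free back to its old position. On the `grub_util_error` paths inside the block neither `tree` nor `dmt` is released, which is acceptable only because `grub_util_error` does not return; a short comment saying so would save the next reader from filing a leak.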
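Review bot: In the `@@ -194,7 +195,111 @@` hunk, `params` returned by `dm_get_next_target` for a `crypt` target contains the volume key in hex as its second field (unless the kernel keyring is in use), and the patch prints that whole string to the terminal in two places: `grub_util_error (_("can't get cipher from dm-crypt parameters `%s'"), params);` and the matching cipher-mode error. Drop `params` from those messages (naming the DM device is enough), and call `dm_task_secure_data (dmt)` right after `dm_task_create (DM_DEVICE_TABLE)` so libdevmapper wipes the table data when `dm_task_destroy (dmt)` frees it instead of leaving the key in freed heap memory. Also: the comment says `dm_get_next_target` has no error modes, but for an empty table it returns no target and leaves `target_type` NULL, so `strncmp (target_type, "crypt", sizeof ("crypt"))` would dereference NULL; check `target_type` and `params` for NULL first. Smaller points: `sizeof ("crypt")` includes the terminator, unlike the `sizeof ("CRYPT-LUKS2-") - 1` idiom a few lines up, so this is an exact-match compare (fine, but inconsistent; `grub_strcmp` says what is meant); the final `remaining -= seek_head - c + 1; c = seek_head + 1;` after the cipher mode is dead, since neither variable is read again; `%lu` for the `ptrdiff_t` `seek_head - c` will warn on some targets, so cast or use `%td`. Finally, the comment `This is the only hash usable by PBKDF2` overstates the situation: the hash is never read from the LUKS2 header here, so say plainly that sha256 is a placeholder chosen so grub-probe pulls in the module it will need.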