From: Patrick Steinhardt
To: grub-devel@gnu.org
Cc: Patrick Steinhardt, Daniel Kiper
Subject: [PATCH 0/5] Support Argon2 KDF in LUKS2
Date: Thu, 6 Feb 2020 15:27:28 +0100

Hi,

as promised back when LUKS2 support was merged, here's the code that
enables decrypting LUKS2 partitions that use Argon2 as their key
derival function. Most of this is simple legwork, but I expect two
things to be potentially controversial:

- I've changed how EFI allocates memory.
  On my test systems, I was only able to allocate roughly 800MB, which
  isn't enough for the default of 1GB memory parameter that cryptsetup
  uses with Argon2. Instead of taking a quarter of available memory, we
  now take half of it, which amounts to ~1.6GB on 32 bit systems.

- The import of Argon2 itself. I've imported code from the cryptsetup
  project, but I've modified it quite a bit to fit into GRUB's
  codebase. This included both stripping off unneeded functionality as
  well as converting the code to use our own coding style. While it
  makes importing upstream fixes harder, I'd argue the code is still
  very similar in its structure and thus backporting should be easy
  enough.

Anyway. With these changes I'm able to successfully decrypt LUKS2
partitions making use of either PBKDF2, Argon2i or Argon2id.

Regards
Patrick

Patrick Steinhardt (5):
  efi: Allocate half of available memory by default
  argon2: Import Argon2 from cryptsetup
  disk: luks2: Add missing newline to debug message
  disk: luks2: Discern Argon2i and Argon2id
  disk: luks2: Support key derival via Argon2

 Makefile.util.def                             |   4 +-
 grub-core/Makefile.core.def                   |   8 +-
 grub-core/disk/luks2.c                        |  29 +-
 grub-core/kern/efi/mm.c                       |   4 +-
 grub-core/lib/argon2/argon2.c                 | 614 ++++++++++++++++++
 grub-core/lib/argon2/argon2.h                 |  65 ++
 grub-core/lib/argon2/blake2/blake2-impl.h     | 143 ++++
 grub-core/lib/argon2/blake2/blake2.h          |  81 +++
 grub-core/lib/argon2/blake2/blake2b.c         | 384 +++++++++++
 .../lib/argon2/blake2/blamka-round-ref.h      |  56 ++
 10 files changed, 1376 insertions(+), 12 deletions(-)
 create mode 100644 grub-core/lib/argon2/argon2.c
 create mode 100644 grub-core/lib/argon2/argon2.h
 create mode 100644 grub-core/lib/argon2/blake2/blake2-impl.h
 create mode 100644 grub-core/lib/argon2/blake2/blake2.h
 create mode 100644 grub-core/lib/argon2/blake2/blake2b.c
 create mode 100644 grub-core/lib/argon2/blake2/blamka-round-ref.h

--
2.25.0
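
A pre-boot check for the memory constraint described in the cover letter, as an added example (not part of the patch series or of GRUB's code): it reads the `keyslots` object of LUKS2 JSON metadata and flags Argon2 keyslots whose `memory` cost, stored in KiB, exceeds a given heap budget. The sample metadata is constructed, `check_keyslots` is a hypothetical helper, and the two budgets in the usage are the 800MB and 1.6GB figures from the message, taken here as MiB.

```python
import json

KIB = 1024
MIB = 1024 * 1024

# Constructed LUKS2 metadata excerpt: only the keyslot fields the check needs.
# Salts are placeholders, not real values.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2i", "time": 4, "memory": 1048576,
                      "cpus": 4, "salt": "PLACEHOLDER"}},
        "1": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "pbkdf2", "hash": "sha256",
                      "iterations": 1000000, "salt": "PLACEHOLDER"}},
        "2": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "argon2id", "time": 4, "memory": 524288,
                      "cpus": 4, "salt": "PLACEHOLDER"}},
        "3": {"type": "luks2", "key_size": 64,
              "kdf": {"type": "scrypt", "salt": "PLACEHOLDER"}},
    }
})


def check_keyslots(metadata_json, heap_budget_bytes):
    """Map each keyslot id to (kdf_type, verdict) for a given heap budget.

    verdict is "ok", "too-large" (the Argon2 memory cost alone exceeds the
    budget) or "unsupported" (not PBKDF2, Argon2i or Argon2id). The memory
    cost is a lower bound: the KDF needs that much plus working overhead.
    """
    results = {}
    keyslots = json.loads(metadata_json).get("keyslots", {})
    for slot, keyslot in sorted(keyslots.items()):
        kdf = keyslot.get("kdf", {})
        kdf_type = kdf.get("type")
        if kdf_type == "pbkdf2":
            verdict = "ok"  # iteration-bound, no large allocation
        elif kdf_type in ("argon2i", "argon2id"):
            needed = int(kdf["memory"]) * KIB
            verdict = "ok" if needed <= heap_budget_bytes else "too-large"
        else:
            verdict = "unsupported"
        results[slot] = (kdf_type, verdict)
    return results


if __name__ == "__main__":
    for budget_mib in (800, 1600):  # figures quoted in the message, as MiB
        print(budget_mib, check_keyslots(SAMPLE_METADATA, budget_mib * MIB))
```

With the smaller budget the 1 GiB Argon2i keyslot is reported as too large while the 512 MiB Argon2id and PBKDF2 keyslots pass, so a volume with a fallback keyslot would still be unlockable.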