From: Glenn Washburn <development@efficientek.com>
To: grub-devel@gnu.org, Daniel Kiper <dkiper@net-space.pl>
Cc: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>,
Patrick Steinhardt <ps@pks.im>, John Lane <john@lane.uk.net>,
Glenn Washburn <development@efficientek.com>
Subject: [PATCH v9 0/7] Cryptodisk detached headers and key files
Date: Mon, 11 Apr 2022 06:40:21 +0000
Message-ID: <cover.1649658484.git.development@efficientek.com>
Updates from v8:
* Add documentation patch
* Merge previous patch updating the cryptomount help string with key file
options into the patch adding key file support
* Improve commit messages
* rename requested_keyfile_size -> keyfile_size
* Minor improvements to the code
This patch series adds LUKS detached header and key file support to
cryptomount.
Glenn
Denis 'GNUtoo' Carikli (2):
cryptodisk: luks: Unify grub_cryptodisk_dev function names
cryptodisk: geli: Unify grub_cryptodisk_dev function names
Glenn Washburn (3):
cryptodisk: Add --header option to cryptomount and fail to implement
it in the backends
luks2: Add detached header support
docs: Add documentation on keyfile and detached header options to
cryptomount
John Lane (2):
cryptodisk: Add support for LUKS1 detached headers
cryptodisk: Add options to cryptomount to support keyfiles
docs/grub.texi | 16 ++++--
grub-core/disk/cryptodisk.c | 98 ++++++++++++++++++++++++++++++++++++-
grub-core/disk/geli.c | 18 +++++--
grub-core/disk/luks.c | 48 ++++++++++++++----
grub-core/disk/luks2.c | 59 ++++++++++++++++++----
include/grub/cryptodisk.h | 4 ++
include/grub/file.h | 4 ++
7 files changed, 217 insertions(+), 30 deletions(-)
Range-diff against v8:
1: 9918a70dce ! 1: 40941ee45c cryptodisk: luks: unify grub_cryptodisk_dev function names
@@ Metadata
Author: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
## Commit message ##
- cryptodisk: luks: unify grub_cryptodisk_dev function names
+ cryptodisk: luks: Unify grub_cryptodisk_dev function names
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Reviewed-by: Patrick Steinhardt <ps@pks.im>
2: 5d3ce5515e ! 2: c259075bf3 cryptodisk: geli: unify grub_cryptodisk_dev function names
@@ Metadata
Author: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
## Commit message ##
- cryptodisk: geli: unify grub_cryptodisk_dev function names
+ cryptodisk: geli: Unify grub_cryptodisk_dev function names
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Reviewed-by: Patrick Steinhardt <ps@pks.im>
3: c7b8c290d7 ! 3: 1b2055ac5d cryptodisk: enable the backends to implement detached headers
@@ Metadata
Author: Glenn Washburn <development@efficientek.com>
## Commit message ##
- cryptodisk: enable the backends to implement detached headers
+ cryptodisk: Add --header option to cryptomount and fail to implement it in the backends
+
+ Add a --header (short -H) option to cryptomount which takes a file argument.
+ Pass the file to the backends via cargs struct and cause the backends to
+ fail when passed a header. Detached header file support will be added later
+ for individual backends.
Signed-off-by: John Lane <john@lane.uk.net>
GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
- development@efficientek.com: rebase, rework for cryptomount parameter passing
+ development@efficientek.com: rebase, rework for cryptomount parameter passing,
+ improve commit message
## grub-core/disk/cryptodisk.c ##
@@ grub-core/disk/cryptodisk.c: static const struct grub_arg_option options[] =
@@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i
cargs.key_len = grub_strlen (state[3].arg);
}
-+ if (state[4].set) /* Detached header */
++ if (state[4].set) /* header */
+ {
+ if (state[0].set)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
-+ N_("Cannot use UUID lookup with detached header"));
++ N_("cannot use UUID lookup with detached header"));
+
+ cargs.hdr_file = grub_file_open (state[4].arg,
+ GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
-+ if (!cargs.hdr_file)
++ if (cargs.hdr_file == NULL)
+ return grub_errno;
+ }
+
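Review bot: the only conflicting combination rejected in this hunk is --header together with -u (UUID lookup), yet the usage string later in this series also offers -a and -b as alternatives to naming a single SOURCE; a detached header only makes sense for exactly one named device, so `state[4].set` combined with -a or -b should get the same `grub_error (GRUB_ERR_BAD_ARGUMENT, ...)` treatment, or the commit message should say why those are allowed. Nothing in this hunk closes `cargs.hdr_file` after the successful `grub_file_open`, so please confirm the caller's cleanup path releases it, including when the backend later rejects the header.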
4: 59c7c2abcb ! 4: 05c7ca844c cryptodisk: add support for LUKS1 detached headers
@@ Metadata
Author: John Lane <john@lane.uk.net>
## Commit message ##
- cryptodisk: add support for LUKS1 detached headers
+ cryptodisk: Add support for LUKS1 detached headers
- cryptsetup supports having a detached header through the
- --header command line argument for both LUKS1 and LUKS2.
-
- This adds support for LUKS1 detached headers.
+ cryptsetup supports having a detached header through the --header command
+ line argument for both LUKS1 and LUKS2. Allow the LUKS1 backend to use a
+ given file as the LUKS1 header (aka detached header) instead of looking for
+ the header on the disk.
Signed-off-by: John Lane <john@lane.uk.net>
GNUtoo@cyberdimension.org: rebase, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
- development@efficientek.com: rebase
+ development@efficientek.com: rebase, improve commit message
## grub-core/disk/luks.c ##
@@
5: 9b436ce0e6 ! 5: fb33d6810d cryptodisk: enable the backends to implement key files
@@ Metadata
Author: John Lane <john@lane.uk.net>
## Commit message ##
- cryptodisk: enable the backends to implement key files
+ cryptodisk: Add options to cryptomount to support keyfiles
+
+ Add the options --key-file, --keyfile-offset, and --keyfile-size to
+ cryptomount and code to put read the requested key file data and pass
+ via the cargs struct. Note, key file data is for all intents and purposes
+ equivalent to a password given to cryptomount. So there is no need to
+ enable support for key files in the various crypto backends (eg. LUKS1)
+ because the key data is passed just as if it were a password.
Signed-off-by: John Lane <john@lane.uk.net>
GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
- development@efficientek.com: rebase and rework to use cryptomount arg passing
+ development@efficientek.com: rebase and rework to use cryptomount arg passing,
+ minor fixes, improve commit message
## grub-core/disk/cryptodisk.c ##
@@ grub-core/disk/cryptodisk.c: static const struct grub_arg_option options[] =
@@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i
+ const char *p = NULL;
+ grub_file_t keyfile;
+ int keyfile_offset;
-+ grub_size_t requested_keyfile_size = 0;
++ grub_size_t keyfile_size = 0;
+
+
+ if (state[6].set) /* keyfile-offset */
@@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i
+
+ if (state[7].set) /* keyfile-size */
+ {
-+ requested_keyfile_size = grub_strtoul (state[7].arg, &p, 0);
++ keyfile_size = grub_strtoul (state[7].arg, &p, 0);
+
+ if (*p != '\0')
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
@@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i
+ if (grub_errno != GRUB_ERR_NONE)
+ return grub_errno;
+
-+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
++ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
-+ N_("Key file size exceeds maximum (%d)\n"),
-+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
++ N_("key file size exceeds maximum (%d)"),
++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+
-+ if (requested_keyfile_size == 0)
-+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
-+ N_("Key file size is 0\n"));
++ if (keyfile_size == 0)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("key file size is 0"));
+ }
+
+ keyfile = grub_file_open (state[5].arg,
+ GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
-+ if (!keyfile)
++ if (keyfile == NULL)
+ return grub_errno;
+
+ if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+ return grub_errno;
+
-+ if (requested_keyfile_size)
++ if (keyfile_size > 0)
+ {
-+ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
++ if (keyfile_size > (keyfile->size - keyfile_offset))
+ return grub_error (GRUB_ERR_FILE_READ_ERROR,
-+ N_("Keyfile is too small: "
++ N_("keyfile is too small: "
+ "requested %" PRIuGRUB_SIZE " bytes, "
+ "but the file only has %" PRIuGRUB_UINT64_T
-+ " bytes.\n"),
-+ requested_keyfile_size,
++ " bytes"),
++ keyfile_size,
+ keyfile->size);
+
-+ cargs.key_len = requested_keyfile_size;
++ cargs.key_len = keyfile_size;
+ }
+ else
+ {
@@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i
+ }
+
+ cargs.key_data = grub_malloc (cargs.key_len);
-+ if (!cargs.key_data)
++ if (cargs.key_data == NULL)
+ return GRUB_ERR_OUT_OF_MEMORY;
+
+ if (grub_file_read (keyfile, cargs.key_data, cargs.key_len) != (grub_ssize_t) cargs.key_len)
-+ return grub_error (GRUB_ERR_FILE_READ_ERROR,
-+ (N_("Error reading key file\n")));
++ return grub_error (GRUB_ERR_FILE_READ_ERROR, (N_("reading key file")));
+ }
+
if (state[0].set) /* uuid */
{
int found_uuid;
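Review bot: `keyfile` is opened at `keyfile = grub_file_open (state[5].arg, ...)` but no `grub_file_close` appears anywhere in this hunk, so every early return after that point (the seek failure, the `keyfile is too small` error, the `GRUB_ERR_OUT_OF_MEMORY` return and the short-read error) leaks the file handle, and the successful path leaks it as well unless it is closed outside the visible lines; close it before each return or restructure with a single cleanup path. Two smaller points: `int keyfile_offset` is subtracted from the unsigned `keyfile->size` and passed to `grub_file_seek`, so declaring it as `grub_off_t` avoids the sign conversion; and the `return GRUB_ERR_OUT_OF_MEMORY;` would read more consistently as `return grub_errno;` like the neighbouring error returns.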
+@@ grub-core/disk/cryptodisk.c: GRUB_MOD_INIT (cryptodisk)
+ {
+ grub_disk_dev_register (&grub_cryptodisk_dev);
+ cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
+- N_("[-p password] [-H file] <SOURCE|-u UUID|-a|-b>"),
++ N_("[ [-p password] | [-k keyfile"
++ " [-O keyoffset] [-S keysize] ] ] [-H file]"
++ " <SOURCE|-u UUID|-a|-b>"),
+ N_("Mount a crypto device."), options);
+ grub_procfs_register ("luks_script", &luks_script);
+ }
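Review bot: the new usage string is bracket-balanced but mixes padded groups (`[ [-p password] | [-k keyfile ... ] ]`) with the unpadded `[-H file]` and `<SOURCE|-u UUID|-a|-b>`; for consistency with the rest of the string consider `[[-p password]|[-k keyfile [-O keyoffset] [-S keysize]]] [-H file] <SOURCE|-u UUID|-a|-b>`. The options[] hunk above is collapsed in this range-diff, so please double-check that the short letters -k, -O and -S shown here match the table entries.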
## include/grub/cryptodisk.h ##
@@ include/grub/cryptodisk.h: typedef enum
6: ccb3bde361 < -: ---------- cryptodisk: Improve cryptomount short help string
7: 0464e48e2d ! 6: f15ff743c4 luks2: Add detached header support
@@ Metadata
## Commit message ##
luks2: Add detached header support
+ If a header file is given to the LUKS2 backend, use that file as the LUKS2
+ header, instead of looking for it on the disk.
+
## grub-core/disk/luks2.c ##
@@ grub-core/disk/luks2.c: luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d, grub_luks2_s
-: ---------- > 7: 53ba137d3b docs: Add documentation on keyfile and detached header options to cryptomount
--
2.25.1
2022-04-11 6:40 Glenn Washburn [this message]
2022-04-11 6:40 ` [PATCH v9 1/7] cryptodisk: luks: Unify grub_cryptodisk_dev function names Glenn Washburn
2022-04-28 12:01 ` Daniel Kiper
2022-04-11 6:40 ` [PATCH v9 2/7] cryptodisk: geli: " Glenn Washburn
2022-04-28 12:02 ` Daniel Kiper
2022-04-11 6:40 ` [PATCH v9 3/7] cryptodisk: Add --header option to cryptomount and fail to implement it in the backends Glenn Washburn
2022-04-28 12:39 ` Daniel Kiper
2022-04-11 6:40 ` [PATCH v9 4/7] cryptodisk: Add support for LUKS1 detached headers Glenn Washburn
2022-04-28 12:46 ` Daniel Kiper
2022-04-11 6:40 ` [PATCH v9 5/7] cryptodisk: Add options to cryptomount to support keyfiles Glenn Washburn
2022-04-29 13:03 ` Daniel Kiper
2022-05-05 23:03 ` Glenn Washburn
2022-04-11 6:40 ` [PATCH v9 6/7] luks2: Add detached header support Glenn Washburn
2022-04-29 13:12 ` Daniel Kiper
2022-04-11 6:40 ` [PATCH v9 7/7] docs: Add documentation on keyfile and detached header options to cryptomount Glenn Washburn
2022-04-29 13:15 ` Daniel Kiper