From: Stefan Berger <stefanb@linux.ibm.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: Gary Lin <glin@suse.com>,
Hernan Gatta <hegatta@linux.microsoft.com>,
Daniel Axtens <dja@axtens.net>,
Daniel Kiper <daniel.kiper@oracle.com>,
shkhisti@microsoft.com, jaskaran.khurana@microsoft.com,
christopher.co@microsoft.com, daniel.mihai@microsoft.com,
jaredz@redhat.com, development@efficientek.com,
jejb@linux.ibm.com, mchang@suse.com, patrick.colp@oracle.com
Subject: Re: [PATCH v11 12/20] cryptodisk: Support key protectors
Date: Fri, 12 Apr 2024 16:00:08 -0400 [thread overview]
Message-ID: <e1afef5f-7a75-4e58-bd9e-75abc2ee596d@linux.ibm.com> (raw)
In-Reply-To: <20240412084000.4864-13-glin@suse.com>
On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
> From: Hernan Gatta <hegatta@linux.microsoft.com>
>
> Add a new parameter to cryptomount to support the key protectors framework: -P.
> The parameter is used to automatically retrieve a key from specified key
> protectors. The parameter may be repeated to specify any number of key
> protectors. These are tried in order until one provides a usable key for any
> given disk.
>
> Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
> Signed-off-by: Michael Chang <mchang@suse.com>
> Signed-off-by: Gary Lin <glin@suse.com>
> Reviewed-by: Glenn Washburn <development@efficientek.com>
> ---
> Makefile.util.def | 1 +
> grub-core/disk/cryptodisk.c | 172 +++++++++++++++++++++++++++++-------
> include/grub/cryptodisk.h | 16 ++++
> 3 files changed, 158 insertions(+), 31 deletions(-)
>
> diff --git a/Makefile.util.def b/Makefile.util.def
> index b53afb1d3..19ad5a96f 100644
> --- a/Makefile.util.def
> +++ b/Makefile.util.def
> @@ -40,6 +40,7 @@ library = {
> common = grub-core/disk/luks.c;
> common = grub-core/disk/luks2.c;
> common = grub-core/disk/geli.c;
> + common = grub-core/disk/key_protector.c;
> common = grub-core/disk/cryptodisk.c;
> common = grub-core/disk/AFSplitter.c;
> common = grub-core/lib/pbkdf2.c;
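Review bot: only the host-side library in Makefile.util.def gains grub-core/disk/key_protector.c here, while cryptodisk.c in this same patch starts including grub/key_protector.h and calling grub_key_protector_recover_key() in the module build as well; confirm that the earlier key_protector patch already lists key_protector.c for the cryptodisk module in Makefile.core.def, otherwise the module will fail to link.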
> diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> index 2246af51b..0ca1a5c4d 100644
> --- a/grub-core/disk/cryptodisk.c
> +++ b/grub-core/disk/cryptodisk.c
> @@ -26,6 +26,7 @@
> #include <grub/file.h>
> #include <grub/procfs.h>
> #include <grub/partition.h>
> +#include <grub/key_protector.h>
>
> #ifdef GRUB_UTIL
> #include <grub/emu/hostdisk.h>
> @@ -44,7 +45,8 @@ enum
> OPTION_KEYFILE,
> OPTION_KEYFILE_OFFSET,
> OPTION_KEYFILE_SIZE,
> - OPTION_HEADER
> + OPTION_HEADER,
> + OPTION_PROTECTOR
> };
>
> static const struct grub_arg_option options[] =
> @@ -58,6 +60,8 @@ static const struct grub_arg_option options[] =
> {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
> {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
> {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
> + {"protector", 'P', GRUB_ARG_OPTION_REPEATABLE,
> + N_("Unlock volume(s) using key protector(s)."), 0, ARG_TYPE_STRING},
> {0, 0, 0, 0, 0, 0}
> };
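Review bot: style nit on the new `protector` entry: its help string `N_("Unlock volume(s) using key protector(s).")` ends with a period while the neighbouring descriptions (`Key file offset (bytes)`, `Read header from file`) do not; drop the trailing period so the option table reads consistently.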
>
> @@ -1061,6 +1065,7 @@ grub_cryptodisk_scan_device_real (const char *name,
> grub_err_t ret = GRUB_ERR_NONE;
> grub_cryptodisk_t dev;
> grub_cryptodisk_dev_t cr;
> + int i;
> struct cryptodisk_read_hook_ctx read_hook_data = {0};
> int askpass = 0;
> char *part = NULL;
> @@ -1113,41 +1118,112 @@ grub_cryptodisk_scan_device_real (const char *name,
> goto error_no_close;
> if (!dev)
> continue;
> + break;
> + }
>
> - if (!cargs->key_len)
> - {
> - /* Get the passphrase from the user, if no key data. */
> - askpass = 1;
> - part = grub_partition_get_name (source->partition);
> - grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
> - source->partition != NULL ? "," : "",
> - part != NULL ? part : N_("UNKNOWN"),
> - dev->uuid);
> - grub_free (part);
> -
> - cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
> - if (cargs->key_data == NULL)
> - goto error_no_close;
> -
> - if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
> - {
> - grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
> - goto error;
> - }
> - cargs->key_len = grub_strlen ((char *) cargs->key_data);
> - }
> + if (dev == NULL)
> + {
> + grub_error (GRUB_ERR_BAD_MODULE,
> + "no cryptodisk module can handle this device");
> + goto error_no_close;
> + }
>
> - ret = cr->recover_key (source, dev, cargs);
> - if (ret != GRUB_ERR_NONE)
> - goto error;
> + if (cargs->protectors)
> + {
> + for (i = 0; cargs->protectors[i]; i++)
> + {
> + if (cargs->key_cache[i].invalid)
> + continue;
> +
> + if (cargs->key_cache[i].key == NULL)
> + {
> + ret = grub_key_protector_recover_key (cargs->protectors[i],
> + &cargs->key_cache[i].key,
> + &cargs->key_cache[i].key_len);
> + if (ret != GRUB_ERR_NONE)
> + {
> + if (grub_errno)
> + {
> + grub_print_error ();
> + grub_errno = GRUB_ERR_NONE;
> + }
> +
> + grub_dprintf ("cryptodisk",
> + "failed to recover a key from key protector "
> + "%s, will not try it again for any other "
> + "disks, if any, during this invocation of "
> + "cryptomount\n",
> + cargs->protectors[i]);
> +
> + cargs->key_cache[i].invalid = 1;
> + continue;
> + }
> + }
> +
> + cargs->key_data = cargs->key_cache[i].key;
> + cargs->key_len = cargs->key_cache[i].key_len;
>
> - ret = grub_cryptodisk_insert (dev, name, source);
> - if (ret != GRUB_ERR_NONE)
> + ret = cr->recover_key (source, dev, cargs);
> + if (ret != GRUB_ERR_NONE)
> + {
> + part = grub_partition_get_name (source->partition);
> + grub_dprintf ("cryptodisk",
> + "recovered a key from key protector %s but it "
> + "failed to unlock %s%s%s (%s)\n",
> + cargs->protectors[i], source->name,
> + source->partition != NULL ? "," : "",
> + part != NULL ? part : N_("UNKNOWN"), dev->uuid);
> + grub_free (part);
> + continue;
> + }
> + else
indentation
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> + {
> + ret = grub_cryptodisk_insert (dev, name, source);
> + if (ret != GRUB_ERR_NONE)
> + goto error;
> + goto cleanup;
> + }
> + }
> +
> + part = grub_partition_get_name (source->partition);
> + grub_error (GRUB_ERR_ACCESS_DENIED,
> + N_("no key protector provided a usable key for %s%s%s (%s)"),
> + source->name, source->partition != NULL ? "," : "",
> + part != NULL ? part : N_("UNKNOWN"), dev->uuid);
> + grub_free (part);
> goto error;
> + }
> +
> + if (!cargs->key_len)
> + {
> + /* Get the passphrase from the user, if no key data. */
> + askpass = 1;
> + part = grub_partition_get_name (source->partition);
> + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
> + source->partition != NULL ? "," : "",
> + part != NULL ? part : N_("UNKNOWN"), dev->uuid);
> + grub_free (part);
> +
> + cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
> + if (cargs->key_data == NULL)
> + goto error;
> +
> + if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
> + {
> + grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
> + goto error;
> + }
> + cargs->key_len = grub_strlen ((char *) cargs->key_data);
> + }
> +
> + ret = cr->recover_key (source, dev, cargs);
> + if (ret != GRUB_ERR_NONE)
> + goto error;
> +
> + ret = grub_cryptodisk_insert (dev, name, source);
> + if (ret != GRUB_ERR_NONE)
> + goto error;
>
> - goto cleanup;
> - }
> - grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk module can handle this device");
> goto cleanup;
>
> error:
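Review bot: in the protector loop, the `ret = cr->recover_key (source, dev, cargs); if (ret != GRUB_ERR_NONE) { ... continue; }` branch leaves grub_errno set by the failed unlock, unlike the grub_key_protector_recover_key() failure branch just above it, which prints and resets it; if the next protector then succeeds, the function reaches `goto cleanup` and returns dev with a stale grub_errno that the caller may report as a failure. Clear it (grub_print_error () plus `grub_errno = GRUB_ERR_NONE;`) before the `continue`. Two smaller points: the moved passphrase block now does `goto error` on grub_malloc failure where the old code did `goto error_no_close`; since dev has been allocated by that point this looks like a deliberate leak fix, but it is unrelated to key protectors and deserves a sentence in the commit message. And after a fully failed loop cargs->key_data still aliases cargs->key_cache[i].key, memory that grub_cryptodisk_clear_key_cache() frees in the caller; reset key_data/key_len to NULL/0 before the `goto error` so nothing downstream can treat it as a live buffer.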
> @@ -1259,6 +1335,20 @@ grub_cryptodisk_scan_device (const char *name,
> return ret;
> }
>
> +static void
> +grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs)
> +{
> + int i;
> +
> + if (cargs->key_cache == NULL || cargs->protectors == NULL)
> + return;
> +
> + for (i = 0; cargs->protectors[i]; i++)
> + grub_free (cargs->key_cache[i].key);
> +
> + grub_free (cargs->key_cache);
> +}
> +
> static grub_err_t
> grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> {
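Review bot: grub_cryptodisk_clear_key_cache() hands the recovered key material straight to grub_free() without scrubbing it and leaves cargs->key_cache pointing at freed memory. Zero each entry with `grub_memset (cargs->key_cache[i].key, 0, cargs->key_cache[i].key_len);` before freeing it (a key obtained from a protector is a disk unlock secret and should not linger in freed heap), and set `cargs->key_cache = NULL;` at the end so a second call on any of the return paths below is harmless.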
> @@ -1271,6 +1361,10 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> if (grub_cryptodisk_list == NULL)
> return grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk modules loaded");
>
> + if (state[OPTION_PASSWORD].set && state[OPTION_PROTECTOR].set) /* password and key protector */
> + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> + "a password and a key protector cannot both be set");
> +
> if (state[OPTION_PASSWORD].set) /* password */
> {
> cargs.key_data = (grub_uint8_t *) state[OPTION_PASSWORD].arg;
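Review bot: the new check rejects -p together with -P but not -k with -P, although the usage string treats -P as combinable with the keyfile options; in grub_cryptodisk_scan_device_real() the protector loop then overwrites cargs->key_data with the cached protector key and, if every protector fails, errors out with GRUB_ERR_ACCESS_DENIED without ever trying the keyfile. Either extend the check to `state[OPTION_KEYFILE].set` or document that -P takes precedence over -k.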
> @@ -1363,6 +1457,15 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> return grub_errno;
> }
>
> + if (state[OPTION_PROTECTOR].set) /* key protector(s) */
> + {
> + cargs.key_cache = grub_zalloc (state[OPTION_PROTECTOR].set * sizeof (*cargs.key_cache));
> + if (cargs.key_cache == NULL)
> + return grub_error (GRUB_ERR_OUT_OF_MEMORY,
> + "no memory for key protector key cache");
> + cargs.protectors = state[OPTION_PROTECTOR].args;
> + }
> +
> if (state[OPTION_UUID].set) /* uuid */
> {
> int found_uuid;
> @@ -1371,6 +1474,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> dev = grub_cryptodisk_get_by_uuid (args[0]);
> if (dev)
> {
> + grub_cryptodisk_clear_key_cache (&cargs);
> grub_dprintf ("cryptodisk",
> "already mounted as crypto%lu\n", dev->id);
> return GRUB_ERR_NONE;
> @@ -1379,6 +1483,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> cargs.check_boot = state[OPTION_BOOT].set;
> cargs.search_uuid = args[0];
> found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
> + grub_cryptodisk_clear_key_cache (&cargs);
>
> if (found_uuid)
> return GRUB_ERR_NONE;
> @@ -1398,6 +1503,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> {
> cargs.check_boot = state[OPTION_BOOT].set;
> grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
> + grub_cryptodisk_clear_key_cache (&cargs);
> return GRUB_ERR_NONE;
> }
> else
> @@ -1421,6 +1527,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> disk = grub_disk_open (diskname);
> if (!disk)
> {
> + grub_cryptodisk_clear_key_cache (&cargs);
> if (disklast)
> *disklast = ')';
> return grub_errno;
> @@ -1431,12 +1538,14 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
> {
> grub_dprintf ("cryptodisk", "already mounted as crypto%lu\n", dev->id);
> grub_disk_close (disk);
> + grub_cryptodisk_clear_key_cache (&cargs);
> if (disklast)
> *disklast = ')';
> return GRUB_ERR_NONE;
> }
>
> dev = grub_cryptodisk_scan_device_real (diskname, disk, &cargs);
> + grub_cryptodisk_clear_key_cache (&cargs);
>
> grub_disk_close (disk);
> if (disklast)
> @@ -1590,6 +1699,7 @@ GRUB_MOD_INIT (cryptodisk)
> cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
> N_("[ [-p password] | [-k keyfile"
> " [-O keyoffset] [-S keysize] ] ] [-H file]"
> + " [-P protector [-P protector ...]]"
> " <SOURCE|-u UUID|-a|-b>"),
> N_("Mount a crypto device."), options);
> grub_procfs_register ("luks_script", &luks_script);
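Review bot: the usage string places `" [-P protector [-P protector ...]]"` outside the `[ [-p password] | [-k keyfile ...] ]` alternation, which now contradicts the grub_cmd_cryptomount() check that refuses -p and -P together; move -P into that alternation (or spell out the precedence) so the help text matches the grammar the command actually enforces.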
> diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
> index d94df68b6..0b41e249e 100644
> --- a/include/grub/cryptodisk.h
> +++ b/include/grub/cryptodisk.h
> @@ -70,6 +70,18 @@ typedef gcry_err_code_t
> (*grub_cryptodisk_rekey_func_t) (struct grub_cryptodisk *dev,
> grub_uint64_t zoneno);
>
> +struct grub_cryptomount_cached_key
> +{
> + grub_uint8_t *key;
> + grub_size_t key_len;
> +
> + /*
> + * The key protector associated with this cache entry failed, so avoid it
> + * even if the cached entry (an instance of this structure) is empty.
> + */
> + int invalid;
> +};
> +
> struct grub_cryptomount_args
> {
> /* scan: Flag to indicate that only bootable volumes should be decrypted */
> @@ -81,6 +93,10 @@ struct grub_cryptomount_args
> /* recover_key: Length of key_data */
> grub_size_t key_len;
> grub_file_t hdr_file;
> + /* recover_key: Names of the key protectors to use (NULL-terminated) */
> + char **protectors;
> + /* recover_key: Key cache to avoid invoking the same key protector twice */
> + struct grub_cryptomount_cached_key *key_cache;
> };
> typedef struct grub_cryptomount_args *grub_cryptomount_args_t;
>
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel