From: Glenn Washburn
To: Daniel Kiper, grub-devel@gnu.org
Cc: Denis 'GNUtoo' Carikli, Patrick Steinhardt, John Lane, Glenn Washburn
Subject: [PATCH v8 3/7] cryptodisk: enable the backends to implement detached headers
Date: Sat, 1 Jan 2022 21:52:56 -0600

Signed-off-by: John Lane
GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli
development@efficientek.com: rebase, rework for cryptomount parameter passing
Signed-off-by: Glenn Washburn --- grub-core/disk/cryptodisk.c | 15 ++++++++++++++- grub-core/disk/geli.c | 10 ++++++++++ grub-core/disk/luks.c | 8 ++++++++ grub-core/disk/luks2.c | 8 ++++++++ include/grub/cryptodisk.h | 2 ++ include/grub/file.h | 2 ++ 6 files changed, 44 insertions(+), 1 deletion(-) diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c index 497097394..e90f680f0 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -42,6 +42,7 @@ static const struct grub_arg_option options[] = {"all", 'a', 0, N_("Mount all."), 0, 0}, {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, {"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING}, + {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING}, {0, 0, 0, 0, 0, 0} }; @@ -1173,6 +1174,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) cargs.key_len = grub_strlen (state[3].arg); } + if (state[4].set) /* Detached header */ + { + if (state[0].set) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("Cannot use UUID lookup with detached header")); + + cargs.hdr_file = grub_file_open (state[4].arg, + GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER); + if (!cargs.hdr_file) + return grub_errno; + } + if (state[0].set) /* uuid */ { int found_uuid; @@ -1385,7 +1398,7 @@ GRUB_MOD_INIT (cryptodisk) { grub_disk_dev_register (&grub_cryptodisk_dev); cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, - N_("[-p password] "), + N_("[-p password] [-H file] "), N_("Mount a crypto device."), options); grub_procfs_register ("luks_script", &luks_script); } diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c index 5b3a11881..0b8046746 100644 --- a/grub-core/disk/geli.c +++ b/grub-core/disk/geli.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include 
@@ -121,6 +122,7 @@ enum /* FIXME: support version 0. */ /* FIXME: support big-endian pre-version-4 volumes. */ +/* FIXME: support for detached headers. */ /* FIXME: support for keyfiles. */ /* FIXME: support for HMAC. */ const char *algorithms[] = { @@ -252,6 +254,10 @@ geli_scan (grub_disk_t disk, grub_cryptomount_args_t cargs) grub_disk_addr_t sector; grub_err_t err; + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return NULL; + if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH) return NULL; @@ -412,6 +418,10 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_cryptomount_ar if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"); + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return GRUB_ERR_NOT_IMPLEMENTED_YET; + if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE) return grub_error (GRUB_ERR_BUG, "cipher block is too long"); diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index d57257b3e..032a9db3c 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -75,6 +75,10 @@ luks_scan (grub_disk_t disk, grub_cryptomount_args_t cargs) char hashspec[sizeof (header.hashSpec) + 1]; grub_err_t err; + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return NULL; + if (cargs->check_boot) return NULL; @@ -164,6 +168,10 @@ luks_recover_key (grub_disk_t source, if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"); + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return GRUB_ERR_NOT_IMPLEMENTED_YET; + err = grub_disk_read (source, 0, 0, sizeof (header), &header); if (err) return err; diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c index ccfacb63a..567368f11 100644 --- a/grub-core/disk/luks2.c +++ b/grub-core/disk/luks2.c 
@@ -353,6 +353,10 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs) char uuid[sizeof (header.uuid) + 1]; grub_size_t i, j; + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return NULL; + if (cargs->check_boot) return NULL; @@ -560,6 +564,10 @@ luks2_recover_key (grub_disk_t source, if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"); + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return GRUB_ERR_NOT_IMPLEMENTED_YET; + ret = luks2_read_header (source, &header); if (ret) return ret; diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h index c6524c9ea..9fe451de9 100644 --- a/include/grub/cryptodisk.h +++ b/include/grub/cryptodisk.h @@ -20,6 +20,7 @@ #define GRUB_CRYPTODISK_HEADER 1 #include +#include #include #include #ifdef GRUB_UTIL @@ -77,6 +78,7 @@ struct grub_cryptomount_args grub_uint8_t *key_data; /* recover_key: Length of key_data */ grub_size_t key_len; + grub_file_t hdr_file; }; typedef struct grub_cryptomount_args *grub_cryptomount_args_t; diff --git a/include/grub/file.h b/include/grub/file.h index 31567483c..3a3c49a04 100644 --- a/include/grub/file.h +++ b/include/grub/file.h @@ -90,6 +90,8 @@ enum grub_file_type GRUB_FILE_TYPE_FONT, /* File holding encryption key for encrypted ZFS. */ GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY, + /* File holding the encryption metadata header */ + GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER, /* File we open n grub-fstest. */ GRUB_FILE_TYPE_FSTEST, /* File we open n grub-mount. */ -- 2.27.0
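
Review bot: the help text of the new -H entry in options[] (grub-core/disk/cryptodisk.c), N_("Read header from file"), has no trailing period, while the neighbouring entries ("Mount all.", "Password to open volumes.") end with one. Add the period so the option list renders consistently.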
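
Review bot: in grub_cmd_cryptomount() the handle that grub_file_open() stores in cargs.hdr_file is never closed. The diffstat shows no other additions to cryptodisk.c, so every return path after the new block leaves the header file open. Add a grub_file_close (cargs.hdr_file) on the exit paths, for example through a single cleanup label. The guard also rejects only state[0] (UUID lookup); -a and -b (state[1], state[2]) are still accepted together with -H, so decide whether those combinations should be refused in the same way.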
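
Review bot: geli_scan(), luks_scan() and luks2_scan() return NULL without recording any error when cargs->hdr_file is set, so with this patch alone none of the three backends touched here can match a device once -H is given, and the user is not told that detached-header support is missing. A grub_dprintf in each early return, or a sentence in the commit message stating that -H is accepted but not yet functional, would make that explicit. It also means the hdr_file checks added to the recover_key functions cannot be reached through these scan functions yet.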
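
Review bot: in geli_recover_key(), luks_recover_key() and luks2_recover_key() the new guard returns the bare code GRUB_ERR_NOT_IMPLEMENTED_YET, while the check directly above it goes through grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"). Returning the code alone leaves grub_errno and the error message unset. Suggest return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "detached headers are not implemented yet"); in all three places.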
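
Review bot: the new hdr_file member of struct grub_cryptomount_args (include/grub/cryptodisk.h) has no comment, unlike key_len just above it ("recover_key: Length of key_data"). Document which callbacks read it and who owns the handle, that is, who is expected to close it, since the struct is handed to both the scan and the recover_key functions.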
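
Review bot: the comment on GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER in include/grub/file.h, "File holding the encryption metadata header", lacks the terminating period that the surrounding enum comments use ("File holding encryption key for encrypted ZFS."). Add it to match.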