Date: Sat, 27 Sep 2014 10:15:57 +0400
From: Andrei Borzenkov
To: The development of GNU GRUB
Cc: kris@pcbsd.org
Subject: Re: Question about GRUB/GELI support
Message-ID: <20140927101557.0d21df61@opensuse.site>
In-Reply-To: <54259E48.4040502@pcbsd.org>
References: <54259E48.4040502@pcbsd.org>
List-Id: The development of GNU GRUB

On Fri, 26 Sep 2014 13:11:36 -0400, Kris Moore writes:

> Hey, quick question about GRUB's support for GELI. We are using it to
> boot Free/PC-BSD with GELI v5, and it works great there. However FreeBSD
> updated their geli implementation very slightly to v7, which only
> changes which part of the master key is used for encrypt / decrypt.
>
> https://github.com/freebsd/freebsd/commit/38de8ef1dd0e468ff1e3ec1c431f465e270beba3
>
> I think the line in GRUB that needs tweaking is on or around 440 of
> grub-core/disk/geli.c, where it calls grub_crypto_pbkdf2 (dev->hash.....

It would be too simple ... :)

It just unlocks the master key itself, while the patch makes GELI use a
derived key during encryption (and I presume decryption).

> I'm having trouble figuring out which part of that would be the
> equivalent of Freebsd's mkey -> ekey change, or if that data is even
> exposed in GRUB's version.
> Any tips or pointers?
>

You need to change which key is used for decryption after

    /* Set the master key. */
    if (!dev->rekey)
      {
        ...

Now, after cursory browsing of the FreeBSD code, grub geli seems to lack
quite a number of flags, each one apparently changing how keys are
computed. I do not know enough about GELI to decide whether they are
important to support or not. But I tried to understand where sc->sc_ekey
comes from in the case where G_ELI_FLAG_SINGLE_KEY is not set, and
failed :)

Also it seems that sc->sc_ekey is computed differently depending on
whether G_ELI_FLAG_AUTH is set or not (if it is not set, ekey is
apparently just a copy of mkey sans IV).

> I'm also doing some other patches to GRUB so we can pass the GELI key as
> a variable to the kernel, skipping the prompting at mount-root. That
> seems to work well, but I wanted to see if I could knock out both fixes
> at the same time. Once it's done, I'll be happy to forward the patch for
> upstream inclusion.
>

It's up to you but I do not see any reason to wait as long as the two
patches address independent problems.

> Thanks!
>
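The thread above turns on one question: which bytes actually key the sector cipher once the master key has been unlocked. The following Python is an added illustration by the editor, not code from this thread, from GRUB's geli.c or from FreeBSD. It models the decrypted master-key blob as a 64-byte IV key followed by a 64-byte data key, takes the pre-v7 behaviour to be "use the data key directly" (the "mkey sans IV" reading in the reply) and the v7 behaviour to be an HMAC-SHA512 derivation from the data key, and adds the per-region key used when the SINGLE_KEY flag is absent; the HMAC tags (0x10, 0x11, "ekey" plus a little-endian key number) are this editor's reading of FreeBSD's g_eli_key.c and are assumptions here, as are the placeholder flag bit values and the constructed sample key.

```python
"""
GELI data-key selection, pre-v7 versus v7 (illustration, not GRUB/FreeBSD code).

Everything below is a constructed model written by the editor.  The master
key blob layout, the HMAC tags and the flag bit values are assumptions made
for this example and must be checked against the real sources before use.
"""
import hashlib
import hmac
import struct

IVKEYLEN = 64              # assumed: IV key is the first 64 bytes of the blob
DATAKEYLEN = 64            # assumed: data key ("mkey sans IV") follows it
MKEYLEN = IVKEYLEN + DATAKEYLEN

# Flag names come from the thread; these bit values are placeholders only.
FLAG_AUTH = 1 << 0
FLAG_SINGLE_KEY = 1 << 1


def split_master_key(mkey_blob: bytes):
    """Split the decrypted master-key blob into (iv_key, data_key)."""
    if len(mkey_blob) != MKEYLEN:
        raise ValueError(f"expected {MKEYLEN}-byte master key blob")
    return mkey_blob[:IVKEYLEN], mkey_blob[IVKEYLEN:]


def derive_ekey(data_key: bytes, version: int) -> bytes:
    """Key GELI uses for sector encryption.

    version < 7:  the data key is used as-is (what the reply calls a copy of
                  mkey sans IV, and what GRUB's geli.c did at the time).
    version >= 7: ekey = HMAC-SHA512(data_key, 0x10)  (assumed tag).
    """
    if version < 7:
        return data_key
    return hmac.new(data_key, b"\x10", hashlib.sha512).digest()


def derive_akey(data_key: bytes, flags: int):
    """Authentication key, only meaningful when FLAG_AUTH is set (assumed tag 0x11)."""
    if not flags & FLAG_AUTH:
        return None
    return hmac.new(data_key, b"\x11", hashlib.sha512).digest()


def sector_key(ekey: bytes, flags: int, keyno: int) -> bytes:
    """Per-region key when FLAG_SINGLE_KEY is absent.

    Assumed form: HMAC-SHA512(ekey, "ekey" || le64(keyno)); with SINGLE_KEY
    set the ekey is used for every sector.
    """
    if flags & FLAG_SINGLE_KEY:
        return ekey
    return hmac.new(ekey, b"ekey" + struct.pack("<Q", keyno), hashlib.sha512).digest()


def cipher_key(ekey: bytes, keybits: int) -> bytes:
    """Truncate the 64-byte derived key to the cipher's key length (e.g. 256 bits)."""
    nbytes = keybits // 8
    if nbytes > len(ekey):
        raise ValueError("cipher key longer than derived key")
    return ekey[:nbytes]


# Constructed sample blob: deterministic, obviously not a real GELI master key.
MKEY_BLOB = (hashlib.sha512(b"constructed GELI IV key").digest()
             + hashlib.sha512(b"constructed GELI data key").digest())


def compare(version: int, flags: int, keyno: int = 0) -> dict:
    """Return the keys a given header version/flag set would use for one region."""
    _, data_key = split_master_key(MKEY_BLOB)
    ekey = derive_ekey(data_key, version)
    return {
        "ekey_is_raw_data_key": ekey == data_key,
        "ekey": ekey.hex(),
        "akey": (derive_akey(data_key, flags) or b"").hex(),
        "aes256_key": cipher_key(sector_key(ekey, flags, keyno), 256).hex(),
    }


if __name__ == "__main__":
    for version in (5, 7):
        print(f"v{version}:", compare(version, FLAG_SINGLE_KEY))
```

The point to take from running it is the one the reply makes: for a v5 volume the cipher key is a slice of the unlocked master key, so a loader that stops after PBKDF2 and the master-key decryption is done; for v7 the same bytes are wrong, and the extra HMAC step has to happen after "Set the master key" before the cipher is keyed. A loader that ignores the header version will decrypt v7 sectors to garbage without any error from the cipher itself, so a sanity check on the decrypted data (or on the header version) is the only signal.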