[PATCH v3 00/12] Support Argon2 KDF

[PATCH v3 00/12] Support Argon2 KDF

[Gary Lin via Grub-devel]

This patch series imports the Argon2 code and tests from libgcrypt and
adds Argon2 support to LUKS2.

- Patch 1~6 import kdf.c from libgcrypt and extract the Argon2 related
  functions. The _gcry_kdf_* functions are also imported to make it
  easier to support other KDF functions when necessary.
- Patch 7 introduces grub_crypto_argon2().
- Patch 8 and 9 integrates the Argon2 tests from libgcrypt into
  functional_test.
- Patch 10 leverages grub_crypto_argon2() to add Argon2 support to LUKS2.
- Patch 11 changes the default KDF of the LUKS2 test to Argon2id.
- Patch 12 documents argon2 and argon2_test modules.

v3:
- Updating comments in import_gcry.py
- Splitting the kdf build patch into 3 smaller patches
- Fixing the build error on 32-bit platforms
- Adjusting the order of 'ldadd' in Makefile.util.def
- Fixing the error messages in luks2_parse_keyslot()

v2:
- Import Argon2 code differently to improve maintainability
  * Updating import_gcry.py to import Argon2 and _gcry_kdf_* functions
    from kdf.c instead of extracting the code manually
  * Implementing grub_crypto_argon2() with the _gcry_kdf_* functions to
    avoid the GCRY flags when building argon2.c
  * Building argon2.c inside libgrubkernel.a since the GCRY flags are not
    needed anymore

Gary Lin (12):
  util/import_gcry: Import kdf.c for Argon2
  crypto: Update crypto.h for libgcrypt KDF functions
  libgcrypt/kdf: Implement blake2b_512.hash_buffers()
  libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
  libgcrypt/kdf: Remove unsupported KDFs
  libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
  argon2: Introduce grub_crypto_argon2()
  Import Argon2 tests from libgcrypt
  Integrate Argon2 tests into functional_test
  disk/luks2: Add Argon2 support
  tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
  docs: Document argon2 and argon2_test

 Makefile.util.def                             |  55 +++---
 conf/Makefile.extra-dist                      |   4 +
 docs/grub.texi                                |  11 ++
 grub-core/Makefile.core.def                   |  10 ++
 grub-core/disk/luks2.c                        |  40 ++++-
 grub-core/lib/argon2.c                        |  52 ++++++
 .../09-blake2b-hash-buffers.patch             |  54 ++++++
 .../10-kdf-use-GPG-errs.patch                 |  48 +++++
 .../11-kdf-remove-unsupported-kdfs.patch      | 166 ++++++++++++++++++
 .../12-kdf-use-grub_divmod64.patch            |  78 ++++++++
 grub-core/tests/argon2_test.c                 | 139 +++++++++++++++
 grub-core/tests/lib/functional_test.c         |   1 +
 include/grub/crypto.h                         |  49 ++++++
 tests/util/grub-fs-tester.in                  |  10 +-
 util/import_gcry.py                           |  31 +++-
 15 files changed, 712 insertions(+), 36 deletions(-)
 create mode 100644 grub-core/lib/argon2.c
 create mode 100644 grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
 create mode 100644 grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
 create mode 100644 grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
 create mode 100644 grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
 create mode 100644 grub-core/tests/argon2_test.c

Range-diff against v2:
 1:  5dd329599 !  1:  4c2b3fec8 util/import_gcry: Import kdf.c for Argon2
    @@ Commit message
     
      ## util/import_gcry.py ##
     @@ util/import_gcry.py: with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
    +         if re.match (r"(Makefile\.am|primegen\.c|cipher\.c|cipher-.*\.c|mac-.*\.c|mac\.c|pubkey\.c)$", cipher_file):
                  chlog = "%s%s: Removed\n" % (chlog, chlognew)
                  continue
    -         # TODO: Support KDF
    +-        # TODO: Support KDF
     -        if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
    ++        # TODO: Support scrypt KDF
     +        if re.match (r"(scrypt\.c)$", cipher_file):
                  chlog = "%s%s: Removed\n" % (chlog, chlognew)
                  continue
    @@ util/import_gcry.py: with codecs.open (os.path.join (cipher_dir_out, "crypto.lst
                                      nch = True
                                  continue
     +                        elif re.match ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*", line) is not None and cipher_file == "kdf.c":
    ++                            # TODO Support other KDFs
     +                            skip = 1
     +                            fname = re.match ("[a-zA-Z0-9_]*", line).group ()
     +                            chmsg = "(%s): Removed." % fname
 2:  5e544e51c !  2:  210b6292b crypto: Update crypto.h for libgcrypt KDF functions
    @@ Commit message
         - prototypes of '_gcry_kdf_*' functions
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
     
      ## include/grub/crypto.h ##
     @@ include/grub/crypto.h: typedef enum
 -:  --------- >  3:  97e34226d libgcrypt/kdf: Implement blake2b_512.hash_buffers()
 -:  --------- >  4:  ece319254 libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
 3:  69aea293b !  5:  ac22a5546 kdf: Resovle the build errors
    @@ Metadata
     Author: Gary Lin <glin@suse.com>
     
      ## Commit message ##
    -    kdf: Resovle the build errors
    +    libgcrypt/kdf: Remove unsupported KDFs
     
    -    - Adding argon2_blake2b_512_hash_buffers() as the replacement of
    -      _gcry_digest_spec_blake2b_512.hash_buffers()
    -    - Replacing gpg_err_code_from_errno() with GPG_ERR_*
    -    - Removing the unsupported KDFs from _gcry_kdf_*()
    +    Clean up _gcry_kdf_*() to remove unsupported KDFs.
     
         Signed-off-by: Gary Lin <glin@suse.com>
     
      ## conf/Makefile.extra-dist ##
    -@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
    - EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
    - EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
    +@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
      EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
    -+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch
    + EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
    + EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
    ++EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
      
      EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
      EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
     
    - ## grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch (new) ##
    + ## grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch (new) ##
     @@
    -+From 8583cb1211e9f8253e072b047082b2141346fd31 Mon Sep 17 00:00:00 2001
    ++From f46f3dbd2e572a6610d651d14e9a3a8b27883c49 Mon Sep 17 00:00:00 2001
     +From: Gary Lin <glin@suse.com>
    -+Date: Wed, 6 Aug 2025 09:56:21 +0800
    -+Subject: [PATCH] kdf: Resovle the build errors
    ++Date: Mon, 25 Aug 2025 16:00:17 +0800
    ++Subject: [PATCH 3/4] libgcrypt/kdf: Remove unsupported KDFs
     +
    -+- Adding argon2_blake2b_512_hash_buffers() as the replacement of
    -+  _gcry_digest_spec_blake2b_512.hash_buffers()
    -+- Replacing gpg_err_code_from_errno() with GPG_ERR_*
    -+- Removing the unsupported KDFs from _gcry_kdf_*()
    ++Clean up _gcry_kdf_*() to remove unsupported KDFs.
     +
     +Signed-off-by: Gary Lin <glin@suse.com>
     +---
    -+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 145 ++++------------------
    -+ 1 file changed, 22 insertions(+), 123 deletions(-)
    ++ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 119 ----------------------
    ++ 1 file changed, 119 deletions(-)
     +
     +diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
    -+index 0689f88b1..6e825d3e8 100644
    ++index 55294672b..6e825d3e8 100644
     +--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
     ++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
    -+@@ -129,6 +129,24 @@ beswap64_block (u64 *dst)
    -+ #endif
    -+ }
    -+ 
    -++/* Implementation of _gcry_blake2b_512_hash_buffers */
    -++static void
    -++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
    -++{
    -++  void *hd;
    -++
    -++  hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
    -++  if (!hd)
    -++    return;
    -++
    -++  _gcry_digest_spec_blake2b_512.init (hd, 0);
    -++  for (;iovcnt > 0; iov++, iovcnt--)
    -++    _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
    -++  _gcry_digest_spec_blake2b_512.final (hd);
    -++  grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
    -++
    -++  xfree (hd);
    -++}
    -+ 
    -+ static gpg_err_code_t
    -+ argon2_fill_first_blocks (argon2_ctx_t a)
    -+@@ -195,7 +213,7 @@ argon2_fill_first_blocks (argon2_ctx_t a)
    -+       iov_count++;
    -+     }
    -+ 
    -+-  _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
    -++  argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
    -+ 
    -+   for (i = 0; i < a->lanes; i++)
    -+     {
    -+@@ -242,7 +260,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
    -+   block = xtrymalloc (1024 * memory_blocks);
    -+   if (!block)
    -+     {
    -+-      ec = gpg_err_code_from_errno (errno);
    -++      ec = GPG_ERR_OUT_OF_MEMORY;
    -+       return ec;
    -+     }
    -+   memset (block, 0, 1024 * memory_blocks);
    -+@@ -250,7 +268,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
    -+   thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
    -+   if (!thread_data)
    -+     {
    -+-      ec = gpg_err_code_from_errno (errno);
    -++      ec = GPG_ERR_OUT_OF_MEMORY;
    -+       xfree (block);
    -+       return ec;
    -+     }
    -+@@ -601,7 +619,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
    -+   n = offsetof (struct argon2_context, out) + taglen;
    -+   a = xtrymalloc (n);
    -+   if (!a)
    -+-    return gpg_err_code_from_errno (errno);
    -++    return GPG_ERR_OUT_OF_MEMORY;
    -+ 
    -+   a->algo = GCRY_KDF_ARGON2;
    -+   a->hash_type = hash_type;
    -+@@ -798,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
    ++@@ -816,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
     +                           key, keylen, ad, adlen);
     +       break;
     + 
    @@ -798,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
     +     default:
     +       ec = GPG_ERR_UNKNOWN_ALGORITHM;
     +       break;
    -+@@ -875,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
    ++@@ -893,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
     +       ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
     +       break;
     + 
    @@ -875,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thre
     +     default:
     +       ec = GPG_ERR_UNKNOWN_ALGORITHM;
     +       break;
    -+@@ -915,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
    ++@@ -933,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
     +       ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
     +       break;
     + 
    @@ -915,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *resu
     +     default:
     +       ec = GPG_ERR_UNKNOWN_ALGORITHM;
     +       break;
    -+@@ -953,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
    ++@@ -971,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
     +       argon2_close ((argon2_ctx_t)(void *)h);
     +       break;
     + 
 -:  --------- >  6:  51cabda08 libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
 4:  d551580b9 !  7:  b56661bb6 argon2: Introduce grub_crypto_argon2()
    @@ Commit message
         linker can discover those functions.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
     
      ## Makefile.util.def ##
     @@ Makefile.util.def: library = {
    @@ Makefile.util.def: library = {
        common = grub-core/lib/pbkdf2.c;
        common = grub-core/commands/extcmd.c;
        common = grub-core/lib/arg.c;
    +@@ Makefile.util.def: program = {
    +   extra_dist = util/grub-mkimagexx.c;
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBLZMA)';
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
     @@ Makefile.util.def: program = {
        cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
      
    @@ Makefile.util.def: program = {
     @@ Makefile.util.def: program = {
        common = grub-core/osdep/init.c;
      
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    + 
    +   ldadd = '$(LIBLZMA)';
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/osdep/init.c;
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/osdep/init.c;
    + 
        ldadd = libgrubmods.a;
     -  ldadd = libgrubgcry.a;
        ldadd = libgrubkern.a;
    @@ Makefile.util.def: program = {
        ldadd = grub-core/lib/gnulib/libgnu.a;
        ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
      };
    +@@ Makefile.util.def: program = {
    +   cflags = '$(FUSE_CFLAGS)';
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
    +   condition = COND_GRUB_MOUNT;
    +@@ Makefile.util.def: program = {
    +   cppflags = '-DGRUB_MKFONT=1';
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(FREETYPE_LIBS)';
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    +@@ Makefile.util.def: program = {
    +   common = grub-core/osdep/init.c;
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/osdep/init.c;
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/osdep/init.c;
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
     @@ Makefile.util.def: program = {
        common = grub-core/kern/emu/argp_common.c;
      
    @@ Makefile.util.def: program = {
        ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
      };
     @@ Makefile.util.def: program = {
    + 
    +   ldadd = '$(LIBLZMA)';
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    + 
    +   ldadd = '$(LIBLZMA)';
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/kern/misc.c;
    +   common = grub-core/tests/lib/test.c;
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/kern/misc.c;
    +   common = grub-core/tests/lib/test.c;
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/kern/misc.c;
    +   common = grub-core/tests/lib/test.c;
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/tests/lib/test.c;
    +   common = grub-core/lib/priority_queue.c;
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    +   condition = COND_HAVE_CXX;
    +@@ Makefile.util.def: program = {
    +   common = grub-core/kern/misc.c;
    +   common = grub-core/tests/lib/test.c;
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/osdep/init.c;
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
    +@@ Makefile.util.def: program = {
        common = grub-core/kern/emu/argp_common.c;
      
        ldadd = libgrubmods.a;
    @@ Makefile.util.def: program = {
        ldadd = grub-core/lib/gnulib/libgnu.a;
        ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
      };
    +@@ Makefile.util.def: program = {
    +   common = grub-core/osdep/init.c;
    + 
    +   ldadd = libgrubmods.a;
    +-  ldadd = libgrubgcry.a;
    +   ldadd = libgrubkern.a;
    ++  ldadd = libgrubgcry.a;
    +   ldadd = grub-core/lib/gnulib/libgnu.a;
    +   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
    + };
     
      ## grub-core/Makefile.core.def ##
     @@ grub-core/Makefile.core.def: module = {
 5:  60a8a8ff9 =  8:  54bd89f6a Import Argon2 tests from libgcrypt
 6:  78d6cb520 !  9:  e386633aa Integrate Argon2 tests into functional_test
    @@ Commit message
     
         Signed-off-by: Gary Lin <glin@suse.com>
         Tested-By: Waldemar Brodkorb <wbx@openadk.org>
    +    Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
     
      ## grub-core/Makefile.core.def ##
     @@ grub-core/Makefile.core.def: module = {
 7:  06836af69 ! 10:  86bbe307d disk/luks2: Add Argon2 support
    @@ grub-core/disk/luks2.c: luks2_parse_keyslot (grub_luks2_keyslot_t *out, const gr
          {
            out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
            if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
    -@@ grub-core/disk/luks2.c: luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
    + 	  grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
      	  grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
    - 	return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
    -     }
    +-	return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
    ++	return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2i parameters");
    ++    }
     +  else if (!grub_strcmp (type, "argon2id"))
     +    {
     +      out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
     +      if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
     +	  grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
     +	  grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
    -+	return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2id parameters");
    -+    }
    ++	return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2id parameters");
    +     }
        else if (!grub_strcmp (type, "pbkdf2"))
          {
    -       out->kdf.type = LUKS2_KDF_TYPE_PBKDF2;
     @@ grub-core/disk/luks2.c: luks2_decrypt_key (grub_uint8_t *out_key,
        grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
        grub_uint8_t *split_key = NULL;
 8:  57ec8ca9f ! 11:  f626d2001 tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
    @@ Commit message
     
         Signed-off-by: Gary Lin <glin@suse.com>
         Tested-By: Waldemar Brodkorb <wbx@openadk.org>
    +    Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
     
      ## tests/util/grub-fs-tester.in ##
     @@ tests/util/grub-fs-tester.in: for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
 9:  1d3ce8f59 ! 12:  a1cdf3b42 docs: Document argon2 and argon2_test
    @@ Commit message
     
         Signed-off-by: Gary Lin <glin@suse.com>
         Tested-By: Waldemar Brodkorb <wbx@openadk.org>
    +    Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
     
      ## docs/grub.texi ##
     @@ docs/grub.texi: Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 01/12] util/import_gcry: Import kdf.c for Argon2

[Gary Lin via Grub-devel]

The import_gcry.py script now imports kdf.c from libgcrypt. To isolate
the Argon2 implementation, all unrelated functions have been removed.

Signed-off-by: Gary Lin <glin@suse.com>
---
 util/import_gcry.py | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/util/import_gcry.py b/util/import_gcry.py
index 086bde77c..b00885c93 100644
--- a/util/import_gcry.py
+++ b/util/import_gcry.py
@@ -145,8 +145,8 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
         if re.match (r"(Makefile\.am|primegen\.c|cipher\.c|cipher-.*\.c|mac-.*\.c|mac\.c|pubkey\.c)$", cipher_file):
             chlog = "%s%s: Removed\n" % (chlog, chlognew)
             continue
-        # TODO: Support KDF
-        if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
+        # TODO: Support scrypt KDF
+        if re.match (r"(scrypt\.c)$", cipher_file):
             chlog = "%s%s: Removed\n" % (chlog, chlognew)
             continue
         # TODO: Support chacha20 and poly1305
@@ -313,6 +313,17 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
                                 chlognew = "%s %s" % (chlognew, chmsg)
                                 nch = True
                             continue
+                        elif re.match ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*", line) is not None and cipher_file == "kdf.c":
+                            # TODO Support other KDFs
+                            skip = 1
+                            fname = re.match ("[a-zA-Z0-9_]*", line).group ()
+                            chmsg = "(%s): Removed." % fname
+                            if nch:
+                                chlognew = "%s\n	%s" % (chlognew, chmsg)
+                            else:
+                                chlognew = "%s %s" % (chlognew, chmsg)
+                                nch = True
+                            continue
                         else:
                             fw.write (holdline)
                     m = re.match ("# *include <(.*)>", line)
@@ -439,7 +450,7 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
                             nch = True
                         continue
 
-                    m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
+                    m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t|static u64|static size_t) *$", line)
                     if not m is None:
                         hold = True
                         holdline = line
@@ -575,6 +586,20 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
                     conf.write ("};\n\n")
                     if nch:
                         chlog = "%s%s\n" % (chlog, chlognew)
+                elif cipher_file == "kdf.c":
+                    modfiles = ["kdf.c"]
+                    if modname in extra_files:
+                        modfiles += extra_files[modname]
+                    conf.write ("module = {\n")
+                    conf.write ("  name = %s;\n" % modname)
+                    for src in modfiles:
+                        conf.write ("  common = lib/libgcrypt-grub/cipher/%s;\n" % src)
+                        confutil.write ("  common = grub-core/lib/libgcrypt-grub/cipher/%s;\n" % src)
+                    conf.write ("  cflags = '$(CFLAGS_GCRY)';\n")
+                    conf.write ("  cppflags = '$(CPPFLAGS_GCRY)';\n")
+                    conf.write ("};\n\n")
+                    if nch:
+                        chlog = "%s%s\n" % (chlog, chlognew)
                 elif isc and cipher_file not in extra_files_list:
                     print ("WARNING: C file isn't a module: %s" % cipher_file)
                     os.remove (outfile)
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 02/12] crypto: Update crypto.h for libgcrypt KDF functions

[Gary Lin via Grub-devel]

Add the following items to crypto.h
- more GPG error types
- _gcry_digest_spec_blake2b_512 for Argon2
- KDF algorithm IDs for Argon2
- prototypes of '_gcry_kdf_*' functions

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
 include/grub/crypto.h | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index b0d7add1d..d323f00ce 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -34,6 +34,7 @@ typedef enum
     GPG_ERR_BAD_MPI,
     GPG_ERR_BAD_SECKEY,
     GPG_ERR_BAD_SIGNATURE,
+    GPG_ERR_CANCELED,
     GPG_ERR_CIPHER_ALGO,
     GPG_ERR_CONFLICT,
     GPG_ERR_DECRYPT_FAILED,
@@ -48,6 +49,7 @@ typedef enum
     GPG_ERR_INV_OP,
     GPG_ERR_INV_SEXP,
     GPG_ERR_INV_VALUE,
+    GPG_ERR_MAC_ALGO,
     GPG_ERR_MISSING_VALUE,
     GPG_ERR_NO_ENCRYPTION_SCHEME,
     GPG_ERR_NO_OBJ,
@@ -59,7 +61,9 @@ typedef enum
     GPG_ERR_PUBKEY_ALGO,
     GPG_ERR_SELFTEST_FAILED,
     GPG_ERR_TOO_SHORT,
+    GPG_ERR_UNKNOWN_ALGORITHM,
     GPG_ERR_UNSUPPORTED,
+    GPG_ERR_UNSUPPORTED_ALGORITHM,
     GPG_ERR_WEAK_KEY,
     GPG_ERR_WRONG_KEY_USAGE,
     GPG_ERR_WRONG_PUBKEY_ALGO,
@@ -512,6 +516,7 @@ extern gcry_md_spec_t _gcry_digest_spec_sha1;
 extern gcry_md_spec_t _gcry_digest_spec_sha256;
 extern gcry_md_spec_t _gcry_digest_spec_sha512;
 extern gcry_md_spec_t _gcry_digest_spec_crc32;
+extern gcry_md_spec_t _gcry_digest_spec_blake2b_512;
 extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
 #define GRUB_MD_MD5 ((const gcry_md_spec_t *) &_gcry_digest_spec_md5)
 #define GRUB_MD_SHA1 ((const gcry_md_spec_t *) &_gcry_digest_spec_sha1)
@@ -520,6 +525,41 @@ extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
 #define GRUB_MD_CRC32 ((const gcry_md_spec_t *) &_gcry_digest_spec_crc32)
 #define GRUB_CIPHER_AES ((const gcry_cipher_spec_t *) &_gcry_cipher_spec_aes)
 
+/* Algorithm IDs for the KDFs.  */
+enum grub_gcry_kdf_algos
+  {
+    GRUB_GCRY_KDF_NONE = 0,
+    GRUB_GCRY_KDF_ARGON2 = 64,
+  };
+
+enum grub_gcry_kdf_subalgo_argon2
+  {
+    GRUB_GCRY_KDF_ARGON2D  = 0,
+    GRUB_GCRY_KDF_ARGON2I  = 1,
+    GRUB_GCRY_KDF_ARGON2ID = 2
+  };
+
+typedef struct gcry_kdf_handle *gcry_kdf_hd_t;
+struct gcry_kdf_handle;
+struct gcry_kdf_thread_ops;
+
+gpg_err_code_t
+_gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+                const unsigned long *param, unsigned int paramlen,
+                const void *input, grub_size_t inputlen,
+                const void *salt, grub_size_t saltlen,
+                const void *key, grub_size_t keylen,
+                const void *ad, grub_size_t adlen);
+
+gpg_err_code_t
+_gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops);
+
+gpg_err_code_t
+_gcry_kdf_final (gcry_kdf_hd_t h, grub_size_t resultlen, void *result);
+
+void
+_gcry_kdf_close (gcry_kdf_hd_t h);
+
 /* Implement PKCS#5 PBKDF2 as per RFC 2898.  The PRF to use is HMAC variant
    of digest supplied by MD.  Inputs are the password P of length PLEN,
    the salt S of length SLEN, the iteration counter C (> 0), and the
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 03/12] libgcrypt/kdf: Implement blake2b_512.hash_buffers()

[Gary Lin via Grub-devel]

Add argon2_blake2b_512_hash_buffers() as the replacement of
_gcry_digest_spec_blake2b_512.hash_buffers().

Signed-off-by: Gary Lin <glin@suse.com>
---
 conf/Makefile.extra-dist                      |  1 +
 .../09-blake2b-hash-buffers.patch             | 54 +++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 49bca5577..9def61722 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -43,6 +43,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
new file mode 100644
index 000000000..16846ca4a
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
@@ -0,0 +1,54 @@
+From 9c4b1a458718d848d0121b81f8533bbc7f26469a Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:54:24 +0800
+Subject: [PATCH 1/4] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
+
+Add argon2_blake2b_512_hash_buffers() as the replacement of
+_gcry_digest_spec_blake2b_512.hash_buffers().
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 0689f88b1..fd0c4a106 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -129,6 +129,24 @@ beswap64_block (u64 *dst)
+ #endif
+ }
+ 
++/* Implementation of _gcry_blake2b_512_hash_buffers */
++static void
++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
++{
++  void *hd;
++
++  hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
++  if (!hd)
++    return;
++
++  _gcry_digest_spec_blake2b_512.init (hd, 0);
++  for (;iovcnt > 0; iov++, iovcnt--)
++    _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
++  _gcry_digest_spec_blake2b_512.final (hd);
++  grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
++
++  xfree (hd);
++}
+ 
+ static gpg_err_code_t
+ argon2_fill_first_blocks (argon2_ctx_t a)
+@@ -195,7 +213,7 @@ argon2_fill_first_blocks (argon2_ctx_t a)
+       iov_count++;
+     }
+ 
+-  _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
++  argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
+ 
+   for (i = 0; i < a->lanes; i++)
+     {
+-- 
+2.43.0
+
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 04/12] libgcrypt/kdf: Get rid of gpg_err_code_from_errno()

[Gary Lin via Grub-devel]

gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in
Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno()
with GPG_ERR_* to avoid the build errors.

Signed-off-by: Gary Lin <glin@suse.com>
---
 conf/Makefile.extra-dist                      |  1 +
 .../10-kdf-use-GPG-errs.patch                 | 48 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 9def61722..ac72a7ecf 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -44,6 +44,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch b/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
new file mode 100644
index 000000000..e18ef4d15
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
@@ -0,0 +1,48 @@
+From 0344b5a1c206aaa8ec591824c5d0ccf5d9a1e6c0 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:56:03 +0800
+Subject: [PATCH 2/4] libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
+
+gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in
+Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno()
+with GPG_ERR_* to avoid the build errors.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index fd0c4a106..55294672b 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -260,7 +260,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+   block = xtrymalloc (1024 * memory_blocks);
+   if (!block)
+     {
+-      ec = gpg_err_code_from_errno (errno);
++      ec = GPG_ERR_OUT_OF_MEMORY;
+       return ec;
+     }
+   memset (block, 0, 1024 * memory_blocks);
+@@ -268,7 +268,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+   thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
+   if (!thread_data)
+     {
+-      ec = gpg_err_code_from_errno (errno);
++      ec = GPG_ERR_OUT_OF_MEMORY;
+       xfree (block);
+       return ec;
+     }
+@@ -619,7 +619,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
+   n = offsetof (struct argon2_context, out) + taglen;
+   a = xtrymalloc (n);
+   if (!a)
+-    return gpg_err_code_from_errno (errno);
++    return GPG_ERR_OUT_OF_MEMORY;
+ 
+   a->algo = GCRY_KDF_ARGON2;
+   a->hash_type = hash_type;
+-- 
+2.43.0
+
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 05/12] libgcrypt/kdf: Remove unsupported KDFs

[Gary Lin via Grub-devel]

Clean up _gcry_kdf_*() to remove unsupported KDFs.

Signed-off-by: Gary Lin <glin@suse.com>
---
 conf/Makefile.extra-dist                      |   1 +
 .../11-kdf-remove-unsupported-kdfs.patch      | 166 ++++++++++++++++++
 2 files changed, 167 insertions(+)
 create mode 100644 grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index ac72a7ecf..abd4227e7 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -45,6 +45,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
new file mode 100644
index 000000000..06723201e
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
@@ -0,0 +1,166 @@
+From f46f3dbd2e572a6610d651d14e9a3a8b27883c49 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:00:17 +0800
+Subject: [PATCH 3/4] libgcrypt/kdf: Remove unsupported KDFs
+
+Clean up _gcry_kdf_*() to remove unsupported KDFs.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 119 ----------------------
+ 1 file changed, 119 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 55294672b..6e825d3e8 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -816,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+                           key, keylen, ad, adlen);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      if (!inputlen || !saltlen || keylen || adlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)key;
+-          (void)ad;
+-          ec = balloon_open (hd, subalgo, param, paramlen,
+-                             input, inputlen, salt, saltlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      if (!inputlen || !paramlen || !adlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          (void)key;
+-          ec = onestep_kdf_open (hd, subalgo, param, paramlen,
+-                                 input, inputlen, ad, adlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      if (!inputlen || !paramlen || !keylen || !adlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen,
+-                                     input, inputlen, key, keylen, ad, adlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      if (!inputlen || !paramlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          ec = hkdf_open (hd, subalgo, param, paramlen,
+-                          input, inputlen, key, keylen, ad, adlen);
+-        }
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      if (!inputlen || !paramlen)
+-        ec = GPG_ERR_INV_VALUE;
+-      else
+-        {
+-          (void)salt;
+-          (void)key;
+-          ec = x963_kdf_open (hd, subalgo, param, paramlen,
+-                              input, inputlen, ad, adlen);
+-        }
+-      break;
+-
+     default:
+       ec = GPG_ERR_UNKNOWN_ALGORITHM;
+       break;
+@@ -893,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
+       ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops);
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      ec = x963_kdf_compute ((x963_kdf_ctx_t)(void *)h, ops);
+-      break;
+-
+     default:
+       ec = GPG_ERR_UNKNOWN_ALGORITHM;
+       break;
+@@ -933,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
+       ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, result);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h,
+-                                  resultlen, result);
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result);
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      ec = x963_kdf_final ((x963_kdf_ctx_t)(void *)h, resultlen, result);
+-      break;
+-
+     default:
+       ec = GPG_ERR_UNKNOWN_ALGORITHM;
+       break;
+@@ -971,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+       argon2_close ((argon2_ctx_t)(void *)h);
+       break;
+ 
+-    case GCRY_KDF_BALLOON:
+-      balloon_close ((balloon_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF:
+-      onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_ONESTEP_KDF_MAC:
+-      onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_HKDF:
+-      hkdf_close ((hkdf_ctx_t)(void *)h);
+-      break;
+-
+-    case GCRY_KDF_X963_KDF:
+-      x963_kdf_close ((x963_kdf_ctx_t)(void *)h);
+-      break;
+-
+     default:
+       break;
+     }
+-- 
+2.43.0
+
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 06/12] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms

[Gary Lin via Grub-devel]

Use grub_divmod64() for the 64-bit modulus to prevent creation of
__umoddi3() calls on 32-bit platforms.

Signed-off-by: Gary Lin <glin@suse.com>
---
 conf/Makefile.extra-dist                      |  1 +
 .../12-kdf-use-grub_divmod64.patch            | 78 +++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index abd4227e7..5d9ff91e9 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -46,6 +46,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch b/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
new file mode 100644
index 000000000..f6e1251ae
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
@@ -0,0 +1,78 @@
+From 232133d5672a89f5e5a45116171e802c1ebab2e7 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:01:45 +0800
+Subject: [PATCH 4/4] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
+
+Use grub_divmod64() for the 64-bit modulus to prevent creation of
+__umoddi3() calls on 32-bit platforms.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 6e825d3e8..e0a1b2901 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -370,6 +370,7 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+   u32 reference_area_size;
+   u64 relative_position;
+   u32 start_position;
++  u64 remainder;
+ 
+   if (t->pass == 0)
+     {
+@@ -406,7 +407,8 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+       ? 0
+       : (t->slice + 1) * a->segment_length;
+ 
+-  return (start_position + relative_position) % a->lane_length;
++  grub_divmod64 (start_position + relative_position, a->lane_length, &remainder);
++  return remainder;
+ }
+ 
+ static void
+@@ -420,6 +422,7 @@ argon2_compute_segment (void *priv)
+   u64 input_block[1024/sizeof (u64)];
+   u64 address_block[1024/sizeof (u64)];
+   u64 *random_block = NULL;
++  u64 remainder;
+ 
+   if (a->hash_type == GCRY_KDF_ARGON2I
+       || (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2))
+@@ -444,7 +447,8 @@ argon2_compute_segment (void *priv)
+     i = 0;
+ 
+   curr_offset = t->lane * a->lane_length + t->slice * a->segment_length + i;
+-  if ((curr_offset % a->lane_length))
++  grub_divmod64 (curr_offset, a->lane_length, &remainder);
++  if (remainder)
+     prev_offset = curr_offset - 1;
+   else
+     prev_offset = curr_offset + a->lane_length - 1;
+@@ -454,7 +458,8 @@ argon2_compute_segment (void *priv)
+       u64 *ref_block, *curr_block;
+       u64 rand64;
+ 
+-      if ((curr_offset % a->lane_length) == 1)
++      grub_divmod64 (curr_offset, a->lane_length, &remainder);
++      if (remainder == 1)
+         prev_offset = curr_offset - 1;
+ 
+       if (random_block)
+@@ -470,7 +475,10 @@ argon2_compute_segment (void *priv)
+       if (t->pass == 0 && t->slice == 0)
+         ref_lane = t->lane;
+       else
+-        ref_lane = (rand64 >> 32) % a->lanes;
++	{
++	  grub_divmod64 (rand64 >> 32, a->lanes, &remainder);
++	  ref_lane = remainder;
++	}
+ 
+       ref_index = index_alpha (a, t, i, (rand64 & 0xffffffff),
+                                ref_lane == t->lane);
+-- 
+2.43.0
+
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 07/12] argon2: Introduce grub_crypto_argon2()

[Gary Lin via Grub-devel]

This commit introduces grub_crypto_argon2() which leverages the
'_gcry_kdf_*' functions from libgcrypt to provide Argon2 support.

Due to the dependency of the '_gcry_kdf_*' functions, the order of
'ldadd' entries have to be tweaked in Makefile.util.def so that the
linker can discover those functions.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
 Makefile.util.def           | 55 +++++++++++++++++++------------------
 grub-core/Makefile.core.def |  5 ++++
 grub-core/lib/argon2.c      | 52 +++++++++++++++++++++++++++++++++++
 include/grub/crypto.h       |  9 ++++++
 4 files changed, 94 insertions(+), 27 deletions(-)
 create mode 100644 grub-core/lib/argon2.c

diff --git a/Makefile.util.def b/Makefile.util.def
index 038253b37..f8d4ae7d3 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -43,6 +43,7 @@ library = {
   common = grub-core/disk/key_protector.c;
   common = grub-core/disk/cryptodisk.c;
   common = grub-core/disk/AFSplitter.c;
+  common = grub-core/lib/argon2.c;
   common = grub-core/lib/pbkdf2.c;
   common = grub-core/commands/extcmd.c;
   common = grub-core/lib/arg.c;
@@ -201,8 +202,8 @@ program = {
   extra_dist = util/grub-mkimagexx.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBLZMA)';
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -225,8 +226,8 @@ program = {
   cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBTASN1)';
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -243,8 +244,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -258,8 +259,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -284,8 +285,8 @@ program = {
 
   ldadd = '$(LIBLZMA)';
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -300,8 +301,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -323,8 +324,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -341,8 +342,8 @@ program = {
   cflags = '$(FUSE_CFLAGS)';
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
   condition = COND_GRUB_MOUNT;
@@ -359,8 +360,8 @@ program = {
   cppflags = '-DGRUB_MKFONT=1';
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(FREETYPE_LIBS)';
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -378,8 +379,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -436,8 +437,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -451,8 +452,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -466,8 +467,8 @@ program = {
   common = grub-core/kern/emu/argp_common.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -605,8 +606,8 @@ program = {
 
   ldadd = '$(LIBLZMA)';
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 
@@ -652,8 +653,8 @@ program = {
 
   ldadd = '$(LIBLZMA)';
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -691,8 +692,8 @@ program = {
 
   ldadd = '$(LIBLZMA)';
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -727,8 +728,8 @@ program = {
 
   ldadd = '$(LIBLZMA)';
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1305,8 +1306,8 @@ program = {
   common = grub-core/kern/misc.c;
   common = grub-core/tests/lib/test.c;
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1320,8 +1321,8 @@ program = {
   common = grub-core/kern/misc.c;
   common = grub-core/tests/lib/test.c;
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1335,8 +1336,8 @@ program = {
   common = grub-core/kern/misc.c;
   common = grub-core/tests/lib/test.c;
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1351,8 +1352,8 @@ program = {
   common = grub-core/tests/lib/test.c;
   common = grub-core/lib/priority_queue.c;
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
   condition = COND_HAVE_CXX;
@@ -1367,8 +1368,8 @@ program = {
   common = grub-core/kern/misc.c;
   common = grub-core/tests/lib/test.c;
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1382,8 +1383,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1400,8 +1401,8 @@ program = {
   common = grub-core/kern/emu/argp_common.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1416,8 +1417,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1434,8 +1435,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
@@ -1463,8 +1464,8 @@ program = {
   common = grub-core/osdep/init.c;
 
   ldadd = libgrubmods.a;
-  ldadd = libgrubgcry.a;
   ldadd = libgrubkern.a;
+  ldadd = libgrubgcry.a;
   ldadd = grub-core/lib/gnulib/libgnu.a;
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index b3f71196a..16166b1ed 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1694,6 +1694,11 @@ module = {
   common = lib/pbkdf2.c;
 };
 
+module = {
+  name = argon2;
+  common = lib/argon2.c;
+};
+
 module = {
   name = relocator;
   common = lib/relocator.c;
diff --git a/grub-core/lib/argon2.c b/grub-core/lib/argon2.c
new file mode 100644
index 000000000..12ad7ad1c
--- /dev/null
+++ b/grub-core/lib/argon2.c
@@ -0,0 +1,52 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2025  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/crypto.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+		    const unsigned long *param, unsigned int paramlen,
+		    const void *password, grub_size_t passwordlen,
+		    const void *salt, grub_size_t saltlen,
+		    const void *key, grub_size_t keylen,
+		    const void *ad, grub_size_t adlen,
+		    grub_size_t resultlen, void *result)
+{
+  gcry_kdf_hd_t hd = {0};
+  gpg_err_code_t err;
+
+  if (saltlen == 0)
+    return GPG_ERR_INV_VALUE;
+
+  err = _gcry_kdf_open (&hd, GRUB_GCRY_KDF_ARGON2, subalgo, param, paramlen,
+			password, passwordlen, salt, saltlen, key, keylen,
+			ad, adlen);
+  if (err != GPG_ERR_NO_ERROR)
+    return err;
+
+  err = _gcry_kdf_compute (hd, NULL);
+  if (err == GPG_ERR_NO_ERROR)
+    err = _gcry_kdf_final (hd, resultlen, result);
+
+  _gcry_kdf_close (hd);
+
+  return err;
+}
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index d323f00ce..c6eb8b2d2 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -573,6 +573,15 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
 		    unsigned int c,
 		    grub_uint8_t *DK, grub_size_t dkLen);
 
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+		    const unsigned long *param, unsigned int paramlen,
+		    const void *password, grub_size_t passwordlen,
+		    const void *salt, grub_size_t saltlen,
+		    const void *key, grub_size_t keylen,
+		    const void *ad, grub_size_t adlen,
+		    grub_size_t resultlen, void *result);
+
 int
 grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
 
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 08/12] Import Argon2 tests from libgcrypt

[Gary Lin via Grub-devel]

Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt
to grub-core/tests/argon2_test.c.

Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
 grub-core/tests/argon2_test.c | 141 ++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 grub-core/tests/argon2_test.c

diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
new file mode 100644
index 000000000..d2f70166a
--- /dev/null
+++ b/grub-core/tests/argon2_test.c
@@ -0,0 +1,141 @@
+static void
+check_argon2 (void)
+{
+  gcry_error_t err;
+  static struct {
+    int subalgo;
+    unsigned long param[4];
+    size_t passlen;
+    const char *pass;
+    size_t saltlen;
+    const char *salt;
+    size_t keylen;
+    const char *key;
+    size_t adlen;
+    const char *ad;
+    size_t dklen;
+    const char *dk;
+  } tv[] = {
+    {
+      GCRY_KDF_ARGON2D,
+      { 32, 3, 32, 4 },
+      32,
+      "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+      "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+      16,
+      "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+      8,
+      "\x03\x03\x03\x03\x03\x03\x03\x03",
+      12,
+      "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+      32,
+      "\x51\x2b\x39\x1b\x6f\x11\x62\x97\x53\x71\xd3\x09\x19\x73\x42\x94"
+      "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
+    },
+    {
+      GCRY_KDF_ARGON2I,
+      { 32, 3, 32, 4 },
+      32,
+      "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+      "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+      16,
+      "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+      8,
+      "\x03\x03\x03\x03\x03\x03\x03\x03",
+      12,
+      "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+      32,
+      "\xc8\x14\xd9\xd1\xdc\x7f\x37\xaa\x13\xf0\xd7\x7f\x24\x94\xbd\xa1"
+      "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
+    },
+    {
+      GCRY_KDF_ARGON2ID,
+      { 32, 3, 32, 4 },
+      32,
+      "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+      "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+      16,
+      "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+      8,
+      "\x03\x03\x03\x03\x03\x03\x03\x03",
+      12,
+      "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+      32,
+      "\x0d\x64\x0d\xf5\x8d\x78\x76\x6c\x08\xc0\x37\xa3\x4a\x8b\x53\xc9"
+      "\xd0\x1e\xf0\x45\x2d\x75\xb6\x5e\xb5\x25\x20\xe9\x6b\x01\xe6\x59"
+    },
+    {
+      /* empty password */
+      GCRY_KDF_ARGON2I,
+      { 32, 3, 128, 1 },
+      0, NULL,
+      16,
+      "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+      0, NULL,
+      0, NULL,
+      32,
+      "\xbb\x1f\xf2\xb9\x9f\xd4\x4a\xd9\xdf\x7f\xb9\x54\x55\x9e\xb8\xeb"
+      "\xb5\x9d\xab\xce\x2e\x62\x9f\x9b\x89\x09\xfe\xde\x57\xcc\x63\x86"
+    },
+    {
+      /* empty password */
+      GCRY_KDF_ARGON2ID,
+      { 32, 3, 128, 1 },
+      0, NULL,
+      16,
+      "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+      0, NULL,
+      0, NULL,
+      32,
+      "\x09\x2f\x38\x35\xac\xb2\x43\x92\x93\xeb\xcd\xe8\x04\x16\x6a\x31"
+      "\xce\x14\xd4\x55\xdb\xd8\xf7\xe6\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb"
+    },
+  };
+  unsigned char out[32];
+  int i;
+  int count;
+
+  for (count = 0; count < DIM(tv); count++)
+    {
+      if (verbose)
+        fprintf (stderr, "checking ARGON2 test vector %d\n", count);
+
+      err = my_kdf_derive (0, GCRY_KDF_ARGON2,
+                           tv[count].subalgo, tv[count].param, 4,
+                           tv[count].pass, tv[count].passlen,
+                           tv[count].salt, tv[count].saltlen,
+                           tv[count].key, tv[count].keylen,
+                           tv[count].ad, tv[count].adlen,
+                           tv[count].dklen, out);
+      if (err)
+        fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
+      else if (memcmp (out, tv[count].dk, tv[count].dklen))
+        {
+          fail ("argon2 test %d failed: mismatch\n", count*2+0);
+          fputs ("got:", stderr);
+          for (i=0; i < tv[count].dklen; i++)
+            fprintf (stderr, " %02x", out[i]);
+          putc ('\n', stderr);
+        }
+
+#ifdef HAVE_PTHREAD
+      err = my_kdf_derive (1, GCRY_KDF_ARGON2,
+                           tv[count].subalgo, tv[count].param, 4,
+                           tv[count].pass, tv[count].passlen,
+                           tv[count].salt, tv[count].saltlen,
+                           tv[count].key, tv[count].keylen,
+                           tv[count].ad, tv[count].adlen,
+                           tv[count].dklen, out);
+      if (err)
+        fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
+      else if (memcmp (out, tv[count].dk, tv[count].dklen))
+        {
+          fail ("argon2 test %d failed: mismatch\n", count*2+1);
+          fputs ("got:", stderr);
+          for (i=0; i < tv[count].dklen; i++)
+            fprintf (stderr, " %02x", out[i]);
+          putc ('\n', stderr);
+        }
+#endif
+    }
+}
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 09/12] Integrate Argon2 tests into functional_test

[Gary Lin via Grub-devel]

Refactor the Argon2 tests to enable the module build and integrate the
tests into function_test.

Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
 grub-core/Makefile.core.def           |   5 ++
 grub-core/tests/argon2_test.c         | 104 +++++++++++++-------------
 grub-core/tests/lib/functional_test.c |   1 +
 3 files changed, 57 insertions(+), 53 deletions(-)

diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 16166b1ed..fb96f92a5 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2222,6 +2222,11 @@ module = {
   common = tests/pbkdf2_test.c;
 };
 
+module = {
+  name = argon2_test;
+  common = tests/argon2_test.c;
+};
+
 module = {
   name = legacy_password_test;
   common = tests/legacy_password_test.c;
diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
index d2f70166a..8318a0962 100644
--- a/grub-core/tests/argon2_test.c
+++ b/grub-core/tests/argon2_test.c
@@ -1,23 +1,50 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/test.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/crypto.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define DIM(v) (sizeof(v)/sizeof((v)[0]))
+
 static void
-check_argon2 (void)
+argon2_test (void)
 {
   gcry_error_t err;
   static struct {
     int subalgo;
     unsigned long param[4];
-    size_t passlen;
+    grub_size_t passlen;
     const char *pass;
-    size_t saltlen;
+    grub_size_t saltlen;
     const char *salt;
-    size_t keylen;
+    grub_size_t keylen;
     const char *key;
-    size_t adlen;
+    grub_size_t adlen;
     const char *ad;
-    size_t dklen;
+    grub_size_t dklen;
     const char *dk;
   } tv[] = {
     {
-      GCRY_KDF_ARGON2D,
+      GRUB_GCRY_KDF_ARGON2D,
       { 32, 3, 32, 4 },
       32,
       "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -33,7 +60,7 @@ check_argon2 (void)
       "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
     },
     {
-      GCRY_KDF_ARGON2I,
+      GRUB_GCRY_KDF_ARGON2I,
       { 32, 3, 32, 4 },
       32,
       "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -49,7 +76,7 @@ check_argon2 (void)
       "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
     },
     {
-      GCRY_KDF_ARGON2ID,
+      GRUB_GCRY_KDF_ARGON2ID,
       { 32, 3, 32, 4 },
       32,
       "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -66,7 +93,7 @@ check_argon2 (void)
     },
     {
       /* empty password */
-      GCRY_KDF_ARGON2I,
+      GRUB_GCRY_KDF_ARGON2I,
       { 32, 3, 128, 1 },
       0, NULL,
       16,
@@ -79,7 +106,7 @@ check_argon2 (void)
     },
     {
       /* empty password */
-      GCRY_KDF_ARGON2ID,
+      GRUB_GCRY_KDF_ARGON2ID,
       { 32, 3, 128, 1 },
       0, NULL,
       16,
@@ -92,50 +119,21 @@ check_argon2 (void)
     },
   };
   unsigned char out[32];
-  int i;
-  int count;
+  unsigned int count;
 
   for (count = 0; count < DIM(tv); count++)
     {
-      if (verbose)
-        fprintf (stderr, "checking ARGON2 test vector %d\n", count);
-
-      err = my_kdf_derive (0, GCRY_KDF_ARGON2,
-                           tv[count].subalgo, tv[count].param, 4,
-                           tv[count].pass, tv[count].passlen,
-                           tv[count].salt, tv[count].saltlen,
-                           tv[count].key, tv[count].keylen,
-                           tv[count].ad, tv[count].adlen,
-                           tv[count].dklen, out);
-      if (err)
-        fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
-      else if (memcmp (out, tv[count].dk, tv[count].dklen))
-        {
-          fail ("argon2 test %d failed: mismatch\n", count*2+0);
-          fputs ("got:", stderr);
-          for (i=0; i < tv[count].dklen; i++)
-            fprintf (stderr, " %02x", out[i]);
-          putc ('\n', stderr);
-        }
-
-#ifdef HAVE_PTHREAD
-      err = my_kdf_derive (1, GCRY_KDF_ARGON2,
-                           tv[count].subalgo, tv[count].param, 4,
-                           tv[count].pass, tv[count].passlen,
-                           tv[count].salt, tv[count].saltlen,
-                           tv[count].key, tv[count].keylen,
-                           tv[count].ad, tv[count].adlen,
-                           tv[count].dklen, out);
-      if (err)
-        fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
-      else if (memcmp (out, tv[count].dk, tv[count].dklen))
-        {
-          fail ("argon2 test %d failed: mismatch\n", count*2+1);
-          fputs ("got:", stderr);
-          for (i=0; i < tv[count].dklen; i++)
-            fprintf (stderr, " %02x", out[i]);
-          putc ('\n', stderr);
-        }
-#endif
+      err = grub_crypto_argon2 (tv[count].subalgo,
+				tv[count].param, 4,
+				tv[count].pass, tv[count].passlen,
+				tv[count].salt, tv[count].saltlen,
+				tv[count].key, tv[count].keylen,
+				tv[count].ad, tv[count].adlen,
+				tv[count].dklen, out);
+      grub_test_assert (err == 0, "argon2 test %d failed: %d", count, err);
+      grub_test_assert (grub_memcmp (out, tv[count].dk, tv[count].dklen) == 0,
+			"argon2 test %d failed: mismatch", count);
     }
 }
+
+GRUB_FUNCTIONAL_TEST (argon2_test, argon2_test);
diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
index 38e981f2c..0289ff38f 100644
--- a/grub-core/tests/lib/functional_test.c
+++ b/grub-core/tests/lib/functional_test.c
@@ -80,6 +80,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
   grub_dl_load ("mul_test");
   grub_dl_load ("shift_test");
   grub_dl_load ("asn1_test");
+  grub_dl_load ("argon2_test");
 
   FOR_LIST_ELEMENTS (test, grub_test_list)
     ok = !grub_test_run (test) && ok;
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 10/12] disk/luks2: Add Argon2 support

[Gary Lin via Grub-devel]

Leverage the new grub_crypto_argon2() function to add support for the
Argon2i and Argon2id KDFs in LUKS2

Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
 grub-core/disk/luks2.c | 40 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)

diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index b17cd2115..a3608e233 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
 enum grub_luks2_kdf_type
 {
   LUKS2_KDF_TYPE_ARGON2I,
+  LUKS2_KDF_TYPE_ARGON2ID,
   LUKS2_KDF_TYPE_PBKDF2
 };
 typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
@@ -159,13 +160,21 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
       grub_json_getstring (&type, &kdf, "type") ||
       grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
-  else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type, "argon2id"))
+  else if (!grub_strcmp (type, "argon2i"))
     {
       out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
       if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
 	  grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
 	  grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
-	return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2i parameters");
+    }
+  else if (!grub_strcmp (type, "argon2id"))
+    {
+      out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
+      if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
+	  grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
+	  grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2id parameters");
     }
   else if (!grub_strcmp (type, "pbkdf2"))
     {
@@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
   grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
   grub_uint8_t *split_key = NULL;
   idx_t saltlen = sizeof (salt);
+  int subalgo;
+  unsigned long param[4];
   char cipher[32], *p;
   const gcry_md_spec_t *hash;
   gcry_err_code_t gcry_ret;
@@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
   switch (k->kdf.type)
     {
       case LUKS2_KDF_TYPE_ARGON2I:
-	ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
-	goto err;
+      case LUKS2_KDF_TYPE_ARGON2ID:
+	if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
+	  subalgo = GRUB_GCRY_KDF_ARGON2I;
+	else
+	  subalgo = GRUB_GCRY_KDF_ARGON2ID;
+
+	param[0] = k->area.key_size;
+	param[1] = k->kdf.u.argon2i.time;
+	param[2] = k->kdf.u.argon2i.memory;
+	param[3] = k->kdf.u.argon2i.cpus;
+
+	gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
+				       passphrase, passphraselen,
+				       salt, saltlen,
+				       NULL, 0, NULL, 0,
+				       k->area.key_size, area_key);
+	if (gcry_ret)
+	  {
+	    ret = grub_crypto_gcry_error (gcry_ret);
+	    goto err;
+	  }
+
+	break;
       case LUKS2_KDF_TYPE_PBKDF2:
 	hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
 	if (!hash)
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 11/12] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test

[Gary Lin via Grub-devel]

Given that the LUKS1 test already covers PBKDF2, the default KDF for the
LUKS2 test has been switched to Argon2id to ensure both algorithms are
validated.

Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
 tests/util/grub-fs-tester.in | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
index cac58dafa..126f19a7e 100644
--- a/tests/util/grub-fs-tester.in
+++ b/tests/util/grub-fs-tester.in
@@ -860,8 +860,14 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
 		    MOUNTDEVICE="/dev/mapper/grub_test-testvol"
 		    MOUNTFS=ext2
 		    "mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}"  ;;
-		x"luks"*)
-		    echo -n "$PASS" | cryptsetup luksFormat --type "$fs" --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+		xluks1)
+		    echo -n "$PASS" | cryptsetup luksFormat --type luks1 --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+		    echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
+		    MOUNTDEVICE="/dev/mapper/${DMNAME}"
+		    MOUNTFS=ext2
+		    "mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}"  ;;
+		xluks2)
+		    echo -n "$PASS" | cryptsetup luksFormat --type luks2 --sector-size $SECSIZE --pbkdf argon2id --force-password --disable-locks $LODEVICE
 		    echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
 		    MOUNTDEVICE="/dev/mapper/${DMNAME}"
 		    MOUNTFS=ext2
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v3 12/12] docs: Document argon2 and argon2_test

[Gary Lin via Grub-devel]

Document the argon2 and argon2_test modules.

Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
 docs/grub.texi | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/grub.texi b/docs/grub.texi
index 34b3484dc..b3908ecf6 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3889,6 +3889,8 @@ Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.
 * aout_module::
 * appleldr_module::
 * archelp_module::
+* argon2_module::
+* argon2_test_module::
 * at_keyboard_module::
 * ata_module::
 * backtrace_module::
@@ -4244,6 +4246,15 @@ computer (Intel based Macs).
 This module provides Archive Helper functions for archive based file systems
 such as TAR and CPIO archives.
 
+@node argon2_module
+@section argon2
+This module provides support for the Argon2 key derivation function.
+
+@node argon2_test_module
+@section argon2_test
+This module is intended for performing a functional test of the Argon2
+operation in GRUB.
+
 @node at_keyboard_module
 @section at_keyboard
 This module provides support for the AT keyboard input for the GRUB terminal.
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel