* [PATCH v3 00/12] Support Argon2 KDF
@ 2025-08-26 2:01 Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 01/12] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
This patch series imports the Argon2 code and tests from libgcrypt and
adds Argon2 support to LUKS2.
- Patch 1~6 import kdf.c from libgcrypt and extract the Argon2 related
functions. The _gcry_kdf_* functions are also imported to make it
easier to support other KDF functions when necessary.
- Patch 7 introduces grub_crypto_argon2().
- Patch 8 and 9 integrates the Argon2 tests from libgcrypt into
functional_test.
- Patch 10 leverages grub_crypto_argon2() to add Argon2 support to LUKS2.
- Patch 11 changes the default KDF of the LUKS2 test to Argon2id.
- Patch 12 documents argon2 and argon2_test modules.
v3:
- Updating comments in import_gcry.py
- Splitting the kdf build patch into 3 smaller patches
- Fixing the build error on 32-bit platforms
- Adjusting the order of 'ldadd' in Makefile.util.def
- Fixing the error messages in luks2_parse_keyslot()
v2:
- Import Argon2 code differently to improve maintainability
* Updating import_gcry.py to import Argon2 and _gcry_kdf_* functions
from kdf.c instead of extracting the code manually
* Implementing grub_crypto_argon2() with the _gcry_kdf_* functions to
avoid the GCRY flags when building argon2.c
* Building argon2.c inside libgrubkernel.a since the GCRY flags are not
needed anymore
Gary Lin (12):
util/import_gcry: Import kdf.c for Argon2
crypto: Update crypto.h for libgcrypt KDF functions
libgcrypt/kdf: Implement blake2b_512.hash_buffers()
libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
libgcrypt/kdf: Remove unsupported KDFs
libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
argon2: Introduce grub_crypto_argon2()
Import Argon2 tests from libgcrypt
Integrate Argon2 tests into functional_test
disk/luks2: Add Argon2 support
tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
docs: Document argon2 and argon2_test
Makefile.util.def | 55 +++---
conf/Makefile.extra-dist | 4 +
docs/grub.texi | 11 ++
grub-core/Makefile.core.def | 10 ++
grub-core/disk/luks2.c | 40 ++++-
grub-core/lib/argon2.c | 52 ++++++
.../09-blake2b-hash-buffers.patch | 54 ++++++
.../10-kdf-use-GPG-errs.patch | 48 +++++
.../11-kdf-remove-unsupported-kdfs.patch | 166 ++++++++++++++++++
.../12-kdf-use-grub_divmod64.patch | 78 ++++++++
grub-core/tests/argon2_test.c | 139 +++++++++++++++
grub-core/tests/lib/functional_test.c | 1 +
include/grub/crypto.h | 49 ++++++
tests/util/grub-fs-tester.in | 10 +-
util/import_gcry.py | 31 +++-
15 files changed, 712 insertions(+), 36 deletions(-)
create mode 100644 grub-core/lib/argon2.c
create mode 100644 grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
create mode 100644 grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
create mode 100644 grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
create mode 100644 grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
create mode 100644 grub-core/tests/argon2_test.c
Range-diff against v2:
1: 5dd329599 ! 1: 4c2b3fec8 util/import_gcry: Import kdf.c for Argon2
@@ Commit message
## util/import_gcry.py ##
@@ util/import_gcry.py: with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
+ if re.match (r"(Makefile\.am|primegen\.c|cipher\.c|cipher-.*\.c|mac-.*\.c|mac\.c|pubkey\.c)$", cipher_file):
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
- # TODO: Support KDF
+- # TODO: Support KDF
- if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
++ # TODO: Support scrypt KDF
+ if re.match (r"(scrypt\.c)$", cipher_file):
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
@@ util/import_gcry.py: with codecs.open (os.path.join (cipher_dir_out, "crypto.lst
nch = True
continue
+ elif re.match ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*", line) is not None and cipher_file == "kdf.c":
++ # TODO Support other KDFs
+ skip = 1
+ fname = re.match ("[a-zA-Z0-9_]*", line).group ()
+ chmsg = "(%s): Removed." % fname
2: 5e544e51c ! 2: 210b6292b crypto: Update crypto.h for libgcrypt KDF functions
@@ Commit message
- prototypes of '_gcry_kdf_*' functions
Signed-off-by: Gary Lin <glin@suse.com>
+ Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
## include/grub/crypto.h ##
@@ include/grub/crypto.h: typedef enum
-: --------- > 3: 97e34226d libgcrypt/kdf: Implement blake2b_512.hash_buffers()
-: --------- > 4: ece319254 libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
3: 69aea293b ! 5: ac22a5546 kdf: Resovle the build errors
@@ Metadata
Author: Gary Lin <glin@suse.com>
## Commit message ##
- kdf: Resovle the build errors
+ libgcrypt/kdf: Remove unsupported KDFs
- - Adding argon2_blake2b_512_hash_buffers() as the replacement of
- _gcry_digest_spec_blake2b_512.hash_buffers()
- - Replacing gpg_err_code_from_errno() with GPG_ERR_*
- - Removing the unsupported KDFs from _gcry_kdf_*()
+ Clean up _gcry_kdf_*() to remove unsupported KDFs.
Signed-off-by: Gary Lin <glin@suse.com>
## conf/Makefile.extra-dist ##
-@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
- EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
- EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
+@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
-+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch
+ EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
+ EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
++EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
- ## grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch (new) ##
+ ## grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch (new) ##
@@
-+From 8583cb1211e9f8253e072b047082b2141346fd31 Mon Sep 17 00:00:00 2001
++From f46f3dbd2e572a6610d651d14e9a3a8b27883c49 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
-+Date: Wed, 6 Aug 2025 09:56:21 +0800
-+Subject: [PATCH] kdf: Resovle the build errors
++Date: Mon, 25 Aug 2025 16:00:17 +0800
++Subject: [PATCH 3/4] libgcrypt/kdf: Remove unsupported KDFs
+
-+- Adding argon2_blake2b_512_hash_buffers() as the replacement of
-+ _gcry_digest_spec_blake2b_512.hash_buffers()
-+- Replacing gpg_err_code_from_errno() with GPG_ERR_*
-+- Removing the unsupported KDFs from _gcry_kdf_*()
++Clean up _gcry_kdf_*() to remove unsupported KDFs.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
-+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 145 ++++------------------
-+ 1 file changed, 22 insertions(+), 123 deletions(-)
++ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 119 ----------------------
++ 1 file changed, 119 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+index 0689f88b1..6e825d3e8 100644
++index 55294672b..6e825d3e8 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+@@ -129,6 +129,24 @@ beswap64_block (u64 *dst)
-+ #endif
-+ }
-+
-++/* Implementation of _gcry_blake2b_512_hash_buffers */
-++static void
-++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
-++{
-++ void *hd;
-++
-++ hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
-++ if (!hd)
-++ return;
-++
-++ _gcry_digest_spec_blake2b_512.init (hd, 0);
-++ for (;iovcnt > 0; iov++, iovcnt--)
-++ _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
-++ _gcry_digest_spec_blake2b_512.final (hd);
-++ grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
-++
-++ xfree (hd);
-++}
-+
-+ static gpg_err_code_t
-+ argon2_fill_first_blocks (argon2_ctx_t a)
-+@@ -195,7 +213,7 @@ argon2_fill_first_blocks (argon2_ctx_t a)
-+ iov_count++;
-+ }
-+
-+- _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
-++ argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
-+
-+ for (i = 0; i < a->lanes; i++)
-+ {
-+@@ -242,7 +260,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
-+ block = xtrymalloc (1024 * memory_blocks);
-+ if (!block)
-+ {
-+- ec = gpg_err_code_from_errno (errno);
-++ ec = GPG_ERR_OUT_OF_MEMORY;
-+ return ec;
-+ }
-+ memset (block, 0, 1024 * memory_blocks);
-+@@ -250,7 +268,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
-+ thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
-+ if (!thread_data)
-+ {
-+- ec = gpg_err_code_from_errno (errno);
-++ ec = GPG_ERR_OUT_OF_MEMORY;
-+ xfree (block);
-+ return ec;
-+ }
-+@@ -601,7 +619,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
-+ n = offsetof (struct argon2_context, out) + taglen;
-+ a = xtrymalloc (n);
-+ if (!a)
-+- return gpg_err_code_from_errno (errno);
-++ return GPG_ERR_OUT_OF_MEMORY;
-+
-+ a->algo = GCRY_KDF_ARGON2;
-+ a->hash_type = hash_type;
-+@@ -798,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
++@@ -816,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ key, keylen, ad, adlen);
+ break;
+
@@ -798,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
-+@@ -875,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
++@@ -893,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
+ ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
+ break;
+
@@ -875,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thre
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
-+@@ -915,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
++@@ -933,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
+ ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
+ break;
+
@@ -915,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *resu
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
-+@@ -953,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
++@@ -971,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+ argon2_close ((argon2_ctx_t)(void *)h);
+ break;
+
-: --------- > 6: 51cabda08 libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
4: d551580b9 ! 7: b56661bb6 argon2: Introduce grub_crypto_argon2()
@@ Commit message
linker can discover those functions.
Signed-off-by: Gary Lin <glin@suse.com>
+ Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
## Makefile.util.def ##
@@ Makefile.util.def: library = {
@@ Makefile.util.def: library = {
common = grub-core/lib/pbkdf2.c;
common = grub-core/commands/extcmd.c;
common = grub-core/lib/arg.c;
+@@ Makefile.util.def: program = {
+ extra_dist = util/grub-mkimagexx.c;
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBLZMA)';
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ Makefile.util.def: program = {
cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
@@ Makefile.util.def: program = {
@@ Makefile.util.def: program = {
common = grub-core/osdep/init.c;
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+
+ ldadd = '$(LIBLZMA)';
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/osdep/init.c;
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/osdep/init.c;
+
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
@@ Makefile.util.def: program = {
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
+@@ Makefile.util.def: program = {
+ cflags = '$(FUSE_CFLAGS)';
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
+ condition = COND_GRUB_MOUNT;
+@@ Makefile.util.def: program = {
+ cppflags = '-DGRUB_MKFONT=1';
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(FREETYPE_LIBS)';
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+@@ Makefile.util.def: program = {
+ common = grub-core/osdep/init.c;
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/osdep/init.c;
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/osdep/init.c;
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
@@ Makefile.util.def: program = {
common = grub-core/kern/emu/argp_common.c;
@@ Makefile.util.def: program = {
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ Makefile.util.def: program = {
+
+ ldadd = '$(LIBLZMA)';
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+
+ ldadd = '$(LIBLZMA)';
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/kern/misc.c;
+ common = grub-core/tests/lib/test.c;
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/kern/misc.c;
+ common = grub-core/tests/lib/test.c;
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/kern/misc.c;
+ common = grub-core/tests/lib/test.c;
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/tests/lib/test.c;
+ common = grub-core/lib/priority_queue.c;
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ condition = COND_HAVE_CXX;
+@@ Makefile.util.def: program = {
+ common = grub-core/kern/misc.c;
+ common = grub-core/tests/lib/test.c;
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
+ common = grub-core/osdep/init.c;
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
+@@ Makefile.util.def: program = {
common = grub-core/kern/emu/argp_common.c;
ldadd = libgrubmods.a;
@@ Makefile.util.def: program = {
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
+@@ Makefile.util.def: program = {
+ common = grub-core/osdep/init.c;
+
+ ldadd = libgrubmods.a;
+- ldadd = libgrubgcry.a;
+ ldadd = libgrubkern.a;
++ ldadd = libgrubgcry.a;
+ ldadd = grub-core/lib/gnulib/libgnu.a;
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+ };
## grub-core/Makefile.core.def ##
@@ grub-core/Makefile.core.def: module = {
5: 60a8a8ff9 = 8: 54bd89f6a Import Argon2 tests from libgcrypt
6: 78d6cb520 ! 9: e386633aa Integrate Argon2 tests into functional_test
@@ Commit message
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
+ Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
## grub-core/Makefile.core.def ##
@@ grub-core/Makefile.core.def: module = {
7: 06836af69 ! 10: 86bbe307d disk/luks2: Add Argon2 support
@@ grub-core/disk/luks2.c: luks2_parse_keyslot (grub_luks2_keyslot_t *out, const gr
{
out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
-@@ grub-core/disk/luks2.c: luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
+ grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
- }
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2i parameters");
++ }
+ else if (!grub_strcmp (type, "argon2id"))
+ {
+ out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
+ if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
-+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2id parameters");
-+ }
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2id parameters");
+ }
else if (!grub_strcmp (type, "pbkdf2"))
{
- out->kdf.type = LUKS2_KDF_TYPE_PBKDF2;
@@ grub-core/disk/luks2.c: luks2_decrypt_key (grub_uint8_t *out_key,
grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
grub_uint8_t *split_key = NULL;
8: 57ec8ca9f ! 11: f626d2001 tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
@@ Commit message
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
+ Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
## tests/util/grub-fs-tester.in ##
@@ tests/util/grub-fs-tester.in: for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
9: 1d3ce8f59 ! 12: a1cdf3b42 docs: Document argon2 and argon2_test
@@ Commit message
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
+ Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
## docs/grub.texi ##
@@ docs/grub.texi: Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH v3 01/12] util/import_gcry: Import kdf.c for Argon2
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 02/12] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
The import_gcry.py script now imports kdf.c from libgcrypt. To isolate
the Argon2 implementation, all unrelated functions have been removed.
Signed-off-by: Gary Lin <glin@suse.com>
---
util/import_gcry.py | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/util/import_gcry.py b/util/import_gcry.py
index 086bde77c..b00885c93 100644
--- a/util/import_gcry.py
+++ b/util/import_gcry.py
@@ -145,8 +145,8 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
if re.match (r"(Makefile\.am|primegen\.c|cipher\.c|cipher-.*\.c|mac-.*\.c|mac\.c|pubkey\.c)$", cipher_file):
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
- # TODO: Support KDF
- if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
+ # TODO: Support scrypt KDF
+ if re.match (r"(scrypt\.c)$", cipher_file):
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
# TODO: Support chacha20 and poly1305
@@ -313,6 +313,17 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
+ elif re.match ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*", line) is not None and cipher_file == "kdf.c":
+ # TODO Support other KDFs
+ skip = 1
+ fname = re.match ("[a-zA-Z0-9_]*", line).group ()
+ chmsg = "(%s): Removed." % fname
+ if nch:
+ chlognew = "%s\n %s" % (chlognew, chmsg)
+ else:
+ chlognew = "%s %s" % (chlognew, chmsg)
+ nch = True
+ continue
else:
fw.write (holdline)
m = re.match ("# *include <(.*)>", line)
@@ -439,7 +450,7 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
nch = True
continue
- m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
+ m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t|static u64|static size_t) *$", line)
if not m is None:
hold = True
holdline = line
@@ -575,6 +586,20 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
conf.write ("};\n\n")
if nch:
chlog = "%s%s\n" % (chlog, chlognew)
+ elif cipher_file == "kdf.c":
+ modfiles = ["kdf.c"]
+ if modname in extra_files:
+ modfiles += extra_files[modname]
+ conf.write ("module = {\n")
+ conf.write (" name = %s;\n" % modname)
+ for src in modfiles:
+ conf.write (" common = lib/libgcrypt-grub/cipher/%s;\n" % src)
+ confutil.write (" common = grub-core/lib/libgcrypt-grub/cipher/%s;\n" % src)
+ conf.write (" cflags = '$(CFLAGS_GCRY)';\n")
+ conf.write (" cppflags = '$(CPPFLAGS_GCRY)';\n")
+ conf.write ("};\n\n")
+ if nch:
+ chlog = "%s%s\n" % (chlog, chlognew)
elif isc and cipher_file not in extra_files_list:
print ("WARNING: C file isn't a module: %s" % cipher_file)
os.remove (outfile)
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 02/12] crypto: Update crypto.h for libgcrypt KDF functions
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 01/12] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 03/12] libgcrypt/kdf: Implement blake2b_512.hash_buffers() Gary Lin via Grub-devel
` (9 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Add the following items to crypto.h
- more GPG error types
- _gcry_digest_spec_blake2b_512 for Argon2
- KDF algorithm IDs for Argon2
- prototypes of '_gcry_kdf_*' functions
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
include/grub/crypto.h | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index b0d7add1d..d323f00ce 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -34,6 +34,7 @@ typedef enum
GPG_ERR_BAD_MPI,
GPG_ERR_BAD_SECKEY,
GPG_ERR_BAD_SIGNATURE,
+ GPG_ERR_CANCELED,
GPG_ERR_CIPHER_ALGO,
GPG_ERR_CONFLICT,
GPG_ERR_DECRYPT_FAILED,
@@ -48,6 +49,7 @@ typedef enum
GPG_ERR_INV_OP,
GPG_ERR_INV_SEXP,
GPG_ERR_INV_VALUE,
+ GPG_ERR_MAC_ALGO,
GPG_ERR_MISSING_VALUE,
GPG_ERR_NO_ENCRYPTION_SCHEME,
GPG_ERR_NO_OBJ,
@@ -59,7 +61,9 @@ typedef enum
GPG_ERR_PUBKEY_ALGO,
GPG_ERR_SELFTEST_FAILED,
GPG_ERR_TOO_SHORT,
+ GPG_ERR_UNKNOWN_ALGORITHM,
GPG_ERR_UNSUPPORTED,
+ GPG_ERR_UNSUPPORTED_ALGORITHM,
GPG_ERR_WEAK_KEY,
GPG_ERR_WRONG_KEY_USAGE,
GPG_ERR_WRONG_PUBKEY_ALGO,
@@ -512,6 +516,7 @@ extern gcry_md_spec_t _gcry_digest_spec_sha1;
extern gcry_md_spec_t _gcry_digest_spec_sha256;
extern gcry_md_spec_t _gcry_digest_spec_sha512;
extern gcry_md_spec_t _gcry_digest_spec_crc32;
+extern gcry_md_spec_t _gcry_digest_spec_blake2b_512;
extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
#define GRUB_MD_MD5 ((const gcry_md_spec_t *) &_gcry_digest_spec_md5)
#define GRUB_MD_SHA1 ((const gcry_md_spec_t *) &_gcry_digest_spec_sha1)
@@ -520,6 +525,41 @@ extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
#define GRUB_MD_CRC32 ((const gcry_md_spec_t *) &_gcry_digest_spec_crc32)
#define GRUB_CIPHER_AES ((const gcry_cipher_spec_t *) &_gcry_cipher_spec_aes)
+/* Algorithm IDs for the KDFs. */
+enum grub_gcry_kdf_algos
+ {
+ GRUB_GCRY_KDF_NONE = 0,
+ GRUB_GCRY_KDF_ARGON2 = 64,
+ };
+
+enum grub_gcry_kdf_subalgo_argon2
+ {
+ GRUB_GCRY_KDF_ARGON2D = 0,
+ GRUB_GCRY_KDF_ARGON2I = 1,
+ GRUB_GCRY_KDF_ARGON2ID = 2
+ };
+
+typedef struct gcry_kdf_handle *gcry_kdf_hd_t;
+struct gcry_kdf_handle;
+struct gcry_kdf_thread_ops;
+
+gpg_err_code_t
+_gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *input, grub_size_t inputlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen);
+
+gpg_err_code_t
+_gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops);
+
+gpg_err_code_t
+_gcry_kdf_final (gcry_kdf_hd_t h, grub_size_t resultlen, void *result);
+
+void
+_gcry_kdf_close (gcry_kdf_hd_t h);
+
/* Implement PKCS#5 PBKDF2 as per RFC 2898. The PRF to use is HMAC variant
of digest supplied by MD. Inputs are the password P of length PLEN,
the salt S of length SLEN, the iteration counter C (> 0), and the
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 03/12] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 01/12] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 02/12] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 04/12] libgcrypt/kdf: Get rid of gpg_err_code_from_errno() Gary Lin via Grub-devel
` (8 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Add argon2_blake2b_512_hash_buffers() as the replacement of
_gcry_digest_spec_blake2b_512.hash_buffers().
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../09-blake2b-hash-buffers.patch | 54 +++++++++++++++++++
2 files changed, 55 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 49bca5577..9def61722 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -43,6 +43,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
new file mode 100644
index 000000000..16846ca4a
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
@@ -0,0 +1,54 @@
+From 9c4b1a458718d848d0121b81f8533bbc7f26469a Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:54:24 +0800
+Subject: [PATCH 1/4] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
+
+Add argon2_blake2b_512_hash_buffers() as the replacement of
+_gcry_digest_spec_blake2b_512.hash_buffers().
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 0689f88b1..fd0c4a106 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -129,6 +129,24 @@ beswap64_block (u64 *dst)
+ #endif
+ }
+
++/* Implementation of _gcry_blake2b_512_hash_buffers */
++static void
++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
++{
++ void *hd;
++
++ hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
++ if (!hd)
++ return;
++
++ _gcry_digest_spec_blake2b_512.init (hd, 0);
++ for (;iovcnt > 0; iov++, iovcnt--)
++ _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
++ _gcry_digest_spec_blake2b_512.final (hd);
++ grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
++
++ xfree (hd);
++}
+
+ static gpg_err_code_t
+ argon2_fill_first_blocks (argon2_ctx_t a)
+@@ -195,7 +213,7 @@ argon2_fill_first_blocks (argon2_ctx_t a)
+ iov_count++;
+ }
+
+- _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
++ argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
+
+ for (i = 0; i < a->lanes; i++)
+ {
+--
+2.43.0
+
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 04/12] libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (2 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 03/12] libgcrypt/kdf: Implement blake2b_512.hash_buffers() Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 05/12] libgcrypt/kdf: Remove unsupported KDFs Gary Lin via Grub-devel
` (7 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in
Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno()
with GPG_ERR_* to avoid the build errors.
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../10-kdf-use-GPG-errs.patch | 48 +++++++++++++++++++
2 files changed, 49 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 9def61722..ac72a7ecf 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -44,6 +44,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch b/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
new file mode 100644
index 000000000..e18ef4d15
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
@@ -0,0 +1,48 @@
+From 0344b5a1c206aaa8ec591824c5d0ccf5d9a1e6c0 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:56:03 +0800
+Subject: [PATCH 2/4] libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
+
+gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in
+Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno()
+with GPG_ERR_* to avoid the build errors.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index fd0c4a106..55294672b 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -260,7 +260,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ block = xtrymalloc (1024 * memory_blocks);
+ if (!block)
+ {
+- ec = gpg_err_code_from_errno (errno);
++ ec = GPG_ERR_OUT_OF_MEMORY;
+ return ec;
+ }
+ memset (block, 0, 1024 * memory_blocks);
+@@ -268,7 +268,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
+ if (!thread_data)
+ {
+- ec = gpg_err_code_from_errno (errno);
++ ec = GPG_ERR_OUT_OF_MEMORY;
+ xfree (block);
+ return ec;
+ }
+@@ -619,7 +619,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
+ n = offsetof (struct argon2_context, out) + taglen;
+ a = xtrymalloc (n);
+ if (!a)
+- return gpg_err_code_from_errno (errno);
++ return GPG_ERR_OUT_OF_MEMORY;
+
+ a->algo = GCRY_KDF_ARGON2;
+ a->hash_type = hash_type;
+--
+2.43.0
+
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 05/12] libgcrypt/kdf: Remove unsupported KDFs
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (3 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 04/12] libgcrypt/kdf: Get rid of gpg_err_code_from_errno() Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 06/12] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms Gary Lin via Grub-devel
` (6 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Clean up _gcry_kdf_*() to remove unsupported KDFs.
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../11-kdf-remove-unsupported-kdfs.patch | 166 ++++++++++++++++++
2 files changed, 167 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index ac72a7ecf..abd4227e7 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -45,6 +45,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
new file mode 100644
index 000000000..06723201e
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
@@ -0,0 +1,166 @@
+From f46f3dbd2e572a6610d651d14e9a3a8b27883c49 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:00:17 +0800
+Subject: [PATCH 3/4] libgcrypt/kdf: Remove unsupported KDFs
+
+Clean up _gcry_kdf_*() to remove unsupported KDFs.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 119 ----------------------
+ 1 file changed, 119 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 55294672b..6e825d3e8 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -816,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ key, keylen, ad, adlen);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- if (!inputlen || !saltlen || keylen || adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)key;
+- (void)ad;
+- ec = balloon_open (hd, subalgo, param, paramlen,
+- input, inputlen, salt, saltlen);
+- }
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- if (!inputlen || !paramlen || !adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- (void)key;
+- ec = onestep_kdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- if (!inputlen || !paramlen || !keylen || !adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen,
+- input, inputlen, key, keylen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_HKDF:
+- if (!inputlen || !paramlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- ec = hkdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, key, keylen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- if (!inputlen || !paramlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- (void)key;
+- ec = x963_kdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, ad, adlen);
+- }
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -893,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
+ ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- ec = x963_kdf_compute ((x963_kdf_ctx_t)(void *)h, ops);
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -933,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
+ ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h,
+- resultlen, result);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- ec = x963_kdf_final ((x963_kdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -971,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+ argon2_close ((argon2_ctx_t)(void *)h);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- balloon_close ((balloon_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- hkdf_close ((hkdf_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- x963_kdf_close ((x963_kdf_ctx_t)(void *)h);
+- break;
+-
+ default:
+ break;
+ }
+--
+2.43.0
+
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 06/12] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (4 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 05/12] libgcrypt/kdf: Remove unsupported KDFs Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 07/12] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
` (5 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Use grub_divmod64() for the 64-bit modulus to prevent creation of
__umoddi3() calls on 32-bit platforms.
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../12-kdf-use-grub_divmod64.patch | 78 +++++++++++++++++++
2 files changed, 79 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index abd4227e7..5d9ff91e9 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -46,6 +46,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch b/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
new file mode 100644
index 000000000..f6e1251ae
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
@@ -0,0 +1,78 @@
+From 232133d5672a89f5e5a45116171e802c1ebab2e7 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:01:45 +0800
+Subject: [PATCH 4/4] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
+
+Use grub_divmod64() for the 64-bit modulus to prevent creation of
+__umoddi3() calls on 32-bit platforms.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 6e825d3e8..e0a1b2901 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -370,6 +370,7 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+ u32 reference_area_size;
+ u64 relative_position;
+ u32 start_position;
++ u64 remainder;
+
+ if (t->pass == 0)
+ {
+@@ -406,7 +407,8 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+ ? 0
+ : (t->slice + 1) * a->segment_length;
+
+- return (start_position + relative_position) % a->lane_length;
++ grub_divmod64 (start_position + relative_position, a->lane_length, &remainder);
++ return remainder;
+ }
+
+ static void
+@@ -420,6 +422,7 @@ argon2_compute_segment (void *priv)
+ u64 input_block[1024/sizeof (u64)];
+ u64 address_block[1024/sizeof (u64)];
+ u64 *random_block = NULL;
++ u64 remainder;
+
+ if (a->hash_type == GCRY_KDF_ARGON2I
+ || (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2))
+@@ -444,7 +447,8 @@ argon2_compute_segment (void *priv)
+ i = 0;
+
+ curr_offset = t->lane * a->lane_length + t->slice * a->segment_length + i;
+- if ((curr_offset % a->lane_length))
++ grub_divmod64 (curr_offset, a->lane_length, &remainder);
++ if (remainder)
+ prev_offset = curr_offset - 1;
+ else
+ prev_offset = curr_offset + a->lane_length - 1;
+@@ -454,7 +458,8 @@ argon2_compute_segment (void *priv)
+ u64 *ref_block, *curr_block;
+ u64 rand64;
+
+- if ((curr_offset % a->lane_length) == 1)
++ grub_divmod64 (curr_offset, a->lane_length, &remainder);
++ if (remainder == 1)
+ prev_offset = curr_offset - 1;
+
+ if (random_block)
+@@ -470,7 +475,10 @@ argon2_compute_segment (void *priv)
+ if (t->pass == 0 && t->slice == 0)
+ ref_lane = t->lane;
+ else
+- ref_lane = (rand64 >> 32) % a->lanes;
++ {
++ grub_divmod64 (rand64 >> 32, a->lanes, &remainder);
++ ref_lane = remainder;
++ }
+
+ ref_index = index_alpha (a, t, i, (rand64 & 0xffffffff),
+ ref_lane == t->lane);
+--
+2.43.0
+
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 07/12] argon2: Introduce grub_crypto_argon2()
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (5 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 06/12] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 08/12] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
` (4 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
This commit introduces grub_crypto_argon2() which leverages the
'_gcry_kdf_*' functions from libgcrypt to provide Argon2 support.
Due to the dependency of the '_gcry_kdf_*' functions, the order of
'ldadd' entries have to be tweaked in Makefile.util.def so that the
linker can discover those functions.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
Makefile.util.def | 55 +++++++++++++++++++------------------
grub-core/Makefile.core.def | 5 ++++
grub-core/lib/argon2.c | 52 +++++++++++++++++++++++++++++++++++
include/grub/crypto.h | 9 ++++++
4 files changed, 94 insertions(+), 27 deletions(-)
create mode 100644 grub-core/lib/argon2.c
diff --git a/Makefile.util.def b/Makefile.util.def
index 038253b37..f8d4ae7d3 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -43,6 +43,7 @@ library = {
common = grub-core/disk/key_protector.c;
common = grub-core/disk/cryptodisk.c;
common = grub-core/disk/AFSplitter.c;
+ common = grub-core/lib/argon2.c;
common = grub-core/lib/pbkdf2.c;
common = grub-core/commands/extcmd.c;
common = grub-core/lib/arg.c;
@@ -201,8 +202,8 @@ program = {
extra_dist = util/grub-mkimagexx.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBLZMA)';
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -225,8 +226,8 @@ program = {
cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBTASN1)';
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -243,8 +244,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -258,8 +259,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -284,8 +285,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -300,8 +301,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -323,8 +324,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -341,8 +342,8 @@ program = {
cflags = '$(FUSE_CFLAGS)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
condition = COND_GRUB_MOUNT;
@@ -359,8 +360,8 @@ program = {
cppflags = '-DGRUB_MKFONT=1';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(FREETYPE_LIBS)';
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -378,8 +379,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -436,8 +437,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -451,8 +452,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -466,8 +467,8 @@ program = {
common = grub-core/kern/emu/argp_common.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -605,8 +606,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -652,8 +653,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -691,8 +692,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -727,8 +728,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1305,8 +1306,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1320,8 +1321,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1335,8 +1336,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1351,8 +1352,8 @@ program = {
common = grub-core/tests/lib/test.c;
common = grub-core/lib/priority_queue.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
condition = COND_HAVE_CXX;
@@ -1367,8 +1368,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1382,8 +1383,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1400,8 +1401,8 @@ program = {
common = grub-core/kern/emu/argp_common.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1416,8 +1417,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1434,8 +1435,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1463,8 +1464,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index b3f71196a..16166b1ed 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1694,6 +1694,11 @@ module = {
common = lib/pbkdf2.c;
};
+module = {
+ name = argon2;
+ common = lib/argon2.c;
+};
+
module = {
name = relocator;
common = lib/relocator.c;
diff --git a/grub-core/lib/argon2.c b/grub-core/lib/argon2.c
new file mode 100644
index 000000000..12ad7ad1c
--- /dev/null
+++ b/grub-core/lib/argon2.c
@@ -0,0 +1,52 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/crypto.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *password, grub_size_t passwordlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen,
+ grub_size_t resultlen, void *result)
+{
+ gcry_kdf_hd_t hd = {0};
+ gpg_err_code_t err;
+
+ if (saltlen == 0)
+ return GPG_ERR_INV_VALUE;
+
+ err = _gcry_kdf_open (&hd, GRUB_GCRY_KDF_ARGON2, subalgo, param, paramlen,
+ password, passwordlen, salt, saltlen, key, keylen,
+ ad, adlen);
+ if (err != GPG_ERR_NO_ERROR)
+ return err;
+
+ err = _gcry_kdf_compute (hd, NULL);
+ if (err == GPG_ERR_NO_ERROR)
+ err = _gcry_kdf_final (hd, resultlen, result);
+
+ _gcry_kdf_close (hd);
+
+ return err;
+}
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index d323f00ce..c6eb8b2d2 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -573,6 +573,15 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
unsigned int c,
grub_uint8_t *DK, grub_size_t dkLen);
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *password, grub_size_t passwordlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen,
+ grub_size_t resultlen, void *result);
+
int
grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 08/12] Import Argon2 tests from libgcrypt
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (6 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 07/12] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 09/12] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
` (3 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt
to grub-core/tests/argon2_test.c.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
grub-core/tests/argon2_test.c | 141 ++++++++++++++++++++++++++++++++++
1 file changed, 141 insertions(+)
create mode 100644 grub-core/tests/argon2_test.c
diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
new file mode 100644
index 000000000..d2f70166a
--- /dev/null
+++ b/grub-core/tests/argon2_test.c
@@ -0,0 +1,141 @@
+static void
+check_argon2 (void)
+{
+ gcry_error_t err;
+ static struct {
+ int subalgo;
+ unsigned long param[4];
+ size_t passlen;
+ const char *pass;
+ size_t saltlen;
+ const char *salt;
+ size_t keylen;
+ const char *key;
+ size_t adlen;
+ const char *ad;
+ size_t dklen;
+ const char *dk;
+ } tv[] = {
+ {
+ GCRY_KDF_ARGON2D,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\x51\x2b\x39\x1b\x6f\x11\x62\x97\x53\x71\xd3\x09\x19\x73\x42\x94"
+ "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
+ },
+ {
+ GCRY_KDF_ARGON2I,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\xc8\x14\xd9\xd1\xdc\x7f\x37\xaa\x13\xf0\xd7\x7f\x24\x94\xbd\xa1"
+ "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
+ },
+ {
+ GCRY_KDF_ARGON2ID,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\x0d\x64\x0d\xf5\x8d\x78\x76\x6c\x08\xc0\x37\xa3\x4a\x8b\x53\xc9"
+ "\xd0\x1e\xf0\x45\x2d\x75\xb6\x5e\xb5\x25\x20\xe9\x6b\x01\xe6\x59"
+ },
+ {
+ /* empty password */
+ GCRY_KDF_ARGON2I,
+ { 32, 3, 128, 1 },
+ 0, NULL,
+ 16,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ 0, NULL,
+ 0, NULL,
+ 32,
+ "\xbb\x1f\xf2\xb9\x9f\xd4\x4a\xd9\xdf\x7f\xb9\x54\x55\x9e\xb8\xeb"
+ "\xb5\x9d\xab\xce\x2e\x62\x9f\x9b\x89\x09\xfe\xde\x57\xcc\x63\x86"
+ },
+ {
+ /* empty password */
+ GCRY_KDF_ARGON2ID,
+ { 32, 3, 128, 1 },
+ 0, NULL,
+ 16,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ 0, NULL,
+ 0, NULL,
+ 32,
+ "\x09\x2f\x38\x35\xac\xb2\x43\x92\x93\xeb\xcd\xe8\x04\x16\x6a\x31"
+ "\xce\x14\xd4\x55\xdb\xd8\xf7\xe6\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb"
+ },
+ };
+ unsigned char out[32];
+ int i;
+ int count;
+
+ for (count = 0; count < DIM(tv); count++)
+ {
+ if (verbose)
+ fprintf (stderr, "checking ARGON2 test vector %d\n", count);
+
+ err = my_kdf_derive (0, GCRY_KDF_ARGON2,
+ tv[count].subalgo, tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ if (err)
+ fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
+ else if (memcmp (out, tv[count].dk, tv[count].dklen))
+ {
+ fail ("argon2 test %d failed: mismatch\n", count*2+0);
+ fputs ("got:", stderr);
+ for (i=0; i < tv[count].dklen; i++)
+ fprintf (stderr, " %02x", out[i]);
+ putc ('\n', stderr);
+ }
+
+#ifdef HAVE_PTHREAD
+ err = my_kdf_derive (1, GCRY_KDF_ARGON2,
+ tv[count].subalgo, tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ if (err)
+ fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
+ else if (memcmp (out, tv[count].dk, tv[count].dklen))
+ {
+ fail ("argon2 test %d failed: mismatch\n", count*2+1);
+ fputs ("got:", stderr);
+ for (i=0; i < tv[count].dklen; i++)
+ fprintf (stderr, " %02x", out[i]);
+ putc ('\n', stderr);
+ }
+#endif
+ }
+}
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 09/12] Integrate Argon2 tests into functional_test
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (7 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 08/12] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 10/12] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Refactor the Argon2 tests to enable the module build and integrate the
tests into function_test.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
grub-core/Makefile.core.def | 5 ++
grub-core/tests/argon2_test.c | 104 +++++++++++++-------------
grub-core/tests/lib/functional_test.c | 1 +
3 files changed, 57 insertions(+), 53 deletions(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 16166b1ed..fb96f92a5 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2222,6 +2222,11 @@ module = {
common = tests/pbkdf2_test.c;
};
+module = {
+ name = argon2_test;
+ common = tests/argon2_test.c;
+};
+
module = {
name = legacy_password_test;
common = tests/legacy_password_test.c;
diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
index d2f70166a..8318a0962 100644
--- a/grub-core/tests/argon2_test.c
+++ b/grub-core/tests/argon2_test.c
@@ -1,23 +1,50 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/test.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/crypto.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define DIM(v) (sizeof(v)/sizeof((v)[0]))
+
static void
-check_argon2 (void)
+argon2_test (void)
{
gcry_error_t err;
static struct {
int subalgo;
unsigned long param[4];
- size_t passlen;
+ grub_size_t passlen;
const char *pass;
- size_t saltlen;
+ grub_size_t saltlen;
const char *salt;
- size_t keylen;
+ grub_size_t keylen;
const char *key;
- size_t adlen;
+ grub_size_t adlen;
const char *ad;
- size_t dklen;
+ grub_size_t dklen;
const char *dk;
} tv[] = {
{
- GCRY_KDF_ARGON2D,
+ GRUB_GCRY_KDF_ARGON2D,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -33,7 +60,7 @@ check_argon2 (void)
"\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
},
{
- GCRY_KDF_ARGON2I,
+ GRUB_GCRY_KDF_ARGON2I,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -49,7 +76,7 @@ check_argon2 (void)
"\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
},
{
- GCRY_KDF_ARGON2ID,
+ GRUB_GCRY_KDF_ARGON2ID,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -66,7 +93,7 @@ check_argon2 (void)
},
{
/* empty password */
- GCRY_KDF_ARGON2I,
+ GRUB_GCRY_KDF_ARGON2I,
{ 32, 3, 128, 1 },
0, NULL,
16,
@@ -79,7 +106,7 @@ check_argon2 (void)
},
{
/* empty password */
- GCRY_KDF_ARGON2ID,
+ GRUB_GCRY_KDF_ARGON2ID,
{ 32, 3, 128, 1 },
0, NULL,
16,
@@ -92,50 +119,21 @@ check_argon2 (void)
},
};
unsigned char out[32];
- int i;
- int count;
+ unsigned int count;
for (count = 0; count < DIM(tv); count++)
{
- if (verbose)
- fprintf (stderr, "checking ARGON2 test vector %d\n", count);
-
- err = my_kdf_derive (0, GCRY_KDF_ARGON2,
- tv[count].subalgo, tv[count].param, 4,
- tv[count].pass, tv[count].passlen,
- tv[count].salt, tv[count].saltlen,
- tv[count].key, tv[count].keylen,
- tv[count].ad, tv[count].adlen,
- tv[count].dklen, out);
- if (err)
- fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
- else if (memcmp (out, tv[count].dk, tv[count].dklen))
- {
- fail ("argon2 test %d failed: mismatch\n", count*2+0);
- fputs ("got:", stderr);
- for (i=0; i < tv[count].dklen; i++)
- fprintf (stderr, " %02x", out[i]);
- putc ('\n', stderr);
- }
-
-#ifdef HAVE_PTHREAD
- err = my_kdf_derive (1, GCRY_KDF_ARGON2,
- tv[count].subalgo, tv[count].param, 4,
- tv[count].pass, tv[count].passlen,
- tv[count].salt, tv[count].saltlen,
- tv[count].key, tv[count].keylen,
- tv[count].ad, tv[count].adlen,
- tv[count].dklen, out);
- if (err)
- fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
- else if (memcmp (out, tv[count].dk, tv[count].dklen))
- {
- fail ("argon2 test %d failed: mismatch\n", count*2+1);
- fputs ("got:", stderr);
- for (i=0; i < tv[count].dklen; i++)
- fprintf (stderr, " %02x", out[i]);
- putc ('\n', stderr);
- }
-#endif
+ err = grub_crypto_argon2 (tv[count].subalgo,
+ tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ grub_test_assert (err == 0, "argon2 test %d failed: %d", count, err);
+ grub_test_assert (grub_memcmp (out, tv[count].dk, tv[count].dklen) == 0,
+ "argon2 test %d failed: mismatch", count);
}
}
+
+GRUB_FUNCTIONAL_TEST (argon2_test, argon2_test);
diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
index 38e981f2c..0289ff38f 100644
--- a/grub-core/tests/lib/functional_test.c
+++ b/grub-core/tests/lib/functional_test.c
@@ -80,6 +80,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
grub_dl_load ("mul_test");
grub_dl_load ("shift_test");
grub_dl_load ("asn1_test");
+ grub_dl_load ("argon2_test");
FOR_LIST_ELEMENTS (test, grub_test_list)
ok = !grub_test_run (test) && ok;
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 10/12] disk/luks2: Add Argon2 support
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (8 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 09/12] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 11/12] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 12/12] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Leverage the new grub_crypto_argon2() function to add support for the
Argon2i and Argon2id KDFs in LUKS2
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
grub-core/disk/luks2.c | 40 ++++++++++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index b17cd2115..a3608e233 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
enum grub_luks2_kdf_type
{
LUKS2_KDF_TYPE_ARGON2I,
+ LUKS2_KDF_TYPE_ARGON2ID,
LUKS2_KDF_TYPE_PBKDF2
};
typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
@@ -159,13 +160,21 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
grub_json_getstring (&type, &kdf, "type") ||
grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
- else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type, "argon2id"))
+ else if (!grub_strcmp (type, "argon2i"))
{
out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2i parameters");
+ }
+ else if (!grub_strcmp (type, "argon2id"))
+ {
+ out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
+ if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2id parameters");
}
else if (!grub_strcmp (type, "pbkdf2"))
{
@@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
grub_uint8_t *split_key = NULL;
idx_t saltlen = sizeof (salt);
+ int subalgo;
+ unsigned long param[4];
char cipher[32], *p;
const gcry_md_spec_t *hash;
gcry_err_code_t gcry_ret;
@@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
switch (k->kdf.type)
{
case LUKS2_KDF_TYPE_ARGON2I:
- ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
- goto err;
+ case LUKS2_KDF_TYPE_ARGON2ID:
+ if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
+ subalgo = GRUB_GCRY_KDF_ARGON2I;
+ else
+ subalgo = GRUB_GCRY_KDF_ARGON2ID;
+
+ param[0] = k->area.key_size;
+ param[1] = k->kdf.u.argon2i.time;
+ param[2] = k->kdf.u.argon2i.memory;
+ param[3] = k->kdf.u.argon2i.cpus;
+
+ gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
+ passphrase, passphraselen,
+ salt, saltlen,
+ NULL, 0, NULL, 0,
+ k->area.key_size, area_key);
+ if (gcry_ret)
+ {
+ ret = grub_crypto_gcry_error (gcry_ret);
+ goto err;
+ }
+
+ break;
case LUKS2_KDF_TYPE_PBKDF2:
hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
if (!hash)
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 11/12] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (9 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 10/12] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 12/12] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Given that the LUKS1 test already covers PBKDF2, the default KDF for the
LUKS2 test has been switched to Argon2id to ensure both algorithms are
validated.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
tests/util/grub-fs-tester.in | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
index cac58dafa..126f19a7e 100644
--- a/tests/util/grub-fs-tester.in
+++ b/tests/util/grub-fs-tester.in
@@ -860,8 +860,14 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
MOUNTDEVICE="/dev/mapper/grub_test-testvol"
MOUNTFS=ext2
"mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
- x"luks"*)
- echo -n "$PASS" | cryptsetup luksFormat --type "$fs" --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+ xluks1)
+ echo -n "$PASS" | cryptsetup luksFormat --type luks1 --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+ echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
+ MOUNTDEVICE="/dev/mapper/${DMNAME}"
+ MOUNTFS=ext2
+ "mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
+ xluks2)
+ echo -n "$PASS" | cryptsetup luksFormat --type luks2 --sector-size $SECSIZE --pbkdf argon2id --force-password --disable-locks $LODEVICE
echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
MOUNTDEVICE="/dev/mapper/${DMNAME}"
MOUNTFS=ext2
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH v3 12/12] docs: Document argon2 and argon2_test
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
` (10 preceding siblings ...)
2025-08-26 2:01 ` [PATCH v3 11/12] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
@ 2025-08-26 2:01 ` Gary Lin via Grub-devel
11 siblings, 0 replies; 13+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-26 2:01 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Document the argon2 and argon2_test modules.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
docs/grub.texi | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 34b3484dc..b3908ecf6 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3889,6 +3889,8 @@ Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.
* aout_module::
* appleldr_module::
* archelp_module::
+* argon2_module::
+* argon2_test_module::
* at_keyboard_module::
* ata_module::
* backtrace_module::
@@ -4244,6 +4246,15 @@ computer (Intel based Macs).
This module provides Archive Helper functions for archive based file systems
such as TAR and CPIO archives.
+@node argon2_module
+@section argon2
+This module provides support for the Argon2 key derivation function.
+
+@node argon2_test_module
+@section argon2_test
+This module is intended for performing a functional test of the Argon2
+operation in GRUB.
+
@node at_keyboard_module
@section at_keyboard
This module provides support for the AT keyboard input for the GRUB terminal.
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
end of thread, other threads:[~2025-08-26 2:05 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-26 2:01 [PATCH v3 00/12] Support Argon2 KDF Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 01/12] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 02/12] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 03/12] libgcrypt/kdf: Implement blake2b_512.hash_buffers() Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 04/12] libgcrypt/kdf: Get rid of gpg_err_code_from_errno() Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 05/12] libgcrypt/kdf: Remove unsupported KDFs Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 06/12] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 07/12] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 08/12] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 09/12] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 10/12] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 11/12] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
2025-08-26 2:01 ` [PATCH v3 12/12] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).