* [PATCH v4 00/13] Support Argon2 KDF
@ 2025-09-02 7:17 Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 01/13] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
` (12 more replies)
0 siblings, 13 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
This patch series imports the Argon2 code and tests from libgcrypt and
adds Argon2 support to LUKS2.
- Patch 1~6 import kdf.c from libgcrypt and extract the Argon2 related
functions. The _gcry_kdf_* functions are also imported to make it
easier to support other KDF functions when necessary.
- Patch 7 introduces grub_crypto_argon2().
- Patch 8 and 9 integrates the Argon2 tests from libgcrypt into
functional_test.
- Patch 10 leverages grub_crypto_argon2() to add Argon2 support to LUKS2.
- Patch 11 changes the default KDF of the LUKS2 test to Argon2id.
- Patch 12 documents argon2 and argon2_test modules.
- Patch 13 reduces Argon2 computation time by introducing a faster
grub_memcpy() implementation for aligned buffers. Per my test, this
patch lowers the decryption time from 22s to 12s.
v4:
- Handling the error from argon2_blake2b_512_hash_buffers()
- Implementing a faster grub_memcpy() to reduce Argon2 computation time
v3:
- Updating comments in import_gcry.py
- Splitting the kdf build patch into 3 smaller patches
- Fixing the build error on 32-bit platforms
- Adjusting the order of 'ldadd' in Makefile.util.def
- Fixing the error messages in luks2_parse_keyslot()
v2:
- Import Argon2 code differently to improve maintainability
* Updating import_gcry.py to import Argon2 and _gcry_kdf_* functions
from kdf.c instead of extracting the code manually
* Implementing grub_crypto_argon2() with the _gcry_kdf_* functions to
avoid the GCRY flags when building argon2.c
* Building argon2.c inside libgrubkernel.a since the GCRY flags are not
needed anymore
Gary Lin (13):
util/import_gcry: Import kdf.c for Argon2
crypto: Update crypto.h for libgcrypt KDF functions
libgcrypt/kdf: Implement blake2b_512.hash_buffers()
libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
libgcrypt/kdf: Remove unsupported KDFs
libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
argon2: Introduce grub_crypto_argon2()
Import Argon2 tests from libgcrypt
Integrate Argon2 tests into functional_test
disk/luks2: Add Argon2 support
tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
docs: Document argon2 and argon2_test
kern/misc: Implement faster grub_memcpy() for aligned buffers
Makefile.util.def | 55 +++---
conf/Makefile.extra-dist | 4 +
docs/grub.texi | 11 ++
grub-core/Makefile.core.def | 10 ++
grub-core/disk/luks2.c | 40 ++++-
grub-core/kern/compiler-rt.c | 8 +-
grub-core/kern/misc.c | 30 ++++
grub-core/lib/argon2.c | 52 ++++++
.../09-blake2b-hash-buffers.patch | 63 +++++++
.../10-kdf-use-GPG-errs.patch | 48 +++++
.../11-kdf-remove-unsupported-kdfs.patch | 166 ++++++++++++++++++
.../12-kdf-use-grub_divmod64.patch | 79 +++++++++
grub-core/tests/argon2_test.c | 139 +++++++++++++++
grub-core/tests/lib/functional_test.c | 1 +
include/grub/crypto.h | 49 ++++++
include/grub/misc.h | 8 +-
tests/util/grub-fs-tester.in | 10 +-
util/import_gcry.py | 31 +++-
18 files changed, 757 insertions(+), 47 deletions(-)
create mode 100644 grub-core/lib/argon2.c
create mode 100644 grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
create mode 100644 grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
create mode 100644 grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
create mode 100644 grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
create mode 100644 grub-core/tests/argon2_test.c
Range-diff against v3:
1: 4c2b3fec8 = 1: 4c2b3fec8 util/import_gcry: Import kdf.c for Argon2
2: 210b6292b = 2: 210b6292b crypto: Update crypto.h for libgcrypt KDF functions
3: 97e34226d ! 3: 3b72e07b8 libgcrypt/kdf: Implement blake2b_512.hash_buffers()
@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disab
## grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch (new) ##
@@
-+From 9c4b1a458718d848d0121b81f8533bbc7f26469a Mon Sep 17 00:00:00 2001
++From 42e9975171439e2e9713e122cb0e74174f057e98 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:54:24 +0800
+Subject: [PATCH 1/4] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
@@ grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch (new)
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
-+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 20 +++++++++++++++++++-
-+ 1 file changed, 19 insertions(+), 1 deletion(-)
++ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 25 ++++++++++++++++++++++-
++ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+index 0689f88b1..fd0c4a106 100644
++index 0689f88b1..08e3ef658 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+@@ -129,6 +129,24 @@ beswap64_block (u64 *dst)
++@@ -129,10 +129,31 @@ beswap64_block (u64 *dst)
+ #endif
+ }
+
++/* Implementation of _gcry_blake2b_512_hash_buffers */
-++static void
+++static gcry_err_code_t
++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
++{
++ void *hd;
++
++ hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
++ if (!hd)
-++ return;
+++ return GPG_ERR_OUT_OF_MEMORY;
++
++ _gcry_digest_spec_blake2b_512.init (hd, 0);
++ for (;iovcnt > 0; iov++, iovcnt--)
@@ -129,6 +129,24 @@ beswap64_block (u64 *dst)
++ grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
++
++ xfree (hd);
+++
+++ return GPG_ERR_NO_ERROR;
++}
+
+ static gpg_err_code_t
+ argon2_fill_first_blocks (argon2_ctx_t a)
-+@@ -195,7 +213,7 @@ argon2_fill_first_blocks (argon2_ctx_t a)
++ {
+++ gpg_err_code_t err;
++ unsigned char h0_01_i[72];
++ unsigned char buf[10][4];
++ gcry_buffer_t iov[8];
++@@ -195,7 +216,9 @@ argon2_fill_first_blocks (argon2_ctx_t a)
+ iov_count++;
+ }
+
+- _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
-++ argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
+++ err = argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
+++ if (err != GPG_ERR_NO_ERROR)
+++ return err;
+
+ for (i = 0; i < a->lanes; i++)
+ {
+--
-+2.43.0
++2.51.0
+
4: ece319254 ! 4: d90a709b1 libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake
## grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch (new) ##
@@
-+From 0344b5a1c206aaa8ec591824c5d0ccf5d9a1e6c0 Mon Sep 17 00:00:00 2001
++From 89f793515d927d8f7099b61d0b7b200611e56acd Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:56:03 +0800
+Subject: [PATCH 2/4] libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
@@ grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch (new)
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+index fd0c4a106..55294672b 100644
++index 08e3ef658..6e0351d8a 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+@@ -260,7 +260,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
++@@ -265,7 +265,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ block = xtrymalloc (1024 * memory_blocks);
+ if (!block)
+ {
@@ -260,7 +260,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ return ec;
+ }
+ memset (block, 0, 1024 * memory_blocks);
-+@@ -268,7 +268,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
++@@ -273,7 +273,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
+ if (!thread_data)
+ {
@@ -268,7 +268,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ xfree (block);
+ return ec;
+ }
-+@@ -619,7 +619,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
++@@ -624,7 +624,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
+ n = offsetof (struct argon2_context, out) + taglen;
+ a = xtrymalloc (n);
+ if (!a)
@@ -619,7 +619,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
+ a->algo = GCRY_KDF_ARGON2;
+ a->hash_type = hash_type;
+--
-+2.43.0
++2.51.0
+
5: ac22a5546 ! 5: 5980e8a1a libgcrypt/kdf: Remove unsupported KDFs
@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disab
## grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch (new) ##
@@
-+From f46f3dbd2e572a6610d651d14e9a3a8b27883c49 Mon Sep 17 00:00:00 2001
++From fc9c57f54fd28685f7df79e53078e1dc9e44f964 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:00:17 +0800
+Subject: [PATCH 3/4] libgcrypt/kdf: Remove unsupported KDFs
@@ grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch (new)
+ 1 file changed, 119 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+index 55294672b..6e825d3e8 100644
++index 6e0351d8a..c51a70eff 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+@@ -816,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
++@@ -821,64 +821,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ key, keylen, ad, adlen);
+ break;
+
@@ -816,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
-+@@ -893,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
++@@ -898,26 +840,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
+ ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
+ break;
+
@@ -893,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thre
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
-+@@ -933,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
++@@ -938,27 +860,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
+ ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
+ break;
+
@@ -933,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *resu
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
-+@@ -971,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
++@@ -976,26 +877,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+ argon2_close ((argon2_ctx_t)(void *)h);
+ break;
+
@@ -971,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+ break;
+ }
+--
-+2.43.0
++2.51.0
+
6: 51cabda08 ! 6: 6f3a415ca libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
@@ Commit message
libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
Use grub_divmod64() for the 64-bit modulus to prevent creation of
- __umoddi3() calls on 32-bit platforms.
+ special division calls such as __umoddi3() and __aeabi_uldivmod() on
+ 32-bit platforms.
Signed-off-by: Gary Lin <glin@suse.com>
@@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_
## grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch (new) ##
@@
-+From 232133d5672a89f5e5a45116171e802c1ebab2e7 Mon Sep 17 00:00:00 2001
++From 990a5f7df076200aa031b1bcde6bc4b13d4f198e Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:01:45 +0800
+Subject: [PATCH 4/4] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
+
+Use grub_divmod64() for the 64-bit modulus to prevent creation of
-+__umoddi3() calls on 32-bit platforms.
++special division calls such as __umoddi3() and __aeabi_uldivmod() on
++32-bit platforms.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
@@ grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch (new)
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+index 6e825d3e8..e0a1b2901 100644
++index c51a70eff..f4bb51809 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
-+@@ -370,6 +370,7 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
++@@ -375,6 +375,7 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+ u32 reference_area_size;
+ u64 relative_position;
+ u32 start_position;
@@ -370,6 +370,7 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t
+
+ if (t->pass == 0)
+ {
-+@@ -406,7 +407,8 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
++@@ -411,7 +412,8 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+ ? 0
+ : (t->slice + 1) * a->segment_length;
+
@@ -406,7 +407,8 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t
+ }
+
+ static void
-+@@ -420,6 +422,7 @@ argon2_compute_segment (void *priv)
++@@ -425,6 +427,7 @@ argon2_compute_segment (void *priv)
+ u64 input_block[1024/sizeof (u64)];
+ u64 address_block[1024/sizeof (u64)];
+ u64 *random_block = NULL;
@@ -420,6 +422,7 @@ argon2_compute_segment (void *priv)
+
+ if (a->hash_type == GCRY_KDF_ARGON2I
+ || (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2))
-+@@ -444,7 +447,8 @@ argon2_compute_segment (void *priv)
++@@ -449,7 +452,8 @@ argon2_compute_segment (void *priv)
+ i = 0;
+
+ curr_offset = t->lane * a->lane_length + t->slice * a->segment_length + i;
@@ -444,7 +447,8 @@ argon2_compute_segment (void *priv)
+ prev_offset = curr_offset - 1;
+ else
+ prev_offset = curr_offset + a->lane_length - 1;
-+@@ -454,7 +458,8 @@ argon2_compute_segment (void *priv)
++@@ -459,7 +463,8 @@ argon2_compute_segment (void *priv)
+ u64 *ref_block, *curr_block;
+ u64 rand64;
+
@@ -454,7 +458,8 @@ argon2_compute_segment (void *priv)
+ prev_offset = curr_offset - 1;
+
+ if (random_block)
-+@@ -470,7 +475,10 @@ argon2_compute_segment (void *priv)
++@@ -475,7 +480,10 @@ argon2_compute_segment (void *priv)
+ if (t->pass == 0 && t->slice == 0)
+ ref_lane = t->lane;
+ else
@@ -470,7 +475,10 @@ argon2_compute_segment (void *priv)
+ ref_index = index_alpha (a, t, i, (rand64 & 0xffffffff),
+ ref_lane == t->lane);
+--
-+2.43.0
++2.51.0
+
7: b56661bb6 = 7: 8298d3139 argon2: Introduce grub_crypto_argon2()
8: 54bd89f6a = 8: e3ff82e7c Import Argon2 tests from libgcrypt
9: e386633aa = 9: 168a8d24b Integrate Argon2 tests into functional_test
10: 86bbe307d = 10: 3bc593992 disk/luks2: Add Argon2 support
11: f626d2001 = 11: 1fb5cac29 tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
12: a1cdf3b42 = 12: 840cf2fb0 docs: Document argon2 and argon2_test
-: --------- > 13: 1fbd2a278 kern/misc: Implement faster grub_memcpy() for aligned buffers
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v4 01/13] util/import_gcry: Import kdf.c for Argon2
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
@ 2025-09-02 7:17 ` Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 02/13] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
` (11 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
The import_gcry.py script now imports kdf.c from libgcrypt. To isolate
the Argon2 implementation, all unrelated functions have been removed.
Signed-off-by: Gary Lin <glin@suse.com>
---
util/import_gcry.py | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/util/import_gcry.py b/util/import_gcry.py
index 086bde77c..b00885c93 100644
--- a/util/import_gcry.py
+++ b/util/import_gcry.py
@@ -145,8 +145,8 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
if re.match (r"(Makefile\.am|primegen\.c|cipher\.c|cipher-.*\.c|mac-.*\.c|mac\.c|pubkey\.c)$", cipher_file):
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
- # TODO: Support KDF
- if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
+ # TODO: Support scrypt KDF
+ if re.match (r"(scrypt\.c)$", cipher_file):
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
# TODO: Support chacha20 and poly1305
@@ -313,6 +313,17 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
+ elif re.match ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*", line) is not None and cipher_file == "kdf.c":
+ # TODO Support other KDFs
+ skip = 1
+ fname = re.match ("[a-zA-Z0-9_]*", line).group ()
+ chmsg = "(%s): Removed." % fname
+ if nch:
+ chlognew = "%s\n %s" % (chlognew, chmsg)
+ else:
+ chlognew = "%s %s" % (chlognew, chmsg)
+ nch = True
+ continue
else:
fw.write (holdline)
m = re.match ("# *include <(.*)>", line)
@@ -439,7 +450,7 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
nch = True
continue
- m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
+ m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t|static u64|static size_t) *$", line)
if not m is None:
hold = True
holdline = line
@@ -575,6 +586,20 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
conf.write ("};\n\n")
if nch:
chlog = "%s%s\n" % (chlog, chlognew)
+ elif cipher_file == "kdf.c":
+ modfiles = ["kdf.c"]
+ if modname in extra_files:
+ modfiles += extra_files[modname]
+ conf.write ("module = {\n")
+ conf.write (" name = %s;\n" % modname)
+ for src in modfiles:
+ conf.write (" common = lib/libgcrypt-grub/cipher/%s;\n" % src)
+ confutil.write (" common = grub-core/lib/libgcrypt-grub/cipher/%s;\n" % src)
+ conf.write (" cflags = '$(CFLAGS_GCRY)';\n")
+ conf.write (" cppflags = '$(CPPFLAGS_GCRY)';\n")
+ conf.write ("};\n\n")
+ if nch:
+ chlog = "%s%s\n" % (chlog, chlognew)
elif isc and cipher_file not in extra_files_list:
print ("WARNING: C file isn't a module: %s" % cipher_file)
os.remove (outfile)
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 02/13] crypto: Update crypto.h for libgcrypt KDF functions
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 01/13] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
@ 2025-09-02 7:17 ` Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 03/13] libgcrypt/kdf: Implement blake2b_512.hash_buffers() Gary Lin via Grub-devel
` (10 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Add the following items to crypto.h
- more GPG error types
- _gcry_digest_spec_blake2b_512 for Argon2
- KDF algorithm IDs for Argon2
- prototypes of '_gcry_kdf_*' functions
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
include/grub/crypto.h | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index b0d7add1d..d323f00ce 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -34,6 +34,7 @@ typedef enum
GPG_ERR_BAD_MPI,
GPG_ERR_BAD_SECKEY,
GPG_ERR_BAD_SIGNATURE,
+ GPG_ERR_CANCELED,
GPG_ERR_CIPHER_ALGO,
GPG_ERR_CONFLICT,
GPG_ERR_DECRYPT_FAILED,
@@ -48,6 +49,7 @@ typedef enum
GPG_ERR_INV_OP,
GPG_ERR_INV_SEXP,
GPG_ERR_INV_VALUE,
+ GPG_ERR_MAC_ALGO,
GPG_ERR_MISSING_VALUE,
GPG_ERR_NO_ENCRYPTION_SCHEME,
GPG_ERR_NO_OBJ,
@@ -59,7 +61,9 @@ typedef enum
GPG_ERR_PUBKEY_ALGO,
GPG_ERR_SELFTEST_FAILED,
GPG_ERR_TOO_SHORT,
+ GPG_ERR_UNKNOWN_ALGORITHM,
GPG_ERR_UNSUPPORTED,
+ GPG_ERR_UNSUPPORTED_ALGORITHM,
GPG_ERR_WEAK_KEY,
GPG_ERR_WRONG_KEY_USAGE,
GPG_ERR_WRONG_PUBKEY_ALGO,
@@ -512,6 +516,7 @@ extern gcry_md_spec_t _gcry_digest_spec_sha1;
extern gcry_md_spec_t _gcry_digest_spec_sha256;
extern gcry_md_spec_t _gcry_digest_spec_sha512;
extern gcry_md_spec_t _gcry_digest_spec_crc32;
+extern gcry_md_spec_t _gcry_digest_spec_blake2b_512;
extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
#define GRUB_MD_MD5 ((const gcry_md_spec_t *) &_gcry_digest_spec_md5)
#define GRUB_MD_SHA1 ((const gcry_md_spec_t *) &_gcry_digest_spec_sha1)
@@ -520,6 +525,41 @@ extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
#define GRUB_MD_CRC32 ((const gcry_md_spec_t *) &_gcry_digest_spec_crc32)
#define GRUB_CIPHER_AES ((const gcry_cipher_spec_t *) &_gcry_cipher_spec_aes)
+/* Algorithm IDs for the KDFs. */
+enum grub_gcry_kdf_algos
+ {
+ GRUB_GCRY_KDF_NONE = 0,
+ GRUB_GCRY_KDF_ARGON2 = 64,
+ };
+
+enum grub_gcry_kdf_subalgo_argon2
+ {
+ GRUB_GCRY_KDF_ARGON2D = 0,
+ GRUB_GCRY_KDF_ARGON2I = 1,
+ GRUB_GCRY_KDF_ARGON2ID = 2
+ };
+
+typedef struct gcry_kdf_handle *gcry_kdf_hd_t;
+struct gcry_kdf_handle;
+struct gcry_kdf_thread_ops;
+
+gpg_err_code_t
+_gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *input, grub_size_t inputlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen);
+
+gpg_err_code_t
+_gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops);
+
+gpg_err_code_t
+_gcry_kdf_final (gcry_kdf_hd_t h, grub_size_t resultlen, void *result);
+
+void
+_gcry_kdf_close (gcry_kdf_hd_t h);
+
/* Implement PKCS#5 PBKDF2 as per RFC 2898. The PRF to use is HMAC variant
of digest supplied by MD. Inputs are the password P of length PLEN,
the salt S of length SLEN, the iteration counter C (> 0), and the
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 03/13] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 01/13] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 02/13] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
@ 2025-09-02 7:17 ` Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 04/13] libgcrypt/kdf: Get rid of gpg_err_code_from_errno() Gary Lin via Grub-devel
` (9 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Add argon2_blake2b_512_hash_buffers() as the replacement of
_gcry_digest_spec_blake2b_512.hash_buffers().
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../09-blake2b-hash-buffers.patch | 63 +++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 49bca5577..9def61722 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -43,6 +43,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
new file mode 100644
index 000000000..fd4bae571
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
@@ -0,0 +1,63 @@
+From 42e9975171439e2e9713e122cb0e74174f057e98 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:54:24 +0800
+Subject: [PATCH 1/4] libgcrypt/kdf: Implement blake2b_512.hash_buffers()
+
+Add argon2_blake2b_512_hash_buffers() as the replacement of
+_gcry_digest_spec_blake2b_512.hash_buffers().
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 25 ++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 0689f88b1..08e3ef658 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -129,10 +129,31 @@ beswap64_block (u64 *dst)
+ #endif
+ }
+
++/* Implementation of _gcry_blake2b_512_hash_buffers */
++static gcry_err_code_t
++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
++{
++ void *hd;
++
++ hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
++ if (!hd)
++ return GPG_ERR_OUT_OF_MEMORY;
++
++ _gcry_digest_spec_blake2b_512.init (hd, 0);
++ for (;iovcnt > 0; iov++, iovcnt--)
++ _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
++ _gcry_digest_spec_blake2b_512.final (hd);
++ grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
++
++ xfree (hd);
++
++ return GPG_ERR_NO_ERROR;
++}
+
+ static gpg_err_code_t
+ argon2_fill_first_blocks (argon2_ctx_t a)
+ {
++ gpg_err_code_t err;
+ unsigned char h0_01_i[72];
+ unsigned char buf[10][4];
+ gcry_buffer_t iov[8];
+@@ -195,7 +216,9 @@ argon2_fill_first_blocks (argon2_ctx_t a)
+ iov_count++;
+ }
+
+- _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
++ err = argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
++ if (err != GPG_ERR_NO_ERROR)
++ return err;
+
+ for (i = 0; i < a->lanes; i++)
+ {
+--
+2.51.0
+
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 04/13] libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (2 preceding siblings ...)
2025-09-02 7:17 ` [PATCH v4 03/13] libgcrypt/kdf: Implement blake2b_512.hash_buffers() Gary Lin via Grub-devel
@ 2025-09-02 7:17 ` Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 05/13] libgcrypt/kdf: Remove unsupported KDFs Gary Lin via Grub-devel
` (8 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in
Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno()
with GPG_ERR_* to avoid the build errors.
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../10-kdf-use-GPG-errs.patch | 48 +++++++++++++++++++
2 files changed, 49 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 9def61722..ac72a7ecf 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -44,6 +44,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch b/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
new file mode 100644
index 000000000..53ca52d53
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
@@ -0,0 +1,48 @@
+From 89f793515d927d8f7099b61d0b7b200611e56acd Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 15:56:03 +0800
+Subject: [PATCH 2/4] libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
+
+gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in
+Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno()
+with GPG_ERR_* to avoid the build errors.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 08e3ef658..6e0351d8a 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -265,7 +265,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ block = xtrymalloc (1024 * memory_blocks);
+ if (!block)
+ {
+- ec = gpg_err_code_from_errno (errno);
++ ec = GPG_ERR_OUT_OF_MEMORY;
+ return ec;
+ }
+ memset (block, 0, 1024 * memory_blocks);
+@@ -273,7 +273,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
+ if (!thread_data)
+ {
+- ec = gpg_err_code_from_errno (errno);
++ ec = GPG_ERR_OUT_OF_MEMORY;
+ xfree (block);
+ return ec;
+ }
+@@ -624,7 +624,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
+ n = offsetof (struct argon2_context, out) + taglen;
+ a = xtrymalloc (n);
+ if (!a)
+- return gpg_err_code_from_errno (errno);
++ return GPG_ERR_OUT_OF_MEMORY;
+
+ a->algo = GCRY_KDF_ARGON2;
+ a->hash_type = hash_type;
+--
+2.51.0
+
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 05/13] libgcrypt/kdf: Remove unsupported KDFs
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (3 preceding siblings ...)
2025-09-02 7:17 ` [PATCH v4 04/13] libgcrypt/kdf: Get rid of gpg_err_code_from_errno() Gary Lin via Grub-devel
@ 2025-09-02 7:17 ` Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 06/13] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms Gary Lin via Grub-devel
` (7 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Clean up _gcry_kdf_*() to remove unsupported KDFs.
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../11-kdf-remove-unsupported-kdfs.patch | 166 ++++++++++++++++++
2 files changed, 167 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index ac72a7ecf..abd4227e7 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -45,6 +45,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
new file mode 100644
index 000000000..44ef3dec2
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
@@ -0,0 +1,166 @@
+From fc9c57f54fd28685f7df79e53078e1dc9e44f964 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:00:17 +0800
+Subject: [PATCH 3/4] libgcrypt/kdf: Remove unsupported KDFs
+
+Clean up _gcry_kdf_*() to remove unsupported KDFs.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 119 ----------------------
+ 1 file changed, 119 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 6e0351d8a..c51a70eff 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -821,64 +821,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ key, keylen, ad, adlen);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- if (!inputlen || !saltlen || keylen || adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)key;
+- (void)ad;
+- ec = balloon_open (hd, subalgo, param, paramlen,
+- input, inputlen, salt, saltlen);
+- }
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- if (!inputlen || !paramlen || !adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- (void)key;
+- ec = onestep_kdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- if (!inputlen || !paramlen || !keylen || !adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen,
+- input, inputlen, key, keylen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_HKDF:
+- if (!inputlen || !paramlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- ec = hkdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, key, keylen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- if (!inputlen || !paramlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- (void)key;
+- ec = x963_kdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, ad, adlen);
+- }
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -898,26 +840,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
+ ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- ec = x963_kdf_compute ((x963_kdf_ctx_t)(void *)h, ops);
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -938,27 +860,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
+ ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h,
+- resultlen, result);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- ec = x963_kdf_final ((x963_kdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -976,26 +877,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+ argon2_close ((argon2_ctx_t)(void *)h);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- balloon_close ((balloon_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- hkdf_close ((hkdf_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- x963_kdf_close ((x963_kdf_ctx_t)(void *)h);
+- break;
+-
+ default:
+ break;
+ }
+--
+2.51.0
+
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 06/13] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (4 preceding siblings ...)
2025-09-02 7:17 ` [PATCH v4 05/13] libgcrypt/kdf: Remove unsupported KDFs Gary Lin via Grub-devel
@ 2025-09-02 7:17 ` Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 07/13] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
` (6 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Use grub_divmod64() for the 64-bit modulus to prevent creation of
special division calls such as __umoddi3() and __aeabi_uldivmod() on
32-bit platforms.
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../12-kdf-use-grub_divmod64.patch | 79 +++++++++++++++++++
2 files changed, 80 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index abd4227e7..5d9ff91e9 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -46,6 +46,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch b/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
new file mode 100644
index 000000000..644485ebf
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
@@ -0,0 +1,79 @@
+From 990a5f7df076200aa031b1bcde6bc4b13d4f198e Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 25 Aug 2025 16:01:45 +0800
+Subject: [PATCH 4/4] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
+
+Use grub_divmod64() for the 64-bit modulus to prevent creation of
+special division calls such as __umoddi3() and __aeabi_uldivmod() on
+32-bit platforms.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index c51a70eff..f4bb51809 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -375,6 +375,7 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+ u32 reference_area_size;
+ u64 relative_position;
+ u32 start_position;
++ u64 remainder;
+
+ if (t->pass == 0)
+ {
+@@ -411,7 +412,8 @@ index_alpha (argon2_ctx_t a, const struct argon2_thread_data *t,
+ ? 0
+ : (t->slice + 1) * a->segment_length;
+
+- return (start_position + relative_position) % a->lane_length;
++ grub_divmod64 (start_position + relative_position, a->lane_length, &remainder);
++ return remainder;
+ }
+
+ static void
+@@ -425,6 +427,7 @@ argon2_compute_segment (void *priv)
+ u64 input_block[1024/sizeof (u64)];
+ u64 address_block[1024/sizeof (u64)];
+ u64 *random_block = NULL;
++ u64 remainder;
+
+ if (a->hash_type == GCRY_KDF_ARGON2I
+ || (a->hash_type == GCRY_KDF_ARGON2ID && t->pass == 0 && t->slice < 2))
+@@ -449,7 +452,8 @@ argon2_compute_segment (void *priv)
+ i = 0;
+
+ curr_offset = t->lane * a->lane_length + t->slice * a->segment_length + i;
+- if ((curr_offset % a->lane_length))
++ grub_divmod64 (curr_offset, a->lane_length, &remainder);
++ if (remainder)
+ prev_offset = curr_offset - 1;
+ else
+ prev_offset = curr_offset + a->lane_length - 1;
+@@ -459,7 +463,8 @@ argon2_compute_segment (void *priv)
+ u64 *ref_block, *curr_block;
+ u64 rand64;
+
+- if ((curr_offset % a->lane_length) == 1)
++ grub_divmod64 (curr_offset, a->lane_length, &remainder);
++ if (remainder == 1)
+ prev_offset = curr_offset - 1;
+
+ if (random_block)
+@@ -475,7 +480,10 @@ argon2_compute_segment (void *priv)
+ if (t->pass == 0 && t->slice == 0)
+ ref_lane = t->lane;
+ else
+- ref_lane = (rand64 >> 32) % a->lanes;
++ {
++ grub_divmod64 (rand64 >> 32, a->lanes, &remainder);
++ ref_lane = remainder;
++ }
+
+ ref_index = index_alpha (a, t, i, (rand64 & 0xffffffff),
+ ref_lane == t->lane);
+--
+2.51.0
+
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 07/13] argon2: Introduce grub_crypto_argon2()
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (5 preceding siblings ...)
2025-09-02 7:17 ` [PATCH v4 06/13] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms Gary Lin via Grub-devel
@ 2025-09-02 7:17 ` Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 08/13] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
` (5 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:17 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
This commit introduces grub_crypto_argon2() which leverages the
'_gcry_kdf_*' functions from libgcrypt to provide Argon2 support.
Due to the dependency of the '_gcry_kdf_*' functions, the order of
'ldadd' entries have to be tweaked in Makefile.util.def so that the
linker can discover those functions.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
Makefile.util.def | 55 +++++++++++++++++++------------------
grub-core/Makefile.core.def | 5 ++++
grub-core/lib/argon2.c | 52 +++++++++++++++++++++++++++++++++++
include/grub/crypto.h | 9 ++++++
4 files changed, 94 insertions(+), 27 deletions(-)
create mode 100644 grub-core/lib/argon2.c
diff --git a/Makefile.util.def b/Makefile.util.def
index 038253b37..f8d4ae7d3 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -43,6 +43,7 @@ library = {
common = grub-core/disk/key_protector.c;
common = grub-core/disk/cryptodisk.c;
common = grub-core/disk/AFSplitter.c;
+ common = grub-core/lib/argon2.c;
common = grub-core/lib/pbkdf2.c;
common = grub-core/commands/extcmd.c;
common = grub-core/lib/arg.c;
@@ -201,8 +202,8 @@ program = {
extra_dist = util/grub-mkimagexx.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBLZMA)';
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -225,8 +226,8 @@ program = {
cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBTASN1)';
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -243,8 +244,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -258,8 +259,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -284,8 +285,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -300,8 +301,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -323,8 +324,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -341,8 +342,8 @@ program = {
cflags = '$(FUSE_CFLAGS)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
condition = COND_GRUB_MOUNT;
@@ -359,8 +360,8 @@ program = {
cppflags = '-DGRUB_MKFONT=1';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(FREETYPE_LIBS)';
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -378,8 +379,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -436,8 +437,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -451,8 +452,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -466,8 +467,8 @@ program = {
common = grub-core/kern/emu/argp_common.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -605,8 +606,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -652,8 +653,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -691,8 +692,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -727,8 +728,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1305,8 +1306,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1320,8 +1321,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1335,8 +1336,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1351,8 +1352,8 @@ program = {
common = grub-core/tests/lib/test.c;
common = grub-core/lib/priority_queue.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
condition = COND_HAVE_CXX;
@@ -1367,8 +1368,8 @@ program = {
common = grub-core/kern/misc.c;
common = grub-core/tests/lib/test.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1382,8 +1383,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1400,8 +1401,8 @@ program = {
common = grub-core/kern/emu/argp_common.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1416,8 +1417,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1434,8 +1435,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1463,8 +1464,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index b3f71196a..16166b1ed 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1694,6 +1694,11 @@ module = {
common = lib/pbkdf2.c;
};
+module = {
+ name = argon2;
+ common = lib/argon2.c;
+};
+
module = {
name = relocator;
common = lib/relocator.c;
diff --git a/grub-core/lib/argon2.c b/grub-core/lib/argon2.c
new file mode 100644
index 000000000..12ad7ad1c
--- /dev/null
+++ b/grub-core/lib/argon2.c
@@ -0,0 +1,52 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/crypto.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *password, grub_size_t passwordlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen,
+ grub_size_t resultlen, void *result)
+{
+ gcry_kdf_hd_t hd = {0};
+ gpg_err_code_t err;
+
+ if (saltlen == 0)
+ return GPG_ERR_INV_VALUE;
+
+ err = _gcry_kdf_open (&hd, GRUB_GCRY_KDF_ARGON2, subalgo, param, paramlen,
+ password, passwordlen, salt, saltlen, key, keylen,
+ ad, adlen);
+ if (err != GPG_ERR_NO_ERROR)
+ return err;
+
+ err = _gcry_kdf_compute (hd, NULL);
+ if (err == GPG_ERR_NO_ERROR)
+ err = _gcry_kdf_final (hd, resultlen, result);
+
+ _gcry_kdf_close (hd);
+
+ return err;
+}
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index d323f00ce..c6eb8b2d2 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -573,6 +573,15 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
unsigned int c,
grub_uint8_t *DK, grub_size_t dkLen);
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *password, grub_size_t passwordlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen,
+ grub_size_t resultlen, void *result);
+
int
grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 08/13] Import Argon2 tests from libgcrypt
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (6 preceding siblings ...)
2025-09-02 7:17 ` [PATCH v4 07/13] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
@ 2025-09-02 7:18 ` Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 09/13] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
` (4 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:18 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt
to grub-core/tests/argon2_test.c.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
grub-core/tests/argon2_test.c | 141 ++++++++++++++++++++++++++++++++++
1 file changed, 141 insertions(+)
create mode 100644 grub-core/tests/argon2_test.c
diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
new file mode 100644
index 000000000..d2f70166a
--- /dev/null
+++ b/grub-core/tests/argon2_test.c
@@ -0,0 +1,141 @@
+static void
+check_argon2 (void)
+{
+ gcry_error_t err;
+ static struct {
+ int subalgo;
+ unsigned long param[4];
+ size_t passlen;
+ const char *pass;
+ size_t saltlen;
+ const char *salt;
+ size_t keylen;
+ const char *key;
+ size_t adlen;
+ const char *ad;
+ size_t dklen;
+ const char *dk;
+ } tv[] = {
+ {
+ GCRY_KDF_ARGON2D,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\x51\x2b\x39\x1b\x6f\x11\x62\x97\x53\x71\xd3\x09\x19\x73\x42\x94"
+ "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
+ },
+ {
+ GCRY_KDF_ARGON2I,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\xc8\x14\xd9\xd1\xdc\x7f\x37\xaa\x13\xf0\xd7\x7f\x24\x94\xbd\xa1"
+ "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
+ },
+ {
+ GCRY_KDF_ARGON2ID,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\x0d\x64\x0d\xf5\x8d\x78\x76\x6c\x08\xc0\x37\xa3\x4a\x8b\x53\xc9"
+ "\xd0\x1e\xf0\x45\x2d\x75\xb6\x5e\xb5\x25\x20\xe9\x6b\x01\xe6\x59"
+ },
+ {
+ /* empty password */
+ GCRY_KDF_ARGON2I,
+ { 32, 3, 128, 1 },
+ 0, NULL,
+ 16,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ 0, NULL,
+ 0, NULL,
+ 32,
+ "\xbb\x1f\xf2\xb9\x9f\xd4\x4a\xd9\xdf\x7f\xb9\x54\x55\x9e\xb8\xeb"
+ "\xb5\x9d\xab\xce\x2e\x62\x9f\x9b\x89\x09\xfe\xde\x57\xcc\x63\x86"
+ },
+ {
+ /* empty password */
+ GCRY_KDF_ARGON2ID,
+ { 32, 3, 128, 1 },
+ 0, NULL,
+ 16,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ 0, NULL,
+ 0, NULL,
+ 32,
+ "\x09\x2f\x38\x35\xac\xb2\x43\x92\x93\xeb\xcd\xe8\x04\x16\x6a\x31"
+ "\xce\x14\xd4\x55\xdb\xd8\xf7\xe6\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb"
+ },
+ };
+ unsigned char out[32];
+ int i;
+ int count;
+
+ for (count = 0; count < DIM(tv); count++)
+ {
+ if (verbose)
+ fprintf (stderr, "checking ARGON2 test vector %d\n", count);
+
+ err = my_kdf_derive (0, GCRY_KDF_ARGON2,
+ tv[count].subalgo, tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ if (err)
+ fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
+ else if (memcmp (out, tv[count].dk, tv[count].dklen))
+ {
+ fail ("argon2 test %d failed: mismatch\n", count*2+0);
+ fputs ("got:", stderr);
+ for (i=0; i < tv[count].dklen; i++)
+ fprintf (stderr, " %02x", out[i]);
+ putc ('\n', stderr);
+ }
+
+#ifdef HAVE_PTHREAD
+ err = my_kdf_derive (1, GCRY_KDF_ARGON2,
+ tv[count].subalgo, tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ if (err)
+ fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
+ else if (memcmp (out, tv[count].dk, tv[count].dklen))
+ {
+ fail ("argon2 test %d failed: mismatch\n", count*2+1);
+ fputs ("got:", stderr);
+ for (i=0; i < tv[count].dklen; i++)
+ fprintf (stderr, " %02x", out[i]);
+ putc ('\n', stderr);
+ }
+#endif
+ }
+}
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 09/13] Integrate Argon2 tests into functional_test
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (7 preceding siblings ...)
2025-09-02 7:18 ` [PATCH v4 08/13] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
@ 2025-09-02 7:18 ` Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 10/13] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
` (3 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:18 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Refactor the Argon2 tests to enable the module build and integrate the
tests into function_test.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
grub-core/Makefile.core.def | 5 ++
grub-core/tests/argon2_test.c | 104 +++++++++++++-------------
grub-core/tests/lib/functional_test.c | 1 +
3 files changed, 57 insertions(+), 53 deletions(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 16166b1ed..fb96f92a5 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2222,6 +2222,11 @@ module = {
common = tests/pbkdf2_test.c;
};
+module = {
+ name = argon2_test;
+ common = tests/argon2_test.c;
+};
+
module = {
name = legacy_password_test;
common = tests/legacy_password_test.c;
diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
index d2f70166a..8318a0962 100644
--- a/grub-core/tests/argon2_test.c
+++ b/grub-core/tests/argon2_test.c
@@ -1,23 +1,50 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/test.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/crypto.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define DIM(v) (sizeof(v)/sizeof((v)[0]))
+
static void
-check_argon2 (void)
+argon2_test (void)
{
gcry_error_t err;
static struct {
int subalgo;
unsigned long param[4];
- size_t passlen;
+ grub_size_t passlen;
const char *pass;
- size_t saltlen;
+ grub_size_t saltlen;
const char *salt;
- size_t keylen;
+ grub_size_t keylen;
const char *key;
- size_t adlen;
+ grub_size_t adlen;
const char *ad;
- size_t dklen;
+ grub_size_t dklen;
const char *dk;
} tv[] = {
{
- GCRY_KDF_ARGON2D,
+ GRUB_GCRY_KDF_ARGON2D,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -33,7 +60,7 @@ check_argon2 (void)
"\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
},
{
- GCRY_KDF_ARGON2I,
+ GRUB_GCRY_KDF_ARGON2I,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -49,7 +76,7 @@ check_argon2 (void)
"\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
},
{
- GCRY_KDF_ARGON2ID,
+ GRUB_GCRY_KDF_ARGON2ID,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -66,7 +93,7 @@ check_argon2 (void)
},
{
/* empty password */
- GCRY_KDF_ARGON2I,
+ GRUB_GCRY_KDF_ARGON2I,
{ 32, 3, 128, 1 },
0, NULL,
16,
@@ -79,7 +106,7 @@ check_argon2 (void)
},
{
/* empty password */
- GCRY_KDF_ARGON2ID,
+ GRUB_GCRY_KDF_ARGON2ID,
{ 32, 3, 128, 1 },
0, NULL,
16,
@@ -92,50 +119,21 @@ check_argon2 (void)
},
};
unsigned char out[32];
- int i;
- int count;
+ unsigned int count;
for (count = 0; count < DIM(tv); count++)
{
- if (verbose)
- fprintf (stderr, "checking ARGON2 test vector %d\n", count);
-
- err = my_kdf_derive (0, GCRY_KDF_ARGON2,
- tv[count].subalgo, tv[count].param, 4,
- tv[count].pass, tv[count].passlen,
- tv[count].salt, tv[count].saltlen,
- tv[count].key, tv[count].keylen,
- tv[count].ad, tv[count].adlen,
- tv[count].dklen, out);
- if (err)
- fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
- else if (memcmp (out, tv[count].dk, tv[count].dklen))
- {
- fail ("argon2 test %d failed: mismatch\n", count*2+0);
- fputs ("got:", stderr);
- for (i=0; i < tv[count].dklen; i++)
- fprintf (stderr, " %02x", out[i]);
- putc ('\n', stderr);
- }
-
-#ifdef HAVE_PTHREAD
- err = my_kdf_derive (1, GCRY_KDF_ARGON2,
- tv[count].subalgo, tv[count].param, 4,
- tv[count].pass, tv[count].passlen,
- tv[count].salt, tv[count].saltlen,
- tv[count].key, tv[count].keylen,
- tv[count].ad, tv[count].adlen,
- tv[count].dklen, out);
- if (err)
- fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
- else if (memcmp (out, tv[count].dk, tv[count].dklen))
- {
- fail ("argon2 test %d failed: mismatch\n", count*2+1);
- fputs ("got:", stderr);
- for (i=0; i < tv[count].dklen; i++)
- fprintf (stderr, " %02x", out[i]);
- putc ('\n', stderr);
- }
-#endif
+ err = grub_crypto_argon2 (tv[count].subalgo,
+ tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ grub_test_assert (err == 0, "argon2 test %d failed: %d", count, err);
+ grub_test_assert (grub_memcmp (out, tv[count].dk, tv[count].dklen) == 0,
+ "argon2 test %d failed: mismatch", count);
}
}
+
+GRUB_FUNCTIONAL_TEST (argon2_test, argon2_test);
diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
index 38e981f2c..0289ff38f 100644
--- a/grub-core/tests/lib/functional_test.c
+++ b/grub-core/tests/lib/functional_test.c
@@ -80,6 +80,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
grub_dl_load ("mul_test");
grub_dl_load ("shift_test");
grub_dl_load ("asn1_test");
+ grub_dl_load ("argon2_test");
FOR_LIST_ELEMENTS (test, grub_test_list)
ok = !grub_test_run (test) && ok;
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 10/13] disk/luks2: Add Argon2 support
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (8 preceding siblings ...)
2025-09-02 7:18 ` [PATCH v4 09/13] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
@ 2025-09-02 7:18 ` Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 11/13] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
` (2 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:18 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Leverage the new grub_crypto_argon2() function to add support for the
Argon2i and Argon2id KDFs in LUKS2
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
grub-core/disk/luks2.c | 40 ++++++++++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index b17cd2115..a3608e233 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
enum grub_luks2_kdf_type
{
LUKS2_KDF_TYPE_ARGON2I,
+ LUKS2_KDF_TYPE_ARGON2ID,
LUKS2_KDF_TYPE_PBKDF2
};
typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
@@ -159,13 +160,21 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
grub_json_getstring (&type, &kdf, "type") ||
grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
- else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type, "argon2id"))
+ else if (!grub_strcmp (type, "argon2i"))
{
out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2i parameters");
+ }
+ else if (!grub_strcmp (type, "argon2id"))
+ {
+ out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
+ if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "missing Argon2id parameters");
}
else if (!grub_strcmp (type, "pbkdf2"))
{
@@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
grub_uint8_t *split_key = NULL;
idx_t saltlen = sizeof (salt);
+ int subalgo;
+ unsigned long param[4];
char cipher[32], *p;
const gcry_md_spec_t *hash;
gcry_err_code_t gcry_ret;
@@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
switch (k->kdf.type)
{
case LUKS2_KDF_TYPE_ARGON2I:
- ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
- goto err;
+ case LUKS2_KDF_TYPE_ARGON2ID:
+ if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
+ subalgo = GRUB_GCRY_KDF_ARGON2I;
+ else
+ subalgo = GRUB_GCRY_KDF_ARGON2ID;
+
+ param[0] = k->area.key_size;
+ param[1] = k->kdf.u.argon2i.time;
+ param[2] = k->kdf.u.argon2i.memory;
+ param[3] = k->kdf.u.argon2i.cpus;
+
+ gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
+ passphrase, passphraselen,
+ salt, saltlen,
+ NULL, 0, NULL, 0,
+ k->area.key_size, area_key);
+ if (gcry_ret)
+ {
+ ret = grub_crypto_gcry_error (gcry_ret);
+ goto err;
+ }
+
+ break;
case LUKS2_KDF_TYPE_PBKDF2:
hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
if (!hash)
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 11/13] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (9 preceding siblings ...)
2025-09-02 7:18 ` [PATCH v4 10/13] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
@ 2025-09-02 7:18 ` Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 12/13] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 13/13] kern/misc: Implement faster grub_memcpy() for aligned buffers Gary Lin via Grub-devel
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:18 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Given that the LUKS1 test already covers PBKDF2, the default KDF for the
LUKS2 test has been switched to Argon2id to ensure both algorithms are
validated.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
tests/util/grub-fs-tester.in | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
index cac58dafa..126f19a7e 100644
--- a/tests/util/grub-fs-tester.in
+++ b/tests/util/grub-fs-tester.in
@@ -860,8 +860,14 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
MOUNTDEVICE="/dev/mapper/grub_test-testvol"
MOUNTFS=ext2
"mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
- x"luks"*)
- echo -n "$PASS" | cryptsetup luksFormat --type "$fs" --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+ xluks1)
+ echo -n "$PASS" | cryptsetup luksFormat --type luks1 --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+ echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
+ MOUNTDEVICE="/dev/mapper/${DMNAME}"
+ MOUNTFS=ext2
+ "mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
+ xluks2)
+ echo -n "$PASS" | cryptsetup luksFormat --type luks2 --sector-size $SECSIZE --pbkdf argon2id --force-password --disable-locks $LODEVICE
echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
MOUNTDEVICE="/dev/mapper/${DMNAME}"
MOUNTFS=ext2
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 12/13] docs: Document argon2 and argon2_test
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (10 preceding siblings ...)
2025-09-02 7:18 ` [PATCH v4 11/13] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
@ 2025-09-02 7:18 ` Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 13/13] kern/misc: Implement faster grub_memcpy() for aligned buffers Gary Lin via Grub-devel
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:18 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Document the argon2 and argon2_test modules.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
---
docs/grub.texi | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 34b3484dc..b3908ecf6 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3889,6 +3889,8 @@ Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.
* aout_module::
* appleldr_module::
* archelp_module::
+* argon2_module::
+* argon2_test_module::
* at_keyboard_module::
* ata_module::
* backtrace_module::
@@ -4244,6 +4246,15 @@ computer (Intel based Macs).
This module provides Archive Helper functions for archive based file systems
such as TAR and CPIO archives.
+@node argon2_module
+@section argon2
+This module provides support for the Argon2 key derivation function.
+
+@node argon2_test_module
+@section argon2_test
+This module is intended for performing a functional test of the Argon2
+operation in GRUB.
+
@node at_keyboard_module
@section at_keyboard
This module provides support for the AT keyboard input for the GRUB terminal.
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH v4 13/13] kern/misc: Implement faster grub_memcpy() for aligned buffers
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
` (11 preceding siblings ...)
2025-09-02 7:18 ` [PATCH v4 12/13] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
@ 2025-09-02 7:18 ` Gary Lin via Grub-devel
12 siblings, 0 replies; 14+ messages in thread
From: Gary Lin via Grub-devel @ 2025-09-02 7:18 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
When both "dest" and "src" are aligned, copying the data in chunks
(unsigned long) is more efficient than a byte-by-byte copy.
Also tweak '__aeabi_memcpy()', '__aeabi_memcpy4()', and
'__aeabi_memcpy8()', since 'grub_memcpy()' is not inline anymore.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/kern/compiler-rt.c | 8 ++++----
grub-core/kern/misc.c | 30 ++++++++++++++++++++++++++++++
include/grub/misc.h | 8 +-------
3 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/grub-core/kern/compiler-rt.c b/grub-core/kern/compiler-rt.c
index eda689a0c..8f3865e95 100644
--- a/grub-core/kern/compiler-rt.c
+++ b/grub-core/kern/compiler-rt.c
@@ -24,7 +24,7 @@
void * GRUB_BUILTIN_ATTR
memcpy (void *dest, const void *src, grub_size_t n)
{
- return grub_memmove (dest, src, n);
+ return grub_memcpy (dest, src, n);
}
void * GRUB_BUILTIN_ATTR
memmove (void *dest, const void *src, grub_size_t n)
@@ -372,11 +372,11 @@ grub_int32_t
__aeabi_idiv (grub_int32_t a, grub_int32_t b)
__attribute__ ((alias ("__divsi3")));
void *__aeabi_memcpy (void *dest, const void *src, grub_size_t n)
- __attribute__ ((alias ("grub_memcpy")));
+ __attribute__ ((alias ("memcpy")));
void *__aeabi_memcpy4 (void *dest, const void *src, grub_size_t n)
- __attribute__ ((alias ("grub_memcpy")));
+ __attribute__ ((alias ("memcpy")));
void *__aeabi_memcpy8 (void *dest, const void *src, grub_size_t n)
- __attribute__ ((alias ("grub_memcpy")));
+ __attribute__ ((alias ("memcpy")));
void *__aeabi_memset (void *s, int c, grub_size_t n)
__attribute__ ((alias ("memset")));
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
index 2b7922393..016932583 100644
--- a/grub-core/kern/misc.c
+++ b/grub-core/kern/misc.c
@@ -99,6 +99,36 @@ grub_memmove (void *dest, const void *src, grub_size_t n)
return dest;
}
+static void *
+__memcpy_aligned (void *dest, const void *src, grub_size_t n)
+{
+ unsigned long *dw = (unsigned long *) dest;
+ const unsigned long *sw = (const unsigned long *) src;
+ grub_uint8_t *d;
+ const grub_uint8_t *s;
+
+ for (; n >= sizeof (unsigned long); n -= sizeof (unsigned long))
+ *dw++ = *sw++;
+
+ d = (grub_uint8_t *) dw;
+ s = (const grub_uint8_t *) sw;
+ for (; n > 0; n--)
+ *d++ = *s++;
+
+ return dest;
+}
+
+void *
+grub_memcpy (void *dest, const void *src, grub_size_t n)
+{
+ /* Check if 'dest' and 'src' are aligned */
+ if (((grub_addr_t) dest & (sizeof (unsigned long) - 1)) == 0 &&
+ ((grub_addr_t) src & (sizeof (unsigned long) - 1)) == 0)
+ return __memcpy_aligned (dest, src, n);
+
+ return grub_memmove (dest, src, n);
+}
+
char *
grub_strcpy (char *dest, const char *src)
{
diff --git a/include/grub/misc.h b/include/grub/misc.h
index e087e7b3e..b6b14ca55 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -38,6 +38,7 @@
#define grub_dprintf(condition, ...) grub_real_dprintf(GRUB_FILE, __LINE__, condition, __VA_ARGS__)
void *EXPORT_FUNC(grub_memmove) (void *dest, const void *src, grub_size_t n);
+void *EXPORT_FUNC(grub_memcpy) (void *dest, const void *src, grub_size_t n);
char *EXPORT_FUNC(grub_strcpy) (char *dest, const char *src);
static inline char *
@@ -103,13 +104,6 @@ grub_strlcpy (char *dest, const char *src, grub_size_t size)
return res;
}
-/* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
-static inline void *
-grub_memcpy (void *dest, const void *src, grub_size_t n)
-{
- return grub_memmove (dest, src, n);
-}
-
#if defined(__x86_64__) && !defined (GRUB_UTIL)
#if defined (__MINGW32__) || defined (__CYGWIN__) || defined (__MINGW64__)
#define GRUB_ASM_ATTR __attribute__ ((sysv_abi))
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 14+ messages in thread
end of thread, other threads:[~2025-09-02 7:20 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-02 7:17 [PATCH v4 00/13] Support Argon2 KDF Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 01/13] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 02/13] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 03/13] libgcrypt/kdf: Implement blake2b_512.hash_buffers() Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 04/13] libgcrypt/kdf: Get rid of gpg_err_code_from_errno() Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 05/13] libgcrypt/kdf: Remove unsupported KDFs Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 06/13] libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms Gary Lin via Grub-devel
2025-09-02 7:17 ` [PATCH v4 07/13] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 08/13] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 09/13] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 10/13] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 11/13] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 12/13] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
2025-09-02 7:18 ` [PATCH v4 13/13] kern/misc: Implement faster grub_memcpy() for aligned buffers Gary Lin via Grub-devel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).