* [PATCH v2 0/9] Support Argon2 KDF
@ 2025-08-06 7:16 Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 1/9] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
` (8 more replies)
0 siblings, 9 replies; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
This patch series imports the Argon2 code and tests from libgcrypt and
adds Argon2 support to LUKS2.
- Patch 1~3 import kdf.c from libgcrypt and extract the Argon2 related
functions. The _gcry_kdf_* functions are also imported to make it
easier to support other KDF functions when necessary.
- Patch 4 introduces grub_crypto_argon2().
- Patch 5 and 6 integrates the Argon2 tests from libgcrypt into
functional_test.
- Patch 7 leverages grub_crypto_argon2() to add Argon2 support to LUKS2.
- Patch 8 changes the default KDF of the LUKS2 test to Argon2id.
- Patch 9 documents argon2 and argon2_test modules.
v2:
- Import Argon2 code differently to improve maintainability
* Updating import_gcry.py to import Argon2 and _gcry_kdf_* functions
from kdf.c instead of extracting the code manually
* Implementing grub_crypto_argon2() with the _gcry_kdf_* functions to
avoid the GCRY flags when building argon2.c
* Building argon2.c inside libgrubkernel.a since the GCRY flags are not
needed anymore
Gary Lin (9):
util/import_gcry: Import kdf.c for Argon2
crypto: Update crypto.h for libgcrypt KDF functions
kdf: Resovle the build errors
argon2: Introduce grub_crypto_argon2()
Import Argon2 tests from libgcrypt
Integrate Argon2 tests into functional_test
disk/luks2: Add Argon2 support
tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
docs: Document argon2 and argon2_test
Makefile.util.def | 19 +-
conf/Makefile.extra-dist | 1 +
docs/grub.texi | 11 +
grub-core/Makefile.core.def | 10 +
grub-core/disk/luks2.c | 38 ++-
grub-core/lib/argon2.c | 52 ++++
.../libgcrypt-patches/09_kdf_build_fix.patch | 230 ++++++++++++++++++
grub-core/tests/argon2_test.c | 139 +++++++++++
grub-core/tests/lib/functional_test.c | 1 +
include/grub/crypto.h | 49 ++++
tests/util/grub-fs-tester.in | 10 +-
util/import_gcry.py | 28 ++-
12 files changed, 572 insertions(+), 16 deletions(-)
create mode 100644 grub-core/lib/argon2.c
create mode 100644 grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch
create mode 100644 grub-core/tests/argon2_test.c
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* [PATCH v2 1/9] util/import_gcry: Import kdf.c for Argon2
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
[not found] ` <CAEaD8JO8HLqSOKyyHHf69r0LO1w+C-eTAs-V1b-_vJ_is9Wodw@mail.gmail.com>
2025-08-06 7:16 ` [PATCH v2 2/9] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
` (7 subsequent siblings)
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
The import_gcry.py script now imports kdf.c from libgcrypt. To isolate
the Argon2 implementation, all unrelated functions have been removed.
Signed-off-by: Gary Lin <glin@suse.com>
---
util/import_gcry.py | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/util/import_gcry.py b/util/import_gcry.py
index 086bde77c..5b24e4041 100644
--- a/util/import_gcry.py
+++ b/util/import_gcry.py
@@ -146,7 +146,7 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
# TODO: Support KDF
- if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
+ if re.match (r"(scrypt\.c)$", cipher_file):
chlog = "%s%s: Removed\n" % (chlog, chlognew)
continue
# TODO: Support chacha20 and poly1305
@@ -313,6 +313,16 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
chlognew = "%s %s" % (chlognew, chmsg)
nch = True
continue
+ elif re.match ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*", line) is not None and cipher_file == "kdf.c":
+ skip = 1
+ fname = re.match ("[a-zA-Z0-9_]*", line).group ()
+ chmsg = "(%s): Removed." % fname
+ if nch:
+ chlognew = "%s\n %s" % (chlognew, chmsg)
+ else:
+ chlognew = "%s %s" % (chlognew, chmsg)
+ nch = True
+ continue
else:
fw.write (holdline)
m = re.match ("# *include <(.*)>", line)
@@ -439,7 +449,7 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
nch = True
continue
- m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
+ m = re.match (r"((static )?const char( |)\*|static const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static )?int|(static )?unsigned int|(static )?gcry_err_code_t|static gcry_mpi_t|static void|void|static elliptic_curve_t|static u64|static size_t) *$", line)
if not m is None:
hold = True
holdline = line
@@ -575,6 +585,20 @@ with codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", "utf-8") as
conf.write ("};\n\n")
if nch:
chlog = "%s%s\n" % (chlog, chlognew)
+ elif cipher_file == "kdf.c":
+ modfiles = ["kdf.c"]
+ if modname in extra_files:
+ modfiles += extra_files[modname]
+ conf.write ("module = {\n")
+ conf.write (" name = %s;\n" % modname)
+ for src in modfiles:
+ conf.write (" common = lib/libgcrypt-grub/cipher/%s;\n" % src)
+ confutil.write (" common = grub-core/lib/libgcrypt-grub/cipher/%s;\n" % src)
+ conf.write (" cflags = '$(CFLAGS_GCRY)';\n")
+ conf.write (" cppflags = '$(CPPFLAGS_GCRY)';\n")
+ conf.write ("};\n\n")
+ if nch:
+ chlog = "%s%s\n" % (chlog, chlognew)
elif isc and cipher_file not in extra_files_list:
print ("WARNING: C file isn't a module: %s" % cipher_file)
os.remove (outfile)
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 2/9] crypto: Update crypto.h for libgcrypt KDF functions
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 1/9] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-21 15:39 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 3/9] kdf: Resovle the build errors Gary Lin via Grub-devel
` (6 subsequent siblings)
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Add the following items to crypto.h
- more GPG error types
- _gcry_digest_spec_blake2b_512 for Argon2
- KDF algorithm IDs for Argon2
- prototypes of '_gcry_kdf_*' functions
Signed-off-by: Gary Lin <glin@suse.com>
---
include/grub/crypto.h | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index b0d7add1d..d323f00ce 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -34,6 +34,7 @@ typedef enum
GPG_ERR_BAD_MPI,
GPG_ERR_BAD_SECKEY,
GPG_ERR_BAD_SIGNATURE,
+ GPG_ERR_CANCELED,
GPG_ERR_CIPHER_ALGO,
GPG_ERR_CONFLICT,
GPG_ERR_DECRYPT_FAILED,
@@ -48,6 +49,7 @@ typedef enum
GPG_ERR_INV_OP,
GPG_ERR_INV_SEXP,
GPG_ERR_INV_VALUE,
+ GPG_ERR_MAC_ALGO,
GPG_ERR_MISSING_VALUE,
GPG_ERR_NO_ENCRYPTION_SCHEME,
GPG_ERR_NO_OBJ,
@@ -59,7 +61,9 @@ typedef enum
GPG_ERR_PUBKEY_ALGO,
GPG_ERR_SELFTEST_FAILED,
GPG_ERR_TOO_SHORT,
+ GPG_ERR_UNKNOWN_ALGORITHM,
GPG_ERR_UNSUPPORTED,
+ GPG_ERR_UNSUPPORTED_ALGORITHM,
GPG_ERR_WEAK_KEY,
GPG_ERR_WRONG_KEY_USAGE,
GPG_ERR_WRONG_PUBKEY_ALGO,
@@ -512,6 +516,7 @@ extern gcry_md_spec_t _gcry_digest_spec_sha1;
extern gcry_md_spec_t _gcry_digest_spec_sha256;
extern gcry_md_spec_t _gcry_digest_spec_sha512;
extern gcry_md_spec_t _gcry_digest_spec_crc32;
+extern gcry_md_spec_t _gcry_digest_spec_blake2b_512;
extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
#define GRUB_MD_MD5 ((const gcry_md_spec_t *) &_gcry_digest_spec_md5)
#define GRUB_MD_SHA1 ((const gcry_md_spec_t *) &_gcry_digest_spec_sha1)
@@ -520,6 +525,41 @@ extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
#define GRUB_MD_CRC32 ((const gcry_md_spec_t *) &_gcry_digest_spec_crc32)
#define GRUB_CIPHER_AES ((const gcry_cipher_spec_t *) &_gcry_cipher_spec_aes)
+/* Algorithm IDs for the KDFs. */
+enum grub_gcry_kdf_algos
+ {
+ GRUB_GCRY_KDF_NONE = 0,
+ GRUB_GCRY_KDF_ARGON2 = 64,
+ };
+
+enum grub_gcry_kdf_subalgo_argon2
+ {
+ GRUB_GCRY_KDF_ARGON2D = 0,
+ GRUB_GCRY_KDF_ARGON2I = 1,
+ GRUB_GCRY_KDF_ARGON2ID = 2
+ };
+
+typedef struct gcry_kdf_handle *gcry_kdf_hd_t;
+struct gcry_kdf_handle;
+struct gcry_kdf_thread_ops;
+
+gpg_err_code_t
+_gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *input, grub_size_t inputlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen);
+
+gpg_err_code_t
+_gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops);
+
+gpg_err_code_t
+_gcry_kdf_final (gcry_kdf_hd_t h, grub_size_t resultlen, void *result);
+
+void
+_gcry_kdf_close (gcry_kdf_hd_t h);
+
/* Implement PKCS#5 PBKDF2 as per RFC 2898. The PRF to use is HMAC variant
of digest supplied by MD. Inputs are the password P of length PLEN,
the salt S of length SLEN, the iteration counter C (> 0), and the
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 3/9] kdf: Resovle the build errors
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 1/9] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 2/9] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 4/9] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
` (5 subsequent siblings)
8 siblings, 0 replies; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
- Adding argon2_blake2b_512_hash_buffers() as the replacement of
_gcry_digest_spec_blake2b_512.hash_buffers()
- Replacing gpg_err_code_from_errno() with GPG_ERR_*
- Removing the unsupported KDFs from _gcry_kdf_*()
Signed-off-by: Gary Lin <glin@suse.com>
---
| 1 +
.../libgcrypt-patches/09_kdf_build_fix.patch | 230 ++++++++++++++++++
2 files changed, 231 insertions(+)
create mode 100644 grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch
--git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 49bca5577..844e54165 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -43,6 +43,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/05_disable_rsa_shake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/06_blake.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/07_disable_64div.patch
EXTRA_DIST += grub-core/lib/libgcrypt-patches/08_sexp_leak.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch b/grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch
new file mode 100644
index 000000000..6bc430e22
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/09_kdf_build_fix.patch
@@ -0,0 +1,230 @@
+From 8583cb1211e9f8253e072b047082b2141346fd31 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 6 Aug 2025 09:56:21 +0800
+Subject: [PATCH] kdf: Resovle the build errors
+
+- Adding argon2_blake2b_512_hash_buffers() as the replacement of
+ _gcry_digest_spec_blake2b_512.hash_buffers()
+- Replacing gpg_err_code_from_errno() with GPG_ERR_*
+- Removing the unsupported KDFs from _gcry_kdf_*()
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/kdf.c | 145 ++++------------------
+ 1 file changed, 22 insertions(+), 123 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/kdf.c b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+index 0689f88b1..6e825d3e8 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/kdf.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/kdf.c
+@@ -129,6 +129,24 @@ beswap64_block (u64 *dst)
+ #endif
+ }
+
++/* Implementation of _gcry_blake2b_512_hash_buffers */
++static void
++argon2_blake2b_512_hash_buffers (void *outbuf, const gcry_buffer_t *iov, int iovcnt)
++{
++ void *hd;
++
++ hd = xtrymalloc (_gcry_digest_spec_blake2b_512.contextsize);
++ if (!hd)
++ return;
++
++ _gcry_digest_spec_blake2b_512.init (hd, 0);
++ for (;iovcnt > 0; iov++, iovcnt--)
++ _gcry_digest_spec_blake2b_512.write (hd, (const char*)iov[0].data + iov[0].off, iov[0].len);
++ _gcry_digest_spec_blake2b_512.final (hd);
++ grub_memcpy (outbuf, _gcry_digest_spec_blake2b_512.read (hd), 512 / 8);
++
++ xfree (hd);
++}
+
+ static gpg_err_code_t
+ argon2_fill_first_blocks (argon2_ctx_t a)
+@@ -195,7 +213,7 @@ argon2_fill_first_blocks (argon2_ctx_t a)
+ iov_count++;
+ }
+
+- _gcry_digest_spec_blake2b_512.hash_buffers (h0_01_i, 64, iov, iov_count);
++ argon2_blake2b_512_hash_buffers (h0_01_i, iov, iov_count);
+
+ for (i = 0; i < a->lanes; i++)
+ {
+@@ -242,7 +260,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ block = xtrymalloc (1024 * memory_blocks);
+ if (!block)
+ {
+- ec = gpg_err_code_from_errno (errno);
++ ec = GPG_ERR_OUT_OF_MEMORY;
+ return ec;
+ }
+ memset (block, 0, 1024 * memory_blocks);
+@@ -250,7 +268,7 @@ argon2_init (argon2_ctx_t a, unsigned int parallelism,
+ thread_data = xtrymalloc (a->lanes * sizeof (struct argon2_thread_data));
+ if (!thread_data)
+ {
+- ec = gpg_err_code_from_errno (errno);
++ ec = GPG_ERR_OUT_OF_MEMORY;
+ xfree (block);
+ return ec;
+ }
+@@ -601,7 +619,7 @@ argon2_open (gcry_kdf_hd_t *hd, int subalgo,
+ n = offsetof (struct argon2_context, out) + taglen;
+ a = xtrymalloc (n);
+ if (!a)
+- return gpg_err_code_from_errno (errno);
++ return GPG_ERR_OUT_OF_MEMORY;
+
+ a->algo = GCRY_KDF_ARGON2;
+ a->hash_type = hash_type;
+@@ -798,64 +816,6 @@ _gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
+ key, keylen, ad, adlen);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- if (!inputlen || !saltlen || keylen || adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)key;
+- (void)ad;
+- ec = balloon_open (hd, subalgo, param, paramlen,
+- input, inputlen, salt, saltlen);
+- }
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- if (!inputlen || !paramlen || !adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- (void)key;
+- ec = onestep_kdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- if (!inputlen || !paramlen || !keylen || !adlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- ec = onestep_kdf_mac_open (hd, subalgo, param, paramlen,
+- input, inputlen, key, keylen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_HKDF:
+- if (!inputlen || !paramlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- ec = hkdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, key, keylen, ad, adlen);
+- }
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- if (!inputlen || !paramlen)
+- ec = GPG_ERR_INV_VALUE;
+- else
+- {
+- (void)salt;
+- (void)key;
+- ec = x963_kdf_open (hd, subalgo, param, paramlen,
+- input, inputlen, ad, adlen);
+- }
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -875,26 +835,6 @@ _gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops *ops)
+ ec = argon2_compute ((argon2_ctx_t)(void *)h, ops);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- ec = balloon_compute_all ((balloon_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- ec = onestep_kdf_compute ((onestep_kdf_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- ec = onestep_kdf_mac_compute ((onestep_kdf_mac_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- ec = hkdf_compute ((hkdf_ctx_t)(void *)h, ops);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- ec = x963_kdf_compute ((x963_kdf_ctx_t)(void *)h, ops);
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -915,27 +855,6 @@ _gcry_kdf_final (gcry_kdf_hd_t h, size_t resultlen, void *result)
+ ec = argon2_final ((argon2_ctx_t)(void *)h, resultlen, result);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- ec = balloon_final ((balloon_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- ec = onestep_kdf_final ((onestep_kdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- ec = onestep_kdf_mac_final ((onestep_kdf_mac_ctx_t)(void *)h,
+- resultlen, result);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- ec = hkdf_final ((hkdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- ec = x963_kdf_final ((x963_kdf_ctx_t)(void *)h, resultlen, result);
+- break;
+-
+ default:
+ ec = GPG_ERR_UNKNOWN_ALGORITHM;
+ break;
+@@ -953,26 +872,6 @@ _gcry_kdf_close (gcry_kdf_hd_t h)
+ argon2_close ((argon2_ctx_t)(void *)h);
+ break;
+
+- case GCRY_KDF_BALLOON:
+- balloon_close ((balloon_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF:
+- onestep_kdf_close ((onestep_kdf_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_ONESTEP_KDF_MAC:
+- onestep_kdf_mac_close ((onestep_kdf_mac_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_HKDF:
+- hkdf_close ((hkdf_ctx_t)(void *)h);
+- break;
+-
+- case GCRY_KDF_X963_KDF:
+- x963_kdf_close ((x963_kdf_ctx_t)(void *)h);
+- break;
+-
+ default:
+ break;
+ }
+--
+2.43.0
+
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 4/9] argon2: Introduce grub_crypto_argon2()
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
` (2 preceding siblings ...)
2025-08-06 7:16 ` [PATCH v2 3/9] kdf: Resovle the build errors Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-21 20:30 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 5/9] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
` (4 subsequent siblings)
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
This commit introduces grub_crypto_argon2() which leverages the
'_gcry_kdf_*' functions from libgcrypt to provide Argon2 support.
Due to the dependency of the '_gcry_kdf_*' functions, the order of
'ldadd' entries have to be tweaked in Makefile.util.def so that the
linker can discover those functions.
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile.util.def | 19 +++++++-------
grub-core/Makefile.core.def | 5 ++++
grub-core/lib/argon2.c | 52 +++++++++++++++++++++++++++++++++++++
include/grub/crypto.h | 9 +++++++
4 files changed, 76 insertions(+), 9 deletions(-)
create mode 100644 grub-core/lib/argon2.c
diff --git a/Makefile.util.def b/Makefile.util.def
index 038253b37..820897bff 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -43,6 +43,7 @@ library = {
common = grub-core/disk/key_protector.c;
common = grub-core/disk/cryptodisk.c;
common = grub-core/disk/AFSplitter.c;
+ common = grub-core/lib/argon2.c;
common = grub-core/lib/pbkdf2.c;
common = grub-core/commands/extcmd.c;
common = grub-core/lib/arg.c;
@@ -225,8 +226,8 @@ program = {
cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBTASN1)';
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -323,8 +324,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -378,8 +379,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -466,8 +467,8 @@ program = {
common = grub-core/kern/emu/argp_common.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -605,8 +606,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
@@ -691,8 +692,8 @@ program = {
ldadd = '$(LIBLZMA)';
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1400,8 +1401,8 @@ program = {
common = grub-core/kern/emu/argp_common.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1434,8 +1435,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
@@ -1463,8 +1464,8 @@ program = {
common = grub-core/osdep/init.c;
ldadd = libgrubmods.a;
- ldadd = libgrubgcry.a;
ldadd = libgrubkern.a;
+ ldadd = libgrubgcry.a;
ldadd = grub-core/lib/gnulib/libgnu.a;
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index b3f71196a..16166b1ed 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1694,6 +1694,11 @@ module = {
common = lib/pbkdf2.c;
};
+module = {
+ name = argon2;
+ common = lib/argon2.c;
+};
+
module = {
name = relocator;
common = lib/relocator.c;
diff --git a/grub-core/lib/argon2.c b/grub-core/lib/argon2.c
new file mode 100644
index 000000000..12ad7ad1c
--- /dev/null
+++ b/grub-core/lib/argon2.c
@@ -0,0 +1,52 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/crypto.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *password, grub_size_t passwordlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen,
+ grub_size_t resultlen, void *result)
+{
+ gcry_kdf_hd_t hd = {0};
+ gpg_err_code_t err;
+
+ if (saltlen == 0)
+ return GPG_ERR_INV_VALUE;
+
+ err = _gcry_kdf_open (&hd, GRUB_GCRY_KDF_ARGON2, subalgo, param, paramlen,
+ password, passwordlen, salt, saltlen, key, keylen,
+ ad, adlen);
+ if (err != GPG_ERR_NO_ERROR)
+ return err;
+
+ err = _gcry_kdf_compute (hd, NULL);
+ if (err == GPG_ERR_NO_ERROR)
+ err = _gcry_kdf_final (hd, resultlen, result);
+
+ _gcry_kdf_close (hd);
+
+ return err;
+}
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index d323f00ce..c6eb8b2d2 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -573,6 +573,15 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
unsigned int c,
grub_uint8_t *DK, grub_size_t dkLen);
+gcry_err_code_t
+grub_crypto_argon2 (int subalgo,
+ const unsigned long *param, unsigned int paramlen,
+ const void *password, grub_size_t passwordlen,
+ const void *salt, grub_size_t saltlen,
+ const void *key, grub_size_t keylen,
+ const void *ad, grub_size_t adlen,
+ grub_size_t resultlen, void *result);
+
int
grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 5/9] Import Argon2 tests from libgcrypt
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
` (3 preceding siblings ...)
2025-08-06 7:16 ` [PATCH v2 4/9] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-21 20:33 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 6/9] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
` (3 subsequent siblings)
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt
to grub-core/tests/argon2_test.c.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
grub-core/tests/argon2_test.c | 141 ++++++++++++++++++++++++++++++++++
1 file changed, 141 insertions(+)
create mode 100644 grub-core/tests/argon2_test.c
diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
new file mode 100644
index 000000000..d2f70166a
--- /dev/null
+++ b/grub-core/tests/argon2_test.c
@@ -0,0 +1,141 @@
+static void
+check_argon2 (void)
+{
+ gcry_error_t err;
+ static struct {
+ int subalgo;
+ unsigned long param[4];
+ size_t passlen;
+ const char *pass;
+ size_t saltlen;
+ const char *salt;
+ size_t keylen;
+ const char *key;
+ size_t adlen;
+ const char *ad;
+ size_t dklen;
+ const char *dk;
+ } tv[] = {
+ {
+ GCRY_KDF_ARGON2D,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\x51\x2b\x39\x1b\x6f\x11\x62\x97\x53\x71\xd3\x09\x19\x73\x42\x94"
+ "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
+ },
+ {
+ GCRY_KDF_ARGON2I,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\xc8\x14\xd9\xd1\xdc\x7f\x37\xaa\x13\xf0\xd7\x7f\x24\x94\xbd\xa1"
+ "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
+ },
+ {
+ GCRY_KDF_ARGON2ID,
+ { 32, 3, 32, 4 },
+ 32,
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+ "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
+ 16,
+ "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
+ 8,
+ "\x03\x03\x03\x03\x03\x03\x03\x03",
+ 12,
+ "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
+ 32,
+ "\x0d\x64\x0d\xf5\x8d\x78\x76\x6c\x08\xc0\x37\xa3\x4a\x8b\x53\xc9"
+ "\xd0\x1e\xf0\x45\x2d\x75\xb6\x5e\xb5\x25\x20\xe9\x6b\x01\xe6\x59"
+ },
+ {
+ /* empty password */
+ GCRY_KDF_ARGON2I,
+ { 32, 3, 128, 1 },
+ 0, NULL,
+ 16,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ 0, NULL,
+ 0, NULL,
+ 32,
+ "\xbb\x1f\xf2\xb9\x9f\xd4\x4a\xd9\xdf\x7f\xb9\x54\x55\x9e\xb8\xeb"
+ "\xb5\x9d\xab\xce\x2e\x62\x9f\x9b\x89\x09\xfe\xde\x57\xcc\x63\x86"
+ },
+ {
+ /* empty password */
+ GCRY_KDF_ARGON2ID,
+ { 32, 3, 128, 1 },
+ 0, NULL,
+ 16,
+ "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ 0, NULL,
+ 0, NULL,
+ 32,
+ "\x09\x2f\x38\x35\xac\xb2\x43\x92\x93\xeb\xcd\xe8\x04\x16\x6a\x31"
+ "\xce\x14\xd4\x55\xdb\xd8\xf7\xe6\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb"
+ },
+ };
+ unsigned char out[32];
+ int i;
+ int count;
+
+ for (count = 0; count < DIM(tv); count++)
+ {
+ if (verbose)
+ fprintf (stderr, "checking ARGON2 test vector %d\n", count);
+
+ err = my_kdf_derive (0, GCRY_KDF_ARGON2,
+ tv[count].subalgo, tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ if (err)
+ fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
+ else if (memcmp (out, tv[count].dk, tv[count].dklen))
+ {
+ fail ("argon2 test %d failed: mismatch\n", count*2+0);
+ fputs ("got:", stderr);
+ for (i=0; i < tv[count].dklen; i++)
+ fprintf (stderr, " %02x", out[i]);
+ putc ('\n', stderr);
+ }
+
+#ifdef HAVE_PTHREAD
+ err = my_kdf_derive (1, GCRY_KDF_ARGON2,
+ tv[count].subalgo, tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ if (err)
+ fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
+ else if (memcmp (out, tv[count].dk, tv[count].dklen))
+ {
+ fail ("argon2 test %d failed: mismatch\n", count*2+1);
+ fputs ("got:", stderr);
+ for (i=0; i < tv[count].dklen; i++)
+ fprintf (stderr, " %02x", out[i]);
+ putc ('\n', stderr);
+ }
+#endif
+ }
+}
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 6/9] Integrate Argon2 tests into functional_test
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
` (4 preceding siblings ...)
2025-08-06 7:16 ` [PATCH v2 5/9] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-21 20:34 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 7/9] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
` (2 subsequent siblings)
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Refactor the Argon2 tests to enable the module build and integrate the
tests into function_test.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
grub-core/Makefile.core.def | 5 ++
grub-core/tests/argon2_test.c | 104 +++++++++++++-------------
grub-core/tests/lib/functional_test.c | 1 +
3 files changed, 57 insertions(+), 53 deletions(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 16166b1ed..fb96f92a5 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2222,6 +2222,11 @@ module = {
common = tests/pbkdf2_test.c;
};
+module = {
+ name = argon2_test;
+ common = tests/argon2_test.c;
+};
+
module = {
name = legacy_password_test;
common = tests/legacy_password_test.c;
diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
index d2f70166a..8318a0962 100644
--- a/grub-core/tests/argon2_test.c
+++ b/grub-core/tests/argon2_test.c
@@ -1,23 +1,50 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/test.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/crypto.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define DIM(v) (sizeof(v)/sizeof((v)[0]))
+
static void
-check_argon2 (void)
+argon2_test (void)
{
gcry_error_t err;
static struct {
int subalgo;
unsigned long param[4];
- size_t passlen;
+ grub_size_t passlen;
const char *pass;
- size_t saltlen;
+ grub_size_t saltlen;
const char *salt;
- size_t keylen;
+ grub_size_t keylen;
const char *key;
- size_t adlen;
+ grub_size_t adlen;
const char *ad;
- size_t dklen;
+ grub_size_t dklen;
const char *dk;
} tv[] = {
{
- GCRY_KDF_ARGON2D,
+ GRUB_GCRY_KDF_ARGON2D,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -33,7 +60,7 @@ check_argon2 (void)
"\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
},
{
- GCRY_KDF_ARGON2I,
+ GRUB_GCRY_KDF_ARGON2I,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -49,7 +76,7 @@ check_argon2 (void)
"\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
},
{
- GCRY_KDF_ARGON2ID,
+ GRUB_GCRY_KDF_ARGON2ID,
{ 32, 3, 32, 4 },
32,
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
@@ -66,7 +93,7 @@ check_argon2 (void)
},
{
/* empty password */
- GCRY_KDF_ARGON2I,
+ GRUB_GCRY_KDF_ARGON2I,
{ 32, 3, 128, 1 },
0, NULL,
16,
@@ -79,7 +106,7 @@ check_argon2 (void)
},
{
/* empty password */
- GCRY_KDF_ARGON2ID,
+ GRUB_GCRY_KDF_ARGON2ID,
{ 32, 3, 128, 1 },
0, NULL,
16,
@@ -92,50 +119,21 @@ check_argon2 (void)
},
};
unsigned char out[32];
- int i;
- int count;
+ unsigned int count;
for (count = 0; count < DIM(tv); count++)
{
- if (verbose)
- fprintf (stderr, "checking ARGON2 test vector %d\n", count);
-
- err = my_kdf_derive (0, GCRY_KDF_ARGON2,
- tv[count].subalgo, tv[count].param, 4,
- tv[count].pass, tv[count].passlen,
- tv[count].salt, tv[count].saltlen,
- tv[count].key, tv[count].keylen,
- tv[count].ad, tv[count].adlen,
- tv[count].dklen, out);
- if (err)
- fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror (err));
- else if (memcmp (out, tv[count].dk, tv[count].dklen))
- {
- fail ("argon2 test %d failed: mismatch\n", count*2+0);
- fputs ("got:", stderr);
- for (i=0; i < tv[count].dklen; i++)
- fprintf (stderr, " %02x", out[i]);
- putc ('\n', stderr);
- }
-
-#ifdef HAVE_PTHREAD
- err = my_kdf_derive (1, GCRY_KDF_ARGON2,
- tv[count].subalgo, tv[count].param, 4,
- tv[count].pass, tv[count].passlen,
- tv[count].salt, tv[count].saltlen,
- tv[count].key, tv[count].keylen,
- tv[count].ad, tv[count].adlen,
- tv[count].dklen, out);
- if (err)
- fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror (err));
- else if (memcmp (out, tv[count].dk, tv[count].dklen))
- {
- fail ("argon2 test %d failed: mismatch\n", count*2+1);
- fputs ("got:", stderr);
- for (i=0; i < tv[count].dklen; i++)
- fprintf (stderr, " %02x", out[i]);
- putc ('\n', stderr);
- }
-#endif
+ err = grub_crypto_argon2 (tv[count].subalgo,
+ tv[count].param, 4,
+ tv[count].pass, tv[count].passlen,
+ tv[count].salt, tv[count].saltlen,
+ tv[count].key, tv[count].keylen,
+ tv[count].ad, tv[count].adlen,
+ tv[count].dklen, out);
+ grub_test_assert (err == 0, "argon2 test %d failed: %d", count, err);
+ grub_test_assert (grub_memcmp (out, tv[count].dk, tv[count].dklen) == 0,
+ "argon2 test %d failed: mismatch", count);
}
}
+
+GRUB_FUNCTIONAL_TEST (argon2_test, argon2_test);
diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
index 38e981f2c..0289ff38f 100644
--- a/grub-core/tests/lib/functional_test.c
+++ b/grub-core/tests/lib/functional_test.c
@@ -80,6 +80,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
grub_dl_load ("mul_test");
grub_dl_load ("shift_test");
grub_dl_load ("asn1_test");
+ grub_dl_load ("argon2_test");
FOR_LIST_ELEMENTS (test, grub_test_list)
ok = !grub_test_run (test) && ok;
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 7/9] disk/luks2: Add Argon2 support
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
` (5 preceding siblings ...)
2025-08-06 7:16 ` [PATCH v2 6/9] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-21 20:37 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 8/9] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 9/9] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Leverage the new grub_crypto_argon2() function to add support for the
Argon2i and Argon2id KDFs in LUKS2
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
grub-core/disk/luks2.c | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index b17cd2115..1fa68c3a3 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
enum grub_luks2_kdf_type
{
LUKS2_KDF_TYPE_ARGON2I,
+ LUKS2_KDF_TYPE_ARGON2ID,
LUKS2_KDF_TYPE_PBKDF2
};
typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
@@ -159,7 +160,7 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
grub_json_getstring (&type, &kdf, "type") ||
grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
- else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type, "argon2id"))
+ else if (!grub_strcmp (type, "argon2i"))
{
out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
@@ -167,6 +168,14 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot)
grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters");
}
+ else if (!grub_strcmp (type, "argon2id"))
+ {
+ out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
+ if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") ||
+ grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2id parameters");
+ }
else if (!grub_strcmp (type, "pbkdf2"))
{
out->kdf.type = LUKS2_KDF_TYPE_PBKDF2;
@@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
grub_uint8_t *split_key = NULL;
idx_t saltlen = sizeof (salt);
+ int subalgo;
+ unsigned long param[4];
char cipher[32], *p;
const gcry_md_spec_t *hash;
gcry_err_code_t gcry_ret;
@@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
switch (k->kdf.type)
{
case LUKS2_KDF_TYPE_ARGON2I:
- ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
- goto err;
+ case LUKS2_KDF_TYPE_ARGON2ID:
+ if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
+ subalgo = GRUB_GCRY_KDF_ARGON2I;
+ else
+ subalgo = GRUB_GCRY_KDF_ARGON2ID;
+
+ param[0] = k->area.key_size;
+ param[1] = k->kdf.u.argon2i.time;
+ param[2] = k->kdf.u.argon2i.memory;
+ param[3] = k->kdf.u.argon2i.cpus;
+
+ gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
+ passphrase, passphraselen,
+ salt, saltlen,
+ NULL, 0, NULL, 0,
+ k->area.key_size, area_key);
+ if (gcry_ret)
+ {
+ ret = grub_crypto_gcry_error (gcry_ret);
+ goto err;
+ }
+
+ break;
case LUKS2_KDF_TYPE_PBKDF2:
hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
if (!hash)
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 8/9] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
` (6 preceding siblings ...)
2025-08-06 7:16 ` [PATCH v2 7/9] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-21 20:38 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 9/9] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Given that the LUKS1 test already covers PBKDF2, the default KDF for the
LUKS2 test has been switched to Argon2id to ensure both algorithms are
validated.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
tests/util/grub-fs-tester.in | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
index cac58dafa..126f19a7e 100644
--- a/tests/util/grub-fs-tester.in
+++ b/tests/util/grub-fs-tester.in
@@ -860,8 +860,14 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
MOUNTDEVICE="/dev/mapper/grub_test-testvol"
MOUNTFS=ext2
"mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
- x"luks"*)
- echo -n "$PASS" | cryptsetup luksFormat --type "$fs" --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+ xluks1)
+ echo -n "$PASS" | cryptsetup luksFormat --type luks1 --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks $LODEVICE
+ echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
+ MOUNTDEVICE="/dev/mapper/${DMNAME}"
+ MOUNTFS=ext2
+ "mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
+ xluks2)
+ echo -n "$PASS" | cryptsetup luksFormat --type luks2 --sector-size $SECSIZE --pbkdf argon2id --force-password --disable-locks $LODEVICE
echo -n "$PASS" | cryptsetup open --disable-locks $LODEVICE "$DMNAME"
MOUNTDEVICE="/dev/mapper/${DMNAME}"
MOUNTFS=ext2
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH v2 9/9] docs: Document argon2 and argon2_test
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
` (7 preceding siblings ...)
2025-08-06 7:16 ` [PATCH v2 8/9] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
@ 2025-08-06 7:16 ` Gary Lin via Grub-devel
2025-08-21 20:39 ` Vladimir 'phcoder' Serbinenko
8 siblings, 1 reply; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-06 7:16 UTC (permalink / raw)
To: The development of GNU GRUB
Cc: Gary Lin, Daniel Kiper, Vladimir 'phcoder' Serbinenko,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
Document the argon2 and argon2_test modules.
Signed-off-by: Gary Lin <glin@suse.com>
Tested-By: Waldemar Brodkorb <wbx@openadk.org>
---
docs/grub.texi | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 34b3484dc..b3908ecf6 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3889,6 +3889,8 @@ Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.
* aout_module::
* appleldr_module::
* archelp_module::
+* argon2_module::
+* argon2_test_module::
* at_keyboard_module::
* ata_module::
* backtrace_module::
@@ -4244,6 +4246,15 @@ computer (Intel based Macs).
This module provides Archive Helper functions for archive based file systems
such as TAR and CPIO archives.
+@node argon2_module
+@section argon2
+This module provides support for the Argon2 key derivation function.
+
+@node argon2_test_module
+@section argon2_test
+This module is intended for performing a functional test of the Argon2
+operation in GRUB.
+
@node at_keyboard_module
@section at_keyboard
This module provides support for the AT keyboard input for the GRUB terminal.
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread
* Re: [PATCH v2 2/9] crypto: Update crypto.h for libgcrypt KDF functions
2025-08-06 7:16 ` [PATCH v2 2/9] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
@ 2025-08-21 15:39 ` Vladimir 'phcoder' Serbinenko
0 siblings, 0 replies; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 15:39 UTC (permalink / raw)
To: Gary Lin
Cc: The development of GNU GRUB, Daniel Kiper, Glenn Washburn,
Michael Chang, Waldemar Brodkorb
[-- Attachment #1.1: Type: text/plain, Size: 3509 bytes --]
Looks good. Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Regards
Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
> Add the following items to crypto.h
> - more GPG error types
> - _gcry_digest_spec_blake2b_512 for Argon2
> - KDF algorithm IDs for Argon2
> - prototypes of '_gcry_kdf_*' functions
>
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
> include/grub/crypto.h | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/include/grub/crypto.h b/include/grub/crypto.h
> index b0d7add1d..d323f00ce 100644
> --- a/include/grub/crypto.h
> +++ b/include/grub/crypto.h
> @@ -34,6 +34,7 @@ typedef enum
> GPG_ERR_BAD_MPI,
> GPG_ERR_BAD_SECKEY,
> GPG_ERR_BAD_SIGNATURE,
> + GPG_ERR_CANCELED,
> GPG_ERR_CIPHER_ALGO,
> GPG_ERR_CONFLICT,
> GPG_ERR_DECRYPT_FAILED,
> @@ -48,6 +49,7 @@ typedef enum
> GPG_ERR_INV_OP,
> GPG_ERR_INV_SEXP,
> GPG_ERR_INV_VALUE,
> + GPG_ERR_MAC_ALGO,
> GPG_ERR_MISSING_VALUE,
> GPG_ERR_NO_ENCRYPTION_SCHEME,
> GPG_ERR_NO_OBJ,
> @@ -59,7 +61,9 @@ typedef enum
> GPG_ERR_PUBKEY_ALGO,
> GPG_ERR_SELFTEST_FAILED,
> GPG_ERR_TOO_SHORT,
> + GPG_ERR_UNKNOWN_ALGORITHM,
> GPG_ERR_UNSUPPORTED,
> + GPG_ERR_UNSUPPORTED_ALGORITHM,
> GPG_ERR_WEAK_KEY,
> GPG_ERR_WRONG_KEY_USAGE,
> GPG_ERR_WRONG_PUBKEY_ALGO,
> @@ -512,6 +516,7 @@ extern gcry_md_spec_t _gcry_digest_spec_sha1;
> extern gcry_md_spec_t _gcry_digest_spec_sha256;
> extern gcry_md_spec_t _gcry_digest_spec_sha512;
> extern gcry_md_spec_t _gcry_digest_spec_crc32;
> +extern gcry_md_spec_t _gcry_digest_spec_blake2b_512;
> extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
> #define GRUB_MD_MD5 ((const gcry_md_spec_t *) &_gcry_digest_spec_md5)
> #define GRUB_MD_SHA1 ((const gcry_md_spec_t *) &_gcry_digest_spec_sha1)
> @@ -520,6 +525,41 @@ extern gcry_cipher_spec_t _gcry_cipher_spec_aes;
> #define GRUB_MD_CRC32 ((const gcry_md_spec_t *) &_gcry_digest_spec_crc32)
> #define GRUB_CIPHER_AES ((const gcry_cipher_spec_t *)
> &_gcry_cipher_spec_aes)
>
> +/* Algorithm IDs for the KDFs. */
> +enum grub_gcry_kdf_algos
> + {
> + GRUB_GCRY_KDF_NONE = 0,
> + GRUB_GCRY_KDF_ARGON2 = 64,
> + };
> +
> +enum grub_gcry_kdf_subalgo_argon2
> + {
> + GRUB_GCRY_KDF_ARGON2D = 0,
> + GRUB_GCRY_KDF_ARGON2I = 1,
> + GRUB_GCRY_KDF_ARGON2ID = 2
> + };
> +
> +typedef struct gcry_kdf_handle *gcry_kdf_hd_t;
> +struct gcry_kdf_handle;
> +struct gcry_kdf_thread_ops;
> +
> +gpg_err_code_t
> +_gcry_kdf_open (gcry_kdf_hd_t *hd, int algo, int subalgo,
> + const unsigned long *param, unsigned int paramlen,
> + const void *input, grub_size_t inputlen,
> + const void *salt, grub_size_t saltlen,
> + const void *key, grub_size_t keylen,
> + const void *ad, grub_size_t adlen);
> +
> +gpg_err_code_t
> +_gcry_kdf_compute (gcry_kdf_hd_t h, const struct gcry_kdf_thread_ops
> *ops);
> +
> +gpg_err_code_t
> +_gcry_kdf_final (gcry_kdf_hd_t h, grub_size_t resultlen, void *result);
> +
> +void
> +_gcry_kdf_close (gcry_kdf_hd_t h);
> +
> /* Implement PKCS#5 PBKDF2 as per RFC 2898. The PRF to use is HMAC
> variant
> of digest supplied by MD. Inputs are the password P of length PLEN,
> the salt S of length SLEN, the iteration counter C (> 0), and the
> --
> 2.43.0
>
>
[-- Attachment #1.2: Type: text/html, Size: 4392 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 1/9] util/import_gcry: Import kdf.c for Argon2
[not found] ` <CAEaD8JO8HLqSOKyyHHf69r0LO1w+C-eTAs-V1b-_vJ_is9Wodw@mail.gmail.com>
@ 2025-08-21 15:40 ` Vladimir 'phcoder' Serbinenko
2025-08-22 1:21 ` Gary Lin via Grub-devel
0 siblings, 1 reply; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 15:40 UTC (permalink / raw)
To: Gary Lin, The development of GRUB 2
[-- Attachment #1.1: Type: text/plain, Size: 4404 bytes --]
>
>
Few comments, otherwise looks good
>
>>
>>
>> Signed-off-by: Gary Lin <glin@suse.com>
>> ---
>> util/import_gcry.py | 28 ++++++++++++++++++++++++++--
>> 1 file changed, 26 insertions(+), 2 deletions(-)
>>
>> diff --git a/util/import_gcry.py b/util/import_gcry.py
>> index 086bde77c..5b24e4041 100644
>> --- a/util/import_gcry.py
>> +++ b/util/import_gcry.py
>> @@ -146,7 +146,7 @@ with codecs.open (os.path.join (cipher_dir_out,
>> "crypto.lst"), "w", "utf-8") as
>> chlog = "%s%s: Removed\n" % (chlog, chlognew)
>> continue
>> # TODO: Support KDF
>>
> Please update the comment
>
>> - if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
>> + if re.match (r"(scrypt\.c)$", cipher_file):
>> chlog = "%s%s: Removed\n" % (chlog, chlognew)
>> continue
>> # TODO: Support chacha20 and poly1305
>> @@ -313,6 +313,16 @@ with codecs.open (os.path.join (cipher_dir_out,
>> "crypto.lst"), "w", "utf-8") as
>> chlognew = "%s %s" % (chlognew, chmsg)
>> nch = True
>> continue
>> + elif re.match
>> ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*",
>> line) is not None and cipher_file == "kdf.c":
>>
> Here should be a new Todo for supporting other KDF.
>
> + skip = 1
>> + fname = re.match ("[a-zA-Z0-9_]*",
>> line).group ()
>> + chmsg = "(%s): Removed." % fname
>> + if nch:
>> + chlognew = "%s\n %s" % (chlognew,
>> chmsg)
>> + else:
>> + chlognew = "%s %s" % (chlognew, chmsg)
>> + nch = True
>> + continue
>> else:
>> fw.write (holdline)
>> m = re.match ("# *include <(.*)>", line)
>> @@ -439,7 +449,7 @@ with codecs.open (os.path.join (cipher_dir_out,
>> "crypto.lst"), "w", "utf-8") as
>> nch = True
>> continue
>>
>> - m = re.match (r"((static )?const char( |)\*|static
>> const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static
>> )?int|(static )?unsigned int|(static )?gcry_err_code_t|static
>> gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
>> + m = re.match (r"((static )?const char( |)\*|static
>> const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static
>> )?int|(static )?unsigned int|(static )?gcry_err_code_t|static
>> gcry_mpi_t|static void|void|static elliptic_curve_t|static u64|static
>> size_t) *$", line)
>> if not m is None:
>> hold = True
>> holdline = line
>> @@ -575,6 +585,20 @@ with codecs.open (os.path.join (cipher_dir_out,
>> "crypto.lst"), "w", "utf-8") as
>> conf.write ("};\n\n")
>> if nch:
>> chlog = "%s%s\n" % (chlog, chlognew)
>> + elif cipher_file == "kdf.c":
>> + modfiles = ["kdf.c"]
>> + if modname in extra_files:
>> + modfiles += extra_files[modname]
>> + conf.write ("module = {\n")
>> + conf.write (" name = %s;\n" % modname)
>> + for src in modfiles:
>> + conf.write (" common =
>> lib/libgcrypt-grub/cipher/%s;\n" % src)
>> + confutil.write (" common =
>> grub-core/lib/libgcrypt-grub/cipher/%s;\n" % src)
>> + conf.write (" cflags = '$(CFLAGS_GCRY)';\n")
>> + conf.write (" cppflags = '$(CPPFLAGS_GCRY)';\n")
>> + conf.write ("};\n\n")
>> + if nch:
>> + chlog = "%s%s\n" % (chlog, chlognew)
>> elif isc and cipher_file not in extra_files_list:
>> print ("WARNING: C file isn't a module: %s" %
>> cipher_file)
>> os.remove (outfile)
>> --
>> 2.43.0
>>
>> Regards
> Vladimir 'phcoder' Serbinenko
>
[-- Attachment #1.2: Type: text/html, Size: 6943 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 4/9] argon2: Introduce grub_crypto_argon2()
2025-08-06 7:16 ` [PATCH v2 4/9] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
@ 2025-08-21 20:30 ` Vladimir 'phcoder' Serbinenko
0 siblings, 0 replies; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 20:30 UTC (permalink / raw)
To: Gary Lin
Cc: The development of GNU GRUB, Daniel Kiper, Glenn Washburn,
Michael Chang, Waldemar Brodkorb
[-- Attachment #1.1: Type: text/plain, Size: 7832 bytes --]
Looks good. Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Regards
Vladimir 'phcoder' Serbinenko
Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
> This commit introduces grub_crypto_argon2() which leverages the
> '_gcry_kdf_*' functions from libgcrypt to provide Argon2 support.
>
> Due to the dependency of the '_gcry_kdf_*' functions, the order of
> 'ldadd' entries have to be tweaked in Makefile.util.def so that the
> linker can discover those functions.
>
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
> Makefile.util.def | 19 +++++++-------
> grub-core/Makefile.core.def | 5 ++++
> grub-core/lib/argon2.c | 52 +++++++++++++++++++++++++++++++++++++
> include/grub/crypto.h | 9 +++++++
> 4 files changed, 76 insertions(+), 9 deletions(-)
> create mode 100644 grub-core/lib/argon2.c
>
> diff --git a/Makefile.util.def b/Makefile.util.def
> index 038253b37..820897bff 100644
> --- a/Makefile.util.def
> +++ b/Makefile.util.def
> @@ -43,6 +43,7 @@ library = {
> common = grub-core/disk/key_protector.c;
> common = grub-core/disk/cryptodisk.c;
> common = grub-core/disk/AFSplitter.c;
> + common = grub-core/lib/argon2.c;
> common = grub-core/lib/pbkdf2.c;
> common = grub-core/commands/extcmd.c;
> common = grub-core/lib/arg.c;
> @@ -225,8 +226,8 @@ program = {
> cflags = '-I$(srcdir)/grub-core/lib/tss2
> -I$(srcdir)/grub-core/commands/tpm2_key_protector';
>
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBTASN1)';
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR)
> $(LIBGEOM)';
> @@ -323,8 +324,8 @@ program = {
> common = grub-core/osdep/init.c;
>
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR)
> $(LIBGEOM)';
> };
> @@ -378,8 +379,8 @@ program = {
> common = grub-core/osdep/init.c;
>
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR)
> $(LIBGEOM)';
> };
> @@ -466,8 +467,8 @@ program = {
> common = grub-core/kern/emu/argp_common.c;
>
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR)
> $(LIBGEOM)';
> };
> @@ -605,8 +606,8 @@ program = {
>
> ldadd = '$(LIBLZMA)';
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR)
> $(LIBGEOM)';
>
> @@ -691,8 +692,8 @@ program = {
>
> ldadd = '$(LIBLZMA)';
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR)
> $(LIBGEOM)';
> };
> @@ -1400,8 +1401,8 @@ program = {
> common = grub-core/kern/emu/argp_common.c;
>
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
> };
> @@ -1434,8 +1435,8 @@ program = {
> common = grub-core/osdep/init.c;
>
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
> };
> @@ -1463,8 +1464,8 @@ program = {
> common = grub-core/osdep/init.c;
>
> ldadd = libgrubmods.a;
> - ldadd = libgrubgcry.a;
> ldadd = libgrubkern.a;
> + ldadd = libgrubgcry.a;
> ldadd = grub-core/lib/gnulib/libgnu.a;
> ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
> };
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index b3f71196a..16166b1ed 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -1694,6 +1694,11 @@ module = {
> common = lib/pbkdf2.c;
> };
>
> +module = {
> + name = argon2;
> + common = lib/argon2.c;
> +};
> +
> module = {
> name = relocator;
> common = lib/relocator.c;
> diff --git a/grub-core/lib/argon2.c b/grub-core/lib/argon2.c
> new file mode 100644
> index 000000000..12ad7ad1c
> --- /dev/null
> +++ b/grub-core/lib/argon2.c
> @@ -0,0 +1,52 @@
> +/*
> + * GRUB -- GRand Unified Bootloader
> + * Copyright (C) 2025 Free Software Foundation, Inc.
> + *
> + * GRUB is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * GRUB is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#include <grub/crypto.h>
> +#include <grub/dl.h>
> +
> +GRUB_MOD_LICENSE ("GPLv3+");
> +
> +gcry_err_code_t
> +grub_crypto_argon2 (int subalgo,
> + const unsigned long *param, unsigned int paramlen,
> + const void *password, grub_size_t passwordlen,
> + const void *salt, grub_size_t saltlen,
> + const void *key, grub_size_t keylen,
> + const void *ad, grub_size_t adlen,
> + grub_size_t resultlen, void *result)
> +{
> + gcry_kdf_hd_t hd = {0};
> + gpg_err_code_t err;
> +
> + if (saltlen == 0)
> + return GPG_ERR_INV_VALUE;
> +
> + err = _gcry_kdf_open (&hd, GRUB_GCRY_KDF_ARGON2, subalgo, param,
> paramlen,
> + password, passwordlen, salt, saltlen, key, keylen,
> + ad, adlen);
> + if (err != GPG_ERR_NO_ERROR)
> + return err;
> +
> + err = _gcry_kdf_compute (hd, NULL);
> + if (err == GPG_ERR_NO_ERROR)
> + err = _gcry_kdf_final (hd, resultlen, result);
> +
> + _gcry_kdf_close (hd);
> +
> + return err;
> +}
> diff --git a/include/grub/crypto.h b/include/grub/crypto.h
> index d323f00ce..c6eb8b2d2 100644
> --- a/include/grub/crypto.h
> +++ b/include/grub/crypto.h
> @@ -573,6 +573,15 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
> unsigned int c,
> grub_uint8_t *DK, grub_size_t dkLen);
>
> +gcry_err_code_t
> +grub_crypto_argon2 (int subalgo,
> + const unsigned long *param, unsigned int paramlen,
> + const void *password, grub_size_t passwordlen,
> + const void *salt, grub_size_t saltlen,
> + const void *key, grub_size_t keylen,
> + const void *ad, grub_size_t adlen,
> + grub_size_t resultlen, void *result);
> +
> int
> grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
>
> --
> 2.43.0
>
>
[-- Attachment #1.2: Type: text/html, Size: 9332 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 5/9] Import Argon2 tests from libgcrypt
2025-08-06 7:16 ` [PATCH v2 5/9] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
@ 2025-08-21 20:33 ` Vladimir 'phcoder' Serbinenko
2025-08-22 1:30 ` Gary Lin via Grub-devel
0 siblings, 1 reply; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 20:33 UTC (permalink / raw)
To: Gary Lin
Cc: The development of GNU GRUB, Daniel Kiper, Glenn Washburn,
Michael Chang, Waldemar Brodkorb
[-- Attachment #1.1: Type: text/plain, Size: 6047 bytes --]
Can we make it a "functional" test? This would allow it to run on real
grub2 rather than in OS environment.
Regards
Vladimir 'phcoder' Serbinenko
Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
> Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt
> to grub-core/tests/argon2_test.c.
>
> Signed-off-by: Gary Lin <glin@suse.com>
> Tested-By: Waldemar Brodkorb <wbx@openadk.org>
> ---
> grub-core/tests/argon2_test.c | 141 ++++++++++++++++++++++++++++++++++
> 1 file changed, 141 insertions(+)
> create mode 100644 grub-core/tests/argon2_test.c
>
> diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
> new file mode 100644
> index 000000000..d2f70166a
> --- /dev/null
> +++ b/grub-core/tests/argon2_test.c
> @@ -0,0 +1,141 @@
> +static void
> +check_argon2 (void)
> +{
> + gcry_error_t err;
> + static struct {
> + int subalgo;
> + unsigned long param[4];
> + size_t passlen;
> + const char *pass;
> + size_t saltlen;
> + const char *salt;
> + size_t keylen;
> + const char *key;
> + size_t adlen;
> + const char *ad;
> + size_t dklen;
> + const char *dk;
> + } tv[] = {
> + {
> + GCRY_KDF_ARGON2D,
> + { 32, 3, 32, 4 },
> + 32,
> + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
> + 16,
> + "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
> + 8,
> + "\x03\x03\x03\x03\x03\x03\x03\x03",
> + 12,
> + "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
> + 32,
> + "\x51\x2b\x39\x1b\x6f\x11\x62\x97\x53\x71\xd3\x09\x19\x73\x42\x94"
> + "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
> + },
> + {
> + GCRY_KDF_ARGON2I,
> + { 32, 3, 32, 4 },
> + 32,
> + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
> + 16,
> + "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
> + 8,
> + "\x03\x03\x03\x03\x03\x03\x03\x03",
> + 12,
> + "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
> + 32,
> + "\xc8\x14\xd9\xd1\xdc\x7f\x37\xaa\x13\xf0\xd7\x7f\x24\x94\xbd\xa1"
> + "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
> + },
> + {
> + GCRY_KDF_ARGON2ID,
> + { 32, 3, 32, 4 },
> + 32,
> + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
> + 16,
> + "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
> + 8,
> + "\x03\x03\x03\x03\x03\x03\x03\x03",
> + 12,
> + "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
> + 32,
> + "\x0d\x64\x0d\xf5\x8d\x78\x76\x6c\x08\xc0\x37\xa3\x4a\x8b\x53\xc9"
> + "\xd0\x1e\xf0\x45\x2d\x75\xb6\x5e\xb5\x25\x20\xe9\x6b\x01\xe6\x59"
> + },
> + {
> + /* empty password */
> + GCRY_KDF_ARGON2I,
> + { 32, 3, 128, 1 },
> + 0, NULL,
> + 16,
> + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
> + 0, NULL,
> + 0, NULL,
> + 32,
> + "\xbb\x1f\xf2\xb9\x9f\xd4\x4a\xd9\xdf\x7f\xb9\x54\x55\x9e\xb8\xeb"
> + "\xb5\x9d\xab\xce\x2e\x62\x9f\x9b\x89\x09\xfe\xde\x57\xcc\x63\x86"
> + },
> + {
> + /* empty password */
> + GCRY_KDF_ARGON2ID,
> + { 32, 3, 128, 1 },
> + 0, NULL,
> + 16,
> + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
> + 0, NULL,
> + 0, NULL,
> + 32,
> + "\x09\x2f\x38\x35\xac\xb2\x43\x92\x93\xeb\xcd\xe8\x04\x16\x6a\x31"
> + "\xce\x14\xd4\x55\xdb\xd8\xf7\xe6\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb"
> + },
> + };
> + unsigned char out[32];
> + int i;
> + int count;
> +
> + for (count = 0; count < DIM(tv); count++)
> + {
> + if (verbose)
> + fprintf (stderr, "checking ARGON2 test vector %d\n", count);
> +
> + err = my_kdf_derive (0, GCRY_KDF_ARGON2,
> + tv[count].subalgo, tv[count].param, 4,
> + tv[count].pass, tv[count].passlen,
> + tv[count].salt, tv[count].saltlen,
> + tv[count].key, tv[count].keylen,
> + tv[count].ad, tv[count].adlen,
> + tv[count].dklen, out);
> + if (err)
> + fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror
> (err));
> + else if (memcmp (out, tv[count].dk, tv[count].dklen))
> + {
> + fail ("argon2 test %d failed: mismatch\n", count*2+0);
> + fputs ("got:", stderr);
> + for (i=0; i < tv[count].dklen; i++)
> + fprintf (stderr, " %02x", out[i]);
> + putc ('\n', stderr);
> + }
> +
> +#ifdef HAVE_PTHREAD
> + err = my_kdf_derive (1, GCRY_KDF_ARGON2,
> + tv[count].subalgo, tv[count].param, 4,
> + tv[count].pass, tv[count].passlen,
> + tv[count].salt, tv[count].saltlen,
> + tv[count].key, tv[count].keylen,
> + tv[count].ad, tv[count].adlen,
> + tv[count].dklen, out);
> + if (err)
> + fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror
> (err));
> + else if (memcmp (out, tv[count].dk, tv[count].dklen))
> + {
> + fail ("argon2 test %d failed: mismatch\n", count*2+1);
> + fputs ("got:", stderr);
> + for (i=0; i < tv[count].dklen; i++)
> + fprintf (stderr, " %02x", out[i]);
> + putc ('\n', stderr);
> + }
> +#endif
> + }
> +}
> --
> 2.43.0
>
>
[-- Attachment #1.2: Type: text/html, Size: 7780 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 6/9] Integrate Argon2 tests into functional_test
2025-08-06 7:16 ` [PATCH v2 6/9] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
@ 2025-08-21 20:34 ` Vladimir 'phcoder' Serbinenko
0 siblings, 0 replies; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 20:34 UTC (permalink / raw)
To: Gary Lin
Cc: The development of GNU GRUB, Daniel Kiper, Glenn Washburn,
Michael Chang, Waldemar Brodkorb
[-- Attachment #1.1: Type: text/plain, Size: 7555 bytes --]
Looks good. Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
Regards
Vladimir 'phcoder' Serbinenko
Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
> Refactor the Argon2 tests to enable the module build and integrate the
> tests into function_test.
>
> Signed-off-by: Gary Lin <glin@suse.com>
> Tested-By: Waldemar Brodkorb <wbx@openadk.org>
> ---
> grub-core/Makefile.core.def | 5 ++
> grub-core/tests/argon2_test.c | 104 +++++++++++++-------------
> grub-core/tests/lib/functional_test.c | 1 +
> 3 files changed, 57 insertions(+), 53 deletions(-)
>
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index 16166b1ed..fb96f92a5 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -2222,6 +2222,11 @@ module = {
> common = tests/pbkdf2_test.c;
> };
>
> +module = {
> + name = argon2_test;
> + common = tests/argon2_test.c;
> +};
> +
> module = {
> name = legacy_password_test;
> common = tests/legacy_password_test.c;
> diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
> index d2f70166a..8318a0962 100644
> --- a/grub-core/tests/argon2_test.c
> +++ b/grub-core/tests/argon2_test.c
> @@ -1,23 +1,50 @@
> +/*
> + * GRUB -- GRand Unified Bootloader
> + * Copyright (C) 2025 Free Software Foundation, Inc.
> + *
> + * GRUB is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, either version 3 of the License, or
> + * (at your option) any later version.
> + *
> + * GRUB is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#include <grub/test.h>
> +#include <grub/dl.h>
> +#include <grub/misc.h>
> +#include <grub/crypto.h>
> +
> +GRUB_MOD_LICENSE ("GPLv3+");
> +
> +#define DIM(v) (sizeof(v)/sizeof((v)[0]))
> +
> static void
> -check_argon2 (void)
> +argon2_test (void)
> {
> gcry_error_t err;
> static struct {
> int subalgo;
> unsigned long param[4];
> - size_t passlen;
> + grub_size_t passlen;
> const char *pass;
> - size_t saltlen;
> + grub_size_t saltlen;
> const char *salt;
> - size_t keylen;
> + grub_size_t keylen;
> const char *key;
> - size_t adlen;
> + grub_size_t adlen;
> const char *ad;
> - size_t dklen;
> + grub_size_t dklen;
> const char *dk;
> } tv[] = {
> {
> - GCRY_KDF_ARGON2D,
> + GRUB_GCRY_KDF_ARGON2D,
> { 32, 3, 32, 4 },
> 32,
> "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> @@ -33,7 +60,7 @@ check_argon2 (void)
> "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
> },
> {
> - GCRY_KDF_ARGON2I,
> + GRUB_GCRY_KDF_ARGON2I,
> { 32, 3, 32, 4 },
> 32,
> "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> @@ -49,7 +76,7 @@ check_argon2 (void)
> "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
> },
> {
> - GCRY_KDF_ARGON2ID,
> + GRUB_GCRY_KDF_ARGON2ID,
> { 32, 3, 32, 4 },
> 32,
> "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> @@ -66,7 +93,7 @@ check_argon2 (void)
> },
> {
> /* empty password */
> - GCRY_KDF_ARGON2I,
> + GRUB_GCRY_KDF_ARGON2I,
> { 32, 3, 128, 1 },
> 0, NULL,
> 16,
> @@ -79,7 +106,7 @@ check_argon2 (void)
> },
> {
> /* empty password */
> - GCRY_KDF_ARGON2ID,
> + GRUB_GCRY_KDF_ARGON2ID,
> { 32, 3, 128, 1 },
> 0, NULL,
> 16,
> @@ -92,50 +119,21 @@ check_argon2 (void)
> },
> };
> unsigned char out[32];
> - int i;
> - int count;
> + unsigned int count;
>
> for (count = 0; count < DIM(tv); count++)
> {
> - if (verbose)
> - fprintf (stderr, "checking ARGON2 test vector %d\n", count);
> -
> - err = my_kdf_derive (0, GCRY_KDF_ARGON2,
> - tv[count].subalgo, tv[count].param, 4,
> - tv[count].pass, tv[count].passlen,
> - tv[count].salt, tv[count].saltlen,
> - tv[count].key, tv[count].keylen,
> - tv[count].ad, tv[count].adlen,
> - tv[count].dklen, out);
> - if (err)
> - fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror
> (err));
> - else if (memcmp (out, tv[count].dk, tv[count].dklen))
> - {
> - fail ("argon2 test %d failed: mismatch\n", count*2+0);
> - fputs ("got:", stderr);
> - for (i=0; i < tv[count].dklen; i++)
> - fprintf (stderr, " %02x", out[i]);
> - putc ('\n', stderr);
> - }
> -
> -#ifdef HAVE_PTHREAD
> - err = my_kdf_derive (1, GCRY_KDF_ARGON2,
> - tv[count].subalgo, tv[count].param, 4,
> - tv[count].pass, tv[count].passlen,
> - tv[count].salt, tv[count].saltlen,
> - tv[count].key, tv[count].keylen,
> - tv[count].ad, tv[count].adlen,
> - tv[count].dklen, out);
> - if (err)
> - fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror
> (err));
> - else if (memcmp (out, tv[count].dk, tv[count].dklen))
> - {
> - fail ("argon2 test %d failed: mismatch\n", count*2+1);
> - fputs ("got:", stderr);
> - for (i=0; i < tv[count].dklen; i++)
> - fprintf (stderr, " %02x", out[i]);
> - putc ('\n', stderr);
> - }
> -#endif
> + err = grub_crypto_argon2 (tv[count].subalgo,
> + tv[count].param, 4,
> + tv[count].pass, tv[count].passlen,
> + tv[count].salt, tv[count].saltlen,
> + tv[count].key, tv[count].keylen,
> + tv[count].ad, tv[count].adlen,
> + tv[count].dklen, out);
> + grub_test_assert (err == 0, "argon2 test %d failed: %d", count,
> err);
> + grub_test_assert (grub_memcmp (out, tv[count].dk, tv[count].dklen)
> == 0,
> + "argon2 test %d failed: mismatch", count);
> }
> }
> +
> +GRUB_FUNCTIONAL_TEST (argon2_test, argon2_test);
> diff --git a/grub-core/tests/lib/functional_test.c
> b/grub-core/tests/lib/functional_test.c
> index 38e981f2c..0289ff38f 100644
> --- a/grub-core/tests/lib/functional_test.c
> +++ b/grub-core/tests/lib/functional_test.c
> @@ -80,6 +80,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt
> __attribute__ ((unused)),
> grub_dl_load ("mul_test");
> grub_dl_load ("shift_test");
> grub_dl_load ("asn1_test");
> + grub_dl_load ("argon2_test");
>
> FOR_LIST_ELEMENTS (test, grub_test_list)
> ok = !grub_test_run (test) && ok;
> --
> 2.43.0
>
>
[-- Attachment #1.2: Type: text/html, Size: 9502 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 7/9] disk/luks2: Add Argon2 support
2025-08-06 7:16 ` [PATCH v2 7/9] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
@ 2025-08-21 20:37 ` Vladimir 'phcoder' Serbinenko
2025-08-22 1:33 ` Gary Lin via Grub-devel
0 siblings, 1 reply; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 20:37 UTC (permalink / raw)
To: Gary Lin
Cc: The development of GNU GRUB, Daniel Kiper, Glenn Washburn,
Michael Chang, Waldemar Brodkorb
[-- Attachment #1.1: Type: text/plain, Size: 3924 bytes --]
Small comment, otherwise looks good
Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
> Leverage the new grub_crypto_argon2() function to add support for the
> Argon2i and Argon2id KDFs in LUKS2
>
> Signed-off-by: Gary Lin <glin@suse.com>
> Tested-By: Waldemar Brodkorb <wbx@openadk.org>
> ---
> grub-core/disk/luks2.c | 38 +++++++++++++++++++++++++++++++++++---
> 1 file changed, 35 insertions(+), 3 deletions(-)
>
> diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
> index b17cd2115..1fa68c3a3 100644
> --- a/grub-core/disk/luks2.c
> +++ b/grub-core/disk/luks2.c
> @@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
> enum grub_luks2_kdf_type
> {
> LUKS2_KDF_TYPE_ARGON2I,
> + LUKS2_KDF_TYPE_ARGON2ID,
> LUKS2_KDF_TYPE_PBKDF2
> };
> typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
> @@ -159,7 +160,7 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> grub_json_t *keyslot)
> grub_json_getstring (&type, &kdf, "type") ||
> grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
> - else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type,
> "argon2id"))
> + else if (!grub_strcmp (type, "argon2i"))
> {
> out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
> if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> @@ -167,6 +168,14 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> grub_json_t *keyslot)
> grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i
> parameters");
> }
> + else if (!grub_strcmp (type, "argon2id"))
> + {
> + out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
> + if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> + grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory")
> ||
> + grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2id
> parameters");
>
I know that you copied from above but error messages should start with
lowercase.
+ }
> else if (!grub_strcmp (type, "pbkdf2"))
> {
> out->kdf.type = LUKS2_KDF_TYPE_PBKDF2;
> @@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
> grub_uint8_t *split_key = NULL;
> idx_t saltlen = sizeof (salt);
> + int subalgo;
> + unsigned long param[4];
> char cipher[32], *p;
> const gcry_md_spec_t *hash;
> gcry_err_code_t gcry_ret;
> @@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> switch (k->kdf.type)
> {
> case LUKS2_KDF_TYPE_ARGON2I:
> - ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
> - goto err;
> + case LUKS2_KDF_TYPE_ARGON2ID:
> + if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
> + subalgo = GRUB_GCRY_KDF_ARGON2I;
> + else
> + subalgo = GRUB_GCRY_KDF_ARGON2ID;
> +
> + param[0] = k->area.key_size;
> + param[1] = k->kdf.u.argon2i.time;
> + param[2] = k->kdf.u.argon2i.memory;
> + param[3] = k->kdf.u.argon2i.cpus;
> +
> + gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
> + passphrase, passphraselen,
> + salt, saltlen,
> + NULL, 0, NULL, 0,
> + k->area.key_size, area_key);
> + if (gcry_ret)
> + {
> + ret = grub_crypto_gcry_error (gcry_ret);
> + goto err;
> + }
> +
> + break;
> case LUKS2_KDF_TYPE_PBKDF2:
> hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
> if (!hash)
> --
> 2.43.0
>
>
[-- Attachment #1.2: Type: text/html, Size: 5335 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 8/9] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
2025-08-06 7:16 ` [PATCH v2 8/9] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
@ 2025-08-21 20:38 ` Vladimir 'phcoder' Serbinenko
0 siblings, 0 replies; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 20:38 UTC (permalink / raw)
To: Gary Lin
Cc: The development of GNU GRUB, Daniel Kiper, Glenn Washburn,
Michael Chang, Waldemar Brodkorb
[-- Attachment #1.1: Type: text/plain, Size: 2058 bytes --]
Looks good. Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
Regards
Vladimir 'phcoder' Serbinenko
Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
> Given that the LUKS1 test already covers PBKDF2, the default KDF for the
> LUKS2 test has been switched to Argon2id to ensure both algorithms are
> validated.
>
> Signed-off-by: Gary Lin <glin@suse.com>
> Tested-By: Waldemar Brodkorb <wbx@openadk.org>
> ---
> tests/util/grub-fs-tester.in | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
> index cac58dafa..126f19a7e 100644
> --- a/tests/util/grub-fs-tester.in
> +++ b/tests/util/grub-fs-tester.in
> @@ -860,8 +860,14 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE"
> "$MAXLOGSECSIZE" 1); do
> MOUNTDEVICE="/dev/mapper/grub_test-testvol"
> MOUNTFS=ext2
> "mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
> - x"luks"*)
> - echo -n "$PASS" | cryptsetup luksFormat --type "$fs"
> --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks
> $LODEVICE
> + xluks1)
> + echo -n "$PASS" | cryptsetup luksFormat --type luks1
> --sector-size $SECSIZE --pbkdf pbkdf2 --force-password --disable-locks
> $LODEVICE
> + echo -n "$PASS" | cryptsetup open --disable-locks
> $LODEVICE "$DMNAME"
> + MOUNTDEVICE="/dev/mapper/${DMNAME}"
> + MOUNTFS=ext2
> + "mkfs.ext2" -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
> + xluks2)
> + echo -n "$PASS" | cryptsetup luksFormat --type luks2
> --sector-size $SECSIZE --pbkdf argon2id --force-password --disable-locks
> $LODEVICE
> echo -n "$PASS" | cryptsetup open --disable-locks
> $LODEVICE "$DMNAME"
> MOUNTDEVICE="/dev/mapper/${DMNAME}"
> MOUNTFS=ext2
> --
> 2.43.0
>
>
[-- Attachment #1.2: Type: text/html, Size: 3422 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 9/9] docs: Document argon2 and argon2_test
2025-08-06 7:16 ` [PATCH v2 9/9] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
@ 2025-08-21 20:39 ` Vladimir 'phcoder' Serbinenko
0 siblings, 0 replies; 21+ messages in thread
From: Vladimir 'phcoder' Serbinenko @ 2025-08-21 20:39 UTC (permalink / raw)
To: Gary Lin
Cc: The development of GNU GRUB, Daniel Kiper, Glenn Washburn,
Michael Chang, Waldemar Brodkorb
[-- Attachment #1.1: Type: text/plain, Size: 1442 bytes --]
Looks good. Reviewed-by: Vladimir Serbinenko<phcoder@gmail.com>
Regards
Vladimir 'phcoder' Serbinenko
Le mer. 6 août 2025, 10:17, Gary Lin <glin@suse.com> a écrit :
> Document the argon2 and argon2_test modules.
>
> Signed-off-by: Gary Lin <glin@suse.com>
> Tested-By: Waldemar Brodkorb <wbx@openadk.org>
> ---
> docs/grub.texi | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index 34b3484dc..b3908ecf6 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -3889,6 +3889,8 @@ Modules can be loaded via the @command{insmod}
> (@pxref{insmod}) command.
> * aout_module::
> * appleldr_module::
> * archelp_module::
> +* argon2_module::
> +* argon2_test_module::
> * at_keyboard_module::
> * ata_module::
> * backtrace_module::
> @@ -4244,6 +4246,15 @@ computer (Intel based Macs).
> This module provides Archive Helper functions for archive based file
> systems
> such as TAR and CPIO archives.
>
> +@node argon2_module
> +@section argon2
> +This module provides support for the Argon2 key derivation function.
> +
> +@node argon2_test_module
> +@section argon2_test
> +This module is intended for performing a functional test of the Argon2
> +operation in GRUB.
> +
> @node at_keyboard_module
> @section at_keyboard
> This module provides support for the AT keyboard input for the GRUB
> terminal.
> --
> 2.43.0
>
>
[-- Attachment #1.2: Type: text/html, Size: 2077 bytes --]
[-- Attachment #2: Type: text/plain, Size: 141 bytes --]
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 1/9] util/import_gcry: Import kdf.c for Argon2
2025-08-21 15:40 ` Vladimir 'phcoder' Serbinenko
@ 2025-08-22 1:21 ` Gary Lin via Grub-devel
0 siblings, 0 replies; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-22 1:21 UTC (permalink / raw)
To: Vladimir 'phcoder' Serbinenko; +Cc: Gary Lin, The development of GRUB 2
On Thu, Aug 21, 2025 at 06:40:32PM +0300, Vladimir 'phcoder' Serbinenko wrote:
> >
> >
>
> Few comments, otherwise looks good
> >
> >>
> >>
> >> Signed-off-by: Gary Lin <glin@suse.com>
> >> ---
> >> util/import_gcry.py | 28 ++++++++++++++++++++++++++--
> >> 1 file changed, 26 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/util/import_gcry.py b/util/import_gcry.py
> >> index 086bde77c..5b24e4041 100644
> >> --- a/util/import_gcry.py
> >> +++ b/util/import_gcry.py
> >> @@ -146,7 +146,7 @@ with codecs.open (os.path.join (cipher_dir_out,
> >> "crypto.lst"), "w", "utf-8") as
> >> chlog = "%s%s: Removed\n" % (chlog, chlognew)
> >> continue
> >> # TODO: Support KDF
> >>
> > Please update the comment
> >
Ok, I'll update the comment as "TODO: Support scrypt KDF"
> >> - if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
> >> + if re.match (r"(scrypt\.c)$", cipher_file):
> >> chlog = "%s%s: Removed\n" % (chlog, chlognew)
> >> continue
> >> # TODO: Support chacha20 and poly1305
> >> @@ -313,6 +313,16 @@ with codecs.open (os.path.join (cipher_dir_out,
> >> "crypto.lst"), "w", "utf-8") as
> >> chlognew = "%s %s" % (chlognew, chmsg)
> >> nch = True
> >> continue
> >> + elif re.match
> >> ("_gcry_kdf_selftest|check_one|_gcry_kdf_pkdf2|_gcry_kdf_derive|openpgp_s2k|ballon_context_size|balloon_*|prng_aes_*|onestep_kdf_*|hkdf_*|x963_kdf_*",
> >> line) is not None and cipher_file == "kdf.c":
> >>
> > Here should be a new Todo for supporting other KDF.
Sure. Will add a TODO here.
Gary Lin
> >
> > + skip = 1
> >> + fname = re.match ("[a-zA-Z0-9_]*",
> >> line).group ()
> >> + chmsg = "(%s): Removed." % fname
> >> + if nch:
> >> + chlognew = "%s\n %s" % (chlognew,
> >> chmsg)
> >> + else:
> >> + chlognew = "%s %s" % (chlognew, chmsg)
> >> + nch = True
> >> + continue
> >> else:
> >> fw.write (holdline)
> >> m = re.match ("# *include <(.*)>", line)
> >> @@ -439,7 +449,7 @@ with codecs.open (os.path.join (cipher_dir_out,
> >> "crypto.lst"), "w", "utf-8") as
> >> nch = True
> >> continue
> >>
> >> - m = re.match (r"((static )?const char( |)\*|static
> >> const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static
> >> )?int|(static )?unsigned int|(static )?gcry_err_code_t|static
> >> gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
> >> + m = re.match (r"((static )?const char( |)\*|static
> >> const gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static
> >> )?int|(static )?unsigned int|(static )?gcry_err_code_t|static
> >> gcry_mpi_t|static void|void|static elliptic_curve_t|static u64|static
> >> size_t) *$", line)
> >> if not m is None:
> >> hold = True
> >> holdline = line
> >> @@ -575,6 +585,20 @@ with codecs.open (os.path.join (cipher_dir_out,
> >> "crypto.lst"), "w", "utf-8") as
> >> conf.write ("};\n\n")
> >> if nch:
> >> chlog = "%s%s\n" % (chlog, chlognew)
> >> + elif cipher_file == "kdf.c":
> >> + modfiles = ["kdf.c"]
> >> + if modname in extra_files:
> >> + modfiles += extra_files[modname]
> >> + conf.write ("module = {\n")
> >> + conf.write (" name = %s;\n" % modname)
> >> + for src in modfiles:
> >> + conf.write (" common =
> >> lib/libgcrypt-grub/cipher/%s;\n" % src)
> >> + confutil.write (" common =
> >> grub-core/lib/libgcrypt-grub/cipher/%s;\n" % src)
> >> + conf.write (" cflags = '$(CFLAGS_GCRY)';\n")
> >> + conf.write (" cppflags = '$(CPPFLAGS_GCRY)';\n")
> >> + conf.write ("};\n\n")
> >> + if nch:
> >> + chlog = "%s%s\n" % (chlog, chlognew)
> >> elif isc and cipher_file not in extra_files_list:
> >> print ("WARNING: C file isn't a module: %s" %
> >> cipher_file)
> >> os.remove (outfile)
> >> --
> >> 2.43.0
> >>
> >> Regards
> > Vladimir 'phcoder' Serbinenko
> >
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 5/9] Import Argon2 tests from libgcrypt
2025-08-21 20:33 ` Vladimir 'phcoder' Serbinenko
@ 2025-08-22 1:30 ` Gary Lin via Grub-devel
0 siblings, 0 replies; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-22 1:30 UTC (permalink / raw)
To: Vladimir 'phcoder' Serbinenko
Cc: Gary Lin, The development of GNU GRUB, Daniel Kiper,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
On Thu, Aug 21, 2025 at 11:33:07PM +0300, Vladimir 'phcoder' Serbinenko wrote:
> Can we make it a "functional" test? This would allow it to run on real
> grub2 rather than in OS environment.
>
Sure, that is my intention. This patch just imports the code from libgcrypt,
and the next patch integrates this test into functional_test.
Gary Lin
> Regards
> Vladimir 'phcoder' Serbinenko
>
> Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
>
> > Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt
> > to grub-core/tests/argon2_test.c.
> >
> > Signed-off-by: Gary Lin <glin@suse.com>
> > Tested-By: Waldemar Brodkorb <wbx@openadk.org>
> > ---
> > grub-core/tests/argon2_test.c | 141 ++++++++++++++++++++++++++++++++++
> > 1 file changed, 141 insertions(+)
> > create mode 100644 grub-core/tests/argon2_test.c
> >
> > diff --git a/grub-core/tests/argon2_test.c b/grub-core/tests/argon2_test.c
> > new file mode 100644
> > index 000000000..d2f70166a
> > --- /dev/null
> > +++ b/grub-core/tests/argon2_test.c
> > @@ -0,0 +1,141 @@
> > +static void
> > +check_argon2 (void)
> > +{
> > + gcry_error_t err;
> > + static struct {
> > + int subalgo;
> > + unsigned long param[4];
> > + size_t passlen;
> > + const char *pass;
> > + size_t saltlen;
> > + const char *salt;
> > + size_t keylen;
> > + const char *key;
> > + size_t adlen;
> > + const char *ad;
> > + size_t dklen;
> > + const char *dk;
> > + } tv[] = {
> > + {
> > + GCRY_KDF_ARGON2D,
> > + { 32, 3, 32, 4 },
> > + 32,
> > + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> > + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
> > + 16,
> > + "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
> > + 8,
> > + "\x03\x03\x03\x03\x03\x03\x03\x03",
> > + 12,
> > + "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
> > + 32,
> > + "\x51\x2b\x39\x1b\x6f\x11\x62\x97\x53\x71\xd3\x09\x19\x73\x42\x94"
> > + "\xf8\x68\xe3\xbe\x39\x84\xf3\xc1\xa1\x3a\x4d\xb9\xfa\xbe\x4a\xcb"
> > + },
> > + {
> > + GCRY_KDF_ARGON2I,
> > + { 32, 3, 32, 4 },
> > + 32,
> > + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> > + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
> > + 16,
> > + "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
> > + 8,
> > + "\x03\x03\x03\x03\x03\x03\x03\x03",
> > + 12,
> > + "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
> > + 32,
> > + "\xc8\x14\xd9\xd1\xdc\x7f\x37\xaa\x13\xf0\xd7\x7f\x24\x94\xbd\xa1"
> > + "\xc8\xde\x6b\x01\x6d\xd3\x88\xd2\x99\x52\xa4\xc4\x67\x2b\x6c\xe8"
> > + },
> > + {
> > + GCRY_KDF_ARGON2ID,
> > + { 32, 3, 32, 4 },
> > + 32,
> > + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
> > + "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01",
> > + 16,
> > + "\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02",
> > + 8,
> > + "\x03\x03\x03\x03\x03\x03\x03\x03",
> > + 12,
> > + "\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04",
> > + 32,
> > + "\x0d\x64\x0d\xf5\x8d\x78\x76\x6c\x08\xc0\x37\xa3\x4a\x8b\x53\xc9"
> > + "\xd0\x1e\xf0\x45\x2d\x75\xb6\x5e\xb5\x25\x20\xe9\x6b\x01\xe6\x59"
> > + },
> > + {
> > + /* empty password */
> > + GCRY_KDF_ARGON2I,
> > + { 32, 3, 128, 1 },
> > + 0, NULL,
> > + 16,
> > + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
> > + 0, NULL,
> > + 0, NULL,
> > + 32,
> > + "\xbb\x1f\xf2\xb9\x9f\xd4\x4a\xd9\xdf\x7f\xb9\x54\x55\x9e\xb8\xeb"
> > + "\xb5\x9d\xab\xce\x2e\x62\x9f\x9b\x89\x09\xfe\xde\x57\xcc\x63\x86"
> > + },
> > + {
> > + /* empty password */
> > + GCRY_KDF_ARGON2ID,
> > + { 32, 3, 128, 1 },
> > + 0, NULL,
> > + 16,
> > + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
> > + 0, NULL,
> > + 0, NULL,
> > + 32,
> > + "\x09\x2f\x38\x35\xac\xb2\x43\x92\x93\xeb\xcd\xe8\x04\x16\x6a\x31"
> > + "\xce\x14\xd4\x55\xdb\xd8\xf7\xe6\xb4\xf5\x9d\x64\x8e\xd0\x3a\xdb"
> > + },
> > + };
> > + unsigned char out[32];
> > + int i;
> > + int count;
> > +
> > + for (count = 0; count < DIM(tv); count++)
> > + {
> > + if (verbose)
> > + fprintf (stderr, "checking ARGON2 test vector %d\n", count);
> > +
> > + err = my_kdf_derive (0, GCRY_KDF_ARGON2,
> > + tv[count].subalgo, tv[count].param, 4,
> > + tv[count].pass, tv[count].passlen,
> > + tv[count].salt, tv[count].saltlen,
> > + tv[count].key, tv[count].keylen,
> > + tv[count].ad, tv[count].adlen,
> > + tv[count].dklen, out);
> > + if (err)
> > + fail ("argon2 test %d failed: %s\n", count*2+0, gpg_strerror
> > (err));
> > + else if (memcmp (out, tv[count].dk, tv[count].dklen))
> > + {
> > + fail ("argon2 test %d failed: mismatch\n", count*2+0);
> > + fputs ("got:", stderr);
> > + for (i=0; i < tv[count].dklen; i++)
> > + fprintf (stderr, " %02x", out[i]);
> > + putc ('\n', stderr);
> > + }
> > +
> > +#ifdef HAVE_PTHREAD
> > + err = my_kdf_derive (1, GCRY_KDF_ARGON2,
> > + tv[count].subalgo, tv[count].param, 4,
> > + tv[count].pass, tv[count].passlen,
> > + tv[count].salt, tv[count].saltlen,
> > + tv[count].key, tv[count].keylen,
> > + tv[count].ad, tv[count].adlen,
> > + tv[count].dklen, out);
> > + if (err)
> > + fail ("argon2 test %d failed: %s\n", count*2+1, gpg_strerror
> > (err));
> > + else if (memcmp (out, tv[count].dk, tv[count].dklen))
> > + {
> > + fail ("argon2 test %d failed: mismatch\n", count*2+1);
> > + fputs ("got:", stderr);
> > + for (i=0; i < tv[count].dklen; i++)
> > + fprintf (stderr, " %02x", out[i]);
> > + putc ('\n', stderr);
> > + }
> > +#endif
> > + }
> > +}
> > --
> > 2.43.0
> >
> >
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH v2 7/9] disk/luks2: Add Argon2 support
2025-08-21 20:37 ` Vladimir 'phcoder' Serbinenko
@ 2025-08-22 1:33 ` Gary Lin via Grub-devel
0 siblings, 0 replies; 21+ messages in thread
From: Gary Lin via Grub-devel @ 2025-08-22 1:33 UTC (permalink / raw)
To: Vladimir 'phcoder' Serbinenko
Cc: Gary Lin, The development of GNU GRUB, Daniel Kiper,
Glenn Washburn, Michael Chang, Waldemar Brodkorb
On Thu, Aug 21, 2025 at 11:37:13PM +0300, Vladimir 'phcoder' Serbinenko wrote:
> Small comment, otherwise looks good
>
> Le mer. 6 août 2025, 10:16, Gary Lin <glin@suse.com> a écrit :
>
> > Leverage the new grub_crypto_argon2() function to add support for the
> > Argon2i and Argon2id KDFs in LUKS2
> >
> > Signed-off-by: Gary Lin <glin@suse.com>
> > Tested-By: Waldemar Brodkorb <wbx@openadk.org>
> > ---
> > grub-core/disk/luks2.c | 38 +++++++++++++++++++++++++++++++++++---
> > 1 file changed, 35 insertions(+), 3 deletions(-)
> >
> > diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
> > index b17cd2115..1fa68c3a3 100644
> > --- a/grub-core/disk/luks2.c
> > +++ b/grub-core/disk/luks2.c
> > @@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
> > enum grub_luks2_kdf_type
> > {
> > LUKS2_KDF_TYPE_ARGON2I,
> > + LUKS2_KDF_TYPE_ARGON2ID,
> > LUKS2_KDF_TYPE_PBKDF2
> > };
> > typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
> > @@ -159,7 +160,7 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> > grub_json_t *keyslot)
> > grub_json_getstring (&type, &kdf, "type") ||
> > grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
> > return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
> > - else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type,
> > "argon2id"))
> > + else if (!grub_strcmp (type, "argon2i"))
> > {
> > out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
> > if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> > @@ -167,6 +168,14 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> > grub_json_t *keyslot)
> > grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> > return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i
> > parameters");
> > }
> > + else if (!grub_strcmp (type, "argon2id"))
> > + {
> > + out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
> > + if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> > + grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory")
> > ||
> > + grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2id
> > parameters");
> >
>
> I know that you copied from above but error messages should start with
> lowercase.
>
Will fix it in v3.
Thanks,
Gary Lin
> + }
> > else if (!grub_strcmp (type, "pbkdf2"))
> > {
> > out->kdf.type = LUKS2_KDF_TYPE_PBKDF2;
> > @@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> > grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
> > grub_uint8_t *split_key = NULL;
> > idx_t saltlen = sizeof (salt);
> > + int subalgo;
> > + unsigned long param[4];
> > char cipher[32], *p;
> > const gcry_md_spec_t *hash;
> > gcry_err_code_t gcry_ret;
> > @@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> > switch (k->kdf.type)
> > {
> > case LUKS2_KDF_TYPE_ARGON2I:
> > - ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
> > - goto err;
> > + case LUKS2_KDF_TYPE_ARGON2ID:
> > + if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
> > + subalgo = GRUB_GCRY_KDF_ARGON2I;
> > + else
> > + subalgo = GRUB_GCRY_KDF_ARGON2ID;
> > +
> > + param[0] = k->area.key_size;
> > + param[1] = k->kdf.u.argon2i.time;
> > + param[2] = k->kdf.u.argon2i.memory;
> > + param[3] = k->kdf.u.argon2i.cpus;
> > +
> > + gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
> > + passphrase, passphraselen,
> > + salt, saltlen,
> > + NULL, 0, NULL, 0,
> > + k->area.key_size, area_key);
> > + if (gcry_ret)
> > + {
> > + ret = grub_crypto_gcry_error (gcry_ret);
> > + goto err;
> > + }
> > +
> > + break;
> > case LUKS2_KDF_TYPE_PBKDF2:
> > hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
> > if (!hash)
> > --
> > 2.43.0
> >
> >
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
end of thread, other threads:[~2025-08-22 1:33 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-06 7:16 [PATCH v2 0/9] Support Argon2 KDF Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 1/9] util/import_gcry: Import kdf.c for Argon2 Gary Lin via Grub-devel
[not found] ` <CAEaD8JO8HLqSOKyyHHf69r0LO1w+C-eTAs-V1b-_vJ_is9Wodw@mail.gmail.com>
2025-08-21 15:40 ` Vladimir 'phcoder' Serbinenko
2025-08-22 1:21 ` Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 2/9] crypto: Update crypto.h for libgcrypt KDF functions Gary Lin via Grub-devel
2025-08-21 15:39 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 3/9] kdf: Resovle the build errors Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 4/9] argon2: Introduce grub_crypto_argon2() Gary Lin via Grub-devel
2025-08-21 20:30 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 5/9] Import Argon2 tests from libgcrypt Gary Lin via Grub-devel
2025-08-21 20:33 ` Vladimir 'phcoder' Serbinenko
2025-08-22 1:30 ` Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 6/9] Integrate Argon2 tests into functional_test Gary Lin via Grub-devel
2025-08-21 20:34 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 7/9] disk/luks2: Add Argon2 support Gary Lin via Grub-devel
2025-08-21 20:37 ` Vladimir 'phcoder' Serbinenko
2025-08-22 1:33 ` Gary Lin via Grub-devel
2025-08-06 7:16 ` [PATCH v2 8/9] tests/util/grub-fs-tester: Use Argon2id for LUKS2 test Gary Lin via Grub-devel
2025-08-21 20:38 ` Vladimir 'phcoder' Serbinenko
2025-08-06 7:16 ` [PATCH v2 9/9] docs: Document argon2 and argon2_test Gary Lin via Grub-devel
2025-08-21 20:39 ` Vladimir 'phcoder' Serbinenko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).