[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/2] Cryptomount support LUKS detached header
From: |
Patrick Steinhardt |
Subject: |
Re: [PATCH 1/2] Cryptomount support LUKS detached header |
Date: |
Tue, 25 Feb 2020 22:46:22 +0100 |
On Mon, Feb 24, 2020 at 12:12:37PM +0100, Daniel Kiper wrote:
> Adding Patrick...
>
> On Fri, Feb 21, 2020 at 10:03:48PM +0100, Denis 'GNUtoo' Carikli wrote:
> > From: John Lane <address@hidden>
>
> Both patches require explanation what they do and more importantly why
> they are needed... And it would be nice to have cover letter.
>
> ...and please CC Patrick next time...
>
> Daniel
I'll have a look towards the end of this week.
Patrick
> > Signed-off-by: John Lane <address@hidden>
> > address@hidden: rebase
> > Signed-off-by: Denis 'GNUtoo' Carikli <address@hidden>
> > ---
> > grub-core/disk/cryptodisk.c | 22 ++++++++++++++----
> > grub-core/disk/geli.c | 7 ++++--
> > grub-core/disk/luks.c | 45 ++++++++++++++++++++++++++++++-------
> > include/grub/cryptodisk.h | 5 +++--
> > include/grub/file.h | 2 ++
> > 5 files changed, 65 insertions(+), 16 deletions(-)
> >
> > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> > index 1897acc4b..6d4befc6f 100644
> > --- a/grub-core/disk/cryptodisk.c
> > +++ b/grub-core/disk/cryptodisk.c
> > @@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
> > /* TRANSLATORS: It's still restricted to cryptodisks only. */
> > {"all", 'a', 0, N_("Mount all."), 0, 0},
> > {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
> > + {"header", 'H', 0, N_("Read LUKS header from file"), 0,
> > ARG_TYPE_STRING},
> > {0, 0, 0, 0, 0, 0}
> > };
> >
> > @@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
> >
> > static int check_boot, have_it;
> > static char *search_uuid;
> > +static grub_file_t hdr;
> >
> > static void
> > cryptodisk_close (grub_cryptodisk_t dev)
> > @@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name,
> > grub_disk_t source)
> >
> > FOR_CRYPTODISK_DEVS (cr)
> > {
> > - dev = cr->scan (source, search_uuid, check_boot);
> > + dev = cr->scan (source, search_uuid, check_boot, hdr);
> > if (grub_errno)
> > return grub_errno;
> > if (!dev)
> > continue;
> >
> > - err = cr->recover_key (source, dev);
> > + err = cr->recover_key (source, dev, hdr);
> > if (err)
> > {
> > cryptodisk_close (dev);
> > @@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev,
> > const char *cheat)
> >
> > FOR_CRYPTODISK_DEVS (cr)
> > {
> > - dev = cr->scan (source, search_uuid, check_boot);
> > + dev = cr->scan (source, search_uuid, check_boot,0);
> > if (grub_errno)
> > return grub_errno;
> > if (!dev)
> > @@ -1095,6 +1097,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt,
> > int argc, char **args)
> > if (argc < 1 && !state[1].set && !state[2].set)
> > return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
> >
> > + if (state[3].set) /* LUKS detached header */
> > + {
> > + if (state[0].set) /* Cannot use UUID lookup with detached header */
> > + return GRUB_ERR_BAD_ARGUMENT;
> > +
> > + hdr = grub_file_open (state[3].arg,
> > GRUB_FILE_TYPE_LUKS_DETACHED_HEADER);
> > + if (!hdr)
> > + return grub_errno;
> > + }
> > + else
> > + hdr = NULL;
> > +
> > have_it = 0;
> > if (state[0].set)
> > {
> > @@ -1302,7 +1316,7 @@ GRUB_MOD_INIT (cryptodisk)
> > {
> > grub_disk_dev_register (&grub_cryptodisk_dev);
> > cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
> > - N_("SOURCE|-u UUID|-a|-b"),
> > + N_("SOURCE|-u UUID|-a|-b|-H file"),
> > N_("Mount a crypto device."), options);
> > grub_procfs_register ("luks_script", &luks_script);
> > }
> > diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
> > index e9d23299a..f4394eb42 100644
> > --- a/grub-core/disk/geli.c
> > +++ b/grub-core/disk/geli.c
> > @@ -52,6 +52,7 @@
> > #include <grub/dl.h>
> > #include <grub/err.h>
> > #include <grub/disk.h>
> > +#include <grub/file.h>
> > #include <grub/crypto.h>
> > #include <grub/partition.h>
> > #include <grub/i18n.h>
> > @@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
> >
> > static grub_cryptodisk_t
> > configure_ciphers (grub_disk_t disk, const char *check_uuid,
> > - int boot_only)
> > + int boot_only,
> > + grub_file_t hdr __attribute__ ((unused)) )
> > {
> > grub_cryptodisk_t newdev;
> > struct grub_geli_phdr header;
> > @@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char
> > *check_uuid,
> > }
> >
> > static grub_err_t
> > -recover_key (grub_disk_t source, grub_cryptodisk_t dev)
> > +recover_key (grub_disk_t source, grub_cryptodisk_t dev,
> > + grub_file_t hdr __attribute__ ((unused)) )
> > {
> > grub_size_t keysize;
> > grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
> > diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
> > index 410cd6f84..950e89237 100644
> > --- a/grub-core/disk/luks.c
> > +++ b/grub-core/disk/luks.c
> > @@ -23,6 +23,7 @@
> > #include <grub/dl.h>
> > #include <grub/err.h>
> > #include <grub/disk.h>
> > +#include <grub/file.h>
> > #include <grub/crypto.h>
> > #include <grub/partition.h>
> > #include <grub/i18n.h>
> > @@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash,
> > grub_uint8_t * src,
> >
> > static grub_cryptodisk_t
> > configure_ciphers (grub_disk_t disk, const char *check_uuid,
> > - int check_boot)
> > + int check_boot, grub_file_t hdr)
> > {
> > grub_cryptodisk_t newdev;
> > const char *iptr;
> > @@ -78,11 +79,21 @@ configure_ciphers (grub_disk_t disk, const char
> > *check_uuid,
> > char hashspec[sizeof (header.hashSpec) + 1];
> > grub_err_t err;
> >
> > + err = GRUB_ERR_NONE;
> > +
> > if (check_boot)
> > return NULL;
> >
> > /* Read the LUKS header. */
> > - err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
> > + if (hdr)
> > + {
> > + grub_file_seek (hdr, 0);
> > + if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
> > + err = GRUB_ERR_READ_ERROR;
> > + }
> > + else
> > + err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
> > +
> > if (err)
> > {
> > if (err == GRUB_ERR_OUT_OF_RANGE)
> > @@ -146,12 +157,14 @@ configure_ciphers (grub_disk_t disk, const char
> > *check_uuid,
> > }
> >
> > COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
> > +
> > return newdev;
> > }
> >
> > static grub_err_t
> > luks_recover_key (grub_disk_t source,
> > - grub_cryptodisk_t dev)
> > + grub_cryptodisk_t dev,
> > + grub_file_t hdr)
> > {
> > struct grub_luks_phdr header;
> > grub_size_t keysize;
> > @@ -163,8 +176,19 @@ luks_recover_key (grub_disk_t source,
> > grub_err_t err;
> > grub_size_t max_stripes = 1;
> > char *tmp;
> > + grub_uint32_t sector;
> > +
> > + err = GRUB_ERR_NONE;
> > +
> > + if (hdr)
> > + {
> > + grub_file_seek (hdr, 0);
> > + if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
> > + err = GRUB_ERR_READ_ERROR;
> > + }
> > + else
> > + err = grub_disk_read (source, 0, 0, sizeof (header), &header);
> >
> > - err = grub_disk_read (source, 0, 0, sizeof (header), &header);
> > if (err)
> > return err;
> >
> > @@ -233,13 +257,18 @@ luks_recover_key (grub_disk_t source,
> > return grub_crypto_gcry_error (gcry_err);
> > }
> >
> > + sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
> > length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
> >
> > /* Read and decrypt the key material from the disk. */
> > - err = grub_disk_read (source,
> > - grub_be_to_cpu32 (header.keyblock
> > - [i].keyMaterialOffset), 0,
> > - length, split_key);
> > + if (hdr)
> > + {
> > + grub_file_seek (hdr, sector * 512);
> > + if (grub_file_read (hdr, split_key, length) !=
> > (grub_ssize_t)length)
> > + err = GRUB_ERR_READ_ERROR;
> > + }
> > + else
> > + err = grub_disk_read (source, sector, 0, length, split_key);
> > if (err)
> > {
> > grub_free (split_key);
> > diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
> > index e1b21e785..ccbe7ce93 100644
> > --- a/include/grub/cryptodisk.h
> > +++ b/include/grub/cryptodisk.h
> > @@ -20,6 +20,7 @@
> > #define GRUB_CRYPTODISK_HEADER 1
> >
> > #include <grub/disk.h>
> > +#include <grub/file.h>
> > #include <grub/crypto.h>
> > #include <grub/list.h>
> > #ifdef GRUB_UTIL
> > @@ -107,8 +108,8 @@ struct grub_cryptodisk_dev
> > struct grub_cryptodisk_dev **prev;
> >
> > grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
> > - int boot_only);
> > - grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
> > + int boot_only, grub_file_t hdr);
> > + grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
> > grub_file_t hdr);
> > };
> > typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
> >
> > diff --git a/include/grub/file.h b/include/grub/file.h
> > index 31567483c..49428bf8d 100644
> > --- a/include/grub/file.h
> > +++ b/include/grub/file.h
> > @@ -90,6 +90,8 @@ enum grub_file_type
> > GRUB_FILE_TYPE_FONT,
> > /* File holding encryption key for encrypted ZFS. */
> > GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY,
> > + /* LUKS detached (separated) metadata header */
> > + GRUB_FILE_TYPE_LUKS_DETACHED_HEADER,
> > /* File we open n grub-fstest. */
> > GRUB_FILE_TYPE_FSTEST,
> > /* File we open n grub-mount. */
> > --
> > 2.25.1
>
> _______________________________________________
> Grub-devel mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/grub-devel
signature.asc
Description: PGP signature