[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v9 3/7] cryptodisk: Add --header option to cryptomount and fail t
From: |
Glenn Washburn |
Subject: |
[PATCH v9 3/7] cryptodisk: Add --header option to cryptomount and fail to implement it in the backends |
Date: |
Mon, 11 Apr 2022 06:40:24 +0000 |
Add a --header (short -H) option to cryptomount which takes a file argument.
Pass the file to the backends via cargs struct and cause the backends to
fail when passed a header. Detached header file support will be added later
for individual backends.
Signed-off-by: John Lane <john@lane.uk.net>
GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
development@efficientek.com: rebase, rework for cryptomount parameter passing,
improve commit message
Signed-off-by: Glenn Washburn <development@efficientek.com>
---
grub-core/disk/cryptodisk.c | 15 ++++++++++++++-
grub-core/disk/geli.c | 10 ++++++++++
grub-core/disk/luks.c | 8 ++++++++
grub-core/disk/luks2.c | 8 ++++++++
include/grub/cryptodisk.h | 2 ++
include/grub/file.h | 2 ++
6 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 9f5dc7acbc..063997d2f0 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -42,6 +42,7 @@ static const struct grub_arg_option options[] =
{"all", 'a', 0, N_("Mount all."), 0, 0},
{"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
{"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING},
+ {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
{0, 0, 0, 0, 0, 0}
};
@@ -1172,6 +1173,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int
argc, char **args)
cargs.key_len = grub_strlen (state[3].arg);
}
+ if (state[4].set) /* header */
+ {
+ if (state[0].set)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("cannot use UUID lookup with detached header"));
+
+ cargs.hdr_file = grub_file_open (state[4].arg,
+ GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
+ if (cargs.hdr_file == NULL)
+ return grub_errno;
+ }
+
if (state[0].set) /* uuid */
{
int found_uuid;
@@ -1384,7 +1397,7 @@ GRUB_MOD_INIT (cryptodisk)
{
grub_disk_dev_register (&grub_cryptodisk_dev);
cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
- N_("[-p password] <SOURCE|-u UUID|-a|-b>"),
+ N_("[-p password] [-H file] <SOURCE|-u
UUID|-a|-b>"),
N_("Mount a crypto device."), options);
grub_procfs_register ("luks_script", &luks_script);
}
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index 91eb101224..39b32a2add 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -52,6 +52,7 @@
#include <grub/dl.h>
#include <grub/err.h>
#include <grub/disk.h>
+#include <grub/file.h>
#include <grub/crypto.h>
#include <grub/partition.h>
#include <grub/i18n.h>
@@ -121,6 +122,7 @@ enum
/* FIXME: support version 0. */
/* FIXME: support big-endian pre-version-4 volumes. */
+/* FIXME: support for detached headers. */
/* FIXME: support for keyfiles. */
/* FIXME: support for HMAC. */
const char *algorithms[] = {
@@ -252,6 +254,10 @@ geli_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
grub_disk_addr_t sector;
grub_err_t err;
+ /* Detached headers are not implemented yet */
+ if (cargs->hdr_file)
+ return NULL;
+
if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH)
return NULL;
@@ -412,6 +418,10 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t
dev, grub_cryptomount_ar
if (cargs->key_data == NULL || cargs->key_len == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data");
+ /* Detached headers are not implemented yet */
+ if (cargs->hdr_file)
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
+
if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE)
return grub_error (GRUB_ERR_BUG, "cipher block is too long");
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 7f837d52c4..fe1655c3c2 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -75,6 +75,10 @@ luks_scan (grub_disk_t disk, grub_cryptomount_args_t cargs)
char hashspec[sizeof (header.hashSpec) + 1];
grub_err_t err;
+ /* Detached headers are not implemented yet */
+ if (cargs->hdr_file)
+ return NULL;
+
if (cargs->check_boot)
return NULL;
@@ -164,6 +168,10 @@ luks_recover_key (grub_disk_t source,
if (cargs->key_data == NULL || cargs->key_len == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data");
+ /* Detached headers are not implemented yet */
+ if (cargs->hdr_file)
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
+
err = grub_disk_read (source, 0, 0, sizeof (header), &header);
if (err)
return err;
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index bf741d70f3..349462c61a 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -353,6 +353,10 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t
cargs)
char uuid[sizeof (header.uuid) + 1];
grub_size_t i, j;
+ /* Detached headers are not implemented yet */
+ if (cargs->hdr_file)
+ return NULL;
+
if (cargs->check_boot)
return NULL;
@@ -560,6 +564,10 @@ luks2_recover_key (grub_disk_t source,
if (cargs->key_data == NULL || cargs->key_len == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data");
+ /* Detached headers are not implemented yet */
+ if (cargs->hdr_file)
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
+
ret = luks2_read_header (source, &header);
if (ret)
return ret;
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index c6524c9ea9..9fe451de92 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -20,6 +20,7 @@
#define GRUB_CRYPTODISK_HEADER 1
#include <grub/disk.h>
+#include <grub/file.h>
#include <grub/crypto.h>
#include <grub/list.h>
#ifdef GRUB_UTIL
@@ -77,6 +78,7 @@ struct grub_cryptomount_args
grub_uint8_t *key_data;
/* recover_key: Length of key_data */
grub_size_t key_len;
+ grub_file_t hdr_file;
};
typedef struct grub_cryptomount_args *grub_cryptomount_args_t;
diff --git a/include/grub/file.h b/include/grub/file.h
index 31567483cc..3a3c49a04c 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -90,6 +90,8 @@ enum grub_file_type
GRUB_FILE_TYPE_FONT,
/* File holding encryption key for encrypted ZFS. */
GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY,
+ /* File holding the encryption metadata header */
+ GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER,
/* File we open n grub-fstest. */
GRUB_FILE_TYPE_FSTEST,
/* File we open n grub-mount. */
--
2.25.1
- [PATCH v9 0/7] Cryptodisk detached headers and key files, Glenn Washburn, 2022/04/11
- [PATCH v9 1/7] cryptodisk: luks: Unify grub_cryptodisk_dev function names, Glenn Washburn, 2022/04/11
- [PATCH v9 7/7] docs: Add documentation on keyfile and detached header options to cryptomount, Glenn Washburn, 2022/04/11
- [PATCH v9 2/7] cryptodisk: geli: Unify grub_cryptodisk_dev function names, Glenn Washburn, 2022/04/11
- [PATCH v9 3/7] cryptodisk: Add --header option to cryptomount and fail to implement it in the backends,
Glenn Washburn <=
- [PATCH v9 4/7] cryptodisk: Add support for LUKS1 detached headers, Glenn Washburn, 2022/04/11
- [PATCH v9 5/7] cryptodisk: Add options to cryptomount to support keyfiles, Glenn Washburn, 2022/04/11
- [PATCH v9 6/7] luks2: Add detached header support, Glenn Washburn, 2022/04/11