[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 3/5] cryptodisk: Add options to cryptomount to support key
From: |
Glenn Washburn |
Subject: |
Re: [PATCH v2 3/5] cryptodisk: Add options to cryptomount to support keyfiles |
Date: |
Thu, 19 May 2022 16:09:37 -0500 |
On Thu, 19 May 2022 20:23:12 +0200
Daniel Kiper <dkiper@net-space.pl> wrote:
> On Fri, May 13, 2022 at 12:00:49PM -0500, Glenn Washburn wrote:
> > From: John Lane <john@lane.uk.net>
> >
> > Add the options --key-file, --keyfile-offset, and --keyfile-size to
> > cryptomount and code to put read the requested key file data and pass
> > via the cargs struct. Note, key file data is for all intents and purposes
> > equivalent to a password given to cryptomount. So there is no need to
> > enable support for key files in the various crypto backends (eg. LUKS1)
> > because the key data is passed just as if it were a password.
> >
> > Signed-off-by: John Lane <john@lane.uk.net>
> > GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
> > Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
> > development@efficientek.com: rebase and rework to use cryptomount arg
> > passing,
> > minor fixes, improve commit message
> > Signed-off-by: Glenn Washburn <development@efficientek.com>
> > ---
> > grub-core/disk/cryptodisk.c | 104 +++++++++++++++++++++++++++++++++++-
> > include/grub/cryptodisk.h | 2 +
> > include/grub/file.h | 2 +
> > 3 files changed, 107 insertions(+), 1 deletion(-)
> >
> > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> > index 9f5dc7acb..94640b502 100644
> > --- a/grub-core/disk/cryptodisk.c
> > +++ b/grub-core/disk/cryptodisk.c
> > @@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
> > {"all", 'a', 0, N_("Mount all."), 0, 0},
> > {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
> > {"password", 'p', 0, N_("Password to open volumes."), 0,
> > ARG_TYPE_STRING},
> > + {"key-file", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
> > + {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0,
> > ARG_TYPE_INT},
> > + {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0,
> > ARG_TYPE_INT},
> > {0, 0, 0, 0, 0, 0}
> > };
> >
> > @@ -1172,6 +1175,103 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt,
> > int argc, char **args)
> > cargs.key_len = grub_strlen (state[3].arg);
> > }
> >
> > + if (state[4].set) /* keyfile */
> > + {
> > + char tmp_errmsg[GRUB_MAX_ERRMSG];
> > + const char *p = NULL;
> > + grub_file_t keyfile;
> > + unsigned long long keyfile_offset = 0, keyfile_size = 0;
> > +
> > + if (state[5].set) /* keyfile-offset */
> > + {
> > + grub_errno = GRUB_ERR_NONE;
> > + keyfile_offset = grub_strtoull (state[5].arg, &p, 0);
> > +
> > + if (state[5].arg[0] == '\0' || *p != '\0')
> > + {
> > + if (grub_errno != GRUB_ERR_NONE)
> > + {
> > + grub_strncpy (tmp_errmsg, grub_errmsg, GRUB_MAX_ERRMSG);
> > + return grub_error (grub_errno,
> > + N_("non-numeric or invalid keyfile offset
> > `%s': %s"),
> > + state[5].arg, tmp_errmsg);
> > + }
> > + else
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("invalid keyfile offset `%s': non-numeric"
> > + " characters at end of number"),
> > + state[5].arg);
>
> I think this does not give us a lot of value. I would just do
>
> if (state[5].arg[0] == '\0' || *p != '\0')
> return grub_error (GRUB_ERR_BAD_NUMBER, ...
Even low value error information can be quite valuable to those that
need it. Despite that, I'll make the suggested change.
>
> > + }
> > + }
> > +
> > + if (state[6].set) /* keyfile-size */
> > + {
> > + grub_errno = GRUB_ERR_NONE;
> > + keyfile_size = grub_strtoull (state[6].arg, &p, 0);
> > +
> > + if (state[6].arg[0] == '\0' || *p != '\0')
> > + {
> > + if (grub_errno != GRUB_ERR_NONE)
> > + {
> > + grub_strncpy (tmp_errmsg, grub_errmsg, GRUB_MAX_ERRMSG);
> > + return grub_error (grub_errno,
> > + N_("non-numeric or invalid keyfile offset
> > `%s': %s"),
> > + state[5].arg, tmp_errmsg);
> > + }
> > + else
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("invalid keyfile offset `%s': non-numeric"
> > + " characters at end of number"),
> > + state[6].arg);
>
> Ditto.
>
> > + }
> > +
> > + if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("key file size exceeds maximum (%d)"),
> > + GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
> > +
> > + if (keyfile_size == 0)
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("key file size is 0"));
>
> Nit, I would move this before the "if (keyfile_size > ...". This would
> be more natural.
Sure thing.
Glenn
>
> Daniel
- [PATCH v2 0/5] Cryptomount keyfile support, Glenn Washburn, 2022/05/13
- [PATCH v2 1/5] cryptodisk: luks: Unify grub_cryptodisk_dev function names, Glenn Washburn, 2022/05/13
- [PATCH v2 2/5] cryptodisk: geli: Unify grub_cryptodisk_dev function names, Glenn Washburn, 2022/05/13
- [PATCH v2 3/5] cryptodisk: Add options to cryptomount to support keyfiles, Glenn Washburn, 2022/05/13
- [PATCH v2 5/5] docs: Add documentation on keyfile option to cryptomount, Glenn Washburn, 2022/05/13
- [PATCH v2 4/5] cryptodisk: Use enum constants as indexes into cryptomount option array, Glenn Washburn, 2022/05/13