From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1ndnmR-00060I-HS for mharc-grub-devel@gnu.org; Mon, 11 Apr 2022 02:44:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40416) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ndnlv-0005sD-7W for grub-devel@gnu.org; Mon, 11 Apr 2022 02:43:36 -0400 Received: from mail-qv1-xf2f.google.com ([2607:f8b0:4864:20::f2f]:36526) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1ndnlt-0004im-F3 for grub-devel@gnu.org; Mon, 11 Apr 2022 02:43:34 -0400 Received: by mail-qv1-xf2f.google.com with SMTP id c1so3070948qvl.3 for ; Sun, 10 Apr 2022 23:43:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=efficientek-com.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=rggGb/yenLnYP0fhfuQv1oUwxj3vZmWUUYTxtRV8Suw=; b=rueLQJTWTYS/gIqbZ4RJTROaYAZGWEWLDJ0rebsfpcKMzeDUocu5D902bWAjvAAuRk PCUhMjN7wWGIAN/YJkxaUdkFTwOWhW/5XU88CWcL82RTuJcJ4ZZeNJQS4V3mtbaV+MMw K0vEeUqxrkLIgeIYzRPMAiSi6Ryut1HNtEkallkFlMjnobcq2JYDpnD9plqxcbTzCyJk 418uwGgVb82jv+ePObttg39gRobHCAP/o5N/mx2ItnaD7YFxmudpcCMsCnMkGmb71NRh mdZ6EW3q98Wd1z12b5C6kCV6sztAJVge77OuL1w5y32BcZLOiOocJthi8YEyzKr8zAas Py0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=rggGb/yenLnYP0fhfuQv1oUwxj3vZmWUUYTxtRV8Suw=; b=fq+Io8xt8Dnp4hlpBLYS2v7sBxDnqS38m5bNWIMXcII20a9d2jU3ODygAZKiFAtfWG nCbIE4QPAkW24L8vVEijyVQKnqmQHcalni0g/FCr/ILB6/wDF5t90Hn2oHS301kA/NLV llrzOp3AIsblV1Wsq0lJ1zjY2bR773Zxc0PfVdtFWHXYoZtRiGgBfhLZmzOkfR3mpw/H MEilAcnf5GKvpb71XC0qnImv5TQf+L2q9JmcXlWy7d3Zm+Fz0dG3hHfLHh3F5TsMqHbv HHmpc6ulYlcrpI8YiIE6Xd83psoDTMKih72jbDCiYWvzzgiA9K8eWUbyDTSGQXVuoSus ViSQ== X-Gm-Message-State: AOAM530TQS5u9+7WdLss4QKjvz/CuP4PFFYx5GzMWHAHArNj8B0msmso lqBqof3wSiBAGnG7a1u8mlAiT1nVN0WssA== X-Google-Smtp-Source: ABdhPJzStdpkidnm3UAFk0iRRd/CYOmvSleSuu5I34WoQPsvchRO8gi23NImuRmo34Pyu2vzk96UiA== X-Received: by 2002:ad4:5bc2:0:b0:443:901b:39a with SMTP id t2-20020ad45bc2000000b00443901b039amr25825977qvt.78.1649659412402; Sun, 10 Apr 2022 23:43:32 -0700 (PDT) Received: from localhost.localdomain (yal.riseup.net. [199.58.83.9]) by smtp.gmail.com with ESMTPSA id i19-20020a05620a27d300b0069c1c7986eesm1662307qkp.89.2022.04.10.23.43.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 10 Apr 2022 23:43:32 -0700 (PDT) From: Glenn Washburn To: grub-devel@gnu.org, Daniel Kiper Cc: Denis 'GNUtoo' Carikli , Patrick Steinhardt , John Lane , Glenn Washburn Subject: [PATCH v9 3/7] cryptodisk: Add --header option to cryptomount and fail to implement it in the backends Date: Mon, 11 Apr 2022 06:40:24 +0000 Message-Id: <1b2055ac5dff02889c2306951f173a2cdcaca6ce.1649658484.git.development@efficientek.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::f2f; envelope-from=development@efficientek.com; helo=mail-qv1-xf2f.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Apr 2022 06:43:37 -0000 Add a --header (short -H) option to cryptomount which takes a file argument. Pass the file to the backends via cargs struct and cause the backends to fail when passed a header. Detached header file support will be added later for individual backends. Signed-off-by: John Lane GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli development@efficientek.com: rebase, rework for cryptomount parameter passing, improve commit message Signed-off-by: Glenn Washburn --- grub-core/disk/cryptodisk.c | 15 ++++++++++++++- grub-core/disk/geli.c | 10 ++++++++++ grub-core/disk/luks.c | 8 ++++++++ grub-core/disk/luks2.c | 8 ++++++++ include/grub/cryptodisk.h | 2 ++ include/grub/file.h | 2 ++ 6 files changed, 44 insertions(+), 1 deletion(-) diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c index 9f5dc7acbc..063997d2f0 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -42,6 +42,7 @@ static const struct grub_arg_option options[] = {"all", 'a', 0, N_("Mount all."), 0, 0}, {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, {"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING}, + {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING}, {0, 0, 0, 0, 0, 0} }; @@ -1172,6 +1173,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) cargs.key_len = grub_strlen (state[3].arg); } + if (state[4].set) /* header */ + { + if (state[0].set) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("cannot use UUID lookup with detached header")); + + cargs.hdr_file = grub_file_open (state[4].arg, + GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER); + if (cargs.hdr_file == NULL) + return grub_errno; + } + if (state[0].set) /* uuid */ { int found_uuid; @@ -1384,7 +1397,7 @@ GRUB_MOD_INIT (cryptodisk) { grub_disk_dev_register (&grub_cryptodisk_dev); cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, - N_("[-p password] "), + N_("[-p password] [-H file] "), N_("Mount a crypto device."), options); grub_procfs_register ("luks_script", &luks_script); } diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c index 91eb101224..39b32a2add 100644 --- a/grub-core/disk/geli.c +++ b/grub-core/disk/geli.c @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include @@ -121,6 +122,7 @@ enum /* FIXME: support version 0. */ /* FIXME: support big-endian pre-version-4 volumes. */ +/* FIXME: support for detached headers. */ /* FIXME: support for keyfiles. */ /* FIXME: support for HMAC. */ const char *algorithms[] = { @@ -252,6 +254,10 @@ geli_scan (grub_disk_t disk, grub_cryptomount_args_t cargs) grub_disk_addr_t sector; grub_err_t err; + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return NULL; + if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH) return NULL; @@ -412,6 +418,10 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_cryptomount_ar if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"); + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return GRUB_ERR_NOT_IMPLEMENTED_YET; + if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE) return grub_error (GRUB_ERR_BUG, "cipher block is too long"); diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c index 7f837d52c4..fe1655c3c2 100644 --- a/grub-core/disk/luks.c +++ b/grub-core/disk/luks.c @@ -75,6 +75,10 @@ luks_scan (grub_disk_t disk, grub_cryptomount_args_t cargs) char hashspec[sizeof (header.hashSpec) + 1]; grub_err_t err; + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return NULL; + if (cargs->check_boot) return NULL; @@ -164,6 +168,10 @@ luks_recover_key (grub_disk_t source, if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"); + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return GRUB_ERR_NOT_IMPLEMENTED_YET; + err = grub_disk_read (source, 0, 0, sizeof (header), &header); if (err) return err; diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c index bf741d70f3..349462c61a 100644 --- a/grub-core/disk/luks2.c +++ b/grub-core/disk/luks2.c @@ -353,6 +353,10 @@ luks2_scan (grub_disk_t disk, grub_cryptomount_args_t cargs) char uuid[sizeof (header.uuid) + 1]; grub_size_t i, j; + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return NULL; + if (cargs->check_boot) return NULL; @@ -560,6 +564,10 @@ luks2_recover_key (grub_disk_t source, if (cargs->key_data == NULL || cargs->key_len == 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "no key data"); + /* Detached headers are not implemented yet */ + if (cargs->hdr_file) + return GRUB_ERR_NOT_IMPLEMENTED_YET; + ret = luks2_read_header (source, &header); if (ret) return ret; diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h index c6524c9ea9..9fe451de92 100644 --- a/include/grub/cryptodisk.h +++ b/include/grub/cryptodisk.h @@ -20,6 +20,7 @@ #define GRUB_CRYPTODISK_HEADER 1 #include +#include #include #include #ifdef GRUB_UTIL @@ -77,6 +78,7 @@ struct grub_cryptomount_args grub_uint8_t *key_data; /* recover_key: Length of key_data */ grub_size_t key_len; + grub_file_t hdr_file; }; typedef struct grub_cryptomount_args *grub_cryptomount_args_t; diff --git a/include/grub/file.h b/include/grub/file.h index 31567483cc..3a3c49a04c 100644 --- a/include/grub/file.h +++ b/include/grub/file.h @@ -90,6 +90,8 @@ enum grub_file_type GRUB_FILE_TYPE_FONT, /* File holding encryption key for encrypted ZFS. */ GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY, + /* File holding the encryption metadata header */ + GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER, /* File we open n grub-fstest. */ GRUB_FILE_TYPE_FSTEST, /* File we open n grub-mount. */ -- 2.25.1