Date: Thu, 16 Apr 2020 14:36:10 +0200
From: Patrick Steinhardt
To: Daniel Kiper
Cc: grub-devel@gnu.org
Subject: Re: [PATCH] luks2: Improve error reporting when decrypting/verifying key
Message-ID: <20200416123610.GB277885@tanuki.pks.im>
In-Reply-To: <20200416122702.pbr3r67ahrt65zcj@tomti.i.net-space.pl>

On Thu, Apr 16, 2020 at 02:27:02PM +0200, Daniel Kiper wrote:
> On Thu, Apr 16, 2020 at 12:19:55PM +0200, Patrick Steinhardt wrote:
> > While we already set up error messages in both `luks2_verify_key()` and
> > `luks2_decrypt_key()`, we do not ever print them. This makes it really
> > hard to discover why a given key actually failed to decrypt a disk.
> >
> > Improve this by including the error message in the user-visible output.
> >
> > Signed-off-by: Patrick Steinhardt
> > --- > > grub-core/disk/luks2.c | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c > > index 65c4f0aac..a48bddf5d 100644 > > --- a/grub-core/disk/luks2.c > > +++ b/grub-core/disk/luks2.c
> > @@ -487,7 +487,7 @@ luks2_decrypt_key (grub_uint8_t *out_key, > > ret =3D grub_disk_read (disk, 0, k->area.offset, k->area.size, split= _key); > > if (ret) > > { > > - grub_dprintf ("luks2", "Read error: %s\n", grub_errmsg); > > + grub_error (GRUB_ERR_IO, "Read error: %s\n", grub_errmsg); > > goto err; > > }
>
> AIUI the commit message says about this change but...
>
> > @@ -610,14 +610,16 @@ luks2_recover_key (grub_disk_t disk, > > (const grub_uint8_t *) passphrase, grub_strlen (passphrase)); > > if (ret) > > { > > - grub_dprintf ("luks2", "Decryption with keyslot %"PRIuGRUB_SIZE" fa= iled\n", i); > > + grub_dprintf ("luks2", "Decryption with keyslot %"PRIuGRUB_SIZE" fa= iled: %s\n", > > + i, grub_errmsg); > > continue; > > } > > > > ret =3D luks2_verify_key (&digest, candidate_key, keyslot.key_si= ze); > > if (ret) > > { > > - grub_dprintf ("luks2", "Could not open keyslot %"PRIuGRUB_SIZE"\n",= i); > > + grub_dprintf ("luks2", "Could not open keyslot %"PRIuGRUB_SIZE": %s= \n", > > + i, grub_errmsg); > > continue;
>
> ...it does not say anything about these changes. If you update commit
> message you can add Reviewed-by: Daniel Kiper
>
> Daniel

Does the following commit message clear things up?

luks2: Improve error reporting when recovering keys

While we already set up error messages in both `luks2_verify_key()` and `luks2_decrypt_key()`, we do not ever print them in the calling function `luks2_recover_key()`. This makes it really hard to discover why a given key actually failed to decrypt a disk.

Improve this by including the error message in the user-visible output. While at it, fix one error path in `luks2_decrypt_key()` that printed the error directly instead of returning it.

Signed-off-by: Patrick Steinhardt

Patrick
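
Review bot: in the luks2_decrypt_key hunk (@@ -487,7 +487,7 @@), the added `grub_error (GRUB_ERR_IO, "Read error: %s\n", grub_errmsg);` passes grub_errmsg as a `%s` argument to the function that formats its output into grub_errmsg, so source and destination overlap and the message left by grub_disk_read() is likely to be clobbered rather than preserved. The removed line already relied on grub_disk_read() having filled grub_errmsg, so the simplest change is to drop the call and just `goto err` with ret untouched; if the "Read error" prefix is wanted, copy the inner message into a local buffer before calling grub_error(). The hard-coded GRUB_ERR_IO also replaces whatever code ret carried, and the trailing `\n` ends up inside the stored error string.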
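
Review bot: in the luks2_recover_key hunk (@@ -610,14 +610,16 @@), both changed calls are still grub_dprintf(), so the appended grub_errmsg only shows up when debug output for "luks2" is enabled, which does not match "user-visible output" in the commit message. Either reword the commit message to say the reason is added to the debug output, or report the last failure outside the debug channel once every keyslot has been tried. Each `continue` also leaves the failed keyslot's error state set and nothing in the visible lines clears it, so consider resetting grub_errno before moving to the next keyslot so that a later successful slot does not return with a stale error pending.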