From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1kComO-0008Ug-VH for mharc-grub-devel@gnu.org; Mon, 31 Aug 2020 14:43:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40902) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kComN-0008R0-JG for grub-devel@gnu.org; Mon, 31 Aug 2020 14:43:43 -0400 Received: from mail-qt1-x841.google.com ([2607:f8b0:4864:20::841]:43310) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kComL-0007bj-2Y for grub-devel@gnu.org; Mon, 31 Aug 2020 14:43:43 -0400 Received: by mail-qt1-x841.google.com with SMTP id k18so5484590qtm.10 for ; Mon, 31 Aug 2020 11:43:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=efficientek-com.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:in-reply-to:references:reply-to :mime-version:content-transfer-encoding; bh=/ba8ISnmD3hLUzcwOr3O7ZgQ30qBpjGR9CS5kk5mTug=; b=iE34EkyFsZYxmG8lfLt6UgzwL6ChZdi9Ky59TA65LOWLppT5zzYw6uu0wnwjoLx956 H6hJHpu6CmzPVoSqLHRWQeu812apF9UyNXXYtxifWkUBXK5FLXuP6y9/QKxk6gxhHm/L lNBYoWSZB55x3TsBQl/5W26ApXSf3XP9y4Kdqb3P65PDhEuZo0FvLX2ZxGAhmXjzcL/2 1fIEvi4sZZ7DEQeTweKI38O73t9B11aSnZrj74LhAwf2AihyCYxMmp8K5lIdA9nNDFzL Pop03YGXZn4/RlAzQ0zwPuZMiEBxejk4lK4kjHT4d4iAvGNCxep5fXpWMu09e3YdoPAY HqIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to :references:reply-to:mime-version:content-transfer-encoding; bh=/ba8ISnmD3hLUzcwOr3O7ZgQ30qBpjGR9CS5kk5mTug=; b=EihVY/1OC7IeLc+ZY2CaaMkXOr7QK8hcrhFxESQxIRiAFgh9ftSRASe974mGFMMpfi yWWHz0FqJ4z938ox/eQVSZOUEMJ7g7otvBnSvbuuPfVrZztV1z1uQo9sdkVFFF3B4tnA vvT7mVoKM8M2r1tgcpLoVl8jQT+Q4qWvTNk3zgLIHXmWNRCNo+UjVYcpbsh2RvX0+aBw heLx4KR9C3WkxgbU7CF3aDdB0V5LoyOU+DPy+o0TlhDYpiHYlOUUkI52lTIYJcpjKwQ2 jojt1O/GwbgE5ZPmhzgmgjq5ODBL2xSv3PLkszKgn5OWgbzzvv9dDHRaW3v0wuLq/WJw FrOg== X-Gm-Message-State: AOAM533LyX+07Rp8rDv+obQdMrnlISZJMR3gkl60HF15v0iGm6SJSbqE DI2VR94Uwk4w+fXxsWtj0Kdw6g== X-Google-Smtp-Source: ABdhPJxr3poCSRPUgmmlwe8EI1DFbI8sEB0BRC9Yr6tFhikGYSrB8hbvprY5W18V4TEQGLaaL5d3Cw== X-Received: by 2002:aed:2742:: with SMTP id n60mr2620595qtd.74.1598899419571; Mon, 31 Aug 2020 11:43:39 -0700 (PDT) Received: from crass-HP-ZBook-15-G2 ([136.49.44.103]) by smtp.gmail.com with ESMTPSA id r68sm9642997qkd.13.2020.08.31.11.43.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 31 Aug 2020 11:43:39 -0700 (PDT) Date: Mon, 31 Aug 2020 13:43:36 -0500 From: Glenn Washburn To: Patrick Steinhardt Cc: grub-devel@gnu.org, Denis GNUtoo Carikli , Daniel Kiper Subject: Re: [PATCH v2 9/9] cryptodisk: Properly handle non-512 byte sized sectors Message-ID: <20200831134336.2dfaa2fc@crass-HP-ZBook-15-G2> In-Reply-To: References: Reply-To: development@efficientek.com X-Mailer: Claws Mail 3.17.4 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=2607:f8b0:4864:20::841; envelope-from=development@efficientek.com; helo=mail-qt1-x841.google.com X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know. X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Aug 2020 18:43:44 -0000 I just noticed that I have a couple minor non-functional changes that I think will make this patch a little better. I had been planning on updating my original patch, but since you're picking this up, this is a better place to update. Let me know if you'd like the updated version of the patch instead of my inline comments below. On Wed, 26 Aug 2020 10:14:02 +0200 Patrick Steinhardt wrote: > From: Glenn Washburn > > By default, dm-crypt internally uses an IV that corresponds to > 512-byte sectors, even when a larger sector size is specified. What > this means is that when using a larger sector size, the IV is > incremented every sector. However, the amount the IV is incremented > is the number of 512 byte blocks in a sector (ie 8 for 4K sectors). > Confusingly the IV does not corespond to the number of, for example, > 4K sectors. So each cipher block in the fifth 4K sector will be > encrypted with an IV equal to 32, as opposed to 32-39 for each > sequential 512 byte block or an IV of 4 for each cipher block in the > sector. > > There are some encryption utilities which do it the intuitive way and > have the IV equal to the sector number regardless of sector size (ie. > the fifth sector would have an IV of 4 for each cipher block). And > this is supported by dm-crypt with the iv_large_sectors option and > also cryptsetup as of 2.3.3 with the --iv-large-sectors, though not > with LUKS headers (only with --type plain). However, support for this > has not been included as grub does not support plain devices right > now. > > One gotcha here is that the encrypted split keys are encrypted with a > hard- coded 512-byte sector size. So even if your data is encrypted > with 4K sector sizes, the split key encrypted area must be decrypted > with a block size of 512 (ie the IV increments every 512 bytes). This > made these changes less aestetically pleasing than desired. > > Signed-off-by: Glenn Washburn > Reviewed-by: Patrick Steinhardt > --- > grub-core/disk/cryptodisk.c | 47 > +++++++++++++++++++++---------------- grub-core/disk/luks.c | > 5 ++-- grub-core/disk/luks2.c | 6 ++++- > include/grub/cryptodisk.h | 2 +- > 4 files changed, 36 insertions(+), 24 deletions(-) > > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c > index 0b63b7d96..0b8ac5b30 100644 > --- a/grub-core/disk/cryptodisk.c > +++ b/grub-core/disk/cryptodisk.c > @@ -33,6 +33,9 @@ > > GRUB_MOD_LICENSE ("GPLv3+"); > > +/* Internally encrypted sectors are 512 bytes regardless of what the > cryptodisk is */ +#define CRYPT_LOG_SECTOR_SIZE 9 > + > grub_cryptodisk_dev_t grub_cryptodisk_list; > > static const struct grub_arg_option options[] = > @@ -224,7 +227,8 @@ lrw_xor (const struct lrw_sector *sec, > static gcry_err_code_t > grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev, > grub_uint8_t * data, grub_size_t len, > - grub_disk_addr_t sector, int do_encrypt) > + grub_disk_addr_t sector, grub_size_t > sector_size, > + int do_encrypt) I've changed the sector_size parameter to log_sector_size, which is what it really is. I think this is really important to change because there's already enough confusingly named identifiers. > { > grub_size_t i; > gcry_err_code_t err; > @@ -237,12 +241,13 @@ grub_cryptodisk_endecrypt (struct > grub_cryptodisk *dev, return (do_encrypt ? grub_crypto_ecb_encrypt > (dev->cipher, data, data, len) : grub_crypto_ecb_decrypt > (dev->cipher, data, data, len)); > - for (i = 0; i < len; i += (1U << dev->log_sector_size)) > + for (i = 0; i < len; i += (1U << sector_size)) > { > grub_size_t sz = ((dev->cipher->cipher->blocksize > + sizeof (grub_uint32_t) - 1) > / sizeof (grub_uint32_t)); > grub_uint32_t iv[(GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE + 3) / 4]; > + grub_uint64_t iv_calc; > > if (dev->rekey) > { > @@ -270,7 +275,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk > *dev, if (!ctx) > return GPG_ERR_OUT_OF_MEMORY; > > - tmp = grub_cpu_to_le64 (sector << dev->log_sector_size); > + tmp = grub_cpu_to_le64 (sector << sector_size); > dev->iv_hash->init (ctx); > dev->iv_hash->write (ctx, dev->iv_prefix, > dev->iv_prefix_len); dev->iv_hash->write (ctx, &tmp, sizeof (tmp)); > @@ -281,14 +286,16 @@ grub_cryptodisk_endecrypt (struct > grub_cryptodisk *dev, } > break; > case GRUB_CRYPTODISK_MODE_IV_PLAIN64: > - iv[1] = grub_cpu_to_le32 (sector >> 32); > + iv_calc = sector << (sector_size - CRYPT_LOG_SECTOR_SIZE); > + iv[1] = grub_cpu_to_le32 (iv_calc >> 32); > /* FALLTHROUGH */ > case GRUB_CRYPTODISK_MODE_IV_PLAIN: > - iv[0] = grub_cpu_to_le32 (sector & 0xFFFFFFFF); > + iv_calc = sector << (sector_size - CRYPT_LOG_SECTOR_SIZE); > + iv[0] = grub_cpu_to_le32 (iv_calc & 0xFFFFFFFF); > break; > case GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64: > - iv[1] = grub_cpu_to_le32 (sector >> (32 - > dev->log_sector_size)); > - iv[0] = grub_cpu_to_le32 ((sector << dev->log_sector_size) > + iv[1] = grub_cpu_to_le32 (sector >> (32 - sector_size)); > + iv[0] = grub_cpu_to_le32 ((sector << sector_size) > & 0xFFFFFFFF); > break; > case GRUB_CRYPTODISK_MODE_IV_BENBI: > @@ -311,10 +318,10 @@ grub_cryptodisk_endecrypt (struct > grub_cryptodisk *dev, case GRUB_CRYPTODISK_MODE_CBC: > if (do_encrypt) > err = grub_crypto_cbc_encrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size), iv); > + (1U << sector_size), iv); > else > err = grub_crypto_cbc_decrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size), iv); > + (1U << sector_size), iv); > if (err) > return err; > break; > @@ -322,10 +329,10 @@ grub_cryptodisk_endecrypt (struct > grub_cryptodisk *dev, case GRUB_CRYPTODISK_MODE_PCBC: > if (do_encrypt) > err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size), iv); > + (1U << sector_size), iv); > else > err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size), iv); > + (1U << sector_size), iv); > if (err) > return err; > break; > @@ -337,7 +344,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk > *dev, if (err) > return err; > > - for (j = 0; j < (1U << dev->log_sector_size); > + for (j = 0; j < (1U << sector_size); > j += dev->cipher->cipher->blocksize) > { > grub_crypto_xor (data + i + j, data + i + j, iv, > @@ -368,11 +375,11 @@ grub_cryptodisk_endecrypt (struct > grub_cryptodisk *dev, if (do_encrypt) > err = grub_crypto_ecb_encrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size)); > + (1U << sector_size)); > else > err = grub_crypto_ecb_decrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size)); > + (1U << sector_size)); > if (err) > return err; > lrw_xor (&sec, dev, data + i); > @@ -381,10 +388,10 @@ grub_cryptodisk_endecrypt (struct > grub_cryptodisk *dev, case GRUB_CRYPTODISK_MODE_ECB: > if (do_encrypt) > err = grub_crypto_ecb_encrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size)); > + (1U << sector_size)); > else > err = grub_crypto_ecb_decrypt (dev->cipher, data + i, > data + i, > - (1U << > dev->log_sector_size)); > + (1U << sector_size)); > if (err) > return err; > break; > @@ -399,9 +406,9 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk > *dev, gcry_err_code_t > grub_cryptodisk_decrypt (struct grub_cryptodisk *dev, > grub_uint8_t * data, grub_size_t len, > - grub_disk_addr_t sector) > + grub_disk_addr_t sector, grub_size_t > sector_size) { > - return grub_cryptodisk_endecrypt (dev, data, len, sector, 0); > + return grub_cryptodisk_endecrypt (dev, data, len, sector, > sector_size, 0); } > > grub_err_t > @@ -766,7 +773,7 @@ grub_cryptodisk_read (grub_disk_t disk, > grub_disk_addr_t sector, } > gcry_err = grub_cryptodisk_endecrypt (dev, (grub_uint8_t *) buf, > size << > disk->log_sector_size, > - sector, 0); > + sector, > dev->log_sector_size, 0); return grub_crypto_gcry_error (gcry_err); > } > > @@ -807,7 +814,7 @@ grub_cryptodisk_write (grub_disk_t disk, > grub_disk_addr_t sector, > gcry_err = grub_cryptodisk_endecrypt (dev, (grub_uint8_t *) tmp, > size << > disk->log_sector_size, > - sector, 1); > + sector, > disk->log_sector_size, 1); if (gcry_err) > { > grub_free (tmp); > diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c > index 59702067a..b30c4551e 100644 > --- a/grub-core/disk/luks.c > +++ b/grub-core/disk/luks.c > @@ -30,6 +30,7 @@ > GRUB_MOD_LICENSE ("GPLv3+"); > > #define MAX_PASSPHRASE 256 > +#define LOG_SECTOR_SIZE 9 > > #define LUKS_KEY_ENABLED 0x00AC71F3 > > @@ -124,7 +125,7 @@ configure_ciphers (grub_disk_t disk, const char > *check_uuid, return NULL; > newdev->offset = grub_be_to_cpu32 (header.payloadOffset); > newdev->source_disk = NULL; > - newdev->log_sector_size = 9; > + newdev->log_sector_size = LOG_SECTOR_SIZE; > newdev->total_length = grub_disk_get_size (disk) - newdev->offset; > grub_memcpy (newdev->uuid, uuid, sizeof (uuid)); > newdev->modname = "luks"; > @@ -247,7 +248,7 @@ luks_recover_key (grub_disk_t source, > return err; > } > > - gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0); > + gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0, > LOG_SECTOR_SIZE); if (gcry_err) > { > grub_free (split_key); > diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c > index 26e1126b1..1f5f9766a 100644 > --- a/grub-core/disk/luks2.c > +++ b/grub-core/disk/luks2.c > @@ -492,7 +492,11 @@ luks2_decrypt_key (grub_uint8_t *out_key, > goto err; > } > > - gcry_ret = grub_cryptodisk_decrypt (crypt, split_key, > k->area.size, 0); > + /* > + * The encrypted key slots are always with 512byte sectors, > + * regardless of encrypted data sector size > + */ > + gcry_ret = grub_cryptodisk_decrypt (crypt, split_key, > k->area.size, 0, 9); if (gcry_ret) I've reworded the comment to be slightly more readable: The key slots area is always encrypted in 512-byte sectors, regardless of encrypted data sector size. > { > ret = grub_crypto_gcry_error (gcry_ret); > diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h > index e1b21e785..06653a622 100644 > --- a/include/grub/cryptodisk.h > +++ b/include/grub/cryptodisk.h > @@ -139,7 +139,7 @@ grub_cryptodisk_setkey (grub_cryptodisk_t dev, > gcry_err_code_t > grub_cryptodisk_decrypt (struct grub_cryptodisk *dev, > grub_uint8_t * data, grub_size_t len, > - grub_disk_addr_t sector); > + grub_disk_addr_t sector, grub_size_t > sector_size); grub_err_t > grub_cryptodisk_insert (grub_cryptodisk_t newdev, const char *name, > grub_disk_t source);