From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from list by lists.gnu.org with archive (Exim 4.90_1)
	id 1n4rdb-0000qu-3G
	for mharc-grub-devel@gnu.org; Tue, 04 Jan 2022 16:46:35 -0500
Received: from eggs.gnu.org ([209.51.188.92]:60388)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <development@efficientek.com>)
 id 1n4rdZ-0000qk-2T
 for grub-devel@gnu.org; Tue, 04 Jan 2022 16:46:33 -0500
Received: from [2607:f8b0:4864:20::72b] (port=42703
 helo=mail-qk1-x72b.google.com)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <development@efficientek.com>)
 id 1n4rdX-0003oU-Bm
 for grub-devel@gnu.org; Tue, 04 Jan 2022 16:46:32 -0500
Received: by mail-qk1-x72b.google.com with SMTP id r139so35376300qke.9
 for <grub-devel@gnu.org>; Tue, 04 Jan 2022 13:46:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=efficientek-com.20210112.gappssmtp.com; s=20210112;
 h=date:from:to:cc:subject:message-id:in-reply-to:references:reply-to
 :mime-version:content-transfer-encoding;
 bh=h87aZ9/Yr5kiXo8PUEZxmCEiCW5ZdvQtsCAYw4xAnzk=;
 b=TCs+zRV/YyQNV+y22vr2AOVo90gCIqzr4HFIs4wE05ApOno8OVoF+MX5Rm0sPmlpo8
 ktVi6XCz211xuXi6Ond1mKtUoypoGn/B3sqIzl9ohu1cEfLaEkDmMOM6+t7zKPB6n06d
 6Zqf7a6r+VdHMMckJHBaQ3uxxrsb1x0s+VtEx17W/19t4Ex9o5KiOL3cB1Bf7CtixvNQ
 M0b4+zpZilPf9gu3KODdA6qNXeNXpjry6PZNiSNfBEkNKKSw3WGnlxVRWmFpoHR+S6MS
 5p9bLAPRL48BwLPyNDvH64tiHx5/LpeVG703vIqd2TxtyEJAqOLwzh5O73F99clHWhP/
 Uo+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:date:from:to:cc:subject:message-id:in-reply-to
 :references:reply-to:mime-version:content-transfer-encoding;
 bh=h87aZ9/Yr5kiXo8PUEZxmCEiCW5ZdvQtsCAYw4xAnzk=;
 b=tmb826Ux3G0gEkjMavPKaeMcj1wJIXdTs66C2tdGYrDtsP9LeydGLCPPB94WwBdXn+
 vZk4gcjWdXwwk3EPfjzv+K8qJ9Sxt1CXL/pI8f6hm+TYuhNU9X2c9soOW6Fb6u/AWGYm
 kaHAzf2zfsVW/YrzCZVrHXpEs7JjrJciTSRPi7KgEWfmV76bqgG7G/xM4BY+guRGgKjX
 DC6C/AVWV8yd3zGpvRl369iwy2YeSJal7/t9LdQoC2Ze2JeFfdx1TlOo2CfpyvXZ/N6w
 J74HahJpmZUhzvnFrezlo0a5rjRa399WCg2GFpoATNpHg29jP7Pe4QC30TKJX64g3+w1
 UnHA==
X-Gm-Message-State: AOAM533nUIwjyR+dQ+RAyxGcQ3G+KQsNe1HTtnAQuCUlTEXgq7nEEcxl
 hLorAksHIaLc3o+naKGXSaNici0XlvShHw==
X-Google-Smtp-Source: ABdhPJyEQBrkBXpR9s5gGGAn6Zh5ZDPae7H8YOBkMbYIZiCiOZYr5o4CJY2nchfxokH3BDNhMYTV9A==
X-Received: by 2002:a05:620a:280d:: with SMTP id
 f13mr37446052qkp.686.1641332790388; 
 Tue, 04 Jan 2022 13:46:30 -0800 (PST)
Received: from crass-HP-ZBook-15-G2 ([37.218.244.251])
 by smtp.gmail.com with ESMTPSA id u7sm34236081qkp.17.2022.01.04.13.46.28
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 04 Jan 2022 13:46:30 -0800 (PST)
Date: Tue, 4 Jan 2022 15:46:19 -0600
From: Glenn Washburn <development@efficientek.com>
To: Daniel Kiper <dkiper@net-space.pl>, grub-devel@gnu.org
Cc: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>, Patrick Steinhardt
 <ps@pks.im>, John Lane <john@lane.uk.net>
Subject: Re: [PATCH v8 5/7] cryptodisk: enable the backends to implement key
 files
Message-ID: <20220104154619.2aa0a4bb@crass-HP-ZBook-15-G2>
In-Reply-To: <ded97bfa385a301d51978a78f50f5846cc096d01.1641092534.git.development@efficientek.com>
References: <cover.1641092534.git.development@efficientek.com>
 <ded97bfa385a301d51978a78f50f5846cc096d01.1641092534.git.development@efficientek.com>
Reply-To: Dmitry <reagentoo@gmail.com>
X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Host-Lookup-Failed: Reverse DNS lookup failed for 2607:f8b0:4864:20::72b
 (failed)
Received-SPF: pass client-ip=2607:f8b0:4864:20::72b;
 envelope-from=development@efficientek.com; helo=mail-qk1-x72b.google.com
X-Spam_score_int: 29
X-Spam_score: 2.9
X-Spam_bar: ++
X-Spam_report: (2.9 / 5.0 requ) DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 FREEMAIL_FORGED_REPLYTO=2.095, RCVD_IN_DNSWL_NONE=-0.0001, RDNS_NONE=0.793,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: grub-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: The development of GNU GRUB <grub-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/grub-devel>
List-Post: <mailto:grub-devel@gnu.org>
List-Help: <mailto:grub-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/grub-devel>,
 <mailto:grub-devel-request@gnu.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2022 21:46:33 -0000

Also from Dmitry.

On Tue, 4 Jan 2022 21:25:14 +0300
Dmitry <reagentoo@gmail.com> wrote:

> From: John Lane <john@lane.uk.net>
> 
> Signed-off-by: John Lane <john@lane.uk.net>
> GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
> Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
> development@efficientek.com: rebase and rework to use cryptomount arg passing
> Signed-off-by: Glenn Washburn <development@efficientek.com>
> ---
>  grub-core/disk/cryptodisk.c | 83 +++++++++++++++++++++++++++++++++++++
>  include/grub/cryptodisk.h   |  2 +
>  include/grub/file.h         |  2 +
>  3 files changed, 87 insertions(+)
> 
> diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> index e90f680f0..ea8ed20e2 100644
> --- a/grub-core/disk/cryptodisk.c
> +++ b/grub-core/disk/cryptodisk.c
> @@ -43,6 +43,9 @@ static const struct grub_arg_option options[] =
>      {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
>      {"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING},
>      {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
> +    {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},

You have custom options --header, --keyfile. I suggest renaming in a
similar 
way as in cryptsetup(8) - --header, --key-file, (--master-key-file)

> +    {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
> +    {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
>      {0, 0, 0, 0, 0, 0}
>    };
>  
> @@ -1186,6 +1189,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
>  	return grub_errno;
>      }
>  
> +  if (state[5].set) /* keyfile */
> +    {
> +      const char *p = NULL;
> +      grub_file_t keyfile;
> +      int keyfile_offset;
> +      grub_size_t requested_keyfile_size = 0;
> +
> +
> +      if (state[6].set) /* keyfile-offset */
> +	{
> +	  keyfile_offset = grub_strtoul (state[6].arg, &p, 0);
> +
> +	  if (grub_errno != GRUB_ERR_NONE)
> +	    return grub_errno;
> +
> +	  if (*p != '\0')
> +	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
> +			       N_("unrecognized number"));
> +	}
> +      else
> +	{
> +	  keyfile_offset = 0;
> +	}
> +
> +      if (state[7].set) /* keyfile-size */
> +	{
> +	  requested_keyfile_size = grub_strtoul (state[7].arg, &p, 0);
> +
> +	  if (*p != '\0')
> +	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
> +			       N_("unrecognized number"));
> +
> +	  if (grub_errno != GRUB_ERR_NONE)
> +	    return grub_errno;
> +
> +	  if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
> +	    return grub_error (GRUB_ERR_OUT_OF_RANGE,
> +			      N_("Key file size exceeds maximum (%d)\n"),
> +			      GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
> +
> +	  if (requested_keyfile_size == 0)
> +	    return grub_error (GRUB_ERR_OUT_OF_RANGE,
> +			      N_("Key file size is 0\n"));
> +	}
> +
> +      keyfile = grub_file_open (state[5].arg,
> +				GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
> +      if (!keyfile)
> +	return grub_errno;
> +
> +      if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
> +	return grub_errno;
> +
> +      if (requested_keyfile_size)
> +	{
> +	  if (requested_keyfile_size > (keyfile->size - keyfile_offset))
> +	    return grub_error (GRUB_ERR_FILE_READ_ERROR,
> +			       N_("Keyfile is too small: "
> +				  "requested %" PRIuGRUB_SIZE " bytes, "
> +				  "but the file only has %" PRIuGRUB_UINT64_T
> +				  " bytes.\n"),
> +			       requested_keyfile_size,
> +			       keyfile->size);
> +
> +	  cargs.key_len = requested_keyfile_size;
> +	}
> +      else
> +	{
> +	  cargs.key_len = keyfile->size - keyfile_offset;
> +	}
> +
> +      cargs.key_data = grub_malloc (cargs.key_len);
> +      if (!cargs.key_data)
> +	return GRUB_ERR_OUT_OF_MEMORY;
> +
> +      if (grub_file_read (keyfile, cargs.key_data, cargs.key_len) != (grub_ssize_t) cargs.key_len)
> +	return grub_error (GRUB_ERR_FILE_READ_ERROR,
> +			   (N_("Error reading key file\n")));
> +    }
> +
>    if (state[0].set) /* uuid */
>      {
>        int found_uuid;
> diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
> index 9fe451de9..d94df68b6 100644
> --- a/include/grub/cryptodisk.h
> +++ b/include/grub/cryptodisk.h
> @@ -62,6 +62,8 @@ typedef enum
>  #define GRUB_CRYPTODISK_MAX_KEYLEN 128
>  #define GRUB_CRYPTODISK_MAX_PASSPHRASE 256
>  
> +#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
> +
>  struct grub_cryptodisk;
>  
>  typedef gcry_err_code_t
> diff --git a/include/grub/file.h b/include/grub/file.h
> index 3a3c49a04..2d5d16cd2 100644
> --- a/include/grub/file.h
> +++ b/include/grub/file.h
> @@ -92,6 +92,8 @@ enum grub_file_type
>      GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY,
>      /* File holding the encryption metadata header */
>      GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER,
> +    /* File holding the encryption key */
> +    GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY,
>      /* File we open n grub-fstest.  */
>      GRUB_FILE_TYPE_FSTEST,
>      /* File we open n grub-mount.  */

Dmitry