From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1keEwZ-0006zA-Rl for mharc-grub-devel@gnu.org; Sun, 15 Nov 2020 05:07:35 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:42006) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1keEwY-0006yr-Hs for grub-devel@gnu.org; Sun, 15 Nov 2020 05:07:34 -0500 Received: from out3-smtp.messagingengine.com ([66.111.4.27]:44185) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1keEwW-0001f6-DH for grub-devel@gnu.org; Sun, 15 Nov 2020 05:07:34 -0500 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id EB5375C00AB; Sun, 15 Nov 2020 05:07:31 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Sun, 15 Nov 2020 05:07:31 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pks.im; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm2; bh=y/bsiO/Sb36/5zwKq79tTJrbIKx oMZZvLL5pxMFPaFI=; b=wBfATNX581WWtSdAT/Uzy5tU48Mo9z1cbOT9Z1kz/oD fUUMMr8jQcLgXHObr4iXNsi4U0xcfSWh+g1GQma5bv9CbiRGaacwJuOVBPNODcug U+0n49+gv+0+0FUVXldR2Z3qZu/HEU7YdPI0D1Gl+nQhXPoi9eWHwNaZEIi7KQMj 9oNKrYnykwLyvGauWQD5ddcj3hFdyR0YdENECZ79X7awfzeX6ju0AoDuSQNUe58x Q20C4Do0w45d+s5i+qZJcLAFFMw3ZgIQqcGnWyiheFCM+MoV7s3BJmKqvR8mz13V v5lPJB87n5tTod3Ze0yAOFi2IGcExxcIFQNAvYKh10g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=y/bsiO /Sb36/5zwKq79tTJrbIKxoMZZvLL5pxMFPaFI=; b=nR3wkwbU7wFv/oF9b6Xd7T +h01fTqg9ICeOzfK50cqeKWUchIfiHO7wEjGV+mcMSBQ4UszovFPwu70t2Pmj7GI Z7hdUAnJfEOblbZ4DO4uDjnSdFQ50Y0aeoYl8dGnXvuxawYsvwmYb6seq2ZzUN/T JoCCudCphDcGTyphLnaqDkOdARGPJjl/OYg/fv/vgN9cZqNCLIMRZgXwqbES/FBJ bNA1hiaEHZWUC+8j3OxMnzXLMZtoUeBRkqTpvMeWkC/oynsHCYGA71X64mmMS20g UqMXtoX63nEFYdOWLn54rEgqEnBOETjNnvGAQJ/6Suq8sThTMtALRlp8bckqtvDQ == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedruddvledgudefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefrrghtrhhi tghkucfuthgvihhnhhgrrhguthcuoehpshesphhkshdrihhmqeenucggtffrrghtthgvrh hnpeehgefhtdefueffheekgfffudelffejtdfhvdejkedthfehvdelgfetgfdvtedthfen ucfkphepjeekrdehgedrvddurddvtdeinecuvehluhhsthgvrhfuihiivgeptdenucfrrg hrrghmpehmrghilhhfrhhomhepphhssehpkhhsrdhimh X-ME-Proxy: Received: from vm-mail.pks.im (dynamic-078-054-021-206.78.54.pool.telefonica.de [78.54.21.206]) by mail.messagingengine.com (Postfix) with ESMTPA id C47873064AA6; Sun, 15 Nov 2020 05:07:30 -0500 (EST) Received: from localhost (ncase [10.192.0.11]) by vm-mail.pks.im (OpenSMTPD) with ESMTPSA id 8f7b0d8b (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Sun, 15 Nov 2020 10:07:28 +0000 (UTC) Date: Sun, 15 Nov 2020 11:07:27 +0100 From: Patrick Steinhardt To: Glenn Washburn Cc: grub-devel@gnu.org, Daniel Kiper Subject: Re: [PATCH v4 13/15] cryptodisk: Properly handle non-512 byte sized sectors. Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="IhcyeVgugl36O0+p" Content-Disposition: inline In-Reply-To: Received-SPF: pass client-ip=66.111.4.27; envelope-from=ps@pks.im; helo=out3-smtp.messagingengine.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/11/15 04:37:28 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Nov 2020 10:07:34 -0000 --IhcyeVgugl36O0+p Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Nov 06, 2020 at 10:44:33PM -0600, Glenn Washburn wrote: > By default, dm-crypt internally uses an IV that corresponds to 512-byte > sectors, even when a larger sector size is specified. What this means is > that when using a larger sector size, the IV is incremented every sector. > However, the amount the IV is incremented is the number of 512 byte blocks > in a sector (ie 8 for 4K sectors). Confusingly the IV does not corespond = to > the number of, for example, 4K sectors. So each 512 byte cipher block in a > sector will be encrypted with the same IV and the IV will be incremented > afterwards by the number of 512 byte cipher blocks in the sector. >=20 > There are some encryption utilities which do it the intuitive way and have > the IV equal to the sector number regardless of sector size (ie. the fifth > sector would have an IV of 4 for each cipher block). And this is supported > by dm-crypt with the iv_large_sectors option and also cryptsetup as of 2.= 3.3 > with the --iv-large-sectors, though not with LUKS headers (only with --ty= pe > plain). However, support for this has not been included as grub does not > support plain devices right now. >=20 > One gotcha here is that the encrypted split keys are encrypted with a har= d- > coded 512-byte sector size. So even if your data is encrypted with 4K sec= tor > sizes, the split key encrypted area must be decrypted with a block size of > 512 (ie the IV increments every 512 bytes). This made these changes less > aestetically pleasing than desired. >=20 > Signed-off-by: Glenn Washburn > --- > grub-core/disk/cryptodisk.c | 55 ++++++++++++++++++++++--------------- > grub-core/disk/luks.c | 5 ++-- > grub-core/disk/luks2.c | 7 ++++- > include/grub/cryptodisk.h | 8 +++++- > 4 files changed, 49 insertions(+), 26 deletions(-) >=20 > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c > index 31b73c535..61f8e57f4 100644 > --- a/grub-core/disk/cryptodisk.c > +++ b/grub-core/disk/cryptodisk.c > @@ -224,7 +224,8 @@ lrw_xor (const struct lrw_sector *sec, > static gcry_err_code_t > grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev, > grub_uint8_t * data, grub_size_t len, > - grub_disk_addr_t sector, int do_encrypt) > + grub_disk_addr_t sector, grub_size_t log_sector_size, > + int do_encrypt) > { > grub_size_t i; > gcry_err_code_t err; > @@ -237,12 +238,12 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *= dev, > return (do_encrypt ? grub_crypto_ecb_encrypt (dev->cipher, data, dat= a, len) > : grub_crypto_ecb_decrypt (dev->cipher, data, data, len)); > =20 > - for (i =3D 0; i < len; i +=3D (1U << dev->log_sector_size)) > + for (i =3D 0; i < len; i +=3D (1U << log_sector_size)) > { > grub_size_t sz =3D ((dev->cipher->cipher->blocksize > + sizeof (grub_uint32_t) - 1) > / sizeof (grub_uint32_t)); > - grub_uint32_t iv[(GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE + 3) / 4]; > + grub_uint32_t iv[(GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE + 3) / 4] __att= ribute__((aligned (sizeof (grub_uint64_t)))); > =20 > if (dev->rekey) > { > @@ -270,7 +271,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *de= v, > if (!ctx) > return GPG_ERR_OUT_OF_MEMORY; > =20 > - tmp =3D grub_cpu_to_le64 (sector << dev->log_sector_size); > + tmp =3D grub_cpu_to_le64 (sector << log_sector_size); > dev->iv_hash->init (ctx); > dev->iv_hash->write (ctx, dev->iv_prefix, dev->iv_prefix_len); > dev->iv_hash->write (ctx, &tmp, sizeof (tmp)); > @@ -281,15 +282,25 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *= dev, > } > break; > case GRUB_CRYPTODISK_MODE_IV_PLAIN64: > - iv[1] =3D grub_cpu_to_le32 (sector >> 32); > - /* FALLTHROUGH */ > case GRUB_CRYPTODISK_MODE_IV_PLAIN: > - iv[0] =3D grub_cpu_to_le32 (sector & GRUB_TYPE_U_MAX (iv[0])); > + /* > + * The IV is a 32 or 64 bit value of the dm-crypt native sector > + * number. If using 32 bit IV mode, zero out the most significant > + * 32 bits. > + */ > + { > + grub_uint64_t *iv64 =3D (grub_uint64_t *) iv; > + *iv64 =3D grub_cpu_to_le64 (sector << (log_sector_size > + - GRUB_CRYPTODISK_IV_LOG_SIZE)); > + if (dev->mode_iv =3D=3D GRUB_CRYPTODISK_MODE_IV_PLAIN) > + iv[1] =3D 0; > + } > break; > case GRUB_CRYPTODISK_MODE_IV_BYTECOUNT64: > + /* The IV is the 64 bit byte offset of the sector. */ > iv[1] =3D grub_cpu_to_le32 (sector >> (GRUB_TYPE_BITS (iv[1]) > - - dev->log_sector_size)); > - iv[0] =3D grub_cpu_to_le32 ((sector << dev->log_sector_size) > + - log_sector_size)); > + iv[0] =3D grub_cpu_to_le32 ((sector << log_sector_size) > & GRUB_TYPE_U_MAX (iv[0])); > break; > case GRUB_CRYPTODISK_MODE_IV_BENBI: > @@ -312,10 +323,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *= dev, > case GRUB_CRYPTODISK_MODE_CBC: > if (do_encrypt) > err =3D grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i, > - (1U << dev->log_sector_size), iv); > + (1U << log_sector_size), iv); > else > err =3D grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i, > - (1U << dev->log_sector_size), iv); > + (1U << log_sector_size), iv); > if (err) > return err; > break; > @@ -323,10 +334,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *= dev, > case GRUB_CRYPTODISK_MODE_PCBC: > if (do_encrypt) > err =3D grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i, > - (1U << dev->log_sector_size), iv); > + (1U << log_sector_size), iv); > else > err =3D grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i, > - (1U << dev->log_sector_size), iv); > + (1U << log_sector_size), iv); > if (err) > return err; > break; > @@ -338,7 +349,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *de= v, > if (err) > return err; > =20 > - for (j =3D 0; j < (1U << dev->log_sector_size); > + for (j =3D 0; j < (1U << log_sector_size); > j +=3D dev->cipher->cipher->blocksize) > { > grub_crypto_xor (data + i + j, data + i + j, iv, > @@ -369,11 +380,11 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *= dev, > if (do_encrypt) > err =3D grub_crypto_ecb_encrypt (dev->cipher, data + i,=20 > data + i, > - (1U << dev->log_sector_size)); > + (1U << log_sector_size)); > else > err =3D grub_crypto_ecb_decrypt (dev->cipher, data + i,=20 > data + i, > - (1U << dev->log_sector_size)); > + (1U << log_sector_size)); > if (err) > return err; > lrw_xor (&sec, dev, data + i); > @@ -382,10 +393,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *= dev, > case GRUB_CRYPTODISK_MODE_ECB: > if (do_encrypt) > err =3D grub_crypto_ecb_encrypt (dev->cipher, data + i, data + i, > - (1U << dev->log_sector_size)); > + (1U << log_sector_size)); > else > err =3D grub_crypto_ecb_decrypt (dev->cipher, data + i, data + i, > - (1U << dev->log_sector_size)); > + (1U << log_sector_size)); > if (err) > return err; > break; > @@ -400,9 +411,9 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *de= v, > gcry_err_code_t > grub_cryptodisk_decrypt (struct grub_cryptodisk *dev, > grub_uint8_t * data, grub_size_t len, > - grub_disk_addr_t sector) > + grub_disk_addr_t sector, grub_size_t log_sector_size) > { > - return grub_cryptodisk_endecrypt (dev, data, len, sector, 0); > + return grub_cryptodisk_endecrypt (dev, data, len, sector, log_sector_s= ize, 0); > } > =20 > grub_err_t > @@ -767,7 +778,7 @@ grub_cryptodisk_read (grub_disk_t disk, grub_disk_add= r_t sector, > } > gcry_err =3D grub_cryptodisk_endecrypt (dev, (grub_uint8_t *) buf, > size << disk->log_sector_size, > - sector, 0); > + sector, dev->log_sector_size, 0); > return grub_crypto_gcry_error (gcry_err); > } > =20 > @@ -808,7 +819,7 @@ grub_cryptodisk_write (grub_disk_t disk, grub_disk_ad= dr_t sector, > =20 > gcry_err =3D grub_cryptodisk_endecrypt (dev, (grub_uint8_t *) tmp, > size << disk->log_sector_size, > - sector, 1); > + sector, disk->log_sector_size, 1); > if (gcry_err) > { > grub_free (tmp); > diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c > index aa9877b68..84c3fa73a 100644 > --- a/grub-core/disk/luks.c > +++ b/grub-core/disk/luks.c > @@ -124,7 +124,7 @@ configure_ciphers (grub_disk_t disk, const char *chec= k_uuid, > return NULL; > newdev->offset_sectors =3D grub_be_to_cpu32 (header.payloadOffset); > newdev->source_disk =3D NULL; > - newdev->log_sector_size =3D 9; > + newdev->log_sector_size =3D GRUB_LUKS1_LOG_SECTOR_SIZE; > newdev->total_sectors =3D grub_disk_get_size (disk) - newdev->offset_s= ectors; > grub_memcpy (newdev->uuid, uuid, sizeof (uuid)); > newdev->modname =3D "luks"; > @@ -247,7 +247,8 @@ luks_recover_key (grub_disk_t source, > return err; > } > =20 > - gcry_err =3D grub_cryptodisk_decrypt (dev, split_key, length, 0); > + gcry_err =3D grub_cryptodisk_decrypt (dev, split_key, length, 0, > + GRUB_LUKS1_LOG_SECTOR_SIZE); > if (gcry_err) > { > grub_free (split_key); > diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c > index 355bb4aec..4a4a0dec4 100644 > --- a/grub-core/disk/luks2.c > +++ b/grub-core/disk/luks2.c > @@ -504,7 +504,12 @@ luks2_decrypt_key (grub_uint8_t *out_key, > goto err; > } > =20 > - gcry_ret =3D grub_cryptodisk_decrypt (crypt, split_key, k->area.size, = 0); > + /* > + * The key slots area is always encrypted in 512-byte sectors, > + * regardless of encrypted data sector size. > + */ > + gcry_ret =3D grub_cryptodisk_decrypt (crypt, split_key, k->area.size, = 0, > + GRUB_LUKS1_LOG_SECTOR_SIZE); > if (gcry_ret) > { > ret =3D grub_crypto_gcry_error (gcry_ret); > diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h > index 258b777bf..ee30e4537 100644 > --- a/include/grub/cryptodisk.h > +++ b/include/grub/cryptodisk.h > @@ -48,6 +48,12 @@ typedef enum > =20 > #define GRUB_CRYPTODISK_MAX_UUID_LENGTH 71 > =20 > +/* LUKS1 specification defines the block size to always be 512 bytes. */ > +#define GRUB_LUKS1_LOG_SECTOR_SIZE 9 Sorry to be nitpicky, but this constant is used for both LUKS1 and LUKS2. Shouldn't it just be called `GRUB_LUKS_LOG_SECTOR_SIZE`? Patrick > +/* By default dm-crypt increments the IV every 512 bytes. */ > +#define GRUB_CRYPTODISK_IV_LOG_SIZE 9 > + > #define GRUB_CRYPTODISK_GF_LOG_SIZE 7 > #define GRUB_CRYPTODISK_GF_SIZE (1U << GRUB_CRYPTODISK_GF_LOG_SIZE) > #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3) > @@ -145,7 +151,7 @@ grub_cryptodisk_setkey (grub_cryptodisk_t dev, > gcry_err_code_t > grub_cryptodisk_decrypt (struct grub_cryptodisk *dev, > grub_uint8_t * data, grub_size_t len, > - grub_disk_addr_t sector); > + grub_disk_addr_t sector, grub_size_t log_sector_size); > grub_err_t > grub_cryptodisk_insert (grub_cryptodisk_t newdev, const char *name, > grub_disk_t source); > --=20 > 2.27.0 >=20 --IhcyeVgugl36O0+p Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEF9hrgiFbCdvenl/rVbJhu7ckPpQFAl+w/d4ACgkQVbJhu7ck PpQgaA/9GXV3SSgBMtGZCIF0T1bJ1aQp1ugovwyG1YPZu8wgayai8YLXNJjBqoKF DVaFErdbrbUvboK5f8zNcYN+tbc+7MW9zy7awu/rU9IqqmSQxl3YeH95M5qrM8Wm iNQSfq2Ud69ZKgDj/SvEIBv7h5cABolQl9gDsxAwluo7pA/ukedM5s1zDRG4ys6U bnelreoqPfJvIrdpWFj+hSD9POwahMqlXzBjTwy08PAOyweo6auGk/mFZFc9rogB AZQS54m0UahJvkepT/GSkPQjewrioQ2XUO26sXZ4MEBdR83QVIXxr6xvHQW7osQE NnFCEajr1qD3/zc3B1e5KHoEZ4uVKMO7k92AdcqXPY4qCDkhQIBxUM+IHDkGWB39 KCq5z48h4HNwC38UNGacATuLFr8sc7fiQZoGyk9zdRr/K7706fsFtoXbX7NcztNt IaFV2amVLbBPW+9GYnGYbIcoLQNc1bok1ISFg0s3XMzjsKfBg3zPxnD+kBAHRHkt 70+23b1iRoqNgN5040dMt0acPL3vFq3OM4PX2POfDDihWU2nQhQQhhpeU2oK2JEF NXP4jd7E/OoIDyZfsxxksrW1/EoMPh6DUZ4eIgU0hJbsZ71BS+rfbFTADPr7TA0W j2y8V1SXq3aIH9wEYgY3DCav/+NlMF7Gl7o41Vgz6fR4vGGA8Xc= =OYYB -----END PGP SIGNATURE----- --IhcyeVgugl36O0+p--