From: Patrick Steinhardt
To: grub-devel@gnu.org
Cc: Patrick Steinhardt
Subject: [PATCH 0/6] Support for LUKS2 disc encryption
Date: Sat, 2 Nov 2019 19:06:49 +0100

Hi,

as you probably know, the cryptsetup project has introduced a new format
LUKS2 in 2017 which is incompatible with the previous format. GRUB is
thus currently not able to boot from disks encrypted with the newer
format.

Both formats do in fact differ quite a lot.
While the old one used a single binary header, the LUKS2 one uses a
binary header to identify a JSON header that contains all encryption
parameters. The intent of the cryptsetup project is to be more flexible
than they have previously been with the binary header, but that also
required me to pull in a JSON parser. I hope to have found one that
doesn't generate too much controversy, but let's see.

Anyway. This patch set implements support for key derivation via PBKDF2,
only. LUKS2 has also introduced the Argon2i/Argon2id KDFs, but as
libgcrypt does not currently support these I've decided to first go the
simple route of adding PBKDF2, only. GRUB could probably pull in Argon2i
as another dependency, but I focussed on getting basic support for LUKS2
ready first.

So the result is a new module "luks2" that is able to decrypt and read
LUKS2-encrypted partitions that use PBKDF2 as KDF.

Regards
Patrick

Patrick Steinhardt (6):
  jsmn: Add JSON parser
  jsmn: Add convenience functions
  bootstrap: Add gnulib's base64 module
  afsplitter: Move into its own module
  luks: Move configuration of ciphers into cryptodisk
  disk: Implement support for LUKS2

 Makefile.util.def                             |   1 +
 bootstrap.conf                                |   3 +-
 conf/Makefile.extra-dist                      |   1 +
 docs/grub.texi                                |   2 +-
 grub-core/Makefile.core.def                   |  14 +-
 grub-core/disk/AFSplitter.c                   |   3 +
 grub-core/disk/cryptodisk.c                   | 163 ++++-
 grub-core/disk/luks.c                         | 188 +----
 grub-core/disk/luks2.c                        | 685 ++++++++++++++++++
 grub-core/lib/gnulib-patches/fix-base64.patch |  26 +
 include/grub/cryptodisk.h                     |   3 +
 include/grub/jsmn.h                           | 579 +++++++++++++++
 12 files changed, 1491 insertions(+), 177 deletions(-)
 create mode 100644 grub-core/disk/luks2.c
 create mode 100644 grub-core/lib/gnulib-patches/fix-base64.patch
 create mode 100644 include/grub/jsmn.h

-- 
2.23.0
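
An added example, not part of the original message or of the patch series: a Python sketch of the layout described above (binary header followed by a JSON area) that reports which keyslots use PBKDF2 and so fall within what the cover letter says the new module handles. The function names and the in-memory sample image are constructed for illustration, the field offsets follow the LUKS2 on-disk format, and the header checksum is not verified.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # magic of the primary LUKS header
BIN_HDR_SIZE = 4096            # fixed-size binary header that precedes the JSON area

def parse_luks2_header(image: bytes) -> dict:
    """Return the JSON metadata found behind a LUKS2 binary header."""
    if len(image) < BIN_HDR_SIZE:
        raise ValueError("image shorter than the binary header")
    # magic[6], version (u16), hdr_size (u64: binary header + JSON area), big-endian
    magic, version, hdr_size = struct.unpack_from(">6sHQ", image, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 2:
        raise ValueError(f"LUKS version {version}, not LUKS2")
    if not BIN_HDR_SIZE < hdr_size <= len(image):
        raise ValueError("hdr_size out of bounds for this image")
    json_area = image[BIN_HDR_SIZE:hdr_size]
    # The JSON text is NUL-terminated; the rest of the area is zero padding.
    return json.loads(json_area.split(b"\0", 1)[0].decode("utf-8"))

def keyslot_kdfs(metadata: dict) -> dict:
    """Map keyslot id -> KDF type ("pbkdf2", "argon2i" or "argon2id")."""
    return {slot: ks["kdf"]["type"]
            for slot, ks in metadata.get("keyslots", {}).items()}

def pbkdf2_only_slots(metadata: dict) -> list:
    """Keyslots that a PBKDF2-only reader, as described above, could use."""
    return sorted(s for s, kdf in keyslot_kdfs(metadata).items() if kdf == "pbkdf2")

def build_sample_image() -> bytes:
    """Constructed sample: one Argon2i keyslot and one PBKDF2 keyslot."""
    meta = {"keyslots": {
        "0": {"type": "luks2",
              "kdf": {"type": "argon2i", "time": 4, "memory": 1048576, "cpus": 4}},
        "1": {"type": "luks2",
              "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 100000}},
    }}
    json_area = json.dumps(meta).encode().ljust(12288, b"\0")
    hdr = struct.pack(">6sHQ", LUKS_MAGIC, 2, BIN_HDR_SIZE + len(json_area))
    return hdr.ljust(BIN_HDR_SIZE, b"\0") + json_area

if __name__ == "__main__":
    md = parse_luks2_header(build_sample_image())
    print("KDF per keyslot:", keyslot_kdfs(md))
    print("usable with PBKDF2 only:", pbkdf2_only_slots(md))
```

On a real system the same per-keyslot KDF information is shown by `cryptsetup luksDump`.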