From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1ndnlu-0005s8-6d for mharc-grub-devel@gnu.org; Mon, 11 Apr 2022 02:43:35 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40374) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ndnlr-0005rs-OK for grub-devel@gnu.org; Mon, 11 Apr 2022 02:43:31 -0400 Received: from mail-qt1-x82f.google.com ([2607:f8b0:4864:20::82f]:39821) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1ndnlp-0004iJ-37 for grub-devel@gnu.org; Mon, 11 Apr 2022 02:43:31 -0400 Received: by mail-qt1-x82f.google.com with SMTP id s7so15550309qtk.6 for ; Sun, 10 Apr 2022 23:43:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=efficientek-com.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Txloq9XFwoVvSZGuhGHMHrTTVXw3FwznHmTaFW5J/z8=; b=1hKWGT2QnIyPhpJMNNK6Pn2rzHXf5G1z6vVIsRZqNeC1/q12OuZe2bnNI2HDEZFnhr AMPBHQ/XaTwt/AIaXBENTwaJcKaS++R/slFGMZhlm7up5xyT86CPaBkZDvwojTj40OyZ iuLB1AedhsHv4zK+sRtgQJIAgZgsUHVumP9QzA/Wj1AEqqAfzuNm3UOOddGbGSblYalY wJt3h8kkDrfUn+JIdlI5Li2jKkHDZowq4sng7N1cApJ+AIG2/Zv441feGQu+rmW+4ETJ ukYLvIFqLMjuDctCnn+s3qaCINTE4rsHX3k2l+/TzSg0yn2gk6w2qNUO4ie6F2y/Iukp glzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Txloq9XFwoVvSZGuhGHMHrTTVXw3FwznHmTaFW5J/z8=; b=w1uN5x0PDVUO8T5QSgi50tqyk7V0CrZZ7MnFXTVChXl3k7wNmGWZ66YHb0tPNBMv4V EDl5aRq8xRvLd49cmoHo/ZD4rZWWQwr8yQvDAKmnpsDCQ/m3U92rZHDoDNAl/7ULoskM RygJQ9Dg6Hp2oOZDFb3IJKz1pLyxaF5sj6JtRbeeKFbNy8meqI8QjUPJI7GvEb4y9c31 VKPprgg8T41ppLY0ehkjlkouZfQunlDp8HITjOWWOATfeU5ifle4inPsGSvM2Dq1EynD KWhgbWKFzXhLNS8Xtqk6kPxp7F8nHd2zUiZQhBdUuAC+2/ciA4ZACYj59uD9JY3S2jVW L03Q== X-Gm-Message-State: AOAM532GY5wRUuW/+Rz9lPI/FaKXqcJHPwRfAN0FteW/6U3aJ66HUdY5 ybYkHzwKE1AB+NBY1/IYMWNR2IxpXnaQTQ== X-Google-Smtp-Source: ABdhPJznJTWSZ1IqNIsBAaLaM3lw958iH9a60d89vNUwVmDoHBbHptdQDM9kMNWU3pkLKBjVJVD1ZA== X-Received: by 2002:ac8:7e81:0:b0:2eb:8e71:93d9 with SMTP id w1-20020ac87e81000000b002eb8e7193d9mr24524698qtj.516.1649659407516; Sun, 10 Apr 2022 23:43:27 -0700 (PDT) Received: from localhost.localdomain (yal.riseup.net. [199.58.83.9]) by smtp.gmail.com with ESMTPSA id i19-20020a05620a27d300b0069c1c7986eesm1662307qkp.89.2022.04.10.23.43.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 10 Apr 2022 23:43:26 -0700 (PDT) From: Glenn Washburn To: grub-devel@gnu.org, Daniel Kiper Cc: Denis 'GNUtoo' Carikli , Patrick Steinhardt , John Lane , Glenn Washburn Subject: [PATCH v9 0/7] Cryptodisk detached headers and key files Date: Mon, 11 Apr 2022 06:40:21 +0000 Message-Id: X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::82f; envelope-from=development@efficientek.com; helo=mail-qt1-x82f.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Apr 2022 06:43:32 -0000 Updates from v8: * Add documentation patch * Merge previous patch updating the cryptomount help string with key file options into the patch adding key file support * Improve commit messages * rename requested_keyfile_size -> keyfile_size * Minor improvements to the code This patch series adds LUKS deatched header and key file support to cryptomount. Glenn Denis 'GNUtoo' Carikli (2): cryptodisk: luks: Unify grub_cryptodisk_dev function names cryptodisk: geli: Unify grub_cryptodisk_dev function names Glenn Washburn (3): cryptodisk: Add --header option to cryptomount and fail to implement it in the backends luks2: Add detached header support docs: Add documentation on keyfile and detached header options to cryptomount John Lane (2): cryptodisk: Add support for LUKS1 detached headers cryptodisk: Add options to cryptomount to support keyfiles docs/grub.texi | 16 ++++-- grub-core/disk/cryptodisk.c | 98 ++++++++++++++++++++++++++++++++++++- grub-core/disk/geli.c | 18 +++++-- grub-core/disk/luks.c | 48 ++++++++++++++---- grub-core/disk/luks2.c | 59 ++++++++++++++++++---- include/grub/cryptodisk.h | 4 ++ include/grub/file.h | 4 ++ 7 files changed, 217 insertions(+), 30 deletions(-) Range-diff against v8: 1: 9918a70dce ! 1: 40941ee45c cryptodisk: luks: unify grub_cryptodisk_dev function names @@ Metadata Author: Denis 'GNUtoo' Carikli ## Commit message ## - cryptodisk: luks: unify grub_cryptodisk_dev function names + cryptodisk: luks: Unify grub_cryptodisk_dev function names Signed-off-by: Denis 'GNUtoo' Carikli Reviewed-by: Patrick Steinhardt 2: 5d3ce5515e ! 2: c259075bf3 cryptodisk: geli: unify grub_cryptodisk_dev function names @@ Metadata Author: Denis 'GNUtoo' Carikli ## Commit message ## - cryptodisk: geli: unify grub_cryptodisk_dev function names + cryptodisk: geli: Unify grub_cryptodisk_dev function names Signed-off-by: Denis 'GNUtoo' Carikli Reviewed-by: Patrick Steinhardt 3: c7b8c290d7 ! 3: 1b2055ac5d cryptodisk: enable the backends to implement detached headers @@ Metadata Author: Glenn Washburn ## Commit message ## - cryptodisk: enable the backends to implement detached headers + cryptodisk: Add --header option to cryptomount and fail to implement it in the backends + + Add a --header (short -H) option to cryptomount which takes a file argument. + Pass the file to the backends via cargs struct and cause the backends to + fail when passed a header. Detached header file support will be added later + for individual backends. Signed-off-by: John Lane GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli - development@efficientek.com: rebase, rework for cryptomount parameter passing + development@efficientek.com: rebase, rework for cryptomount parameter passing, + improve commit message ## grub-core/disk/cryptodisk.c ## @@ grub-core/disk/cryptodisk.c: static const struct grub_arg_option options[] = @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i cargs.key_len = grub_strlen (state[3].arg); } -+ if (state[4].set) /* Detached header */ ++ if (state[4].set) /* header */ + { + if (state[0].set) + return grub_error (GRUB_ERR_BAD_ARGUMENT, -+ N_("Cannot use UUID lookup with detached header")); ++ N_("cannot use UUID lookup with detached header")); + + cargs.hdr_file = grub_file_open (state[4].arg, + GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER); -+ if (!cargs.hdr_file) ++ if (cargs.hdr_file == NULL) + return grub_errno; + } + 4: 59c7c2abcb ! 4: 05c7ca844c cryptodisk: add support for LUKS1 detached headers @@ Metadata Author: John Lane ## Commit message ## - cryptodisk: add support for LUKS1 detached headers + cryptodisk: Add support for LUKS1 detached headers - cryptsetup supports having a detached header through the - --header command line argument for both LUKS1 and LUKS2. - - This adds support for LUKS1 detached headers. + cryptsetup supports having a detached header through the --header command + line argument for both LUKS1 and LUKS2. Allow the LUKS1 backend to use a + given file as the LUKS1 header (aka detached header) instead of looking for + the header on the disk. Signed-off-by: John Lane GNUtoo@cyberdimension.org: rebase, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli - development@efficientek.com: rebase + development@efficientek.com: rebase, improve commit message ## grub-core/disk/luks.c ## @@ 5: 9b436ce0e6 ! 5: fb33d6810d cryptodisk: enable the backends to implement key files @@ Metadata Author: John Lane ## Commit message ## - cryptodisk: enable the backends to implement key files + cryptodisk: Add options to cryptomount to support keyfiles + + Add the options --key-file, --keyfile-offset, and --keyfile-size to + cryptomount and code to put read the requested key file data and pass + via the cargs struct. Note, key file data is for all intents and purposes + equivalent to a password given to cryptomount. So there is no need to + enable support for key files in the various crypto backends (eg. LUKS1) + because the key data is passed just as if it were a password. Signed-off-by: John Lane GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli - development@efficientek.com: rebase and rework to use cryptomount arg passing + development@efficientek.com: rebase and rework to use cryptomount arg passing, + minor fixes, improve commit message ## grub-core/disk/cryptodisk.c ## @@ grub-core/disk/cryptodisk.c: static const struct grub_arg_option options[] = @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + const char *p = NULL; + grub_file_t keyfile; + int keyfile_offset; -+ grub_size_t requested_keyfile_size = 0; ++ grub_size_t keyfile_size = 0; + + + if (state[6].set) /* keyfile-offset */ @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + + if (state[7].set) /* keyfile-size */ + { -+ requested_keyfile_size = grub_strtoul (state[7].arg, &p, 0); ++ keyfile_size = grub_strtoul (state[7].arg, &p, 0); + + if (*p != '\0') + return grub_error (GRUB_ERR_BAD_ARGUMENT, @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + if (grub_errno != GRUB_ERR_NONE) + return grub_errno; + -+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) ++ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) + return grub_error (GRUB_ERR_OUT_OF_RANGE, -+ N_("Key file size exceeds maximum (%d)\n"), -+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); ++ N_("key file size exceeds maximum (%d)"), ++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); + -+ if (requested_keyfile_size == 0) -+ return grub_error (GRUB_ERR_OUT_OF_RANGE, -+ N_("Key file size is 0\n")); ++ if (keyfile_size == 0) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("key file size is 0")); + } + + keyfile = grub_file_open (state[5].arg, + GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY); -+ if (!keyfile) ++ if (keyfile == NULL) + return grub_errno; + + if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) + return grub_errno; + -+ if (requested_keyfile_size) ++ if (keyfile_size > 0) + { -+ if (requested_keyfile_size > (keyfile->size - keyfile_offset)) ++ if (keyfile_size > (keyfile->size - keyfile_offset)) + return grub_error (GRUB_ERR_FILE_READ_ERROR, -+ N_("Keyfile is too small: " ++ N_("keyfile is too small: " + "requested %" PRIuGRUB_SIZE " bytes, " + "but the file only has %" PRIuGRUB_UINT64_T -+ " bytes.\n"), -+ requested_keyfile_size, ++ " bytes"), ++ keyfile_size, + keyfile->size); + -+ cargs.key_len = requested_keyfile_size; ++ cargs.key_len = keyfile_size; + } + else + { @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + } + + cargs.key_data = grub_malloc (cargs.key_len); -+ if (!cargs.key_data) ++ if (cargs.key_data == NULL) + return GRUB_ERR_OUT_OF_MEMORY; + + if (grub_file_read (keyfile, cargs.key_data, cargs.key_len) != (grub_ssize_t) cargs.key_len) -+ return grub_error (GRUB_ERR_FILE_READ_ERROR, -+ (N_("Error reading key file\n"))); ++ return grub_error (GRUB_ERR_FILE_READ_ERROR, (N_("reading key file"))); + } + if (state[0].set) /* uuid */ { int found_uuid; +@@ grub-core/disk/cryptodisk.c: GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("[-p password] [-H file] "), ++ N_("[ [-p password] | [-k keyfile" ++ " [-O keyoffset] [-S keysize] ] ] [-H file]" ++ " "), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } ## include/grub/cryptodisk.h ## @@ include/grub/cryptodisk.h: typedef enum 6: ccb3bde361 < -: ---------- cryptodisk: Improve cryptomount short help string 7: 0464e48e2d ! 6: f15ff743c4 luks2: Add detached header support @@ Metadata ## Commit message ## luks2: Add detached header support + If a header file is given to the LUKS2 backend, use that file as the LUKS2 + header, instead of looking for it on the disk. + ## grub-core/disk/luks2.c ## @@ grub-core/disk/luks2.c: luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d, grub_luks2_s -: ---------- > 7: 53ba137d3b docs: Add documentation on keyfile and detached header options to cryptomount -- 2.25.1