From: Glenn Washburn
To: Daniel Kiper, grub-devel@gnu.org
Cc: Denis 'GNUtoo' Carikli, Patrick Steinhardt, John Lane, Glenn Washburn
Subject: [PATCH v8 5/7] cryptodisk: enable the backends to implement key files
Date: Sat, 1 Jan 2022 21:52:58 -0600

From: John Lane

Signed-off-by: John Lane
GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
Signed-off-by: Denis 'GNUtoo' Carikli
development@efficientek.com: rebase and rework to use cryptomount arg passing
Signed-off-by: Glenn Washburn --- grub-core/disk/cryptodisk.c | 83 +++++++++++++++++++++++++++++++++++++ include/grub/cryptodisk.h | 2 + include/grub/file.h | 2 + 3 files changed, 87 insertions(+) diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c index e90f680f0..ea8ed20e2 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -43,6 +43,9 @@ static const struct grub_arg_option options[] = {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, {"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING}, {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING}, + {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, + {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, + {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, {0, 0, 0, 0, 0, 0} }; 
@@ -1186,6 +1189,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) return grub_errno; } + if (state[5].set) /* keyfile */ + { + const char *p = NULL; + grub_file_t keyfile; + int keyfile_offset; + grub_size_t requested_keyfile_size = 0; + + + if (state[6].set) /* keyfile-offset */ + { + keyfile_offset = grub_strtoul (state[6].arg, &p, 0); + + if (grub_errno != GRUB_ERR_NONE) + return grub_errno; + + if (*p != '\0') + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("unrecognized number")); + } + else + { + keyfile_offset = 0; + } + + if (state[7].set) /* keyfile-size */ + { + requested_keyfile_size = grub_strtoul (state[7].arg, &p, 0); + + if (*p != '\0') + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("unrecognized number")); + + if (grub_errno != GRUB_ERR_NONE) + return grub_errno; + + if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) + return grub_error (GRUB_ERR_OUT_OF_RANGE, + N_("Key file size exceeds maximum (%d)\n"), + GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); + + if (requested_keyfile_size == 0) + return grub_error (GRUB_ERR_OUT_OF_RANGE, + N_("Key file size is 0\n")); + } + + keyfile = grub_file_open (state[5].arg, + GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY); + if (!keyfile) + return grub_errno; + + if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) + return grub_errno; + + if (requested_keyfile_size) + { + if (requested_keyfile_size > (keyfile->size - keyfile_offset)) + return grub_error (GRUB_ERR_FILE_READ_ERROR, + N_("Keyfile is too small: " + "requested %" PRIuGRUB_SIZE " bytes, " + "but the file only has %" PRIuGRUB_UINT64_T + " bytes.\n"), + requested_keyfile_size, + keyfile->size); + + cargs.key_len = requested_keyfile_size; + } + else + { + cargs.key_len = keyfile->size - keyfile_offset; + } + + cargs.key_data = grub_malloc (cargs.key_len); + if (!cargs.key_data) + return GRUB_ERR_OUT_OF_MEMORY; + + if (grub_file_read (keyfile, cargs.key_data, cargs.key_len) != (grub_ssize_t) cargs.key_len) + return 
grub_error (GRUB_ERR_FILE_READ_ERROR, + (N_("Error reading key file\n"))); + } + if (state[0].set) /* uuid */ { int found_uuid; diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h index 9fe451de9..d94df68b6 100644 --- a/include/grub/cryptodisk.h +++ b/include/grub/cryptodisk.h @@ -62,6 +62,8 @@ typedef enum #define GRUB_CRYPTODISK_MAX_KEYLEN 128 #define GRUB_CRYPTODISK_MAX_PASSPHRASE 256 +#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 + struct grub_cryptodisk; typedef gcry_err_code_t diff --git a/include/grub/file.h b/include/grub/file.h index 3a3c49a04..2d5d16cd2 100644 --- a/include/grub/file.h +++ b/include/grub/file.h @@ -92,6 +92,8 @@ enum grub_file_type GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY, /* File holding the encryption metadata header */ GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER, + /* File holding the encryption key */ + GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY, /* File we open n grub-fstest. */ GRUB_FILE_TYPE_FSTEST, /* File we open n grub-mount. */ -- 2.27.0
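
Review bot: in the options[] hunk of grub-core/disk/cryptodisk.c (@@ -43,6 +43,9 @@), the three new entries are consumed later in this patch as `state[5]`, `state[6]` and `state[7]`, so their position in the table is load-bearing and nothing in the table says so. An enum of option indices, or at least a comment on the table, would keep a later insertion from silently remapping --keyfile to a different option. `keyfile-offset` and `keyfile-size` are declared ARG_TYPE_INT but parsed with grub_strtoul, so the help strings could state that they are unsigned byte counts, and "Key file" could say what the file is used for, in line with the neighbouring descriptions.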
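
Review bot: in the grub_cmd_cryptomount hunk (@@ -1186,6 +1189,86 @@), GRUB_CRYPTODISK_MAX_KEYFILE_SIZE is enforced only on an explicit --keyfile-size; the else branch `cargs.key_len = keyfile->size - keyfile_offset;` takes whatever remains in the file, so the limit is bypassed when the option is omitted, and key_len can be 0 when the offset equals the file size. Apply the same upper bound and the non-zero check to the computed length. Related: `keyfile_offset` is an `int` assigned from grub_strtoul, so large values truncate or go negative; declaring it as grub_off_t and rejecting `keyfile_offset > keyfile->size` before the subtraction would make both uses of `keyfile->size - keyfile_offset` safe without relying on grub_file_seek to refuse the offset. Every return after grub_file_open leaves `keyfile` open, and no grub_file_close appears anywhere in the hunk; the read-failure path also returns without freeing `cargs.key_data`, which by then may hold part of the key. A single cleanup path that closes the file and, on error, frees the buffer would cover these. Minor: `return GRUB_ERR_OUT_OF_MEMORY;` after grub_malloc could be `return grub_errno;` like the other paths, the two grub_strtoul blocks test grub_errno and `*p` in opposite orders, and the "Keyfile is too small" message reports keyfile->size without accounting for the offset.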
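
Review bot: `#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192` in include/grub/cryptodisk.h (@@ -62,6 +62,8 @@) carries no comment giving its unit or the reason for the value. A one-line comment saying it is a byte count for key file data, and how it relates to GRUB_CRYPTODISK_MAX_KEYLEN and GRUB_CRYPTODISK_MAX_PASSPHRASE just above it, would help the next reader. The cryptodisk.c hunk formats this constant with %d while comparing it against a grub_size_t, which is worth keeping consistent if the constant ever gains a suffix or a cast.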