author | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2020-08-07 12:56:45 +0200 |
---|---|---|
committer | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2020-08-07 12:57:44 +0200 |
commit | b17a8a19e232caaffe62f369269ec9614e00ba4c (patch) | |
tree | d9e01918a68c628c61913e8023c966cdb0273b53 /libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch | |
parent | 00c6386a735ce2dab702599322b1d7842de76f63 (diff) | |
download | abslibre-b17a8a19e232caaffe62f369269ec9614e00ba4c.tar.gz abslibre-b17a8a19e232caaffe62f369269ec9614e00ba4c.tar.bz2 abslibre-b17a8a19e232caaffe62f369269ec9614e00ba4c.zip |
libre: Add grub-crypt-git
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Diffstat (limited to 'libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch')
-rw-r--r-- | libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch | 251 |
1 files changed, 251 insertions, 0 deletions
diff --git a/libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch b/libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch
new file mode 100644
index 000000000..b9f727211
--- /dev/null
+++ b/libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch
@@ -0,0 +1,251 @@
+From f17a54035876808331c7ab753a0706de4bf46a7a Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Tue, 23 Jun 2015 11:16:30 +0100
+Subject: [PATCH v6 5/6] cryptodisk: enable the backends to implement key files
+
+Signed-off-by: John Lane <john@lane.uk.net>
+GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Reviewed-by: Patrick Steinhardt <ps@pks.im>
+---
+ grub-core/disk/cryptodisk.c | 87 ++++++++++++++++++++++++++++++++++++-
+ grub-core/disk/geli.c | 7 +--
+ grub-core/disk/luks.c | 7 ++-
+ grub-core/disk/luks2.c | 7 +--
+ include/grub/cryptodisk.h | 5 ++-
+ include/grub/file.h | 2 +
+ 6 files changed, 106 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 6ad2e486e..dd94736d3 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
+ {"all", 'a', 0, N_("Mount all."), 0, 0},
+ {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+ {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
+ {0, 0, 0, 0, 0, 0}
+ };
+
+@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
+ static int check_boot, have_it;
+ static char *search_uuid;
+ static grub_file_t hdr;
++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
++static grub_ssize_t key_size;
+
+ static void
+ cryptodisk_close (grub_cryptodisk_t dev)
+@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
+ if (!dev)
+ continue;
+
+- err = cr->recover_key (source, dev, hdr);
++ err = cr->recover_key (source, dev, hdr, key, key_size);
+ if (err)
+ {
+ cryptodisk_close (dev);
+@@ -1112,6 +1117,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ hdr = NULL;
+
+ have_it = 0;
++ key = NULL;
++
++ if (state[4].set) /* keyfile */
++ {
++ const char *p = NULL;
++ grub_file_t keyfile;
++ int keyfile_offset;
++ grub_size_t requested_keyfile_size = 0;
++
++
++ if (state[5].set) /* keyfile-offset */
++ {
++ keyfile_offset = grub_strtoul (state[5].arg, &p, 0);
++
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
++ if (*p != '\0')
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("unrecognized number"));
++ }
++ else
++ {
++ keyfile_offset = 0;
++ }
++
++ if (state[6].set) /* keyfile-size */
++ {
++ requested_keyfile_size = grub_strtoul (state[6].arg, &p, 0);
++
++ if (*p != '\0')
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("unrecognized number"));
++
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++
++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("Key file size exceeds maximum (%"
++ PRIuGRUB_SIZE ")\n"),
++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
++
++ if (requested_keyfile_size == 0)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("Key file size is 0\n"));
++ }
++
++ keyfile = grub_file_open (state[4].arg,
++ GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
++ if (!keyfile)
++ return grub_errno;
++
++ if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
++ return grub_errno;
++
++ if (requested_keyfile_size)
++ {
++ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
++ return grub_error (GRUB_ERR_FILE_READ_ERROR,
++ N_("Keyfile is too small: "
++ "requested %" PRIuGRUB_SIZE " bytes, "
++ "but the file only has %" PRIuGRUB_SIZE
++ " bytes.\n"),
++ requested_keyfile_size,
++ keyfile->size);
++
++ key_size = requested_keyfile_size;
++ }
++ else
++ {
++ key_size = keyfile->size - keyfile_offset;
++ }
++
++ if (grub_file_read (keyfile, keyfile_buffer, key_size) != key_size)
++ return grub_error (GRUB_ERR_FILE_READ_ERROR,
++ (N_("Error reading key file\n")));
++ key = keyfile_buffer;
++ }
++
+ if (state[0].set)
+ {
+ grub_cryptodisk_t dev;
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index acd09d874..159ac0f96 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -404,7 +404,8 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+ }
+
+ static grub_err_t
+-geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
++geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
++ grub_uint8_t *key, grub_size_t keyfile_size)
+ {
+ grub_size_t keysize;
+ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+@@ -420,8 +421,8 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+ grub_disk_addr_t sector;
+ grub_err_t err;
+
+- /* Detached headers are not implemented yet */
+- if (hdr)
++ /* Detached headers and keyfiles are not implemented yet */
++ if (hdr || key || keyfile_size)
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
+
+ if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE)
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 6286302e7..0dd33b2af 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -161,7 +161,8 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
+ }
+
+ static grub_err_t
+-luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
++luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
++ grub_uint8_t *keyfile_bytes, grub_size_t keyfile_bytes_size)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+@@ -175,6 +176,10 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+ char *tmp;
+ grub_uint32_t sector;
+
++ /* Keyfiles are not implemented yet */
++ if (keyfile_bytes || keyfile_bytes_size)
++ return GRUB_ERR_NOT_IMPLEMENTED_YET;
++
+ if (hdr)
+ {
+ if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
+index bc00e8bbc..6a38a1f4d 100644
+--- a/grub-core/disk/luks2.c
++++ b/grub-core/disk/luks2.c
+@@ -529,7 +529,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
+
+ static grub_err_t
+ luks2_recover_key (grub_disk_t disk, grub_cryptodisk_t crypt,
+- grub_file_t hdr_file)
++ grub_file_t hdr_file, grub_uint8_t *key,
++ grub_size_t keyfile_size)
+ {
+ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+ char passphrase[MAX_PASSPHRASE], cipher[32];
+@@ -543,8 +544,8 @@ luks2_recover_key (grub_disk_t disk, grub_cryptodisk_t crypt,
+ grub_json_t *json = NULL, keyslots;
+ grub_err_t ret;
+
+- /* Detached headers are not implemented yet */
+- if (hdr_file)
++ /* Detached headers and keyfiles are not implemented yet */
++ if (hdr_file || key || keyfile_size)
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
+
+ ret = luks2_read_header (disk, &header);
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index e24b1b8cb..6d2610f93 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -55,6 +55,8 @@ typedef enum
+ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
+ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
+
++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
++
+ struct grub_cryptodisk;
+
+ typedef gcry_err_code_t
+@@ -110,7 +112,8 @@ struct grub_cryptodisk_dev
+ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+ int boot_only, grub_file_t hdr);
+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
+- grub_file_t hdr);
++ grub_file_t hdr, grub_uint8_t *key,
++ grub_size_t keyfile_size);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+
+diff --git a/include/grub/file.h b/include/grub/file.h
+index a7d7be853..97678aa45 100644
+--- a/include/grub/file.h
++++ b/include/grub/file.h
+@@ -92,6 +92,8 @@ enum grub_file_type
+ GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY,
+ /* File holiding the encryption metadata header */
+ GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER,
++ /* File holiding the encryption key */
++ GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY,
+ /* File we open n grub-fstest. */
+ GRUB_FILE_TYPE_FSTEST,
+ /* File we open n grub-mount. */
+--
+2.28.0
+ |
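Review bot: When `--keyfile-size` is omitted, the else branch in the grub_cmd_cryptomount hunk sets `key_size = keyfile->size - keyfile_offset;` without comparing it to GRUB_CRYPTODISK_MAX_KEYFILE_SIZE, so the following `grub_file_read (keyfile, keyfile_buffer, key_size)` writes past the 8192-byte static `keyfile_buffer` for any key file larger than that; only the explicit `requested_keyfile_size` path is bounded. The handle returned by `grub_file_open` is never released, neither on the success path nor on the seek, size and read error returns after it, so each of them needs a `grub_file_close (keyfile)` first. `key = NULL;` near the top of the hunk is not paired with `key_size = 0;`, so a later cryptomount without `--keyfile` keeps a stale non-zero size that the `key || keyfile_size` tests added in the geli, luks and luks2 hunks would treat as a supplied key file. After the scan the key bytes also stay resident in the static buffer for the rest of the session, so clearing it with `grub_memset` once recover_key has run would limit that exposure; grub_cmd_cryptomount begins and ends outside this hunk, as does the scan call itself. The lines below show the bound, the reset and the close on the read path; the earlier early returns after grub_file_open need the same close.
```c
  have_it = 0;
  key = NULL;
  key_size = 0;

  if (state[4].set) /* keyfile */
    {
      /* … unchanged: option parsing, grub_file_open, grub_file_seek … */

      if (requested_keyfile_size)
        {
          /* … unchanged: requested size vs. file size check … */
          key_size = requested_keyfile_size;
        }
      else
        {
          key_size = keyfile->size - keyfile_offset;
          /* Bound the implicit size exactly like the explicit one;
             keyfile_buffer holds GRUB_CRYPTODISK_MAX_KEYFILE_SIZE bytes.  */
          if (key_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
            {
              grub_file_close (keyfile);
              return grub_error (GRUB_ERR_OUT_OF_RANGE,
                                 N_("Key file size exceeds maximum (%"
                                    PRIuGRUB_SIZE ")\n"),
                                 GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
            }
        }

      if (grub_file_read (keyfile, keyfile_buffer, key_size) != key_size)
        {
          grub_file_close (keyfile);
          return grub_error (GRUB_ERR_FILE_READ_ERROR,
                             (N_("Error reading key file\n")));
        }
      grub_file_close (keyfile);
      key = keyfile_buffer;
    }
```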