And it seems the next function can be used to allow
keyfile-offset and keyfile-size:
file.h:
grub_file_t
grub_file_offset_open (grub_file_t parent, enum grub_file_type type,
grub_off_t start, grub_off_t size);
So only grub_cmd_cryptomount can be modified for this.
Dmitry
пн, 9 нояб. 2020 г. в 10:56, Dmitry <reagen...@gmail.com>:
> Thanks for feedback. First of all I think it's preferable to introduce
> the master-key option at the beginning. Because I see no point for a user
> to use a standard slot key along with a detached header.
> Decryption from key to master key takes a long time. (30 seconds for
> argon2i).
> Regarding keyfile-offset and keyfile-size options I suggest to introduce
> this options in separate patches. Yes, maybe you variant to pass the
> pointer and size
> (correct me if I am wrong) to luks2_recover_key is better of files.
> But then you need to think in advance how to add master-key option.
>
> Dmitry
>
> пн, 9 нояб. 2020 г. в 06:16, Glenn Washburn <developm...@efficientek.com>:
>
>> I've read through the patch but not applied or tested it. However, it
>> looks like it does the job. In fact, its fairly similar in parts to a
>> patch, which adds LUKS2 keyfile and detached header support, I've been
>> waiting to send to the list until the previous LUKS1 keyfile and
>> detached header support gets included (which my patches rely on).
>>
>> One implementation difference in this patch from the other one is that
>> this one passes the key file to recover_key as a grub_file_t instead of
>> passing the key contents. I prefer the previous method because it
>> consolidates key file reading in grub_cmd_cryptomount, whereas this
>> patch requires each module to do its own reading. The disadvantage is
>> this causes extra code in the modules that could be consolidated and I
>> don't see much advantage to this. By having grub_cmd_cryptomount do
>> the work we also get keyfile-offset and keyfile-size options in the
>> previous patch, for not much extra work.
>>
>> A minor nit, there is not error checking on grub_file_seek calls and
>> grub_file_read errors are occluded. However, there are some changes in
>> this patch which I think make the code a bit more aesthetically
>> pleasing.
>>
>> While, I like that this patch allows for passing a master key file, I
>> think this feature should be build on the previous patch series. So I
>> don't recommend this patch be accepted.
>>
>> Glenn
>>
>> On Sat, 7 Nov 2020 19:36:35 +0300
>> reagentoo <reagen...@gmail.com> wrote:
>>
>> > From: Dmitry Baranov <reagen...@gmail.com>
>> >
>> > Hello.
>> > Could someone make initial review?
>> > The main difference between this patch and the previous ones is
>> > the ability to use a master key file with a detached header.
>> > This patch does not provide luks1 and geli support yet (luks2 only).
>> >
>> > Best Regards,
>> > Dmitry
>> >
>> > ---
>> > grub-core/disk/cryptodisk.c | 99 +++++++++++++++-----
>> > grub-core/disk/luks2.c | 178
>> > ++++++++++++++++++++++++++++-------- include/grub/cryptodisk.h |
>> > 9 +- 3 files changed, 222 insertions(+), 64 deletions(-)
>> >
>> > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
>> > index 13af84dd1..987a39b16 100644
>> > --- a/grub-core/disk/cryptodisk.c
>> > +++ b/grub-core/disk/cryptodisk.c
>> > @@ -41,6 +41,9 @@ static const struct grub_arg_option options[] =
>> > /* TRANSLATORS: It's still restricted to cryptodisks only. */
>> > {"all", 'a', 0, N_("Mount all."), 0, 0},
>> > {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."),
>> > 0, 0},
>> > + {"header", 'H', 0, N_("Read header from file"), 0,
>> > ARG_TYPE_STRING},
>> > + {"key-file", 'k', 0, N_("Read key from file"), 0,
>> > ARG_TYPE_STRING},
>> > + {"master-key-file", 'K', 0, N_("Use a master key stored in a
>> > file"), 0, ARG_TYPE_STRING}, {0, 0, 0, 0, 0, 0}
>> > };
>> >
>> > @@ -967,6 +970,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
>> >
>> > static int check_boot, have_it;
>> > static char *search_uuid;
>> > +static grub_file_t hdr_file, key_file, mkey_file;
>> >
>> > static void
>> > cryptodisk_close (grub_cryptodisk_t dev)
>> > @@ -991,13 +995,13 @@ grub_cryptodisk_scan_device_real (const char
>> > *name, grub_disk_t source)
>> > FOR_CRYPTODISK_DEVS (cr)
>> > {
>> > - dev = cr->scan (source, search_uuid, check_boot);
>> > + dev = cr->scan (source, hdr_file, search_uuid, check_boot);
>> > if (grub_errno)
>> > return grub_errno;
>> > if (!dev)
>> > continue;
>> >
>> > - err = cr->recover_key (source, dev);
>> > + err = cr->recover_key (source, dev, hdr_file, key_file,
>> > mkey_file); if (err)
>> > {
>> > cryptodisk_close (dev);
>> > @@ -1038,7 +1042,7 @@ grub_cryptodisk_cheat_mount (const char
>> > *sourcedev, const char *cheat)
>> > FOR_CRYPTODISK_DEVS (cr)
>> > {
>> > - dev = cr->scan (source, search_uuid, check_boot);
>> > + dev = cr->scan (source, 0, search_uuid, check_boot);
>> > if (grub_errno)
>> > return grub_errno;
>> > if (!dev)
>> > @@ -1087,11 +1091,59 @@ grub_cryptodisk_scan_device (const char *name,
>> > static grub_err_t
>> > grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char
>> > **args) {
>> > + grub_err_t ret = GRUB_ERR_NONE;
>> > +
>> > struct grub_arg_list *state = ctxt->state;
>> >
>> > if (argc < 1 && !state[1].set && !state[2].set)
>> > return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name
>> > required");
>> > + hdr_file = NULL;
>> > + key_file = NULL;
>> > + mkey_file = NULL;
>> > +
>> > + if (state[3].set)
>> > + {
>> > + if (state[0].set)
>> > + {
>> > + ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot use UUID
>> > lookup with detached header");
>> > + goto err;
>> > + }
>> > +
>> > + hdr_file = grub_file_open (state[3].arg, GRUB_FILE_TYPE_NONE);
>> > + if (!hdr_file)
>> > + {
>> > + ret = grub_errno;
>> > + goto err;
>> > + }
>> > + }
>> > +
>> > + if (state[4].set)
>> > + {
>> > + if (state[5].set)
>> > + {
>> > + ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot use key
>> > with master key");
>> > + goto err;
>> > + }
>> > +
>> > + key_file = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
>> > + if (!key_file)
>> > + {
>> > + ret = grub_errno;
>> > + goto err;
>> > + }
>> > + }
>> > +
>> > + if (state[5].set)
>> > + {
>> > + mkey_file = grub_file_open (state[5].arg, GRUB_FILE_TYPE_NONE);
>> > + if (!mkey_file)
>> > + {
>> > + ret = grub_errno;
>> > + goto err;
>> > + }
>> > + }
>> > +
>> > have_it = 0;
>> > if (state[0].set)
>> > {
>> > @@ -1102,7 +1154,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t
>> > ctxt, int argc, char **args) {
>> > grub_dprintf ("cryptodisk",
>> > "already mounted as crypto%lu\n", dev->id);
>> > - return GRUB_ERR_NONE;
>> > + goto err;
>> > }
>> >
>> > check_boot = state[2].set;
>> > @@ -1111,8 +1163,11 @@ grub_cmd_cryptomount (grub_extcmd_context_t
>> > ctxt, int argc, char **args) search_uuid = NULL;
>> >
>> > if (!have_it)
>> > - return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such
>> > cryptodisk found");
>> > - return GRUB_ERR_NONE;
>> > + {
>> > + ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "no such
>> > cryptodisk found");
>> > + goto err;
>> > + }
>> > + goto err;
>> > }
>> > else if (state[1].set || (argc == 0 && state[2].set))
>> > {
>> > @@ -1120,11 +1175,10 @@ grub_cmd_cryptomount (grub_extcmd_context_t
>> > ctxt, int argc, char **args) check_boot = state[2].set;
>> > grub_device_iterate (&grub_cryptodisk_scan_device, NULL);
>> > search_uuid = NULL;
>> > - return GRUB_ERR_NONE;
>> > + goto err;
>> > }
>> > else
>> > {
>> > - grub_err_t err;
>> > grub_disk_t disk;
>> > grub_cryptodisk_t dev;
>> > char *diskname;
>> > @@ -1147,27 +1201,30 @@ grub_cmd_cryptomount (grub_extcmd_context_t
>> > ctxt, int argc, char **args) {
>> > if (disklast)
>> > *disklast = ')';
>> > - return grub_errno;
>> > + ret = grub_errno;
>> > + goto err;
>> > }
>> >
>> > dev = grub_cryptodisk_get_by_source_disk (disk);
>> > if (dev)
>> > - {
>> > - grub_dprintf ("cryptodisk", "already mounted as
>> > crypto%lu\n", dev->id);
>> > - grub_disk_close (disk);
>> > - if (disklast)
>> > - *disklast = ')';
>> > - return GRUB_ERR_NONE;
>> > - }
>> > -
>> > - err = grub_cryptodisk_scan_device_real (diskname, disk);
>> > + grub_dprintf ("cryptodisk", "already mounted as
>> > crypto%lu\n", dev->id);
>> > + else
>> > + ret = grub_cryptodisk_scan_device_real (diskname, disk);
>> >
>> > grub_disk_close (disk);
>> > if (disklast)
>> > *disklast = ')';
>> > -
>> > - return err;
>> > }
>> > +
>> > + err:
>> > + if (hdr_file)
>> > + grub_file_close (hdr_file);
>> > + if (key_file)
>> > + grub_file_close (key_file);
>> > + if (mkey_file)
>> > + grub_file_close (mkey_file);
>> > +
>> > + return ret;
>> > }
>> >
>> > static struct grub_disk_dev grub_cryptodisk_dev = {
>> > @@ -1299,7 +1356,7 @@ GRUB_MOD_INIT (cryptodisk)
>> > {
>> > grub_disk_dev_register (&grub_cryptodisk_dev);
>> > cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
>> > - N_("SOURCE|-u UUID|-a|-b"),
>> > + N_("SOURCE|-u UUID|-a|-b|-H file|-k
>> > file|-K file"), N_("Mount a crypto device."), options);
>> > grub_procfs_register ("luks_script", &luks_script);
>> > }
>> > diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
>> > index 31d7166fc..c29b472e6 100644
>> > --- a/grub-core/disk/luks2.c
>> > +++ b/grub-core/disk/luks2.c
>> > @@ -309,13 +309,22 @@ luks2_get_keyslot (grub_luks2_keyslot_t *k,
>> > grub_luks2_digest_t *d, grub_luks2_s
>> > /* Determine whether to use primary or secondary header */
>> > static grub_err_t
>> > -luks2_read_header (grub_disk_t disk, grub_luks2_header_t *outhdr)
>> > +luks2_read_header (grub_disk_t disk, grub_file_t hdr_file,
>> > grub_luks2_header_t *outhdr) {
>> > grub_luks2_header_t primary, secondary, *header = &primary;
>> > grub_err_t ret;
>> >
>> > /* Read the primary LUKS header. */
>> > - ret = grub_disk_read (disk, 0, 0, sizeof (primary), &primary);
>> > + if (hdr_file)
>> > + {
>> > + grub_file_seek (hdr_file, 0);
>> > + if (grub_file_read (hdr_file, &primary, sizeof (primary)) !=
>> > sizeof (primary))
>> > + ret = GRUB_ERR_READ_ERROR;
>> > + else
>> > + ret = GRUB_ERR_NONE;
>> > + }
>> > + else
>> > + ret = grub_disk_read (disk, 0, 0, sizeof (primary), &primary);
>> > if (ret)
>> > return ret;
>> >
>> > @@ -325,7 +334,16 @@ luks2_read_header (grub_disk_t disk,
>> > grub_luks2_header_t *outhdr) return GRUB_ERR_BAD_SIGNATURE;
>> >
>> > /* Read the secondary header. */
>> > - ret = grub_disk_read (disk, 0, grub_be_to_cpu64
>> > (primary.hdr_size), sizeof (secondary), &secondary);
>> > + if (hdr_file)
>> > + {
>> > + grub_file_seek (hdr_file, grub_be_to_cpu64 (primary.hdr_size));
>> > + if (grub_file_read (hdr_file, &secondary, sizeof (secondary))
>> > != sizeof (secondary))
>> > + ret = GRUB_ERR_READ_ERROR;
>> > + else
>> > + ret = GRUB_ERR_NONE;
>> > + }
>> > + else
>> > + ret = grub_disk_read (disk, 0, grub_be_to_cpu64
>> > (primary.hdr_size), sizeof (secondary), &secondary); if (ret)
>> > return ret;
>> >
>> > @@ -342,7 +360,7 @@ luks2_read_header (grub_disk_t disk,
>> > grub_luks2_header_t *outhdr) }
>> >
>> > static grub_cryptodisk_t
>> > -luks2_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
>> > +luks2_scan (grub_disk_t disk, grub_file_t hdr_file, const char
>> > *check_uuid, int check_boot) {
>> > grub_cryptodisk_t cryptodisk;
>> > grub_luks2_header_t header;
>> > @@ -352,7 +370,7 @@ luks2_scan (grub_disk_t disk, const char
>> > *check_uuid, int check_boot) if (check_boot)
>> > return NULL;
>> >
>> > - if (luks2_read_header (disk, &header))
>> > + if (luks2_read_header (disk, hdr_file, &header))
>> > {
>> > grub_errno = GRUB_ERR_NONE;
>> > return NULL;
>> > @@ -415,7 +433,7 @@ luks2_verify_key (grub_luks2_digest_t *d,
>> > grub_uint8_t *candidate_key,
>> > static grub_err_t
>> > luks2_decrypt_key (grub_uint8_t *out_key,
>> > - grub_disk_t disk, grub_cryptodisk_t crypt,
>> > + grub_disk_t disk, grub_cryptodisk_t crypt,
>> > grub_file_t hdr_file, grub_luks2_keyslot_t *k,
>> > const grub_uint8_t *passphrase, grub_size_t
>> > passphraselen) {
>> > @@ -491,7 +509,16 @@ luks2_decrypt_key (grub_uint8_t *out_key,
>> > }
>> >
>> > grub_errno = GRUB_ERR_NONE;
>> > - ret = grub_disk_read (disk, 0, k->area.offset, k->area.size,
>> > split_key);
>> > + if (hdr_file)
>> > + {
>> > + grub_file_seek (hdr_file, k->area.offset);
>> > + if (grub_file_read (hdr_file, split_key, k->area.size) !=
>> > k->area.size)
>> > + ret = GRUB_ERR_READ_ERROR;
>> > + else
>> > + ret = GRUB_ERR_NONE;
>> > + }
>> > + else
>> > + ret = grub_disk_read (disk, 0, k->area.offset, k->area.size,
>> > split_key); if (ret)
>> > {
>> > grub_error (GRUB_ERR_IO, "Read error: %s\n", grub_errmsg);
>> > @@ -531,12 +558,16 @@ luks2_decrypt_key (grub_uint8_t *out_key,
>> >
>> > static grub_err_t
>> > luks2_recover_key (grub_disk_t disk,
>> > - grub_cryptodisk_t crypt)
>> > + grub_cryptodisk_t crypt,
>> > + grub_file_t hdr_file, grub_file_t key_file,
>> > grub_file_t mkey_file) {
>> > + char cipher[32];
>> > + char *passphrase = NULL;
>> > grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
>> > - char passphrase[MAX_PASSPHRASE], cipher[32];
>> > + grub_size_t candidate_key_len, passphrase_len;
>> > char *json_header = NULL, *part = NULL, *ptr;
>> > - grub_size_t candidate_key_len = 0, i, size;
>> > + grub_off_t json_header_offset;
>> > + grub_size_t json_header_size, i, size;
>> > grub_luks2_header_t header;
>> > grub_luks2_keyslot_t keyslot;
>> > grub_luks2_digest_t digest;
>> > @@ -545,7 +576,7 @@ luks2_recover_key (grub_disk_t disk,
>> > grub_json_t *json = NULL, keyslots;
>> > grub_err_t ret;
>> >
>> > - ret = luks2_read_header (disk, &header);
>> > + ret = luks2_read_header (disk, hdr_file, &header);
>> > if (ret)
>> > return ret;
>> >
>> > @@ -554,8 +585,19 @@ luks2_recover_key (grub_disk_t disk,
>> > return GRUB_ERR_OUT_OF_MEMORY;
>> >
>> > /* Read the JSON area. */
>> > - ret = grub_disk_read (disk, 0, grub_be_to_cpu64
>> > (header.hdr_offset) + sizeof (header),
>> > - grub_be_to_cpu64 (header.hdr_size) - sizeof
>> > (header), json_header);
>> > + json_header_offset = grub_be_to_cpu64 (header.hdr_offset) + sizeof
>> > (header);
>> > + json_header_size = grub_be_to_cpu64 (header.hdr_size) - sizeof
>> > (header); +
>> > + if (hdr_file)
>> > + {
>> > + grub_file_seek (hdr_file, json_header_offset);
>> > + if (grub_file_read (hdr_file, json_header, json_header_size)
>> > != json_header_size)
>> > + ret = GRUB_ERR_READ_ERROR;
>> > + else
>> > + ret = GRUB_ERR_NONE;
>> > + }
>> > + else
>> > + ret = grub_disk_read (disk, 0, json_header_offset,
>> > json_header_size, json_header); if (ret)
>> > goto err;
>> >
>> > @@ -570,16 +612,47 @@ luks2_recover_key (grub_disk_t disk,
>> > goto err;
>> > }
>> >
>> > - /* Get the passphrase from the user. */
>> > - if (disk->partition)
>> > - part = grub_partition_get_name (disk->partition);
>> > - grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), disk->name,
>> > - disk->partition ? "," : "", part ? : "",
>> > - crypt->uuid);
>> > - if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>> > + if (mkey_file)
>> > {
>> > - ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not
>> > supplied");
>> > - goto err;
>> > + /* Get the master key from file. */
>> > + candidate_key_len = grub_file_read (mkey_file, candidate_key,
>> > GRUB_CRYPTODISK_MAX_KEYLEN);
>> > + if (candidate_key_len == (grub_size_t)-1)
>> > + {
>> > + ret = grub_error (GRUB_ERR_FILE_READ_ERROR, "Error reading
>> > key file");
>> > + goto err;
>> > + }
>> > + if (candidate_key_len == 0)
>> > + {
>> > + ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Key not
>> > supplied");
>> > + goto err;
>> > + }
>> > + }
>> > + else if (key_file)
>> > + {
>> > + /* Get the passphrase from file. */
>> > + passphrase = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
>> > + passphrase_len = grub_file_read (key_file, passphrase,
>> > GRUB_CRYPTODISK_MAX_PASSPHRASE);
>> > + if (passphrase_len == (grub_size_t)-1)
>> > + {
>> > + ret = grub_error (GRUB_ERR_FILE_READ_ERROR, "Error reading
>> > passphrase file");
>> > + goto err;
>> > + }
>> > + }
>> > + else
>> > + {
>> > + /* Get the passphrase from the user. */
>> > + if (disk->partition)
>> > + part = grub_partition_get_name (disk->partition);
>> > + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "),
>> > disk->name,
>> > + disk->partition ? "," : "", part ? : "",
>> > + crypt->uuid);
>> > + passphrase = grub_malloc (MAX_PASSPHRASE);
>> > + if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>> > + {
>> > + ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not
>> > supplied");
>> > + goto err;
>> > + }
>> > + passphrase_len = grub_strlen (passphrase);
>> > }
>> >
>> > if (grub_json_getvalue (&keyslots, json, "keyslots") ||
>> > @@ -604,6 +677,26 @@ luks2_recover_key (grub_disk_t disk,
>> >
>> > grub_dprintf ("luks2", "Trying keyslot %"PRIuGRUB_SIZE"\n", i);
>> >
>> > + if (mkey_file)
>> > + {
>> > + if (candidate_key_len != keyslot.key_size)
>> > + {
>> > + grub_dprintf ("luks2", "Wrong key length for keyslot
>> > %"PRIuGRUB_SIZE": %s\n",
>> > + i, grub_errmsg);
>> > + continue;
>> > + }
>> > +
>> > + ret = luks2_verify_key (&digest, candidate_key,
>> > candidate_key_len);
>> > + if (ret)
>> > + {
>> > + grub_dprintf ("luks2", "Could not open keyslot
>> > %"PRIuGRUB_SIZE": %s\n",
>> > + i, grub_errmsg);
>> > + continue;
>> > + }
>> > + }
>> > + else
>> > + candidate_key_len = keyslot.key_size;
>> > +
>> > /* Set up disk according to keyslot's segment. */
>> > crypt->offset = grub_divmod64 (segment.offset,
>> > segment.sector_size, NULL); crypt->log_sector_size = sizeof (unsigned
>> > int) * 8 @@ -613,21 +706,24 @@ luks2_recover_key (grub_disk_t disk,
>> > else
>> > crypt->total_length = grub_strtoull (segment.size, NULL, 10);
>> >
>> > - ret = luks2_decrypt_key (candidate_key, disk, crypt, &keyslot,
>> > - (const grub_uint8_t *) passphrase,
>> > grub_strlen (passphrase));
>> > - if (ret)
>> > + if (passphrase)
>> > {
>> > - grub_dprintf ("luks2", "Decryption with keyslot
>> > %"PRIuGRUB_SIZE" failed: %s\n",
>> > - i, grub_errmsg);
>> > - continue;
>> > - }
>> > -
>> > - ret = luks2_verify_key (&digest, candidate_key,
>> > keyslot.key_size);
>> > - if (ret)
>> > - {
>> > - grub_dprintf ("luks2", "Could not open keyslot
>> > %"PRIuGRUB_SIZE": %s\n",
>> > - i, grub_errmsg);
>> > - continue;
>> > + ret = luks2_decrypt_key (candidate_key, disk, crypt,
>> > hdr_file, &keyslot,
>> > + (const grub_uint8_t *)
>> > passphrase, passphrase_len);
>> > + if (ret)
>> > + {
>> > + grub_dprintf ("luks2", "Decryption with keyslot
>> > %"PRIuGRUB_SIZE" failed: %s\n",
>> > + i, grub_errmsg);
>> > + continue;
>> > + }
>> > +
>> > + ret = luks2_verify_key (&digest, candidate_key,
>> > candidate_key_len);
>> > + if (ret)
>> > + {
>> > + grub_dprintf ("luks2", "Could not open keyslot
>> > %"PRIuGRUB_SIZE": %s\n",
>> > + i, grub_errmsg);
>> > + continue;
>> > + }
>> > }
>> >
>> > /*
>> > @@ -635,13 +731,14 @@ luks2_recover_key (grub_disk_t disk,
>> > * where each element is either empty or holds a key.
>> > */
>> > grub_printf_ (N_("Slot %"PRIuGRUB_SIZE" opened\n"), i);
>> > -
>> > - candidate_key_len = keyslot.key_size;
>> > break;
>> > }
>> > - if (candidate_key_len == 0)
>> > + if (i == size)
>> > {
>> > - ret = grub_error (GRUB_ERR_ACCESS_DENIED, "Invalid
>> > passphrase");
>> > + if (mkey_file)
>> > + ret = grub_error (GRUB_ERR_ACCESS_DENIED, "Invalid key");
>> > + else
>> > + ret = grub_error (GRUB_ERR_ACCESS_DENIED, "Invalid
>> > passphrase"); goto err;
>> > }
>> >
>> > @@ -666,6 +763,7 @@ luks2_recover_key (grub_disk_t disk,
>> >
>> > err:
>> > grub_free (part);
>> > + grub_free (passphrase);
>> > grub_free (json_header);
>> > grub_json_free (json);
>> > return ret;
>> > diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
>> > index e1b21e785..b53006854 100644
>> > --- a/include/grub/cryptodisk.h
>> > +++ b/include/grub/cryptodisk.h
>> > @@ -21,6 +21,7 @@
>> >
>> > #include <grub/disk.h>
>> > #include <grub/crypto.h>
>> > +#include <grub/file.h>
>> > #include <grub/list.h>
>> > #ifdef GRUB_UTIL
>> > #include <grub/emu/hostdisk.h>
>> > @@ -53,6 +54,7 @@ typedef enum
>> > #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE -
>> > 3) #define GRUB_CRYPTODISK_GF_BYTES (1U <<
>> > GRUB_CRYPTODISK_GF_LOG_BYTES) #define GRUB_CRYPTODISK_MAX_KEYLEN 128
>> > +#define GRUB_CRYPTODISK_MAX_PASSPHRASE 8192
>> >
>> > struct grub_cryptodisk;
>> >
>> > @@ -106,9 +108,10 @@ struct grub_cryptodisk_dev
>> > struct grub_cryptodisk_dev *next;
>> > struct grub_cryptodisk_dev **prev;
>> >
>> > - grub_cryptodisk_t (*scan) (grub_disk_t disk, const char
>> > *check_uuid,
>> > - int boot_only);
>> > - grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t
>> > dev);
>> > + grub_cryptodisk_t (*scan) (grub_disk_t disk, grub_file_t hdr_file,
>> > + const char *check_uuid, int boot_only);
>> > + grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
>> > + grub_file_t hdr_file, grub_file_t
>> > key_file, grub_file_t mkey_file); };
>> > typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
>> >
>>
>
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
