On Fri, 13 Nov 2020 14:25:08 -0800 James Bottomley <j...@linux.ibm.com> wrote:
> For AMD SEV environments, the grub boot password has to be retrieved > from a given memory location rather than prompted for. This means > that the standard password getter needs to be replaced with one that > gets the passphrase from the SEV area and uses that instead. Adding > the password getter as a passed in argument to recover_key() makes > this possible. > > Signed-off-by: James Bottomley <j...@linux.ibm.com> > > --- > > v2: add conditional prompting to geli.c > --- > grub-core/disk/cryptodisk.c | 2 +- > grub-core/disk/geli.c | 12 +++++++----- > grub-core/disk/luks.c | 12 +++++++----- > grub-core/disk/luks2.c | 12 +++++++----- > include/grub/cryptodisk.h | 6 +++++- > 5 files changed, 27 insertions(+), 17 deletions(-) > > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c > index a3d672f68..682f5a55d 100644 > --- a/grub-core/disk/cryptodisk.c > +++ b/grub-core/disk/cryptodisk.c > @@ -997,7 +997,7 @@ grub_cryptodisk_scan_device_real (const char > *name, grub_disk_t source) if (!dev) > continue; > > - err = cr->recover_key (source, dev); > + err = cr->recover_key (source, dev, grub_password_get); > if (err) > { > cryptodisk_close (dev); > diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c > index e9d23299a..3fece3f4a 100644 > --- a/grub-core/disk/geli.c > +++ b/grub-core/disk/geli.c > @@ -398,7 +398,8 @@ configure_ciphers (grub_disk_t disk, const char > *check_uuid, } > > static grub_err_t > -recover_key (grub_disk_t source, grub_cryptodisk_t dev) > +recover_key (grub_disk_t source, grub_cryptodisk_t dev, > + grub_passwd_cb *password_get) > { > grub_size_t keysize; > grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; > @@ -438,11 +439,12 @@ recover_key (grub_disk_t source, > grub_cryptodisk_t dev) tmp = NULL; > if (source->partition) > tmp = grub_partition_get_name (source->partition); > - grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), > source->name, > - source->partition ? "," : "", tmp ? : "", > - dev->uuid); > + if (password_get == grub_password_get) > + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), > source->name, > + source->partition ? "," : "", tmp ? : "", > + dev->uuid); > grub_free (tmp); > - if (!grub_password_get (passphrase, MAX_PASSPHRASE)) > + if (!password_get (passphrase, MAX_PASSPHRASE)) > return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not > supplied"); > /* Calculate the PBKDF2 of the user supplied passphrase. */ > diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c > index 59702067a..165f4a6bd 100644 > --- a/grub-core/disk/luks.c > +++ b/grub-core/disk/luks.c > @@ -152,7 +152,8 @@ configure_ciphers (grub_disk_t disk, const char > *check_uuid, > static grub_err_t > luks_recover_key (grub_disk_t source, > - grub_cryptodisk_t dev) > + grub_cryptodisk_t dev, > + grub_passwd_cb *password_get) > { > struct grub_luks_phdr header; > grub_size_t keysize; > @@ -187,11 +188,12 @@ luks_recover_key (grub_disk_t source, > tmp = NULL; > if (source->partition) > tmp = grub_partition_get_name (source->partition); > - grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), > source->name, > - source->partition ? "," : "", tmp ? : "", > - dev->uuid); > + if (password_get == grub_password_get) > + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), > source->name, > + source->partition ? "," : "", tmp ? : "", > + dev->uuid); I don't really like this added if statement. It feels hackish. I also don't have an unambiguously better alternative. What feels like an imperfect alternative is to define a function grub_password_prompt(char buf[], unsigned buf_size, const char *prompt), which calls grub_password_get after displaying the string prompt. Typedef grub_passwd_cb to grub_password_prompt's signature. Then some grub_passwd_cb implementations can decide when not to use the given prompt. Perhaps grub_password_prompt should have snprintf's signature to be more complete and combine the grub_printf_ and grub_password_get. Any other ideas? Glenn _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel