Updates from v8:
 * Add documentation patch
 * Merge previous patch updating the cryptomount help string with key file options into the patch adding key file support
 * Improve commit messages
 * Rename requested_keyfile_size -> keyfile_size
 * Minor improvements to the code
This patch series adds LUKS detached header and key file support to cryptomount.

Glenn

Denis 'GNUtoo' Carikli (2):
  cryptodisk: luks: Unify grub_cryptodisk_dev function names
  cryptodisk: geli: Unify grub_cryptodisk_dev function names

Glenn Washburn (3):
  cryptodisk: Add --header option to cryptomount and fail to implement it in the backends
  luks2: Add detached header support
  docs: Add documentation on keyfile and detached header options to cryptomount

John Lane (2):
  cryptodisk: Add support for LUKS1 detached headers
  cryptodisk: Add options to cryptomount to support keyfiles

 docs/grub.texi              | 16 ++++--
 grub-core/disk/cryptodisk.c | 98 ++++++++++++++++++++++++++++++++++++-
 grub-core/disk/geli.c       | 18 +++++--
 grub-core/disk/luks.c       | 48 ++++++++++++++---
 grub-core/disk/luks2.c      | 59 ++++++++++++++++++---
 include/grub/cryptodisk.h   |  4 ++
 include/grub/file.h         |  4 ++
 7 files changed, 217 insertions(+), 30 deletions(-)

Range-diff against v8: 1: 9918a70dce ! 1: 40941ee45c cryptodisk: luks: unify grub_cryptodisk_dev function names @@ Metadata Author: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> ## Commit message ## - cryptodisk: luks: unify grub_cryptodisk_dev function names + cryptodisk: luks: Unify grub_cryptodisk_dev function names Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> Reviewed-by: Patrick Steinhardt <p...@pks.im> 2: 5d3ce5515e ! 2: c259075bf3 cryptodisk: geli: unify grub_cryptodisk_dev function names @@ Metadata Author: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> ## Commit message ## - cryptodisk: geli: unify grub_cryptodisk_dev function names + cryptodisk: geli: Unify grub_cryptodisk_dev function names Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> Reviewed-by: Patrick Steinhardt <p...@pks.im> 3: c7b8c290d7 ! 
3: 1b2055ac5d cryptodisk: enable the backends to implement detached headers @@ Metadata Author: Glenn Washburn <developm...@efficientek.com> ## Commit message ## - cryptodisk: enable the backends to implement detached headers + cryptodisk: Add --header option to cryptomount and fail to implement it in the backends + + Add a --header (short -H) option to cryptomount which takes a file argument. + Pass the file to the backends via cargs struct and cause the backends to + fail when passed a header. Detached header file support will be added later + for individual backends. Signed-off-by: John Lane <j...@lane.uk.net> gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> - developm...@efficientek.com: rebase, rework for cryptomount parameter passing + developm...@efficientek.com: rebase, rework for cryptomount parameter passing, + improve commit message ## grub-core/disk/cryptodisk.c ## @@ grub-core/disk/cryptodisk.c: static const struct grub_arg_option options[] = @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i cargs.key_len = grub_strlen (state[3].arg); } -+ if (state[4].set) /* Detached header */ ++ if (state[4].set) /* header */ + { + if (state[0].set) + return grub_error (GRUB_ERR_BAD_ARGUMENT, -+ N_("Cannot use UUID lookup with detached header")); ++ N_("cannot use UUID lookup with detached header")); + + cargs.hdr_file = grub_file_open (state[4].arg, + GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER); -+ if (!cargs.hdr_file) ++ if (cargs.hdr_file == NULL) + return grub_errno; + } + 4: 59c7c2abcb ! 
4: 05c7ca844c cryptodisk: add support for LUKS1 detached headers @@ Metadata Author: John Lane <j...@lane.uk.net> ## Commit message ## - cryptodisk: add support for LUKS1 detached headers + cryptodisk: Add support for LUKS1 detached headers - cryptsetup supports having a detached header through the - --header command line argument for both LUKS1 and LUKS2. - - This adds support for LUKS1 detached headers. + cryptsetup supports having a detached header through the --header command + line argument for both LUKS1 and LUKS2. Allow the LUKS1 backend to use a + given file as the LUKS1 header (aka detached header) instead of looking for + the header on the disk. Signed-off-by: John Lane <j...@lane.uk.net> gnu...@cyberdimension.org: rebase, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> - developm...@efficientek.com: rebase + developm...@efficientek.com: rebase, improve commit message ## grub-core/disk/luks.c ## @@ 5: 9b436ce0e6 ! 5: fb33d6810d cryptodisk: enable the backends to implement key files @@ Metadata Author: John Lane <j...@lane.uk.net> ## Commit message ## - cryptodisk: enable the backends to implement key files + cryptodisk: Add options to cryptomount to support keyfiles + + Add the options --key-file, --keyfile-offset, and --keyfile-size to + cryptomount and code to put read the requested key file data and pass + via the cargs struct. Note, key file data is for all intents and purposes + equivalent to a password given to cryptomount. So there is no need to + enable support for key files in the various crypto backends (eg. LUKS1) + because the key data is passed just as if it were a password. 
Signed-off-by: John Lane <j...@lane.uk.net> gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> - developm...@efficientek.com: rebase and rework to use cryptomount arg passing + developm...@efficientek.com: rebase and rework to use cryptomount arg passing, + minor fixes, improve commit message ## grub-core/disk/cryptodisk.c ## @@ grub-core/disk/cryptodisk.c: static const struct grub_arg_option options[] = @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + const char *p = NULL; + grub_file_t keyfile; + int keyfile_offset; -+ grub_size_t requested_keyfile_size = 0; ++ grub_size_t keyfile_size = 0; + + + if (state[6].set) /* keyfile-offset */ @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + + if (state[7].set) /* keyfile-size */ + { -+ requested_keyfile_size = grub_strtoul (state[7].arg, &p, 0); ++ keyfile_size = grub_strtoul (state[7].arg, &p, 0); + + if (*p != '\0') + return grub_error (GRUB_ERR_BAD_ARGUMENT, @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + if (grub_errno != GRUB_ERR_NONE) + return grub_errno; + -+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) ++ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) + return grub_error (GRUB_ERR_OUT_OF_RANGE, -+ N_("Key file size exceeds maximum (%d)\n"), -+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); ++ N_("key file size exceeds maximum (%d)"), ++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); + -+ if (requested_keyfile_size == 0) -+ return grub_error (GRUB_ERR_OUT_OF_RANGE, -+ N_("Key file size is 0\n")); ++ if (keyfile_size == 0) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("key file size is 0")); + } + + keyfile = grub_file_open (state[5].arg, + GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY); -+ if (!keyfile) ++ if (keyfile == NULL) + return grub_errno; + + if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) + 
return grub_errno; + -+ if (requested_keyfile_size) ++ if (keyfile_size > 0) + { -+ if (requested_keyfile_size > (keyfile->size - keyfile_offset)) ++ if (keyfile_size > (keyfile->size - keyfile_offset)) + return grub_error (GRUB_ERR_FILE_READ_ERROR, -+ N_("Keyfile is too small: " ++ N_("keyfile is too small: " + "requested %" PRIuGRUB_SIZE " bytes, " + "but the file only has %" PRIuGRUB_UINT64_T -+ " bytes.\n"), -+ requested_keyfile_size, ++ " bytes"), ++ keyfile_size, + keyfile->size); + -+ cargs.key_len = requested_keyfile_size; ++ cargs.key_len = keyfile_size; + } + else + { @@ grub-core/disk/cryptodisk.c: grub_cmd_cryptomount (grub_extcmd_context_t ctxt, i + } + + cargs.key_data = grub_malloc (cargs.key_len); -+ if (!cargs.key_data) ++ if (cargs.key_data == NULL) + return GRUB_ERR_OUT_OF_MEMORY; + + if (grub_file_read (keyfile, cargs.key_data, cargs.key_len) != (grub_ssize_t) cargs.key_len) -+ return grub_error (GRUB_ERR_FILE_READ_ERROR, -+ (N_("Error reading key file\n"))); ++ return grub_error (GRUB_ERR_FILE_READ_ERROR, (N_("reading key file"))); + } + if (state[0].set) /* uuid */ { int found_uuid; +@@ grub-core/disk/cryptodisk.c: GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("[-p password] [-H file] <SOURCE|-u UUID|-a|-b>"), ++ N_("[ [-p password] | [-k keyfile" ++ " [-O keyoffset] [-S keysize] ] ] [-H file]" ++ " <SOURCE|-u UUID|-a|-b>"), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } ## include/grub/cryptodisk.h ## @@ include/grub/cryptodisk.h: typedef enum 6: ccb3bde361 < -: ---------- cryptodisk: Improve cryptomount short help string 7: 0464e48e2d ! 6: f15ff743c4 luks2: Add detached header support @@ Metadata ## Commit message ## luks2: Add detached header support + If a header file is given to the LUKS2 backend, use that file as the LUKS2 + header, instead of looking for it on the disk. 
+ ## grub-core/disk/luks2.c ## @@ grub-core/disk/luks2.c: luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d, grub_luks2_s -: ---------- > 7: 53ba137d3b docs: Add documentation on keyfile and detached header options to cryptomount -- 2.25.1 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
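Review bot: in the `if (state[4].set) /* header */` block of the cryptodisk.c hunk in patch 3, only UUID lookup (`state[0].set`) is rejected in combination with `-H`, but the usage string in the GRUB_MOD_INIT hunk also offers `-a` and `-b`, which scan every disk; a single detached header describes exactly one device, so `-H` should be refused with the same GRUB_ERR_BAD_ARGUMENT for those modes too (or the commit message should state which device the header is applied to when several are scanned). Opening `cargs.hdr_file` this early also means every later early return in grub_cmd_cryptomount leaks the open file unless it is closed on those paths.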
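Review bot: `int keyfile_offset;` in the first cryptodisk.c hunk of patch 5 has no initializer while `keyfile_size` is given `= 0`; unless the elided lines assign it unconditionally, `grub_file_seek (keyfile, keyfile_offset)` reads an uninitialized value whenever `-O` is omitted. Suggest `grub_off_t keyfile_offset = 0;`, which also matches the type grub_file_seek takes and the unsigned `keyfile->size` it is later subtracted from, so a negative value parsed from `-O` cannot be converted into a huge offset.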
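Review bot: in the hunk that opens the key file, `keyfile` is never closed on any of the error paths shown (the `grub_file_seek` failure, the "keyfile is too small" error, the GRUB_ERR_OUT_OF_MEMORY return and the short-read error), and `cargs.hdr_file` from the earlier `-H` block is leaked on the same paths; a shared cleanup label that closes both, or validating all arguments before opening any file, would fix this. The "key file size is 0" rejection is only reached when `-S` is given; when it is not, the else branch (elided here) presumably derives `cargs.key_len` from `keyfile->size - keyfile_offset`, which is 0 when the offset equals the file size (an offset grub_file_seek accepts), so the same zero-length check belongs there as well.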
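Review bot: in the malloc/read hunk, `cargs.key_data` is allocated and then leaked when `grub_file_read` returns fewer than `cargs.key_len` bytes; free it before `return grub_error (GRUB_ERR_FILE_READ_ERROR, (N_("reading key file")));`, and consider a message that is a full phrase ("failed to read key file") rather than a fragment. Since the commit message treats key file bytes as equivalent to a password, while the `-p` path sets `cargs.key_len = grub_strlen (state[3].arg)`, please verify that every backend consumes `cargs.key_len` instead of calling grub_strlen on `cargs.key_data`: a key file may legitimately contain NUL bytes, and a backend written against the NUL-terminated password path would silently truncate the key. The buffer holds secret material, so it should also be cleared (grub_memset) before being freed once the mount attempt is over.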
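Review bot: the new usage string `[ [-p password] | [-k keyfile [-O keyoffset] [-S keysize] ] ]` in the GRUB_MOD_INIT hunk advertises `-p` and `-k` as mutually exclusive, but nothing in the shown grub_cmd_cryptomount code rejects passing both; whichever option is processed last overwrites `cargs.key_len` (and `cargs.key_data`), so one of the two secrets is silently ignored. Either return GRUB_ERR_BAD_ARGUMENT when both `state[3].set` and `state[5].set` are true, or change the usage string to describe the actual precedence.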