Re: Grub2 plain dm-crypt support

2014-12-10 Thread John Lane
On 18/11/14 19:22, Andrei Borzenkov wrote:
 On Tue, 18 Nov 2014 10:56:46 +
 John Lane g...@jelmail.com wrote:

 Here are patches that can be applied to master (004a2b1ef at time of
 writing this).

 0001 is the result of merging branch peter/devmapper (e7f405abb)

 0002 contains the changes that I made.

 I'm just sending this in case it's useful to anyone in any way. It gives
 a buildable crypto_devmapper module but it doesn't work.

 I suggest you open bug on savannah and attach files there; it is better
 for preserving files and tracing the problem. Maybe there is already
 bug open.

 all the best,
 John

Andrei,

Well I spent a little time on this and I have a working implementation
but I took a different approach, being that LUKS is a wrapper around
dm-crypt.

What I have done is added plain support to cryptomount. I have also
extended the LUKS functionality to support detached headers and key
files. Key data may be read from within a file by providing an offset
and, for LUKS, the number of bytes to read (defaults to whole file, up
to a compiled-in maximum).

What's the best way to contribute this? I read your suggestion about
opening a bug and did that with my uuid patch, only to have someone
suggest that patches go on the mailing list.

Do let me know how I should submit my patches. I have, meanwhile, put up
a page describing my changes and the patches are there. I've also put my
repo on Github. See http://grub.johnlane.ie for the details.

Best regards,
John


___
Help-grub mailing list
Help-grub@gnu.org
https://lists.gnu.org/mailman/listinfo/help-grub


Re: Grub2 plain dm-crypt support

2014-12-10 Thread Andrei Borzenkov
On Wed, 10 Dec 2014 10:28:06 +
John Lane g...@jelmail.com wrote:

 On 18/11/14 19:22, Andrei Borzenkov wrote:
  On Tue, 18 Nov 2014 10:56:46 +
  John Lane g...@jelmail.com wrote:
 
  Here are patches that can be applied to master (004a2b1ef at time of
  writing this).
 
  0001 is the result of merging branch peter/devmapper (e7f405abb)
 
  0002 contains the changes that I made.
 
  I'm just sending this in case it's useful to anyone in any way. It gives
  a buildable crypto_devmapper module but it doesn't work.
 
  I suggest you open bug on savannah and attach files there; it is better
  for preserving files and tracing the problem. Maybe there is already
 
  all the best,
  John
 
 Andrei,
 
 Well I spent a little time on this and I have a working implementation
 but I took a different approach, being that LUKS is a wrapper around
 dm-crypt.
 
 What I have done is added plain support to cryptomount. I have also
 extended the LUKS functionality to support detached headers and key
 files. Key data may be read from within a file by providing an offset
 and, for LUKS, the number of bytes to read (defaults to whole file, up
 to a compiled-in maximum).
 
 What's the best way to contribute this? I read your suggestion about
 opening a bug and did that with my uuid patch, only to have someone
 suggest that patches go on the mailing list.
 

Well, someone is main grub maintainer :) He meant grub-devel mailing
list, not help-grub. Having bug report is useful for tracking, but
patches get better exposure on grub-devel.

 Do let me know how I should submit my patches. I have, meanwhile, put up
 a page describing my changes and the patches are there. I've also put my
 repo on Github. See http://grub.johnlane.ie for the details.
 

Wow! It looks pretty impressive. External keyfile support is definitely
useful and was requested before. As for plain dmcrypt - as long as it is
contained in separate module, it is fine to have if someone needs it. I
still do not see how it can sensibly be integrated in
grub-install/grub-mkconfig though ...

Anyway, further discussion really belongs to grub-devel.



Re: Grub2 plain dm-crypt support

2014-11-18 Thread John Lane
Here are patches that can be applied to master (004a2b1ef at time of
writing this).

0001 is the result of merging branch peter/devmapper (e7f405abb)

0002 contains the changes that I made.

I'm just sending this in case it's useful to anyone in any way. It gives
a buildable crypto_devmapper module but it doesn't work.

all the best,
John

From e7f405abb329977b717371b80fddb38ff9063e8a Mon Sep 17 00:00:00 2001
From: Simon Peter dn@gmx.net
Date: Sat, 26 Oct 2013 18:54:36 +0200
Subject: [PATCH 1/2] Reimport Simon Peter's devmapper

---
 grub-core/Makefile.core.def |   5 +
 grub-core/disk/devmapper.c  | 414 
 include/grub/disk.h |   1 +
 3 files changed, 420 insertions(+)
 create mode 100644 grub-core/disk/devmapper.c

diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index abd54ba..6643b53 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2140,3 +2140,8 @@ module = {
   name = progress;
   common = lib/progress.c;
 };
+
+module = {
+  name = crypto_devmapper;
+  common = disk/devmapper.c;
+};
\ No newline at end of file
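Review bot: the new crypto_devmapper stanza is appended without a terminating newline, as the "\ No newline at end of file" marker after the closing "};" shows. End the last line of Makefile.core.def with a newline so the next module appended to this file does not produce a diff that also rewrites this stanza's final line.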
diff --git a/grub-core/disk/devmapper.c b/grub-core/disk/devmapper.c
new file mode 100644
index 000..1ac8e5d
--- /dev/null
+++ b/grub-core/disk/devmapper.c
@@ -0,0 +1,414 @@
+/*
+ * devmapper.c - Device mapper (w/ crypto support)
+ *
+ * Copyright (C) 2007 Simon Peter dn@gmx.net
+ * Thanks to Raoul Boenisch jkl...@gmx.net for the initial idea.
+ */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2003,2007  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see http://www.gnu.org/licenses/.
+ */
+
+#include grub/types.h
+#include grub/misc.h
+#include grub/mm.h
+#include grub/err.h
+#include grub/dl.h
+#include grub/normal.h
+#include grub/extcmd.h
+#include grub/disk.h
+#include grub/crypto.h
+
+#define DEFAULT_HASH	ripemd160
+#define DEFAULT_CIPHER	aes-cbc
+#define MAX_KEYSIZE	64
+#define MAX_PASSPHRASE	256
+
+#define MIN(a, b)	(a  b ? a : b)
+
+struct grub_crypto
+{
+  char *devname, *source_devname;
+  int has_partitions;
+  grub_crypto_cipher_handle_t cipher;
+  grub_disk_t srcdisk;
+  int keysize;
+
+  struct grub_crypto *next;
+};
+
+typedef struct grub_crypto *grub_crypto_t;
+
+struct crypto_private
+{
+  grub_crypto_t crypto;
+  grub_disk_t srcdisk;
+};
+
+typedef struct crypto_private *crypto_private_t;
+
+static grub_crypto_t crypto_list = NULL;
+
+/* Delete a registered crypto device. */
+static grub_err_t
+delete_crypto (const char *name)
+{
+  grub_crypto_t dev, *prev;
+
+  /* Search for the device */
+  for (dev = crypto_list, prev = crypto_list; dev;
+   prev = dev-next, dev = dev-next)
+if (grub_strcmp (dev-devname, name) == 0)
+  break;
+
+  if (!dev)
+return grub_error (GRUB_ERR_BAD_DEVICE, Device not found);
+
+  /* Remove the device from the list */
+  *prev = dev-next;
+  grub_free (dev-devname);
+  grub_free (dev-source_devname);
+  grub_crypto_cipher_close (dev-cipher);
+  grub_free (dev);
+
+  return GRUB_ERR_NONE;
+}
+
+/* Hashes a passphrase into a key and stores it with cipher. */
+static gcry_err_code_t
+set_passphrase (grub_crypto_t dev, const gcry_md_spec_t *hashparams,
+		const char *passphrase)
+{
+  grub_uint8_t hash[MAX_KEYSIZE * 2], *key = hash;
+  char *p;
+  unsigned int round, i, size = dev-keysize;
+  unsigned int len;
+
+  /* Need no passphrase if there's no key */
+  if (size == 0)
+return GPG_ERR_INV_KEYLEN;
+
+  /* Hack to support the none hash */
+  if (hashparams)
+len = hashparams-mdlen;
+  else
+len = grub_strlen (passphrase);
+
+  if (size  MAX_KEYSIZE || len  MAX_KEYSIZE)
+return GPG_ERR_INV_KEYLEN;
+
+  p = grub_malloc (grub_strlen (passphrase) + 2 + size / len);
+  if (!p)
+return grub_errno;
+
+  for (round = 0; size; round++, key += len, size -= len)
+{
+  /* hack from hashalot to avoid null bytes in key */
+  for (i = 0; i  round; i++)
+	p[i] = 'A';
+
+  grub_strcpy (p + i, passphrase);
+
+  if (len  size)
+	len = size;
+
+  grub_crypto_hash (hashparams, key, p, grub_strlen (p));
+}
+
+  return grub_crypto_cipher_set_key (dev-cipher, hash, size);
+}
+
+/* GRUB command line interface */
+
+
+static const struct grub_arg_option options[] = {
+  {delete, 'd', 0, delete the crypto device entry, 0, ARG_TYPE_NONE},
+  {partitions, 
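Review bot: in set_passphrase the loop "for (round = 0; size; round++, key += len, size -= len)" only ends once size has reached zero, so the grub_crypto_cipher_set_key call on the last line of the function is handed a key length of 0 instead of the device's key size; keep the requested length in a separate variable and pass that. The buffer p that holds the prefixed passphrase copy is never released with grub_free, and neither p nor the hash[] array on the stack is cleared before returning, so passphrase and key material stay in memory after the call; wipe both with grub_memset and free p on every exit path. In the "none hash" case len comes from grub_strlen (passphrase), which makes "size / len" in the grub_malloc argument a division by zero for an empty passphrase, and grub_crypto_hash is still called with the NULL hashparams, so that branch needs its own handling.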

Re: Grub2 plain dm-crypt support

2014-11-18 Thread Andrei Borzenkov
On Tue, 18 Nov 2014 10:56:46 +
John Lane g...@jelmail.com wrote:

 Here are patches that can be applied to master (004a2b1ef at time of
 writing this).
 
 0001 is the result of merging branch peter/devmapper (e7f405abb)
 
 0002 contains the changes that I made.
 
 I'm just sending this in case it's useful to anyone in any way. It gives
 a buildable crypto_devmapper module but it doesn't work.
 

I suggest you open bug on savannah and attach files there; it is better
for preserving files and tracing the problem. Maybe there is already
bug open.

 all the best,
 John
 




Re: Grub2 plain dm-crypt support

2014-11-17 Thread John Lane


 Sorry meant to answer earlier. Yes, apparently it was work in progress
 that probably never compiled. Somebody would need to clean it up. If
 you manage it, send a patch so branch can be updated.
I now have a version that builds. There were very few changes necessary.
I can supply a patch. However...

I can load the module successfully and use its devmap command but it
doesn't work for me.

I am not sure how much of the solution is in place and I don't know
enough about how it should work to be able to progress it without help.

I don't think it correctly sets up the cipher. The default value
aes-cbc doesn't work. I have compared with the luks code and I believe
that the cipher needs to be just the cipher name (e.g. aes) and I have
verified that I don't get an error if I explicitly supply this with
devmap -c aes. What it doesn't do is set up the cipher mode in the
way that the luks code does - there needs to be a way to pass it the
mode and have it set that up (e.g. xts-plain64).

Unless anyone can help who is more knowledgeable about this I am going
to have to leave it and accept that it doesn't work. But, if there is
someone else (perhaps the person who wrote the devmapper.c as it is now)
then I am more than happy to help test it.

 You realize that hd1 is not guaranteed to always remain hd1 after
 reboot?
Yes, but in a simple scenario where there is only one device I don't
think it'll be an issue.
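
The cipher/mode split discussed in the message above, as an added example (not part of the original post and not GRUB's code): a parser for cryptsetup-style specs of the form cipher[-mode[-ivgen[:ivopt]]]. The struct and function names are assumptions made for this illustration, and the parser separates the IV generator from the chaining mode, one step further than the message describes.

```c
#include <stdio.h>
#include <string.h>

/* cryptsetup-style spec: cipher[-mode[-ivgen[:ivopt]]], e.g. aes-xts-plain64 */
struct cipher_spec {
  char cipher[32];  /* "aes": the only part a cipher lookup by name accepts */
  char mode[32];    /* "cbc", "xts"; empty when the spec is a bare cipher */
  char ivgen[32];   /* "plain", "plain64", "essiv"; empty when absent */
  char ivopt[32];   /* "sha256" in essiv:sha256; empty when absent */
};

/* Copy [s, e) into dst[n]; reject empty and oversized fields. */
static int copy_field(char *dst, size_t n, const char *s, const char *e)
{
  size_t len = (size_t)(e - s);
  if (len == 0 || len >= n)
    return -1;
  memcpy(dst, s, len);
  dst[len] = '\0';
  return 0;
}

/* Split spec into its parts. Returns 0 on success, -1 if malformed. */
int parse_cipher_spec(const char *spec, struct cipher_spec *out)
{
  const char *end, *d1, *d2, *colon;

  if (!spec || !out)
    return -1;
  memset(out, 0, sizeof(*out));
  end = spec + strlen(spec);

  d1 = strchr(spec, '-');               /* end of cipher name */
  if (!d1)
    return copy_field(out->cipher, sizeof(out->cipher), spec, end);
  if (copy_field(out->cipher, sizeof(out->cipher), spec, d1))
    return -1;
  d2 = strchr(d1 + 1, '-');             /* end of chaining mode */
  if (!d2)
    return copy_field(out->mode, sizeof(out->mode), d1 + 1, end);
  if (copy_field(out->mode, sizeof(out->mode), d1 + 1, d2))
    return -1;
  colon = strchr(d2 + 1, ':');          /* optional IV generator option */
  if (!colon)
    return copy_field(out->ivgen, sizeof(out->ivgen), d2 + 1, end);
  if (copy_field(out->ivgen, sizeof(out->ivgen), d2 + 1, colon))
    return -1;
  return copy_field(out->ivopt, sizeof(out->ivopt), colon + 1, end);
}

int main(void)
{
  /* Constructed samples; "aes-cbc" is the module default named in the thread. */
  const char *in[] = { "aes", "aes-cbc", "aes-xts-plain64", "aes-cbc-essiv:sha256" };
  struct cipher_spec s;
  for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
    if (parse_cipher_spec(in[i], &s) == 0)
      printf("%-21s cipher=%s mode=%s ivgen=%s ivopt=%s\n", in[i],
             s.cipher, s.mode, s.ivgen, s.ivopt);
  return 0;
}
```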




Re: Grub2 plain dm-crypt support

2014-11-15 Thread Andrei Borzenkov
On Mon, 10 Nov 2014 11:43:02 +
John Lane g...@jelmail.com wrote:

 On 09/11/14 19:31, Andrei Borzenkov wrote:
  Only the last commit which adds plain dm-crypt support is relevant.
  And it is pretty much independent of the rest of grub. 
 I checked it out and tried unsuccessfully to build due to errors. I
 tried building branch merged into master and then I tried building
 peter/devmapper (I needed to cherry-pick commit
 fd0df6d098b1e6a4f60275c48a3ec88d15ba1fbb into the branch). Both builds
 ultimately failed with the same errors shown below.
 

Sorry meant to answer earlier. Yes, apparently it was work in progress
that probably never compiled. Somebody would need to clean it up. If
you manage it, send a patch so branch can be updated.

 
  But the main problem as I see it is to identify disk that is needed.
  LUKS is self identifying (you have UUID to find LUKS partition). But
  how do you propose to search for partition containing plain dm-crypt?
 
 I haven't got to the point where I've given this any thought beyond the
 fact that I know that (hd1,1) needs unlocking by plain dm-crypt.


You realize that hd1 is not guaranteed to always remain hd1 after
reboot?
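
Why a LUKS volume can be searched for and a plain dm-crypt volume cannot, as an added example (not part of the original message and not GRUB's code): a LUKS1 volume begins with a fixed magic and stores its UUID at offset 168 of the header, while a plain dm-crypt volume is ciphertext from the first byte. The function names, the UUID and both sample sectors are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LUKS_MAGIC_LEN 6
#define LUKS_UUID_OFF  168            /* LUKS1 header: offset of uuid[40] */
#define LUKS_UUID_LEN  40

static const uint8_t luks_magic[LUKS_MAGIC_LEN] =
  { 'L', 'U', 'K', 'S', 0xba, 0xbe };

/* Probe the first bytes of a volume. Returns 1 and fills uuid (NUL
   terminated) for a LUKS1 header, 0 when nothing identifies the volume. */
int luks1_probe(const uint8_t *buf, size_t len, char uuid[LUKS_UUID_LEN + 1])
{
  if (!buf || len < LUKS_UUID_OFF + LUKS_UUID_LEN)
    return 0;
  if (memcmp(buf, luks_magic, LUKS_MAGIC_LEN) != 0)
    return 0;
  if (buf[6] != 0 || buf[7] != 1)      /* version, big-endian uint16 */
    return 0;
  /* The UUID is stored as text; require a terminator inside the field. */
  if (!memchr(buf + LUKS_UUID_OFF, '\0', LUKS_UUID_LEN))
    return 0;
  memcpy(uuid, buf + LUKS_UUID_OFF, LUKS_UUID_LEN);
  uuid[LUKS_UUID_LEN] = '\0';
  return 1;
}

/* Constructed sample: a minimal LUKS1-looking first sector. */
void make_luks1_sample(uint8_t sector[512], const char *uuid)
{
  memset(sector, 0, 512);
  memcpy(sector, luks_magic, LUKS_MAGIC_LEN);
  sector[7] = 1;
  strncpy((char *)sector + LUKS_UUID_OFF, uuid, LUKS_UUID_LEN - 1);
}

/* Constructed sample: a plain dm-crypt volume has no header, so its first
   sector is ciphertext; a simple generator stands in for that here. */
void make_plain_sample(uint8_t sector[512])
{
  uint32_t x = 0x2545f491u;
  for (size_t i = 0; i < 512; i++) {
    x = x * 1664525u + 1013904223u;
    sector[i] = (uint8_t)(x >> 24);
  }
}

int main(void)
{
  uint8_t sector[512];
  char uuid[LUKS_UUID_LEN + 1];

  make_luks1_sample(sector, "00000000-0000-4000-8000-000000000001");
  printf("luks : %s\n", luks1_probe(sector, sizeof sector, uuid) ? uuid : "unidentified");
  make_plain_sample(sector);
  printf("plain: %s\n", luks1_probe(sector, sizeof sector, uuid) ? uuid : "unidentified");
  return 0;
}
```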



Re: Grub2 plain dm-crypt support

2014-11-10 Thread John Lane
On 09/11/14 19:31, Andrei Borzenkov wrote:
 Only the last commit which adds plain dm-crypt support is relevant.
 And it is pretty much independent of the rest of grub. 
I checked it out and tried unsuccessfully to build due to errors. I
tried building branch merged into master and then I tried building
peter/devmapper (I needed to cherry-pick commit
fd0df6d098b1e6a4f60275c48a3ec88d15ba1fbb into the branch). Both builds
ultimately failed with the same errors shown below.

disk/devmapper.c: In function ‘grub_cmd_devmap’:
disk/devmapper.c:159:22: warning: initialization discards ‘const’
qualifier from pointer target type
   char *passphrase = ;
  ^
disk/devmapper.c:162:36: error: ‘struct grub_extcmd’ has no member named
‘state’
   struct grub_arg_list *state = cmd-state;
^
disk/devmapper.c:221:26: error: ‘GRUB_ERR_CIPHER_NOT_FOUND’ undeclared
(first use in this function)
   return grub_error (GRUB_ERR_CIPHER_NOT_FOUND, Unknown cipher
%s, hash);
  ^
disk/devmapper.c:221:26: note: each undeclared identifier is reported
only once for each function it appears in
disk/devmapper.c: In function ‘grub_crypto_open’:
disk/devmapper.c:322:7: error: ‘struct grub_disk’ has no member named
‘has_partitions’
   disk-has_partitions = dev-has_partitions;
   ^
disk/devmapper.c: In function ‘grub_crypto_read’:
disk/devmapper.c:357:7: warning: variable length array ‘iv’ is used [-Wvla]
   grub_uint8_t iv[cipher-cipher-blocksize];
   ^
disk/devmapper.c: At top level:
disk/devmapper.c:389:3: warning: initialization from incompatible
pointer type
   .iterate = grub_crypto_iterate,
   ^
disk/devmapper.c:389:3: warning: (near initialization for
‘grub_crypto_dev.iterate’)
disk/devmapper.c: In function ‘grub_mod_init’:
disk/devmapper.c:403:58: error: ‘GRUB_COMMAND_FLAG_BOTH’ undeclared
(first use in this function)
   cmd = grub_register_extcmd (devmap, grub_cmd_devmap,
GRUB_COMMAND_FLAG_BOTH,
  ^
disk/devmapper.c:403:41: warning: passing argument 2 of
‘grub_register_extcmd’ from incompatible pointer type
   cmd = grub_register_extcmd (devmap, grub_cmd_devmap,
GRUB_COMMAND_FLAG_BOTH,
 ^
In file included from ../include/grub/misc.h:25:0,
 from disk/devmapper.c:26:
../include/grub/extcmd.h:58:27: note: expected ‘grub_extcmd_func_t’ but
argument is of type ‘enum grub_err_t (*)(struct grub_extcmd *, int, 
char **)’
 grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
   ^
../include/grub/symbol.h:68:25: note: in definition of macro ‘EXPORT_FUNC’
 # define EXPORT_FUNC(x) x
 ^
Makefile:29158: recipe for target
'disk/crypto_devmapper_module-devmapper.o' failed


It looks to me like the code in devmapper.c expects some definitions
that don't exist in the source. If there's any chance of a version that
builds I will be pleased to test it.

 But the main problem as I see it is to identify disk that is needed.
 LUKS is self identifying (you have UUID to find LUKS partition). But
 how do you propose to search for partition containing plain dm-crypt?

I haven't got to the point where I've given this any thought beyond the
fact that I know that (hd1,1) needs unlocking by plain dm-crypt.





Re: Grub2 plain dm-crypt support

2014-11-09 Thread John Lane
On 09/11/14 05:21, Andrei Borzenkov wrote:
 No, I do not think anything has changed since then. 
I feared that would be the answer!
 You could start with git branch mentioned above. 
I've looked at git. The branch peter/devmapper mentioned in the other
thread is over a year old.

I presume the relevant files that implement the cryptomount
command are

./include/grub/cryptodisk.h
./grub-core/disk/cryptodisk.c

I can't see any changes in their git logs that refer to plain dm-crypt.
Being unfamiliar with the code, I don't really know what I am looking for.

I'd hoped there would be a specific branch that I could check out and
build, as building isn't a problem for me. But, if I have to modify code
to implement it, then that's a step too far.

 Do you mean - modules implementing crypto routines? I'm afraid, the
 only documentation is in sources.
Ok, thanks. I meant generally for all modules but specifically for the
crypto stuff that I am currently trying to use.
I have looked through the source but am none the wiser. All I know is
there is a cryptomount command.




Re: Grub2 plain dm-crypt support

2014-11-08 Thread Andrei Borzenkov
On Sat, 08 Nov 2014 20:48:55 +
John Lane g...@jelmail.com wrote:

 Hello, I am trying to establish whether Grub2 can open a plain-mode
 dm-crypt volume.
 
 I have grub-install (GRUB) 2.02~beta2
 
 I can't find much information on the subject, the most recent I can see
 is a thread from a year ago
 https://lists.gnu.org/archive/html/help-grub/2013-12/msg4.html
 
 What's the current situation - is it possible to boot using files stored
 on a plain dm-crypt volume?
 

No, I do not think anything has changed since then.

 I'd appreciate any guidance to help me get this to work. I don't mind if
 it means building a git checkout.
 

You could start with git branch mentioned above. 

 Also, I have looked for documentation on the crypt modules but cannot
 find any. I'd be grateful for a pointer towards any module
 documentation, as all I've been able to find is the main Grub user guide.
 

Do you mean - modules implementing crypto routines? I'm afraid, the
only documentation is in sources.

 Many thanks in advance.
 




Re: GRUB2 plain dm-crypt support

2013-12-15 Thread joe fresh
Hi, thanks for the quick response.

Unfortunately, I didn't find anything related to plain dm-crypt searching 
through the recent grub-devel archives.
I'll probably try cross-posting to that forum though, hopefully someone will be 
able to provide a link to this patch.

Thanks!
- Original Message -
From: Andrey Borzenkov
Sent: 12/15/13 12:53 AM
To: joe fresh
Subject: Re: GRUB2 plain dm-crypt support

On Sun, 15 Dec 2013 00:46:18 -0500 joe fresh dzrdm...@gmx.com wrote:
 Hi,
 Is there any way to access a plain dm-crypt device from grub2?
 The necessary decryption code seems to be already present in the
 cryptodisk module, but I can't find a module/command that would let me
 mount a dm-crypt device.
 cryptomount provided by the luks module only works with luks encrypted
 devices.
 Thanks!

Try searching grub-devel. IIRC I have seen patch adding support for
plain dm-crypt posted recently.


Re: GRUB2 plain dm-crypt support

2013-12-15 Thread Andrey Borzenkov
On Sun, Dec 15, 2013 at 7:54 PM, joe fresh dzrdm...@gmx.com wrote:
 Hi, thanks for the quick response.

 Unfortunately, I didn't find anything related to plain dm-crypt searching
 through the recent grub-devel archives.

OK it was not on the list but on GIT branch :p

http://git.savannah.gnu.org/cgit/grub.git/log/?h=peter/devmapper

Disclaimer - did not try it myself and no idea in which state it is.



Re: GRUB2 plain dm-crypt support

2013-12-15 Thread joe fresh
Thanks a lot, that's exactly what I was looking for.
So it's not officially supported yet, but work is in progress to support this 
in the future.
I took a quick look at this commit and I don't see the code to support modes 
such as xts.
Therefore, I doubt it will work for me in its current state but I'll take a 
closer look later and see if I can hack it to add xts support.

Thanks again!
- Original Message -
From: Andrey Borzenkov
Sent: 12/15/13 11:02 AM
To: joe fresh
Subject: Re: GRUB2 plain dm-crypt support

On Sun, Dec 15, 2013 at 7:54 PM, joe fresh dzrdm...@gmx.com wrote:
 Hi, thanks for the quick response.

 Unfortunately, I didn't find anything related to plain dm-crypt searching
 through the recent grub-devel archives.

OK it was not on the list but on GIT branch :p

http://git.savannah.gnu.org/cgit/grub.git/log/?h=peter/devmapper

Disclaimer - did not try it myself and no idea in which state it is.