CMXSL.org/package-helpers-cmxsl
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Adjust grub2 to nabia release version

Browse source
This commit is contained in:
Luis Guzmán 2021-09-22 21:22:57 +00:00
parent 9c93f3f768
commit c5d4bac104
8 changed files with 1680 additions and 1645 deletions
Download patch file Download diff file Expand all files Collapse all files

494
helpers/DATA/grub2/0001-Cryptomount-support-LUKS-detached-header.patch
View file

@ -1,247 +1,253 @@
From 5c643ba894421ac78c3fe18ff9548d8e9fa82ed4 Mon Sep 17 00:00:00 2001 diff --git a/0001-Cryptomount-support-LUKS-detached-header.patch b/0001-Cryptomount-support-LUKS-detached-header.patch
From: John Lane <john@lane.uk.net> new file mode 100644
Date: Tue, 23 Jun 2015 11:16:30 +0100 index 00000000000..65943f41b8c
Subject: [PATCH 1/5] Cryptomount support LUKS detached header --- /dev/null
+++ b/0001-Cryptomount-support-LUKS-detached-header.patch
--- @@ -0,0 +1,247 @@
grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++---- +From 2008e08c0a511da5d454664363f452a9e26c734f Mon Sep 17 00:00:00 2001
grub-core/disk/geli.c | 7 +++++-- +From: John Lane <john@lane.uk.net>
grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++-------- +Date: Tue, 23 Jun 2015 11:16:30 +0100
include/grub/cryptodisk.h | 5 +++-- +Subject: [PATCH 1/7] Cryptomount support LUKS detached header
4 files changed, 63 insertions(+), 16 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 82a3dcb..6f596a0 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -40,6 +40,7 @@ static const struct grub_arg_option options[] =
/* TRANSLATORS: It's still restricted to cryptodisks only. */
{"all", 'a', 0, N_("Mount all."), 0, 0},
{"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
{0, 0, 0, 0, 0, 0}
};
@@ -803,6 +804,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
static int check_boot, have_it;
static char *search_uuid;
+static grub_file_t hdr;
static void
cryptodisk_close (grub_cryptodisk_t dev)
@@ -827,13 +829,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
FOR_CRYPTODISK_DEVS (cr)
{
- dev = cr->scan (source, search_uuid, check_boot);
+ dev = cr->scan (source, search_uuid, check_boot, hdr);
if (grub_errno)
return grub_errno;
if (!dev)
continue;
- err = cr->recover_key (source, dev);
+ err = cr->recover_key (source, dev, hdr);
if (err)
{
cryptodisk_close (dev);
@@ -874,7 +876,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
FOR_CRYPTODISK_DEVS (cr)
{
- dev = cr->scan (source, search_uuid, check_boot);
+ dev = cr->scan (source, search_uuid, check_boot,0);
if (grub_errno)
return grub_errno;
if (!dev)
@@ -928,6 +930,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
if (argc < 1 && !state[1].set && !state[2].set)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
+ if (state[3].set) /* LUKS detached header */
+ {
+ if (state[0].set) /* Cannot use UUID lookup with detached header */
+ return GRUB_ERR_BAD_ARGUMENT;
+ +
+ hdr = grub_file_open (state[3].arg); +---
+ if (!hdr) + grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++----
+ return grub_errno; + grub-core/disk/geli.c | 7 +++++--
+ } + grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++--------
+ else + include/grub/cryptodisk.h | 5 +++--
+ hdr = NULL; + 4 files changed, 63 insertions(+), 16 deletions(-)
+ +
have_it = 0; +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
if (state[0].set) +index bd60a66b3..5230a5a9a 100644
{ +--- a/grub-core/disk/cryptodisk.c
@@ -1125,7 +1139,7 @@ GRUB_MOD_INIT (cryptodisk) ++++ b/grub-core/disk/cryptodisk.c
{ +@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
grub_disk_dev_register (&grub_cryptodisk_dev); + /* TRANSLATORS: It's still restricted to cryptodisks only. */
cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, + {"all", 'a', 0, N_("Mount all."), 0, 0},
- N_("SOURCE|-u UUID|-a|-b"), + {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+ N_("SOURCE|-u UUID|-a|-b|-H file"), ++ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
N_("Mount a crypto device."), options); + {0, 0, 0, 0, 0, 0}
grub_procfs_register ("luks_script", &luks_script); + };
} +
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c +@@ -809,6 +810,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
index e9d2329..f4394eb 100644 +
--- a/grub-core/disk/geli.c + static int check_boot, have_it;
+++ b/grub-core/disk/geli.c + static char *search_uuid;
@@ -52,6 +52,7 @@ ++static grub_file_t hdr;
#include <grub/dl.h> +
#include <grub/err.h> + static void
#include <grub/disk.h> + cryptodisk_close (grub_cryptodisk_t dev)
+#include <grub/file.h> +@@ -833,13 +835,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
#include <grub/crypto.h> +
#include <grub/partition.h> + FOR_CRYPTODISK_DEVS (cr)
#include <grub/i18n.h> + {
@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev) +- dev = cr->scan (source, search_uuid, check_boot);
++ dev = cr->scan (source, search_uuid, check_boot, hdr);
static grub_cryptodisk_t + if (grub_errno)
configure_ciphers (grub_disk_t disk, const char *check_uuid, + return grub_errno;
- int boot_only) + if (!dev)
+ int boot_only, + continue;
+ grub_file_t hdr __attribute__ ((unused)) ) +
{ +- err = cr->recover_key (source, dev);
grub_cryptodisk_t newdev; ++ err = cr->recover_key (source, dev, hdr);
struct grub_geli_phdr header; + if (err)
@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + {
} + cryptodisk_close (dev);
+@@ -880,7 +882,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
static grub_err_t +
-recover_key (grub_disk_t source, grub_cryptodisk_t dev) + FOR_CRYPTODISK_DEVS (cr)
+recover_key (grub_disk_t source, grub_cryptodisk_t dev, + {
+ grub_file_t hdr __attribute__ ((unused)) ) +- dev = cr->scan (source, search_uuid, check_boot);
{ ++ dev = cr->scan (source, search_uuid, check_boot,0);
grub_size_t keysize; + if (grub_errno)
grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; + return grub_errno;
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c + if (!dev)
index 86c50c6..66e64c0 100644 +@@ -934,6 +936,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
--- a/grub-core/disk/luks.c + if (argc < 1 && !state[1].set && !state[2].set)
+++ b/grub-core/disk/luks.c + return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
@@ -23,6 +23,7 @@ +
#include <grub/dl.h> ++ if (state[3].set) /* LUKS detached header */
#include <grub/err.h> ++ {
#include <grub/disk.h> ++ if (state[0].set) /* Cannot use UUID lookup with detached header */
+#include <grub/file.h> ++ return GRUB_ERR_BAD_ARGUMENT;
#include <grub/crypto.h> ++
#include <grub/partition.h> ++ hdr = grub_file_open (state[3].arg, GRUB_FILE_TYPE_NONE);
#include <grub/i18n.h> ++ if (!hdr)
@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, ++ return grub_errno;
++ }
static grub_cryptodisk_t ++ else
configure_ciphers (grub_disk_t disk, const char *check_uuid, ++ hdr = NULL;
- int check_boot) ++
+ int check_boot, grub_file_t hdr) + have_it = 0;
{ + if (state[0].set)
grub_cryptodisk_t newdev; + {
const char *iptr; +@@ -1141,7 +1155,7 @@ GRUB_MOD_INIT (cryptodisk)
@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + {
int benbi_log = 0; + grub_disk_dev_register (&grub_cryptodisk_dev);
grub_err_t err; + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
+- N_("SOURCE|-u UUID|-a|-b"),
+ err = GRUB_ERR_NONE; ++ N_("SOURCE|-u UUID|-a|-b|-H file"),
+ N_("Mount a crypto device."), options);
+ grub_procfs_register ("luks_script", &luks_script);
+ }
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index e9d23299a..f4394eb42 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -52,6 +52,7 @@
+ #include <grub/dl.h>
+ #include <grub/err.h>
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
+@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
+
+ static grub_cryptodisk_t
+ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+- int boot_only)
++ int boot_only,
++ grub_file_t hdr __attribute__ ((unused)) )
+ {
+ grub_cryptodisk_t newdev;
+ struct grub_geli_phdr header;
+@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ }
+
+ static grub_err_t
+-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
++recover_key (grub_disk_t source, grub_cryptodisk_t dev,
++ grub_file_t hdr __attribute__ ((unused)) )
+ {
+ grub_size_t keysize;
+ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 86c50c612..66e64c0e0 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -23,6 +23,7 @@
+ #include <grub/dl.h>
+ #include <grub/err.h>
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
+@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
+
+ static grub_cryptodisk_t
+ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+- int check_boot)
++ int check_boot, grub_file_t hdr)
+ {
+ grub_cryptodisk_t newdev;
+ const char *iptr;
+@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ int benbi_log = 0;
+ grub_err_t err;
+
++ err = GRUB_ERR_NONE;
++
+ if (check_boot)
+ return NULL;
+
+ /* Read the LUKS header. */
+- err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
++ if (hdr)
++ {
++ grub_file_seek (hdr, 0);
++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
++
+ if (err)
+ {
+ if (err == GRUB_ERR_OUT_OF_RANGE)
+@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
+ newdev->modname = "luks";
+ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
++
+ return newdev;
+ }
+
+ static grub_err_t
+ luks_recover_key (grub_disk_t source,
+- grub_cryptodisk_t dev)
++ grub_cryptodisk_t dev,
++ grub_file_t hdr)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source,
+ grub_err_t err;
+ grub_size_t max_stripes = 1;
+ char *tmp;
++ grub_uint32_t sector;
++
++ err = GRUB_ERR_NONE;
++
++ if (hdr)
++ {
++ grub_file_seek (hdr, 0);
++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (source, 0, 0, sizeof (header), &header);
+
+- err = grub_disk_read (source, 0, 0, sizeof (header), &header);
+ if (err)
+ return err;
+
+@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source,
+ return grub_crypto_gcry_error (gcry_err);
+ }
+
++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
+ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
+
+ /* Read and decrypt the key material from the disk. */
+- err = grub_disk_read (source,
+- grub_be_to_cpu32 (header.keyblock
+- [i].keyMaterialOffset), 0,
+- length, split_key);
++ if (hdr)
++ {
++ grub_file_seek (hdr, sector * 512);
++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (source, sector, 0, length, split_key);
+ if (err)
+ {
+ grub_free (split_key);
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index 32f564ae0..4e6e89a93 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -20,6 +20,7 @@
+ #define GRUB_CRYPTODISK_HEADER 1
+
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/list.h>
+ #ifdef GRUB_UTIL
+@@ -107,8 +108,8 @@ struct grub_cryptodisk_dev
+ struct grub_cryptodisk_dev **prev;
+
+ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+- int boot_only);
+- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
++ int boot_only, grub_file_t hdr);
++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+
+--
+2.16.2
+ +
if (check_boot)
return NULL;
/* Read the LUKS header. */
- err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+ if (hdr)
+ {
+ grub_file_seek (hdr, 0);
+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+ err = GRUB_ERR_READ_ERROR;
+ }
+ else
+ err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
+
if (err)
{
if (err == GRUB_ERR_OUT_OF_RANGE)
@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
newdev->modname = "luks";
COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
+
return newdev;
}
static grub_err_t
luks_recover_key (grub_disk_t source,
- grub_cryptodisk_t dev)
+ grub_cryptodisk_t dev,
+ grub_file_t hdr)
{
struct grub_luks_phdr header;
grub_size_t keysize;
@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source,
grub_err_t err;
grub_size_t max_stripes = 1;
char *tmp;
+ grub_uint32_t sector;
+
+ err = GRUB_ERR_NONE;
+
+ if (hdr)
+ {
+ grub_file_seek (hdr, 0);
+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
+ err = GRUB_ERR_READ_ERROR;
+ }
+ else
+ err = grub_disk_read (source, 0, 0, sizeof (header), &header);
- err = grub_disk_read (source, 0, 0, sizeof (header), &header);
if (err)
return err;
@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source,
return grub_crypto_gcry_error (gcry_err);
}
+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
/* Read and decrypt the key material from the disk. */
- err = grub_disk_read (source,
- grub_be_to_cpu32 (header.keyblock
- [i].keyMaterialOffset), 0,
- length, split_key);
+ if (hdr)
+ {
+ grub_file_seek (hdr, sector * 512);
+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+ err = GRUB_ERR_READ_ERROR;
+ }
+ else
+ err = grub_disk_read (source, sector, 0, length, split_key);
if (err)
{
grub_free (split_key);
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index f2ad2a7..16dee3c 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -20,6 +20,7 @@
#define GRUB_CRYPTODISK_HEADER 1
#include <grub/disk.h>
+#include <grub/file.h>
#include <grub/crypto.h>
#include <grub/list.h>
#ifdef GRUB_UTIL
@@ -106,8 +107,8 @@ struct grub_cryptodisk_dev
struct grub_cryptodisk_dev **prev;
grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
- int boot_only);
- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
+ int boot_only, grub_file_t hdr);
+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
};
typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
--
2.1.2

410
helpers/DATA/grub2/0002-Cryptomount-support-key-files.patch
View file

@ -1,205 +1,211 @@
From 802a23fc503a3c09f167883f05c759471243b4d3 Mon Sep 17 00:00:00 2001 diff --git a/0002-Cryptomount-support-key-files.patch b/0002-Cryptomount-support-key-files.patch
From: John Lane <john@lane.uk.net> new file mode 100644
Date: Fri, 26 Jun 2015 13:37:10 +0100 index 00000000000..43af5ff3cbf
Subject: [PATCH 2/5] Cryptomount support key files --- /dev/null
+++ b/0002-Cryptomount-support-key-files.patch
--- @@ -0,0 +1,205 @@
grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++- +From df3aa34cc68b128c5441ee25ef092e6c2c87392e Mon Sep 17 00:00:00 2001
grub-core/disk/geli.c | 4 +++- +From: John Lane <john@lane.uk.net>
grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++-------------- +Date: Fri, 26 Jun 2015 13:37:10 +0100
include/grub/cryptodisk.h | 5 ++++- +Subject: [PATCH 2/7] Cryptomount support key files
4 files changed, 82 insertions(+), 17 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6f596a0..a27e70c 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -41,6 +41,9 @@ static const struct grub_arg_option options[] =
{"all", 'a', 0, N_("Mount all."), 0, 0},
{"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
{"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
{0, 0, 0, 0, 0, 0}
};
@@ -805,6 +808,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
static int check_boot, have_it;
static char *search_uuid;
static grub_file_t hdr;
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
+static grub_size_t keyfile_size;
static void
cryptodisk_close (grub_cryptodisk_t dev)
@@ -835,7 +840,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
if (!dev)
continue;
- err = cr->recover_key (source, dev, hdr);
+ err = cr->recover_key (source, dev, hdr, key, keyfile_size);
if (err)
{
cryptodisk_close (dev);
@@ -943,6 +948,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
hdr = NULL;
have_it = 0;
+ key = NULL;
+ +
+ if (state[4].set) /* Key file; fails back to passphrase entry */ +---
+ { + grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-
+ grub_file_t keyfile; + grub-core/disk/geli.c | 4 +++-
+ int keyfile_offset; + grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++--------------
+ grub_size_t requested_keyfile_size; + include/grub/cryptodisk.h | 5 ++++-
+ 4 files changed, 82 insertions(+), 17 deletions(-)
+ +
+ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0; +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5230a5a9a..5261af547 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
+ {"all", 'a', 0, N_("Mount all."), 0, 0},
+ {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
+ {0, 0, 0, 0, 0, 0}
+ };
+
+@@ -811,6 +814,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
+ static int check_boot, have_it;
+ static char *search_uuid;
+ static grub_file_t hdr;
++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
++static grub_size_t keyfile_size;
+
+ static void
+ cryptodisk_close (grub_cryptodisk_t dev)
+@@ -841,7 +846,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
+ if (!dev)
+ continue;
+
+- err = cr->recover_key (source, dev, hdr);
++ err = cr->recover_key (source, dev, hdr, key, keyfile_size);
+ if (err)
+ {
+ cryptodisk_close (dev);
+@@ -949,6 +954,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ hdr = NULL;
+
+ have_it = 0;
++ key = NULL;
++
++ if (state[4].set) /* Key file; fails back to passphrase entry */
++ {
++ grub_file_t keyfile;
++ int keyfile_offset;
++ grub_size_t requested_keyfile_size;
++
++ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0;
++
++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
++ else
++ {
++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
++
++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
++ if (!keyfile)
++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
++ else
++ {
++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
++ if (keyfile_size == (grub_size_t)-1)
++ grub_printf (N_("Error reading key file\n"));
++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
++ (unsigned long long) requested_keyfile_size,
++ (unsigned long long) keyfile_size);
++ else
++ key = keyfile_buffer;
++ }
++ }
++ }
++
+ if (state[0].set)
+ {
+ grub_cryptodisk_t dev;
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index f4394eb42..da6aa6a63 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+
+ static grub_err_t
+ recover_key (grub_disk_t source, grub_cryptodisk_t dev,
+- grub_file_t hdr __attribute__ ((unused)) )
++ grub_file_t hdr __attribute__ ((unused)),
++ grub_uint8_t *key __attribute__ ((unused)),
++ grub_size_t keyfile_size __attribute__ ((unused)) )
+ {
+ grub_size_t keysize;
+ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 66e64c0e0..588236888 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ static grub_err_t
+ luks_recover_key (grub_disk_t source,
+ grub_cryptodisk_t dev,
+- grub_file_t hdr)
++ grub_file_t hdr,
++ grub_uint8_t *keyfile_bytes,
++ grub_size_t keyfile_bytes_size)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+ grub_uint8_t *split_key = NULL;
+- char passphrase[MAX_PASSPHRASE] = "";
++ char interactive_passphrase[MAX_PASSPHRASE] = "";
++ grub_uint8_t *passphrase;
++ grub_size_t passphrase_length;
+ grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
+ unsigned i;
+ grub_size_t length;
+@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source,
+ if (!split_key)
+ return grub_errno;
+
+- /* Get the passphrase from the user. */
+- tmp = NULL;
+- if (source->partition)
+- tmp = grub_partition_get_name (source->partition);
+- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+- source->partition ? "," : "", tmp ? : "",
+- dev->uuid);
+- grub_free (tmp);
+- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
++ if (keyfile_bytes)
+ {
+- grub_free (split_key);
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ /* Use bytestring from key file as passphrase */
++ passphrase = keyfile_bytes;
++ passphrase_length = keyfile_bytes_size;
++ }
++ else
++ {
++ /* Get the passphrase from the user. */
++ tmp = NULL;
++ if (source->partition)
++ tmp = grub_partition_get_name (source->partition);
++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++ source->partition ? "," : "", tmp ? : "", dev->uuid);
++ grub_free (tmp);
++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ {
++ grub_free (split_key);
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ }
++
++ passphrase = (grub_uint8_t *)interactive_passphrase;
++ passphrase_length = grub_strlen (interactive_passphrase);
++
+ }
+
+ /* Try to recover master key from each active keyslot. */
+@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source,
+
+ /* Calculate the PBKDF2 of the user supplied passphrase. */
+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+- grub_strlen (passphrase),
++ passphrase_length,
+ header.keyblock[i].passwordSalt,
+ sizeof (header.keyblock[i].passwordSalt),
+ grub_be_to_cpu32 (header.keyblock[i].
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index 4e6e89a93..67f6b0b59 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -55,6 +55,8 @@ typedef enum
+ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
+ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
+
++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
++
+ struct grub_cryptodisk;
+
+ typedef gcry_err_code_t
+@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev
+
+ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+ int boot_only, grub_file_t hdr);
+- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
++ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+
+--
+2.16.2
+ +
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+ else
+ {
+ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
+
+ keyfile = grub_file_open (state[4].arg);
+ if (!keyfile)
+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
+ else
+ {
+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
+ if (keyfile_size == (grub_size_t)-1)
+ grub_printf (N_("Error reading key file\n"));
+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
+ (unsigned long long) requested_keyfile_size,
+ (unsigned long long) keyfile_size);
+ else
+ key = keyfile_buffer;
+ }
+ }
+ }
+
if (state[0].set)
{
grub_cryptodisk_t dev;
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
index f4394eb..da6aa6a 100644
--- a/grub-core/disk/geli.c
+++ b/grub-core/disk/geli.c
@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
static grub_err_t
recover_key (grub_disk_t source, grub_cryptodisk_t dev,
- grub_file_t hdr __attribute__ ((unused)) )
+ grub_file_t hdr __attribute__ ((unused)),
+ grub_uint8_t *key __attribute__ ((unused)),
+ grub_size_t keyfile_size __attribute__ ((unused)) )
{
grub_size_t keysize;
grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
index 66e64c0..5882368 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
static grub_err_t
luks_recover_key (grub_disk_t source,
grub_cryptodisk_t dev,
- grub_file_t hdr)
+ grub_file_t hdr,
+ grub_uint8_t *keyfile_bytes,
+ grub_size_t keyfile_bytes_size)
{
struct grub_luks_phdr header;
grub_size_t keysize;
grub_uint8_t *split_key = NULL;
- char passphrase[MAX_PASSPHRASE] = "";
+ char interactive_passphrase[MAX_PASSPHRASE] = "";
+ grub_uint8_t *passphrase;
+ grub_size_t passphrase_length;
grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
unsigned i;
grub_size_t length;
@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source,
if (!split_key)
return grub_errno;
- /* Get the passphrase from the user. */
- tmp = NULL;
- if (source->partition)
- tmp = grub_partition_get_name (source->partition);
- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
- source->partition ? "," : "", tmp ? : "",
- dev->uuid);
- grub_free (tmp);
- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
+ if (keyfile_bytes)
{
- grub_free (split_key);
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+ /* Use bytestring from key file as passphrase */
+ passphrase = keyfile_bytes;
+ passphrase_length = keyfile_bytes_size;
+ }
+ else
+ {
+ /* Get the passphrase from the user. */
+ tmp = NULL;
+ if (source->partition)
+ tmp = grub_partition_get_name (source->partition);
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+ source->partition ? "," : "", tmp ? : "", dev->uuid);
+ grub_free (tmp);
+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+ {
+ grub_free (split_key);
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+ }
+
+ passphrase = (grub_uint8_t *)interactive_passphrase;
+ passphrase_length = grub_strlen (interactive_passphrase);
+
}
/* Try to recover master key from each active keyslot. */
@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source,
/* Calculate the PBKDF2 of the user supplied passphrase. */
gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
- grub_strlen (passphrase),
+ passphrase_length,
header.keyblock[i].passwordSalt,
sizeof (header.keyblock[i].passwordSalt),
grub_be_to_cpu32 (header.keyblock[i].
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index 16dee3c..0299625 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -55,6 +55,8 @@ typedef enum
#define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
#define GRUB_CRYPTODISK_MAX_KEYLEN 128
+#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
+
struct grub_cryptodisk;
typedef gcry_err_code_t
@@ -108,7 +110,8 @@ struct grub_cryptodisk_dev
grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
int boot_only, grub_file_t hdr);
- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
+ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
};
typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
--
2.1.2

658
helpers/DATA/grub2/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
View file

@ -1,329 +1,335 @@
From 3e2ffefe1edbbd874ca18ac397a14465d1ac49be Mon Sep 17 00:00:00 2001 diff --git a/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
From: John Lane <john@lane.uk.net> new file mode 100644
Date: Fri, 26 Jun 2015 13:49:58 +0100 index 00000000000..19ffed89ca8
Subject: [PATCH 3/5] Cryptomount luks allow multiple passphrase attempts --- /dev/null
+++ b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
--- @@ -0,0 +1,329 @@
grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------ +From d055c1e314fa37957f169e08bea9d19c4417ed21 Mon Sep 17 00:00:00 2001
1 file changed, 143 insertions(+), 135 deletions(-) +From: John Lane <john@lane.uk.net>
+Date: Fri, 26 Jun 2015 13:49:58 +0100
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +Subject: [PATCH 3/7] cryptomount luks allow multiple passphrase attempts
index 5882368..11e437e 100644
--- a/grub-core/disk/luks.c
+++ b/grub-core/disk/luks.c
@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
static grub_err_t
luks_recover_key (grub_disk_t source,
- grub_cryptodisk_t dev,
- grub_file_t hdr,
- grub_uint8_t *keyfile_bytes,
- grub_size_t keyfile_bytes_size)
+ grub_cryptodisk_t dev,
+ grub_file_t hdr,
+ grub_uint8_t *keyfile_bytes,
+ grub_size_t keyfile_bytes_size)
{
struct grub_luks_phdr header;
grub_size_t keysize;
@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source,
grub_size_t max_stripes = 1;
char *tmp;
grub_uint32_t sector;
+ unsigned attempts = 2;
err = GRUB_ERR_NONE;
@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source,
for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED
- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
+ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
split_key = grub_malloc (keysize * max_stripes);
if (!split_key)
return grub_errno;
- if (keyfile_bytes)
+ while (attempts)
{
- /* Use bytestring from key file as passphrase */
- passphrase = keyfile_bytes;
- passphrase_length = keyfile_bytes_size;
- }
- else
- {
- /* Get the passphrase from the user. */
- tmp = NULL;
- if (source->partition)
- tmp = grub_partition_get_name (source->partition);
- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
- source->partition ? "," : "", tmp ? : "", dev->uuid);
- grub_free (tmp);
- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+ if (keyfile_bytes)
{
- grub_free (split_key);
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
- }
-
- passphrase = (grub_uint8_t *)interactive_passphrase;
- passphrase_length = grub_strlen (interactive_passphrase);
-
- }
-
- /* Try to recover master key from each active keyslot. */
- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
- {
- gcry_err_code_t gcry_err;
- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
-
- /* Check if keyslot is enabled. */
- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
- continue;
-
- grub_dprintf ("luks", "Trying keyslot %d\n", i);
-
- /* Calculate the PBKDF2 of the user supplied passphrase. */
- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
- passphrase_length,
- header.keyblock[i].passwordSalt,
- sizeof (header.keyblock[i].passwordSalt),
- grub_be_to_cpu32 (header.keyblock[i].
- passwordIterations),
- digest, keysize);
-
- if (gcry_err)
- {
- grub_free (split_key);
- return grub_crypto_gcry_error (gcry_err);
- }
-
- grub_dprintf ("luks", "PBKDF2 done\n");
-
- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
- if (gcry_err)
- {
- grub_free (split_key);
- return grub_crypto_gcry_error (gcry_err);
- }
-
- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
-
- /* Read and decrypt the key material from the disk. */
- if (hdr)
- {
- grub_file_seek (hdr, sector * 512);
- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
- err = GRUB_ERR_READ_ERROR;
+ /* Use bytestring from key file as passphrase */
+ passphrase = keyfile_bytes;
+ passphrase_length = keyfile_bytes_size;
+ keyfile_bytes = NULL; /* use it only once */
}
else
- err = grub_disk_read (source, sector, 0, length, split_key);
- if (err)
- {
- grub_free (split_key);
- return err;
- }
-
- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
- if (gcry_err)
- {
- grub_free (split_key);
- return grub_crypto_gcry_error (gcry_err);
- }
-
- /* Merge the decrypted key material to get the candidate master key. */
- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
- grub_be_to_cpu32 (header.keyblock[i].stripes));
- if (gcry_err)
- {
- grub_free (split_key);
- return grub_crypto_gcry_error (gcry_err);
- }
-
- grub_dprintf ("luks", "candidate key recovered\n");
-
- /* Calculate the PBKDF2 of the candidate master key. */
- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
- grub_be_to_cpu32 (header.keyBytes),
- header.mkDigestSalt,
- sizeof (header.mkDigestSalt),
- grub_be_to_cpu32
- (header.mkDigestIterations),
- candidate_digest,
- sizeof (candidate_digest));
- if (gcry_err)
- {
- grub_free (split_key);
- return grub_crypto_gcry_error (gcry_err);
- }
-
- /* Compare the calculated PBKDF2 to the digest stored
- in the header to see if it's correct. */
- if (grub_memcmp (candidate_digest, header.mkDigest,
- sizeof (header.mkDigest)) != 0)
- {
- grub_dprintf ("luks", "bad digest\n");
- continue;
- }
+ {
+ /* Get the passphrase from the user. */
+ tmp = NULL;
+ if (source->partition)
+ tmp = grub_partition_get_name (source->partition);
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+ source->partition ? "," : "", tmp ? : "", dev->uuid);
+ grub_free (tmp);
+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
+ {
+ grub_free (split_key);
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+ }
+ +
+ passphrase = (grub_uint8_t *)interactive_passphrase; +---
+ passphrase_length = grub_strlen (interactive_passphrase); + grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------
+ 1 file changed, 143 insertions(+), 135 deletions(-)
- /* TRANSLATORS: It's a cryptographic key slot: one element of an array
- where each element is either empty or holds a key. */
- grub_printf_ (N_("Slot %d opened\n"), i);
+ }
- /* Set the master key. */
- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
- if (gcry_err)
- {
- grub_free (split_key);
- return grub_crypto_gcry_error (gcry_err);
- }
+ /* Try to recover master key from each active keyslot. */
+ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
+ {
+ gcry_err_code_t gcry_err;
+ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
+ +
+ /* Check if keyslot is enabled. */ +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) +index 588236888..11e437edb 100644
+ continue; +--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+
+ static grub_err_t
+ luks_recover_key (grub_disk_t source,
+- grub_cryptodisk_t dev,
+- grub_file_t hdr,
+- grub_uint8_t *keyfile_bytes,
+- grub_size_t keyfile_bytes_size)
++ grub_cryptodisk_t dev,
++ grub_file_t hdr,
++ grub_uint8_t *keyfile_bytes,
++ grub_size_t keyfile_bytes_size)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source,
+ grub_size_t max_stripes = 1;
+ char *tmp;
+ grub_uint32_t sector;
++ unsigned attempts = 2;
+
+ err = GRUB_ERR_NONE;
+
+@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source,
+
+ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
+ if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED
+- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
++ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
+ max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
+
+ split_key = grub_malloc (keysize * max_stripes);
+ if (!split_key)
+ return grub_errno;
+
+- if (keyfile_bytes)
++ while (attempts)
+ {
+- /* Use bytestring from key file as passphrase */
+- passphrase = keyfile_bytes;
+- passphrase_length = keyfile_bytes_size;
+- }
+- else
+- {
+- /* Get the passphrase from the user. */
+- tmp = NULL;
+- if (source->partition)
+- tmp = grub_partition_get_name (source->partition);
+- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+- source->partition ? "," : "", tmp ? : "", dev->uuid);
+- grub_free (tmp);
+- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ if (keyfile_bytes)
+ {
+- grub_free (split_key);
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+- }
+-
+- passphrase = (grub_uint8_t *)interactive_passphrase;
+- passphrase_length = grub_strlen (interactive_passphrase);
+-
+- }
+-
+- /* Try to recover master key from each active keyslot. */
+- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
+- {
+- gcry_err_code_t gcry_err;
+- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
+-
+- /* Check if keyslot is enabled. */
+- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
+- continue;
+-
+- grub_dprintf ("luks", "Trying keyslot %d\n", i);
+-
+- /* Calculate the PBKDF2 of the user supplied passphrase. */
+- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+- passphrase_length,
+- header.keyblock[i].passwordSalt,
+- sizeof (header.keyblock[i].passwordSalt),
+- grub_be_to_cpu32 (header.keyblock[i].
+- passwordIterations),
+- digest, keysize);
+-
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- grub_dprintf ("luks", "PBKDF2 done\n");
+-
+- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
+- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
+-
+- /* Read and decrypt the key material from the disk. */
+- if (hdr)
+- {
+- grub_file_seek (hdr, sector * 512);
+- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+- err = GRUB_ERR_READ_ERROR;
++ /* Use bytestring from key file as passphrase */
++ passphrase = keyfile_bytes;
++ passphrase_length = keyfile_bytes_size;
++ keyfile_bytes = NULL; /* use it only once */
+ }
+ else
+- err = grub_disk_read (source, sector, 0, length, split_key);
+- if (err)
+- {
+- grub_free (split_key);
+- return err;
+- }
+-
+- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- /* Merge the decrypted key material to get the candidate master key. */
+- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
+- grub_be_to_cpu32 (header.keyblock[i].stripes));
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- grub_dprintf ("luks", "candidate key recovered\n");
+-
+- /* Calculate the PBKDF2 of the candidate master key. */
+- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
+- grub_be_to_cpu32 (header.keyBytes),
+- header.mkDigestSalt,
+- sizeof (header.mkDigestSalt),
+- grub_be_to_cpu32
+- (header.mkDigestIterations),
+- candidate_digest,
+- sizeof (candidate_digest));
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- /* Compare the calculated PBKDF2 to the digest stored
+- in the header to see if it's correct. */
+- if (grub_memcmp (candidate_digest, header.mkDigest,
+- sizeof (header.mkDigest)) != 0)
+- {
+- grub_dprintf ("luks", "bad digest\n");
+- continue;
+- }
++ {
++ /* Get the passphrase from the user. */
++ tmp = NULL;
++ if (source->partition)
++ tmp = grub_partition_get_name (source->partition);
++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++ source->partition ? "," : "", tmp ? : "", dev->uuid);
++ grub_free (tmp);
++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ {
++ grub_free (split_key);
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ }
++
++ passphrase = (grub_uint8_t *)interactive_passphrase;
++ passphrase_length = grub_strlen (interactive_passphrase);
+
+- /* TRANSLATORS: It's a cryptographic key slot: one element of an array
+- where each element is either empty or holds a key. */
+- grub_printf_ (N_("Slot %d opened\n"), i);
++ }
+
+- /* Set the master key. */
+- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
++ /* Try to recover master key from each active keyslot. */
++ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
++ {
++ gcry_err_code_t gcry_err;
++ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
++ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
++
++ /* Check if keyslot is enabled. */
++ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
++ continue;
++
++ grub_dprintf ("luks", "Trying keyslot %d\n", i);
++
++ /* Calculate the PBKDF2 of the user supplied passphrase. */
++ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
++ passphrase_length,
++ header.keyblock[i].passwordSalt,
++ sizeof (header.keyblock[i].passwordSalt),
++ grub_be_to_cpu32 (header.keyblock[i].
++ passwordIterations),
++ digest, keysize);
++
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ grub_dprintf ("luks", "PBKDF2 done\n");
++
++ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
++ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
++
++ /* Read and decrypt the key material from the disk. */
++ if (hdr)
++ {
++ grub_file_seek (hdr, sector * 512);
++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (source, sector, 0, length, split_key);
++ if (err)
++ {
++ grub_free (split_key);
++ return err;
++ }
++
++ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ /* Merge the decrypted key material to get the candidate master key. */
++ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
++ grub_be_to_cpu32 (header.keyblock[i].stripes));
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ grub_dprintf ("luks", "candidate key recovered\n");
++
++ /* Calculate the PBKDF2 of the candidate master key. */
++ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
++ grub_be_to_cpu32 (header.keyBytes),
++ header.mkDigestSalt,
++ sizeof (header.mkDigestSalt),
++ grub_be_to_cpu32
++ (header.mkDigestIterations),
++ candidate_digest,
++ sizeof (candidate_digest));
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ /* Compare the calculated PBKDF2 to the digest stored
++ in the header to see if it's correct. */
++ if (grub_memcmp (candidate_digest, header.mkDigest,
++ sizeof (header.mkDigest)) != 0)
++ {
++ grub_dprintf ("luks", "bad digest\n");
++ continue;
++ }
++
++ /* TRANSLATORS: It's a cryptographic key slot: one element of an array
++ where each element is either empty or holds a key. */
++ grub_printf_ (N_("Slot %d opened\n"), i);
++
++ /* Set the master key. */
++ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
+
+- grub_free (split_key);
++ grub_free (split_key);
+
+- return GRUB_ERR_NONE;
++ return GRUB_ERR_NONE;
++ }
++ grub_printf_ (N_("Failed to decrypt master key.\n"));
++ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts,
++ (attempts==1) ? "" : "s");
+ }
+
+ grub_free (split_key);
+--
+2.16.2
+ +
+ grub_dprintf ("luks", "Trying keyslot %d\n", i);
+
+ /* Calculate the PBKDF2 of the user supplied passphrase. */
+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+ passphrase_length,
+ header.keyblock[i].passwordSalt,
+ sizeof (header.keyblock[i].passwordSalt),
+ grub_be_to_cpu32 (header.keyblock[i].
+ passwordIterations),
+ digest, keysize);
+
+ if (gcry_err)
+ {
+ grub_free (split_key);
+ return grub_crypto_gcry_error (gcry_err);
+ }
+
+ grub_dprintf ("luks", "PBKDF2 done\n");
+
+ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
+ if (gcry_err)
+ {
+ grub_free (split_key);
+ return grub_crypto_gcry_error (gcry_err);
+ }
+
+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
+ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
+
+ /* Read and decrypt the key material from the disk. */
+ if (hdr)
+ {
+ grub_file_seek (hdr, sector * 512);
+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+ err = GRUB_ERR_READ_ERROR;
+ }
+ else
+ err = grub_disk_read (source, sector, 0, length, split_key);
+ if (err)
+ {
+ grub_free (split_key);
+ return err;
+ }
+
+ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
+ if (gcry_err)
+ {
+ grub_free (split_key);
+ return grub_crypto_gcry_error (gcry_err);
+ }
+
+ /* Merge the decrypted key material to get the candidate master key. */
+ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
+ grub_be_to_cpu32 (header.keyblock[i].stripes));
+ if (gcry_err)
+ {
+ grub_free (split_key);
+ return grub_crypto_gcry_error (gcry_err);
+ }
+
+ grub_dprintf ("luks", "candidate key recovered\n");
+
+ /* Calculate the PBKDF2 of the candidate master key. */
+ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
+ grub_be_to_cpu32 (header.keyBytes),
+ header.mkDigestSalt,
+ sizeof (header.mkDigestSalt),
+ grub_be_to_cpu32
+ (header.mkDigestIterations),
+ candidate_digest,
+ sizeof (candidate_digest));
+ if (gcry_err)
+ {
+ grub_free (split_key);
+ return grub_crypto_gcry_error (gcry_err);
+ }
+
+ /* Compare the calculated PBKDF2 to the digest stored
+ in the header to see if it's correct. */
+ if (grub_memcmp (candidate_digest, header.mkDigest,
+ sizeof (header.mkDigest)) != 0)
+ {
+ grub_dprintf ("luks", "bad digest\n");
+ continue;
+ }
+
+ /* TRANSLATORS: It's a cryptographic key slot: one element of an array
+ where each element is either empty or holds a key. */
+ grub_printf_ (N_("Slot %d opened\n"), i);
+
+ /* Set the master key. */
+ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
+ if (gcry_err)
+ {
+ grub_free (split_key);
+ return grub_crypto_gcry_error (gcry_err);
+ }
- grub_free (split_key);
+ grub_free (split_key);
- return GRUB_ERR_NONE;
+ return GRUB_ERR_NONE;
+ }
+ grub_printf_ (N_("Failed to decrypt master key.\n"));
+ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts,
+ (attempts==1) ? "" : "s");
}
grub_free (split_key);
--
2.1.2

1286
helpers/DATA/grub2/0004-Cryptomount-support-plain-dm-crypt.patch
View file

File diff suppressed because it is too large Load diff

246
helpers/DATA/grub2/0005-Cryptomount-support-for-hyphens-in-UUID.patch
View file

@ -1,122 +1,128 @@
From f723c22cb7d8a5a6633eaa0682e024e667fb581a Mon Sep 17 00:00:00 2001 diff --git a/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/0005-Cryptomount-support-for-hyphens-in-UUID.patch
From: John Lane <john@lane.uk.net> new file mode 100644
Date: Fri, 26 Jun 2015 22:48:03 +0100 index 00000000000..f6ed18a66d7
Subject: [PATCH 5/5] Cryptomount support for hyphens in UUID --- /dev/null
+++ b/0005-Cryptomount-support-for-hyphens-in-UUID.patch
--- @@ -0,0 +1,122 @@
grub-core/disk/cryptodisk.c | 20 +++++++++++++++++--- +From 0939fef502c4b97d1facc7972a54d5dfeba4ab71 Mon Sep 17 00:00:00 2001
grub-core/disk/luks.c | 26 ++++++++------------------ +From: John Lane <john@lane.uk.net>
include/grub/cryptodisk.h | 2 ++ +Date: Fri, 26 Jun 2015 22:48:03 +0100
3 files changed, 27 insertions(+), 21 deletions(-) +Subject: [PATCH 5/7] Cryptomount support for hyphens in UUID
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index cd5cfc9..d36d16b 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -113,6 +113,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b)
}
}
+int
+grub_cryptodisk_uuidcmp(const char *uuid_a, const char *uuid_b)
+{
+ while ((*uuid_a != '\0') && (*uuid_b != '\0'))
+ {
+ while (*uuid_a == '-') uuid_a++;
+ while (*uuid_b == '-') uuid_b++;
+ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break;
+ uuid_a++;
+ uuid_b++;
+ }
+ return (*uuid_a == '\0') && (*uuid_b == '\0');
+}
+ +
static gcry_err_code_t +---
grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher, + grub-core/disk/cryptodisk.c | 20 +++++++++++++++++---
void *out, void *in, grub_size_t size, + grub-core/disk/luks.c | 26 ++++++++------------------
@@ -507,8 +521,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk) + include/grub/cryptodisk.h | 2 ++
if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0) + 3 files changed, 27 insertions(+), 21 deletions(-)
{ +
for (dev = cryptodisk_list; dev != NULL; dev = dev->next) +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0) +index 7f656f75c..c442d3a34 100644
- break; +--- a/grub-core/disk/cryptodisk.c
+ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid)) ++++ b/grub-core/disk/cryptodisk.c
+ break; +@@ -114,6 +114,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b)
} + }
else + }
{ +
@@ -739,7 +753,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid) ++int
{ ++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b)
grub_cryptodisk_t dev; ++{
for (dev = cryptodisk_list; dev != NULL; dev = dev->next) ++ while ((*uuid_a != '\0') && (*uuid_b != '\0'))
- if (grub_strcasecmp (dev->uuid, uuid) == 0) ++ {
+ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid)) ++ while (*uuid_a == '-') uuid_a++;
return dev; ++ while (*uuid_b == '-') uuid_b++;
return NULL; ++ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break;
} ++ uuid_a++;
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c ++ uuid_b++;
index 4ebe21b..80a7606 100644 ++ }
--- a/grub-core/disk/luks.c ++ return (*uuid_a == '\0') && (*uuid_b == '\0');
+++ b/grub-core/disk/luks.c ++}
@@ -68,9 +68,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, ++
int check_boot, grub_file_t hdr) + static gcry_err_code_t
{ + grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher,
grub_cryptodisk_t newdev; + void *out, void *in, grub_size_t size,
- const char *iptr; +@@ -509,8 +523,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk)
struct grub_luks_phdr header; + if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0)
- char *optr; + {
char uuid[sizeof (header.uuid) + 1]; + for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
char ciphername[sizeof (header.cipherName) + 1]; +- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0)
char ciphermode[sizeof (header.cipherMode) + 1]; +- break;
@@ -104,22 +102,6 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, ++ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid))
|| grub_be_to_cpu16 (header.version) != 1) ++ break;
return NULL; + }
+ else
- optr = uuid; + {
- for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)]; +@@ -742,7 +756,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid)
- iptr++) + {
- { + grub_cryptodisk_t dev;
- if (*iptr != '-') + for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
- *optr++ = *iptr; +- if (grub_strcasecmp (dev->uuid, uuid) == 0)
- } ++ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid))
- *optr = 0; + return dev;
- + return NULL;
- if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0) + }
- { +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
- grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); +index 4ebe21b4e..80a760670 100644
- return NULL; +--- a/grub-core/disk/luks.c
- } ++++ b/grub-core/disk/luks.c
- +@@ -68,9 +68,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
- + int check_boot, grub_file_t hdr)
/* Make sure that strings are null terminated. */ + {
grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName)); + grub_cryptodisk_t newdev;
ciphername[sizeof (header.cipherName)] = 0; +- const char *iptr;
@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + struct grub_luks_phdr header;
ciphermode[sizeof (header.cipherMode)] = 0; +- char *optr;
grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); + char uuid[sizeof (header.uuid) + 1];
hashspec[sizeof (header.hashSpec)] = 0; + char ciphername[sizeof (header.cipherName) + 1];
+ grub_memcpy (uuid, header.uuid, sizeof (header.uuid)); + char ciphermode[sizeof (header.cipherMode) + 1];
+ uuid[sizeof (header.uuid)] = 0; +@@ -104,22 +102,6 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ || grub_be_to_cpu16 (header.version) != 1)
+ return NULL;
+
+- optr = uuid;
+- for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)];
+- iptr++)
+- {
+- if (*iptr != '-')
+- *optr++ = *iptr;
+- }
+- *optr = 0;
+-
+- if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0)
+- {
+- grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
+- return NULL;
+- }
+-
+-
+ /* Make sure that strings are null terminated. */
+ grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
+ ciphername[sizeof (header.cipherName)] = 0;
+@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ ciphermode[sizeof (header.cipherMode)] = 0;
+ grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
+ hashspec[sizeof (header.hashSpec)] = 0;
++ grub_memcpy (uuid, header.uuid, sizeof (header.uuid));
++ uuid[sizeof (header.uuid)] = 0;
++
++ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid))
++ {
++ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
++ return NULL;
++ }
+
+ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
+
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index bb25ab730..01c02696e 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -168,4 +168,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
+ grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
+ char *ciphername, char *ciphermode, char *digest);
+
++int
++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b);
+ #endif
+--
+2.16.2
+ +
+ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid))
+ {
+ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
+ return NULL;
+ }
newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index 4076412..a564f2c 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -167,4 +167,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
char *ciphername, char *ciphermode, char *digest);
+int
+grub_cryptodisk_uuidcmp(const char *uuid_a, const char *uuid_b);
#endif
--
2.1.2

114
helpers/DATA/grub2/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch Normal file
View file

@ -0,0 +1,114 @@
diff --git a/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch
new file mode 100644
index 00000000000..49750f84aca
--- /dev/null
+++ b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch
@@ -0,0 +1,108 @@
+From 908f4282cc934422923ff59836a835e63d6a7117 Mon Sep 17 00:00:00 2001
+From: Paul Gideon Dann <pdgiddie@gmail.com>
+Date: Tue, 19 Jul 2016 12:36:37 +0100
+Subject: [PATCH] Add support for using a whole device as a keyfile
+
+---
+ grub-core/disk/cryptodisk.c | 86 +++++++++++++++++++++++++++++--------
+ 1 file changed, 68 insertions(+), 18 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index d0388c6d1..c5d8021ba 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -1031,26 +1031,76 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ else
+ {
+ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
+- keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
+- GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
+-
+- keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
+- if (!keyfile)
+- grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
+- else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+- grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
+- else
++
++ if (grub_strchr (state[4].arg, '/'))
+ {
+- keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
+- if (keyfile_size == (grub_size_t)-1)
+- grub_printf (N_("Error reading key file\n"));
+- else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
+- grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
+- (unsigned long long) requested_keyfile_size,
+- (unsigned long long) keyfile_size);
++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
++ if (!keyfile)
++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
+ else
+- key = keyfile_buffer;
+- }
++ {
++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
++ if (keyfile_size == (grub_size_t)-1)
++ grub_printf (N_("Error reading key file\n"));
++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
++ (unsigned long long) requested_keyfile_size,
++ (unsigned long long) keyfile_size);
++ else
++ key = keyfile_buffer;
++ }
++ }
++ else
++ {
++ grub_disk_t keydisk;
++ char* keydisk_name;
++ grub_err_t err;
++ grub_uint64_t total_sectors;
++
++ keydisk_name = grub_file_get_device_name(state[4].arg);
++ keydisk = grub_disk_open (keydisk_name);
++ if (!keydisk)
++ {
++ grub_printf (N_("Unable to open disk %s\n"), keydisk_name);
++ goto cleanup_keydisk_name;
++ }
++
++ total_sectors = grub_disk_get_size (keydisk);
++ if (total_sectors == GRUB_DISK_SIZE_UNKNOWN)
++ {
++ grub_printf (N_("Unable to determine size of disk %s\n"), keydisk_name);
++ goto cleanup_keydisk;
++ }
++
++ keyfile_size = (total_sectors << GRUB_DISK_SECTOR_BITS);
++ if (requested_keyfile_size > 0 && requested_keyfile_size < keyfile_size)
++ keyfile_size = requested_keyfile_size;
++ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
++ {
++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
++ goto cleanup_keydisk;
++ }
++
++ err = grub_disk_read (keydisk, 0, keyfile_offset, keyfile_size, keyfile_buffer);
++ if (err != GRUB_ERR_NONE)
++ {
++ grub_printf (N_("Failed to read from disk %s\n"), keydisk_name);
++ keyfile_size = 0;
++ goto cleanup_keydisk;
++ }
++
++ key = keyfile_buffer;
++
++ cleanup_keydisk:
++ grub_disk_close (keydisk);
++ cleanup_keydisk_name:
++ grub_free (keydisk_name);
++ }
+ }
+ }
+

111
helpers/DATA/grub2/0007-Add-support-for-using-a-whole-device-as-a-keyfile.patch
View file

@ -1,111 +0,0 @@
From ef720d0d44b8d97a83950ced0df1ce1bcf8cd988 Mon Sep 17 00:00:00 2001
From: Paul Gideon Dann <pdgiddie@gmail.com>
Date: Tue, 19 Jul 2016 12:36:37 +0100
Subject: [PATCH 7/7] Add support for using a whole device as a keyfile
---
grub-core/disk/cryptodisk.c | 86 +++++++++++++++++++++++++++++++++++----------
1 file changed, 68 insertions(+), 18 deletions(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6fc2c23aa..a8937e5e3 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1032,26 +1032,76 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
else
{
keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
- keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
- GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
-
- keyfile = grub_file_open (state[4].arg);
- if (!keyfile)
- grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
- else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
- grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
- else
+
+ if (grub_strchr (state[4].arg, '/'))
{
- keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
- if (keyfile_size == (grub_size_t)-1)
- grub_printf (N_("Error reading key file\n"));
- else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
- grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
- (unsigned long long) requested_keyfile_size,
- (unsigned long long) keyfile_size);
+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
+ keyfile = grub_file_open (state[4].arg);
+ if (!keyfile)
+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
else
- key = keyfile_buffer;
- }
+ {
+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
+ if (keyfile_size == (grub_size_t)-1)
+ grub_printf (N_("Error reading key file\n"));
+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
+ (unsigned long long) requested_keyfile_size,
+ (unsigned long long) keyfile_size);
+ else
+ key = keyfile_buffer;
+ }
+ }
+ else
+ {
+ grub_disk_t keydisk;
+ char* keydisk_name;
+ grub_err_t err;
+ grub_uint64_t total_sectors;
+
+ keydisk_name = grub_file_get_device_name(state[4].arg);
+ keydisk = grub_disk_open (keydisk_name);
+ if (!keydisk)
+ {
+ grub_printf (N_("Unable to open disk %s\n"), keydisk_name);
+ goto cleanup_keydisk_name;
+ }
+
+ total_sectors = grub_disk_get_size (keydisk);
+ if (total_sectors == GRUB_DISK_SIZE_UNKNOWN)
+ {
+ grub_printf (N_("Unable to determine size of disk %s\n"), keydisk_name);
+ goto cleanup_keydisk;
+ }
+
+ keyfile_size = (total_sectors << GRUB_DISK_SECTOR_BITS);
+ if (requested_keyfile_size > 0 && requested_keyfile_size < keyfile_size)
+ keyfile_size = requested_keyfile_size;
+ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+ {
+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+ goto cleanup_keydisk;
+ }
+
+ err = grub_disk_read (keydisk, 0, keyfile_offset, keyfile_size, keyfile_buffer);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_printf (N_("Failed to read from disk %s\n"), keydisk_name);
+ keyfile_size = 0;
+ goto cleanup_keydisk;
+ }
+
+ key = keyfile_buffer;
+
+ cleanup_keydisk:
+ grub_disk_close (keydisk);
+ cleanup_keydisk_name:
+ grub_free (keydisk_name);
+ }
}
}
--
2.16.2

6
helpers/make-grub2
View file

@ -2,6 +2,7 @@
# #
# Copyright (C) 2011-2017 Ruben Rodriguez <ruben@trisquel.info> # Copyright (C) 2011-2017 Ruben Rodriguez <ruben@trisquel.info>
# Copyright (C) 2019 Mason Hock <mason@masonhock.com> # Copyright (C) 2019 Mason Hock <mason@masonhock.com>
# Copyright (C) 2021 Luis Guzman <ark@switnet.org>
# #
# This program is free software; you can redistribute it and/or modify # This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
@ -24,6 +25,7 @@ COMPONENT=main
. ./config . ./config
# http://grub.johnlane.ie/ # http://grub.johnlane.ie/
## updated to 2.04-1 on https://aur.archlinux.org/packages/grub-luks-keyfile/
for i in $DATA/*.patch; do for i in $DATA/*.patch; do
echo Applying patch $i echo Applying patch $i
patch -p1 < $i patch -p1 < $i
@ -33,13 +35,13 @@ done
#sed '/dosfstools/d' -i debian/control #sed '/dosfstools/d' -i debian/control
sed '/mkfs.minix/s/-B $BLKSIZE//g' -i tests/util/grub-fs-tester.in sed '/mkfs.minix/s/-B $BLKSIZE//g' -i tests/util/grub-fs-tester.in
for i in install_efi_ubuntu_flavours.patch mkconfig_ubuntu_distributor.patch; do for i in install-efi-ubuntu-flavours.patch mkconfig-ubuntu-distributor.patch; do
rm debian/patches/$i rm debian/patches/$i
sed /$i/d debian/patches/series -i sed /$i/d debian/patches/series -i
done done
#Allow passwords https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1311302 #Allow passwords https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1311302
/bin/sed '/CLASS=/s/class os/class os --unrestricted/' -i util/grub.d/* debian/patches/mkconfig_other_inits.patch /bin/sed '/CLASS=/s/class os/class os --unrestricted/' -i util/grub.d/* debian/patches/mkconfig-other-inits.patch
replace "with Linux" "with Linux-Libre" util replace "with Linux" "with Linux-Libre" util
replace "with Linux" "with Linux-Libre" debian replace "with Linux" "with Linux-Libre" debian