205 lines
7.7 KiB
Diff
205 lines
7.7 KiB
Diff
From 802a23fc503a3c09f167883f05c759471243b4d3 Mon Sep 17 00:00:00 2001
|
|
From: John Lane <john@lane.uk.net>
|
|
Date: Fri, 26 Jun 2015 13:37:10 +0100
|
|
Subject: [PATCH 2/5] Cryptomount support key files
|
|
|
|
---
|
|
grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-
|
|
grub-core/disk/geli.c | 4 +++-
|
|
grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++--------------
|
|
include/grub/cryptodisk.h | 5 ++++-
|
|
4 files changed, 82 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
|
|
index 6f596a0..a27e70c 100644
|
|
--- a/grub-core/disk/cryptodisk.c
|
|
+++ b/grub-core/disk/cryptodisk.c
|
|
@@ -41,6 +41,9 @@ static const struct grub_arg_option options[] =
|
|
{"all", 'a', 0, N_("Mount all."), 0, 0},
|
|
{"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
|
|
{"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
|
|
+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
|
|
+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
|
|
+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
|
|
{0, 0, 0, 0, 0, 0}
|
|
};
|
|
|
|
@@ -805,6 +808,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
|
|
static int check_boot, have_it;
|
|
static char *search_uuid;
|
|
static grub_file_t hdr;
|
|
+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
|
|
+static grub_size_t keyfile_size;
|
|
|
|
static void
|
|
cryptodisk_close (grub_cryptodisk_t dev)
|
|
@@ -835,7 +840,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
|
|
if (!dev)
|
|
continue;
|
|
|
|
- err = cr->recover_key (source, dev, hdr);
|
|
+ err = cr->recover_key (source, dev, hdr, key, keyfile_size);
|
|
if (err)
|
|
{
|
|
cryptodisk_close (dev);
|
|
@@ -943,6 +948,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
|
|
hdr = NULL;
|
|
|
|
have_it = 0;
|
|
+ key = NULL;
|
|
+
|
|
+ if (state[4].set) /* Key file; fails back to passphrase entry */
|
|
+ {
|
|
+ grub_file_t keyfile;
|
|
+ int keyfile_offset;
|
|
+ grub_size_t requested_keyfile_size;
|
|
+
|
|
+ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0;
|
|
+
|
|
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
|
|
+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
|
|
+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
|
|
+ else
|
|
+ {
|
|
+ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
|
|
+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
|
|
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
|
|
+
|
|
+ keyfile = grub_file_open (state[4].arg);
|
|
+ if (!keyfile)
|
|
+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
|
|
+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
|
|
+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
|
|
+ else
|
|
+ {
|
|
+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
|
|
+ if (keyfile_size == (grub_size_t)-1)
|
|
+ grub_printf (N_("Error reading key file\n"));
|
|
+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
|
|
+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
|
|
+ (unsigned long long) requested_keyfile_size,
|
|
+ (unsigned long long) keyfile_size);
|
|
+ else
|
|
+ key = keyfile_buffer;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
if (state[0].set)
|
|
{
|
|
grub_cryptodisk_t dev;
|
|
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
|
|
index f4394eb..da6aa6a 100644
|
|
--- a/grub-core/disk/geli.c
|
|
+++ b/grub-core/disk/geli.c
|
|
@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
|
|
|
|
static grub_err_t
|
|
recover_key (grub_disk_t source, grub_cryptodisk_t dev,
|
|
- grub_file_t hdr __attribute__ ((unused)) )
|
|
+ grub_file_t hdr __attribute__ ((unused)),
|
|
+ grub_uint8_t *key __attribute__ ((unused)),
|
|
+ grub_size_t keyfile_size __attribute__ ((unused)) )
|
|
{
|
|
grub_size_t keysize;
|
|
grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
|
|
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
|
|
index 66e64c0..5882368 100644
|
|
--- a/grub-core/disk/luks.c
|
|
+++ b/grub-core/disk/luks.c
|
|
@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
|
|
static grub_err_t
|
|
luks_recover_key (grub_disk_t source,
|
|
grub_cryptodisk_t dev,
|
|
- grub_file_t hdr)
|
|
+ grub_file_t hdr,
|
|
+ grub_uint8_t *keyfile_bytes,
|
|
+ grub_size_t keyfile_bytes_size)
|
|
{
|
|
struct grub_luks_phdr header;
|
|
grub_size_t keysize;
|
|
grub_uint8_t *split_key = NULL;
|
|
- char passphrase[MAX_PASSPHRASE] = "";
|
|
+ char interactive_passphrase[MAX_PASSPHRASE] = "";
|
|
+ grub_uint8_t *passphrase;
|
|
+ grub_size_t passphrase_length;
|
|
grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
|
|
unsigned i;
|
|
grub_size_t length;
|
|
@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source,
|
|
if (!split_key)
|
|
return grub_errno;
|
|
|
|
- /* Get the passphrase from the user. */
|
|
- tmp = NULL;
|
|
- if (source->partition)
|
|
- tmp = grub_partition_get_name (source->partition);
|
|
- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
|
|
- source->partition ? "," : "", tmp ? : "",
|
|
- dev->uuid);
|
|
- grub_free (tmp);
|
|
- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
|
|
+ if (keyfile_bytes)
|
|
{
|
|
- grub_free (split_key);
|
|
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
|
|
+ /* Use bytestring from key file as passphrase */
|
|
+ passphrase = keyfile_bytes;
|
|
+ passphrase_length = keyfile_bytes_size;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ /* Get the passphrase from the user. */
|
|
+ tmp = NULL;
|
|
+ if (source->partition)
|
|
+ tmp = grub_partition_get_name (source->partition);
|
|
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
|
|
+ source->partition ? "," : "", tmp ? : "", dev->uuid);
|
|
+ grub_free (tmp);
|
|
+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
|
|
+ {
|
|
+ grub_free (split_key);
|
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
|
|
+ }
|
|
+
|
|
+ passphrase = (grub_uint8_t *)interactive_passphrase;
|
|
+ passphrase_length = grub_strlen (interactive_passphrase);
|
|
+
|
|
}
|
|
|
|
/* Try to recover master key from each active keyslot. */
|
|
@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source,
|
|
|
|
/* Calculate the PBKDF2 of the user supplied passphrase. */
|
|
gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
|
|
- grub_strlen (passphrase),
|
|
+ passphrase_length,
|
|
header.keyblock[i].passwordSalt,
|
|
sizeof (header.keyblock[i].passwordSalt),
|
|
grub_be_to_cpu32 (header.keyblock[i].
|
|
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
|
|
index 16dee3c..0299625 100644
|
|
--- a/include/grub/cryptodisk.h
|
|
+++ b/include/grub/cryptodisk.h
|
|
@@ -55,6 +55,8 @@ typedef enum
|
|
#define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
|
|
#define GRUB_CRYPTODISK_MAX_KEYLEN 128
|
|
|
|
+#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
|
|
+
|
|
struct grub_cryptodisk;
|
|
|
|
typedef gcry_err_code_t
|
|
@@ -108,7 +110,8 @@ struct grub_cryptodisk_dev
|
|
|
|
grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
|
|
int boot_only, grub_file_t hdr);
|
|
- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
|
|
+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
|
|
+ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
|
|
};
|
|
typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
|
|
|
|
--
|
|
2.1.2
|
|
|