From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001 From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:53 -0800 Subject: [PATCH 1/5] key_protector: Add key protectors framework A key protector encapsulates functionality to retrieve an unlocking key for a fully-encrypted disk from a specific source. A key protector module registers itself with the key protectors framework when it is loaded and unregisters when unloaded. Additionally, a key protector may accept parameters that describe how it should operate. The key protectors framework, besides offering registration and unregistration functions, also offers a one-stop routine for finding and invoking a key protector by name. If a key protector with the specified name exists and if an unlocking key is successfully retrieved by it, the function returns to the caller the retrieved key and its length. Cc: Vladimir Serbinenko Signed-off-by: Hernan Gatta Signed-off-by: Gary Lin Reviewed-by: Stefan Berger --- grub-core/Makefile.am | 1 + grub-core/Makefile.core.def | 5 +++ grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++ include/grub/key_protector.h | 46 ++++++++++++++++++++ 4 files changed, 130 insertions(+) create mode 100644 grub-core/disk/key_protector.c create mode 100644 include/grub/key_protector.h diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am index f18550c1c..9d3d5f519 100644 --- a/grub-core/Makefile.am +++ b/grub-core/Makefile.am @@ -90,6 +90,7 @@ endif KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def index bc893e547..4307b8e2d 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def @@ -1302,6 +1302,11 @@ module = { common = disk/raid6_recover.c; }; +module = { + name = key_protector; + common = disk/key_protector.c; +}; + module = { name = scsi; common = disk/scsi.c; diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c new file mode 100644 index 000000000..b84afe1c7 --- /dev/null +++ b/grub-core/disk/key_protector.c @@ -0,0 +1,78 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see . + */ + +#include +#include +#include +#include +#include + +GRUB_MOD_LICENSE ("GPLv3+"); + +struct grub_key_protector *grub_key_protectors = NULL; + +grub_err_t +grub_key_protector_register (struct grub_key_protector *protector) +{ + if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0) + return GRUB_ERR_BAD_ARGUMENT; + + if (grub_key_protectors && + grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), + protector->name)) + return GRUB_ERR_BAD_ARGUMENT; + + grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors), + GRUB_AS_LIST (protector)); + + return GRUB_ERR_NONE; +} + +grub_err_t +grub_key_protector_unregister (struct grub_key_protector *protector) +{ + if (protector == NULL) + return GRUB_ERR_BAD_ARGUMENT; + + grub_list_remove (GRUB_AS_LIST (protector)); + + return GRUB_ERR_NONE; +} + +grub_err_t +grub_key_protector_recover_key (const char *protector, grub_uint8_t **key, + grub_size_t *key_size) +{ + struct grub_key_protector *kp = NULL; + + if (grub_key_protectors == NULL) + return GRUB_ERR_OUT_OF_RANGE; + + if (protector == NULL || grub_strlen (protector) == 0) + return GRUB_ERR_BAD_ARGUMENT; + + kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), + protector); + if (kp == NULL) + return grub_error (GRUB_ERR_OUT_OF_RANGE, + N_("A key protector with name '%s' could not be found. " + "Is the name spelled correctly and is the " + "corresponding module loaded?"), protector); + + return kp->recover_key (key, key_size); +} diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h new file mode 100644 index 000000000..6e6a6fb24 --- /dev/null +++ b/include/grub/key_protector.h @@ -0,0 +1,46 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see . + */ + +#ifndef GRUB_PROTECTOR_HEADER +#define GRUB_PROTECTOR_HEADER 1 + +#include +#include + +struct grub_key_protector +{ + struct grub_key_protector *next; + struct grub_key_protector **prev; + + const char *name; + + grub_err_t (*recover_key) (grub_uint8_t **key, grub_size_t *key_size); +}; + +grub_err_t +grub_key_protector_register (struct grub_key_protector *protector); + +grub_err_t +grub_key_protector_unregister (struct grub_key_protector *protector); + +grub_err_t +grub_key_protector_recover_key (const char *protector, + grub_uint8_t **key, + grub_size_t *key_size); + +#endif /* ! GRUB_PROTECTOR_HEADER */ -- 2.35.3