14793c1f96
- Add tpm, tpm2, luks2 and gcry_sha512 to default grub.efi (bsc#1197625) - Make grub-tpm.efi a symlink to grub.efi * grub2.spec - Log error when tpm event log is full and continue * 0001-tpm-Log-EFI_VOLUME_FULL-and-continue.patch - Patch superseded * 0001-tpm-Pass-unknown-error-as-non-fatal-but-debug-print-.patch - Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668) * 0001-luks2-Add-debug-message-to-align-with-luks-and-geli-.patch * 0002-cryptodisk-Refactor-to-discard-have_it-global.patch * 0003-cryptodisk-Return-failure-in-cryptomount-when-no-cry.patch * 0004-cryptodisk-Improve-error-messaging-in-cryptomount-in.patch * 0005-cryptodisk-Improve-cryptomount-u-error-message.patch * 0006-cryptodisk-Add-infrastructure-to-pass-data-from-cryp.patch * 0007-cryptodisk-Refactor-password-input-out-of-crypto-dev.patch * 0008-cryptodisk-Move-global-variables-into-grub_cryptomou.patch * 0009-cryptodisk-Improve-handling-of-partition-name-in-cry.patch * 0010-protectors-Add-key-protectors-framework.patch * 0011-tpm2-Add-TPM-Software-Stack-TSS.patch * 0012-protectors-Add-TPM2-Key-Protector.patch * 0013-cryptodisk-Support-key-protectors.patch * 0014-util-grub-protect-Add-new-tool.patch - Fix no disk unlocking happen (bsc#1196668) * 0001-crytodisk-fix-cryptodisk-module-looking-up.patch - Fix build error * fix-tpm2-build.patch OBS-URL: https://build.opensuse.org/request/show/992180 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=417
253 lines
8.7 KiB
Diff
253 lines
8.7 KiB
Diff
From 0a5619abd170b3ad43e44cb8036062506d8623cc Mon Sep 17 00:00:00 2001
|
|
From: Glenn Washburn <development@efficientek.com>
|
|
Date: Thu, 9 Dec 2021 11:14:55 -0600
|
|
Subject: [PATCH 06/14] cryptodisk: Add infrastructure to pass data from
|
|
cryptomount to cryptodisk modules
|
|
|
|
Previously, the cryptomount arguments were passed by global variable and
|
|
function call argument, neither of which are ideal. This change passes data
|
|
via a grub_cryptomount_args struct, which can be added to over time as
|
|
opposed to continually adding arguments to the cryptodisk scan and
|
|
recover_key.
|
|
|
|
As an example, passing a password as a cryptomount argument is implemented.
|
|
However, the backends are not implemented, so testing this will return a not
|
|
implemented error.
|
|
|
|
Also, add comments to cryptomount argument parsing to make it more obvious
|
|
which argument states are being handled.
|
|
|
|
Signed-off-by: Glenn Washburn <development@efficientek.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/disk/cryptodisk.c | 31 +++++++++++++++++++++----------
|
|
grub-core/disk/geli.c | 6 +++++-
|
|
grub-core/disk/luks.c | 7 ++++++-
|
|
grub-core/disk/luks2.c | 7 ++++++-
|
|
include/grub/cryptodisk.h | 9 ++++++++-
|
|
5 files changed, 46 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
|
|
index 5a9780b14c..14c661a86e 100644
|
|
--- a/grub-core/disk/cryptodisk.c
|
|
+++ b/grub-core/disk/cryptodisk.c
|
|
@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
|
|
/* TRANSLATORS: It's still restricted to cryptodisks only. */
|
|
{"all", 'a', 0, N_("Mount all."), 0, 0},
|
|
{"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
|
|
+ {"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING},
|
|
{0, 0, 0, 0, 0, 0}
|
|
};
|
|
|
|
@@ -996,7 +997,9 @@ cryptodisk_close (grub_cryptodisk_t dev)
|
|
}
|
|
|
|
static grub_cryptodisk_t
|
|
-grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
|
|
+grub_cryptodisk_scan_device_real (const char *name,
|
|
+ grub_disk_t source,
|
|
+ grub_cryptomount_args_t cargs)
|
|
{
|
|
grub_err_t err;
|
|
grub_cryptodisk_t dev;
|
|
@@ -1015,7 +1018,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
|
|
if (!dev)
|
|
continue;
|
|
|
|
- err = cr->recover_key (source, dev);
|
|
+ err = cr->recover_key (source, dev, cargs);
|
|
if (err)
|
|
{
|
|
cryptodisk_close (dev);
|
|
@@ -1080,11 +1083,12 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
|
|
|
|
static int
|
|
grub_cryptodisk_scan_device (const char *name,
|
|
- void *data __attribute__ ((unused)))
|
|
+ void *data)
|
|
{
|
|
int ret = 0;
|
|
grub_disk_t source;
|
|
grub_cryptodisk_t dev;
|
|
+ grub_cryptomount_args_t cargs = data;
|
|
grub_errno = GRUB_ERR_NONE;
|
|
|
|
/* Try to open disk. */
|
|
@@ -1095,7 +1099,7 @@ grub_cryptodisk_scan_device (const char *name,
|
|
return 0;
|
|
}
|
|
|
|
- dev = grub_cryptodisk_scan_device_real (name, source);
|
|
+ dev = grub_cryptodisk_scan_device_real (name, source, cargs);
|
|
if (dev)
|
|
{
|
|
ret = (search_uuid != NULL && grub_strcasecmp (search_uuid, dev->uuid) == 0);
|
|
@@ -1124,6 +1128,7 @@ static grub_err_t
|
|
grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
|
|
{
|
|
struct grub_arg_list *state = ctxt->state;
|
|
+ struct grub_cryptomount_args cargs = {0};
|
|
|
|
if (argc < 1 && !state[1].set && !state[2].set)
|
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
|
|
@@ -1131,7 +1136,13 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
|
|
if (grub_cryptodisk_list == NULL)
|
|
return grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk modules loaded");
|
|
|
|
- if (state[0].set)
|
|
+ if (state[3].set) /* password */
|
|
+ {
|
|
+ cargs.key_data = (grub_uint8_t *) state[3].arg;
|
|
+ cargs.key_len = grub_strlen (state[3].arg);
|
|
+ }
|
|
+
|
|
+ if (state[0].set) /* uuid */
|
|
{
|
|
int found_uuid;
|
|
grub_cryptodisk_t dev;
|
|
@@ -1146,7 +1157,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
|
|
|
|
check_boot = state[2].set;
|
|
search_uuid = args[0];
|
|
- found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, NULL);
|
|
+ found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
|
|
search_uuid = NULL;
|
|
|
|
if (found_uuid)
|
|
@@ -1163,11 +1174,11 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
|
|
}
|
|
return grub_errno;
|
|
}
|
|
- else if (state[1].set || (argc == 0 && state[2].set))
|
|
+ else if (state[1].set || (argc == 0 && state[2].set)) /* -a|-b */
|
|
{
|
|
search_uuid = NULL;
|
|
check_boot = state[2].set;
|
|
- grub_device_iterate (&grub_cryptodisk_scan_device, NULL);
|
|
+ grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
|
|
search_uuid = NULL;
|
|
return GRUB_ERR_NONE;
|
|
}
|
|
@@ -1208,7 +1219,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
|
|
return GRUB_ERR_NONE;
|
|
}
|
|
|
|
- dev = grub_cryptodisk_scan_device_real (diskname, disk);
|
|
+ dev = grub_cryptodisk_scan_device_real (diskname, disk, &cargs);
|
|
|
|
grub_disk_close (disk);
|
|
if (disklast)
|
|
@@ -1347,7 +1358,7 @@ GRUB_MOD_INIT (cryptodisk)
|
|
{
|
|
grub_disk_dev_register (&grub_cryptodisk_dev);
|
|
cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
|
|
- N_("SOURCE|-u UUID|-a|-b"),
|
|
+ N_("[-p password] <SOURCE|-u UUID|-a|-b>"),
|
|
N_("Mount a crypto device."), options);
|
|
grub_procfs_register ("luks_script", &luks_script);
|
|
}
|
|
diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
|
|
index 2f34a35e6b..777da3a055 100644
|
|
--- a/grub-core/disk/geli.c
|
|
+++ b/grub-core/disk/geli.c
|
|
@@ -398,7 +398,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
|
|
}
|
|
|
|
static grub_err_t
|
|
-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
|
|
+recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_cryptomount_args_t cargs)
|
|
{
|
|
grub_size_t keysize;
|
|
grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
|
|
@@ -414,6 +414,10 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
|
|
grub_disk_addr_t sector;
|
|
grub_err_t err;
|
|
|
|
+ /* Keyfiles are not implemented yet */
|
|
+ if (cargs->key_data != NULL || cargs->key_len)
|
|
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
|
|
+
|
|
if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE)
|
|
return grub_error (GRUB_ERR_BUG, "cipher block is too long");
|
|
|
|
diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
|
|
index 13103ea6a2..c5858fcf8a 100644
|
|
--- a/grub-core/disk/luks.c
|
|
+++ b/grub-core/disk/luks.c
|
|
@@ -152,7 +152,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
|
|
|
|
static grub_err_t
|
|
luks_recover_key (grub_disk_t source,
|
|
- grub_cryptodisk_t dev)
|
|
+ grub_cryptodisk_t dev,
|
|
+ grub_cryptomount_args_t cargs)
|
|
{
|
|
struct grub_luks_phdr header;
|
|
grub_size_t keysize;
|
|
@@ -165,6 +166,10 @@ luks_recover_key (grub_disk_t source,
|
|
grub_size_t max_stripes = 1;
|
|
char *tmp;
|
|
|
|
+ /* Keyfiles are not implemented yet */
|
|
+ if (cargs->key_data != NULL || cargs->key_len)
|
|
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
|
|
+
|
|
err = grub_disk_read (source, 0, 0, sizeof (header), &header);
|
|
if (err)
|
|
return err;
|
|
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
|
|
index fea196dd4a..2cbec8acc2 100644
|
|
--- a/grub-core/disk/luks2.c
|
|
+++ b/grub-core/disk/luks2.c
|
|
@@ -545,7 +545,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
|
|
|
|
static grub_err_t
|
|
luks2_recover_key (grub_disk_t source,
|
|
- grub_cryptodisk_t crypt)
|
|
+ grub_cryptodisk_t crypt,
|
|
+ grub_cryptomount_args_t cargs)
|
|
{
|
|
grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
|
|
char passphrase[MAX_PASSPHRASE], cipher[32];
|
|
@@ -559,6 +560,10 @@ luks2_recover_key (grub_disk_t source,
|
|
grub_json_t *json = NULL, keyslots;
|
|
grub_err_t ret;
|
|
|
|
+ /* Keyfiles are not implemented yet */
|
|
+ if (cargs->key_data != NULL || cargs->key_len)
|
|
+ return GRUB_ERR_NOT_IMPLEMENTED_YET;
|
|
+
|
|
ret = luks2_read_header (source, &header);
|
|
if (ret)
|
|
return ret;
|
|
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
|
|
index dcf17fbb3a..282f8ac456 100644
|
|
--- a/include/grub/cryptodisk.h
|
|
+++ b/include/grub/cryptodisk.h
|
|
@@ -66,6 +66,13 @@ typedef gcry_err_code_t
|
|
(*grub_cryptodisk_rekey_func_t) (struct grub_cryptodisk *dev,
|
|
grub_uint64_t zoneno);
|
|
|
|
+struct grub_cryptomount_args
|
|
+{
|
|
+ grub_uint8_t *key_data;
|
|
+ grub_size_t key_len;
|
|
+};
|
|
+typedef struct grub_cryptomount_args *grub_cryptomount_args_t;
|
|
+
|
|
struct grub_cryptodisk
|
|
{
|
|
struct grub_cryptodisk *next;
|
|
@@ -119,7 +126,7 @@ struct grub_cryptodisk_dev
|
|
|
|
grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
|
|
int boot_only);
|
|
- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
|
|
+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_cryptomount_args_t cargs);
|
|
};
|
|
typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
|
|
|
|
--
|
|
2.34.1
|
|
|