diff options
author | Maxim Fomin | 2022-01-06 14:54:42 +0000 |
---|---|---|
committer | Maxim Fomin | 2022-01-06 14:54:42 +0000 |
commit | 131f66d3e17e95e1a4b14412fe0e71e4a3035985 (patch) | |
tree | 85e5a89b575b1a56017775315b7b6305c6ca8858 | |
parent | e8a468d45e16d913550455bd6199179c36e04996 (diff) | |
download | aur-131f66d3e17e95e1a4b14412fe0e71e4a3035985.tar.gz |
Remove obsolete patches, use updated patches from github repo.
-rw-r--r-- | .SRCINFO | 25 | ||||
-rw-r--r-- | 0001-Cryptomount-support-LUKS-detached-header.patch | 247 | ||||
-rw-r--r-- | 0002-Cryptomount-support-key-files.patch | 205 | ||||
-rw-r--r-- | 0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch | 317 | ||||
-rw-r--r-- | 0004-Cryptomount-support-plain-dm-crypt.patch | 407 | ||||
-rw-r--r-- | 0005-Cryptomount-support-for-hyphens-in-UUID.patch | 89 | ||||
-rw-r--r-- | 0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch | 108 | ||||
-rw-r--r-- | PKGBUILD | 46 |
8 files changed, 14 insertions, 1430 deletions
@@ -1,7 +1,7 @@ pkgbase = grub-luks-keyfile-git pkgdesc = GNU GRand Unified Bootloader (2) - pkgver = 2.06rc1 - pkgrel = 2 + pkgver = 2.06 + pkgrel = 3 epoch = 2 url = https://www.gnu.org/software/grub/ arch = x86_64 @@ -44,35 +44,22 @@ pkgbase = grub-luks-keyfile-git replaces = grub-efi-x86_64 options = !makeflags backup = etc/grub.d/40_custom - source = git+https://git.savannah.gnu.org/git/grub.git + source = git+https://github.com/mxfm/grub.git source = git+https://git.savannah.gnu.org/git/grub-extras.git#commit=8a245d5c1800627af4cefa99162a89c7a46d8842 source = git+https://git.savannah.gnu.org/git/gnulib.git#commit=be584c56eb1311606e5ea1a36363b97bddb6eed3 - source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.05/unifont-13.0.05.bdf.gz - source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.05/unifont-13.0.05.bdf.gz.sig + source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.06/unifont-13.0.06.bdf.gz + source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.06/unifont-13.0.06.bdf.gz.sig source = 0001-00_header-add-GRUB_COLOR_-variables.patch source = 0002-10_linux-detect-archlinux-initramfs.patch - source = 0001-Cryptomount-support-LUKS-detached-header.patch - source = 0002-Cryptomount-support-key-files.patch - source = 0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch - source = 0004-Cryptomount-support-plain-dm-crypt.patch - source = 0005-Cryptomount-support-for-hyphens-in-UUID.patch - source = 0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch validpgpkeys = E53D497F3FA42AD8C9B4D1E835A93B74E82E4209 validpgpkeys = BE5C23209ACDDACEB20DB0A28C8189F1988C2166 validpgpkeys = 95D2E9AB8740D8046387FD151A09227B1F435A33 sha256sums = SKIP sha256sums = SKIP sha256sums = SKIP - sha256sums = c4e61e9336d8d024479ea72616722c6c47c93f76dc173e8ad3edf9f9e07c3115 + sha256sums = b7668a5d498972dc4981250c49f83601babce797be19b4fdd0f2f1c6cfbd0fc5 sha256sums = SKIP sha256sums = ef87b27e4cef6f83c41c8a1a0401f41e22a89a130baaef8c5a832a6c99bb2683 sha256sums = ce7e24acec78989169a136e989e07369def3dd7c727788d5038a255409ec3c35 - sha256sums = b9d737d1b403b540a00a8e9c25240a06bb371da7588d3e665af8543397724698 - sha256sums = 5d7060fbe9738764d2f8ebc96b43cc0bb8939c2e4e4e78b7a82a1a149ea6e837 - sha256sums = 3e373bcb7847326ae14365e7443f900559f35f4f9ba2e5e69d034f4423fc45bb - sha256sums = 9ff4aba657d3826a510c57ce44d7582c4e4c72eb32a59ffd2b09e923202750ed - sha256sums = 6f58b01eb9adcc6864e09a4ecaa728f19ee2c9a7ecf4cf20fd17fc5ec327f19c - sha256sums = 4739a472c609df2528ac30e502a9f1b77fd1517af551c6bcbd35ba57b81da827 pkgname = grub-luks-keyfile-git - diff --git a/0001-Cryptomount-support-LUKS-detached-header.patch b/0001-Cryptomount-support-LUKS-detached-header.patch deleted file mode 100644 index 65943f41b8c8..000000000000 --- a/0001-Cryptomount-support-LUKS-detached-header.patch +++ /dev/null @@ -1,247 +0,0 @@ -From 2008e08c0a511da5d454664363f452a9e26c734f Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Tue, 23 Jun 2015 11:16:30 +0100 -Subject: [PATCH 1/7] Cryptomount support LUKS detached header - ---- - grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++---- - grub-core/disk/geli.c | 7 +++++-- - grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++-------- - include/grub/cryptodisk.h | 5 +++-- - 4 files changed, 63 insertions(+), 16 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index bd60a66b3..5230a5a9a 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] = - /* TRANSLATORS: It's still restricted to cryptodisks only. */ - {"all", 'a', 0, N_("Mount all."), 0, 0}, - {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, -+ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -809,6 +810,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) - - static int check_boot, have_it; - static char *search_uuid; -+static grub_file_t hdr; - - static void - cryptodisk_close (grub_cryptodisk_t dev) -@@ -833,13 +835,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) - - FOR_CRYPTODISK_DEVS (cr) - { -- dev = cr->scan (source, search_uuid, check_boot); -+ dev = cr->scan (source, search_uuid, check_boot, hdr); - if (grub_errno) - return grub_errno; - if (!dev) - continue; - -- err = cr->recover_key (source, dev); -+ err = cr->recover_key (source, dev, hdr); - if (err) - { - cryptodisk_close (dev); -@@ -880,7 +882,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat) - - FOR_CRYPTODISK_DEVS (cr) - { -- dev = cr->scan (source, search_uuid, check_boot); -+ dev = cr->scan (source, search_uuid, check_boot,0); - if (grub_errno) - return grub_errno; - if (!dev) -@@ -934,6 +936,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - if (argc < 1 && !state[1].set && !state[2].set) - return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required"); - -+ if (state[3].set) /* LUKS detached header */ -+ { -+ if (state[0].set) /* Cannot use UUID lookup with detached header */ -+ return GRUB_ERR_BAD_ARGUMENT; -+ -+ hdr = grub_file_open (state[3].arg, GRUB_FILE_TYPE_NONE); -+ if (!hdr) -+ return grub_errno; -+ } -+ else -+ hdr = NULL; -+ - have_it = 0; - if (state[0].set) - { -@@ -1141,7 +1155,7 @@ GRUB_MOD_INIT (cryptodisk) - { - grub_disk_dev_register (&grub_cryptodisk_dev); - cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, -- N_("SOURCE|-u UUID|-a|-b"), -+ N_("SOURCE|-u UUID|-a|-b|-H file"), - N_("Mount a crypto device."), options); - grub_procfs_register ("luks_script", &luks_script); - } -diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c -index e9d23299a..f4394eb42 100644 ---- a/grub-core/disk/geli.c -+++ b/grub-core/disk/geli.c -@@ -52,6 +52,7 @@ - #include <grub/dl.h> - #include <grub/err.h> - #include <grub/disk.h> -+#include <grub/file.h> - #include <grub/crypto.h> - #include <grub/partition.h> - #include <grub/i18n.h> -@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev) - - static grub_cryptodisk_t - configure_ciphers (grub_disk_t disk, const char *check_uuid, -- int boot_only) -+ int boot_only, -+ grub_file_t hdr __attribute__ ((unused)) ) - { - grub_cryptodisk_t newdev; - struct grub_geli_phdr header; -@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - } - - static grub_err_t --recover_key (grub_disk_t source, grub_cryptodisk_t dev) -+recover_key (grub_disk_t source, grub_cryptodisk_t dev, -+ grub_file_t hdr __attribute__ ((unused)) ) - { - grub_size_t keysize; - grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 86c50c612..66e64c0e0 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -23,6 +23,7 @@ - #include <grub/dl.h> - #include <grub/err.h> - #include <grub/disk.h> -+#include <grub/file.h> - #include <grub/crypto.h> - #include <grub/partition.h> - #include <grub/i18n.h> -@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, - - static grub_cryptodisk_t - configure_ciphers (grub_disk_t disk, const char *check_uuid, -- int check_boot) -+ int check_boot, grub_file_t hdr) - { - grub_cryptodisk_t newdev; - const char *iptr; -@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - int benbi_log = 0; - grub_err_t err; - -+ err = GRUB_ERR_NONE; -+ - if (check_boot) - return NULL; - - /* Read the LUKS header. */ -- err = grub_disk_read (disk, 0, 0, sizeof (header), &header); -+ if (hdr) -+ { -+ grub_file_seek (hdr, 0); -+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (disk, 0, 0, sizeof (header), &header); -+ - if (err) - { - if (err == GRUB_ERR_OUT_OF_RANGE) -@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); - newdev->modname = "luks"; - COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); -+ - return newdev; - } - - static grub_err_t - luks_recover_key (grub_disk_t source, -- grub_cryptodisk_t dev) -+ grub_cryptodisk_t dev, -+ grub_file_t hdr) - { - struct grub_luks_phdr header; - grub_size_t keysize; -@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source, - grub_err_t err; - grub_size_t max_stripes = 1; - char *tmp; -+ grub_uint32_t sector; -+ -+ err = GRUB_ERR_NONE; -+ -+ if (hdr) -+ { -+ grub_file_seek (hdr, 0); -+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (source, 0, 0, sizeof (header), &header); - -- err = grub_disk_read (source, 0, 0, sizeof (header), &header); - if (err) - return err; - -@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source, - return grub_crypto_gcry_error (gcry_err); - } - -+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); - length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); - - /* Read and decrypt the key material from the disk. */ -- err = grub_disk_read (source, -- grub_be_to_cpu32 (header.keyblock -- [i].keyMaterialOffset), 0, -- length, split_key); -+ if (hdr) -+ { -+ grub_file_seek (hdr, sector * 512); -+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (source, sector, 0, length, split_key); - if (err) - { - grub_free (split_key); -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index 32f564ae0..4e6e89a93 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -20,6 +20,7 @@ - #define GRUB_CRYPTODISK_HEADER 1 - - #include <grub/disk.h> -+#include <grub/file.h> - #include <grub/crypto.h> - #include <grub/list.h> - #ifdef GRUB_UTIL -@@ -107,8 +108,8 @@ struct grub_cryptodisk_dev - struct grub_cryptodisk_dev **prev; - - grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, -- int boot_only); -- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev); -+ int boot_only, grub_file_t hdr); -+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); - }; - typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; - --- -2.16.2 - diff --git a/0002-Cryptomount-support-key-files.patch b/0002-Cryptomount-support-key-files.patch deleted file mode 100644 index 43af5ff3cbf9..000000000000 --- a/0002-Cryptomount-support-key-files.patch +++ /dev/null @@ -1,205 +0,0 @@ -From df3aa34cc68b128c5441ee25ef092e6c2c87392e Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Fri, 26 Jun 2015 13:37:10 +0100 -Subject: [PATCH 2/7] Cryptomount support key files - ---- - grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++- - grub-core/disk/geli.c | 4 +++- - grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++-------------- - include/grub/cryptodisk.h | 5 ++++- - 4 files changed, 82 insertions(+), 17 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 5230a5a9a..5261af547 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] = - {"all", 'a', 0, N_("Mount all."), 0, 0}, - {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, - {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, -+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, -+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, -+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -811,6 +814,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) - static int check_boot, have_it; - static char *search_uuid; - static grub_file_t hdr; -+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE]; -+static grub_size_t keyfile_size; - - static void - cryptodisk_close (grub_cryptodisk_t dev) -@@ -841,7 +846,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) - if (!dev) - continue; - -- err = cr->recover_key (source, dev, hdr); -+ err = cr->recover_key (source, dev, hdr, key, keyfile_size); - if (err) - { - cryptodisk_close (dev); -@@ -949,6 +954,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - hdr = NULL; - - have_it = 0; -+ key = NULL; -+ -+ if (state[4].set) /* Key file; fails back to passphrase entry */ -+ { -+ grub_file_t keyfile; -+ int keyfile_offset; -+ grub_size_t requested_keyfile_size; -+ -+ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0; -+ -+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) -+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ -+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); -+ else -+ { -+ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; -+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ -+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; -+ -+ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); -+ if (!keyfile) -+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); -+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) -+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); -+ else -+ { -+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); -+ if (keyfile_size == (grub_size_t)-1) -+ grub_printf (N_("Error reading key file\n")); -+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) -+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), -+ (unsigned long long) requested_keyfile_size, -+ (unsigned long long) keyfile_size); -+ else -+ key = keyfile_buffer; -+ } -+ } -+ } -+ - if (state[0].set) - { - grub_cryptodisk_t dev; -diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c -index f4394eb42..da6aa6a63 100644 ---- a/grub-core/disk/geli.c -+++ b/grub-core/disk/geli.c -@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - - static grub_err_t - recover_key (grub_disk_t source, grub_cryptodisk_t dev, -- grub_file_t hdr __attribute__ ((unused)) ) -+ grub_file_t hdr __attribute__ ((unused)), -+ grub_uint8_t *key __attribute__ ((unused)), -+ grub_size_t keyfile_size __attribute__ ((unused)) ) - { - grub_size_t keysize; - grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 66e64c0e0..588236888 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - static grub_err_t - luks_recover_key (grub_disk_t source, - grub_cryptodisk_t dev, -- grub_file_t hdr) -+ grub_file_t hdr, -+ grub_uint8_t *keyfile_bytes, -+ grub_size_t keyfile_bytes_size) - { - struct grub_luks_phdr header; - grub_size_t keysize; - grub_uint8_t *split_key = NULL; -- char passphrase[MAX_PASSPHRASE] = ""; -+ char interactive_passphrase[MAX_PASSPHRASE] = ""; -+ grub_uint8_t *passphrase; -+ grub_size_t passphrase_length; - grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; - unsigned i; - grub_size_t length; -@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source, - if (!split_key) - return grub_errno; - -- /* Get the passphrase from the user. */ -- tmp = NULL; -- if (source->partition) -- tmp = grub_partition_get_name (source->partition); -- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -- source->partition ? "," : "", tmp ? : "", -- dev->uuid); -- grub_free (tmp); -- if (!grub_password_get (passphrase, MAX_PASSPHRASE)) -+ if (keyfile_bytes) - { -- grub_free (split_key); -- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ /* Use bytestring from key file as passphrase */ -+ passphrase = keyfile_bytes; -+ passphrase_length = keyfile_bytes_size; -+ } -+ else -+ { -+ /* Get the passphrase from the user. */ -+ tmp = NULL; -+ if (source->partition) -+ tmp = grub_partition_get_name (source->partition); -+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -+ source->partition ? "," : "", tmp ? : "", dev->uuid); -+ grub_free (tmp); -+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ { -+ grub_free (split_key); -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ } -+ -+ passphrase = (grub_uint8_t *)interactive_passphrase; -+ passphrase_length = grub_strlen (interactive_passphrase); -+ - } - - /* Try to recover master key from each active keyslot. */ -@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source, - - /* Calculate the PBKDF2 of the user supplied passphrase. */ - gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, -- grub_strlen (passphrase), -+ passphrase_length, - header.keyblock[i].passwordSalt, - sizeof (header.keyblock[i].passwordSalt), - grub_be_to_cpu32 (header.keyblock[i]. -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index 4e6e89a93..67f6b0b59 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -55,6 +55,8 @@ typedef enum - #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) - #define GRUB_CRYPTODISK_MAX_KEYLEN 128 - -+#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 -+ - struct grub_cryptodisk; - - typedef gcry_err_code_t -@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev - - grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, - int boot_only, grub_file_t hdr); -- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); -+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, -+ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size); - }; - typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; - --- -2.16.2 - diff --git a/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch deleted file mode 100644 index 07239e95f43d..000000000000 --- a/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch +++ /dev/null @@ -1,317 +0,0 @@ -From f42b774020839b1e07c5fa0ad7be4735d35cc705 Mon Sep 17 00:00:00 2001 -From: Maxim Fomin <maxim@fomin.one> -Date: Fri, 8 Jan 2021 20:00:31 +0000 -Subject: [PATCH] Support for multiple LUKS passphrase attempts - ---- - grub-core/disk/luks.c | 273 ++++++++++++++++++++++-------------------- - 1 file changed, 141 insertions(+), 132 deletions(-) - -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index eea85338d..3f98df287 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -34,6 +34,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); - - #define LUKS_KEY_ENABLED 0x00AC71F3 - -+#define LUKS_PASSPHRASE_ATTEMPTS 3 -+ - /* On disk LUKS header */ - struct grub_luks_phdr - { -@@ -182,6 +184,7 @@ luks_recover_key (grub_disk_t source, - grub_size_t max_stripes = 1; - char *tmp; - grub_uint32_t sector; -+ unsigned int attempts = LUKS_PASSPHRASE_ATTEMPTS; - - err = GRUB_ERR_NONE; - -@@ -211,145 +214,151 @@ luks_recover_key (grub_disk_t source, - if (!split_key) - return grub_errno; - -- if (keyfile_bytes) -- { -- /* Use bytestring from key file as passphrase */ -- passphrase = keyfile_bytes; -- passphrase_length = keyfile_bytes_size; -- } -- else -+ while (attempts) - { -- /* Get the passphrase from the user. */ -- tmp = NULL; -- if (source->partition) -- tmp = grub_partition_get_name (source->partition); -- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -- source->partition ? "," : "", tmp ? : "", dev->uuid); -- grub_free (tmp); -- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ if (keyfile_bytes) - { -- grub_free (split_key); -- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ /* Use bytestring from key file as passphrase */ -+ passphrase = keyfile_bytes; -+ passphrase_length = keyfile_bytes_size; -+ keyfile_bytes = NULL; /* use it only once */ -+ } -+ else -+ { -+ /* Get the passphrase from the user. */ -+ tmp = NULL; -+ if (source->partition) -+ tmp = grub_partition_get_name (source->partition); -+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -+ source->partition ? "," : "", tmp ? : "", dev->uuid); -+ grub_free (tmp); -+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ { -+ grub_free (split_key); -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ } -+ -+ passphrase = (grub_uint8_t *)interactive_passphrase; -+ passphrase_length = grub_strlen (interactive_passphrase); - } - -- passphrase = (grub_uint8_t *)interactive_passphrase; -- passphrase_length = grub_strlen (interactive_passphrase); -+ /* Try to recover master key from each active keyslot. */ -+ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) -+ { -+ gcry_err_code_t gcry_err; -+ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; -+ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; -+ -+ /* Check if keyslot is enabled. */ -+ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) -+ continue; -+ -+ grub_dprintf ("luks", "Trying keyslot %d\n", i); -+ -+ /* Calculate the PBKDF2 of the user supplied passphrase. */ -+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, -+ passphrase_length, -+ header.keyblock[i].passwordSalt, -+ sizeof (header.keyblock[i].passwordSalt), -+ grub_be_to_cpu32 (header.keyblock[i]. -+ passwordIterations), -+ digest, keysize); -+ -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ grub_dprintf ("luks", "PBKDF2 done\n"); -+ -+ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); -+ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); -+ -+ /* Read and decrypt the key material from the disk. */ -+ if (hdr) -+ { -+ grub_file_seek (hdr, sector * 512); -+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (source, sector, 0, length, split_key); -+ if (err) -+ { -+ grub_free (split_key); -+ return err; -+ } -+ -+ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0, -+ GRUB_LUKS1_LOG_SECTOR_SIZE); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ /* Merge the decrypted key material to get the candidate master key. */ -+ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, -+ grub_be_to_cpu32 (header.keyblock[i].stripes)); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ grub_dprintf ("luks", "candidate key recovered\n"); -+ -+ /* Calculate the PBKDF2 of the candidate master key. */ -+ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, -+ grub_be_to_cpu32 (header.keyBytes), -+ header.mkDigestSalt, -+ sizeof (header.mkDigestSalt), -+ grub_be_to_cpu32 -+ (header.mkDigestIterations), -+ candidate_digest, -+ sizeof (candidate_digest)); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ /* Compare the calculated PBKDF2 to the digest stored -+ in the header to see if it's correct. */ -+ if (grub_memcmp (candidate_digest, header.mkDigest, -+ sizeof (header.mkDigest)) != 0) -+ { -+ grub_dprintf ("luks", "bad digest\n"); -+ continue; -+ } -+ -+ /* TRANSLATORS: It's a cryptographic key slot: one element of an array -+ where each element is either empty or holds a key. */ -+ grub_printf_ (N_("Slot %d opened\n"), i); -+ -+ /* Set the master key. */ -+ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } - -- } -+ grub_free (split_key); - -- /* Try to recover master key from each active keyslot. */ -- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) -- { -- gcry_err_code_t gcry_err; -- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; -- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; -- -- /* Check if keyslot is enabled. */ -- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) -- continue; -- -- grub_dprintf ("luks", "Trying keyslot %d\n", i); -- -- /* Calculate the PBKDF2 of the user supplied passphrase. */ -- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, -- passphrase_length, -- header.keyblock[i].passwordSalt, -- sizeof (header.keyblock[i].passwordSalt), -- grub_be_to_cpu32 (header.keyblock[i]. -- passwordIterations), -- digest, keysize); -- -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- grub_dprintf ("luks", "PBKDF2 done\n"); -- -- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); -- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); -- -- /* Read and decrypt the key material from the disk. */ -- if (hdr) -- { -- grub_file_seek (hdr, sector * 512); -- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) -- err = GRUB_ERR_READ_ERROR; -+ return GRUB_ERR_NONE; - } -- else -- err = grub_disk_read (source, sector, 0, length, split_key); -- if (err) -- { -- grub_free (split_key); -- return err; -- } -- -- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0, -- GRUB_LUKS1_LOG_SECTOR_SIZE); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- /* Merge the decrypted key material to get the candidate master key. */ -- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, -- grub_be_to_cpu32 (header.keyblock[i].stripes)); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- grub_dprintf ("luks", "candidate key recovered\n"); -- -- /* Calculate the PBKDF2 of the candidate master key. */ -- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, -- grub_be_to_cpu32 (header.keyBytes), -- header.mkDigestSalt, -- sizeof (header.mkDigestSalt), -- grub_be_to_cpu32 -- (header.mkDigestIterations), -- candidate_digest, -- sizeof (candidate_digest)); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- /* Compare the calculated PBKDF2 to the digest stored -- in the header to see if it's correct. */ -- if (grub_memcmp (candidate_digest, header.mkDigest, -- sizeof (header.mkDigest)) != 0) -- { -- grub_dprintf ("luks", "bad digest\n"); -- continue; -- } -- -- /* TRANSLATORS: It's a cryptographic key slot: one element of an array -- where each element is either empty or holds a key. */ -- grub_printf_ (N_("Slot %d opened\n"), i); -- -- /* Set the master key. */ -- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- grub_free (split_key); -- -- return GRUB_ERR_NONE; -+ grub_printf_ (N_("Failed to decrypt master key.\n")); -+ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts, -+ (attempts==1) ? "" : "s"); - } - - grub_free (split_key); --- -2.30.0 - diff --git a/0004-Cryptomount-support-plain-dm-crypt.patch b/0004-Cryptomount-support-plain-dm-crypt.patch deleted file mode 100644 index 1ea3232b9b5e..000000000000 --- a/0004-Cryptomount-support-plain-dm-crypt.patch +++ /dev/null @@ -1,407 +0,0 @@ -From a8f9e3dcece89c179e89414abe89985c7ab1e03f Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Fri, 26 Jun 2015 22:09:52 +0100 -Subject: [PATCH 4/7] Cryptomount support plain dm-crypt - -Patch modified to take into account a change to context -brought about by c93d3e694713b8230fa2cf88414fabe005b56782 - -grub-core/disk/cryptodisk.c -142c142 -< if (disklast) ---- -> ---- - grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++- - grub-core/disk/luks.c | 195 +---------------------------- - include/grub/cryptodisk.h | 8 ++ - 3 files changed, 310 insertions(+), 191 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 5261af547..7f656f75c 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -45,6 +45,12 @@ static const struct grub_arg_option options[] = - {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, - {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, - {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, -+ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE}, -+ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING}, -+ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING}, -+ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT}, -+ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT}, -+ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -933,6 +939,48 @@ grub_cryptodisk_scan_device (const char *name, - return have_it && search_uuid ? 1 : 0; - } - -+/* Hashes a passphrase into a key and stores it with cipher. */ -+static gcry_err_code_t -+set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase) -+{ -+ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash; -+ char *p; -+ unsigned int round, i; -+ unsigned int len, size; -+ -+ /* Need no passphrase if there's no key */ -+ if (keysize == 0) -+ return GPG_ERR_INV_KEYLEN; -+ -+ /* Hack to support the "none" hash */ -+ if (dev->hash) -+ len = dev->hash->mdlen; -+ else -+ len = grub_strlen (passphrase); -+ -+ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN) -+ return GPG_ERR_INV_KEYLEN; -+ -+ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len); -+ if (!p) -+ return grub_errno; -+ -+ for (round = 0, size = keysize; size; round++, dh += len, size -= len) -+ { -+ for (i = 0; i < round; i++) -+ p[i] = 'A'; -+ -+ grub_strcpy (p + i, passphrase); -+ -+ if (len > size) -+ len = size; -+ -+ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p)); -+ } -+ -+ return grub_cryptodisk_setkey (dev, derived_hash, keysize); -+} -+ - static grub_err_t - grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - { -@@ -1060,7 +1108,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - return GRUB_ERR_NONE; - } - -- err = grub_cryptodisk_scan_device_real (diskname, disk); -+ if (state[7].set) /* Plain mode */ -+ { -+ char *cipher; -+ char *mode; -+ char *digest; -+ int offset, size, key_size; -+ -+ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER); -+ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST); -+ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0; -+ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0; -+ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \ -+ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8; -+ -+ /* no strtok, do it manually */ -+ mode = grub_strchr(cipher,'-'); -+ if (!mode) -+ return GRUB_ERR_BAD_ARGUMENT; -+ else -+ *mode++ = 0; -+ -+ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest); -+ -+ dev->offset_sectors = offset; -+ if (size) dev->total_sectors = size; -+ -+ if (key) -+ { -+ err = grub_cryptodisk_setkey (dev, key, key_size); -+ if (err) -+ return err; -+ } -+ else -+ { -+ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; -+ -+ grub_printf_ (N_("Enter passphrase for %s: "), diskname); -+ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ -+ err = set_passphrase (dev, key_size, passphrase); -+ if (err) -+ { -+ grub_crypto_cipher_close (dev->cipher); -+ return err; -+ } -+ } -+ -+ grub_cryptodisk_insert (dev, diskname, disk); -+ -+ grub_free (cipher); -+ grub_free (digest); -+ -+ err = GRUB_ERR_NONE; -+ } -+ else -+ err = grub_cryptodisk_scan_device_real (diskname, disk); - - grub_disk_close (disk); - if (disklast) -@@ -1193,13 +1297,203 @@ struct grub_procfs_entry luks_script = - .get_contents = luks_script_get - }; - -+grub_cryptodisk_t -+grub_cryptodisk_create (grub_disk_t disk, char *uuid, -+ char *ciphername, char *ciphermode, char *hashspec) -+{ -+ grub_cryptodisk_t newdev; -+ char *cipheriv = NULL; -+ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; -+ grub_crypto_cipher_handle_t essiv_cipher = NULL; -+ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; -+ const struct gcry_cipher_spec *ciph; -+ grub_cryptodisk_mode_t mode; -+ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; -+ int benbi_log = 0; -+ -+ if (!uuid) -+ uuid = (char*)"00000000000000000000000000000000"; -+ -+ ciph = grub_crypto_lookup_cipher_by_name (ciphername); -+ if (!ciph) -+ { -+ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", -+ ciphername); -+ return NULL; -+ } -+ -+ /* Configure the cipher used for the bulk data. */ -+ cipher = grub_crypto_cipher_open (ciph); -+ if (!cipher) -+ return NULL; -+ -+ /* Configure the cipher mode. */ -+ if (grub_strcmp (ciphermode, "ecb") == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_ECB; -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -+ cipheriv = NULL; -+ } -+ else if (grub_strcmp (ciphermode, "plain") == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_CBC; -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -+ cipheriv = NULL; -+ } -+ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_CBC; -+ cipheriv = ciphermode + sizeof ("cbc-") - 1; -+ } -+ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_PCBC; -+ cipheriv = ciphermode + sizeof ("pcbc-") - 1; -+ } -+ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_XTS; -+ cipheriv = ciphermode + sizeof ("xts-") - 1; -+ secondary_cipher = grub_crypto_cipher_open (ciph); -+ if (!secondary_cipher) -+ { -+ grub_crypto_cipher_close (cipher); -+ return NULL; -+ } -+ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", -+ cipher->cipher->blocksize); -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", -+ secondary_cipher->cipher->blocksize); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ } -+ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_LRW; -+ cipheriv = ciphermode + sizeof ("lrw-") - 1; -+ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", -+ cipher->cipher->blocksize); -+ grub_crypto_cipher_close (cipher); -+ return NULL; -+ } -+ } -+ else -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", -+ ciphermode); -+ return NULL; -+ } -+ -+ if (cipheriv == NULL); -+ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -+ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; -+ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) -+ { -+ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) -+ || cipher->cipher->blocksize == 0) -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", -+ cipher->cipher->blocksize); -+ /* FIXME should we return an error here? */ -+ for (benbi_log = 0; -+ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; -+ benbi_log++); -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; -+ } -+ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; -+ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) -+ { -+ char *hash_str = cipheriv + 6; -+ -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; -+ -+ /* Configure the hash and cipher used for ESSIV. */ -+ essiv_hash = grub_crypto_lookup_md_by_name (hash_str); -+ if (!essiv_hash) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ grub_error (GRUB_ERR_FILE_NOT_FOUND, -+ "Couldn't load %s hash", hash_str); -+ return NULL; -+ } -+ essiv_cipher = grub_crypto_cipher_open (ciph); -+ if (!essiv_cipher) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ } -+ else -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", -+ cipheriv); -+ return NULL; -+ } -+ -+ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */ -+ hash = grub_crypto_lookup_md_by_name (hashspec); -+ if (!hash) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (essiv_cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", -+ hashspec); -+ return NULL; -+ } -+ -+ newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); -+ if (!newdev) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (essiv_cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ newdev->cipher = cipher; -+ newdev->offset_sectors = 0; -+ newdev->source_disk = NULL; -+ newdev->benbi_log = benbi_log; -+ newdev->mode = mode; -+ newdev->mode_iv = mode_iv; -+ newdev->secondary_cipher = secondary_cipher; -+ newdev->essiv_cipher = essiv_cipher; -+ newdev->essiv_hash = essiv_hash; -+ newdev->hash = hash; -+ newdev->log_sector_size = 9; -+ newdev->total_sectors = grub_disk_native_sectors (disk) - newdev->offset_sectors; -+ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); -+ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); -+ -+ return newdev; -+} -+ - static grub_extcmd_t cmd; - - GRUB_MOD_INIT (cryptodisk) - { - grub_disk_dev_register (&grub_cryptodisk_dev); - cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, -- N_("SOURCE|-u UUID|-a|-b|-H file"), -+ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"), - N_("Mount a crypto device."), options); - grub_procfs_register ("luks_script", &luks_script); - } -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 11e437edb..4ebe21b4e 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source, - struct grub_luks_phdr header; - grub_size_t keysize; - grub_uint8_t *split_key = NULL; -- char interactive_passphrase[MAX_PASSPHRASE] = ""; -+ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; - grub_uint8_t *passphrase; - grub_size_t passphrase_length; - grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; -@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source, - grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, - source->partition ? "," : "", tmp ? : "", dev->uuid); - grub_free (tmp); -- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) - { - grub_free (split_key); - return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index 67f6b0b59..bb25ab730 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -54,9 +54,14 @@ typedef enum - #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3) - #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) - #define GRUB_CRYPTODISK_MAX_KEYLEN 128 -+#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256 - - #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 - -+#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256" -+#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160" -+#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256 -+ - struct grub_cryptodisk; - - typedef gcry_err_code_t -@@ -160,4 +165,7 @@ grub_util_get_geli_uuid (const char *dev); - grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid); - grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); - -+grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, -+ char *ciphername, char *ciphermode, char *digest); -+ - #endif --- -2.16.2 - diff --git a/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/0005-Cryptomount-support-for-hyphens-in-UUID.patch deleted file mode 100644 index b875f66ea3ce..000000000000 --- a/0005-Cryptomount-support-for-hyphens-in-UUID.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 0939fef502c4b97d1facc7972a54d5dfeba4ab71 Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Fri, 26 Jun 2015 22:48:03 +0100 -Subject: [PATCH 5/7] Cryptomount support for hyphens in UUID - ---- - grub-core/disk/cryptodisk.c | 20 +++++++++++++++++--- - grub-core/disk/luks.c | 26 ++++++++------------------ - include/grub/cryptodisk.h | 2 ++ - 3 files changed, 27 insertions(+), 21 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 7f656f75c..c442d3a34 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -114,6 +114,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b) - } - } - -+int -+grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b) -+{ -+ while ((*uuid_a != '\0') && (*uuid_b != '\0')) -+ { -+ while (*uuid_a == '-') uuid_a++; -+ while (*uuid_b == '-') uuid_b++; -+ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break; -+ uuid_a++; -+ uuid_b++; -+ } -+ return (*uuid_a == '\0') && (*uuid_b == '\0'); -+} -+ - static gcry_err_code_t - grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher, - void *out, void *in, grub_size_t size, -@@ -509,8 +523,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk) - if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0) - { - for (dev = cryptodisk_list; dev != NULL; dev = dev->next) -- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0) -- break; -+ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid)) -+ break; - } - else - { -@@ -742,7 +756,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid) - { - grub_cryptodisk_t dev; - for (dev = cryptodisk_list; dev != NULL; dev = dev->next) -- if (grub_strcasecmp (dev->uuid, uuid) == 0) -+ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid)) - return dev; - return NULL; - } -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 4ebe21b4e..80a760670 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - ciphermode[sizeof (header.cipherMode)] = 0; - grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); - hashspec[sizeof (header.hashSpec)] = 0; -+ grub_memcpy (uuid, header.uuid, sizeof (header.uuid)); -+ uuid[sizeof (header.uuid)] = 0; -+ -+ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid)) -+ { -+ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); -+ return NULL; -+ } - - newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec); - -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index bb25ab730..01c02696e 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -168,4 +168,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); - grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, - char *ciphername, char *ciphermode, char *digest); - -+int -+grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b); - #endif --- -2.16.2 - diff --git a/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch deleted file mode 100644 index 9dd806158834..000000000000 --- a/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 908f4282cc934422923ff59836a835e63d6a7117 Mon Sep 17 00:00:00 2001 -From: Paul Gideon Dann <pdgiddie@gmail.com> -Date: Tue, 19 Jul 2016 12:36:37 +0100 -Subject: [PATCH] Add support for using a whole device as a keyfile - ---- - grub-core/disk/cryptodisk.c | 86 +++++++++++++++++++++++++++++-------- - 1 file changed, 68 insertions(+), 18 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index d0388c6d1..c5d8021ba 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -1031,26 +1031,76 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - else - { - keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; -- keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ -- GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; -- -- keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); -- if (!keyfile) -- grub_printf (N_("Unable to open key file %s\n"), state[4].arg); -- else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) -- grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); -- else -+ -+ if (grub_strchr (state[4].arg, '/')) - { -- keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); -- if (keyfile_size == (grub_size_t)-1) -- grub_printf (N_("Error reading key file\n")); -- else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) -- grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), -- (unsigned long long) requested_keyfile_size, -- (unsigned long long) keyfile_size); -+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ -+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; -+ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); -+ if (!keyfile) -+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); -+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) -+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); - else -- key = keyfile_buffer; -- } -+ { -+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); -+ if (keyfile_size == (grub_size_t)-1) -+ grub_printf (N_("Error reading key file\n")); -+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) -+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), -+ (unsigned long long) requested_keyfile_size, -+ (unsigned long long) keyfile_size); -+ else -+ key = keyfile_buffer; -+ } -+ } -+ else -+ { -+ grub_disk_t keydisk; -+ char* keydisk_name; -+ grub_err_t err; -+ grub_uint64_t total_sectors; -+ -+ keydisk_name = grub_file_get_device_name(state[4].arg); -+ keydisk = grub_disk_open (keydisk_name); -+ if (!keydisk) -+ { -+ grub_printf (N_("Unable to open disk %s\n"), keydisk_name); -+ goto cleanup_keydisk_name; -+ } -+ -+ total_sectors = grub_disk_native_sectors (keydisk); -+ if (total_sectors == GRUB_DISK_SIZE_UNKNOWN) -+ { -+ grub_printf (N_("Unable to determine size of disk %s\n"), keydisk_name); -+ goto cleanup_keydisk; -+ } -+ -+ keyfile_size = (total_sectors << GRUB_DISK_SECTOR_BITS); -+ if (requested_keyfile_size > 0 && requested_keyfile_size < keyfile_size) -+ keyfile_size = requested_keyfile_size; -+ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) -+ { -+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ -+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); -+ goto cleanup_keydisk; -+ } -+ -+ err = grub_disk_read (keydisk, 0, keyfile_offset, keyfile_size, keyfile_buffer); -+ if (err != GRUB_ERR_NONE) -+ { -+ grub_printf (N_("Failed to read from disk %s\n"), keydisk_name); -+ keyfile_size = 0; -+ goto cleanup_keydisk; -+ } -+ -+ key = keyfile_buffer; -+ -+ cleanup_keydisk: -+ grub_disk_close (keydisk); -+ cleanup_keydisk_name: -+ grub_free (keydisk_name); -+ } - } - } - @@ -5,14 +5,14 @@ # Contributor: Keshav Amburay <(the ddoott ridikulus ddoott rat) (aatt) (gemmaeiil) (ddoott) (ccoomm)> ## "1" to enable IA32-EFI build in Arch x86_64, "0" to disable -_IA32_EFI_IN_ARCH_X64="1" +_IA32_EFI_IN_ARCH_X64="0" ## "1" to enable EMU build, "0" to disable _GRUB_EMU_BUILD="0" _GRUB_EXTRAS_COMMIT="8a245d5c1800627af4cefa99162a89c7a46d8842" _GNULIB_COMMIT="be584c56eb1311606e5ea1a36363b97bddb6eed3" -_UNIFONT_VER="13.0.05" +_UNIFONT_VER="13.0.06" [[ "${CARCH}" == "x86_64" ]] && _EFI_ARCH="x86_64" [[ "${CARCH}" == "i686" ]] && _EFI_ARCH="i386" @@ -23,8 +23,8 @@ _UNIFONT_VER="13.0.05" pkgname='grub-luks-keyfile-git' pkgdesc='GNU GRand Unified Bootloader (2)' epoch=2 -pkgver=2.06rc1 -pkgrel=2 +pkgver=2.06 +pkgrel=3 url='https://www.gnu.org/software/grub/' arch=('x86_64') license=('GPL3') @@ -56,32 +56,20 @@ validpgpkeys=('E53D497F3FA42AD8C9B4D1E835A93B74E82E4209' # Vladimir 'phcoder' S 'BE5C23209ACDDACEB20DB0A28C8189F1988C2166' # Daniel Kiper <dkiper@net-space.pl> '95D2E9AB8740D8046387FD151A09227B1F435A33') # Paul Hardy <unifoundry@unifoundry.com> -source=("git+https://git.savannah.gnu.org/git/grub.git" +source=("git+https://github.com/mxfm/grub.git" "git+https://git.savannah.gnu.org/git/grub-extras.git#commit=${_GRUB_EXTRAS_COMMIT}" "git+https://git.savannah.gnu.org/git/gnulib.git#commit=${_GNULIB_COMMIT}" "https://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz"{,.sig} '0001-00_header-add-GRUB_COLOR_-variables.patch' - '0002-10_linux-detect-archlinux-initramfs.patch' - '0001-Cryptomount-support-LUKS-detached-header.patch' - '0002-Cryptomount-support-key-files.patch' - '0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch' - '0004-Cryptomount-support-plain-dm-crypt.patch' - '0005-Cryptomount-support-for-hyphens-in-UUID.patch' - '0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch') + '0002-10_linux-detect-archlinux-initramfs.patch') sha256sums=('SKIP' 'SKIP' 'SKIP' - 'c4e61e9336d8d024479ea72616722c6c47c93f76dc173e8ad3edf9f9e07c3115' + 'b7668a5d498972dc4981250c49f83601babce797be19b4fdd0f2f1c6cfbd0fc5' 'SKIP' 'ef87b27e4cef6f83c41c8a1a0401f41e22a89a130baaef8c5a832a6c99bb2683' - 'ce7e24acec78989169a136e989e07369def3dd7c727788d5038a255409ec3c35' - 'b9d737d1b403b540a00a8e9c25240a06bb371da7588d3e665af8543397724698' - '5d7060fbe9738764d2f8ebc96b43cc0bb8939c2e4e4e78b7a82a1a149ea6e837' - '3e373bcb7847326ae14365e7443f900559f35f4f9ba2e5e69d034f4423fc45bb' - '9ff4aba657d3826a510c57ce44d7582c4e4c72eb32a59ffd2b09e923202750ed' - '6f58b01eb9adcc6864e09a4ecaa728f19ee2c9a7ecf4cf20fd17fc5ec327f19c' - '4739a472c609df2528ac30e502a9f1b77fd1517af551c6bcbd35ba57b81da827') + 'ce7e24acec78989169a136e989e07369def3dd7c727788d5038a255409ec3c35') _backports=( # grub-mkconfig: Use portable "command -v" to detect installed programs @@ -127,24 +115,6 @@ prepare() { echo "Patch to enable GRUB_COLOR_* variables in grub-mkconfig..." ## Based on http://lists.gnu.org/archive/html/grub-devel/2012-02/msg00021.html patch -Np1 -i "${srcdir}/0001-00_header-add-GRUB_COLOR_-variables.patch" - - echo "Patch to enable LUKS detached header support..." - patch -Np1 -i "${srcdir}/0001-Cryptomount-support-LUKS-detached-header.patch" - - echo "Patch to enable LUKS key files support ..." - patch -Np1 -i "${srcdir}/0002-Cryptomount-support-key-files.patch" - - echo "Patch to enable multiple passphrase attempts support..." - patch -Np1 -i "${srcdir}/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch" - - echo "Patch to enable plain dm-crypt mode support..." - patch -Np1 -i "${srcdir}/0004-Cryptomount-support-plain-dm-crypt.patch" - - echo "Patch to enable hyphens in UUID support..." - patch -Np1 -i "${srcdir}/0005-Cryptomount-support-for-hyphens-in-UUID.patch" - - echo "Patch to enable whole device as keyfile support ..." - patch -Np1 -i "${srcdir}/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch" echo "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme..." sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac" |