diff options
| author | Maxim Fomin | 2021-01-16 16:36:28 +0000 |
|---|---|---|
| committer | Maxim Fomin | 2021-01-16 16:36:28 +0000 |
| commit | c6c10ff4f2bbbafa382b5bf1ecdfa18c9a409110 (patch) | |
| tree | f6829056c3822d94e62573caab8a286ba622451e | |
| download | aur-c6c10ff4f2bbbafa382b5bf1ecdfa18c9a409110.tar.gz | |
Inital upload of -git version of package grub-luks-keyfile.
| -rw-r--r-- | .SRCINFO | 78 | ||||
| -rw-r--r-- | 0001-Cryptomount-support-LUKS-detached-header.patch | 247 | ||||
| -rw-r--r-- | 0002-Cryptomount-support-key-files.patch | 205 | ||||
| -rw-r--r-- | 0003-10_linux-detect-archlinux-initramfs.patch | 41 | ||||
| -rw-r--r-- | 0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch | 317 | ||||
| -rw-r--r-- | 0004-Cryptomount-support-plain-dm-crypt.patch | 407 | ||||
| -rw-r--r-- | 0004-add-GRUB_COLOR_variables.patch | 32 | ||||
| -rw-r--r-- | 0005-Cryptomount-support-for-hyphens-in-UUID.patch | 89 | ||||
| -rw-r--r-- | 0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch | 108 | ||||
| -rw-r--r-- | PKGBUILD | 339 |
10 files changed, 1863 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 000000000000..e5f21c0d0d14 --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,78 @@ +pkgbase = grub-luks-keyfile-git + pkgdesc = GNU GRand Unified Bootloader (2) + pkgver = 2.05 + pkgrel = 1 + epoch = 2 + url = https://www.gnu.org/software/grub/ + arch = x86_64 + license = GPL3 + makedepends = git + makedepends = rsync + makedepends = xz + makedepends = freetype2 + makedepends = ttf-dejavu + makedepends = python + makedepends = autogen + makedepends = texinfo + makedepends = help2man + makedepends = gettext + makedepends = device-mapper + makedepends = fuse2 + depends = sh + depends = xz + depends = gettext + depends = device-mapper + optdepends = freetype2: For grub-mkfont usage + optdepends = fuse2: For grub-mount usage + optdepends = dosfstools: For grub-mkrescue FAT FS and EFI support + optdepends = efibootmgr: For grub-install EFI support + optdepends = libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue + optdepends = os-prober: To detect other OSes when generating grub.cfg in BIOS systems + optdepends = mtools: For grub-mkrescue FAT FS support + provides = grub-common + provides = grub-bios + provides = grub-emu + provides = grub-efi-x86_64 + conflicts = grub-common + conflicts = grub-bios + conflicts = grub-emu + conflicts = grub-efi-x86_64 + conflicts = grub-legacy + replaces = grub-common + replaces = grub-bios + replaces = grub-emu + replaces = grub-efi-x86_64 + options = !makeflags + backup = etc/grub.d/40_custom + source = git+https://git.savannah.gnu.org/git/grub.git + source = git+https://git.savannah.gnu.org/git/grub-extras.git#commit=8a245d5c1800627af4cefa99162a89c7a46d8842 + source = git+https://git.savannah.gnu.org/git/gnulib.git#commit=be584c56eb1311606e5ea1a36363b97bddb6eed3 + source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.05/unifont-13.0.05.bdf.gz + source = https://ftp.gnu.org/gnu/unifont/unifont-13.0.05/unifont-13.0.05.bdf.gz.sig + source = 0003-10_linux-detect-archlinux-initramfs.patch + source = 0004-add-GRUB_COLOR_variables.patch + source = 0001-Cryptomount-support-LUKS-detached-header.patch + source = 0002-Cryptomount-support-key-files.patch + source = 0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch + source = 0004-Cryptomount-support-plain-dm-crypt.patch + source = 0005-Cryptomount-support-for-hyphens-in-UUID.patch + source = 0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch + validpgpkeys = E53D497F3FA42AD8C9B4D1E835A93B74E82E4209 + validpgpkeys = BE5C23209ACDDACEB20DB0A28C8189F1988C2166 + validpgpkeys = 95D2E9AB8740D8046387FD151A09227B1F435A33 + sha256sums = SKIP + sha256sums = SKIP + sha256sums = SKIP + sha256sums = c4e61e9336d8d024479ea72616722c6c47c93f76dc173e8ad3edf9f9e07c3115 + sha256sums = SKIP + sha256sums = 171415ab075d1ac806f36c454feeb060f870416f24279b70104bba94bd6076d4 + sha256sums = a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29 + sha256sums = b9d737d1b403b540a00a8e9c25240a06bb371da7588d3e665af8543397724698 + sha256sums = 5d7060fbe9738764d2f8ebc96b43cc0bb8939c2e4e4e78b7a82a1a149ea6e837 + sha256sums = 3e373bcb7847326ae14365e7443f900559f35f4f9ba2e5e69d034f4423fc45bb + sha256sums = 9ff4aba657d3826a510c57ce44d7582c4e4c72eb32a59ffd2b09e923202750ed + sha256sums = 6f58b01eb9adcc6864e09a4ecaa728f19ee2c9a7ecf4cf20fd17fc5ec327f19c + sha256sums = 4739a472c609df2528ac30e502a9f1b77fd1517af551c6bcbd35ba57b81da827 + +pkgname = grub-luks-keyfile-git + diff --git a/0001-Cryptomount-support-LUKS-detached-header.patch b/0001-Cryptomount-support-LUKS-detached-header.patch new file mode 100644 index 000000000000..65943f41b8c8 --- /dev/null +++ b/0001-Cryptomount-support-LUKS-detached-header.patch @@ -0,0 +1,247 @@ +From 2008e08c0a511da5d454664363f452a9e26c734f Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Tue, 23 Jun 2015 11:16:30 +0100 +Subject: [PATCH 1/7] Cryptomount support LUKS detached header + +--- + grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++---- + grub-core/disk/geli.c | 7 +++++-- + grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++-------- + include/grub/cryptodisk.h | 5 +++-- + 4 files changed, 63 insertions(+), 16 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index bd60a66b3..5230a5a9a 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] = + /* TRANSLATORS: It's still restricted to cryptodisks only. */ + {"all", 'a', 0, N_("Mount all."), 0, 0}, + {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, ++ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -809,6 +810,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) + + static int check_boot, have_it; + static char *search_uuid; ++static grub_file_t hdr; + + static void + cryptodisk_close (grub_cryptodisk_t dev) +@@ -833,13 +835,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + + FOR_CRYPTODISK_DEVS (cr) + { +- dev = cr->scan (source, search_uuid, check_boot); ++ dev = cr->scan (source, search_uuid, check_boot, hdr); + if (grub_errno) + return grub_errno; + if (!dev) + continue; + +- err = cr->recover_key (source, dev); ++ err = cr->recover_key (source, dev, hdr); + if (err) + { + cryptodisk_close (dev); +@@ -880,7 +882,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat) + + FOR_CRYPTODISK_DEVS (cr) + { +- dev = cr->scan (source, search_uuid, check_boot); ++ dev = cr->scan (source, search_uuid, check_boot,0); + if (grub_errno) + return grub_errno; + if (!dev) +@@ -934,6 +936,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + if (argc < 1 && !state[1].set && !state[2].set) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required"); + ++ if (state[3].set) /* LUKS detached header */ ++ { ++ if (state[0].set) /* Cannot use UUID lookup with detached header */ ++ return GRUB_ERR_BAD_ARGUMENT; ++ ++ hdr = grub_file_open (state[3].arg, GRUB_FILE_TYPE_NONE); ++ if (!hdr) ++ return grub_errno; ++ } ++ else ++ hdr = NULL; ++ + have_it = 0; + if (state[0].set) + { +@@ -1141,7 +1155,7 @@ GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("SOURCE|-u UUID|-a|-b"), ++ N_("SOURCE|-u UUID|-a|-b|-H file"), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } +diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c +index e9d23299a..f4394eb42 100644 +--- a/grub-core/disk/geli.c ++++ b/grub-core/disk/geli.c +@@ -52,6 +52,7 @@ + #include <grub/dl.h> + #include <grub/err.h> + #include <grub/disk.h> ++#include <grub/file.h> + #include <grub/crypto.h> + #include <grub/partition.h> + #include <grub/i18n.h> +@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev) + + static grub_cryptodisk_t + configure_ciphers (grub_disk_t disk, const char *check_uuid, +- int boot_only) ++ int boot_only, ++ grub_file_t hdr __attribute__ ((unused)) ) + { + grub_cryptodisk_t newdev; + struct grub_geli_phdr header; +@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + } + + static grub_err_t +-recover_key (grub_disk_t source, grub_cryptodisk_t dev) ++recover_key (grub_disk_t source, grub_cryptodisk_t dev, ++ grub_file_t hdr __attribute__ ((unused)) ) + { + grub_size_t keysize; + grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 86c50c612..66e64c0e0 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -23,6 +23,7 @@ + #include <grub/dl.h> + #include <grub/err.h> + #include <grub/disk.h> ++#include <grub/file.h> + #include <grub/crypto.h> + #include <grub/partition.h> + #include <grub/i18n.h> +@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, + + static grub_cryptodisk_t + configure_ciphers (grub_disk_t disk, const char *check_uuid, +- int check_boot) ++ int check_boot, grub_file_t hdr) + { + grub_cryptodisk_t newdev; + const char *iptr; +@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + int benbi_log = 0; + grub_err_t err; + ++ err = GRUB_ERR_NONE; ++ + if (check_boot) + return NULL; + + /* Read the LUKS header. */ +- err = grub_disk_read (disk, 0, 0, sizeof (header), &header); ++ if (hdr) ++ { ++ grub_file_seek (hdr, 0); ++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (disk, 0, 0, sizeof (header), &header); ++ + if (err) + { + if (err == GRUB_ERR_OUT_OF_RANGE) +@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); + newdev->modname = "luks"; + COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); ++ + return newdev; + } + + static grub_err_t + luks_recover_key (grub_disk_t source, +- grub_cryptodisk_t dev) ++ grub_cryptodisk_t dev, ++ grub_file_t hdr) + { + struct grub_luks_phdr header; + grub_size_t keysize; +@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source, + grub_err_t err; + grub_size_t max_stripes = 1; + char *tmp; ++ grub_uint32_t sector; ++ ++ err = GRUB_ERR_NONE; ++ ++ if (hdr) ++ { ++ grub_file_seek (hdr, 0); ++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (source, 0, 0, sizeof (header), &header); + +- err = grub_disk_read (source, 0, 0, sizeof (header), &header); + if (err) + return err; + +@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source, + return grub_crypto_gcry_error (gcry_err); + } + ++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); + length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); + + /* Read and decrypt the key material from the disk. */ +- err = grub_disk_read (source, +- grub_be_to_cpu32 (header.keyblock +- [i].keyMaterialOffset), 0, +- length, split_key); ++ if (hdr) ++ { ++ grub_file_seek (hdr, sector * 512); ++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (source, sector, 0, length, split_key); + if (err) + { + grub_free (split_key); +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 32f564ae0..4e6e89a93 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -20,6 +20,7 @@ + #define GRUB_CRYPTODISK_HEADER 1 + + #include <grub/disk.h> ++#include <grub/file.h> + #include <grub/crypto.h> + #include <grub/list.h> + #ifdef GRUB_UTIL +@@ -107,8 +108,8 @@ struct grub_cryptodisk_dev + struct grub_cryptodisk_dev **prev; + + grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, +- int boot_only); +- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev); ++ int boot_only, grub_file_t hdr); ++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); + }; + typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; + +-- +2.16.2 + diff --git a/0002-Cryptomount-support-key-files.patch b/0002-Cryptomount-support-key-files.patch new file mode 100644 index 000000000000..43af5ff3cbf9 --- /dev/null +++ b/0002-Cryptomount-support-key-files.patch @@ -0,0 +1,205 @@ +From df3aa34cc68b128c5441ee25ef092e6c2c87392e Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 13:37:10 +0100 +Subject: [PATCH 2/7] Cryptomount support key files + +--- + grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++- + grub-core/disk/geli.c | 4 +++- + grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++-------------- + include/grub/cryptodisk.h | 5 ++++- + 4 files changed, 82 insertions(+), 17 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 5230a5a9a..5261af547 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] = + {"all", 'a', 0, N_("Mount all."), 0, 0}, + {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, + {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, ++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, ++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, ++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -811,6 +814,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) + static int check_boot, have_it; + static char *search_uuid; + static grub_file_t hdr; ++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE]; ++static grub_size_t keyfile_size; + + static void + cryptodisk_close (grub_cryptodisk_t dev) +@@ -841,7 +846,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + if (!dev) + continue; + +- err = cr->recover_key (source, dev, hdr); ++ err = cr->recover_key (source, dev, hdr, key, keyfile_size); + if (err) + { + cryptodisk_close (dev); +@@ -949,6 +954,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + hdr = NULL; + + have_it = 0; ++ key = NULL; ++ ++ if (state[4].set) /* Key file; fails back to passphrase entry */ ++ { ++ grub_file_t keyfile; ++ int keyfile_offset; ++ grub_size_t requested_keyfile_size; ++ ++ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0; ++ ++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) ++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ ++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); ++ else ++ { ++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; ++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ ++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; ++ ++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); ++ if (!keyfile) ++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); ++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) ++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); ++ else ++ { ++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); ++ if (keyfile_size == (grub_size_t)-1) ++ grub_printf (N_("Error reading key file\n")); ++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) ++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), ++ (unsigned long long) requested_keyfile_size, ++ (unsigned long long) keyfile_size); ++ else ++ key = keyfile_buffer; ++ } ++ } ++ } ++ + if (state[0].set) + { + grub_cryptodisk_t dev; +diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c +index f4394eb42..da6aa6a63 100644 +--- a/grub-core/disk/geli.c ++++ b/grub-core/disk/geli.c +@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + + static grub_err_t + recover_key (grub_disk_t source, grub_cryptodisk_t dev, +- grub_file_t hdr __attribute__ ((unused)) ) ++ grub_file_t hdr __attribute__ ((unused)), ++ grub_uint8_t *key __attribute__ ((unused)), ++ grub_size_t keyfile_size __attribute__ ((unused)) ) + { + grub_size_t keysize; + grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 66e64c0e0..588236888 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + static grub_err_t + luks_recover_key (grub_disk_t source, + grub_cryptodisk_t dev, +- grub_file_t hdr) ++ grub_file_t hdr, ++ grub_uint8_t *keyfile_bytes, ++ grub_size_t keyfile_bytes_size) + { + struct grub_luks_phdr header; + grub_size_t keysize; + grub_uint8_t *split_key = NULL; +- char passphrase[MAX_PASSPHRASE] = ""; ++ char interactive_passphrase[MAX_PASSPHRASE] = ""; ++ grub_uint8_t *passphrase; ++ grub_size_t passphrase_length; + grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; + unsigned i; + grub_size_t length; +@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source, + if (!split_key) + return grub_errno; + +- /* Get the passphrase from the user. */ +- tmp = NULL; +- if (source->partition) +- tmp = grub_partition_get_name (source->partition); +- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, +- source->partition ? "," : "", tmp ? : "", +- dev->uuid); +- grub_free (tmp); +- if (!grub_password_get (passphrase, MAX_PASSPHRASE)) ++ if (keyfile_bytes) + { +- grub_free (split_key); +- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ /* Use bytestring from key file as passphrase */ ++ passphrase = keyfile_bytes; ++ passphrase_length = keyfile_bytes_size; ++ } ++ else ++ { ++ /* Get the passphrase from the user. */ ++ tmp = NULL; ++ if (source->partition) ++ tmp = grub_partition_get_name (source->partition); ++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, ++ source->partition ? "," : "", tmp ? : "", dev->uuid); ++ grub_free (tmp); ++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ { ++ grub_free (split_key); ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ } ++ ++ passphrase = (grub_uint8_t *)interactive_passphrase; ++ passphrase_length = grub_strlen (interactive_passphrase); ++ + } + + /* Try to recover master key from each active keyslot. */ +@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source, + + /* Calculate the PBKDF2 of the user supplied passphrase. */ + gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, +- grub_strlen (passphrase), ++ passphrase_length, + header.keyblock[i].passwordSalt, + sizeof (header.keyblock[i].passwordSalt), + grub_be_to_cpu32 (header.keyblock[i]. +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 4e6e89a93..67f6b0b59 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -55,6 +55,8 @@ typedef enum + #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) + #define GRUB_CRYPTODISK_MAX_KEYLEN 128 + ++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 ++ + struct grub_cryptodisk; + + typedef gcry_err_code_t +@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev + + grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, + int boot_only, grub_file_t hdr); +- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); ++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, ++ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size); + }; + typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; + +-- +2.16.2 + diff --git a/0003-10_linux-detect-archlinux-initramfs.patch b/0003-10_linux-detect-archlinux-initramfs.patch new file mode 100644 index 000000000000..512fa0451504 --- /dev/null +++ b/0003-10_linux-detect-archlinux-initramfs.patch @@ -0,0 +1,41 @@ +diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in +index f5d3e78..ef59c8c 100644 +--- a/util/grub.d/10_linux.in ++++ b/util/grub.d/10_linux.in +@@ -83,6 +83,8 @@ linux_entry () + case $type in + recovery) + title="$(gettext_printf "%s, with Linux %s (recovery mode)" "${os}" "${version}")" ;; ++ fallback) ++ title="$(gettext_printf "%s, with Linux %s (fallback initramfs)" "${os}" "${version}")" ;; + *) + title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;; + esac +@@ -186,7 +188,7 @@ while [ "x$list" != "x" ] ; do + basename=`basename $linux` + dirname=`dirname $linux` + rel_dirname=`make_system_path_relative_to_its_root $dirname` +- version=`echo $basename | sed -e "s,^[^0-9]*-,,g"` ++ version=`echo $basename | sed -e "s,vmlinuz-,,g"` + alt_version=`echo $version | sed -e "s,\.old$,,g"` + linux_root_device_thisversion="${LINUX_ROOT_DEVICE}" + +@@ -248,6 +250,18 @@ while [ "x$list" != "x" ] ; do + + linux_entry "${OS}" "${version}" advanced \ + "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" ++ ++ if test -e "${dirname}/initramfs-${version}-fallback.img" ; then ++ initrd="initramfs-${version}-fallback.img" ++ ++ if test -n "${initrd}" ; then ++ gettext_printf "Found fallback initrd image(s) in %s:%s\n" "${dirname}" "${initrd_extra} ${initrd}" >&2 ++ fi ++ ++ linux_entry "${OS}" "${version}" fallback \ ++ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" ++ fi ++ + if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then + linux_entry "${OS}" "${version}" recovery \ + "single ${GRUB_CMDLINE_LINUX}" diff --git a/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch new file mode 100644 index 000000000000..07239e95f43d --- /dev/null +++ b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch @@ -0,0 +1,317 @@ +From f42b774020839b1e07c5fa0ad7be4735d35cc705 Mon Sep 17 00:00:00 2001 +From: Maxim Fomin <maxim@fomin.one> +Date: Fri, 8 Jan 2021 20:00:31 +0000 +Subject: [PATCH] Support for multiple LUKS passphrase attempts + +--- + grub-core/disk/luks.c | 273 ++++++++++++++++++++++-------------------- + 1 file changed, 141 insertions(+), 132 deletions(-) + +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index eea85338d..3f98df287 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -34,6 +34,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); + + #define LUKS_KEY_ENABLED 0x00AC71F3 + ++#define LUKS_PASSPHRASE_ATTEMPTS 3 ++ + /* On disk LUKS header */ + struct grub_luks_phdr + { +@@ -182,6 +184,7 @@ luks_recover_key (grub_disk_t source, + grub_size_t max_stripes = 1; + char *tmp; + grub_uint32_t sector; ++ unsigned int attempts = LUKS_PASSPHRASE_ATTEMPTS; + + err = GRUB_ERR_NONE; + +@@ -211,145 +214,151 @@ luks_recover_key (grub_disk_t source, + if (!split_key) + return grub_errno; + +- if (keyfile_bytes) +- { +- /* Use bytestring from key file as passphrase */ +- passphrase = keyfile_bytes; +- passphrase_length = keyfile_bytes_size; +- } +- else ++ while (attempts) + { +- /* Get the passphrase from the user. */ +- tmp = NULL; +- if (source->partition) +- tmp = grub_partition_get_name (source->partition); +- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, +- source->partition ? "," : "", tmp ? : "", dev->uuid); +- grub_free (tmp); +- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ if (keyfile_bytes) + { +- grub_free (split_key); +- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ /* Use bytestring from key file as passphrase */ ++ passphrase = keyfile_bytes; ++ passphrase_length = keyfile_bytes_size; ++ keyfile_bytes = NULL; /* use it only once */ ++ } ++ else ++ { ++ /* Get the passphrase from the user. */ ++ tmp = NULL; ++ if (source->partition) ++ tmp = grub_partition_get_name (source->partition); ++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, ++ source->partition ? "," : "", tmp ? : "", dev->uuid); ++ grub_free (tmp); ++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ { ++ grub_free (split_key); ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ } ++ ++ passphrase = (grub_uint8_t *)interactive_passphrase; ++ passphrase_length = grub_strlen (interactive_passphrase); + } + +- passphrase = (grub_uint8_t *)interactive_passphrase; +- passphrase_length = grub_strlen (interactive_passphrase); ++ /* Try to recover master key from each active keyslot. */ ++ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) ++ { ++ gcry_err_code_t gcry_err; ++ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; ++ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; ++ ++ /* Check if keyslot is enabled. */ ++ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) ++ continue; ++ ++ grub_dprintf ("luks", "Trying keyslot %d\n", i); ++ ++ /* Calculate the PBKDF2 of the user supplied passphrase. */ ++ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, ++ passphrase_length, ++ header.keyblock[i].passwordSalt, ++ sizeof (header.keyblock[i].passwordSalt), ++ grub_be_to_cpu32 (header.keyblock[i]. ++ passwordIterations), ++ digest, keysize); ++ ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ grub_dprintf ("luks", "PBKDF2 done\n"); ++ ++ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); ++ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); ++ ++ /* Read and decrypt the key material from the disk. */ ++ if (hdr) ++ { ++ grub_file_seek (hdr, sector * 512); ++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (source, sector, 0, length, split_key); ++ if (err) ++ { ++ grub_free (split_key); ++ return err; ++ } ++ ++ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0, ++ GRUB_LUKS1_LOG_SECTOR_SIZE); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ /* Merge the decrypted key material to get the candidate master key. */ ++ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, ++ grub_be_to_cpu32 (header.keyblock[i].stripes)); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ grub_dprintf ("luks", "candidate key recovered\n"); ++ ++ /* Calculate the PBKDF2 of the candidate master key. */ ++ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, ++ grub_be_to_cpu32 (header.keyBytes), ++ header.mkDigestSalt, ++ sizeof (header.mkDigestSalt), ++ grub_be_to_cpu32 ++ (header.mkDigestIterations), ++ candidate_digest, ++ sizeof (candidate_digest)); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ /* Compare the calculated PBKDF2 to the digest stored ++ in the header to see if it's correct. */ ++ if (grub_memcmp (candidate_digest, header.mkDigest, ++ sizeof (header.mkDigest)) != 0) ++ { ++ grub_dprintf ("luks", "bad digest\n"); ++ continue; ++ } ++ ++ /* TRANSLATORS: It's a cryptographic key slot: one element of an array ++ where each element is either empty or holds a key. */ ++ grub_printf_ (N_("Slot %d opened\n"), i); ++ ++ /* Set the master key. */ ++ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } + +- } ++ grub_free (split_key); + +- /* Try to recover master key from each active keyslot. */ +- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) +- { +- gcry_err_code_t gcry_err; +- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; +- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; +- +- /* Check if keyslot is enabled. */ +- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) +- continue; +- +- grub_dprintf ("luks", "Trying keyslot %d\n", i); +- +- /* Calculate the PBKDF2 of the user supplied passphrase. */ +- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, +- passphrase_length, +- header.keyblock[i].passwordSalt, +- sizeof (header.keyblock[i].passwordSalt), +- grub_be_to_cpu32 (header.keyblock[i]. +- passwordIterations), +- digest, keysize); +- +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- grub_dprintf ("luks", "PBKDF2 done\n"); +- +- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); +- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); +- +- /* Read and decrypt the key material from the disk. */ +- if (hdr) +- { +- grub_file_seek (hdr, sector * 512); +- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) +- err = GRUB_ERR_READ_ERROR; ++ return GRUB_ERR_NONE; + } +- else +- err = grub_disk_read (source, sector, 0, length, split_key); +- if (err) +- { +- grub_free (split_key); +- return err; +- } +- +- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0, +- GRUB_LUKS1_LOG_SECTOR_SIZE); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- /* Merge the decrypted key material to get the candidate master key. */ +- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, +- grub_be_to_cpu32 (header.keyblock[i].stripes)); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- grub_dprintf ("luks", "candidate key recovered\n"); +- +- /* Calculate the PBKDF2 of the candidate master key. */ +- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, +- grub_be_to_cpu32 (header.keyBytes), +- header.mkDigestSalt, +- sizeof (header.mkDigestSalt), +- grub_be_to_cpu32 +- (header.mkDigestIterations), +- candidate_digest, +- sizeof (candidate_digest)); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- /* Compare the calculated PBKDF2 to the digest stored +- in the header to see if it's correct. */ +- if (grub_memcmp (candidate_digest, header.mkDigest, +- sizeof (header.mkDigest)) != 0) +- { +- grub_dprintf ("luks", "bad digest\n"); +- continue; +- } +- +- /* TRANSLATORS: It's a cryptographic key slot: one element of an array +- where each element is either empty or holds a key. */ +- grub_printf_ (N_("Slot %d opened\n"), i); +- +- /* Set the master key. */ +- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- grub_free (split_key); +- +- return GRUB_ERR_NONE; ++ grub_printf_ (N_("Failed to decrypt master key.\n")); ++ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts, ++ (attempts==1) ? "" : "s"); + } + + grub_free (split_key); +-- +2.30.0 + diff --git a/0004-Cryptomount-support-plain-dm-crypt.patch b/0004-Cryptomount-support-plain-dm-crypt.patch new file mode 100644 index 000000000000..1ea3232b9b5e --- /dev/null +++ b/0004-Cryptomount-support-plain-dm-crypt.patch @@ -0,0 +1,407 @@ +From a8f9e3dcece89c179e89414abe89985c7ab1e03f Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 22:09:52 +0100 +Subject: [PATCH 4/7] Cryptomount support plain dm-crypt + +Patch modified to take into account a change to context +brought about by c93d3e694713b8230fa2cf88414fabe005b56782 + +grub-core/disk/cryptodisk.c +142c142 +< if (disklast) +--- +> +--- + grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++- + grub-core/disk/luks.c | 195 +---------------------------- + include/grub/cryptodisk.h | 8 ++ + 3 files changed, 310 insertions(+), 191 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 5261af547..7f656f75c 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -45,6 +45,12 @@ static const struct grub_arg_option options[] = + {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, + {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, + {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, ++ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE}, ++ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING}, ++ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING}, ++ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT}, ++ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT}, ++ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -933,6 +939,48 @@ grub_cryptodisk_scan_device (const char *name, + return have_it && search_uuid ? 1 : 0; + } + ++/* Hashes a passphrase into a key and stores it with cipher. */ ++static gcry_err_code_t ++set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase) ++{ ++ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash; ++ char *p; ++ unsigned int round, i; ++ unsigned int len, size; ++ ++ /* Need no passphrase if there's no key */ ++ if (keysize == 0) ++ return GPG_ERR_INV_KEYLEN; ++ ++ /* Hack to support the "none" hash */ ++ if (dev->hash) ++ len = dev->hash->mdlen; ++ else ++ len = grub_strlen (passphrase); ++ ++ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN) ++ return GPG_ERR_INV_KEYLEN; ++ ++ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len); ++ if (!p) ++ return grub_errno; ++ ++ for (round = 0, size = keysize; size; round++, dh += len, size -= len) ++ { ++ for (i = 0; i < round; i++) ++ p[i] = 'A'; ++ ++ grub_strcpy (p + i, passphrase); ++ ++ if (len > size) ++ len = size; ++ ++ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p)); ++ } ++ ++ return grub_cryptodisk_setkey (dev, derived_hash, keysize); ++} ++ + static grub_err_t + grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + { +@@ -1060,7 +1108,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + return GRUB_ERR_NONE; + } + +- err = grub_cryptodisk_scan_device_real (diskname, disk); ++ if (state[7].set) /* Plain mode */ ++ { ++ char *cipher; ++ char *mode; ++ char *digest; ++ int offset, size, key_size; ++ ++ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER); ++ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST); ++ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0; ++ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0; ++ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \ ++ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8; ++ ++ /* no strtok, do it manually */ ++ mode = grub_strchr(cipher,'-'); ++ if (!mode) ++ return GRUB_ERR_BAD_ARGUMENT; ++ else ++ *mode++ = 0; ++ ++ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest); ++ ++ dev->offset_sectors = offset; ++ if (size) dev->total_sectors = size; ++ ++ if (key) ++ { ++ err = grub_cryptodisk_setkey (dev, key, key_size); ++ if (err) ++ return err; ++ } ++ else ++ { ++ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; ++ ++ grub_printf_ (N_("Enter passphrase for %s: "), diskname); ++ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ ++ err = set_passphrase (dev, key_size, passphrase); ++ if (err) ++ { ++ grub_crypto_cipher_close (dev->cipher); ++ return err; ++ } ++ } ++ ++ grub_cryptodisk_insert (dev, diskname, disk); ++ ++ grub_free (cipher); ++ grub_free (digest); ++ ++ err = GRUB_ERR_NONE; ++ } ++ else ++ err = grub_cryptodisk_scan_device_real (diskname, disk); + + grub_disk_close (disk); + if (disklast) +@@ -1193,13 +1297,203 @@ struct grub_procfs_entry luks_script = + .get_contents = luks_script_get + }; + ++grub_cryptodisk_t ++grub_cryptodisk_create (grub_disk_t disk, char *uuid, ++ char *ciphername, char *ciphermode, char *hashspec) ++{ ++ grub_cryptodisk_t newdev; ++ char *cipheriv = NULL; ++ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; ++ grub_crypto_cipher_handle_t essiv_cipher = NULL; ++ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; ++ const struct gcry_cipher_spec *ciph; ++ grub_cryptodisk_mode_t mode; ++ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; ++ int benbi_log = 0; ++ ++ if (!uuid) ++ uuid = (char*)"00000000000000000000000000000000"; ++ ++ ciph = grub_crypto_lookup_cipher_by_name (ciphername); ++ if (!ciph) ++ { ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", ++ ciphername); ++ return NULL; ++ } ++ ++ /* Configure the cipher used for the bulk data. */ ++ cipher = grub_crypto_cipher_open (ciph); ++ if (!cipher) ++ return NULL; ++ ++ /* Configure the cipher mode. */ ++ if (grub_strcmp (ciphermode, "ecb") == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_ECB; ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ cipheriv = NULL; ++ } ++ else if (grub_strcmp (ciphermode, "plain") == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_CBC; ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ cipheriv = NULL; ++ } ++ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_CBC; ++ cipheriv = ciphermode + sizeof ("cbc-") - 1; ++ } ++ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_PCBC; ++ cipheriv = ciphermode + sizeof ("pcbc-") - 1; ++ } ++ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_XTS; ++ cipheriv = ciphermode + sizeof ("xts-") - 1; ++ secondary_cipher = grub_crypto_cipher_open (ciph); ++ if (!secondary_cipher) ++ { ++ grub_crypto_cipher_close (cipher); ++ return NULL; ++ } ++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", ++ cipher->cipher->blocksize); ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", ++ secondary_cipher->cipher->blocksize); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ } ++ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_LRW; ++ cipheriv = ciphermode + sizeof ("lrw-") - 1; ++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", ++ cipher->cipher->blocksize); ++ grub_crypto_cipher_close (cipher); ++ return NULL; ++ } ++ } ++ else ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", ++ ciphermode); ++ return NULL; ++ } ++ ++ if (cipheriv == NULL); ++ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; ++ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) ++ { ++ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) ++ || cipher->cipher->blocksize == 0) ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", ++ cipher->cipher->blocksize); ++ /* FIXME should we return an error here? */ ++ for (benbi_log = 0; ++ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; ++ benbi_log++); ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; ++ } ++ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; ++ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) ++ { ++ char *hash_str = cipheriv + 6; ++ ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; ++ ++ /* Configure the hash and cipher used for ESSIV. */ ++ essiv_hash = grub_crypto_lookup_md_by_name (hash_str); ++ if (!essiv_hash) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, ++ "Couldn't load %s hash", hash_str); ++ return NULL; ++ } ++ essiv_cipher = grub_crypto_cipher_open (ciph); ++ if (!essiv_cipher) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ } ++ else ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", ++ cipheriv); ++ return NULL; ++ } ++ ++ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */ ++ hash = grub_crypto_lookup_md_by_name (hashspec); ++ if (!hash) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (essiv_cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", ++ hashspec); ++ return NULL; ++ } ++ ++ newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); ++ if (!newdev) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (essiv_cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ newdev->cipher = cipher; ++ newdev->offset_sectors = 0; ++ newdev->source_disk = NULL; ++ newdev->benbi_log = benbi_log; ++ newdev->mode = mode; ++ newdev->mode_iv = mode_iv; ++ newdev->secondary_cipher = secondary_cipher; ++ newdev->essiv_cipher = essiv_cipher; ++ newdev->essiv_hash = essiv_hash; ++ newdev->hash = hash; ++ newdev->log_sector_size = 9; ++ newdev->total_sectors = grub_disk_native_sectors (disk) - newdev->offset_sectors; ++ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); ++ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); ++ ++ return newdev; ++} ++ + static grub_extcmd_t cmd; + + GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("SOURCE|-u UUID|-a|-b|-H file"), ++ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 11e437edb..4ebe21b4e 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source, + struct grub_luks_phdr header; + grub_size_t keysize; + grub_uint8_t *split_key = NULL; +- char interactive_passphrase[MAX_PASSPHRASE] = ""; ++ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; + grub_uint8_t *passphrase; + grub_size_t passphrase_length; + grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; +@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source, + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, + source->partition ? "," : "", tmp ? : "", dev->uuid); + grub_free (tmp); +- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) + { + grub_free (split_key); + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 67f6b0b59..bb25ab730 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -54,9 +54,14 @@ typedef enum + #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3) + #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) + #define GRUB_CRYPTODISK_MAX_KEYLEN 128 ++#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256 + + #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 + ++#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256" ++#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160" ++#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256 ++ + struct grub_cryptodisk; + + typedef gcry_err_code_t +@@ -160,4 +165,7 @@ grub_util_get_geli_uuid (const char *dev); + grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid); + grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); + ++grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, ++ char *ciphername, char *ciphermode, char *digest); ++ + #endif +-- +2.16.2 + diff --git a/0004-add-GRUB_COLOR_variables.patch b/0004-add-GRUB_COLOR_variables.patch new file mode 100644 index 000000000000..c113a81d5754 --- /dev/null +++ b/0004-add-GRUB_COLOR_variables.patch @@ -0,0 +1,32 @@ +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index 3390ba9..c416489 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -218,6 +218,8 @@ export GRUB_DEFAULT \ + GRUB_THEME \ + GRUB_GFXPAYLOAD_LINUX \ + GRUB_DISABLE_OS_PROBER \ ++ GRUB_COLOR_NORMAL \ ++ GRUB_COLOR_HIGHLIGHT \ + GRUB_INIT_TUNE \ + GRUB_SAVEDEFAULT \ + GRUB_ENABLE_CRYPTODISK \ +diff --git a/util/grub.d/00_header.in b/util/grub.d/00_header.in +index d2e7252..8259f45 100644 +--- a/util/grub.d/00_header.in ++++ b/util/grub.d/00_header.in +@@ -125,6 +125,14 @@ cat <<EOF + + EOF + ++if [ x$GRUB_COLOR_NORMAL != x ] && [ x$GRUB_COLOR_HIGHLIGHT != x ] ; then ++ cat << EOF ++set menu_color_normal=$GRUB_COLOR_NORMAL ++set menu_color_highlight=$GRUB_COLOR_HIGHLIGHT ++ ++EOF ++fi ++ + serial=0; + gfxterm=0; + for x in ${GRUB_TERMINAL_INPUT} ${GRUB_TERMINAL_OUTPUT}; do diff --git a/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/0005-Cryptomount-support-for-hyphens-in-UUID.patch new file mode 100644 index 000000000000..b875f66ea3ce --- /dev/null +++ b/0005-Cryptomount-support-for-hyphens-in-UUID.patch @@ -0,0 +1,89 @@ +From 0939fef502c4b97d1facc7972a54d5dfeba4ab71 Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 22:48:03 +0100 +Subject: [PATCH 5/7] Cryptomount support for hyphens in UUID + +--- + grub-core/disk/cryptodisk.c | 20 +++++++++++++++++--- + grub-core/disk/luks.c | 26 ++++++++------------------ + include/grub/cryptodisk.h | 2 ++ + 3 files changed, 27 insertions(+), 21 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 7f656f75c..c442d3a34 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -114,6 +114,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b) + } + } + ++int ++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b) ++{ ++ while ((*uuid_a != '\0') && (*uuid_b != '\0')) ++ { ++ while (*uuid_a == '-') uuid_a++; ++ while (*uuid_b == '-') uuid_b++; ++ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break; ++ uuid_a++; ++ uuid_b++; ++ } ++ return (*uuid_a == '\0') && (*uuid_b == '\0'); ++} ++ + static gcry_err_code_t + grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher, + void *out, void *in, grub_size_t size, +@@ -509,8 +523,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk) + if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0) + { + for (dev = cryptodisk_list; dev != NULL; dev = dev->next) +- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0) +- break; ++ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid)) ++ break; + } + else + { +@@ -742,7 +756,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid) + { + grub_cryptodisk_t dev; + for (dev = cryptodisk_list; dev != NULL; dev = dev->next) +- if (grub_strcasecmp (dev->uuid, uuid) == 0) ++ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid)) + return dev; + return NULL; + } +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 4ebe21b4e..80a760670 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + ciphermode[sizeof (header.cipherMode)] = 0; + grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); + hashspec[sizeof (header.hashSpec)] = 0; ++ grub_memcpy (uuid, header.uuid, sizeof (header.uuid)); ++ uuid[sizeof (header.uuid)] = 0; ++ ++ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid)) ++ { ++ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); ++ return NULL; ++ } + + newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec); + +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index bb25ab730..01c02696e 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -168,4 +168,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); + grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, + char *ciphername, char *ciphermode, char *digest); + ++int ++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b); + #endif +-- +2.16.2 + diff --git a/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch new file mode 100644 index 000000000000..9dd806158834 --- /dev/null +++ b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch @@ -0,0 +1,108 @@ +From 908f4282cc934422923ff59836a835e63d6a7117 Mon Sep 17 00:00:00 2001 +From: Paul Gideon Dann <pdgiddie@gmail.com> +Date: Tue, 19 Jul 2016 12:36:37 +0100 +Subject: [PATCH] Add support for using a whole device as a keyfile + +--- + grub-core/disk/cryptodisk.c | 86 +++++++++++++++++++++++++++++-------- + 1 file changed, 68 insertions(+), 18 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index d0388c6d1..c5d8021ba 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -1031,26 +1031,76 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + else + { + keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; +- keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ +- GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; +- +- keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); +- if (!keyfile) +- grub_printf (N_("Unable to open key file %s\n"), state[4].arg); +- else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) +- grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); +- else ++ ++ if (grub_strchr (state[4].arg, '/')) + { +- keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); +- if (keyfile_size == (grub_size_t)-1) +- grub_printf (N_("Error reading key file\n")); +- else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) +- grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), +- (unsigned long long) requested_keyfile_size, +- (unsigned long long) keyfile_size); ++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ ++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; ++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); ++ if (!keyfile) ++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); ++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) ++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); + else +- key = keyfile_buffer; +- } ++ { ++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); ++ if (keyfile_size == (grub_size_t)-1) ++ grub_printf (N_("Error reading key file\n")); ++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) ++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), ++ (unsigned long long) requested_keyfile_size, ++ (unsigned long long) keyfile_size); ++ else ++ key = keyfile_buffer; ++ } ++ } ++ else ++ { ++ grub_disk_t keydisk; ++ char* keydisk_name; ++ grub_err_t err; ++ grub_uint64_t total_sectors; ++ ++ keydisk_name = grub_file_get_device_name(state[4].arg); ++ keydisk = grub_disk_open (keydisk_name); ++ if (!keydisk) ++ { ++ grub_printf (N_("Unable to open disk %s\n"), keydisk_name); ++ goto cleanup_keydisk_name; ++ } ++ ++ total_sectors = grub_disk_native_sectors (keydisk); ++ if (total_sectors == GRUB_DISK_SIZE_UNKNOWN) ++ { ++ grub_printf (N_("Unable to determine size of disk %s\n"), keydisk_name); ++ goto cleanup_keydisk; ++ } ++ ++ keyfile_size = (total_sectors << GRUB_DISK_SECTOR_BITS); ++ if (requested_keyfile_size > 0 && requested_keyfile_size < keyfile_size) ++ keyfile_size = requested_keyfile_size; ++ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) ++ { ++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ ++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); ++ goto cleanup_keydisk; ++ } ++ ++ err = grub_disk_read (keydisk, 0, keyfile_offset, keyfile_size, keyfile_buffer); ++ if (err != GRUB_ERR_NONE) ++ { ++ grub_printf (N_("Failed to read from disk %s\n"), keydisk_name); ++ keyfile_size = 0; ++ goto cleanup_keydisk; ++ } ++ ++ key = keyfile_buffer; ++ ++ cleanup_keydisk: ++ grub_disk_close (keydisk); ++ cleanup_keydisk_name: ++ grub_free (keydisk_name); ++ } + } + } + diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..1c469ff46f40 --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,339 @@ +# Maintainer : Maxim Fomin <(maxim at fomin dot one)> +# Maintainer : Christian Hesse <mail@eworm.de> +# Maintainer : Ronald van Haren <ronald.archlinux.org> +# Contributor: Tobias Powalowski <tpowa@archlinux.org> +# Contributor: Keshav Amburay <(the ddoott ridikulus ddoott rat) (aatt) (gemmaeiil) (ddoott) (ccoomm)> + +## "1" to enable IA32-EFI build in Arch x86_64, "0" to disable +_IA32_EFI_IN_ARCH_X64="1" + +## "1" to enable EMU build, "0" to disable +_GRUB_EMU_BUILD="0" + +_GRUB_EXTRAS_COMMIT="8a245d5c1800627af4cefa99162a89c7a46d8842" +_GNULIB_COMMIT="be584c56eb1311606e5ea1a36363b97bddb6eed3" +_UNIFONT_VER="13.0.05" + +[[ "${CARCH}" == "x86_64" ]] && _EFI_ARCH="x86_64" +[[ "${CARCH}" == "i686" ]] && _EFI_ARCH="i386" + +[[ "${CARCH}" == "x86_64" ]] && _EMU_ARCH="x86_64" +[[ "${CARCH}" == "i686" ]] && _EMU_ARCH="i386" + +pkgname='grub-luks-keyfile-git' +pkgdesc='GNU GRand Unified Bootloader (2)' +epoch=2 +pkgver=2.05 +pkgrel=1 +url='https://www.gnu.org/software/grub/' +arch=('x86_64') +license=('GPL3') +backup=('etc/grub.d/40_custom') +options=('!makeflags') + +conflicts=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}" 'grub-legacy') +replaces=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}") +provides=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}") + +makedepends=('git' 'rsync' 'xz' 'freetype2' 'ttf-dejavu' 'python' 'autogen' + 'texinfo' 'help2man' 'gettext' 'device-mapper' 'fuse2') +depends=('sh' 'xz' 'gettext' 'device-mapper') +optdepends=('freetype2: For grub-mkfont usage' + 'fuse2: For grub-mount usage' + 'dosfstools: For grub-mkrescue FAT FS and EFI support' + 'efibootmgr: For grub-install EFI support' + 'libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue' + 'os-prober: To detect other OSes when generating grub.cfg in BIOS systems' + 'mtools: For grub-mkrescue FAT FS support') + +if [[ "${_GRUB_EMU_BUILD}" == "1" ]]; then + makedepends+=('libusbx' 'sdl') + optdepends+=('libusbx: For grub-emu USB support' + 'sdl: For grub-emu SDL support') +fi + +validpgpkeys=('E53D497F3FA42AD8C9B4D1E835A93B74E82E4209' # Vladimir 'phcoder' Serbinenko <phcoder@gmail.com> + 'BE5C23209ACDDACEB20DB0A28C8189F1988C2166' # Daniel Kiper <dkiper@net-space.pl> + '95D2E9AB8740D8046387FD151A09227B1F435A33') # Paul Hardy <unifoundry@unifoundry.com> + +source=("git+https://git.savannah.gnu.org/git/grub.git" + "git+https://git.savannah.gnu.org/git/grub-extras.git#commit=${_GRUB_EXTRAS_COMMIT}" + "git+https://git.savannah.gnu.org/git/gnulib.git#commit=${_GNULIB_COMMIT}" + "https://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz"{,.sig} + '0003-10_linux-detect-archlinux-initramfs.patch' + '0004-add-GRUB_COLOR_variables.patch' + '0001-Cryptomount-support-LUKS-detached-header.patch' + '0002-Cryptomount-support-key-files.patch' + '0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch' + '0004-Cryptomount-support-plain-dm-crypt.patch' + '0005-Cryptomount-support-for-hyphens-in-UUID.patch' + '0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch') + +sha256sums=('SKIP' + 'SKIP' + 'SKIP' + 'c4e61e9336d8d024479ea72616722c6c47c93f76dc173e8ad3edf9f9e07c3115' + 'SKIP' + '171415ab075d1ac806f36c454feeb060f870416f24279b70104bba94bd6076d4' + 'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29' + 'b9d737d1b403b540a00a8e9c25240a06bb371da7588d3e665af8543397724698' + '5d7060fbe9738764d2f8ebc96b43cc0bb8939c2e4e4e78b7a82a1a149ea6e837' + '3e373bcb7847326ae14365e7443f900559f35f4f9ba2e5e69d034f4423fc45bb' + '9ff4aba657d3826a510c57ce44d7582c4e4c72eb32a59ffd2b09e923202750ed' + '6f58b01eb9adcc6864e09a4ecaa728f19ee2c9a7ecf4cf20fd17fc5ec327f19c' + '4739a472c609df2528ac30e502a9f1b77fd1517af551c6bcbd35ba57b81da827') + +_backports=( + # grub-mkconfig: Use portable "command -v" to detect installed programs + '28a7e597de0d5584f65e36f9588ff9041936e617' +) + +_configure_options=( + FREETYPE="pkg-config freetype2" + BUILD_FREETYPE="pkg-config freetype2" + --enable-mm-debug + --enable-nls + --enable-device-mapper + --enable-cache-stats + --enable-grub-mkfont + --enable-grub-mount + --prefix="/usr" + --bindir="/usr/bin" + --sbindir="/usr/bin" + --mandir="/usr/share/man" + --infodir="/usr/share/info" + --datarootdir="/usr/share" + --sysconfdir="/etc" + --program-prefix="" + --with-bootdir="/boot" + --with-grubdir="grub" + --disable-silent-rules + --disable-werror +) + +prepare() { + cd "${srcdir}/grub/" + + echo "Apply backports..." + local _c + for _c in "${_backports[@]}"; do + git log --oneline -1 "${_c}" + git cherry-pick -n "${_c}" + done + + echo "Patch to detect of Arch Linux initramfs images by grub-mkconfig..." + patch -Np1 -i "${srcdir}/0003-10_linux-detect-archlinux-initramfs.patch" + + echo "Patch to enable GRUB_COLOR_* variables in grub-mkconfig..." + ## Based on http://lists.gnu.org/archive/html/grub-devel/2012-02/msg00021.html + patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch" + + echo "Patch to enable LUKS detached header support..." + patch -Np1 -i "${srcdir}/0001-Cryptomount-support-LUKS-detached-header.patch" + + echo "Patch to enable LUKS key files support ..." + patch -Np1 -i "${srcdir}/0002-Cryptomount-support-key-files.patch" + + echo "Patch to enable multiple passphrase attempts support..." + patch -Np1 -i "${srcdir}/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch" + + echo "Patch to enable plain dm-crypt mode support..." + patch -Np1 -i "${srcdir}/0004-Cryptomount-support-plain-dm-crypt.patch" + + echo "Patch to enable hyphens in UUID support..." + patch -Np1 -i "${srcdir}/0005-Cryptomount-support-for-hyphens-in-UUID.patch" + + echo "Patch to enable whole device as keyfile support ..." + patch -Np1 -i "${srcdir}/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch" + + echo "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme..." + sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac" + + echo "Fix mkinitcpio 'rw' FS#36275..." + sed 's| ro | rw |g' -i "util/grub.d/10_linux.in" + + echo "Fix OS naming FS#33393..." + sed 's|GNU/Linux|Linux|' -i "util/grub.d/10_linux.in" + + echo "Pull in latest language files..." + ./linguas.sh + + echo "Avoid problem with unifont during compile of grub..." + # http://savannah.gnu.org/bugs/?40330 and https://bugs.archlinux.org/task/37847 + gzip -cd "${srcdir}/unifont-${_UNIFONT_VER}.bdf.gz" > "unifont.bdf" + + echo "Run bootstrap..." + ./bootstrap \ + --gnulib-srcdir="${srcdir}/gnulib/" \ + --no-git + + echo "Make translations reproducible..." + sed -i '1i /^PO-Revision-Date:/ d' po/*.sed +} + +_build_grub-common_and_bios() { + echo "Set ARCH dependent variables for bios build..." + if [[ "${CARCH}" == 'x86_64' ]]; then + _EFIEMU="--enable-efiemu" + else + _EFIEMU="--disable-efiemu" + fi + + echo "Copy the source for building the bios part..." + cp -r "${srcdir}/grub/" "${srcdir}/grub-bios/" + cd "${srcdir}/grub-bios/" + + echo "Add the grub-extra sources for bios build..." + install -d "${srcdir}/grub-bios/grub-extras" + cp -r "${srcdir}/grub-extras/915resolution" \ + "${srcdir}/grub-bios/grub-extras/915resolution" + export GRUB_CONTRIB="${srcdir}/grub-bios/grub-extras/" + + echo "Unset all compiler FLAGS for bios build..." + unset CFLAGS + unset CPPFLAGS + unset CXXFLAGS + unset LDFLAGS + unset MAKEFLAGS + + echo "Run ./configure for bios build..." + ./configure \ + --with-platform="pc" \ + --target="i386" \ + "${_EFIEMU}" \ + --enable-boot-time \ + "${_configure_options[@]}" + + if [ ! -z "${SOURCE_DATE_EPOCH}" ]; then + echo "Make info pages reproducible..." + touch -d "@${SOURCE_DATE_EPOCH}" $(find -name '*.texi') + fi + + echo "Run make for bios build..." + make +} + +_build_grub-efi() { + echo "Copy the source for building the ${_EFI_ARCH} efi part..." + cp -r "${srcdir}/grub/" "${srcdir}/grub-efi-${_EFI_ARCH}/" + cd "${srcdir}/grub-efi-${_EFI_ARCH}/" + + echo "Unset all compiler FLAGS for ${_EFI_ARCH} efi build..." + unset CFLAGS + unset CPPFLAGS + unset CXXFLAGS + unset LDFLAGS + unset MAKEFLAGS + + echo "Run ./configure for ${_EFI_ARCH} efi build..." + ./configure \ + --with-platform="efi" \ + --target="${_EFI_ARCH}" \ + --disable-efiemu \ + --enable-boot-time \ + "${_configure_options[@]}" + + echo "Run make for ${_EFI_ARCH} efi build..." + make +} + +_build_grub-emu() { + echo "Copy the source for building the emu part..." + cp -r "${srcdir}/grub/" "${srcdir}/grub-emu/" + cd "${srcdir}/grub-emu/" + + echo "Unset all compiler FLAGS for emu build..." + unset CFLAGS + unset CPPFLAGS + unset CXXFLAGS + unset LDFLAGS + unset MAKEFLAGS + + echo "Run ./configure for emu build..." + ./configure \ + --with-platform="emu" \ + --target="${_EMU_ARCH}" \ + --enable-grub-emu-usb=no \ + --enable-grub-emu-sdl=no \ + --disable-grub-emu-pci \ + "${_configure_options[@]}" + + echo "Run make for emu build..." + make +} + +build() { + cd "${srcdir}/grub/" + + echo "Build grub bios stuff..." + _build_grub-common_and_bios + + echo "Build grub ${_EFI_ARCH} efi stuff..." + _build_grub-efi + + if [[ "${CARCH}" == "x86_64" ]] && [[ "${_IA32_EFI_IN_ARCH_X64}" == "1" ]]; then + echo "Build grub i386 efi stuff..." + _EFI_ARCH="i386" _build_grub-efi + fi + + if [[ "${_GRUB_EMU_BUILD}" == "1" ]]; then + echo "Build grub emu stuff..." + _build_grub-emu + fi +} + +_package_grub-common_and_bios() { + cd "${srcdir}/grub-bios/" + + echo "Run make install for bios build..." + make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install + + echo "Remove gdb debugging related files for bios build..." + rm -f "${pkgdir}/usr/lib/grub/i386-pc"/*.module || true + rm -f "${pkgdir}/usr/lib/grub/i386-pc"/*.image || true + rm -f "${pkgdir}/usr/lib/grub/i386-pc"/{kernel.exec,gdb_grub,gmodule.pl} || true +} + +_package_grub-efi() { + cd "${srcdir}/grub-efi-${_EFI_ARCH}/" + + echo "Run make install for ${_EFI_ARCH} efi build..." + make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install + + echo "Remove gdb debugging related files for ${_EFI_ARCH} efi build..." + rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/*.module || true + rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/*.image || true + rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/{kernel.exec,gdb_grub,gmodule.pl} || true +} + +_package_grub-emu() { + cd "${srcdir}/grub-emu/" + + echo "Run make install for emu build..." + make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install + + echo "Remove gdb debugging related files for emu build..." + rm -f "${pkgdir}/usr/lib/grub/${_EMU_ARCH}-emu"/*.module || true + rm -f "${pkgdir}/usr/lib/grub/${_EMU_ARCH}-emu"/*.image || true + rm -f "${pkgdir}/usr/lib/grub/${_EMU_ARCH}-emu"/{kernel.exec,gdb_grub,gmodule.pl} || true +} + +package() { + cd "${srcdir}/grub/" + + echo "Package grub ${_EFI_ARCH} efi stuff..." + _package_grub-efi + + if [[ "${CARCH}" == "x86_64" ]] && [[ "${_IA32_EFI_IN_ARCH_X64}" == "1" ]]; then + echo "Package grub i386 efi stuff..." + _EFI_ARCH="i386" _package_grub-efi + fi + + if [[ "${_GRUB_EMU_BUILD}" == "1" ]]; then + echo "Package grub emu stuff..." + _package_grub-emu + fi + + echo "Package grub bios stuff..." + _package_grub-common_and_bios +} |