summarylogtreecommitdiffstats
path: root/0002-Cryptomount-support-key-files.patch
diff options
context:
space:
mode:
Diffstat (limited to '0002-Cryptomount-support-key-files.patch')
-rw-r--r--0002-Cryptomount-support-key-files.patch205
1 files changed, 205 insertions, 0 deletions
diff --git a/0002-Cryptomount-support-key-files.patch b/0002-Cryptomount-support-key-files.patch
new file mode 100644
index 000000000000..43af5ff3cbf9
--- /dev/null
+++ b/0002-Cryptomount-support-key-files.patch
@@ -0,0 +1,205 @@
+From df3aa34cc68b128c5441ee25ef092e6c2c87392e Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Fri, 26 Jun 2015 13:37:10 +0100
+Subject: [PATCH 2/7] Cryptomount support key files
+
+---
+ grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-
+ grub-core/disk/geli.c | 4 +++-
+ grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++--------------
+ include/grub/cryptodisk.h | 5 ++++-
+ 4 files changed, 82 insertions(+), 17 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5230a5a9a..5261af547 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
+ {"all", 'a', 0, N_("Mount all."), 0, 0},
+ {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
+ {0, 0, 0, 0, 0, 0}
+ };
+
+@@ -811,6 +814,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
+ static int check_boot, have_it;
+ static char *search_uuid;
+ static grub_file_t hdr;
++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
++static grub_size_t keyfile_size;
+
+ static void
+ cryptodisk_close (grub_cryptodisk_t dev)
+@@ -841,7 +846,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
+ if (!dev)
+ continue;
+
+- err = cr->recover_key (source, dev, hdr);
++ err = cr->recover_key (source, dev, hdr, key, keyfile_size);
+ if (err)
+ {
+ cryptodisk_close (dev);
+@@ -949,6 +954,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ hdr = NULL;
+
+ have_it = 0;
++ key = NULL;
++
++ if (state[4].set) /* Key file; fails back to passphrase entry */
++ {
++ grub_file_t keyfile;
++ int keyfile_offset;
++ grub_size_t requested_keyfile_size;
++
++ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0;
++
++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
++ else
++ {
++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
++
++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE);
++ if (!keyfile)
++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
++ else
++ {
++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
++ if (keyfile_size == (grub_size_t)-1)
++ grub_printf (N_("Error reading key file\n"));
++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
++ (unsigned long long) requested_keyfile_size,
++ (unsigned long long) keyfile_size);
++ else
++ key = keyfile_buffer;
++ }
++ }
++ }
++
+ if (state[0].set)
+ {
+ grub_cryptodisk_t dev;
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index f4394eb42..da6aa6a63 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+
+ static grub_err_t
+ recover_key (grub_disk_t source, grub_cryptodisk_t dev,
+- grub_file_t hdr __attribute__ ((unused)) )
++ grub_file_t hdr __attribute__ ((unused)),
++ grub_uint8_t *key __attribute__ ((unused)),
++ grub_size_t keyfile_size __attribute__ ((unused)) )
+ {
+ grub_size_t keysize;
+ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 66e64c0e0..588236888 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ static grub_err_t
+ luks_recover_key (grub_disk_t source,
+ grub_cryptodisk_t dev,
+- grub_file_t hdr)
++ grub_file_t hdr,
++ grub_uint8_t *keyfile_bytes,
++ grub_size_t keyfile_bytes_size)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+ grub_uint8_t *split_key = NULL;
+- char passphrase[MAX_PASSPHRASE] = "";
++ char interactive_passphrase[MAX_PASSPHRASE] = "";
++ grub_uint8_t *passphrase;
++ grub_size_t passphrase_length;
+ grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
+ unsigned i;
+ grub_size_t length;
+@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source,
+ if (!split_key)
+ return grub_errno;
+
+- /* Get the passphrase from the user. */
+- tmp = NULL;
+- if (source->partition)
+- tmp = grub_partition_get_name (source->partition);
+- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+- source->partition ? "," : "", tmp ? : "",
+- dev->uuid);
+- grub_free (tmp);
+- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
++ if (keyfile_bytes)
+ {
+- grub_free (split_key);
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ /* Use bytestring from key file as passphrase */
++ passphrase = keyfile_bytes;
++ passphrase_length = keyfile_bytes_size;
++ }
++ else
++ {
++ /* Get the passphrase from the user. */
++ tmp = NULL;
++ if (source->partition)
++ tmp = grub_partition_get_name (source->partition);
++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++ source->partition ? "," : "", tmp ? : "", dev->uuid);
++ grub_free (tmp);
++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ {
++ grub_free (split_key);
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ }
++
++ passphrase = (grub_uint8_t *)interactive_passphrase;
++ passphrase_length = grub_strlen (interactive_passphrase);
++
+ }
+
+ /* Try to recover master key from each active keyslot. */
+@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source,
+
+ /* Calculate the PBKDF2 of the user supplied passphrase. */
+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+- grub_strlen (passphrase),
++ passphrase_length,
+ header.keyblock[i].passwordSalt,
+ sizeof (header.keyblock[i].passwordSalt),
+ grub_be_to_cpu32 (header.keyblock[i].
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index 4e6e89a93..67f6b0b59 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -55,6 +55,8 @@ typedef enum
+ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
+ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
+
++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
++
+ struct grub_cryptodisk;
+
+ typedef gcry_err_code_t
+@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev
+
+ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+ int boot_only, grub_file_t hdr);
+- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
++ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+
+--
+2.16.2
+