aboutsummaryrefslogtreecommitdiff
path: root/resources/grub
diff options
context:
space:
mode:
authorKlemens Nanni <contact@autoboot.org>2015-09-15 15:44:08 +0200
committerFrancis Rowe <info@gluglug.org.uk>2015-10-07 12:11:03 +0100
commitf2f83c051c33a0446f13b66d6ba0146580a4552e (patch)
treef66e0ba60bf351159de00e8d72fa94f476acb609 /resources/grub
parentb66edef4fd1c4424238ca30ff6ff78fe3e032eac (diff)
downloadlibrebootfr-f2f83c051c33a0446f13b66d6ba0146580a4552e.tar.gz
librebootfr-f2f83c051c33a0446f13b66d6ba0146580a4552e.zip
GRUB2: Cryptomount enhancements, grub.johnlane.ie
Diffstat (limited to 'resources/grub')
-rw-r--r--resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch247
-rw-r--r--resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch205
-rw-r--r--resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch329
-rw-r--r--resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch636
-rw-r--r--resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch122
5 files changed, 1539 insertions, 0 deletions
diff --git a/resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch b/resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch
new file mode 100644
index 00000000..ed27dc49
--- /dev/null
+++ b/resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch
@@ -0,0 +1,247 @@
+From 5c643ba894421ac78c3fe18ff9548d8e9fa82ed4 Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Tue, 23 Jun 2015 11:16:30 +0100
+Subject: [PATCH 1/5] Cryptomount support LUKS detached header
+
+---
+ grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++----
+ grub-core/disk/geli.c | 7 +++++--
+ grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++--------
+ include/grub/cryptodisk.h | 5 +++--
+ 4 files changed, 63 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 82a3dcb..6f596a0 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -40,6 +40,7 @@ static const struct grub_arg_option options[] =
+ /* TRANSLATORS: It's still restricted to cryptodisks only. */
+ {"all", 'a', 0, N_("Mount all."), 0, 0},
+ {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
++ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
+ {0, 0, 0, 0, 0, 0}
+ };
+
+@@ -803,6 +804,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
+
+ static int check_boot, have_it;
+ static char *search_uuid;
++static grub_file_t hdr;
+
+ static void
+ cryptodisk_close (grub_cryptodisk_t dev)
+@@ -827,13 +829,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
+
+ FOR_CRYPTODISK_DEVS (cr)
+ {
+- dev = cr->scan (source, search_uuid, check_boot);
++ dev = cr->scan (source, search_uuid, check_boot, hdr);
+ if (grub_errno)
+ return grub_errno;
+ if (!dev)
+ continue;
+
+- err = cr->recover_key (source, dev);
++ err = cr->recover_key (source, dev, hdr);
+ if (err)
+ {
+ cryptodisk_close (dev);
+@@ -874,7 +876,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
+
+ FOR_CRYPTODISK_DEVS (cr)
+ {
+- dev = cr->scan (source, search_uuid, check_boot);
++ dev = cr->scan (source, search_uuid, check_boot,0);
+ if (grub_errno)
+ return grub_errno;
+ if (!dev)
+@@ -928,6 +930,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ if (argc < 1 && !state[1].set && !state[2].set)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
+
++ if (state[3].set) /* LUKS detached header */
++ {
++ if (state[0].set) /* Cannot use UUID lookup with detached header */
++ return GRUB_ERR_BAD_ARGUMENT;
++
++ hdr = grub_file_open (state[3].arg);
++ if (!hdr)
++ return grub_errno;
++ }
++ else
++ hdr = NULL;
++
+ have_it = 0;
+ if (state[0].set)
+ {
+@@ -1125,7 +1139,7 @@ GRUB_MOD_INIT (cryptodisk)
+ {
+ grub_disk_dev_register (&grub_cryptodisk_dev);
+ cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
+- N_("SOURCE|-u UUID|-a|-b"),
++ N_("SOURCE|-u UUID|-a|-b|-H file"),
+ N_("Mount a crypto device."), options);
+ grub_procfs_register ("luks_script", &luks_script);
+ }
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index e9d2329..f4394eb 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -52,6 +52,7 @@
+ #include <grub/dl.h>
+ #include <grub/err.h>
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
+@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
+
+ static grub_cryptodisk_t
+ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+- int boot_only)
++ int boot_only,
++ grub_file_t hdr __attribute__ ((unused)) )
+ {
+ grub_cryptodisk_t newdev;
+ struct grub_geli_phdr header;
+@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ }
+
+ static grub_err_t
+-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
++recover_key (grub_disk_t source, grub_cryptodisk_t dev,
++ grub_file_t hdr __attribute__ ((unused)) )
+ {
+ grub_size_t keysize;
+ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 86c50c6..66e64c0 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -23,6 +23,7 @@
+ #include <grub/dl.h>
+ #include <grub/err.h>
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
+@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
+
+ static grub_cryptodisk_t
+ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+- int check_boot)
++ int check_boot, grub_file_t hdr)
+ {
+ grub_cryptodisk_t newdev;
+ const char *iptr;
+@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ int benbi_log = 0;
+ grub_err_t err;
+
++ err = GRUB_ERR_NONE;
++
+ if (check_boot)
+ return NULL;
+
+ /* Read the LUKS header. */
+- err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
++ if (hdr)
++ {
++ grub_file_seek (hdr, 0);
++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
++
+ if (err)
+ {
+ if (err == GRUB_ERR_OUT_OF_RANGE)
+@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
+ newdev->modname = "luks";
+ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
++
+ return newdev;
+ }
+
+ static grub_err_t
+ luks_recover_key (grub_disk_t source,
+- grub_cryptodisk_t dev)
++ grub_cryptodisk_t dev,
++ grub_file_t hdr)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source,
+ grub_err_t err;
+ grub_size_t max_stripes = 1;
+ char *tmp;
++ grub_uint32_t sector;
++
++ err = GRUB_ERR_NONE;
++
++ if (hdr)
++ {
++ grub_file_seek (hdr, 0);
++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (source, 0, 0, sizeof (header), &header);
+
+- err = grub_disk_read (source, 0, 0, sizeof (header), &header);
+ if (err)
+ return err;
+
+@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source,
+ return grub_crypto_gcry_error (gcry_err);
+ }
+
++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
+ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
+
+ /* Read and decrypt the key material from the disk. */
+- err = grub_disk_read (source,
+- grub_be_to_cpu32 (header.keyblock
+- [i].keyMaterialOffset), 0,
+- length, split_key);
++ if (hdr)
++ {
++ grub_file_seek (hdr, sector * 512);
++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (source, sector, 0, length, split_key);
+ if (err)
+ {
+ grub_free (split_key);
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index f2ad2a7..16dee3c 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -20,6 +20,7 @@
+ #define GRUB_CRYPTODISK_HEADER 1
+
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/list.h>
+ #ifdef GRUB_UTIL
+@@ -106,8 +107,8 @@ struct grub_cryptodisk_dev
+ struct grub_cryptodisk_dev **prev;
+
+ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+- int boot_only);
+- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
++ int boot_only, grub_file_t hdr);
++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+
+--
+2.1.2
+
diff --git a/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch b/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch
new file mode 100644
index 00000000..c4302e8a
--- /dev/null
+++ b/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch
@@ -0,0 +1,205 @@
+From 802a23fc503a3c09f167883f05c759471243b4d3 Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Fri, 26 Jun 2015 13:37:10 +0100
+Subject: [PATCH 2/5] Cryptomount support key files
+
+---
+ grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-
+ grub-core/disk/geli.c | 4 +++-
+ grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++--------------
+ include/grub/cryptodisk.h | 5 ++++-
+ 4 files changed, 82 insertions(+), 17 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 6f596a0..a27e70c 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -41,6 +41,9 @@ static const struct grub_arg_option options[] =
+ {"all", 'a', 0, N_("Mount all."), 0, 0},
+ {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING},
++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
+ {0, 0, 0, 0, 0, 0}
+ };
+
+@@ -805,6 +808,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
+ static int check_boot, have_it;
+ static char *search_uuid;
+ static grub_file_t hdr;
++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
++static grub_size_t keyfile_size;
+
+ static void
+ cryptodisk_close (grub_cryptodisk_t dev)
+@@ -835,7 +840,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
+ if (!dev)
+ continue;
+
+- err = cr->recover_key (source, dev, hdr);
++ err = cr->recover_key (source, dev, hdr, key, keyfile_size);
+ if (err)
+ {
+ cryptodisk_close (dev);
+@@ -943,6 +948,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ hdr = NULL;
+
+ have_it = 0;
++ key = NULL;
++
++ if (state[4].set) /* Key file; fails back to passphrase entry */
++ {
++ grub_file_t keyfile;
++ int keyfile_offset;
++ grub_size_t requested_keyfile_size;
++
++ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0;
++
++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \
++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
++ else
++ {
++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0;
++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \
++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE;
++
++ keyfile = grub_file_open (state[4].arg);
++ if (!keyfile)
++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg);
++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset);
++ else
++ {
++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size);
++ if (keyfile_size == (grub_size_t)-1)
++ grub_printf (N_("Error reading key file\n"));
++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size))
++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"),
++ (unsigned long long) requested_keyfile_size,
++ (unsigned long long) keyfile_size);
++ else
++ key = keyfile_buffer;
++ }
++ }
++ }
++
+ if (state[0].set)
+ {
+ grub_cryptodisk_t dev;
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index f4394eb..da6aa6a 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+
+ static grub_err_t
+ recover_key (grub_disk_t source, grub_cryptodisk_t dev,
+- grub_file_t hdr __attribute__ ((unused)) )
++ grub_file_t hdr __attribute__ ((unused)),
++ grub_uint8_t *key __attribute__ ((unused)),
++ grub_size_t keyfile_size __attribute__ ((unused)) )
+ {
+ grub_size_t keysize;
+ grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 66e64c0..5882368 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ static grub_err_t
+ luks_recover_key (grub_disk_t source,
+ grub_cryptodisk_t dev,
+- grub_file_t hdr)
++ grub_file_t hdr,
++ grub_uint8_t *keyfile_bytes,
++ grub_size_t keyfile_bytes_size)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+ grub_uint8_t *split_key = NULL;
+- char passphrase[MAX_PASSPHRASE] = "";
++ char interactive_passphrase[MAX_PASSPHRASE] = "";
++ grub_uint8_t *passphrase;
++ grub_size_t passphrase_length;
+ grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
+ unsigned i;
+ grub_size_t length;
+@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source,
+ if (!split_key)
+ return grub_errno;
+
+- /* Get the passphrase from the user. */
+- tmp = NULL;
+- if (source->partition)
+- tmp = grub_partition_get_name (source->partition);
+- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+- source->partition ? "," : "", tmp ? : "",
+- dev->uuid);
+- grub_free (tmp);
+- if (!grub_password_get (passphrase, MAX_PASSPHRASE))
++ if (keyfile_bytes)
+ {
+- grub_free (split_key);
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ /* Use bytestring from key file as passphrase */
++ passphrase = keyfile_bytes;
++ passphrase_length = keyfile_bytes_size;
++ }
++ else
++ {
++ /* Get the passphrase from the user. */
++ tmp = NULL;
++ if (source->partition)
++ tmp = grub_partition_get_name (source->partition);
++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++ source->partition ? "," : "", tmp ? : "", dev->uuid);
++ grub_free (tmp);
++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ {
++ grub_free (split_key);
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ }
++
++ passphrase = (grub_uint8_t *)interactive_passphrase;
++ passphrase_length = grub_strlen (interactive_passphrase);
++
+ }
+
+ /* Try to recover master key from each active keyslot. */
+@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source,
+
+ /* Calculate the PBKDF2 of the user supplied passphrase. */
+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+- grub_strlen (passphrase),
++ passphrase_length,
+ header.keyblock[i].passwordSalt,
+ sizeof (header.keyblock[i].passwordSalt),
+ grub_be_to_cpu32 (header.keyblock[i].
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index 16dee3c..0299625 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -55,6 +55,8 @@ typedef enum
+ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
+ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
+
++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
++
+ struct grub_cryptodisk;
+
+ typedef gcry_err_code_t
+@@ -108,7 +110,8 @@ struct grub_cryptodisk_dev
+
+ grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+ int boot_only, grub_file_t hdr);
+- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr);
++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
++ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+
+--
+2.1.2
+
diff --git a/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
new file mode 100644
index 00000000..5ed8b276
--- /dev/null
+++ b/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
@@ -0,0 +1,329 @@
+From 3e2ffefe1edbbd874ca18ac397a14465d1ac49be Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Fri, 26 Jun 2015 13:49:58 +0100
+Subject: [PATCH 3/5] Cryptomount luks allow multiple passphrase attempts
+
+---
+ grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------
+ 1 file changed, 143 insertions(+), 135 deletions(-)
+
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 5882368..11e437e 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+
+ static grub_err_t
+ luks_recover_key (grub_disk_t source,
+- grub_cryptodisk_t dev,
+- grub_file_t hdr,
+- grub_uint8_t *keyfile_bytes,
+- grub_size_t keyfile_bytes_size)
++ grub_cryptodisk_t dev,
++ grub_file_t hdr,
++ grub_uint8_t *keyfile_bytes,
++ grub_size_t keyfile_bytes_size)
+ {
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source,
+ grub_size_t max_stripes = 1;
+ char *tmp;
+ grub_uint32_t sector;
++ unsigned attempts = 2;
+
+ err = GRUB_ERR_NONE;
+
+@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source,
+
+ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
+ if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED
+- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
++ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
+ max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
+
+ split_key = grub_malloc (keysize * max_stripes);
+ if (!split_key)
+ return grub_errno;
+
+- if (keyfile_bytes)
++ while (attempts)
+ {
+- /* Use bytestring from key file as passphrase */
+- passphrase = keyfile_bytes;
+- passphrase_length = keyfile_bytes_size;
+- }
+- else
+- {
+- /* Get the passphrase from the user. */
+- tmp = NULL;
+- if (source->partition)
+- tmp = grub_partition_get_name (source->partition);
+- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+- source->partition ? "," : "", tmp ? : "", dev->uuid);
+- grub_free (tmp);
+- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ if (keyfile_bytes)
+ {
+- grub_free (split_key);
+- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+- }
+-
+- passphrase = (grub_uint8_t *)interactive_passphrase;
+- passphrase_length = grub_strlen (interactive_passphrase);
+-
+- }
+-
+- /* Try to recover master key from each active keyslot. */
+- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
+- {
+- gcry_err_code_t gcry_err;
+- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
+-
+- /* Check if keyslot is enabled. */
+- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
+- continue;
+-
+- grub_dprintf ("luks", "Trying keyslot %d\n", i);
+-
+- /* Calculate the PBKDF2 of the user supplied passphrase. */
+- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+- passphrase_length,
+- header.keyblock[i].passwordSalt,
+- sizeof (header.keyblock[i].passwordSalt),
+- grub_be_to_cpu32 (header.keyblock[i].
+- passwordIterations),
+- digest, keysize);
+-
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- grub_dprintf ("luks", "PBKDF2 done\n");
+-
+- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
+- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
+-
+- /* Read and decrypt the key material from the disk. */
+- if (hdr)
+- {
+- grub_file_seek (hdr, sector * 512);
+- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
+- err = GRUB_ERR_READ_ERROR;
++ /* Use bytestring from key file as passphrase */
++ passphrase = keyfile_bytes;
++ passphrase_length = keyfile_bytes_size;
++ keyfile_bytes = NULL; /* use it only once */
+ }
+ else
+- err = grub_disk_read (source, sector, 0, length, split_key);
+- if (err)
+- {
+- grub_free (split_key);
+- return err;
+- }
+-
+- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- /* Merge the decrypted key material to get the candidate master key. */
+- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
+- grub_be_to_cpu32 (header.keyblock[i].stripes));
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- grub_dprintf ("luks", "candidate key recovered\n");
+-
+- /* Calculate the PBKDF2 of the candidate master key. */
+- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
+- grub_be_to_cpu32 (header.keyBytes),
+- header.mkDigestSalt,
+- sizeof (header.mkDigestSalt),
+- grub_be_to_cpu32
+- (header.mkDigestIterations),
+- candidate_digest,
+- sizeof (candidate_digest));
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
+-
+- /* Compare the calculated PBKDF2 to the digest stored
+- in the header to see if it's correct. */
+- if (grub_memcmp (candidate_digest, header.mkDigest,
+- sizeof (header.mkDigest)) != 0)
+- {
+- grub_dprintf ("luks", "bad digest\n");
+- continue;
+- }
++ {
++ /* Get the passphrase from the user. */
++ tmp = NULL;
++ if (source->partition)
++ tmp = grub_partition_get_name (source->partition);
++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++ source->partition ? "," : "", tmp ? : "", dev->uuid);
++ grub_free (tmp);
++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ {
++ grub_free (split_key);
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++ }
++
++ passphrase = (grub_uint8_t *)interactive_passphrase;
++ passphrase_length = grub_strlen (interactive_passphrase);
+
+- /* TRANSLATORS: It's a cryptographic key slot: one element of an array
+- where each element is either empty or holds a key. */
+- grub_printf_ (N_("Slot %d opened\n"), i);
++ }
+
+- /* Set the master key. */
+- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
+- if (gcry_err)
+- {
+- grub_free (split_key);
+- return grub_crypto_gcry_error (gcry_err);
+- }
++ /* Try to recover master key from each active keyslot. */
++ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
++ {
++ gcry_err_code_t gcry_err;
++ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
++ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
++
++ /* Check if keyslot is enabled. */
++ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
++ continue;
++
++ grub_dprintf ("luks", "Trying keyslot %d\n", i);
++
++ /* Calculate the PBKDF2 of the user supplied passphrase. */
++ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
++ passphrase_length,
++ header.keyblock[i].passwordSalt,
++ sizeof (header.keyblock[i].passwordSalt),
++ grub_be_to_cpu32 (header.keyblock[i].
++ passwordIterations),
++ digest, keysize);
++
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ grub_dprintf ("luks", "PBKDF2 done\n");
++
++ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
++ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
++
++ /* Read and decrypt the key material from the disk. */
++ if (hdr)
++ {
++ grub_file_seek (hdr, sector * 512);
++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
++ err = GRUB_ERR_READ_ERROR;
++ }
++ else
++ err = grub_disk_read (source, sector, 0, length, split_key);
++ if (err)
++ {
++ grub_free (split_key);
++ return err;
++ }
++
++ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ /* Merge the decrypted key material to get the candidate master key. */
++ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
++ grub_be_to_cpu32 (header.keyblock[i].stripes));
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ grub_dprintf ("luks", "candidate key recovered\n");
++
++ /* Calculate the PBKDF2 of the candidate master key. */
++ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
++ grub_be_to_cpu32 (header.keyBytes),
++ header.mkDigestSalt,
++ sizeof (header.mkDigestSalt),
++ grub_be_to_cpu32
++ (header.mkDigestIterations),
++ candidate_digest,
++ sizeof (candidate_digest));
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
++
++ /* Compare the calculated PBKDF2 to the digest stored
++ in the header to see if it's correct. */
++ if (grub_memcmp (candidate_digest, header.mkDigest,
++ sizeof (header.mkDigest)) != 0)
++ {
++ grub_dprintf ("luks", "bad digest\n");
++ continue;
++ }
++
++ /* TRANSLATORS: It's a cryptographic key slot: one element of an array
++ where each element is either empty or holds a key. */
++ grub_printf_ (N_("Slot %d opened\n"), i);
++
++ /* Set the master key. */
++ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
++ if (gcry_err)
++ {
++ grub_free (split_key);
++ return grub_crypto_gcry_error (gcry_err);
++ }
+
+- grub_free (split_key);
++ grub_free (split_key);
+
+- return GRUB_ERR_NONE;
++ return GRUB_ERR_NONE;
++ }
++ grub_printf_ (N_("Failed to decrypt master key.\n"));
++ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts,
++ (attempts==1) ? "" : "s");
+ }
+
+ grub_free (split_key);
+--
+2.1.2
+
diff --git a/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch b/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch
new file mode 100644
index 00000000..c8ee671f
--- /dev/null
+++ b/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch
@@ -0,0 +1,636 @@
+From c584bacaad58facb9124df26f98fff2542f7237a Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Fri, 26 Jun 2015 22:09:52 +0100
+Subject: [PATCH 4/5] Cryptomount support plain dm-crypt
+
+---
+ grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++-
+ grub-core/disk/luks.c | 195 +----------------------------
+ include/grub/cryptodisk.h | 8 ++
+ 3 files changed, 310 insertions(+), 191 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index a27e70c..cd5cfc9 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -44,6 +44,12 @@ static const struct grub_arg_option options[] =
+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
++ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE},
++ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING},
++ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING},
++ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT},
++ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT},
++ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT},
+ {0, 0, 0, 0, 0, 0}
+ };
+
+@@ -927,6 +933,48 @@ grub_cryptodisk_scan_device (const char *name,
+ return have_it && search_uuid ? 1 : 0;
+ }
+
++/* Hashes a passphrase into a key and stores it with cipher. */
++static gcry_err_code_t
++set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase)
++{
++ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash;
++ char *p;
++ unsigned int round, i;
++ unsigned int len, size;
++
++ /* Need no passphrase if there's no key */
++ if (keysize == 0)
++ return GPG_ERR_INV_KEYLEN;
++
++ /* Hack to support the "none" hash */
++ if (dev->hash)
++ len = dev->hash->mdlen;
++ else
++ len = grub_strlen (passphrase);
++
++ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN)
++ return GPG_ERR_INV_KEYLEN;
++
++ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len);
++ if (!p)
++ return grub_errno;
++
++ for (round = 0, size = keysize; size; round++, dh += len, size -= len)
++ {
++ for (i = 0; i < round; i++)
++ p[i] = 'A';
++
++ grub_strcpy (p + i, passphrase);
++
++ if (len > size)
++ len = size;
++
++ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p));
++ }
++
++ return grub_cryptodisk_setkey (dev, derived_hash, keysize);
++}
++
+ static grub_err_t
+ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ {
+@@ -1046,7 +1094,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+ return GRUB_ERR_NONE;
+ }
+
+- err = grub_cryptodisk_scan_device_real (args[0], disk);
++ if (state[7].set) /* Plain mode */
++ {
++ char *cipher;
++ char *mode;
++ char *digest;
++ int offset, size, key_size;
++
++ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER);
++ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST);
++ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0;
++ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0;
++ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \
++ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8;
++
++ /* no strtok, do it manually */
++ mode = grub_strchr(cipher,'-');
++ if (!mode)
++ return GRUB_ERR_BAD_ARGUMENT;
++ else
++ *mode++ = 0;
++
++ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest);
++
++ dev->offset = offset;
++ if (size) dev->total_length = size;
++
++ if (key)
++ {
++ err = grub_cryptodisk_setkey (dev, key, key_size);
++ if (err)
++ return err;
++ }
++ else
++ {
++ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
++
++ grub_printf_ (N_("Enter passphrase for %s: "), diskname);
++ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++
++ err = set_passphrase (dev, key_size, passphrase);
++ if (err)
++ {
++ grub_crypto_cipher_close (dev->cipher);
++ return err;
++ }
++ }
++
++ grub_cryptodisk_insert (dev, diskname, disk);
++
++ grub_free (cipher);
++ grub_free (digest);
++
++ err = GRUB_ERR_NONE;
++ }
++ else
++ err = grub_cryptodisk_scan_device_real (args[0], disk);
+
+ grub_disk_close (disk);
+
+@@ -1177,13 +1281,203 @@ struct grub_procfs_entry luks_script =
+ .get_contents = luks_script_get
+ };
+
++grub_cryptodisk_t
++grub_cryptodisk_create (grub_disk_t disk, char *uuid,
++ char *ciphername, char *ciphermode, char *hashspec)
++{
++ grub_cryptodisk_t newdev;
++ char *cipheriv = NULL;
++ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
++ grub_crypto_cipher_handle_t essiv_cipher = NULL;
++ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
++ const struct gcry_cipher_spec *ciph;
++ grub_cryptodisk_mode_t mode;
++ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
++ int benbi_log = 0;
++
++ if (!uuid)
++ uuid = (char*)"00000000000000000000000000000000";
++
++ ciph = grub_crypto_lookup_cipher_by_name (ciphername);
++ if (!ciph)
++ {
++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
++ ciphername);
++ return NULL;
++ }
++
++ /* Configure the cipher used for the bulk data. */
++ cipher = grub_crypto_cipher_open (ciph);
++ if (!cipher)
++ return NULL;
++
++ /* Configure the cipher mode. */
++ if (grub_strcmp (ciphermode, "ecb") == 0)
++ {
++ mode = GRUB_CRYPTODISK_MODE_ECB;
++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
++ cipheriv = NULL;
++ }
++ else if (grub_strcmp (ciphermode, "plain") == 0)
++ {
++ mode = GRUB_CRYPTODISK_MODE_CBC;
++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
++ cipheriv = NULL;
++ }
++ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
++ {
++ mode = GRUB_CRYPTODISK_MODE_CBC;
++ cipheriv = ciphermode + sizeof ("cbc-") - 1;
++ }
++ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
++ {
++ mode = GRUB_CRYPTODISK_MODE_PCBC;
++ cipheriv = ciphermode + sizeof ("pcbc-") - 1;
++ }
++ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
++ {
++ mode = GRUB_CRYPTODISK_MODE_XTS;
++ cipheriv = ciphermode + sizeof ("xts-") - 1;
++ secondary_cipher = grub_crypto_cipher_open (ciph);
++ if (!secondary_cipher)
++ {
++ grub_crypto_cipher_close (cipher);
++ return NULL;
++ }
++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
++ cipher->cipher->blocksize);
++ grub_crypto_cipher_close (cipher);
++ grub_crypto_cipher_close (secondary_cipher);
++ return NULL;
++ }
++ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
++ {
++ grub_crypto_cipher_close (cipher);
++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
++ secondary_cipher->cipher->blocksize);
++ grub_crypto_cipher_close (secondary_cipher);
++ return NULL;
++ }
++ }
++ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
++ {
++ mode = GRUB_CRYPTODISK_MODE_LRW;
++ cipheriv = ciphermode + sizeof ("lrw-") - 1;
++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
++ cipher->cipher->blocksize);
++ grub_crypto_cipher_close (cipher);
++ return NULL;
++ }
++ }
++ else
++ {
++ grub_crypto_cipher_close (cipher);
++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
++ ciphermode);
++ return NULL;
++ }
++
++ if (cipheriv == NULL);
++ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
++ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
++ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
++ {
++ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
++ || cipher->cipher->blocksize == 0)
++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
++ cipher->cipher->blocksize);
++ /* FIXME should we return an error here? */
++ for (benbi_log = 0;
++ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
++ benbi_log++);
++ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
++ }
++ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
++ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
++ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
++ {
++ char *hash_str = cipheriv + 6;
++
++ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
++
++ /* Configure the hash and cipher used for ESSIV. */
++ essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
++ if (!essiv_hash)
++ {
++ grub_crypto_cipher_close (cipher);
++ grub_crypto_cipher_close (secondary_cipher);
++ grub_error (GRUB_ERR_FILE_NOT_FOUND,
++ "Couldn't load %s hash", hash_str);
++ return NULL;
++ }
++ essiv_cipher = grub_crypto_cipher_open (ciph);
++ if (!essiv_cipher)
++ {
++ grub_crypto_cipher_close (cipher);
++ grub_crypto_cipher_close (secondary_cipher);
++ return NULL;
++ }
++ }
++ else
++ {
++ grub_crypto_cipher_close (cipher);
++ grub_crypto_cipher_close (secondary_cipher);
++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
++ cipheriv);
++ return NULL;
++ }
++
++ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */
++ hash = grub_crypto_lookup_md_by_name (hashspec);
++ if (!hash)
++ {
++ grub_crypto_cipher_close (cipher);
++ grub_crypto_cipher_close (essiv_cipher);
++ grub_crypto_cipher_close (secondary_cipher);
++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
++ hashspec);
++ return NULL;
++ }
++
++ newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
++ if (!newdev)
++ {
++ grub_crypto_cipher_close (cipher);
++ grub_crypto_cipher_close (essiv_cipher);
++ grub_crypto_cipher_close (secondary_cipher);
++ return NULL;
++ }
++ newdev->cipher = cipher;
++ newdev->offset = 0;
++ newdev->source_disk = NULL;
++ newdev->benbi_log = benbi_log;
++ newdev->mode = mode;
++ newdev->mode_iv = mode_iv;
++ newdev->secondary_cipher = secondary_cipher;
++ newdev->essiv_cipher = essiv_cipher;
++ newdev->essiv_hash = essiv_hash;
++ newdev->hash = hash;
++ newdev->log_sector_size = 9;
++ newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
++ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
++ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
++
++ return newdev;
++}
++
+ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT (cryptodisk)
+ {
+ grub_disk_dev_register (&grub_cryptodisk_dev);
+ cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
+- N_("SOURCE|-u UUID|-a|-b|-H file"),
++ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"),
+ N_("Mount a crypto device."), options);
+ grub_procfs_register ("luks_script", &luks_script);
+ }
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 11e437e..4ebe21b 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -30,8 +30,6 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+-#define MAX_PASSPHRASE 256
+-
+ #define LUKS_KEY_ENABLED 0x00AC71F3
+
+ /* On disk LUKS header */
+@@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ char uuid[sizeof (header.uuid) + 1];
+ char ciphername[sizeof (header.cipherName) + 1];
+ char ciphermode[sizeof (header.cipherMode) + 1];
+- char *cipheriv = NULL;
+ char hashspec[sizeof (header.hashSpec) + 1];
+- grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL;
+- grub_crypto_cipher_handle_t essiv_cipher = NULL;
+- const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL;
+- const struct gcry_cipher_spec *ciph;
+- grub_cryptodisk_mode_t mode;
+- grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
+- int benbi_log = 0;
+ grub_err_t err;
+
+ err = GRUB_ERR_NONE;
+@@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ iptr++)
+ {
+ if (*iptr != '-')
+- *optr++ = *iptr;
++ *optr++ = *iptr;
+ }
+ *optr = 0;
+
+@@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ return NULL;
+ }
+
++
+ /* Make sure that strings are null terminated. */
+ grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
+ ciphername[sizeof (header.cipherName)] = 0;
+@@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
+ hashspec[sizeof (header.hashSpec)] = 0;
+
+- ciph = grub_crypto_lookup_cipher_by_name (ciphername);
+- if (!ciph)
+- {
+- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available",
+- ciphername);
+- return NULL;
+- }
+-
+- /* Configure the cipher used for the bulk data. */
+- cipher = grub_crypto_cipher_open (ciph);
+- if (!cipher)
+- return NULL;
+-
+- if (grub_be_to_cpu32 (header.keyBytes) > 1024)
+- {
+- grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d",
+- grub_be_to_cpu32 (header.keyBytes));
+- grub_crypto_cipher_close (cipher);
+- return NULL;
+- }
+-
+- /* Configure the cipher mode. */
+- if (grub_strcmp (ciphermode, "ecb") == 0)
+- {
+- mode = GRUB_CRYPTODISK_MODE_ECB;
+- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
+- cipheriv = NULL;
+- }
+- else if (grub_strcmp (ciphermode, "plain") == 0)
+- {
+- mode = GRUB_CRYPTODISK_MODE_CBC;
+- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
+- cipheriv = NULL;
+- }
+- else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0)
+- {
+- mode = GRUB_CRYPTODISK_MODE_CBC;
+- cipheriv = ciphermode + sizeof ("cbc-") - 1;
+- }
+- else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0)
+- {
+- mode = GRUB_CRYPTODISK_MODE_PCBC;
+- cipheriv = ciphermode + sizeof ("pcbc-") - 1;
+- }
+- else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0)
+- {
+- mode = GRUB_CRYPTODISK_MODE_XTS;
+- cipheriv = ciphermode + sizeof ("xts-") - 1;
+- secondary_cipher = grub_crypto_cipher_open (ciph);
+- if (!secondary_cipher)
+- {
+- grub_crypto_cipher_close (cipher);
+- return NULL;
+- }
+- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
+- {
+- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
+- cipher->cipher->blocksize);
+- grub_crypto_cipher_close (cipher);
+- grub_crypto_cipher_close (secondary_cipher);
+- return NULL;
+- }
+- if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
+- {
+- grub_crypto_cipher_close (cipher);
+- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d",
+- secondary_cipher->cipher->blocksize);
+- grub_crypto_cipher_close (secondary_cipher);
+- return NULL;
+- }
+- }
+- else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0)
+- {
+- mode = GRUB_CRYPTODISK_MODE_LRW;
+- cipheriv = ciphermode + sizeof ("lrw-") - 1;
+- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES)
+- {
+- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d",
+- cipher->cipher->blocksize);
+- grub_crypto_cipher_close (cipher);
+- return NULL;
+- }
+- }
+- else
+- {
+- grub_crypto_cipher_close (cipher);
+- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s",
+- ciphermode);
+- return NULL;
+- }
+-
+- if (cipheriv == NULL);
+- else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0)
+- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN;
+- else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0)
+- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64;
+- else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0)
+- {
+- if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1)
+- || cipher->cipher->blocksize == 0)
+- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d",
+- cipher->cipher->blocksize);
+- /* FIXME should we return an error here? */
+- for (benbi_log = 0;
+- (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE;
+- benbi_log++);
+- mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI;
+- }
+- else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0)
+- mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL;
+- else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0)
+- {
+- char *hash_str = cipheriv + 6;
+-
+- mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV;
+-
+- /* Configure the hash and cipher used for ESSIV. */
+- essiv_hash = grub_crypto_lookup_md_by_name (hash_str);
+- if (!essiv_hash)
+- {
+- grub_crypto_cipher_close (cipher);
+- grub_crypto_cipher_close (secondary_cipher);
+- grub_error (GRUB_ERR_FILE_NOT_FOUND,
+- "Couldn't load %s hash", hash_str);
+- return NULL;
+- }
+- essiv_cipher = grub_crypto_cipher_open (ciph);
+- if (!essiv_cipher)
+- {
+- grub_crypto_cipher_close (cipher);
+- grub_crypto_cipher_close (secondary_cipher);
+- return NULL;
+- }
+- }
+- else
+- {
+- grub_crypto_cipher_close (cipher);
+- grub_crypto_cipher_close (secondary_cipher);
+- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s",
+- cipheriv);
+- return NULL;
+- }
+-
+- /* Configure the hash used for the AF splitter and HMAC. */
+- hash = grub_crypto_lookup_md_by_name (hashspec);
+- if (!hash)
+- {
+- grub_crypto_cipher_close (cipher);
+- grub_crypto_cipher_close (essiv_cipher);
+- grub_crypto_cipher_close (secondary_cipher);
+- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash",
+- hashspec);
+- return NULL;
+- }
++ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
+
+- newdev = grub_zalloc (sizeof (struct grub_cryptodisk));
+- if (!newdev)
+- {
+- grub_crypto_cipher_close (cipher);
+- grub_crypto_cipher_close (essiv_cipher);
+- grub_crypto_cipher_close (secondary_cipher);
+- return NULL;
+- }
+- newdev->cipher = cipher;
+ newdev->offset = grub_be_to_cpu32 (header.payloadOffset);
+- newdev->source_disk = NULL;
+- newdev->benbi_log = benbi_log;
+- newdev->mode = mode;
+- newdev->mode_iv = mode_iv;
+- newdev->secondary_cipher = secondary_cipher;
+- newdev->essiv_cipher = essiv_cipher;
+- newdev->essiv_hash = essiv_hash;
+- newdev->hash = hash;
+- newdev->log_sector_size = 9;
+- newdev->total_length = grub_disk_get_size (disk) - newdev->offset;
+- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid));
+ newdev->modname = "luks";
+- COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid));
+
+ return newdev;
+ }
+@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source,
+ struct grub_luks_phdr header;
+ grub_size_t keysize;
+ grub_uint8_t *split_key = NULL;
+- char interactive_passphrase[MAX_PASSPHRASE] = "";
++ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = "";
+ grub_uint8_t *passphrase;
+ grub_size_t passphrase_length;
+ grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
+@@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source,
+ /* Use bytestring from key file as passphrase */
+ passphrase = keyfile_bytes;
+ passphrase_length = keyfile_bytes_size;
+- keyfile_bytes = NULL; /* use it only once */
++ keyfile_bytes = NULL; /* use it only once */
+ }
+ else
+ {
+@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source,
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+ source->partition ? "," : "", tmp ? : "", dev->uuid);
+ grub_free (tmp);
+- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE))
+ {
+ grub_free (split_key);
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index 0299625..4076412 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -54,9 +54,14 @@ typedef enum
+ #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3)
+ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
+ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
++#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256
+
+ #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
+
++#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256"
++#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160"
++#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256
++
+ struct grub_cryptodisk;
+
+ typedef gcry_err_code_t
+@@ -159,4 +164,7 @@ grub_util_get_geli_uuid (const char *dev);
+ grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
+ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
+
++grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
++ char *ciphername, char *ciphermode, char *digest);
++
+ #endif
+--
+2.1.2
+
diff --git a/resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch
new file mode 100644
index 00000000..2707cebf
--- /dev/null
+++ b/resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch
@@ -0,0 +1,122 @@
+From f723c22cb7d8a5a6633eaa0682e024e667fb581a Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Fri, 26 Jun 2015 22:48:03 +0100
+Subject: [PATCH 5/5] Cryptomount support for hyphens in UUID
+
+---
+ grub-core/disk/cryptodisk.c | 20 +++++++++++++++++---
+ grub-core/disk/luks.c | 26 ++++++++------------------
+ include/grub/cryptodisk.h | 2 ++
+ 3 files changed, 27 insertions(+), 21 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index cd5cfc9..d36d16b 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -113,6 +113,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b)
+ }
+ }
+
++int
++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b)
++{
++ while ((*uuid_a != '\0') && (*uuid_b != '\0'))
++ {
++ while (*uuid_a == '-') uuid_a++;
++ while (*uuid_b == '-') uuid_b++;
++ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break;
++ uuid_a++;
++ uuid_b++;
++ }
++ return (*uuid_a == '\0') && (*uuid_b == '\0');
++}
++
+ static gcry_err_code_t
+ grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher,
+ void *out, void *in, grub_size_t size,
+@@ -507,8 +521,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk)
+ if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0)
+ {
+ for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
+- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0)
+- break;
++ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid))
++ break;
+ }
+ else
+ {
+@@ -739,7 +753,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid)
+ {
+ grub_cryptodisk_t dev;
+ for (dev = cryptodisk_list; dev != NULL; dev = dev->next)
+- if (grub_strcasecmp (dev->uuid, uuid) == 0)
++ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid))
+ return dev;
+ return NULL;
+ }
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 4ebe21b..80a7606 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -68,9 +68,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ int check_boot, grub_file_t hdr)
+ {
+ grub_cryptodisk_t newdev;
+- const char *iptr;
+ struct grub_luks_phdr header;
+- char *optr;
+ char uuid[sizeof (header.uuid) + 1];
+ char ciphername[sizeof (header.cipherName) + 1];
+ char ciphermode[sizeof (header.cipherMode) + 1];
+@@ -104,22 +102,6 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ || grub_be_to_cpu16 (header.version) != 1)
+ return NULL;
+
+- optr = uuid;
+- for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)];
+- iptr++)
+- {
+- if (*iptr != '-')
+- *optr++ = *iptr;
+- }
+- *optr = 0;
+-
+- if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0)
+- {
+- grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
+- return NULL;
+- }
+-
+-
+ /* Make sure that strings are null terminated. */
+ grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName));
+ ciphername[sizeof (header.cipherName)] = 0;
+@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ ciphermode[sizeof (header.cipherMode)] = 0;
+ grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec));
+ hashspec[sizeof (header.hashSpec)] = 0;
++ grub_memcpy (uuid, header.uuid, sizeof (header.uuid));
++ uuid[sizeof (header.uuid)] = 0;
++
++ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid))
++ {
++ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid);
++ return NULL;
++ }
+
+ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec);
+
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index 4076412..a564f2c 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -167,4 +167,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
+ grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid,
+ char *ciphername, char *ciphermode, char *digest);
+
++int
++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b);
+ #endif
+--
+2.1.2
+