diff options
| author | Alyssa Rosenzweig <alyssa@rosenzweig.io> | 2017-06-01 00:34:38 +0000 |
|---|---|---|
| committer | Gogs <gogitservice@gmail.com> | 2017-06-01 00:34:38 +0000 |
| commit | 6d272ca425c10385e540781aa7208416559a46f5 (patch) | |
| tree | 2e4399b205406529b152139f208ed30c1729fda9 /resources | |
| parent | f52e2a5172f78fc8d3d9b7ec1e228f414fe443b0 (diff) | |
| parent | e8e19e88869ecdcbb3afbdcdb17bb5bac819a58f (diff) | |
| download | librebootfr-6d272ca425c10385e540781aa7208416559a46f5.tar.gz librebootfr-6d272ca425c10385e540781aa7208416559a46f5.zip | |
Merge branch 'payloads/x86/updates-20170430' of libreboot/libreboot into master
Diffstat (limited to 'resources')
12 files changed, 3 insertions, 1763 deletions
diff --git a/resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch b/resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch deleted file mode 100644 index f14241b9..00000000 --- a/resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch +++ /dev/null @@ -1,247 +0,0 @@ -From 04e079fed3b275b8ba2081c7fbf9acd853ce055b Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Tue, 23 Jun 2015 11:16:30 +0100 -Subject: [PATCH 02/10] Cryptomount support LUKS detached header - ---- - grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++---- - grub-core/disk/geli.c | 7 +++++-- - grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++-------- - include/grub/cryptodisk.h | 5 +++-- - 4 files changed, 63 insertions(+), 16 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 1e03a09..dd8870d 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] = - /* TRANSLATORS: It's still restricted to cryptodisks only. */ - {"all", 'a', 0, N_("Mount all."), 0, 0}, - {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, -+ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -808,6 +809,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) - - static int check_boot, have_it; - static char *search_uuid; -+static grub_file_t hdr; - - static void - cryptodisk_close (grub_cryptodisk_t dev) -@@ -832,13 +834,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) - - FOR_CRYPTODISK_DEVS (cr) - { -- dev = cr->scan (source, search_uuid, check_boot); -+ dev = cr->scan (source, search_uuid, check_boot, hdr); - if (grub_errno) - return grub_errno; - if (!dev) - continue; - -- err = cr->recover_key (source, dev); -+ err = cr->recover_key (source, dev, hdr); - if (err) - { - cryptodisk_close (dev); -@@ -879,7 +881,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat) - - FOR_CRYPTODISK_DEVS (cr) - { -- dev = cr->scan (source, search_uuid, check_boot); -+ dev = cr->scan (source, search_uuid, check_boot,0); - if (grub_errno) - return grub_errno; - if (!dev) -@@ -933,6 +935,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - if (argc < 1 && !state[1].set && !state[2].set) - return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required"); - -+ if (state[3].set) /* LUKS detached header */ -+ { -+ if (state[0].set) /* Cannot use UUID lookup with detached header */ -+ return GRUB_ERR_BAD_ARGUMENT; -+ -+ hdr = grub_file_open (state[3].arg); -+ if (!hdr) -+ return grub_errno; -+ } -+ else -+ hdr = NULL; -+ - have_it = 0; - if (state[0].set) - { -@@ -1140,7 +1154,7 @@ GRUB_MOD_INIT (cryptodisk) - { - grub_disk_dev_register (&grub_cryptodisk_dev); - cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, -- N_("SOURCE|-u UUID|-a|-b"), -+ N_("SOURCE|-u UUID|-a|-b|-H file"), - N_("Mount a crypto device."), options); - grub_procfs_register ("luks_script", &luks_script); - } -diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c -index e9d2329..f4394eb 100644 ---- a/grub-core/disk/geli.c -+++ b/grub-core/disk/geli.c -@@ -52,6 +52,7 @@ - #include <grub/dl.h> - #include <grub/err.h> - #include <grub/disk.h> -+#include <grub/file.h> - #include <grub/crypto.h> - #include <grub/partition.h> - #include <grub/i18n.h> -@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev) - - static grub_cryptodisk_t - configure_ciphers (grub_disk_t disk, const char *check_uuid, -- int boot_only) -+ int boot_only, -+ grub_file_t hdr __attribute__ ((unused)) ) - { - grub_cryptodisk_t newdev; - struct grub_geli_phdr header; -@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - } - - static grub_err_t --recover_key (grub_disk_t source, grub_cryptodisk_t dev) -+recover_key (grub_disk_t source, grub_cryptodisk_t dev, -+ grub_file_t hdr __attribute__ ((unused)) ) - { - grub_size_t keysize; - grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 86c50c6..66e64c0 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -23,6 +23,7 @@ - #include <grub/dl.h> - #include <grub/err.h> - #include <grub/disk.h> -+#include <grub/file.h> - #include <grub/crypto.h> - #include <grub/partition.h> - #include <grub/i18n.h> -@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, - - static grub_cryptodisk_t - configure_ciphers (grub_disk_t disk, const char *check_uuid, -- int check_boot) -+ int check_boot, grub_file_t hdr) - { - grub_cryptodisk_t newdev; - const char *iptr; -@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - int benbi_log = 0; - grub_err_t err; - -+ err = GRUB_ERR_NONE; -+ - if (check_boot) - return NULL; - - /* Read the LUKS header. */ -- err = grub_disk_read (disk, 0, 0, sizeof (header), &header); -+ if (hdr) -+ { -+ grub_file_seek (hdr, 0); -+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (disk, 0, 0, sizeof (header), &header); -+ - if (err) - { - if (err == GRUB_ERR_OUT_OF_RANGE) -@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); - newdev->modname = "luks"; - COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); -+ - return newdev; - } - - static grub_err_t - luks_recover_key (grub_disk_t source, -- grub_cryptodisk_t dev) -+ grub_cryptodisk_t dev, -+ grub_file_t hdr) - { - struct grub_luks_phdr header; - grub_size_t keysize; -@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source, - grub_err_t err; - grub_size_t max_stripes = 1; - char *tmp; -+ grub_uint32_t sector; -+ -+ err = GRUB_ERR_NONE; -+ -+ if (hdr) -+ { -+ grub_file_seek (hdr, 0); -+ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (source, 0, 0, sizeof (header), &header); - -- err = grub_disk_read (source, 0, 0, sizeof (header), &header); - if (err) - return err; - -@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source, - return grub_crypto_gcry_error (gcry_err); - } - -+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); - length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); - - /* Read and decrypt the key material from the disk. */ -- err = grub_disk_read (source, -- grub_be_to_cpu32 (header.keyblock -- [i].keyMaterialOffset), 0, -- length, split_key); -+ if (hdr) -+ { -+ grub_file_seek (hdr, sector * 512); -+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (source, sector, 0, length, split_key); - if (err) - { - grub_free (split_key); -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index 32f564a..4e6e89a 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -20,6 +20,7 @@ - #define GRUB_CRYPTODISK_HEADER 1 - - #include <grub/disk.h> -+#include <grub/file.h> - #include <grub/crypto.h> - #include <grub/list.h> - #ifdef GRUB_UTIL -@@ -107,8 +108,8 @@ struct grub_cryptodisk_dev - struct grub_cryptodisk_dev **prev; - - grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, -- int boot_only); -- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev); -+ int boot_only, grub_file_t hdr); -+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); - }; - typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; - --- -1.9.1 - diff --git a/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch b/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch deleted file mode 100644 index 9c33b9b0..00000000 --- a/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch +++ /dev/null @@ -1,205 +0,0 @@ -From 3b7ef4a5fd57b042201fbefb92a217070b944d67 Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Fri, 26 Jun 2015 13:37:10 +0100 -Subject: [PATCH 03/10] Cryptomount support key files - ---- - grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++- - grub-core/disk/geli.c | 4 +++- - grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++-------------- - include/grub/cryptodisk.h | 5 ++++- - 4 files changed, 82 insertions(+), 17 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index dd8870d..0e7ced8 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] = - {"all", 'a', 0, N_("Mount all."), 0, 0}, - {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, - {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, -+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, -+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, -+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -810,6 +813,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) - static int check_boot, have_it; - static char *search_uuid; - static grub_file_t hdr; -+static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE]; -+static grub_size_t keyfile_size; - - static void - cryptodisk_close (grub_cryptodisk_t dev) -@@ -840,7 +845,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) - if (!dev) - continue; - -- err = cr->recover_key (source, dev, hdr); -+ err = cr->recover_key (source, dev, hdr, key, keyfile_size); - if (err) - { - cryptodisk_close (dev); -@@ -948,6 +953,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - hdr = NULL; - - have_it = 0; -+ key = NULL; -+ -+ if (state[4].set) /* Key file; fails back to passphrase entry */ -+ { -+ grub_file_t keyfile; -+ int keyfile_offset; -+ grub_size_t requested_keyfile_size; -+ -+ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0; -+ -+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) -+ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ -+ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); -+ else -+ { -+ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; -+ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ -+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; -+ -+ keyfile = grub_file_open (state[4].arg); -+ if (!keyfile) -+ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); -+ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) -+ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); -+ else -+ { -+ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); -+ if (keyfile_size == (grub_size_t)-1) -+ grub_printf (N_("Error reading key file\n")); -+ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) -+ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), -+ (unsigned long long) requested_keyfile_size, -+ (unsigned long long) keyfile_size); -+ else -+ key = keyfile_buffer; -+ } -+ } -+ } -+ - if (state[0].set) - { - grub_cryptodisk_t dev; -diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c -index f4394eb..da6aa6a 100644 ---- a/grub-core/disk/geli.c -+++ b/grub-core/disk/geli.c -@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - - static grub_err_t - recover_key (grub_disk_t source, grub_cryptodisk_t dev, -- grub_file_t hdr __attribute__ ((unused)) ) -+ grub_file_t hdr __attribute__ ((unused)), -+ grub_uint8_t *key __attribute__ ((unused)), -+ grub_size_t keyfile_size __attribute__ ((unused)) ) - { - grub_size_t keysize; - grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 66e64c0..5882368 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - static grub_err_t - luks_recover_key (grub_disk_t source, - grub_cryptodisk_t dev, -- grub_file_t hdr) -+ grub_file_t hdr, -+ grub_uint8_t *keyfile_bytes, -+ grub_size_t keyfile_bytes_size) - { - struct grub_luks_phdr header; - grub_size_t keysize; - grub_uint8_t *split_key = NULL; -- char passphrase[MAX_PASSPHRASE] = ""; -+ char interactive_passphrase[MAX_PASSPHRASE] = ""; -+ grub_uint8_t *passphrase; -+ grub_size_t passphrase_length; - grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; - unsigned i; - grub_size_t length; -@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source, - if (!split_key) - return grub_errno; - -- /* Get the passphrase from the user. */ -- tmp = NULL; -- if (source->partition) -- tmp = grub_partition_get_name (source->partition); -- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -- source->partition ? "," : "", tmp ? : "", -- dev->uuid); -- grub_free (tmp); -- if (!grub_password_get (passphrase, MAX_PASSPHRASE)) -+ if (keyfile_bytes) - { -- grub_free (split_key); -- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ /* Use bytestring from key file as passphrase */ -+ passphrase = keyfile_bytes; -+ passphrase_length = keyfile_bytes_size; -+ } -+ else -+ { -+ /* Get the passphrase from the user. */ -+ tmp = NULL; -+ if (source->partition) -+ tmp = grub_partition_get_name (source->partition); -+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -+ source->partition ? "," : "", tmp ? : "", dev->uuid); -+ grub_free (tmp); -+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ { -+ grub_free (split_key); -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ } -+ -+ passphrase = (grub_uint8_t *)interactive_passphrase; -+ passphrase_length = grub_strlen (interactive_passphrase); -+ - } - - /* Try to recover master key from each active keyslot. */ -@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source, - - /* Calculate the PBKDF2 of the user supplied passphrase. */ - gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, -- grub_strlen (passphrase), -+ passphrase_length, - header.keyblock[i].passwordSalt, - sizeof (header.keyblock[i].passwordSalt), - grub_be_to_cpu32 (header.keyblock[i]. -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index 4e6e89a..67f6b0b 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -55,6 +55,8 @@ typedef enum - #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) - #define GRUB_CRYPTODISK_MAX_KEYLEN 128 - -+#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 -+ - struct grub_cryptodisk; - - typedef gcry_err_code_t -@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev - - grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, - int boot_only, grub_file_t hdr); -- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); -+ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, -+ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size); - }; - typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; - --- -1.9.1 - diff --git a/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch deleted file mode 100644 index 538f4aef..00000000 --- a/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch +++ /dev/null @@ -1,329 +0,0 @@ -From f39e8ee5696f15860c73b07e652a8b59fcc834c7 Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Fri, 26 Jun 2015 13:49:58 +0100 -Subject: [PATCH 04/10] Cryptomount luks allow multiple passphrase attempts - ---- - grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------ - 1 file changed, 143 insertions(+), 135 deletions(-) - -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 5882368..11e437e 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - - static grub_err_t - luks_recover_key (grub_disk_t source, -- grub_cryptodisk_t dev, -- grub_file_t hdr, -- grub_uint8_t *keyfile_bytes, -- grub_size_t keyfile_bytes_size) -+ grub_cryptodisk_t dev, -+ grub_file_t hdr, -+ grub_uint8_t *keyfile_bytes, -+ grub_size_t keyfile_bytes_size) - { - struct grub_luks_phdr header; - grub_size_t keysize; -@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source, - grub_size_t max_stripes = 1; - char *tmp; - grub_uint32_t sector; -+ unsigned attempts = 2; - - err = GRUB_ERR_NONE; - -@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source, - - for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) - if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED -- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes) -+ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes) - max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes); - - split_key = grub_malloc (keysize * max_stripes); - if (!split_key) - return grub_errno; - -- if (keyfile_bytes) -+ while (attempts) - { -- /* Use bytestring from key file as passphrase */ -- passphrase = keyfile_bytes; -- passphrase_length = keyfile_bytes_size; -- } -- else -- { -- /* Get the passphrase from the user. */ -- tmp = NULL; -- if (source->partition) -- tmp = grub_partition_get_name (source->partition); -- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -- source->partition ? "," : "", tmp ? : "", dev->uuid); -- grub_free (tmp); -- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ if (keyfile_bytes) - { -- grub_free (split_key); -- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -- } -- -- passphrase = (grub_uint8_t *)interactive_passphrase; -- passphrase_length = grub_strlen (interactive_passphrase); -- -- } -- -- /* Try to recover master key from each active keyslot. */ -- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) -- { -- gcry_err_code_t gcry_err; -- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; -- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; -- -- /* Check if keyslot is enabled. */ -- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) -- continue; -- -- grub_dprintf ("luks", "Trying keyslot %d\n", i); -- -- /* Calculate the PBKDF2 of the user supplied passphrase. */ -- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, -- passphrase_length, -- header.keyblock[i].passwordSalt, -- sizeof (header.keyblock[i].passwordSalt), -- grub_be_to_cpu32 (header.keyblock[i]. -- passwordIterations), -- digest, keysize); -- -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- grub_dprintf ("luks", "PBKDF2 done\n"); -- -- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); -- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); -- -- /* Read and decrypt the key material from the disk. */ -- if (hdr) -- { -- grub_file_seek (hdr, sector * 512); -- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) -- err = GRUB_ERR_READ_ERROR; -+ /* Use bytestring from key file as passphrase */ -+ passphrase = keyfile_bytes; -+ passphrase_length = keyfile_bytes_size; -+ keyfile_bytes = NULL; /* use it only once */ - } - else -- err = grub_disk_read (source, sector, 0, length, split_key); -- if (err) -- { -- grub_free (split_key); -- return err; -- } -- -- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- /* Merge the decrypted key material to get the candidate master key. */ -- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, -- grub_be_to_cpu32 (header.keyblock[i].stripes)); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- grub_dprintf ("luks", "candidate key recovered\n"); -- -- /* Calculate the PBKDF2 of the candidate master key. */ -- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, -- grub_be_to_cpu32 (header.keyBytes), -- header.mkDigestSalt, -- sizeof (header.mkDigestSalt), -- grub_be_to_cpu32 -- (header.mkDigestIterations), -- candidate_digest, -- sizeof (candidate_digest)); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -- -- /* Compare the calculated PBKDF2 to the digest stored -- in the header to see if it's correct. */ -- if (grub_memcmp (candidate_digest, header.mkDigest, -- sizeof (header.mkDigest)) != 0) -- { -- grub_dprintf ("luks", "bad digest\n"); -- continue; -- } -+ { -+ /* Get the passphrase from the user. */ -+ tmp = NULL; -+ if (source->partition) -+ tmp = grub_partition_get_name (source->partition); -+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, -+ source->partition ? "," : "", tmp ? : "", dev->uuid); -+ grub_free (tmp); -+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ { -+ grub_free (split_key); -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ } -+ -+ passphrase = (grub_uint8_t *)interactive_passphrase; -+ passphrase_length = grub_strlen (interactive_passphrase); - -- /* TRANSLATORS: It's a cryptographic key slot: one element of an array -- where each element is either empty or holds a key. */ -- grub_printf_ (N_("Slot %d opened\n"), i); -+ } - -- /* Set the master key. */ -- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); -- if (gcry_err) -- { -- grub_free (split_key); -- return grub_crypto_gcry_error (gcry_err); -- } -+ /* Try to recover master key from each active keyslot. */ -+ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) -+ { -+ gcry_err_code_t gcry_err; -+ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; -+ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; -+ -+ /* Check if keyslot is enabled. */ -+ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) -+ continue; -+ -+ grub_dprintf ("luks", "Trying keyslot %d\n", i); -+ -+ /* Calculate the PBKDF2 of the user supplied passphrase. */ -+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, -+ passphrase_length, -+ header.keyblock[i].passwordSalt, -+ sizeof (header.keyblock[i].passwordSalt), -+ grub_be_to_cpu32 (header.keyblock[i]. -+ passwordIterations), -+ digest, keysize); -+ -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ grub_dprintf ("luks", "PBKDF2 done\n"); -+ -+ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); -+ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); -+ -+ /* Read and decrypt the key material from the disk. */ -+ if (hdr) -+ { -+ grub_file_seek (hdr, sector * 512); -+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) -+ err = GRUB_ERR_READ_ERROR; -+ } -+ else -+ err = grub_disk_read (source, sector, 0, length, split_key); -+ if (err) -+ { -+ grub_free (split_key); -+ return err; -+ } -+ -+ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ /* Merge the decrypted key material to get the candidate master key. */ -+ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, -+ grub_be_to_cpu32 (header.keyblock[i].stripes)); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ grub_dprintf ("luks", "candidate key recovered\n"); -+ -+ /* Calculate the PBKDF2 of the candidate master key. */ -+ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, -+ grub_be_to_cpu32 (header.keyBytes), -+ header.mkDigestSalt, -+ sizeof (header.mkDigestSalt), -+ grub_be_to_cpu32 -+ (header.mkDigestIterations), -+ candidate_digest, -+ sizeof (candidate_digest)); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } -+ -+ /* Compare the calculated PBKDF2 to the digest stored -+ in the header to see if it's correct. */ -+ if (grub_memcmp (candidate_digest, header.mkDigest, -+ sizeof (header.mkDigest)) != 0) -+ { -+ grub_dprintf ("luks", "bad digest\n"); -+ continue; -+ } -+ -+ /* TRANSLATORS: It's a cryptographic key slot: one element of an array -+ where each element is either empty or holds a key. */ -+ grub_printf_ (N_("Slot %d opened\n"), i); -+ -+ /* Set the master key. */ -+ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); -+ if (gcry_err) -+ { -+ grub_free (split_key); -+ return grub_crypto_gcry_error (gcry_err); -+ } - -- grub_free (split_key); -+ grub_free (split_key); - -- return GRUB_ERR_NONE; -+ return GRUB_ERR_NONE; -+ } -+ grub_printf_ (N_("Failed to decrypt master key.\n")); -+ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts, -+ (attempts==1) ? "" : "s"); - } - - grub_free (split_key); --- -1.9.1 - diff --git a/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch b/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch deleted file mode 100644 index 54635442..00000000 --- a/resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch +++ /dev/null @@ -1,636 +0,0 @@ -From 632155a6e8923cdd5c1d4e23576cfadcb78ee67b Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Fri, 26 Jun 2015 22:09:52 +0100 -Subject: [PATCH 05/10] Cryptomount support plain dm-crypt - ---- - grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++- - grub-core/disk/luks.c | 195 +---------------------------- - include/grub/cryptodisk.h | 8 ++ - 3 files changed, 311 insertions(+), 190 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 0e7ced8..57fb904 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -45,6 +45,12 @@ static const struct grub_arg_option options[] = - {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, - {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, - {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, -+ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE}, -+ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING}, -+ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING}, -+ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT}, -+ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT}, -+ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -932,6 +938,48 @@ grub_cryptodisk_scan_device (const char *name, - return have_it && search_uuid ? 1 : 0; - } - -+/* Hashes a passphrase into a key and stores it with cipher. */ -+static gcry_err_code_t -+set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase) -+{ -+ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash; -+ char *p; -+ unsigned int round, i; -+ unsigned int len, size; -+ -+ /* Need no passphrase if there's no key */ -+ if (keysize == 0) -+ return GPG_ERR_INV_KEYLEN; -+ -+ /* Hack to support the "none" hash */ -+ if (dev->hash) -+ len = dev->hash->mdlen; -+ else -+ len = grub_strlen (passphrase); -+ -+ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN) -+ return GPG_ERR_INV_KEYLEN; -+ -+ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len); -+ if (!p) -+ return grub_errno; -+ -+ for (round = 0, size = keysize; size; round++, dh += len, size -= len) -+ { -+ for (i = 0; i < round; i++) -+ p[i] = 'A'; -+ -+ grub_strcpy (p + i, passphrase); -+ -+ if (len > size) -+ len = size; -+ -+ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p)); -+ } -+ -+ return grub_cryptodisk_setkey (dev, derived_hash, keysize); -+} -+ - static grub_err_t - grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - { -@@ -1061,6 +1109,64 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) - - err = grub_cryptodisk_scan_device_real (diskname, disk); - -+ if (state[7].set) /* Plain mode */ -+ { -+ char *cipher; -+ char *mode; -+ char *digest; -+ int offset, size, key_size; -+ -+ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER); -+ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST); -+ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0; -+ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0; -+ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \ -+ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8; -+ -+ /* no strtok, do it manually */ -+ mode = grub_strchr(cipher,'-'); -+ if (!mode) -+ return GRUB_ERR_BAD_ARGUMENT; -+ else -+ *mode++ = 0; -+ -+ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest); -+ -+ dev->offset = offset; -+ if (size) dev->total_length = size; -+ -+ if (key) -+ { -+ err = grub_cryptodisk_setkey (dev, key, key_size); -+ if (err) -+ return err; -+ } -+ else -+ { -+ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; -+ -+ grub_printf_ (N_("Enter passphrase for %s: "), diskname); -+ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) -+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -+ -+ err = set_passphrase (dev, key_size, passphrase); -+ if (err) -+ { -+ grub_crypto_cipher_close (dev->cipher); -+ return err; -+ } -+ } -+ -+ grub_cryptodisk_insert (dev, diskname, disk); -+ -+ grub_free (cipher); -+ grub_free (digest); -+ -+ err = GRUB_ERR_NONE; -+ } -+ else -+ err = grub_cryptodisk_scan_device_real (args[0], disk); -+ - grub_disk_close (disk); - if (disklast) - *disklast = ')'; -@@ -1192,13 +1298,203 @@ struct grub_procfs_entry luks_script = - .get_contents = luks_script_get - }; - -+grub_cryptodisk_t -+grub_cryptodisk_create (grub_disk_t disk, char *uuid, -+ char *ciphername, char *ciphermode, char *hashspec) -+{ -+ grub_cryptodisk_t newdev; -+ char *cipheriv = NULL; -+ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; -+ grub_crypto_cipher_handle_t essiv_cipher = NULL; -+ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; -+ const struct gcry_cipher_spec *ciph; -+ grub_cryptodisk_mode_t mode; -+ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; -+ int benbi_log = 0; -+ -+ if (!uuid) -+ uuid = (char*)"00000000000000000000000000000000"; -+ -+ ciph = grub_crypto_lookup_cipher_by_name (ciphername); -+ if (!ciph) -+ { -+ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", -+ ciphername); -+ return NULL; -+ } -+ -+ /* Configure the cipher used for the bulk data. */ -+ cipher = grub_crypto_cipher_open (ciph); -+ if (!cipher) -+ return NULL; -+ -+ /* Configure the cipher mode. */ -+ if (grub_strcmp (ciphermode, "ecb") == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_ECB; -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -+ cipheriv = NULL; -+ } -+ else if (grub_strcmp (ciphermode, "plain") == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_CBC; -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -+ cipheriv = NULL; -+ } -+ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_CBC; -+ cipheriv = ciphermode + sizeof ("cbc-") - 1; -+ } -+ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_PCBC; -+ cipheriv = ciphermode + sizeof ("pcbc-") - 1; -+ } -+ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_XTS; -+ cipheriv = ciphermode + sizeof ("xts-") - 1; -+ secondary_cipher = grub_crypto_cipher_open (ciph); -+ if (!secondary_cipher) -+ { -+ grub_crypto_cipher_close (cipher); -+ return NULL; -+ } -+ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", -+ cipher->cipher->blocksize); -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", -+ secondary_cipher->cipher->blocksize); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ } -+ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) -+ { -+ mode = GRUB_CRYPTODISK_MODE_LRW; -+ cipheriv = ciphermode + sizeof ("lrw-") - 1; -+ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", -+ cipher->cipher->blocksize); -+ grub_crypto_cipher_close (cipher); -+ return NULL; -+ } -+ } -+ else -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", -+ ciphermode); -+ return NULL; -+ } -+ -+ if (cipheriv == NULL); -+ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -+ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; -+ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) -+ { -+ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) -+ || cipher->cipher->blocksize == 0) -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", -+ cipher->cipher->blocksize); -+ /* FIXME should we return an error here? */ -+ for (benbi_log = 0; -+ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; -+ benbi_log++); -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; -+ } -+ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; -+ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) -+ { -+ char *hash_str = cipheriv + 6; -+ -+ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; -+ -+ /* Configure the hash and cipher used for ESSIV. */ -+ essiv_hash = grub_crypto_lookup_md_by_name (hash_str); -+ if (!essiv_hash) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ grub_error (GRUB_ERR_FILE_NOT_FOUND, -+ "Couldn't load %s hash", hash_str); -+ return NULL; -+ } -+ essiv_cipher = grub_crypto_cipher_open (ciph); -+ if (!essiv_cipher) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ } -+ else -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", -+ cipheriv); -+ return NULL; -+ } -+ -+ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */ -+ hash = grub_crypto_lookup_md_by_name (hashspec); -+ if (!hash) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (essiv_cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", -+ hashspec); -+ return NULL; -+ } -+ -+ newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); -+ if (!newdev) -+ { -+ grub_crypto_cipher_close (cipher); -+ grub_crypto_cipher_close (essiv_cipher); -+ grub_crypto_cipher_close (secondary_cipher); -+ return NULL; -+ } -+ newdev->cipher = cipher; -+ newdev->offset = 0; -+ newdev->source_disk = NULL; -+ newdev->benbi_log = benbi_log; -+ newdev->mode = mode; -+ newdev->mode_iv = mode_iv; -+ newdev->secondary_cipher = secondary_cipher; -+ newdev->essiv_cipher = essiv_cipher; -+ newdev->essiv_hash = essiv_hash; -+ newdev->hash = hash; -+ newdev->log_sector_size = 9; -+ newdev->total_length = grub_disk_get_size (disk) - newdev->offset; -+ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); -+ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); -+ -+ return newdev; -+} -+ - static grub_extcmd_t cmd; - - GRUB_MOD_INIT (cryptodisk) - { - grub_disk_dev_register (&grub_cryptodisk_dev); - cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, -- N_("SOURCE|-u UUID|-a|-b|-H file"), -+ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"), - N_("Mount a crypto device."), options); - grub_procfs_register ("luks_script", &luks_script); - } -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 11e437e..4ebe21b 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -30,8 +30,6 @@ - - GRUB_MOD_LICENSE ("GPLv3+"); - --#define MAX_PASSPHRASE 256 -- - #define LUKS_KEY_ENABLED 0x00AC71F3 - - /* On disk LUKS header */ -@@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - char uuid[sizeof (header.uuid) + 1]; - char ciphername[sizeof (header.cipherName) + 1]; - char ciphermode[sizeof (header.cipherMode) + 1]; -- char *cipheriv = NULL; - char hashspec[sizeof (header.hashSpec) + 1]; -- grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; -- grub_crypto_cipher_handle_t essiv_cipher = NULL; -- const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; -- const struct gcry_cipher_spec *ciph; -- grub_cryptodisk_mode_t mode; -- grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; -- int benbi_log = 0; - grub_err_t err; - - err = GRUB_ERR_NONE; -@@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - iptr++) - { - if (*iptr != '-') -- *optr++ = *iptr; -+ *optr++ = *iptr; - } - *optr = 0; - -@@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - return NULL; - } - -+ - /* Make sure that strings are null terminated. */ - grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName)); - ciphername[sizeof (header.cipherName)] = 0; -@@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); - hashspec[sizeof (header.hashSpec)] = 0; - -- ciph = grub_crypto_lookup_cipher_by_name (ciphername); -- if (!ciph) -- { -- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", -- ciphername); -- return NULL; -- } -- -- /* Configure the cipher used for the bulk data. */ -- cipher = grub_crypto_cipher_open (ciph); -- if (!cipher) -- return NULL; -- -- if (grub_be_to_cpu32 (header.keyBytes) > 1024) -- { -- grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d", -- grub_be_to_cpu32 (header.keyBytes)); -- grub_crypto_cipher_close (cipher); -- return NULL; -- } -- -- /* Configure the cipher mode. */ -- if (grub_strcmp (ciphermode, "ecb") == 0) -- { -- mode = GRUB_CRYPTODISK_MODE_ECB; -- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -- cipheriv = NULL; -- } -- else if (grub_strcmp (ciphermode, "plain") == 0) -- { -- mode = GRUB_CRYPTODISK_MODE_CBC; -- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -- cipheriv = NULL; -- } -- else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) -- { -- mode = GRUB_CRYPTODISK_MODE_CBC; -- cipheriv = ciphermode + sizeof ("cbc-") - 1; -- } -- else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) -- { -- mode = GRUB_CRYPTODISK_MODE_PCBC; -- cipheriv = ciphermode + sizeof ("pcbc-") - 1; -- } -- else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) -- { -- mode = GRUB_CRYPTODISK_MODE_XTS; -- cipheriv = ciphermode + sizeof ("xts-") - 1; -- secondary_cipher = grub_crypto_cipher_open (ciph); -- if (!secondary_cipher) -- { -- grub_crypto_cipher_close (cipher); -- return NULL; -- } -- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -- { -- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", -- cipher->cipher->blocksize); -- grub_crypto_cipher_close (cipher); -- grub_crypto_cipher_close (secondary_cipher); -- return NULL; -- } -- if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -- { -- grub_crypto_cipher_close (cipher); -- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", -- secondary_cipher->cipher->blocksize); -- grub_crypto_cipher_close (secondary_cipher); -- return NULL; -- } -- } -- else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) -- { -- mode = GRUB_CRYPTODISK_MODE_LRW; -- cipheriv = ciphermode + sizeof ("lrw-") - 1; -- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) -- { -- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", -- cipher->cipher->blocksize); -- grub_crypto_cipher_close (cipher); -- return NULL; -- } -- } -- else -- { -- grub_crypto_cipher_close (cipher); -- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", -- ciphermode); -- return NULL; -- } -- -- if (cipheriv == NULL); -- else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) -- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; -- else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) -- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; -- else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) -- { -- if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) -- || cipher->cipher->blocksize == 0) -- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", -- cipher->cipher->blocksize); -- /* FIXME should we return an error here? */ -- for (benbi_log = 0; -- (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; -- benbi_log++); -- mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; -- } -- else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) -- mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; -- else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) -- { -- char *hash_str = cipheriv + 6; -- -- mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; -- -- /* Configure the hash and cipher used for ESSIV. */ -- essiv_hash = grub_crypto_lookup_md_by_name (hash_str); -- if (!essiv_hash) -- { -- grub_crypto_cipher_close (cipher); -- grub_crypto_cipher_close (secondary_cipher); -- grub_error (GRUB_ERR_FILE_NOT_FOUND, -- "Couldn't load %s hash", hash_str); -- return NULL; -- } -- essiv_cipher = grub_crypto_cipher_open (ciph); -- if (!essiv_cipher) -- { -- grub_crypto_cipher_close (cipher); -- grub_crypto_cipher_close (secondary_cipher); -- return NULL; -- } -- } -- else -- { -- grub_crypto_cipher_close (cipher); -- grub_crypto_cipher_close (secondary_cipher); -- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", -- cipheriv); -- return NULL; -- } -- -- /* Configure the hash used for the AF splitter and HMAC. */ -- hash = grub_crypto_lookup_md_by_name (hashspec); -- if (!hash) -- { -- grub_crypto_cipher_close (cipher); -- grub_crypto_cipher_close (essiv_cipher); -- grub_crypto_cipher_close (secondary_cipher); -- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", -- hashspec); -- return NULL; -- } -+ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec); - -- newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); -- if (!newdev) -- { -- grub_crypto_cipher_close (cipher); -- grub_crypto_cipher_close (essiv_cipher); -- grub_crypto_cipher_close (secondary_cipher); -- return NULL; -- } -- newdev->cipher = cipher; - newdev->offset = grub_be_to_cpu32 (header.payloadOffset); -- newdev->source_disk = NULL; -- newdev->benbi_log = benbi_log; -- newdev->mode = mode; -- newdev->mode_iv = mode_iv; -- newdev->secondary_cipher = secondary_cipher; -- newdev->essiv_cipher = essiv_cipher; -- newdev->essiv_hash = essiv_hash; -- newdev->hash = hash; -- newdev->log_sector_size = 9; -- newdev->total_length = grub_disk_get_size (disk) - newdev->offset; -- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); - newdev->modname = "luks"; -- COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); - - return newdev; - } -@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source, - struct grub_luks_phdr header; - grub_size_t keysize; - grub_uint8_t *split_key = NULL; -- char interactive_passphrase[MAX_PASSPHRASE] = ""; -+ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; - grub_uint8_t *passphrase; - grub_size_t passphrase_length; - grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; -@@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source, - /* Use bytestring from key file as passphrase */ - passphrase = keyfile_bytes; - passphrase_length = keyfile_bytes_size; -- keyfile_bytes = NULL; /* use it only once */ -+ keyfile_bytes = NULL; /* use it only once */ - } - else - { -@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source, - grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, - source->partition ? "," : "", tmp ? : "", dev->uuid); - grub_free (tmp); -- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) -+ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) - { - grub_free (split_key); - return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index 67f6b0b..bb25ab7 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -54,9 +54,14 @@ typedef enum - #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3) - #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) - #define GRUB_CRYPTODISK_MAX_KEYLEN 128 -+#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256 - - #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 - -+#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256" -+#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160" -+#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256 -+ - struct grub_cryptodisk; - - typedef gcry_err_code_t -@@ -160,4 +165,7 @@ grub_util_get_geli_uuid (const char *dev); - grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid); - grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); - -+grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, -+ char *ciphername, char *ciphermode, char *digest); -+ - #endif --- -1.9.1 - diff --git a/resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch deleted file mode 100644 index 2684f062..00000000 --- a/resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 047a5b323de2a0c45a6fe2b6854106830da5f3ae Mon Sep 17 00:00:00 2001 -From: John Lane <john@lane.uk.net> -Date: Fri, 26 Jun 2015 22:48:03 +0100 -Subject: [PATCH 06/10] Cryptomount support for hyphens in UUID - ---- - grub-core/disk/cryptodisk.c | 20 +++++++++++++++++--- - grub-core/disk/luks.c | 26 ++++++++------------------ - include/grub/cryptodisk.h | 2 ++ - 3 files changed, 27 insertions(+), 21 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 57fb904..5430b2e 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -114,6 +114,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b) - } - } - -+int -+grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b) -+{ -+ while ((*uuid_a != '\0') && (*uuid_b != '\0')) -+ { -+ while (*uuid_a == '-') uuid_a++; -+ while (*uuid_b == '-') uuid_b++; -+ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break; -+ uuid_a++; -+ uuid_b++; -+ } -+ return (*uuid_a == '\0') && (*uuid_b == '\0'); -+} -+ - static gcry_err_code_t - grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher, - void *out, void *in, grub_size_t size, -@@ -508,8 +522,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk) - if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0) - { - for (dev = cryptodisk_list; dev != NULL; dev = dev->next) -- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0) -- break; -+ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid)) -+ break; - } - else - { -@@ -741,7 +755,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid) - { - grub_cryptodisk_t dev; - for (dev = cryptodisk_list; dev != NULL; dev = dev->next) -- if (grub_strcasecmp (dev->uuid, uuid) == 0) -+ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid)) - return dev; - return NULL; - } -diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c -index 4ebe21b..80a7606 100644 ---- a/grub-core/disk/luks.c -+++ b/grub-core/disk/luks.c -@@ -68,9 +68,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - int check_boot, grub_file_t hdr) - { - grub_cryptodisk_t newdev; -- const char *iptr; - struct grub_luks_phdr header; -- char *optr; - char uuid[sizeof (header.uuid) + 1]; - char ciphername[sizeof (header.cipherName) + 1]; - char ciphermode[sizeof (header.cipherMode) + 1]; -@@ -104,22 +102,6 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - || grub_be_to_cpu16 (header.version) != 1) - return NULL; - -- optr = uuid; -- for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)]; -- iptr++) -- { -- if (*iptr != '-') -- *optr++ = *iptr; -- } -- *optr = 0; -- -- if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0) -- { -- grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); -- return NULL; -- } -- -- - /* Make sure that strings are null terminated. */ - grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName)); - ciphername[sizeof (header.cipherName)] = 0; -@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, - ciphermode[sizeof (header.cipherMode)] = 0; - grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); - hashspec[sizeof (header.hashSpec)] = 0; -+ grub_memcpy (uuid, header.uuid, sizeof (header.uuid)); -+ uuid[sizeof (header.uuid)] = 0; -+ -+ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid)) -+ { -+ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); -+ return NULL; -+ } - - newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec); - -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index bb25ab7..01c0269 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -168,4 +168,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); - grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, - char *ciphername, char *ciphermode, char *digest); - -+int -+grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b); - #endif --- -1.9.1 - diff --git a/resources/grub/patch/grub.johnlane.ie/0006-grub-core-disk-cryptodisk.c-Point-to-const-char.patch b/resources/grub/patch/grub.johnlane.ie/0006-grub-core-disk-cryptodisk.c-Point-to-const-char.patch deleted file mode 100644 index b9314e5a..00000000 --- a/resources/grub/patch/grub.johnlane.ie/0006-grub-core-disk-cryptodisk.c-Point-to-const-char.patch +++ /dev/null @@ -1,37 +0,0 @@ -From fd72a029d64e0ee9552e4433387ee01f3cb05592 Mon Sep 17 00:00:00 2001 -From: Klemens Nanni <contact@autoboot.org> -Date: Tue, 15 Sep 2015 16:00:03 +0200 -Subject: [PATCH 07/10] grub-core/disk/cryptodisk.c: Point to const char - ---- - grub-core/disk/cryptodisk.c | 2 +- - include/grub/cryptodisk.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 5430b2e..633edb2 100644 ---- a/grub-core/disk/cryptodisk.c -+++ b/grub-core/disk/cryptodisk.c -@@ -115,7 +115,7 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b) - } - - int --grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b) -+grub_cryptodisk_uuidcmp(const char *uuid_a, const char *uuid_b) - { - while ((*uuid_a != '\0') && (*uuid_b != '\0')) - { -diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h -index 01c0269..cd6a545 100644 ---- a/include/grub/cryptodisk.h -+++ b/include/grub/cryptodisk.h -@@ -169,5 +169,5 @@ grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, - char *ciphername, char *ciphermode, char *digest); - - int --grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b); -+grub_cryptodisk_uuidcmp(const char *uuid_a, const char *uuid_b); - #endif --- -1.9.1 - diff --git a/resources/grub/patch/reproducible/0001-mkstandalone-add-argument-fixed-time-to-override-mti.patch b/resources/grub/patch/reproducible/0001-mkstandalone-add-argument-fixed-time-to-override-mti.patch deleted file mode 100644 index 1d537e87..00000000 --- a/resources/grub/patch/reproducible/0001-mkstandalone-add-argument-fixed-time-to-override-mti.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 8dde1d7be2dd321a375570b7ff7e22bb01293044 Mon Sep 17 00:00:00 2001 -From: Alexander Couzens <lynxis@fe80.eu> -Date: Fri, 4 Dec 2015 17:10:42 +0100 -Subject: [PATCH 08/10] mkstandalone: add argument --fixed-time to override - mtime of files - -mkstandalone adds several files to an archive. Doing this it uses the -mtime to give these files a timestamp. ---fixed-time <TIME_EPOCH> overrides these timestamps with a given. - -Replacing all timestamps with a specific one is required -to get reproducible builds. See source epoch specification of -reproducible-builds.org ---- - util/grub-mkstandalone.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c -index 4907d44..047f0cd 100644 ---- a/util/grub-mkstandalone.c -+++ b/util/grub-mkstandalone.c -@@ -30,6 +30,7 @@ - #pragma GCC diagnostic error "-Wmissing-prototypes" - #pragma GCC diagnostic error "-Wmissing-declarations" - -+static time_t fixed_time; - static char *output_image; - static char **files; - static int nfiles; -@@ -48,6 +49,7 @@ static struct argp_option options[] = { - 0, N_("save output in FILE [required]"), 2}, - {"format", 'O', N_("FILE"), 0, 0, 2}, - {"compression", 'C', "xz|none|auto", OPTION_HIDDEN, 0, 2}, -+ {"fixed-time", 't', N_("TIMEEPOCH"), 0, N_("Use a fixed timestamp to override mtime of all files. Time since epoch is used."), 2}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -72,6 +74,7 @@ help_filter (int key, const char *text, void *input __attribute__ ((unused))) - static error_t - argp_parser (int key, char *arg, struct argp_state *state) - { -+ char *b; - if (key == 'C') - key = GRUB_INSTALL_OPTIONS_INSTALL_CORE_COMPRESS; - -@@ -80,6 +83,14 @@ argp_parser (int key, char *arg, struct argp_state *state) - - switch (key) - { -+ case 't': -+ fixed_time = strtoll (arg, &b, 10); -+ if (*b !='\0') { -+ printf (_("invalid fixed time number: %s\n"), arg); -+ argp_usage (state); -+ exit (1); -+ } -+ break; - - case 'o': - if (output_image) -@@ -192,7 +203,8 @@ add_tar_file (const char *from, - if (grub_util_is_special_file (from)) - return; - -- mtime = grub_util_get_mtime (from); -+ /* use fixed_time if given for mtime */ -+ mtime = fixed_time != -1 ? fixed_time : grub_util_get_mtime (from); - - optr = tcn = xmalloc (strlen (to) + 1); - for (iptr = to; *iptr == '/'; iptr++); --- -1.9.1 - diff --git a/resources/grub/patch/reproducible/0002-mkrescue-add-argument-fixed-time-to-get-reproducible.patch b/resources/grub/patch/reproducible/0002-mkrescue-add-argument-fixed-time-to-get-reproducible.patch deleted file mode 100644 index 0612ade0..00000000 --- a/resources/grub/patch/reproducible/0002-mkrescue-add-argument-fixed-time-to-get-reproducible.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 0f1e1a29d4d019e7b2b1a3ac3db7ca22c75e8d88 Mon Sep 17 00:00:00 2001 -From: Alexander Couzens <lynxis@fe80.eu> -Date: Fri, 4 Dec 2015 17:10:43 +0100 -Subject: [PATCH 09/10] mkrescue: add argument --fixed-time to get reproducible - uuids - -The uuid generation is based on the time. ---- - util/grub-mkrescue.c | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c -index 238d484..a3e0155 100644 ---- a/util/grub-mkrescue.c -+++ b/util/grub-mkrescue.c -@@ -52,6 +52,7 @@ static int xorriso_arg_alloc; - static char **xorriso_argv; - static char *iso_uuid; - static char *iso9660_dir; -+static time_t fixed_time; - - static void - xorriso_push (const char *val) -@@ -110,6 +111,7 @@ static struct argp_option options[] = { - {"product-version", OPTION_PRODUCT_VERSION, N_("STRING"), 0, N_("use STRING as product version"), 2}, - {"sparc-boot", OPTION_SPARC_BOOT, 0, 0, N_("enable sparc boot. Disables HFS+, APM, ARCS and boot as disk image for i386-pc"), 2}, - {"arcs-boot", OPTION_ARCS_BOOT, 0, 0, N_("enable ARCS (big-endian mips machines, mostly SGI) boot. Disables HFS+, APM, sparc64 and boot as disk image for i386-pc"), 2}, -+ {"fixed-time", 't', N_("TIMEEPOCH"), 0, N_("use a fixed timestamp for uuid generation"), 2}, - {0, 0, 0, 0, 0, 0} - }; - -@@ -153,6 +155,8 @@ enum { - static error_t - argp_parser (int key, char *arg, struct argp_state *state) - { -+ char *b; -+ - if (grub_install_parse (key, arg)) - return 0; - switch (key) -@@ -212,6 +216,15 @@ argp_parser (int key, char *arg, struct argp_state *state) - xorriso = xstrdup (arg); - return 0; - -+ case 't': -+ fixed_time = strtoll (arg, &b, 10); -+ if (*b !='\0') { -+ printf (_("invalid fixed time number: %s\n"), arg); -+ argp_usage (state); -+ exit (1); -+ } -+ return 0; -+ - default: - return ARGP_ERR_UNKNOWN; - } -@@ -542,7 +555,7 @@ main (int argc, char *argv[]) - { - time_t tim; - struct tm *tmm; -- tim = time (NULL); -+ tim = fixed_time != -1 ? fixed_time : time (NULL); - tmm = gmtime (&tim); - iso_uuid = xmalloc (55); - grub_snprintf (iso_uuid, 50, --- -1.9.1 - diff --git a/resources/grub/patch/reproducible/0003-Makefile-use-FIXED_TIMESTAMP-for-mkstandalone-if-set.patch b/resources/grub/patch/reproducible/0003-Makefile-use-FIXED_TIMESTAMP-for-mkstandalone-if-set.patch deleted file mode 100644 index f06dbfb5..00000000 --- a/resources/grub/patch/reproducible/0003-Makefile-use-FIXED_TIMESTAMP-for-mkstandalone-if-set.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 57174ed960905be4f9c229bbf3913b25745dbfd9 Mon Sep 17 00:00:00 2001 -From: Alexander Couzens <lynxis@fe80.eu> -Date: Fri, 4 Dec 2015 17:10:44 +0100 -Subject: [PATCH 10/10] Makefile: use FIXED_TIMESTAMP for mkstandalone if set - -mkstandalone sets timestamps for files which can be overriden by a fixed_timestamp. -This makes it possible to build reproducible builds for coreboot. - -To build a reproducible build of grub for coreboot do: -make default_payload.elf FIXED_TIMESTAMP=1134242 ---- - Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile.am b/Makefile.am -index 00a9663..ed7f148 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -411,7 +411,7 @@ bootcheck: $(BOOTCHECKS) - if COND_i386_coreboot - default_payload.elf: grub-mkstandalone grub-mkimage FORCE - test -f $@ && rm $@ || true -- pkgdatadir=. ./grub-mkstandalone --grub-mkimage=./grub-mkimage -O i386-coreboot -o $@ --modules='ahci pata ehci uhci ohci usb_keyboard usbms part_msdos ext2 fat at_keyboard part_gpt usbserial_usbdebug cbfs' --install-modules='ls linux search configfile normal cbtime cbls memrw iorw minicmd lsmmap lspci halt reboot hexdump pcidump regexp setpci lsacpi chain test serial multiboot cbmemc linux16 gzio echo help syslinuxcfg xnu $(shell cat grub-core/fs.lst) password_pbkdf2 $(EXTRA_PAYLOAD_MODULES)' --fonts= --themes= --locales= -d grub-core/ /boot/grub/grub.cfg=$(srcdir)/coreboot.cfg -+ pkgdatadir=. ./grub-mkstandalone --grub-mkimage=./grub-mkimage -O i386-coreboot -o $@ --modules='ahci pata ehci uhci ohci usb_keyboard usbms part_msdos ext2 fat at_keyboard part_gpt usbserial_usbdebug cbfs' --install-modules='ls linux search configfile normal cbtime cbls memrw iorw minicmd lsmmap lspci halt reboot hexdump pcidump regexp setpci lsacpi chain test serial multiboot cbmemc linux16 gzio echo help syslinuxcfg xnu $(shell cat grub-core/fs.lst) password_pbkdf2 $(EXTRA_PAYLOAD_MODULES)' --fonts= --themes= --locales= -d grub-core/ /boot/grub/grub.cfg=$(srcdir)/coreboot.cfg $(if $(FIXED_TIMESTAMP),-t $(FIXED_TIMESTAMP)) - endif - - endif --- -1.9.1 - diff --git a/resources/scripts/helpers/download/grub b/resources/scripts/helpers/download/grub index d0d42817..1847de9a 100755 --- a/resources/scripts/helpers/download/grub +++ b/resources/scripts/helpers/download/grub @@ -41,7 +41,7 @@ git clone git://git.savannah.gnu.org/grub.git || git clone http://git.savannah.g cd "grub/" # reset to known revision -git reset --hard 7f2a856faec951b7ab816880bd26e1e10b17a596 +git reset --hard e54c99aaff5e5f6f5d3b06028506c57e66d8ef77 # Apply patches # ------------------------------------------------------------------------------ @@ -49,20 +49,6 @@ git reset --hard 7f2a856faec951b7ab816880bd26e1e10b17a596 # Replace "GNU GRUB version" in GRUB screen with "FREE AS IN FREEDOM" git am "../resources/grub/patch/0001-grub-core-normal-main.c-Display-FREE-AS-IN-FREEDOM-n.patch" -# GRUB enhancement patches from grub.johnlane.ie (rebased in libreboot's GRUB, unofficially, on 30 November 2015) -git am "../resources/grub/patch/grub.johnlane.ie/0001-Cryptomount-support-LUKS-detached-header.patch" -git am "../resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch" -git am "../resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch" -git am "../resources/grub/patch/grub.johnlane.ie/0004-Cryptomount-support-plain-dm-crypt.patch" -git am "../resources/grub/patch/grub.johnlane.ie/0005-Cryptomount-support-for-hyphens-in-UUID.patch" -# hotfix from kl3 (merged from autoboot) (ditto) -git am "../resources/grub/patch/grub.johnlane.ie/0006-grub-core-disk-cryptodisk.c-Point-to-const-char.patch" - -# Needed for reproducible builds in GRUB -git am "../resources/grub/patch/reproducible/0001-mkstandalone-add-argument-fixed-time-to-override-mti.patch" -git am "../resources/grub/patch/reproducible/0002-mkrescue-add-argument-fixed-time-to-get-reproducible.patch" -git am "../resources/grub/patch/reproducible/0003-Makefile-use-FIXED_TIMESTAMP-for-mkstandalone-if-set.patch" - cd "../" # Also download SeaBIOS, which we use with GRUB, to implement SeaGRUB diff --git a/resources/scripts/helpers/download/seabios b/resources/scripts/helpers/download/seabios index 39036ebb..18f90dd6 100755 --- a/resources/scripts/helpers/download/seabios +++ b/resources/scripts/helpers/download/seabios @@ -44,7 +44,7 @@ cd "seabios/" # Reset to the last commit that was tested (we use stable releases for seabios) # ------------------------------------------------------------------------------ -git reset --hard rel-1.9.1 +git reset --hard 19fdcca467ad3436d68ef88899b4dcd78154a9c6 ) diff --git a/resources/seabios/config/config b/resources/seabios/config/config index 8333ea9e..cd13ec77 100644 --- a/resources/seabios/config/config +++ b/resources/seabios/config/config @@ -87,4 +87,5 @@ CONFIG_VGA_EXTRA_STACK_SIZE=512 # CONFIG_DEBUG_LEVEL=1 # CONFIG_DEBUG_SERIAL is not set +# CONFIG_DEBUG_SERIAL_MMIO is not set CONFIG_DEBUG_COREBOOT=y |