diff options
Diffstat (limited to 'resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch')
| -rw-r--r-- | resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch | 205 |
1 files changed, 205 insertions, 0 deletions
diff --git a/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch b/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch new file mode 100644 index 00000000..9c33b9b0 --- /dev/null +++ b/resources/grub/patch/grub.johnlane.ie/0002-Cryptomount-support-key-files.patch @@ -0,0 +1,205 @@ +From 3b7ef4a5fd57b042201fbefb92a217070b944d67 Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 13:37:10 +0100 +Subject: [PATCH 03/10] Cryptomount support key files + +--- + grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++- + grub-core/disk/geli.c | 4 +++- + grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++-------------- + include/grub/cryptodisk.h | 5 ++++- + 4 files changed, 82 insertions(+), 17 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index dd8870d..0e7ced8 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] = + {"all", 'a', 0, N_("Mount all."), 0, 0}, + {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, + {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, ++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, ++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, ++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -810,6 +813,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) + static int check_boot, have_it; + static char *search_uuid; + static grub_file_t hdr; ++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE]; ++static grub_size_t keyfile_size; + + static void + cryptodisk_close (grub_cryptodisk_t dev) +@@ -840,7 +845,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + if (!dev) + continue; + +- err = cr->recover_key (source, dev, hdr); ++ err = cr->recover_key (source, dev, hdr, key, keyfile_size); + if (err) + { + cryptodisk_close (dev); +@@ -948,6 +953,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + hdr = NULL; + + have_it = 0; ++ key = NULL; ++ ++ if (state[4].set) /* Key file; fails back to passphrase entry */ ++ { ++ grub_file_t keyfile; ++ int keyfile_offset; ++ grub_size_t requested_keyfile_size; ++ ++ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0; ++ ++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) ++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ ++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); ++ else ++ { ++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; ++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ ++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; ++ ++ keyfile = grub_file_open (state[4].arg); ++ if (!keyfile) ++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); ++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) ++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); ++ else ++ { ++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); ++ if (keyfile_size == (grub_size_t)-1) ++ grub_printf (N_("Error reading key file\n")); ++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) ++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), ++ (unsigned long long) requested_keyfile_size, ++ (unsigned long long) keyfile_size); ++ else ++ key = keyfile_buffer; ++ } ++ } ++ } ++ + if (state[0].set) + { + grub_cryptodisk_t dev; +diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c +index f4394eb..da6aa6a 100644 +--- a/grub-core/disk/geli.c ++++ b/grub-core/disk/geli.c +@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + + static grub_err_t + recover_key (grub_disk_t source, grub_cryptodisk_t dev, +- grub_file_t hdr __attribute__ ((unused)) ) ++ grub_file_t hdr __attribute__ ((unused)), ++ grub_uint8_t *key __attribute__ ((unused)), ++ grub_size_t keyfile_size __attribute__ ((unused)) ) + { + grub_size_t keysize; + grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 66e64c0..5882368 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + static grub_err_t + luks_recover_key (grub_disk_t source, + grub_cryptodisk_t dev, +- grub_file_t hdr) ++ grub_file_t hdr, ++ grub_uint8_t *keyfile_bytes, ++ grub_size_t keyfile_bytes_size) + { + struct grub_luks_phdr header; + grub_size_t keysize; + grub_uint8_t *split_key = NULL; +- char passphrase[MAX_PASSPHRASE] = ""; ++ char interactive_passphrase[MAX_PASSPHRASE] = ""; ++ grub_uint8_t *passphrase; ++ grub_size_t passphrase_length; + grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; + unsigned i; + grub_size_t length; +@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source, + if (!split_key) + return grub_errno; + +- /* Get the passphrase from the user. */ +- tmp = NULL; +- if (source->partition) +- tmp = grub_partition_get_name (source->partition); +- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, +- source->partition ? "," : "", tmp ? : "", +- dev->uuid); +- grub_free (tmp); +- if (!grub_password_get (passphrase, MAX_PASSPHRASE)) ++ if (keyfile_bytes) + { +- grub_free (split_key); +- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ /* Use bytestring from key file as passphrase */ ++ passphrase = keyfile_bytes; ++ passphrase_length = keyfile_bytes_size; ++ } ++ else ++ { ++ /* Get the passphrase from the user. */ ++ tmp = NULL; ++ if (source->partition) ++ tmp = grub_partition_get_name (source->partition); ++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, ++ source->partition ? "," : "", tmp ? : "", dev->uuid); ++ grub_free (tmp); ++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ { ++ grub_free (split_key); ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ } ++ ++ passphrase = (grub_uint8_t *)interactive_passphrase; ++ passphrase_length = grub_strlen (interactive_passphrase); ++ + } + + /* Try to recover master key from each active keyslot. */ +@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source, + + /* Calculate the PBKDF2 of the user supplied passphrase. */ + gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, +- grub_strlen (passphrase), ++ passphrase_length, + header.keyblock[i].passwordSalt, + sizeof (header.keyblock[i].passwordSalt), + grub_be_to_cpu32 (header.keyblock[i]. +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 4e6e89a..67f6b0b 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -55,6 +55,8 @@ typedef enum + #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) + #define GRUB_CRYPTODISK_MAX_KEYLEN 128 + ++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 ++ + struct grub_cryptodisk; + + typedef gcry_err_code_t +@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev + + grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, + int boot_only, grub_file_t hdr); +- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); ++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, ++ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size); + }; + typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; + +-- +1.9.1 + |