From: John Lane <j...@lane.uk.net> Signed-off-by: John Lane <j...@lane.uk.net> gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org> developm...@efficientek.com: rebase and rework to use cryptomount arg passing Signed-off-by: Glenn Washburn <developm...@efficientek.com> --- grub-core/disk/cryptodisk.c | 83 +++++++++++++++++++++++++++++++++++++ include/grub/cryptodisk.h | 2 + include/grub/file.h | 2 + 3 files changed, 87 insertions(+)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index e90f680f0..ea8ed20e2 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -43,6 +43,9 @@ static const struct grub_arg_option options[] =
 {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
 {"password", 'p', 0, N_("Password to open volumes."), 0, ARG_TYPE_STRING},
 {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
+ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
+ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
 {0, 0, 0, 0, 0, 0}
 };
 
@@ -1186,6 +1189,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
 return grub_errno;
 }
 
+ if (state[5].set) /* keyfile */
+ {
+ const char *p = NULL;
+ grub_file_t keyfile;
+ int keyfile_offset;
+ grub_size_t requested_keyfile_size = 0;
+
+
+ if (state[6].set) /* keyfile-offset */
+ {
+ keyfile_offset = grub_strtoul (state[6].arg, &p, 0);
+
+ if (grub_errno != GRUB_ERR_NONE)
+ return grub_errno;
+
+ if (*p != '\0')
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("unrecognized number"));
+ }
+ else
+ {
+ keyfile_offset = 0;
+ }
+
+ if (state[7].set) /* keyfile-size */
+ {
+ requested_keyfile_size = grub_strtoul (state[7].arg, &p, 0);
+
+ if (*p != '\0')
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("unrecognized number"));
+
+ if (grub_errno != GRUB_ERR_NONE)
+ return grub_errno;
+
+ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size exceeds maximum (%d)\n"),
+ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
+
+ if (requested_keyfile_size == 0)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Key file size is 0\n"));
+ }
+
+ keyfile = grub_file_open (state[5].arg,
+ GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
+ if (!keyfile)
+ return grub_errno;
+
+ if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
+ return grub_errno;
+
+ if (requested_keyfile_size)
+ {
+ if (requested_keyfile_size > (keyfile->size - keyfile_offset))
+ return grub_error (GRUB_ERR_FILE_READ_ERROR,
+ N_("Keyfile is too small: "
+ "requested %" PRIuGRUB_SIZE " bytes, "
+ "but the file only has %" PRIuGRUB_UINT64_T
+ " bytes.\n"),
+ requested_keyfile_size,
+ keyfile->size);
+
+ cargs.key_len = requested_keyfile_size;
+ }
+ else
+ {
+ cargs.key_len = keyfile->size - keyfile_offset;
+ }
+
+ cargs.key_data = grub_malloc (cargs.key_len);
+ if (!cargs.key_data)
+ return GRUB_ERR_OUT_OF_MEMORY;
+
+ if (grub_file_read (keyfile, cargs.key_data, cargs.key_len) != (grub_ssize_t) cargs.key_len)
+ return grub_error (GRUB_ERR_FILE_READ_ERROR,
+ (N_("Error reading key file\n")));
+ }
+
 if (state[0].set) /* uuid */
 {
 int found_uuid;
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index 9fe451de9..d94df68b6 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -62,6 +62,8 @@ typedef enum
 #define GRUB_CRYPTODISK_MAX_KEYLEN 128
 #define GRUB_CRYPTODISK_MAX_PASSPHRASE 256
 
+#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
+
 struct grub_cryptodisk;
 
 typedef gcry_err_code_t
diff --git a/include/grub/file.h b/include/grub/file.h
index 3a3c49a04..2d5d16cd2 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -92,6 +92,8 @@ enum grub_file_type
 GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY,
 /* File holding the encryption metadata header */
 GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER,
+ /* File holding the encryption key */
+ GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY,
 /* File we open n grub-fstest. */
 GRUB_FILE_TYPE_FSTEST,
 /* File we open n grub-mount. */
-- 
2.27.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
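Review bot: `keyfile` is never passed to `grub_file_close()` in the added `if (state[5].set)` block of `grub_cmd_cryptomount`, so the handle leaks on the seek, size-check, allocation and read error returns and, as far as the hunk shows, on the success path as well. The `GRUB_CRYPTODISK_MAX_KEYFILE_SIZE` and zero-length checks run only when `--keyfile-size` is given; in the `else` branch `cargs.key_len = keyfile->size - keyfile_offset` goes unchecked into `grub_malloc()`, so a large file, or an offset equal to the file size, yields an oversized or empty key buffer. `keyfile_offset` is declared `int` but assigned from `grub_strtoul()`, so an offset that does not fit is truncated or turns negative before it reaches `grub_file_seek()`; declaring it `grub_off_t` avoids that. The `state[5]`..`state[7]` indices depend on the order of `options[]` in the first hunk, which named index constants would make less fragile. The enclosing function starts and ends outside the hunk, so whether `cargs.key_data` is released (and the key bytes cleared) later cannot be seen here.

```c
      grub_off_t keyfile_offset = 0;	/* was: int keyfile_offset; */
      /* … unchanged: --keyfile-offset / --keyfile-size parsing, grub_file_open … */

      if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t) -1)
        {
          grub_file_close (keyfile);
          return grub_errno;
        }

      /* … unchanged: requested_keyfile_size branch; its "too small" return needs the same close … */
      else
        {
          cargs.key_len = keyfile->size - keyfile_offset;

          /* Apply the explicit-size limits to the implicit size as well.  */
          if (cargs.key_len == 0
              || cargs.key_len > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
            {
              grub_file_close (keyfile);
              return grub_error (GRUB_ERR_OUT_OF_RANGE,
                                 N_("Key file size must be between 1 and %d bytes\n"),
                                 GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
            }
        }

      cargs.key_data = grub_malloc (cargs.key_len);
      if (!cargs.key_data)
        {
          grub_file_close (keyfile);
          return GRUB_ERR_OUT_OF_MEMORY;
        }

      if (grub_file_read (keyfile, cargs.key_data, cargs.key_len) != (grub_ssize_t) cargs.key_len)
        {
          grub_file_close (keyfile);
          grub_free (cargs.key_data);
          cargs.key_data = NULL;
          return grub_error (GRUB_ERR_FILE_READ_ERROR,
                             (N_("Error reading key file\n")));
        }

      grub_file_close (keyfile);
```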