Re: [PATCH v3 3/5] cryptodisk: Add options to cryptomount to support keyfiles

Thu, 26 May 2022 11:58:16 -0700 

On Thu, 26 May 2022 16:24:13 +0200
Daniel Kiper <dki...@net-space.pl> wrote:

> On Fri, May 20, 2022 at 02:32:17PM -0500, Glenn Washburn wrote:
> > From: John Lane <j...@lane.uk.net>
> >
> > Add the options --key-file, --keyfile-offset, and --keyfile-size to
> > cryptomount and code to put read the requested key file data and pass
> > via the cargs struct. Note, key file data is for all intents and purposes
> > equivalent to a password given to cryptomount. So there is no need to
> > enable support for key files in the various crypto backends (eg. LUKS1)
> > because the key data is passed just as if it were a password.
> >
> > Signed-off-by: John Lane <j...@lane.uk.net>
> > gnu...@cyberdimension.org: rebase, patch split, small fixes, commit message
> > Signed-off-by: Denis 'GNUtoo' Carikli <gnu...@cyberdimension.org>
> > developm...@efficientek.com: rebase and rework to use cryptomount arg 
> > passing,
> >   minor fixes, improve commit message
> > Signed-off-by: Glenn Washburn <developm...@efficientek.com>
> > ---
> >  grub-core/disk/cryptodisk.c | 81 ++++++++++++++++++++++++++++++++++++-
> >  include/grub/cryptodisk.h   |  2 +
> >  include/grub/file.h         |  2 +
> >  3 files changed, 84 insertions(+), 1 deletion(-)
> >
> > diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> > index 9f5dc7acb..1198cb0e6 100644
> > --- a/grub-core/disk/cryptodisk.c
> > +++ b/grub-core/disk/cryptodisk.c
> > @@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
> >      {"all", 'a', 0, N_("Mount all."), 0, 0},
> >      {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
> >      {"password", 'p', 0, N_("Password to open volumes."), 0, 
> > ARG_TYPE_STRING},
> > +    {"key-file", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
> > +    {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, 
> > ARG_TYPE_INT},
> > +    {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
> > ARG_TYPE_INT},
> >      {0, 0, 0, 0, 0, 0}
> >    };
> >
> > @@ -1172,6 +1175,80 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, 
> > int argc, char **args)
> >        cargs.key_len = grub_strlen (state[3].arg);
> >      }
> >
> > +  if (state[4].set) /* keyfile */
> > +    {
> > +      const char *p = NULL;
> > +      grub_file_t keyfile;
> > +      unsigned long long keyfile_offset = 0, keyfile_size = 0;
> > +
> > +      if (state[5].set) /* keyfile-offset */
> > +   {
> > +     grub_errno = GRUB_ERR_NONE;
> > +     keyfile_offset = grub_strtoull (state[5].arg, &p, 0);
> > +
> > +     if (state[5].arg[0] == '\0' || *p != '\0')
> > +       return grub_error (grub_errno,
> > +                          N_("non-numeric or invalid keyfile offset `%s'"),
> > +                          state[5].arg);
> > +   }
> > +
> > +      if (state[6].set) /* keyfile-size */
> > +   {
> > +     grub_errno = GRUB_ERR_NONE;
> > +     keyfile_size = grub_strtoull (state[6].arg, &p, 0);
> > +
> > +     if (state[6].arg[0] == '\0' || *p != '\0')
> > +       return grub_error (grub_errno,
> > +                          N_("non-numeric or invalid keyfile size `%s'"),
> > +                          state[6].arg);
> > +
> > +     if (keyfile_size == 0)
> > +       return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("key file size is 0"));
> > +
> > +     if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
> > +       return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > +                          N_("key file size exceeds maximum (%d)"),
> > +                          GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
> > +   }
> > +
> > +      keyfile = grub_file_open (state[4].arg,
> > +                           GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
> > +      if (keyfile == NULL)
> > +   return grub_errno;
> > +
> > +      if (keyfile_offset > keyfile->size)
> > +   return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > +                      N_("Keyfile offset, %llu, is greater than"
> > +                         "keyfile size, %" PRIuGRUB_UINT64_T),
> > +                      keyfile_offset, keyfile->size);
> > +
> > +      if (grub_file_seek (keyfile, (grub_off_t) keyfile_offset) == 
> > (grub_off_t) -1)
> > +   return grub_errno;
> > +
> > +      if (keyfile_size != 0)
> > +   {
> > +     if (keyfile_size > (keyfile->size - keyfile_offset))
> > +       return grub_error (GRUB_ERR_FILE_READ_ERROR,
> > +                          N_("keyfile is too small: requested %llu bytes,"
> > +                             " but the file only has %" PRIuGRUB_UINT64_T
> 
> If you cast subtraction result to grub_size_t below then PRIuGRUB_UINT64_T
> should be replaced with PRIuGRUB_SIZE. Or maybe it would be safer if we
> do s/grub_size_t/grub_off_t/ instead of changing format string. This does
> not matter today but...
> 
> Otherwise all patches LGTM -> Reviewed-by: Daniel Kiper 
> <daniel.ki...@oracle.com>
> So, I can fix the issue mentioned above for you before push.

Sounds great. Glad to finally get this series off my plate.

Glenn

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to