Small comment, otherwise looks good
Le mer. 6 août 2025, 10:16, Gary Lin <g...@suse.com> a écrit :
> Leverage the new grub_crypto_argon2() function to add support for the
> Argon2i and Argon2id KDFs in LUKS2
>
> Signed-off-by: Gary Lin <g...@suse.com>
> Tested-By: Waldemar Brodkorb <w...@openadk.org>
> ---
> grub-core/disk/luks2.c | 38 +++++++++++++++++++++++++++++++++++---
> 1 file changed, 35 insertions(+), 3 deletions(-)
>
> diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
> index b17cd2115..1fa68c3a3 100644
> --- a/grub-core/disk/luks2.c
> +++ b/grub-core/disk/luks2.c
> @@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
> enum grub_luks2_kdf_type
> {
> LUKS2_KDF_TYPE_ARGON2I,
> + LUKS2_KDF_TYPE_ARGON2ID,
> LUKS2_KDF_TYPE_PBKDF2
> };
> typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
> @@ -159,7 +160,7 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> grub_json_t *keyslot)
> grub_json_getstring (&type, &kdf, "type") ||
> grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
> - else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type,
> "argon2id"))
> + else if (!grub_strcmp (type, "argon2i"))
> {
> out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
> if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> @@ -167,6 +168,14 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> grub_json_t *keyslot)
> grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i
> parameters");
> }
> + else if (!grub_strcmp (type, "argon2id"))
> + {
> + out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
> + if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> + grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory")
> ||
> + grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2id
> parameters");
>
I know that you copied from above but error messages should start with
lowercase.
+ }
> else if (!grub_strcmp (type, "pbkdf2"))
> {
> out->kdf.type = LUKS2_KDF_TYPE_PBKDF2;
> @@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
> grub_uint8_t *split_key = NULL;
> idx_t saltlen = sizeof (salt);
> + int subalgo;
> + unsigned long param[4];
> char cipher[32], *p;
> const gcry_md_spec_t *hash;
> gcry_err_code_t gcry_ret;
> @@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> switch (k->kdf.type)
> {
> case LUKS2_KDF_TYPE_ARGON2I:
> - ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
> - goto err;
> + case LUKS2_KDF_TYPE_ARGON2ID:
> + if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
> + subalgo = GRUB_GCRY_KDF_ARGON2I;
> + else
> + subalgo = GRUB_GCRY_KDF_ARGON2ID;
> +
> + param[0] = k->area.key_size;
> + param[1] = k->kdf.u.argon2i.time;
> + param[2] = k->kdf.u.argon2i.memory;
> + param[3] = k->kdf.u.argon2i.cpus;
> +
> + gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
> + passphrase, passphraselen,
> + salt, saltlen,
> + NULL, 0, NULL, 0,
> + k->area.key_size, area_key);
> + if (gcry_ret)
> + {
> + ret = grub_crypto_gcry_error (gcry_ret);
> + goto err;
> + }
> +
> + break;
> case LUKS2_KDF_TYPE_PBKDF2:
> hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
> if (!hash)
> --
> 2.43.0
>
>
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
