On Thu, Aug 21, 2025 at 11:37:13PM +0300, Vladimir 'phcoder' Serbinenko wrote:
> Small comment, otherwise looks good
>
> Le mer. 6 août 2025, 10:16, Gary Lin <g...@suse.com> a écrit :
>
> > Leverage the new grub_crypto_argon2() function to add support for the
> > Argon2i and Argon2id KDFs in LUKS2
> >
> > Signed-off-by: Gary Lin <g...@suse.com>
> > Tested-By: Waldemar Brodkorb <w...@openadk.org>
> > ---
> > grub-core/disk/luks2.c | 38 +++++++++++++++++++++++++++++++++++---
> > 1 file changed, 35 insertions(+), 3 deletions(-)
> >
> > diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
> > index b17cd2115..1fa68c3a3 100644
> > --- a/grub-core/disk/luks2.c
> > +++ b/grub-core/disk/luks2.c
> > @@ -39,6 +39,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
> > enum grub_luks2_kdf_type
> > {
> > LUKS2_KDF_TYPE_ARGON2I,
> > + LUKS2_KDF_TYPE_ARGON2ID,
> > LUKS2_KDF_TYPE_PBKDF2
> > };
> > typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t;
> > @@ -159,7 +160,7 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> > grub_json_t *keyslot)
> > grub_json_getstring (&type, &kdf, "type") ||
> > grub_json_getstring (&out->kdf.salt, &kdf, "salt"))
> > return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF");
> > - else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type,
> > "argon2id"))
> > + else if (!grub_strcmp (type, "argon2i"))
> > {
> > out->kdf.type = LUKS2_KDF_TYPE_ARGON2I;
> > if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> > @@ -167,6 +168,14 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const
> > grub_json_t *keyslot)
> > grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> > return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i
> > parameters");
> > }
> > + else if (!grub_strcmp (type, "argon2id"))
> > + {
> > + out->kdf.type = LUKS2_KDF_TYPE_ARGON2ID;
> > + if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") ||
> > + grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory")
> > ||
> > + grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus"))
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2id
> > parameters");
> >
>
> I know that you copied from above but error messages should start with
> lowercase.
>
Will fix it in v3.
Thanks,
Gary Lin
> + }
> > else if (!grub_strcmp (type, "pbkdf2"))
> > {
> > out->kdf.type = LUKS2_KDF_TYPE_PBKDF2;
> > @@ -444,6 +453,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> > grub_uint8_t salt[GRUB_CRYPTODISK_MAX_KEYLEN];
> > grub_uint8_t *split_key = NULL;
> > idx_t saltlen = sizeof (salt);
> > + int subalgo;
> > + unsigned long param[4];
> > char cipher[32], *p;
> > const gcry_md_spec_t *hash;
> > gcry_err_code_t gcry_ret;
> > @@ -460,8 +471,29 @@ luks2_decrypt_key (grub_uint8_t *out_key,
> > switch (k->kdf.type)
> > {
> > case LUKS2_KDF_TYPE_ARGON2I:
> > - ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported");
> > - goto err;
> > + case LUKS2_KDF_TYPE_ARGON2ID:
> > + if (k->kdf.type == LUKS2_KDF_TYPE_ARGON2I)
> > + subalgo = GRUB_GCRY_KDF_ARGON2I;
> > + else
> > + subalgo = GRUB_GCRY_KDF_ARGON2ID;
> > +
> > + param[0] = k->area.key_size;
> > + param[1] = k->kdf.u.argon2i.time;
> > + param[2] = k->kdf.u.argon2i.memory;
> > + param[3] = k->kdf.u.argon2i.cpus;
> > +
> > + gcry_ret = grub_crypto_argon2 (subalgo, param, 4,
> > + passphrase, passphraselen,
> > + salt, saltlen,
> > + NULL, 0, NULL, 0,
> > + k->area.key_size, area_key);
> > + if (gcry_ret)
> > + {
> > + ret = grub_crypto_gcry_error (gcry_ret);
> > + goto err;
> > + }
> > +
> > + break;
> > case LUKS2_KDF_TYPE_PBKDF2:
> > hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash);
> > if (!hash)
> > --
> > 2.43.0
> >
> >
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
