[PATCH] Warn if MBR gap is small and user uses advanced modules
Daniel, do you want to adjust the whitelist? We don't want to support small MBR gap in pair with anything but the simplest config of biosdisk+part_msdos+simple filesystem. In this path "simple filesystems" are all current filesystems except zfs and btrfs --- grub-core/partmap/gpt.c | 9 - grub-core/partmap/msdos.c | 7 ++- include/grub/partition.h| 3 ++- include/grub/util/install.h | 7 +-- util/grub-install-common.c | 24 util/grub-install.c | 10 +++--- util/grub-setup.c | 2 +- util/setup.c| 5 +++-- 8 files changed, 56 insertions(+), 11 deletions(-) diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c index 103f6796f..25a5a1934 100644 --- a/grub-core/partmap/gpt.c +++ b/grub-core/partmap/gpt.c @@ -25,6 +25,9 @@ #include #include #include +#ifdef GRUB_UTIL +#include +#endif GRUB_MOD_LICENSE ("GPLv3+"); @@ -169,7 +172,8 @@ static grub_err_t gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, unsigned int max_nsectors, grub_embed_type_t embed_type, - grub_disk_addr_t **sectors) + grub_disk_addr_t **sectors, + int warn_short) { struct gpt_partition_map_embed_ctx ctx = { .start = 0, @@ -191,6 +195,9 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, N_("this GPT partition label contains no BIOS Boot Partition;" " embedding won't be possible")); + if (ctx.len < 450) { +grub_util_warn("Your BIOS Boot Partition is under 1 MiB, please increase its size."); + } if (ctx.len < *nsectors) return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("your BIOS Boot Partition is too small;" diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c index 7b8e45076..402bce050 100644 --- a/grub-core/partmap/msdos.c +++ b/grub-core/partmap/msdos.c 
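Review bot: The new check in gpt_partition_map_embed, `if (ctx.len < 450)`, never consults the `warn_short` argument that the previous hunk adds to the signature, so the GPT path warns regardless of what the caller asked for, while the msdos.c counterpart does test it. If that is deliberate it deserves a comment saying so; otherwise the condition should read `if (ctx.len < 450 && warn_short)`. The message says "under 1 MiB", but 450 is roughly 225 KiB if `ctx.len` counts 512-byte sectors, as its comparison with `*nsectors` suggests, so either the number or the wording is off. The literal 450 is repeated in the msdos.c hunk and would be safer as one named constant in a shared header. The string is also not marked for translation, unlike the neighbouring `N_()` messages.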
@@ -236,7 +236,8 @@ static grub_err_t pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, unsigned int max_nsectors, grub_embed_type_t embed_type, - grub_disk_addr_t **sectors) + grub_disk_addr_t **sectors, + int warn_short) { grub_disk_addr_t end = ~0ULL; struct grub_msdos_partition_mbr mbr; @@ -390,6 +391,10 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, return GRUB_ERR_NONE; } + if (end < 450 && warn_short) { +grub_util_warn("You have a short MBR gap and use advanced config. Please increase post-MBR gap"); + } + if (end <= 1) return grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("this msdos-style partition label has no " diff --git a/include/grub/partition.h b/include/grub/partition.h index 7adb7ec6e..5697e28d5 100644 --- a/include/grub/partition.h +++ b/include/grub/partition.h @@ -55,7 +55,8 @@ struct grub_partition_map grub_err_t (*embed) (struct grub_disk *disk, unsigned int *nsectors, unsigned int max_nsectors, grub_embed_type_t embed_type, -grub_disk_addr_t **sectors); +grub_disk_addr_t **sectors, +int warn_short); #endif }; typedef struct grub_partition_map *grub_partition_map_t; diff --git a/include/grub/util/install.h b/include/grub/util/install.h index 2631b1074..982115f57 100644 --- a/include/grub/util/install.h +++ b/include/grub/util/install.h @@ -193,13 +193,13 @@ grub_util_bios_setup (const char *dir, const char *boot_file, const char *core_file, const char *dest, int force, int fs_probe, int allow_floppy, - int add_rs_codes); + int add_rs_codes, int warn_short_mbr_gap); void grub_util_sparc_setup (const char *dir, const char *boot_file, const char *core_file, const char *dest, int force, int fs_probe, int allow_floppy, -int add_rs_codes); +int add_rs_codes, int warn_short_mbr_gap); char * grub_install_get_image_targets_string (void); 
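Review bot: In pc_partition_map_embed the added `if (end < 450 && warn_short)` sits directly after a block that ends in `return GRUB_ERR_NONE;`, so it runs only on the path where that block did not return. If that block is the successful-embed path (its condition is outside the hunk), the warning is reached only when the function is about to fail with one of the errors that follow. The case the commit title describes, a short gap that still fits the image, would then never be warned about. Moving the check above that block would cover it. The function body starts and ends outside the hunk.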
@@ -265,4 +265,7 @@ grub_util_get_target_name (const struct grub_install_image_target_desc *t); extern char *grub_install_copy_buffer; #define GRUB_INSTALL_COPY_BUFFER_SIZE 1048576 +int +grub_install_is_short_mgrgap_supported(void); + #endif diff --git a/util/grub-install-common.c b/util/grub-install-common.c index ca0ac612a..e4cff2871 100644 --- a/util/grub-install-common.c +++ b/util/grub-install-common.c @@ -234,6 +234,30 @@ char *grub_install_source_directory = NULL; char *grub_install_locale_directory = NULL; char *grub_install_themes_directory = NULL; +int +grub_install_is_short_mgrgap_supported() +{ + int i, j; + static const char *whitelist[] = +{ + "part_msdos", "biosdisk", "affs", "afs", "bfs", "archelp", + "cpio", "cpio_be", "newc", "odc", "ext2", "fat", "exfat", + "f2fs", "fshelp", "hfs", "hfsplus", "hfspluscomp", + "iso9660", "jfs", "minix", "minix2", "minix3", "minix_be", + "minix2_be", "minix2_be", "nilfs2", "ntfs", "ntfscomp", + "reiserfs", "romfs", "sfs", "squash4", "tar", "udf", + "ufs1", "ufs1_be", "ufs2", "xfs" +}; + for (i = 0; i < modules.n
Re: [PATCH] Warn if MBR gap is small and user uses advanced modules
* On 3/10/20 1:23 PM, Vladimir 'phcoder' Serbinenko wrote: > [...] > diff --git a/include/grub/util/install.h b/include/grub/util/install.h > index 2631b1074..982115f57 100644 > --- a/include/grub/util/install.h > +++ b/include/grub/util/install.h > @@ -193,13 +193,13 @@ grub_util_bios_setup (const char *dir, > const char *boot_file, const char *core_file, > const char *dest, int force, > int fs_probe, int allow_floppy, > - int add_rs_codes); > + int add_rs_codes, int warn_short_mbr_gap); > void > grub_util_sparc_setup (const char *dir, > const char *boot_file, const char *core_file, > const char *dest, int force, > int fs_probe, int allow_floppy, > -int add_rs_codes); > +int add_rs_codes, int warn_short_mbr_gap); > > char * > grub_install_get_image_targets_string (void); > @@ -265,4 +265,7 @@ grub_util_get_target_name (const struct > grub_install_image_target_desc *t); > extern char *grub_install_copy_buffer; > #define GRUB_INSTALL_COPY_BUFFER_SIZE 1048576 > > +int > +grub_install_is_short_mgrgap_supported(void); Did you mean to use "grub_install_is_short_mbrgap_supported" instead here and in all the other places? Mihai signature.asc Description: OpenPGP digital signature ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v3 1/5] efi: Always try to allocate heap size of 1.6GB
By default, GRUB will allocate a quarter of the pages it got available in the EFI subsystem. On many current systems, this will amount to roughly 800MB of RAM assuming an address space of 32 bits. This is plenty for most use cases, but it doesn't suffice when using full disk encryption with a key derival function based on Argon2. Besides the usual iteration count known from PBKDF2, Argon2 introduces two additional parameters "memory" and "parallelism". While the latter doesn't really matter to us, the memory parameter is quite interesting. If encrypting a partition with LUKS2 using Argon2 as KDF, then cryptsetup will default to a memory parameter of 1GB. Meaning we need to allocate a buffer of 1GB in size in order to be able to derive the key, which definitely won't squeeze into the limit of 800MB. To prepare for Argon2, this commit reworks the memory allocation algorithm for EFI platforms. Instead of trying to allocate a quarter of memory available, let's instead introduce a constant target amount of bytes that we try to allocate. The target is set to the previous value of MAX_HEAP_SIZE, which amounts to 1.6GB and thus sufficiently high to accomodate for both Argon2 as well as other functionality. The value is then clamped to at most half of available memory but at least 100MB. Signed-off-by: Patrick Steinhardt --- grub-core/kern/efi/mm.c | 21 +++-- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c index b02fab1b1..367a726c6 100644 --- a/grub-core/kern/efi/mm.c +++ b/grub-core/kern/efi/mm.c @@ -39,8 +39,8 @@ #define MEMORY_MAP_SIZE0x3000 /* The minimum and maximum heap size for GRUB itself. */ -#define MIN_HEAP_SIZE 0x10 -#define MAX_HEAP_SIZE (1600 * 0x10) +#define MIN_HEAP_PAGES BYTES_TO_PAGES( 0x10) +#define TARGET_HEAP_PAGES BYTES_TO_PAGES(1600 * 0x10) static void *finish_mmap_buf = 0; static grub_efi_uintn_t finish_mmap_size = 0; 
@@ -559,7 +559,7 @@ grub_efi_mm_init (void) grub_efi_uintn_t map_size; grub_efi_uintn_t desc_size; grub_efi_uint64_t total_pages; - grub_efi_uint64_t required_pages; + grub_efi_uint64_t target_heap_pages; int mm_status; /* Prepare a memory region to store two memory maps. */ @@ -599,14 +599,15 @@ grub_efi_mm_init (void) filtered_memory_map_end = filter_memory_map (memory_map, filtered_memory_map, desc_size, memory_map_end); - /* By default, request a quarter of the available memory. */ + /* By default, request TARGET_HEAP_PAGES pages. If that exceeds half of meory + * available, clamp it, but request at least MIN_HEAP_PAGES. */ total_pages = get_total_pages (filtered_memory_map, desc_size, filtered_memory_map_end); - required_pages = (total_pages >> 2); - if (required_pages < BYTES_TO_PAGES (MIN_HEAP_SIZE)) -required_pages = BYTES_TO_PAGES (MIN_HEAP_SIZE); - else if (required_pages > BYTES_TO_PAGES (MAX_HEAP_SIZE)) -required_pages = BYTES_TO_PAGES (MAX_HEAP_SIZE); + target_heap_pages = TARGET_HEAP_PAGES; + if (target_heap_pages > (total_pages / 2)) +target_heap_pages = total_pages / 2; + if (target_heap_pages < MIN_HEAP_PAGES) +target_heap_pages = MIN_HEAP_PAGES; /* Sort the filtered descriptors, so that GRUB can allocate pages from smaller regions. */ @@ -614,7 +615,7 @@ grub_efi_mm_init (void) /* Allocate memory regions for GRUB's memory management. */ add_memory_regions (filtered_memory_map, desc_size, - filtered_memory_map_end, required_pages); + filtered_memory_map_end, target_heap_pages); #if 0 /* For debug. */ -- 2.25.1 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
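Review bot: With the new clamp in grub_efi_mm_init, every EFI boot asks add_memory_regions for up to half of the filtered memory map (capped at TARGET_HEAP_PAGES), whether or not an Argon2 keyslot is ever opened. What that leaves for later firmware page allocations is not visible in these hunks, so the behaviour on small-memory machines is worth confirming before this becomes the default. When `total_pages / 2` is below `MIN_HEAP_PAGES` the floor wins and the request exceeds the half-of-memory limit; the comment does say so, but it has a typo and would read better as `/* By default, request TARGET_HEAP_PAGES pages. If that exceeds half of the memory available, clamp it, but request at least MIN_HEAP_PAGES. */`.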
[PATCH v3 2/5] types.h: add UINT-related macros needed for Argon2
For the upcoming import of the Argon2 library, we need the macros GRUB_UINT32_MAX, GRUB_UINT32_C and GRUB_UINT64_C. Add them as a preparatory step. Signed-off-by: Patrick Steinhardt --- include/grub/types.h | 8 1 file changed, 8 insertions(+) diff --git a/include/grub/types.h b/include/grub/types.h index 035a4b528..1e1463bea 100644 --- a/include/grub/types.h +++ b/include/grub/types.h @@ -137,6 +137,7 @@ typedef grub_int32_tgrub_ssize_t; #define GRUB_SHRT_MAX 0x7fff #define GRUB_SHRT_MIN (-GRUB_SHRT_MAX - 1) #define GRUB_UINT_MAX 4294967295U +#define GRUB_UINT32_MAX 4294967295U #define GRUB_INT_MAX 0x7fff #define GRUB_INT_MIN (-GRUB_INT_MAX - 1) #define GRUB_INT32_MAX 2147483647 @@ -151,6 +152,13 @@ typedef grub_int32_t grub_ssize_t; #endif # define GRUB_LONG_MIN (-GRUB_LONG_MAX - 1) +#define GRUB_UINT32_C(x) x ## U +#if GRUB_ULONG_MAX >> 31 >> 31 >> 1 == 1 +# define GRUB_UINT64_C(x) x##UL +#else +# define GRUB_UINT64_C(x) x##ULL +#endif + typedef grub_uint64_t grub_properly_aligned_t; #define GRUB_PROPERLY_ALIGNED_ARRAY(name, size) grub_properly_aligned_t name[((size) + sizeof (grub_properly_aligned_t) - 1) / sizeof (grub_properly_aligned_t)] -- 2.25.1 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
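Review bot: The test `#if GRUB_ULONG_MAX >> 31 >> 31 >> 1 == 1` in the second hunk is not self-explanatory and carries no comment. A line such as `/* True when unsigned long is exactly 64 bits wide. */` above it would save the next reader the arithmetic. `GRUB_UINT32_C` appends `U`, which yields a 32-bit constant only where `unsigned int` is 32 bits. The first hunk's context (`GRUB_UINT_MAX 4294967295U`) shows the header already assumes that, and a short comment stating the assumption next to the macro would make it explicit.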
[PATCH v3 0/5] Support Argon2 KDF in LUKS2
Hi, this is the third version of my patchset to support the Argon2 KDF in LUKS2. The following things have changed in comparison to v2: - Improved the GRUB_UINT_C macros to not use `elif 1` and fixed indentation. - Dropped the upstreamed patch to fix a missing newline. - Reworked how we allocate memory on EFI. Previously, we always targeted to acquire 1/4 of available memory. Now we're always trying to allocate MAX_HEAP_SIZE (1.6GB) but clamp it to at most 1/2 of available memory and at least MIN_HEAP_SIZE (100MB). So especially the last part is the interesting one. I _think_ that it's roughly what Leif had in mind, but please do correct me if I'm wrong. Regards Patrick Patrick Steinhardt (5): efi: Always try to allocate heap size of 1.6GB types.h: add UINT-related macros needed for Argon2 argon2: Import Argon2 from cryptsetup luks2: Discern Argon2i and Argon2id luks2: Support key derival via Argon2 Makefile.util.def | 6 +- docs/grub-dev.texi| 64 +++ grub-core/Makefile.core.def | 10 +- grub-core/disk/luks2.c| 26 +- grub-core/kern/efi/mm.c | 21 +- grub-core/lib/argon2/argon2.c | 232 grub-core/lib/argon2/argon2.h | 264 + grub-core/lib/argon2/blake2/blake2-impl.h | 151 + grub-core/lib/argon2/blake2/blake2.h | 89 +++ grub-core/lib/argon2/blake2/blake2b.c | 388 + .../lib/argon2/blake2/blamka-round-ref.h | 56 ++ grub-core/lib/argon2/core.c | 525 ++ grub-core/lib/argon2/core.h | 228 grub-core/lib/argon2/ref.c| 190 +++ include/grub/types.h | 8 + 15 files changed, 2239 insertions(+), 19 deletions(-) create mode 100644 grub-core/lib/argon2/argon2.c create mode 100644 grub-core/lib/argon2/argon2.h create mode 100644 grub-core/lib/argon2/blake2/blake2-impl.h create mode 100644 grub-core/lib/argon2/blake2/blake2.h create mode 100644 grub-core/lib/argon2/blake2/blake2b.c create mode 100644 grub-core/lib/argon2/blake2/blamka-round-ref.h create mode 100644 grub-core/lib/argon2/core.c create mode 100644 grub-core/lib/argon2/core.h create mode 100644 grub-core/lib/argon2/ref.c 
Range-diff against v2: 1: 15bdf830e < -: - efi: Allocate half of available memory by default -: - > 1: c783f34d7 efi: Always try to allocate heap size of 1.6GB 2: e81db7d95 ! 2: 724713a8b types.h: add UINT-related macros needed for Argon2 @@ include/grub/types.h: typedef grub_int32_t grub_ssize_t; #endif # define GRUB_LONG_MIN (-GRUB_LONG_MAX - 1) -+# define GRUB_UINT32_C(x) x ## U -+# if GRUB_ULONG_MAX >> 31 >> 31 >> 1 == 1 -+# define GRUB_UINT64_C(x) x##UL -+# elif 1 -+# define GRUB_UINT64_C(x) x##ULL -+# endif ++#define GRUB_UINT32_C(x) x ## U ++#if GRUB_ULONG_MAX >> 31 >> 31 >> 1 == 1 ++# define GRUB_UINT64_C(x) x##UL ++#else ++# define GRUB_UINT64_C(x) x##ULL ++#endif + typedef grub_uint64_t grub_properly_aligned_t; 3: 50aff9670 ! 3: eadc4bcd8 argon2: Import Argon2 from cryptsetup @@ docs/grub-dev.texi: GRUB includes some code from other projects, and it is somet +* Argon2:: * Gnulib:: * jsmn:: + * minilzo:: @end menu +@node Argon2 4: af3f85665 < -: - luks2: Add missing newline to debug message 5: 89abe827b ! 4: 61bc6c0e5 luks2: Discern Argon2i and Argon2id @@ Commit message accordingly. Signed-off-by: Patrick Steinhardt +Reviewed-by: Daniel Kiper ## grub-core/disk/luks2.c ## @@ grub-core/disk/luks2.c: GRUB_MOD_LICENSE ("GPLv3+"); 6: 70a354e0b ! 5: 012e3d442 luks2: Support key derival via Argon2 @@ Commit message now trivial. Signed-off-by: Patrick Steinhardt +Reviewed-by: Daniel Kiper ## Makefile.util.def ## @@ Makefile.util.def: AutoGen definitions Makefile.tpl; -- 2.25.1 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v3 4/5] luks2: Discern Argon2i and Argon2id
While GRUB is already able to parse both Argon2i and Argon2id parameters from the LUKS2 header, it doesn't discern both types. This commit introduces a new KDF type for Argon2id and sets up the parsed KDF's type accordingly. Signed-off-by: Patrick Steinhardt Reviewed-by: Daniel Kiper --- grub-core/disk/luks2.c | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c index 65c4f0aac..767631198 100644 --- a/grub-core/disk/luks2.c +++ b/grub-core/disk/luks2.c @@ -40,6 +40,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); enum grub_luks2_kdf_type { LUKS2_KDF_TYPE_ARGON2I, + LUKS2_KDF_TYPE_ARGON2ID, LUKS2_KDF_TYPE_PBKDF2 }; typedef enum grub_luks2_kdf_type grub_luks2_kdf_type_t; @@ -90,7 +91,7 @@ struct grub_luks2_keyslot grub_int64_t time; grub_int64_t memory; grub_int64_t cpus; - } argon2i; + } argon2; struct { const char *hash; @@ -158,10 +159,11 @@ luks2_parse_keyslot (grub_luks2_keyslot_t *out, const grub_json_t *keyslot) return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing or invalid KDF"); else if (!grub_strcmp (type, "argon2i") || !grub_strcmp (type, "argon2id")) { - out->kdf.type = LUKS2_KDF_TYPE_ARGON2I; - if (grub_json_getint64 (&out->kdf.u.argon2i.time, &kdf, "time") || - grub_json_getint64 (&out->kdf.u.argon2i.memory, &kdf, "memory") || - grub_json_getint64 (&out->kdf.u.argon2i.cpus, &kdf, "cpus")) + out->kdf.type = !grub_strcmp (type, "argon2i") + ? LUKS2_KDF_TYPE_ARGON2I : LUKS2_KDF_TYPE_ARGON2ID; + if (grub_json_getint64 (&out->kdf.u.argon2.time, &kdf, "time") || + grub_json_getint64 (&out->kdf.u.argon2.memory, &kdf, "memory") || + grub_json_getint64 (&out->kdf.u.argon2.cpus, &kdf, "cpus")) return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing Argon2i parameters"); } else if (!grub_strcmp (type, "pbkdf2")) 
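Review bot: In luks2_parse_keyslot the three Argon2 cost values are read from the on-disk JSON header with `grub_json_getint64` into `grub_int64_t` fields and accepted as long as the key exists; nothing rejects negative or oversized values. These numbers come from disk metadata and later determine how much memory and time key derivation takes, so the parser is the natural place to bound them. For example, `if (out->kdf.u.argon2.memory <= 0 || out->kdf.u.argon2.memory > GRUB_UINT32_MAX) return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid Argon2 parameters");`, with the same check for `time` and `cpus`. The consumer is outside this patch, so the exact upper bound should be taken from its prototype. The retained error string "Missing Argon2i parameters" is now also returned for argon2id and could become "Missing Argon2 parameters".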
@@ -432,6 +434,7 @@ luks2_decrypt_key (grub_uint8_t *out_key, switch (k->kdf.type) { case LUKS2_KDF_TYPE_ARGON2I: + case LUKS2_KDF_TYPE_ARGON2ID: ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported"); goto err; case LUKS2_KDF_TYPE_PBKDF2: -- 2.25.1 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v3 3/5] argon2: Import Argon2 from cryptsetup
In order to support the Argon2 key derival function for LUKS2, we obviously need to implement Argon2. It doesn't make a lot of sense to hand-code any crypto, which is why this commit instead imports Argon2 from the cryptsetup project. This commit thus imports the code from the official reference implementation located at [1]. The code is licensed under CC0 1.0 Universal/Apache 2.0. Given that both LGPLv2.1+ and Apache 2.0 are compatible with GPLv3, it should be fine to import that code. The code is imported from commit 62358ba (Merge pull request #270 from bitmark-property-system/master, 2019-05-20). To make it work for GRUB, several adjustments were required that have beed documented in "grub-dev.texi". [1]: https://github.com/P-H-C/phc-winner-argon2 Signed-off-by: Patrick Steinhardt --- docs/grub-dev.texi| 64 +++ grub-core/Makefile.core.def | 8 + grub-core/lib/argon2/argon2.c | 232 grub-core/lib/argon2/argon2.h | 264 + grub-core/lib/argon2/blake2/blake2-impl.h | 151 + grub-core/lib/argon2/blake2/blake2.h | 89 +++ grub-core/lib/argon2/blake2/blake2b.c | 388 + .../lib/argon2/blake2/blamka-round-ref.h | 56 ++ grub-core/lib/argon2/core.c | 525 ++ grub-core/lib/argon2/core.h | 228 grub-core/lib/argon2/ref.c| 190 +++ 11 files changed, 2195 insertions(+) create mode 100644 grub-core/lib/argon2/argon2.c create mode 100644 grub-core/lib/argon2/argon2.h create mode 100644 grub-core/lib/argon2/blake2/blake2-impl.h create mode 100644 grub-core/lib/argon2/blake2/blake2.h create mode 100644 grub-core/lib/argon2/blake2/blake2b.c create mode 100644 grub-core/lib/argon2/blake2/blamka-round-ref.h create mode 100644 grub-core/lib/argon2/core.c create mode 100644 grub-core/lib/argon2/core.h create mode 100644 grub-core/lib/argon2/ref.c diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi index 837873094..4af07f11a 100644 --- a/docs/grub-dev.texi +++ b/docs/grub-dev.texi 
@@ -489,11 +489,75 @@ GRUB includes some code from other projects, and it is sometimes necessary to update it. @menu +* Argon2:: * Gnulib:: * jsmn:: * minilzo:: @end menu +@node Argon2 +@section Argon2 + +Argon2 is a key derivation function used by LUKS2 in order to derive encryption +keys from a user-provided password. GRUB imports the official reference +implementation of Argon2 from @url{https://github.com/P-H-C/phc-winner-argon2}. +In order to make the library usable for GRUB, we need to perform various +conversions. This is mainly due to the fact that the imported code makes use of +types and functions defined in the C standard library, which isn't available. +Furthermore, using the POSIX wrapper library is not possible as the code needs +to be part of the kernel. + +Updating the code can thus be performed like following: + +@example +$ git clone https://github.com/P-H-C/phc-winner-argon2 argon2 +$ cp argon2/include/argon2.h argon2/src/@{argon2.c,core.c,core.h,ref.c@} \ +grub-core/lib/argon2/ +$ cp argon2/src/blake2/@{blake2-impl.h,blake2.h,blake2b.c,blamka-round-ref.h@} \ +grub-core/lib/argon2/blake2/ +$ sed -e 's/UINT32_C/GRUB_UINT32_C/g' \ + -e 's/UINT64_C/GRUB_UINT64_C/g' \ + -e 's/UINT32_MAX/GRUB_UINT32_MAX/g' \ + -e 's/CHAR_BIT/GRUB_CHAR_BIT/g' \ + -e 's/UINT_MAX/GRUB_UINT_MAX/g' \ + -e 's/uintptr_t/grub_addr_t/g' \ + -e 's/size_t/grub_size_t/g' \ + -e 's/uint32_t/grub_uint32_t/g' \ + -e 's/uint64_t/grub_uint64_t/g' \ + -e 's/uint8_t/grub_uint8_t/g' \ + -e 's/memset/grub_memset/g' \ + -e 's/memcpy/grub_memcpy/g' \ + -e 's/malloc/grub_malloc/g' \ + -e 's/free/grub_free/g' \ + -e 's/#elif _MSC_VER/#elif defined(_MSC_VER)/' \ + grub-core/lib/argon2/@{*,blake2/*@}.@{c,h@} -i +@end example + +Afterwards, you need to perform the following manual steps: + +@enumerate +@item Remove all includes of standard library headers, "encoding.h" and + "thread.h". +@item Add includes and to "argon2.h". +@item Add include and module license declaration to "argon2.c". 
+@item Remove the following declarations and functions from "argon2.h" and + "argon2.c": argon2_type2string, argon2i_hash_encoded, argon2i_hash_raw, + argon2d_hash_encoded, argon2d_hash_raw, argon2id_hash_encoded, + argon2id_hash_raw, argon2_compare, argon2_verify, argon2i_verify, + argon2d_verify, argon2id_verify, argon2d_ctx, argon2i_ctx, argon2id_ctx, + argon2_verify_ctx, argon2d_verify_ctx, argon2i_verify_ctx, + argon2id_verify_ctx, argon2_encodedlen. +@item Move the declaration of `clear_internal_memory()` in "blake2-impl.h" to + "blake2b.c". +@item Remove code guarded by the ARGON2_NO_THREADS macro. +@item Remove parameters `encoded` and `encodedlen` from `argon2_hash` and remove + the encoding block in that functi
[PATCH v3 5/5] luks2: Support key derival via Argon2
One addition with LUKS2 was support of the key derival function Argon2 in addition to the previously supported PBKDF2 algortihm. In order to ease getting in initial support for LUKS2, we only reused infrastructure to support LUKS2 with PBKDF2, but left out Argon2. This commit now introduces support for Argon2 to enable decryption of LUKS2 partitions using this key derival function. As the code for Argon2 has been added in a previous commit in this series, adding support is now trivial. Signed-off-by: Patrick Steinhardt Reviewed-by: Daniel Kiper --- Makefile.util.def | 6 +- grub-core/Makefile.core.def | 2 +- grub-core/disk/luks2.c | 13 +++-- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/Makefile.util.def b/Makefile.util.def index 1e0799a68..f07cf9deb 100644 --- a/Makefile.util.def +++ b/Makefile.util.def @@ -3,7 +3,7 @@ AutoGen definitions Makefile.tpl; library = { name = libgrubkern.a; cflags = '$(CFLAGS_GNULIB)'; - cppflags = '$(CPPFLAGS_GNULIB) -I$(srcdir)/grub-core/lib/json'; + cppflags = '$(CPPFLAGS_GNULIB) -I$(srcdir)/grub-core/lib/json -I$(srcdir)/grub-core/lib/argon2'; common = util/misc.c; common = grub-core/kern/command.c; @@ -36,6 +36,10 @@ library = { common = grub-core/kern/misc.c; common = grub-core/kern/partition.c; common = grub-core/lib/crypto.c; + common = grub-core/lib/argon2/argon2.c; + common = grub-core/lib/argon2/core.c; + common = grub-core/lib/argon2/ref.c; + common = grub-core/lib/argon2/blake2/blake2b.c; common = grub-core/lib/json/json.c; common = grub-core/disk/luks.c; common = grub-core/disk/luks2.c; diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def index 30147a899..9e4c89791 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def 
@@ -1204,7 +1204,7 @@ module = { common = disk/luks2.c; common = lib/gnulib/base64.c; cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)'; - cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/json'; + cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/json -I$(srcdir)/lib/argon2'; }; module = { diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c index 767631198..3c79f14aa 100644 --- a/grub-core/disk/luks2.c +++ b/grub-core/disk/luks2.c @@ -27,6 +27,7 @@ #include #include +#include #include #include @@ -435,8 +436,16 @@ luks2_decrypt_key (grub_uint8_t *out_key, { case LUKS2_KDF_TYPE_ARGON2I: case LUKS2_KDF_TYPE_ARGON2ID: - ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 not supported"); - goto err; + ret = argon2_hash (k->kdf.u.argon2.time, k->kdf.u.argon2.memory, k->kdf.u.argon2.cpus, + passphrase, passphraselen, salt, saltlen, area_key, k->area.key_size, + k->kdf.type == LUKS2_KDF_TYPE_ARGON2I ? Argon2_i : Argon2_id, + ARGON2_VERSION_NUMBER); +if (ret) + { + grub_dprintf ("luks2", "Argon2 failed: %s\n", argon2_error_message (ret)); + goto err; + } +break; case LUKS2_KDF_TYPE_PBKDF2: hash = grub_crypto_lookup_md_by_name (k->kdf.u.pbkdf2.hash); if (!hash) -- 2.25.1 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
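Review bot: In the luks2_decrypt_key hunk, `ret` used to receive a grub_err_t from grub_error() and now receives the raw return value of argon2_hash(), which belongs to a different error-code space (the code passes it to argon2_error_message()). On failure the reason is only written through `grub_dprintf`, so unless "luks2" debugging is enabled the user sees no message, and no GRUB error is recorded before `goto err`. What the `err` label does with `ret` is outside the hunk. Converting at the failure site keeps the two code spaces apart and reports the cause: `ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "Argon2 failed: %s", argon2_error_message (ret));`.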
Re: [PATCH v3 3/5] argon2: Import Argon2 from cryptsetup
On 3/10/20 2:58 PM, Patrick Steinhardt wrote: > In order to support the Argon2 key derival function for LUKS2, we > obviously need to implement Argon2. It doesn't make a lot of sense to > hand-code any crypto, which is why this commit instead imports Argon2 > from the cryptsetup project. This commit thus imports the code from the > official reference implementation located at [1]. Which one is it? :p Perhaps, "which is why this commit instead imports the Argon2 implementation used by the cryptsetup project, that is, the official reference implementation located at [1]." > The code is licensed > under CC0 1.0 Universal/Apache 2.0. Given that both LGPLv2.1+ and Apache > 2.0 are compatible with GPLv3, it should be fine to import that code. > > The code is imported from commit 62358ba (Merge pull request #270 from > bitmark-property-system/master, 2019-05-20). To make it work for GRUB, > several adjustments were required that have beed documented in > "grub-dev.texi". typo: "beed" -> "been" > [1]: https://github.com/P-H-C/phc-winner-argon2 
> > Signed-off-by: Patrick Steinhardt > --- > docs/grub-dev.texi| 64 +++ > grub-core/Makefile.core.def | 8 + > grub-core/lib/argon2/argon2.c | 232 > grub-core/lib/argon2/argon2.h | 264 + > grub-core/lib/argon2/blake2/blake2-impl.h | 151 + > grub-core/lib/argon2/blake2/blake2.h | 89 +++ > grub-core/lib/argon2/blake2/blake2b.c | 388 + > .../lib/argon2/blake2/blamka-round-ref.h | 56 ++ > grub-core/lib/argon2/core.c | 525 ++ > grub-core/lib/argon2/core.h | 228 > grub-core/lib/argon2/ref.c| 190 +++ > 11 files changed, 2195 insertions(+) > create mode 100644 grub-core/lib/argon2/argon2.c > create mode 100644 grub-core/lib/argon2/argon2.h > create mode 100644 grub-core/lib/argon2/blake2/blake2-impl.h > create mode 100644 grub-core/lib/argon2/blake2/blake2.h > create mode 100644 grub-core/lib/argon2/blake2/blake2b.c > create mode 100644 grub-core/lib/argon2/blake2/blamka-round-ref.h > create mode 100644 grub-core/lib/argon2/core.c > create mode 100644 grub-core/lib/argon2/core.h > create mode 100644 grub-core/lib/argon2/ref.c > > diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi > index 837873094..4af07f11a 100644 > --- a/docs/grub-dev.texi > +++ b/docs/grub-dev.texi 
> @@ -489,11 +489,75 @@ GRUB includes some code from other projects, and it is > sometimes necessary > to update it. > > @menu > +* Argon2:: > * Gnulib:: > * jsmn:: > * minilzo:: > @end menu > > +@node Argon2 > +@section Argon2 > + > +Argon2 is a key derivation function used by LUKS2 in order to derive > encryption > +keys from a user-provided password. GRUB imports the official reference > +implementation of Argon2 from > @url{https://github.com/P-H-C/phc-winner-argon2}. > +In order to make the library usable for GRUB, we need to perform various > +conversions. This is mainly due to the fact that the imported code makes use > of > +types and functions defined in the C standard library, which isn't available. > +Furthermore, using the POSIX wrapper library is not possible as the code > needs > +to be part of the kernel. > + > +Updating the code can thus be performed like following: > + > +@example > +$ git clone https://github.com/P-H-C/phc-winner-argon2 argon2 > +$ cp argon2/include/argon2.h argon2/src/@{argon2.c,core.c,core.h,ref.c@} \ > +grub-core/lib/argon2/ > +$ cp > argon2/src/blake2/@{blake2-impl.h,blake2.h,blake2b.c,blamka-round-ref.h@} \ > +grub-core/lib/argon2/blake2/ > +$ sed -e 's/UINT32_C/GRUB_UINT32_C/g' \ > + -e 's/UINT64_C/GRUB_UINT64_C/g' \ > + -e 's/UINT32_MAX/GRUB_UINT32_MAX/g' \ > + -e 's/CHAR_BIT/GRUB_CHAR_BIT/g' \ > + -e 's/UINT_MAX/GRUB_UINT_MAX/g' \ > + -e 's/uintptr_t/grub_addr_t/g' \ > + -e 's/size_t/grub_size_t/g' \ > + -e 's/uint32_t/grub_uint32_t/g' \ > + -e 's/uint64_t/grub_uint64_t/g' \ > + -e 's/uint8_t/grub_uint8_t/g' \ > + -e 's/memset/grub_memset/g' \ > + -e 's/memcpy/grub_memcpy/g' \ > + -e 's/malloc/grub_malloc/g' \ > + -e 's/free/grub_free/g' \ > + -e 's/#elif _MSC_VER/#elif defined(_MSC_VER)/' \ > + grub-core/lib/argon2/@{*,blake2/*@}.@{c,h@} -i > +@end example > + > +Afterwards, you need to perform the following manual steps: > + > +@enumerate > +@item Remove all includes of standard library headers, "encoding.h" and > + 
"thread.h". > +@item Add includes and to "argon2.h". > +@item Add include and module license declaration to "argon2.c". > +@item Remove the following declarations and functions from "argon2.h" and > + "argon2.c": argon2_type2string, argon2i_hash_encoded, argon2i_hash_raw, > + argon2d_hash_encoded, argon2d_hash_raw, argon2id_hash_encoded, > + argon2id_hash_raw, argon2_compare, argon2_verify,
Re: [PATCH v3 3/5] argon2: Import Argon2 from cryptsetup
On Tue, Mar 10, 2020 at 04:44:11PM -0400, Eli Schwartz wrote: > On 3/10/20 2:58 PM, Patrick Steinhardt wrote: > > In order to support the Argon2 key derival function for LUKS2, we > > obviously need to implement Argon2. It doesn't make a lot of sense to > > hand-code any crypto, which is why this commit instead imports Argon2 > > from the cryptsetup project. This commit thus imports the code from the > > official reference implementation located at [1]. > > Which one is it? :p > > Perhaps, "which is why this commit instead imports the Argon2 > implementation used by the cryptsetup project, that is, the official > reference implementation located at [1]." Oops, yes. This is an artifact caused by switching implementations from cryptsetup to the reference implementation midway through. Thanks for pointing out, will fix! > > > The code is licensed > > under CC0 1.0 Universal/Apache 2.0. Given that both LGPLv2.1+ and Apache > > 2.0 are compatible with GPLv3, it should be fine to import that code. > > > > The code is imported from commit 62358ba (Merge pull request #270 from > > bitmark-property-system/master, 2019-05-20). To make it work for GRUB, > > several adjustments were required that have beed documented in > > "grub-dev.texi". > > typo: > > "beed" -> "been" Ditto. Patrick signature.asc Description: PGP signature ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel