Re: grub-mkimage ignores compression option
Documentation states that it works only on some platforms. Currently only on MIPS. i386-pc always uses lzma Le mer. 15 juin 2022, 00:39, Eugene Bright via Grub-devel < grub-devel@gnu.org> a écrit : > Option --compression doesn't affect the core image size. > Does it work at all? > > Running it without compression `none` > > # grub-mkimage -v -O i386-pc -p /boot btrfs -C none | wc -c > > grub-mkimage: info: the total module size is 0x1a380. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/kernel.img. > > grub-mkimage: info: locating the section .text at 0x0. > > grub-mkimage: info: locating the section .rodata at 0x5d14. > > grub-mkimage: info: locating the section .data at 0x6f40. > > grub-mkimage: info: locating the section .module_license at 0x77c0. > > grub-mkimage: info: locating the section .bss at 0x77e0. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/crypto.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/gcry_crc.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/gzio.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/diskfilter.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/raid6rec.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/lzopio.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/zstd.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/btrfs.mod. > > grub-mkimage: info: kernel_img=0x7f5fb6bc1010, kernel_size=0x77cf. > > grub-mkimage: info: the core size is 0x10092. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/lzma_decompress.img. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/diskboot.img. > > grub-mkimage: info: writing 0x200 bytes. > > grub-mkimage: info: writing 0x10ba2 bytes. > > grub-mkimage: error: cannot sync `stdout': Invalid argument. > > 69026 > > Running it without compression `xz` > > # grub-mkimage -v -O i386-pc -p /boot btrfs -C xz | wc -c > > grub-mkimage: info: the total module size is 0x1a380. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/kernel.img. > > grub-mkimage: info: locating the section .text at 0x0. > > grub-mkimage: info: locating the section .rodata at 0x5d14. > > grub-mkimage: info: locating the section .data at 0x6f40. > > grub-mkimage: info: locating the section .module_license at 0x77c0. > > grub-mkimage: info: locating the section .bss at 0x77e0. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/crypto.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/gcry_crc.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/gzio.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/diskfilter.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/raid6rec.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/lzopio.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/zstd.mod. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/btrfs.mod. > > grub-mkimage: info: kernel_img=0x7f42a5b1d010, kernel_size=0x77cf. > > grub-mkimage: info: the core size is 0x10092. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/lzma_decompress.img. > > grub-mkimage: info: reading /usr/lib/grub/i386-pc/diskboot.img. > > grub-mkimage: info: writing 0x200 bytes. > > grub-mkimage: info: writing 0x10ba2 bytes. > > grub-mkimage: error: cannot sync `stdout': Invalid argument. > > 69026 > > Is it a problem or am I missing something? > > Compression could alleviate `core.img is unusually large. It > won't fit in the embedding area.` issue. > > https://lists.gnu.org/archive/html/grub-devel/2019-11/msg00057.html > > -- > Eugene Bright > Tel.: +380635426132 > > > ___ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel > ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH v3] grub-fs-tester: Add luks1 and luks2 support
Hi,
Am Mittwoch, 15. Juni 2022, 04:43:03 CEST schrieb Glenn Washburn:
> From: Pierre-Louis Bonicoli
>
> The logical sector size used by LUKS1 is 512 bytes and LUKS2 uses 512 to
> 4069 bytes. The deafualt password used is "pass", but can be overridden
> by setting the PASS environment variable. The device mapper name is set
> to the name of the temp directory so that its easy to corrolate device
> mapper name with a particular test run. Also since this name is unique
> per test run, multiple simultaneous test runs are allowed.
>
> Note that cryptsetup is passing the --disable-locks parameter to allow
> cryptsetup run successfully when /run/lock/cryptsetup is not accessible.
> Since the device mapper name is unique per test run, there is no need to
> worry about locking the device to serialize access.
>
> Signed-off-by: Pierre-Louis Bonicoli
> Signed-off-by: Glenn Washburn
> ---
> This is a heavily modified version of Pierre-Louis's v2 patch. It has been
> tested with Fabian's v3 and Josselin's v4 series. Some notable differences
> from the previous version:
> * Rebase on to master accounting for cleanup() changes
> * Allow multple tests runs to run simultaneously
> * Allow specifying alternate password with environment variable
> * Fixed bug in previous version where LC_ALL=C was being set for echo and
>not run_it
> * Make output on UUID fail consistent with other filesystems
> * Allow tests to work with older cryptsetups
> * Fixed bug where luks1 tests were actually testing luks2
> * Address my review comments
>
> Note: The luks2 test will fail without some form of working grub-probe
> support for luks2. This patch is independent of the above mentioned
> patch series, will apply without them just fine, and can be reviewed
> independently.
>
> Glenn
> ---
> .gitignore | 2 ++
> Makefile.util.def| 12
> tests/luks1_test.in | 23 +++
> tests/luks2_test.in | 23 +++
> tests/util/grub-fs-tester.in | 57 ++--
> 5 files changed, 115 insertions(+), 2 deletions(-)
> create mode 100644 tests/luks1_test.in
> create mode 100644 tests/luks2_test.in
>
> diff --git a/.gitignore b/.gitignore
> index f6a1bd051..4064d3d1e 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -230,6 +230,8 @@ widthspec.bin
> /lib/libgcrypt-grub
> /libgrub_a_init.c
> /lzocompress_test
> +/luks1_test
> +/luks2_test
> /m4/
> /minixfs_test
> /missing
> diff --git a/Makefile.util.def b/Makefile.util.def
> index d919c562c..3f1162b76 100644
> --- a/Makefile.util.def
> +++ b/Makefile.util.def
> @@ -1213,6 +1213,18 @@ script = {
>common = tests/syslinux_test.in;
> };
>
> +script = {
> + testcase = native;
> + name = luks1_test;
> + common = tests/luks1_test.in;
> +};
> +
> +script = {
> + testcase = native;
> + name = luks2_test;
> + common = tests/luks2_test.in;
> +};
> +
> program = {
>testcase = native;
>name = example_unit_test;
> diff --git a/tests/luks1_test.in b/tests/luks1_test.in
> new file mode 100644
> index 0..cd28fd714
> --- /dev/null
> +++ b/tests/luks1_test.in
> @@ -0,0 +1,23 @@
> +#!@BUILD_SHEBANG@
> +
> +set -e
> +
> +if [ "x$EUID" = "x" ] ; then
> + EUID=`id -u`
> +fi
> +
> +if [ "$EUID" != 0 ] ; then
> + exit 99
> +fi
> +
> +if ! which mkfs.ext2 >/dev/null 2>&1; then
> + echo "mkfs.ext2 not installed; cannot test luks."
> + exit 99
> +fi
> +
> +if ! which cryptsetup >/dev/null 2>&1; then
> + echo "cryptsetup not installed; cannot test luks."
> + exit 99
> +fi
> +
> +"@builddir@/grub-fs-tester" luks1
> diff --git a/tests/luks2_test.in b/tests/luks2_test.in
> new file mode 100644
> index 0..6a26ba626
> --- /dev/null
> +++ b/tests/luks2_test.in
> @@ -0,0 +1,23 @@
> +#!@BUILD_SHEBANG@
> +
> +set -e
> +
> +if [ "x$EUID" = "x" ] ; then
> + EUID=`id -u`
> +fi
> +
> +if [ "$EUID" != 0 ] ; then
> + exit 99
> +fi
> +
> +if ! which mkfs.ext2 >/dev/null 2>&1; then
> + echo "mkfs.ext2 not installed; cannot test luks2."
> + exit 99
> +fi
> +
> +if ! which cryptsetup >/dev/null 2>&1; then
> + echo "cryptsetup not installed; cannot test luks2."
> + exit 99
> +fi
> +
> +"@builddir@/grub-fs-tester" luks2
> diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
> index 43f6175c3..e488c0e41 100644
> --- a/tests/util/grub-fs-tester.in
> +++ b/tests/util/grub-fs-tester.in
> @@ -6,6 +6,7 @@ export BLKID_FILE=/dev/null
> fs="$1"
>
> GRUBFSTEST="@builddir@/grub-fstest"
> +GRUBPROBE="@builddir@/grub-probe"
>
> tempdir=`mktemp -d "${TMPDIR:-/tmp}/${0##*/}.$(date
> '+%Y%m%d%H%M%S%N').${fs}.XXX"` ||
> { echo "Failed to make temporary directory"; exit 99; }
> @@ -13,6 +14,8 @@ tempdir=`mktemp -d "${TMPDIR:-/tmp}/${0##*/}.$(date
> '+%Y%m%d%H%M%S%N').${fs}.XXX
> # xorriso -as mkisofs options to ignore locale when processing file names and
> # FSLABEL. This is especially needed for the conversion to Joliet UCS-2.
> XORRISOFS_CHARSET="-i
[PATCH v5 0/2] Have LUKS2 cryptomounts be useable with grub-probe
Hello again, Following Michael's mail, here's hopefully the latest patch series! This fixes building on 32-bit by using grub_uint64_t indiscriminately, and removes the curly braces for the the two ifs at the end. Sorry for all the noise. Best, -- Josselin Poiret ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v5 1/2] devmapper/getroot: Have devmapper recognize LUKS2
Changes UUID comparisons so that LUKS1 and LUKS2 are both recognized
as being LUKS cryptodisks.
---
grub-core/osdep/devmapper/getroot.c | 11 +++
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/grub-core/osdep/devmapper/getroot.c
b/grub-core/osdep/devmapper/getroot.c
index 9ba5c9865..2bf4264cf 100644
--- a/grub-core/osdep/devmapper/getroot.c
+++ b/grub-core/osdep/devmapper/getroot.c
@@ -138,7 +138,8 @@ grub_util_get_dm_abstraction (const char *os_dev)
grub_free (uuid);
return GRUB_DEV_ABSTRACTION_LVM;
}
- if (strncmp (uuid, "CRYPT-LUKS1-", 12) == 0)
+ if (strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0
+ || strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0)
{
grub_free (uuid);
return GRUB_DEV_ABSTRACTION_LUKS;
@@ -179,7 +180,9 @@ grub_util_pull_devmapper (const char *os_dev)
grub_util_pull_device (subdev);
}
}
- if (uuid && strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0
+ if (uuid
+ && (strncmp (uuid, "CRYPT-LUKS1-", sizeof ("CRYPT-LUKS1-") - 1) == 0
+ || strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0)
&& lastsubdev)
{
char *grdev = grub_util_get_grub_dev (lastsubdev);
@@ -253,11 +256,11 @@ grub_util_get_devmapper_grub_dev (const char *os_dev)
{
char *dash;
- dash = grub_strchr (uuid + sizeof ("CRYPT-LUKS1-") - 1, '-');
+ dash = grub_strchr (uuid + sizeof ("CRYPT-LUKS*-") - 1, '-');
if (dash)
*dash = 0;
grub_dev = grub_xasprintf ("cryptouuid/%s",
- uuid + sizeof ("CRYPT-LUKS1-") - 1);
+ uuid + sizeof ("CRYPT-LUKS*-") - 1);
grub_free (uuid);
return grub_dev;
}
--
2.36.1
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH v5 2/2] devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM parameters
This lets a LUKS2 cryptodisk have its cipher and hash filled out,
otherwise they wouldn't be initialized if cheat mounted.
---
grub-core/osdep/devmapper/getroot.c | 87 -
1 file changed, 86 insertions(+), 1 deletion(-)
diff --git a/grub-core/osdep/devmapper/getroot.c
b/grub-core/osdep/devmapper/getroot.c
index 2bf4264cf..80c7e54da 100644
--- a/grub-core/osdep/devmapper/getroot.c
+++ b/grub-core/osdep/devmapper/getroot.c
@@ -51,6 +51,8 @@
#include
#include
+#include
+
static int
grub_util_open_dm (const char *os_dev, struct dm_tree **tree,
struct dm_tree_node **node)
@@ -186,7 +188,6 @@ grub_util_pull_devmapper (const char *os_dev)
&& lastsubdev)
{
char *grdev = grub_util_get_grub_dev (lastsubdev);
- dm_tree_free (tree);
if (grdev)
{
grub_err_t err;
@@ -194,7 +195,91 @@ grub_util_pull_devmapper (const char *os_dev)
if (err)
grub_util_error (_("can't mount encrypted volume `%s': %s"),
lastsubdev, grub_errmsg);
+ if (strncmp (uuid, "CRYPT-LUKS2-", sizeof ("CRYPT-LUKS2-") - 1) == 0)
+{
+ /* set LUKS2 cipher from dm parameters, since it is not
+ * possible to determine the correct one without
+ * unlocking, as there might be multiple segments.
+ */
+ grub_disk_t source;
+ grub_cryptodisk_t cryptodisk;
+ grub_uint64_t start, length;
+ char *target_type;
+ char *params;
+ const char *name;
+ char *cipher, *cipher_mode;
+ struct dm_task *dmt;
+ char *seek_head, *c;
+ unsigned int remaining;
+
+ source = grub_disk_open (grdev);
+ cryptodisk = grub_cryptodisk_get_by_source_disk (source);
+ grub_disk_close (source);
+
+ name = dm_tree_node_get_name (node);
+
+ grub_util_info ("populating parameters of cryptomount `%s' from
DM device `%s'",
+ uuid, name);
+
+ dmt = dm_task_create (DM_DEVICE_TABLE);
+ if (dmt == 0)
+grub_util_error (_("can't create dm task DM_DEVICE_TABLE"));
+ if (dm_task_set_name (dmt, name) == 0)
+grub_util_error (_("can't set dm task name to `%s'"), name);
+ if (dm_task_run (dmt) == 0)
+grub_util_error (_("can't run dm task for `%s'"), name);
+ /* dm_get_next_target doesn't have any error modes, everything
has
+ * been handled by dm_task_run.
+ */
+ dm_get_next_target (dmt, NULL, &start, &length,
+ &target_type, ¶ms);
+ if (strncmp (target_type, "crypt", sizeof ("crypt")) != 0)
+grub_util_error (_("dm target of type `%s' is not `crypt'"),
+ target_type);
+
+ /* dm target parameters for dm-crypt is
+ *
[<#opt_params> ...]
+ */
+ c = params;
+ remaining = grub_strlen (c);
+
+ /* first, get the cipher name from the cipher */
+ if (!(seek_head = grub_memchr (c, '-', remaining)))
+grub_util_error (_("can't get cipher from dm-crypt parameters
`%s'"),
+ params);
+ cipher = grub_strndup (c, seek_head - c);
+ remaining -= seek_head - c + 1;
+ c = seek_head + 1;
+
+ /* now, the cipher mode */
+ if (!(seek_head = grub_memchr (c, ' ', remaining)))
+grub_util_error (_("can't get cipher mode from dm-crypt
parameters `%s'"),
+ params);
+ cipher_mode = grub_strndup (c, seek_head - c);
+ remaining -= seek_head - c + 1;
+ c = seek_head + 1;
+
+ err = grub_cryptodisk_setcipher (cryptodisk, cipher,
cipher_mode);
+ if (err)
+ grub_util_error (_("can't set cipher of cryptodisk `%s' to
`%s' with mode `%s'"),
+ uuid, cipher, cipher_mode);
+
+ grub_free (cipher);
+ grub_free (cipher_mode);
+
+ /* This is the only hash usable by PBKDF2, and we don't
+ * have Argon2 support yet, so set it by default,
+ * otherwise grub-probe would miss the required
+ * abstraction
+ */
+ cryptodisk->hash = grub_crypto_lookup_md_by_name ("sha256");
+ if (cryptodisk->hash == 0)
+ grub_util_error (_("can't lookup hash sha256 by name"));
+
+ dm_task_destroy (dmt);
+}
}
+ dm_tree_free (tree);
grub_free (grdev);
}
else
--
2.36.1
___
Grub-devel m
Re: GRUB 2.12 release, etc.
Le ven. 10 juin 2022 à 19:21, Daniel Kiper a
écrit :
> Hi,
>
> {...}
> I am not going to release any of earlier released versions with recent
> security fixes on top of them. Though if somebody wants to step up and
> prepare them I am happy to create relevant branch in the GRUB git
> repository.
>
> Daniel,
Can you list the tasks and time required to perform such point release for
Grub ?
I have to admit I have no idea, and probably some others too, what are the
current procedures and what it would mean to step up on this.
Thanks,
Erwan,
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH v3] grub-fs-tester: Add luks1 and luks2 support
On Wed, 15 Jun 2022 11:43:25 +0200
Fabian Vogt wrote:
> Hi,
>
> Am Mittwoch, 15. Juni 2022, 04:43:03 CEST schrieb Glenn Washburn:
> > From: Pierre-Louis Bonicoli
> >
> > The logical sector size used by LUKS1 is 512 bytes and LUKS2 uses 512 to
> > 4069 bytes. The deafualt password used is "pass", but can be overridden
> > by setting the PASS environment variable. The device mapper name is set
> > to the name of the temp directory so that its easy to corrolate device
> > mapper name with a particular test run. Also since this name is unique
> > per test run, multiple simultaneous test runs are allowed.
> >
> > Note that cryptsetup is passing the --disable-locks parameter to allow
> > cryptsetup run successfully when /run/lock/cryptsetup is not accessible.
> > Since the device mapper name is unique per test run, there is no need to
> > worry about locking the device to serialize access.
> >
> > Signed-off-by: Pierre-Louis Bonicoli
> > Signed-off-by: Glenn Washburn
> > ---
> > This is a heavily modified version of Pierre-Louis's v2 patch. It has been
> > tested with Fabian's v3 and Josselin's v4 series. Some notable differences
> > from the previous version:
> > * Rebase on to master accounting for cleanup() changes
> > * Allow multple tests runs to run simultaneously
> > * Allow specifying alternate password with environment variable
> > * Fixed bug in previous version where LC_ALL=C was being set for echo and
> >not run_it
> > * Make output on UUID fail consistent with other filesystems
> > * Allow tests to work with older cryptsetups
> > * Fixed bug where luks1 tests were actually testing luks2
> > * Address my review comments
> >
> > Note: The luks2 test will fail without some form of working grub-probe
> > support for luks2. This patch is independent of the above mentioned
> > patch series, will apply without them just fine, and can be reviewed
> > independently.
> >
> > Glenn
> > ---
> > .gitignore | 2 ++
> > Makefile.util.def| 12
> > tests/luks1_test.in | 23 +++
> > tests/luks2_test.in | 23 +++
> > tests/util/grub-fs-tester.in | 57 ++--
> > 5 files changed, 115 insertions(+), 2 deletions(-)
> > create mode 100644 tests/luks1_test.in
> > create mode 100644 tests/luks2_test.in
> >
> > diff --git a/.gitignore b/.gitignore
> > index f6a1bd051..4064d3d1e 100644
> > --- a/.gitignore
> > +++ b/.gitignore
> > @@ -230,6 +230,8 @@ widthspec.bin
> > /lib/libgcrypt-grub
> > /libgrub_a_init.c
> > /lzocompress_test
> > +/luks1_test
> > +/luks2_test
> > /m4/
> > /minixfs_test
> > /missing
> > diff --git a/Makefile.util.def b/Makefile.util.def
> > index d919c562c..3f1162b76 100644
> > --- a/Makefile.util.def
> > +++ b/Makefile.util.def
> > @@ -1213,6 +1213,18 @@ script = {
> >common = tests/syslinux_test.in;
> > };
> >
> > +script = {
> > + testcase = native;
> > + name = luks1_test;
> > + common = tests/luks1_test.in;
> > +};
> > +
> > +script = {
> > + testcase = native;
> > + name = luks2_test;
> > + common = tests/luks2_test.in;
> > +};
> > +
> > program = {
> >testcase = native;
> >name = example_unit_test;
> > diff --git a/tests/luks1_test.in b/tests/luks1_test.in
> > new file mode 100644
> > index 0..cd28fd714
> > --- /dev/null
> > +++ b/tests/luks1_test.in
> > @@ -0,0 +1,23 @@
> > +#!@BUILD_SHEBANG@
> > +
> > +set -e
> > +
> > +if [ "x$EUID" = "x" ] ; then
> > + EUID=`id -u`
> > +fi
> > +
> > +if [ "$EUID" != 0 ] ; then
> > + exit 99
> > +fi
> > +
> > +if ! which mkfs.ext2 >/dev/null 2>&1; then
> > + echo "mkfs.ext2 not installed; cannot test luks."
> > + exit 99
> > +fi
> > +
> > +if ! which cryptsetup >/dev/null 2>&1; then
> > + echo "cryptsetup not installed; cannot test luks."
> > + exit 99
> > +fi
> > +
> > +"@builddir@/grub-fs-tester" luks1
> > diff --git a/tests/luks2_test.in b/tests/luks2_test.in
> > new file mode 100644
> > index 0..6a26ba626
> > --- /dev/null
> > +++ b/tests/luks2_test.in
> > @@ -0,0 +1,23 @@
> > +#!@BUILD_SHEBANG@
> > +
> > +set -e
> > +
> > +if [ "x$EUID" = "x" ] ; then
> > + EUID=`id -u`
> > +fi
> > +
> > +if [ "$EUID" != 0 ] ; then
> > + exit 99
> > +fi
> > +
> > +if ! which mkfs.ext2 >/dev/null 2>&1; then
> > + echo "mkfs.ext2 not installed; cannot test luks2."
> > + exit 99
> > +fi
> > +
> > +if ! which cryptsetup >/dev/null 2>&1; then
> > + echo "cryptsetup not installed; cannot test luks2."
> > + exit 99
> > +fi
> > +
> > +"@builddir@/grub-fs-tester" luks2
> > diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
> > index 43f6175c3..e488c0e41 100644
> > --- a/tests/util/grub-fs-tester.in
> > +++ b/tests/util/grub-fs-tester.in
> > @@ -6,6 +6,7 @@ export BLKID_FILE=/dev/null
> > fs="$1"
> >
> > GRUBFSTEST="@builddir@/grub-fstest"
> > +GRUBPROBE="@builddir@/grub-probe"
> >
> > tempdir=`mktemp -d "${TMPDIR:-/tmp}/${0##*/}.$(date
> > '+%Y%m%d%H%M
[PATCH v4] grub-fs-tester: Add luks1 and luks2 support
From: Pierre-Louis Bonicoli
The logical sector size used by LUKS1 is 512 bytes and LUKS2 uses 512 to
4069 bytes. The deafualt password used is "pass", but can be overridden
by setting the PASS environment variable. The device mapper name is set
to the name of the temp directory so that its easy to corrolate device
mapper name with a particular test run. Also since this name is unique
per test run, multiple simultaneous test runs are allowed.
Note that cryptsetup is passing the --disable-locks parameter to allow
cryptsetup run successfully when /run/lock/cryptsetup is not accessible.
Since the device mapper name is unique per test run, there is no need to
worry about locking the device to serialize access.
Signed-off-by: Pierre-Louis Bonicoli
Signed-off-by: Glenn Washburn
---
Update from v3:
* Add --force-password so that cryptsetup does not fail with the default
password on systems where cryptsetup is built with the password quality
checking library. Cryptsetup is not built this way on Debian or Ubuntu
systems, but on Fabian's test system, which I presume is a SUSE variant,
it is.
This is a heavily modified version of Pierre-Louis's v2 patch. It has
been tested with Fabian's v3 and Josselin's v4 series for x86_64-efi.
Some notable differences from the previous version:
* Rebase on to master accounting for cleanup() changes
* Allow multple tests runs to run simultaneously
* Allow specifying alternate password with environment variable
* Fixed bug in previous version where LC_ALL=C was being set for echo and
not run_it
* Make output on UUID fail consistent with other filesystems
* Allow tests to work with older cryptsetups
* Fixed bug where luks1 tests were actually testing luks2
* Address my review comments
Note: The luks2 test will fail without some form of working grub-probe
support for luks2. This patch is independent of the above mentioned
patch series, will apply without them just fine, and can be reviewed
independently.
Glenn
---
.gitignore | 2 ++
Makefile.util.def| 12
tests/luks1_test.in | 23 +++
tests/luks2_test.in | 23 +++
tests/util/grub-fs-tester.in | 57 ++--
5 files changed, 115 insertions(+), 2 deletions(-)
create mode 100644 tests/luks1_test.in
create mode 100644 tests/luks2_test.in
diff --git a/.gitignore b/.gitignore
index f6a1bd051..4064d3d1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -230,6 +230,8 @@ widthspec.bin
/lib/libgcrypt-grub
/libgrub_a_init.c
/lzocompress_test
+/luks1_test
+/luks2_test
/m4/
/minixfs_test
/missing
diff --git a/Makefile.util.def b/Makefile.util.def
index d919c562c..3f1162b76 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -1213,6 +1213,18 @@ script = {
common = tests/syslinux_test.in;
};
+script = {
+ testcase = native;
+ name = luks1_test;
+ common = tests/luks1_test.in;
+};
+
+script = {
+ testcase = native;
+ name = luks2_test;
+ common = tests/luks2_test.in;
+};
+
program = {
testcase = native;
name = example_unit_test;
diff --git a/tests/luks1_test.in b/tests/luks1_test.in
new file mode 100644
index 0..cd28fd714
--- /dev/null
+++ b/tests/luks1_test.in
@@ -0,0 +1,23 @@
+#!@BUILD_SHEBANG@
+
+set -e
+
+if [ "x$EUID" = "x" ] ; then
+ EUID=`id -u`
+fi
+
+if [ "$EUID" != 0 ] ; then
+ exit 99
+fi
+
+if ! which mkfs.ext2 >/dev/null 2>&1; then
+ echo "mkfs.ext2 not installed; cannot test luks."
+ exit 99
+fi
+
+if ! which cryptsetup >/dev/null 2>&1; then
+ echo "cryptsetup not installed; cannot test luks."
+ exit 99
+fi
+
+"@builddir@/grub-fs-tester" luks1
diff --git a/tests/luks2_test.in b/tests/luks2_test.in
new file mode 100644
index 0..6a26ba626
--- /dev/null
+++ b/tests/luks2_test.in
@@ -0,0 +1,23 @@
+#!@BUILD_SHEBANG@
+
+set -e
+
+if [ "x$EUID" = "x" ] ; then
+ EUID=`id -u`
+fi
+
+if [ "$EUID" != 0 ] ; then
+ exit 99
+fi
+
+if ! which mkfs.ext2 >/dev/null 2>&1; then
+ echo "mkfs.ext2 not installed; cannot test luks2."
+ exit 99
+fi
+
+if ! which cryptsetup >/dev/null 2>&1; then
+ echo "cryptsetup not installed; cannot test luks2."
+ exit 99
+fi
+
+"@builddir@/grub-fs-tester" luks2
diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
index 43f6175c3..de4430ae9 100644
--- a/tests/util/grub-fs-tester.in
+++ b/tests/util/grub-fs-tester.in
@@ -6,6 +6,7 @@ export BLKID_FILE=/dev/null
fs="$1"
GRUBFSTEST="@builddir@/grub-fstest"
+GRUBPROBE="@builddir@/grub-probe"
tempdir=`mktemp -d "${TMPDIR:-/tmp}/${0##*/}.$(date
'+%Y%m%d%H%M%S%N').${fs}.XXX"` ||
{ echo "Failed to make temporary directory"; exit 99; }
@@ -13,6 +14,8 @@ tempdir=`mktemp -d "${TMPDIR:-/tmp}/${0##*/}.$(date
'+%Y%m%d%H%M%S%N').${fs}.XXX
# xorriso -as mkisofs options to ignore locale when processing file names and
# FSLABEL. This is especially needed for the conversion to Joliet UCS-2.
XORRISOFS_CHARSET="-input-charset UTF-8 -output-charset UTF-8"
+DMN
Re: [PATCH v4] grub-fs-tester: Add luks1 and luks2 support
On 15/06/2022 20.30, Glenn Washburn wrote: From: Pierre-Louis Bonicoli The logical sector size used by LUKS1 is 512 bytes and LUKS2 uses 512 to 4069 bytes. The deafualt password used is "pass", but can be overridden by setting the PASS environment variable. The device mapper name is set to the name of the temp directory so that its easy to corrolate device mapper name with a particular test run. Also since this name is unique per test run, multiple simultaneous test runs are allowed. Note that cryptsetup is passing the --disable-locks parameter to allow cryptsetup run successfully when /run/lock/cryptsetup is not accessible. Since the device mapper name is unique per test run, there is no need to worry about locking the device to serialize access. Signed-off-by: Pierre-Louis Bonicoli Signed-off-by: Glenn Washburn --- Update from v3: * Add --force-password so that cryptsetup does not fail with the default password on systems where cryptsetup is built with the password quality checking library. Cryptsetup is not built this way on Debian or Ubuntu systems, but on Fabian's test system, which I presume is a SUSE variant, it is. This is a heavily modified version of Pierre-Louis's v2 patch. It has been tested with Fabian's v3 and Josselin's v4 series for x86_64-efi. Some notable differences from the previous version: * Rebase on to master accounting for cleanup() changes * Allow multple tests runs to run simultaneously * Allow specifying alternate password with environment variable * Fixed bug in previous version where LC_ALL=C was being set for echo and not run_it * Make output on UUID fail consistent with other filesystems * Allow tests to work with older cryptsetups * Fixed bug where luks1 tests were actually testing luks2 * Address my review comments Note: The luks2 test will fail without some form of working grub-probe support for luks2. This patch is independent of the above mentioned patch series, will apply without them just fine, and can be reviewed independently. Glenn Thanks for these updates. I ran the luks1_test and luks2_test tests successfully on top of the following patches: - [PATCH v3] disk/cryptodisk: When cheatmounting, use the sector info of the cheat device - [PATCH v5 2/2] devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM parameters -- Pierre-Louis Bonicoli ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
