[PATCH v7 1/1] plainmount: Support plain encryption mode
From 687f8687f7c72ac91e250c9b89659f69b3644bfb Mon Sep 17 00:00:00 2001 From: Maxim Fomin Date: Sun, 18 Sep 2022 19:43:12 +0100 Subject: [PATCH v7 1/1] plainmount: Support plain encryption mode This patch adds support for plain encryption mode (plain dm-crypt) via new module/command named 'plainmount'. Signed-off-by: Maxim Fomin --- docs/grub.texi | 80 +++ grub-core/Makefile.core.def | 5 + grub-core/disk/plainmount.c | 457 3 files changed, 542 insertions(+) create mode 100644 grub-core/disk/plainmount.c diff --git a/docs/grub.texi b/docs/grub.texi index 107f66ebc..82e79a900 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -4267,6 +4267,7 @@ you forget a command, you can run the command @command{help} * parttool::Modify partition table entries * password::Set a clear-text password * password_pbkdf2:: Set a hashed password +* plainmount:: Open device encrypted in plain mode * play::Play a tune * probe:: Retrieve device info * rdmsr:: Read values from model-specific registers @@ -4554,6 +4555,14 @@ function is supported, as Argon2 is not yet supported. Also, note that, unlike filesystem UUIDs, UUIDs for encrypted devices must be specified without dash separators. + +Successfully decrypted disks are named as (cryptoX) and have increasing numeration +suffix for each new decrypted disk. If the encrypted disk hosts some higher level +of abstraction (like LVM2 or MDRAID) it will be created under a separate device +namespace in addition to the cryptodisk namespace. + +Support for plain encryption mode (plain dm-crypt) is provided via separate +@command{@pxref{plainmount}} command. @end deffn @node cutmem 
@@ -5113,6 +5122,77 @@ to generate password hashes. @xref{Security}. @end deffn +@node plainmount +@subsection plainmount + +@deffn Command plainmount device @option{-c} cipher @option{-s} key size [@option{-h} hash] +[@option{-S} sector size] [@option{-p} password] [@option{-u} uuid] +[[@option{-d} keyfile] [@option{-O} keyfile offset]] + + +Setup access to the encrypted device in plain mode. Offset of the encrypted +data at the device is specified in terms of 512 byte sectors with the blocklist +syntax and loopback device. The following example shows how to specify 1MiB +offset: + +@example +loopback node (hd0,gpt1)2048+ +plainmount node +@end example + +The @command{plainmount} command can be used to open LUKS encrypted volume +if its master key and parameters (key size, cipher, offset, etc) are known. + +There are two ways to specify a password: a keyfile and a secret passphrase. +The keyfile path parameter has higher priority than the secret passphrase +parameter and is specified with the option @option{-d}. Password data obtained +from keyfiles is not hashed and is used directly as a cipher key. An optional +offset of password data in the keyfile can be specified with the option +@option{-O} or directly with the option @option{-d} and GRUB blocklist syntax. +The following example shows both methods to specify password data in the +keyfile at offset 1MiB: + +@example +plainmount -d (hd0,gpt1)2048+ +plainmount -d (hd0,gpt1)+ -O 1048576 +@end example + +If no keyfile is specified then the password is set to the string specified +by option @option{-p} or is requested interactively from the console. In both +cases the provided password is hashed with the algorithm specified by the +option @option{-h}. This option is mandatory if no keyfile is specified, but +it can be set to @samp{plain} which means that no hashing is done and such +password is used directly as a key. 
+ +Cipher @option{-c} and keysize @option{-s} options specify the cipher algorithm +and the key size respectively and are mandatory options. Cipher must be specified +with the mode separated by a dash (for example, @samp{aes-xts-plain64}). Key size +option @option{-s} is the key size of the cipher in bits, not to be confused with +the offset of the key data in a keyfile specified with the @option{-O} option. It +must not exceed 1024 bits, so a 32 byte key would be specified as 256 bits + +The optional parameter @option{-S} specifies encrypted device sector size. It +must be at least 512 bytes long (default value) and a power of 2. @footnote{Current +implementation of cryptsetup supports only 512/1024/2048/4096 byte sectors}. +Disk sector size is configured when creating the encrypted volume. Attempting +to decrypt volumes with a different sector size than it was created with will +not result in an error, but will decrypt to random bytes and thus prevent +accessing the volume (in some cases the filesystem driver can detect the presence +of a filesystem, but nevertheless will refuse to mount it). + +By default new plainmount devices will be given a UUID starting with +'109fea84-a6b7-34a8-4bd1-1c506305a401' where the last
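Review bot: in the paragraph added at the end of the cryptomount section, `@command{@pxref{plainmount}}` nests a cross-reference inside command markup, so it typesets as "see plainmount" in command font instead of a command name followed by a reference; suggest `via the separate @command{plainmount} command (@pxref{plainmount}).` In the same hunk, "have increasing numeration suffix for each new decrypted disk" reads awkwardly; "are numbered with an increasing suffix, one per decrypted disk" says the same thing more plainly.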
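Review bot: the usage examples in the new plainmount node omit the options the same text declares mandatory: `plainmount node` and `plainmount -d (hd0,gpt1)2048+` carry neither `-c cipher` nor `-s key size`, and the keyfile examples also drop the device argument, so a reader who copies them gets a usage error. Suggest complete invocations built from values the section already uses, e.g. `plainmount -c aes-xts-plain64 -s 256 -h HASH node` and `plainmount -c aes-xts-plain64 -s 256 -d (hd0,gpt1)2048+ node` (HASH standing for whatever hash name the option accepts). The paragraph on @option{-p} should also state that a passphrase passed this way is stored in clear text wherever the command is kept (grub.cfg or a script), so the interactive prompt or a keyfile is the better choice when that file is readable by others. Minor texinfo points: the @deffn line uses two-word metavariables (`key size`, `sector size`, `keyfile offset`) that will be typeset as separate arguments, so single tokens such as `key_size` would be clearer; the sentence ending "would be specified as 256 bits" lacks a period; and the period after the @footnote{} belongs inside the footnote text.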
[PATCH] Explicitly unset SOURCE_DATE_EPOCH before running fs tests
In some filesystem utils like mksquashfs, they will silently change behaviour and cause timestamps to unexpectedly change. Build environments like Debian's set SOURCE_DATE_EPOCH in the environment, so remove it. Reproducible builds are good and useful for shipped artifacts, but this causes build-time tests to fail. Signed-off-by: Steve McIntyre --- tests/util/grub-fs-tester.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in index 43f6175c3..6d70967e6 100644 --- a/tests/util/grub-fs-tester.in +++ b/tests/util/grub-fs-tester.in @@ -5,6 +5,9 @@ export BLKID_FILE=/dev/null fs="$1" +# We can't have this set, or filesystem tests will fail +unset SOURCE_DATE_EPOCH + GRUBFSTEST="@builddir@/grub-fstest" tempdir=`mktemp -d "${TMPDIR:-/tmp}/${0##*/}.$(date '+%Y%m%d%H%M%S%N').${fs}.XXX"` || -- 2.30.2 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
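Review bot: the comment above `unset SOURCE_DATE_EPOCH` says only that tests will fail, not why; the reason is in the commit message (tools such as mksquashfs honour the variable and silently substitute it for file timestamps, so the timestamps the test expects no longer match) and it belongs next to the line where the next person will find it, e.g. `# Tools like mksquashfs honour SOURCE_DATE_EPOCH and rewrite timestamps, which breaks the timestamp checks in these tests.` Placing the unset right after `fs="$1"` is fine, since every tool the script invokes later inherits the cleared environment.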
[PATCH 0/2] bash-completion:fix shellcheck error and warning
Hi,

The patch set fixes some warnings and errors in grub-completion.bash.in. Shellcheck also provides 'info' and 'style' level checks, which I think grub does not need to address.

shellcheck -s bash -S warning grub-completion.bash.in

shellcheck: https://github.com/koalaman/shellcheck

t.feng (2):
  bash-completion:fix shellcheck error
  bash-completion:fix shellcheck warning

 .../bash-completion.d/grub-completion.bash.in | 40 ---
 1 file changed, 25 insertions(+), 15 deletions(-)

-- 
2.27.0
[PATCH 1/2] bash-completion:fix shellcheck error
SC2070 (error): -n doesn't work with unquoted arguments. Quote or use [[ ]]. In grub-completion.bash.in line 130: [ -n $tmp ] && { ^--^ SC2070 (error) ref:https://github.com/koalaman/shellcheck/wiki/SC2070 --- util/bash-completion.d/grub-completion.bash.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/bash-completion.d/grub-completion.bash.in b/util/bash-completion.d/grub-completion.bash.in index 44bf135b9..93d143480 100644 --- a/util/bash-completion.d/grub-completion.bash.in +++ b/util/bash-completion.d/grub-completion.bash.in @@ -127,7 +127,7 @@ __grub_list_modules () { local IFS=$'\n' COMPREPLY=( $( compgen -f -X '!*/*.mod' -- "${grub_dir}/$cur" | { while read -r tmp; do - [ -n $tmp ] && { + [ -n "$tmp" ] && { tmp=${tmp##*/} printf '%s\n' ${tmp%.mod} } -- 2.27.0 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
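Review bot: quoting `"$tmp"` is the right fix for SC2070 (with `local IFS=$'\n'` in effect, an empty `$tmp` expanded to no word at all, so `[ -n ]` became a one-argument test that is always true and the empty line slipped through), but the loop body two lines below still has `printf '%s\n' ${tmp%.mod}` unquoted, which leaves the module name subject to pathname expansion against the current directory if it ever contains `*` or `?`. Suggest `printf '%s\n' "${tmp%.mod}"` in the same change so the whole loop is consistently quoted.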
[PATCH 2/2] bash-completion:fix shellcheck warning
SC2207 (warning): Prefer mapfile or read -a to split command output (or quote to avoid splitting). SC2120 (warning): __grub_get_options_from_help references arguments, but none are ever passed. SC2155 (warning): Declare and assign separately to avoid masking return values. In grub-completion.bash.in line 56: COMPREPLY=($(compgen -P "${2-}" -W "${1-}" -S "${4-}" -- "$cur")) ^-- SC2207 (warning) In grub-completion.bash.in line 63: __grub_get_options_from_help () { ^-- SC2120 (warning) In grub-completion.bash.in line 115: local config_file=$(__grub_dir)/grub.cfg ^-^ SC2155 (warning) In grub-completion.bash.in line 119: COMPREPLY=( $(compgen \ ^-- SC2207 (warning) In grub-completion.bash.in line 126: local grub_dir=$(__grub_dir) ^--^ SC2155 (warning) In grub-completion.bash.in line 128: COMPREPLY=( $( compgen -f -X '!*/*.mod' -- "${grub_dir}/$cur" | { ^-- SC2207 (warning) SC2120: the current code meets the exception and does not need to be modified ref:https://github.com/koalaman/shellcheck/wiki/SC2207 ref:https://github.com/koalaman/shellcheck/wiki/SC2120 ref:https://github.com/koalaman/shellcheck/wiki/SC2155 --- .../bash-completion.d/grub-completion.bash.in | 40 --- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/util/bash-completion.d/grub-completion.bash.in b/util/bash-completion.d/grub-completion.bash.in index 93d143480..7449e629a 100644 --- a/util/bash-completion.d/grub-completion.bash.in +++ b/util/bash-completion.d/grub-completion.bash.in @@ -53,7 +53,10 @@ __grubcomp () { ;; *) local IFS=' '$'\t'$'\n' -COMPREPLY=($(compgen -P "${2-}" -W "${1-}" -S "${4-}" -- "$cur")) +COMPREPLY=() +while read -r line; do +COMPREPLY+=("${line}") +done < <(compgen -P "${2-}" -W "${1-}" -S "${4-}" -- "$cur") ;; esac } 
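Review bot: the `while read -r line` loop in __grubcomp works, but it is the long way round the SC2207 advice; `mapfile -t COMPREPLY < <(compgen -P "${2-}" -W "${1-}" -S "${4-}" -- "$cur")` does the same thing in one line, and the file already depends on bash for the process substitution this hunk introduces. Also note that the `local IFS=' '$'\t'$'\n'` line kept above the loop no longer controls any word splitting; it now only decides how `read` trims leading and trailing whitespace from each line, which is harmless for compgen output but worth a comment or removal so a reader does not assume it still matters.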
@@ -112,28 +115,35 @@ __grub_get_last_option () { __grub_list_menuentries () { local cur="${COMP_WORDS[COMP_CWORD]}" -local config_file=$(__grub_dir)/grub.cfg +local config_file +config_file=$(__grub_dir)/grub.cfg if [ -f "$config_file" ];then local IFS=$'\n' -COMPREPLY=( $(compgen \ --W "$( awk -F "[\"']" '/menuentry/ { print $2 }' $config_file )" \ --- "$cur" )) #'# Help emacs syntax highlighting +COMPREPLY=() +while read -r line; do +COMPREPLY+=("${line}") +done < <(compgen \ +-W "$( awk -F "[\"']" '/menuentry/ { print $2 }' $config_file )" \ +-- "$cur" ) #'# Help emacs syntax highlighting fi } __grub_list_modules () { -local grub_dir=$(__grub_dir) +local grub_dir +grub_dir=$(__grub_dir) local IFS=$'\n' -COMPREPLY=( $( compgen -f -X '!*/*.mod' -- "${grub_dir}/$cur" | { - while read -r tmp; do - [ -n "$tmp" ] && { - tmp=${tmp##*/} - printf '%s\n' ${tmp%.mod} - } - done - } -)) +COMPREPLY=() +while read -r line; do +COMPREPLY+=("${line}") +done < <(compgen -f -X '!*/*.mod' -- "${grub_dir}/$cur" | { +while read -r tmp; do +[ -n "$tmp "] && { +tmp=${tmp##*/} +printf '%s\n' ${tmp%.mod} +} +done +}) } # -- 2.27.0 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
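Review bot: the rewritten __grub_list_modules loop has a broken test: `[ -n "$tmp "]` moves the closing quote past the space, so the shell passes `[` the arguments `-n` and `<name> ]` with no closing bracket, `[` reports a missing `]`, and the `&&` branch never runs, so no module name is ever completed. Patch 1/2 had just made this `[ -n "$tmp" ] && {`; restore that form. Two smaller points in the same hunk: as in __grubcomp, `mapfile -t COMPREPLY < <(...)` would replace each three-line `while read` loop in both __grub_list_menuentries and __grub_list_modules, and `$config_file` passed to awk and `${tmp%.mod}` passed to printf remain unquoted, which the `-S warning` run does not report but which is the same class of problem SC2070 fixed.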